Data in the cloud... how much can you trust it?

Grimlakin

FPS Enthusiast
Joined
Jun 24, 2019
Messages
8,081
Points
113
I've been in the IT arena for a long time. 100% of my professional working career at the age of 46... is all in IT. My interest started in personal computing and gaming and has sprawled out to be pretty much any and everything in the IT arena. The latest trend is putting every **** thing in the cloud. And if you understand what the cloud is and how interconnected it all is, you too are probably worried about sensitive data that exists in the cloud and it's connectivity into your on premise systems, and if you're not... you should be.

Allow me to explain something that many C level executives don't get and for the most part put up with from us that are more security aware. If you have something in the cloud, I don't care what cloud service you are using, or why you are using it or how 'locked' down you think it is. there are people outside of your trust circle that can access your data. This isn't a probably it is a 100% guarantee. If your servers can shift between hosts they have access to your data. If your data is 'protected' they have access to your data. Further the trust circle that has access to your data is well outside of your control. Even if the data is top secret if your companies security policies take things into account that a top secret clearance does not then your data is with people you probably don't want to access it, at least not without knowing.

But lets presume for the sake of argument that your data isn't that important to the company for some strange reason. Lets go with the stability of service. Is the cloud more stable than what your company can stand up for a cost? This depends completely on your companies size, and need. You get too large you can't live only in the cloud. Cloud scales very well to small up through large businesses. But much beyond that the cloud then becomes a part of your environment not the whole of your environment. and that is a problem.

How is the cloud being part of or all of your environment a problem. Lets break that down in a couple of ways from a security standpoint.
1. The cloud is a shared service. Meaning your software (servers) are running on the same servers as other companies software (servers). If they were running Intel CPU's as an example before the memory access vulnerability was discovered your data could have been pilfered by someone who compromised someone with lesser security. Your level of exposure to that breach may have been minimal based on what the server was doing.... but what if that server were your cloud based Domain Controller to expedite logins to company websites hosted in the cloud with federated login managers? Is that data your comfortable with being in the cloud still?
2. Larger cloud deployments are actually multi cloud, Citrix cloud services, Azure, Amazon, Google, and private clouds are all interconnected today with geo-fencing and other interesting technologies to make sure the end user experience is as good as it can be. For non secure data this is great. For everyone else.. your data is ONLY as secure as the LEAST secure server or LEAST complex administrator level password in the cloud in your shared services... across ALL of your cloud platforms, AND if you have it local platforms as well.

So if you've been asked to push everything to the cloud because you can. Please remember an adage my team tries to live by. Yes... SURE you CAN do it... but SHOULD you?

Today companies have every **** thing living in the cloud including secure data in just document storage.

We are one big breach away from people realizing how vulnerable their data is. And when that happens the legal system will be FLOODED with corporate lawsuits in the 10's if not 100's of billions of dollars in damages.
 
You know, if you really think about it. This applies to any data on the net, not just cloud. The only difference with the cloud is someone else controls the light switch in the server room
 
You know, if you really think about it. This applies to any data on the net, not just cloud. The only difference with the cloud is someone else controls the light switch in the server room

To some degree yes. I think you can limit your exposure with colo's or as they are called these days 'private cloud' environments. Where the only things not in your control are the... well the power and building access really. Everything else you can buy and control in a colo.

But if your data is on the internet or internet accessible to some degree you have the problem. The issue as I see it is the reliance on cloud and the merging of cloud environments. The only organization that is doing it right is the military that are supposedly getting a private version of the Azure cloud that they define the access levels for. The risk is if they share equipment or if it is completely dedicated.

It's a risk multiplier whenever you have your Amazon Cloud, Google Cloud, Private cloud (colo) and private data centers all linked with fully integrated connections.

I've discussed this with the company I work for and while other parts of the company are using the cloud heavily, and more so the private cloud, the parts that are our core business are kept on premise with multiple hot locations that we control what is allowed in and out. To the point that we have firewalled and a unique network environment to the rest of the business. The only traffic that passes from cloud to internal is limited to exactly the application traffic we approve. Literally nothing else.

For me that's still a headache because I worry about other teams plugging something in that will accidentally bridge the gap. If that happens and isn't caught before it is exploited it's a bad day in paradise.

I think the cloud has it's place. Non sensitive data like private user data isn't a big target and is generally secure on the cloud as long as you have proper ACL's in place. But when you're putting data with $$$ on the cloud, like metadata, or financial data, or contract data and the like, exposing the lists of internal servers and what not... that needs to be dialed back and pulled off of the cloud in my opinion. But the upper levels have all of these assurances it's safe.

When the big hack happens of the clouds that are linked and everyone looses data and suffers the associated liabilities... That's when we will see everyone spinning back up private data centers again as they realize when they don't control the risk... that is the risk.
 
The cloud is "someone else's computer" as opposed to your own. There are certainly benefits to the cloud (getting more/less computing resources on demand, don't have to worry about buying physical hardware) and downsides (cost compared to running it yourself, others being the weakest link in security).

The decision to cloud or not from a security perspective should be determined through a risk assessment and whether or not the residual risks presented are acceptable to management or not. Using the cloud properly/securely, having appropriate enterprise wide change management processes for all infrastructure and not having a shadow IT organization goes a long way towards mitigating those risks. Cloud providers and colos alike go through security audits (SOC 1, SOC 2, ISO, etc.) on a regular basis - these can and should be reviewed as well as part of the risk assessment process.

Of course, very few companies actually have a robust risk assessment process or a complete and accurate hardware/information asset inventory (including classification of the assets), so cloud or not, if the company doesn't know where its crown jewels are (or even what they are), they've got bigger issues than just "the cloud".
 
David i think we are both on the same page more or less. I approach the cloud from a risk view and you approach from a benefit view. And I don't think most management is equipped to properly assess what should be in the cloud. Especially if stock holders are trying to cut costs.
 
Become a Patron!
Back
Top