Managing the cloud's security risks

The security pitfalls of cloud computing can be neutralized with proper planning

Cloud computing is all the rage these days. CIOs seem to be diving into cloud-based solutions with reckless abandon despite the fact that a mistake in planning or execution can have career-limiting effects. So, let's take a moment to balance the benefits against the potential security pitfalls that lie in the clouds.

The really important question is, How safe is your business in the clouds? After all, cloud vendors all aim to put your stuff onto cloud servers, and in most cases, these systems sit outside of your data center and outside of your direct control.

While this may buy you some cost reductions, it carries significant risks. Let's consider the classic triad of information security: confidentiality, integrity and availability.

There's no getting around that putting data onto an external server carries confidentiality risks. No matter what your cloud vendor may promise contractually or in its service-level agreement, if its security gets breached, so may yours.

How do you counter that risk? You can encrypt sensitive data, or you can keep the real sensitive stuff off the server. Encryption can be a viable path for some stuff like off-site backups. Being particularly careful about what goes on the server can help as well, so long as you maintain some level of oversight and control over the day-to-day decisions. That is, if you give your users the ability to store stuff on a cloud server, they're liable to store all sorts of stuff there, blissfully unaware of the security risks.

As to integrity, the risks in cloud computing are relatively small, unless your cloud service provider's security gets breached anyway. If an attacker breaches its defenses and tampers with your business data, then integrity can become vitally important all of a sudden, depending on the nature of the data.

And then there's availability. You're gambling that your data will be available when you need it when you put it in the cloud, betting that the availability won't be eroded by network outages, data center outages and other single points of failure. You can hedge your bet a bit by going with an industrial-strength cloud provider, but you'll pay more. If availability of data is important to your business, then you can't blithely go with the lowest bidder. You need to do appropriate due diligence and find out everything you can about your vendors' availability, disaster recovery and business continuity plans. "Trust but verify" should be your mantra.

Much of this sounds like Information Security 101. To be sure, there's a lot of plain old common sense that should be applied when considering cloud solutions.

At my company, we do use some cloud services and get gobs of value from them. For example, I'm a fan of Apple's MobileMe cloud service. It helps me keep my contacts, calendars, bookmarks, etc., synchronized across my various computing devices. But I'm also careful about the data I put there. I keep business-sensitive information on my local hard drives, and generally encrypted.

I've also found great value in using cloud services as part of my Plan B for mobile disaster recovery. Whenever I travel on business, I always keep an encrypted copy of the stuff I need for that trip out on the MobileMe cloud. If my laptop is stolen or suffers a catastrophic failure, I know I can go out and buy a new one pretty quickly, and then load the mission-critical data I need from the cloud service.

Then, when I return home, I can do a full reload from the more extensive backups that don't leave my control.

It's about balancing risks and benefits. Having the most important stuff readily available to me via a cloud service as I'm traveling is a risk that has sufficient benefit should I need to invoke my Plan B.

Keeping all of my basic contact, calendar and bookmark data synchronized across multiple machines is likewise hugely beneficial.

I don't have any misplaced belief that Apple's MobileMe service is impregnable. Rather, I accept that risk for the value of the services it provides to me.

That's how we should view cloud services in general. It's important to make informed decisions before diving into the latest trend. There is value to be found in cloud computing. But rely too heavily on it, or place your deepest darkest secrets on it, and you're likely to be disappointed.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.

Read more about security in Computerworld's Security Topic Center.


Kenneth van Wyk

Computerworld (US)