Many companies are moving en masse to the “cloud” these days. It’s an amorphous term that refers to using a shared network, usually the Internet, to save costs and increase efficiency. It often makes sense financially. Rather than operating your own data centers or owning servers, why not rent those of a company that specializes in that area and focus on your core business? But with the recent breach of Microsoft 365, where it was used to send infected ransomware emails to a large portion of its user base, one has to wonder: does it make sense from a security standpoint? There have been many other less publicized breaches, and given the increasing popularity of this technology, it would behoove us to take a moment to evaluate it on those terms.
Let’s look at some of the security challenges for cloud services. First of all, they will generally have a larger attack surface exposed to the Internet than private servers hosted behind a corporate firewall. By their nature, cloud services must be available from a wide swath of the public Internet. Application servers often sit at the edge of the Internet with little to block unrestricted access. Setting up a DMZ, while possible, is more difficult in the cloud than with a private server that can be put on a separate physical segment with only one firewall interface in or out.
Second, because the services are usually at least partially shared, they will have a large user base and more generic security rules than a service run just for your company. These rules are often dumbed down for general use. An example is the password self-service that most cloud services offer, which lets users reset their password with a simple click that sends them an email with a reset link. This means that if your email gets hacked, it is easy to own every cloud service that you subscribe to. If you are the administrator of an Office 365 domain for your company, that can be quite a significant breach. Authentication is problematic too. When you control your computing environment, you can count on using physical location as an additional authenticator (not allowing logins remotely). You can also implement more stringent controls, such as dual-factor authentication, for certain sensitive services or areas. Your cloud provider may not give you options and flexibility on these important elements. Kudos to Amazon Web Services, which offers token-based dual-factor authentication for its virtual server offerings, but it is not mandatory or universal for its entire service platform yet.
Finally, this latest high-profile incident illustrates a further danger to services in the cloud. When viruses sit on cloud servers accessed via a web browser, traditional antivirus and anti-spyware tools don’t help as much. The files and links sit on a remote server that you don’t control and your local protections can’t scan. You must rely on the vendor to provide those services. Many do, but if they are incomplete or not up to date, lapses can happen. The Microsoft incident is just one example.
So, bottom line: can you depend on the security of cloud services? The answer, frustratingly, is that it depends on how you are using them and on your specific vendor. First of all, what are you using the cloud for? Just email, or entire data center operations? Do you use the public cloud or a private cloud? What security protections does the vendor offer? Don’t take the vendor salespeople’s word for it. Talk to the technical staff and get detailed answers. Apply additional controls to protect you if the vendor’s fail. And in the end, if you aren’t comfortable with the vendor’s answers, reconsider your cloud strategy or find a vendor you are comfortable with. So, in conclusion, it is possible to be secure in the cloud. Just don’t let your head get stuck in the clouds: ask the right questions and get the right answers before deploying.