Cloud Storage Security Isn't as Solid as Vendors Want You to Believe

 
 
By Lisa Vaas  |  Posted 2012-05-15
 
 
 

Cloud Storage Security Isn't as Solid as Vendors Want You to Believe


In cloud storage land, it's all roses, sunny skies and rock-solid security with fewer employees frittering away less time on securing data€”that is, if you trust vendor-funded studies.

For example, Microsoft released on May 14 a study that shows that 35 percent of small and midsize businesses have experienced higher levels of security in the cloud. (Whatever that means; I requested the full study to seek more granular detail, but neither Microsoft nor study preparer comScore had answered by the time this was published.)

Security management time for these lucky organizations is also reduced by 18 hours a week, according to comScore's report summary. However, does that mean per information security professional or per company? This isn€™t explained.

But how does that compare to noncloud SMBs? The surveyed SMBs told comScore that they spent an average of 19 hours per week managing IT security, compared with noncloud SMBs, which on average spent 25 hours.

So that means that before they move storage into the cloud these SMBs spent a whopping 37 hours per week (19 plus the reported savings of 18 hours = 37 hours total) managing security, compared with the 25 hours that noncloud SMBs spend.

Does that mean that cloud users are in the habit of spending so much more time managing security than their noncloud peers? Does it mean they're more frequently victimized by cyber-threats? Does it mean they're somehow not doing security right?

These results might point to a large number of SMBs turning to cloud because they're simply overwhelmed by the task of security management€”small wonder, given the amount of time it's sucking up for them.

This hypothesis is backed up by the fact that 41 percent of the surveyed cloud users felt that their cloud service provider was "entirely responsible for information security," according to the report summary.

The numbers paint an image of overburdened SMBs, desperate to offload their entire security burden to somebody else. Fortunately, a larger number, 57 percent, felt they shared responsibility with their cloud provider.

And that's exactly where organizations' heads should be when it comes to cloud storage security, because you just can't wipe your hands clean of certain elements of cloud security. As the report notes, organizations that turn to cloud still need to retain, for example, responsibility for client security.

It's in cloud service providers' interest, of course, to spin the data to show that security worries about embracing cloud storage are easing. Left out of the service providers' rosy picture, of course, are situations such as the MegaUpload debacle, in which millions of users who stored data on the file-sharing service faced losing their documents forever when the law shut the site down for copyright infringement.

Interestingly enough, when Sophos polled conference attendees about cloud storage riskiness at Infosec Europe in April, 64 percent of the respondents said they thought that cloud storage is risky, but 45 percent said they still went right ahead and used it.

Protect Yourself by Encrypting All Data Stored in the Cloud


In general, people who attend security conferences are more attuned to security risk than those who do not, so I'd trust their perceptions over those reported in a cloud service vendor-funded study. But then again, security vendors make their money off of security risk, so mix the results of surveys together, add a dollop of your own real-life experience and see what floats to the top, credibility-wise.

One of the biggest takeaways from the Sophos survey was that employees use cloud even when its security proposition is iffy and even when they don't have their bosses' permission. It's just too easy to exchange and share and store files in the cloud; you can't expect people to pass it up.

Chris Pace, a product specialist at Sophos, said you've just got to assume that users will take advantage of cloud services and prepare for the technology's inherent security vulnerabilities. Otherwise, ungoverned employee use could lead to data compromise.

His thoughts are that one of the most essential components in organizations' responsibility for securing data that goes to the cloud is file encryption that's done before the data leaves their grasp. The user gets a password to decrypt and the business keeps the keys. "It's their data, after all," he says.

Whether businesses are using cloud services without official sanction, thanks to employees, or whether they're using cloud because they (wrongly) think cloud will solve all their security problems, all organizations should be aware that all cloud services are not created equal.

Symform, provider of cloud network services, offers a few security issues to consider when choosing a service provider:

  • Some clouds encrypt your data while it's in the cloud, but leave it in the clear while it€™s being transported.
  • Others, though they encrypt the data before storing it, transport the data to their data center via a single Internet connection, creating a single point of attack and potential failure.
  • Cloud providers have distinctly different ways of generating, storing and managing encryption keys.

Pace recommends these other, simple precautions:

  • Web-based policies using URL filtering;
  • application controls that can be applied to cloud products; and
  • data encryption that provides a layer of security across the board.

To which I would add one more bullet point:

  • Keep backup copies of data uploaded to the cloud, lest you get MegaUploaded.

 

Rocket Fuel