Perhaps nowhere in business, and certainly nowhere in IT, does optimism abound more than it does in a discussion about “moving to the cloud.” Clouds aren’t always puffy, white cottony things dancing against an azure sky. Sometimes they are terrifying storms that have catastrophic affects.
IT professionals know that systems will eventually fail or get hacked and therefore almost always have back up servers and back up data that’s ready to restore after a failure. Somehow though, this diligence frequently dissipates when planning to move to the cloud.
Remember, “The Cloud” is a marketing term. There is no “cloud”, it is just somebody else’s servers. If you’re thinking of moving your applications or data to the cloud, or even if you already have, you should consider these things:
1. Read your T&C’s: Your cloud provider is probably not responsible for any consequences of a loss of service. If your customer database is (for example) in Microsoft’s Azure cloud services, and something goes wrong, then by the Microsoft online Services Agreement, the most you can collect from Microsoft is what you paid for the service and, of course, they are not liable for any costs you may incur from losing the service.
2. Backup like you weren’t in the cloud: Clouds fail. If you think that once you are in the cloud that you are protected, think again. A group at the University of California Berkley are so keenly aware of cloud fragility that they have proposed “Failure As A Service (FAAS)” to test large scale outages of cloud services. As they point out, “…the computing forecast for tomorrow is ‘cloudy with a chance of failure.’” The internet abounds with stories of epic cloud failures. Azure was down for 12 hours once on Feb. 29, 2012. Cloudflare, a SaaS company, went down for an hour on March 3, 2013 and took 785,000 client websites with it. It happens, and your business continuity planneeds to cover it.
3. Encrypt everything. What do you really know about where your data is stored and how protected it is from others? A Ponemon Institute report on data breaches revealed that 66 percent of the respondents of the 613 IT practitioners questioned believed that their organization’s use of cloud resources diminished their ability to protect confidential or sensitive information. Interestingly enough, the same investigation reveals that 51 percent of the same respondents said that their in-house IT was equally or less secure than cloud-based services. In other words, they weren’t satisfied with their in-house IT security, but felt even worse about security in the cloud.
4. Be aware of the “Cloud Multiplier”: The same Ponemon report suggests that there is a “Cloud Multiplier” effect to the cost of a data breach. Their research shows that the cost of a breach of 100,000 records from the cloud would almost double to $5.32 million versus an average cost of $2.37 million for the same size data breach from in-house servers. A separate report by Ponemon identifies “extensive cloud migration” as a contributing factor to the cost of data breaches.
5. Move routine data to the cloud – keep sensitive data in-house. No one cares about protecting your sensitive and confidential data and your trade secrets as much as you do. Don’t delegate protection of company critical information to someone else.
6. Use cloud services for back up. The cloud is a perfect back up location, especially when you need backups in a hurry (like when your system is hit by ransomware), but make sure that your data is encrypted before it is moved to the cloud and make sure your keys are accessible without your primary system being online.
The conveniences that cloud services bring to industry mean that it is here to stay, but those of us that are responsible for the security of our business’s data should be aware of the unique risks of cloud use and make plans for mitigating those risks. Like almost everything that provides convenience in our lives, an over reliance on that convenience can create even greater hardships during emergency situations.