- Public clouds: These are owned and operated by a third party and delivered on the internet. All hardware and software are owned by the provider. Therefore, in using a public cloud, hardware and software that you use is shared with other organisations. A public cloud is often used to provide online office applications and storage.
- Private clouds: These cloud deployments are, as the name would suggest, not available to the general public and used exclusively by one business or organisation. Services and infrastructure are always maintained on a private network and are dedicated solely to your organisation. This is often used by government departments, but also large organisations with a view to enhancing its control over the environment.
- Hybrid clouds: These combine private and public clouds. Data can move between private and public clouds. This could improve flexibility and allow for more deployment options. Sensitive data can be secured on a private cloud, whilst email applications could be kept on a public cloud.
Below, we have a section that goes into greater detail about security and cloud computing:
A model for Securing Cloud Workloads (Image source: C2 Cyber)
Is cloud security important?
- The on-demand availability of computer resources, particularly data storage, is a key advantage in using cloud computing systems. As the user, you generally don’t need to do any active management of the data once it is in the cloud. If devices are lost, stolen or broken, data can still be recovered if it is stored remotely.
- The security is centralised - Corporate networks operating through the cloud are made up of many devices that can sometimes be difficult to manage, especially in terms of BYOD or shadow IT. Centralized management can help you improve traffic analysis and web filtering, for example.
- Time and costs savings – Cloud computing and security allows you to eliminate your need for investment in specific and dedicated hardware. Thus, your capital expenses will be reduced as well as those in administrative overheads. Using security in the cloud gives you proactive security features and constant protection with little or no human intervention.
Although these advantages are clear, cloud computing does pose privacy concerns. A provider of the service can access data at any time. Not only does this mean that data can be accidentally altered, but it also means that sensitive data which is held in the cloud on your company can be compromised. Some of the other main threats posed by cloud computing include hardware failure and interfaces that aren’t secure.
Below, we have some recommendations for you to consider when choosing a provider of a cloud service and using it to share files.
Identity and access management: In order to control access to information, organizations must have an Identity and Access Management (IAM) system that combines multi-factor user authentication and access policies. So, you can control who has access to your apps and data, what they can access, and what they can do to your data. API security can be one tool of identity and access management, especially with Single Sign-On (SSO).
Identity and management technologies include, for example, password management tools or reporting and monitoring applications. Identity management systems are available for on-premises systems like Microsoft SharePoint and for cloud-based systems, such as Microsoft Office 365.
Check the provider: The provider of the cloud service must ensure that their infrastructure is secure and that their clients’ data and applications are protected. It is your responsibility to check that a potential provider has necessary protections in place. You could do this by conducting an open source intelligence (OSINT) exercise, which would give you the results you need, but can be fairly time-consuming, and may only give you a snapshot of what kind of security a provider has in place. C2’s vendor risk management (VRM) platform, COBRA, automates OSINT and carries it out continuously. This can quickly provide you with intelligence on different possible providers and can then compare possible vendors with a comprehensive grading system. This will help you to assess how secure a potential vendor’s cloud computing platform is, before you make a decision as to which service you choose to adopt.
Encryption: Regardless of the protections a cloud service may offer, at C2, we recommend that your company addresses these risks by encrypting data stored in the cloud, preventing any unauthorised access to sensitive information on your company. You can also introduce systems which distinguish between authorised and unauthorised users. This will help to determine who is eligible to see what data on the cloud. The need for Privileged access is not aligned with seniority, so you will have to consider carefully who in your company ought to have access to what data. To find out more about this, you can have a look at our blog on multi-factor authentication. For example, a CEO should not use an account with privileged access rights as their BAU credentials. This helps avoid issues arising from ever more sophisticated phishing attempts.
C2 recommends that you address the risks posed by using cloud computing to store data by ensuring that a provider has levels of security which are adequate for the data your company is planning to store. Once in the cloud, C2 also recommends that you put in place an encryption system to stop any data from being compromised should the clouds own security systems fail. Your company must also consider introducing a robust authentication system, so that data can only be seen by those that have the authorisation to see it. Data privacy laws are increasingly demanding these risks be actively managed, through Data processing impact assessments (DPIA in the EU) and their equivalents across the world.
Contact us to learn more, or to discuss how C2 Cyber helps organisations across the globe secure their data when in their supply chain (Cloud or otherwise).
Do you want to read more content? Click here!