In 2019, moving your data to the cloud is no longer a revolutionary concept. While five years ago the cloud might have been new and thrilling, these days the cloud is normal, standard and run-of-the-mill. Businesses everywhere that have migrated to the cloud have discovered major success: their data is faster, cheaper and most importantly safer — or is it?
In the past, the cloud seemed like a safer option to businesses petrified of data breaches. Indeed, cloud storage providers could offer much more robust security than the average small business, which often lacked a full-time IT security specialist on staff to keep data safe. However, these days data security is easier for the average business to obtain. In the meantime, has cloud security improved accordingly, or is it becoming smarter for businesses to take their data back?
2 Types of Security Gaps in the Cloud
All issues regarding cloud security fall into two broad categories:
- Security issues faced by cloud providers
- Security issues faced by customers
Generally, businesses are much more nervous about the former category. Cloud computing feels less secure than storing data on-site because it requires companies to send valuable data and applications to servers that they don’t control. If a business is going to trust a third party with their data, they want to be certain that third party will do its utmost to keep their data safe.
However, the truth is that the vast majority of insecurity in cloud computing lies with cloud customers, or businesses. It is at a cloud’s endpoints, i.e. its users, where most attacks occur — where cybercriminals can spy on security questions or steal passwords. A Kaspersky study found that 90 percent of cloud breaches occur due to employee mistakes, not some exploit uncovered by the cloud service provider.
In truth, certified cloud service providers tend to have outstanding security measures in place. Baseline protections include systems like authentication, access control and encryption. Attacking a cloud service provider directly is unlikely to yield positive results — which is why cybercriminals typically turn their attention to businesses. In comparison to a cloud service provider, a business is veritably riddled with vulnerabilities for one major reason: human error.
People make mistakes frequently, and in computing, mistakes can result in insecurities that permit access by malicious hackers. Common mistakes include sending valuable data through unsecure messages, like instant messaging or email, as well as clicking on compromised links or connecting to unknown networks or devices. These actions give attackers crucial information about a business, including login credentials and passwords, which might compromise the security of the cloud.
Not all employee mistakes are made with the intent to harm; in fact, most are due to lack of understanding of cyber security or else laziness and apathy. It is a business’s responsibility to properly educate and engage their staff to reduce this threat and close potentially gaping vulnerabilities in cloud security.
Other Risks Associated With the Cloud
While most insecurities are the result of user error, there is at least one major risk that businesses have little control over: privacy. Data doesn’t have to be stolen or published to be viewed by individuals unauthorized by companies. That’s because governments can legally request information from the cloud, and they do — every year, tens of thousands of requests of user data are sent to Google, Microsoft, Amazon and other cloud service providers. It is the responsibility of the cloud service provider to field these requests, and often, they comply at least partially. Government access isn’t limited to the nation where the cloud service provider operates, either; foreign governments can make data requests, too, meaning business information might be spread around the world.
Some cloud service providers have released statements about how they intend to handle privacy with regards to government requests. For instance, Microsoft promises to alert users to government access and to remain transparent with the public as well, informing everyone what types of data the government is after.
There is little that cloud customers can do to fight breaches of privacy due to government access — aside from supporting privacy advocacy and contributing to efforts to fight the established law. Additionally, businesses might opt to use cloud service providers with stated stances against blindly submitting to government requests.
The truth is that the cloud is and always has been insecure — but that’s not because cloud service providers are dropping the ball. Companies need to be careful to choose cloud service providers with strong reputations for security, but more importantly, businesses need to ensure that their own employees are bolstering the security of their data. Then, the cloud will be safe in 2019 and beyond.