Other issues in this category (93)
About cloud security: How is responsibility shared between the customer and the provider?
Thursday, May 11, 2023
Companies are switching to cloud technologies in search of a more cost-effective, scalable and convenient solution for storage and processing data. The number of migrations has been growing, and the performance and functionality of cloud solutions have been improving, but the security issue remains relevant. The main threats in the cloud are associated with theft and data loss, the hacking of accounts, holes in interfaces and APIs, DDoS attacks, insider activity, the possibility of hacker penetration, and downtimes due to the provider's fault.
Cloud service providers are responsible for infrastructure security. They host servers in data centers. These are rooms, well protected from access by outsiders, that are equipped with reliable fire-extinguishing, air-conditioning and power-supply systems. Data center employees who have direct access to equipment cannot retrieve data, since the virtual machine is not stored on one particular server but spread throughout the pool of resources.
To protect files from being copied while they are transferred to the cloud, as a rule, the TLS protocol is used. Encryption, authentication and key exchange are used to ensure a secure connection. Customer files uploaded to secure storage in the cloud are not decrypted on the provider's servers. Therefore, fraudsters, even if they get access to those files, will not be able to decrypt them.
The high fault tolerance of the cloud is achieved by reliable equipment, and a variety of automation tools can reduce idle time and minimise data loss. In addition, a cloud provider can offer tools for backup, data recovery and monitoring. However, if a customer completely shifts security responsibilities to their provider, this can present a serious risk to their business. Ideally, they should work together to create the most secure data-storage and data-processing system.
The Anti-virus Times recommends
- It is important to ensure controlled access to corporate data through the authentication of legitimate users and their authorisation based on roles and access rights.
- The data most important for the company should be encrypted to make it unavailable to attackers in case of theft or leakage.
- Rooms where corporate data is stored must be securely closed and protected from unauthorised access.
- It is important to have data backups so that when unforeseen situations happen (i.e., cyberattacks), they can be restored and employees can continue their work.
- Anti-virus software should be updated regularly.
- All employees should be trained in the basics of cybersecurity to exclude the human factor as the cause of data leakage.
- It is important to monitor and analyse access to corporate data in order to promptly respond to any suspicious actions or violations.
- It is essential to make sure that external partners who have access to corporate data ensure its security at the appropriate level.
- Before choosing a cloud service, it is important to carefully analyse corporate security requirements and determine which data can be transferred to the cloud for processing, and which would be better left on one’s own servers.
- When choosing a cloud service provider, it is important to track the server uptime (objectively, it cannot equal 100%, but for big decisions there is the rule of four or five nines, i.e., the server is available 99.99% or 99.999% of the time), especially if stopping its operation can lead to serious losses.