Cloud-based applications, whether simple online storage or full-fledged Software-as-a-Service solutions, offer many organizations cost savings, greater employee collaboration and efficiency, and the chance to focus I.T. assets and staff on core competencies rather than systems maintenance. These gains also shift I.T. security processes and risks. The cloud isn't necessarily less safe than on-premise systems, but it is differently safe. Below are the five main areas where cloud applications change how organizations manage I.T. security.
1. Per-User Security and Disaster Recovery Costs Become Transparent
Cloud security is typically priced per user. Many on-premise security products already charge a per-seat license fee (antivirus and anti-spyware in particular), but the cloud equivalents of on-premise server and network security products (protection for file and email servers, firewalls, intrusion detection systems) are also delivered and charged per user, so the per-user cost of what was once a bulk, business-wide purchase becomes obvious. In aggregate, per-user pricing is more efficient, since you no longer pay today for excess capacity to cover possible future growth, but it also makes security costs immediately visible. Email server security is no longer buried in the email budget; it is now a line item for every user.
Similarly, disaster recovery and backup in the cloud are often allocated by per-user storage, which again makes the cost of protecting each user more transparent than ever before. This sudden line-item transparency of per-user security costs can catch I.T. and finance staff off guard, so be prepared with an honest cost-benefit analysis for every cloud-based security measure, especially if you are arguing for security and disaster-recovery tools whose costs (and benefits) go beyond the base cloud application you are considering. You may not be spending more than before, but if the impetus for moving to the cloud was to reduce per-user costs, seeing basic security expressed as per-user overhead will create a temptation to cut it.
2. Data Exposure and Leakage Risks are Reduced
This one seems counterintuitive: how can putting your data on an Internet-accessible server you don't control make it less susceptible to unintended public exposure? Two words: centralized control. With locally stored data, a stolen laptop or lost backup tape is a data exposure time bomb. With cloud-stored data, your critical business information is encrypted at rest by the provider and gated by centrally managed authentication, so the loss of a physical device does not by itself expose the data, because the data doesn't live on the device. (It can still expose cached credentials or an open session on that device, so the ability to revoke a lost device's sessions matters.) Attackers can and do target cloud storage systems, but a careless sales rep leaving a laptop in a coffee shop is a far more frequent event than a successful breach of a major provider. Cloud-local hybrid tools like Dropbox and Google Drive, which keep a synced offline copy of data on local devices, give back some of this advantage. On the whole, the cloud gives you more control over your data exposure risks, not less.
3. Data Monitoring and Backup Systems Become Centralized
When a laptop is disconnected from your on-premise network, the security, integrity and accessibility of the data on it are no longer in your control. With cloud-based storage and applications, data doesn't generally reside on the laptop; it stays in a centrally administered environment where its access and integrity can be monitored at all times. Reporting is centralized, and, provided audit logging is enabled, almost no activity takes place without a log record. Compliance becomes much simpler when your archiving solution has direct access to all data at all times. Moreover, if your cloud data is corrupted or deleted, a cloud backup solution can restore it to the original online application, where it is once again immediately available to all users. With cloud-local hybrid tools like Google Drive and Box, offline changes are reconciled with the online master set only when the device reconnects, but those changes are logged, secured and archived the moment that reconnection happens.
4. Data Access Controls Are Redefined (or Broken) By Online Collaboration
User error is arguably the single leading cause of data loss, both on-premise and in the cloud. Its only rival in some studies is hardware failure, which is exactly the case that cloud redundancy is best equipped to prevent. But removing hardware failure from the picture is not the only reason user error leads in the cloud. Among the primary benefits of cloud applications is the ease of online collaboration and sharing: users distribute one master copy of a document or spreadsheet and edit it for everyone in the sharing loop. By the same token, accidental corruption or deletion of a shared document spreads that loss to every member of the loop. Some cloud applications let you limit access and sharing privileges, and thus limit exposure to mass user error, but the controls are often coarser than those of on-premise systems, and they are only as good as the sharing defaults you configure and the audit trail you actually review.
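The two points above (centralized logging, and a single user's mistake propagating to every collaborator) combine into a simple detection: a burst of deletions of shared documents by one actor. The example below is added here and is not from the original article or any vendor; the JSON-lines log format and field names (`ts`, `actor`, `action`, `doc`, `shared_with`) are assumptions for illustration, since each provider exports its own audit schema, and the sample log is constructed.

```python
"""Flag bulk deletions of shared documents in a cloud audit log.

Added example, not the article's own. The log shape is a constructed,
generic JSON-lines format (one event per line); real providers each use
their own schema, so the field names here are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice deletes three shared files within 35 seconds,
# bob deletes one unshared scratch file. Field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:05Z", "actor": "alice@example.com", "action": "delete", "doc": "Q2-forecast.xlsx", "shared_with": ["bob@example.com", "carol@example.com"]}
{"ts": "2024-05-01T09:00:12Z", "actor": "alice@example.com", "action": "delete", "doc": "pricing.docx", "shared_with": ["bob@example.com"]}
{"ts": "2024-05-01T09:00:40Z", "actor": "alice@example.com", "action": "delete", "doc": "contracts/ACME.pdf", "shared_with": ["carol@example.com", "dave@example.com"]}
{"ts": "2024-05-01T09:03:00Z", "actor": "bob@example.com", "action": "delete", "doc": "scratch.txt", "shared_with": []}
{"ts": "2024-05-01T09:05:00Z", "actor": "alice@example.com", "action": "edit", "doc": "notes.md", "shared_with": ["bob@example.com"]}
"""


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_bulk_deletions(events, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per actor who deletes >= threshold shared docs within window.

    Deletions of unshared documents are ignored: they hurt only the actor.
    Each alert lists the deleted documents and every collaborator affected,
    which is the set of users you would notify (and restore for).
    """
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] == "delete" and ev.get("shared_with"):
            by_actor[ev["actor"]].append(ev)

    alerts = []
    for actor, dels in by_actor.items():
        start = 0  # sliding window over this actor's deletions (already sorted)
        for end in range(len(dels)):
            while dels[end]["ts"] - dels[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                run = dels[start:end + 1]
                affected = sorted({u for ev in run for u in ev["shared_with"]})
                alerts.append({
                    "actor": actor,
                    "docs": [ev["doc"] for ev in run],
                    "affected_users": affected,
                })
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_deletions(parse_events(SAMPLE_LOG)):
        print(f"{alert['actor']} deleted {len(alert['docs'])} shared docs; "
              f"notify: {', '.join(alert['affected_users'])}")
```

The threshold and window are deliberately small so the constructed log trips the rule; in practice you would tune them against a baseline of normal deletion rates, and feed the affected-user list straight into the restore workflow described above rather than waiting for users to notice the gap.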
5. Physical Access Controls Are Largely Lost (Both for Hardware and Personnel)
By definition, cloud applications do not give you physical control over the servers that hold your data. For some organizations, most notably law enforcement agencies with stringent security requirements, this alone will preclude adopting cloud apps. Cloud providers can and do make guarantees about the physical integrity of their infrastructure, but when you adopt cloud systems you concede control of the servers; responsibility for what you store on them, and for who can reach it, remains yours.
By the same token, end-user hardware is under less control after the adoption of cloud applications. Most cloud applications let your users reach company data from virtually any web-connected PC, which means an attacker holding a user's credentials has the same opportunity. An end user's home computer may not (and likely does not) have the same defenses against malware, let alone against unauthorized access, as a PC issued by your I.T. department or confined to your offices. Physical access to the corporate network is no longer necessary for attackers to expose, corrupt or delete your data. Of greater concern, your users can now be targeted for social engineering attacks outside the confines of your premises. Without the oversight and support of company I.T. staff, it becomes more likely that an employee will compromise the security of your cloud data.
What are your greatest security concerns about migrating to the cloud? Do you believe the risks faced by cloud data are higher, lower or simply different than those faced by on-premise data? We welcome your feedback in the comments section.