Securing the Australian Cloud: Privacy and Security Requirements for 2014




Cloud technology has entered our lives with a set of new solutions for facilitating our everyday and professional activities on the web, but its growth has always been followed by certain “dark” implications. No popular trend, regardless of its potential, seems to come flawless and, in the cloud’s case, the major flaws are the questions of security and privacy.

Apart from various benefits in terms of data access and storage, the Internet and the great information revolution it triggered have also brought some new possibilities for unauthorised data access and its potential misuse. The creation of people’s online selves and the trend of moving astonishing amounts of personal information online encouraged a wave of fraudulent activities, the aim of which was to obtain users’ personal and otherwise sensitive data. Thus, cybercrime has become a constant danger for internet users, who grew aware of its importance and kept seeking out ways to protect against it.

Cybersecurity is a particularly sensitive issue when it comes to an enterprise setting. Corporate data is the backbone of every company’s development and no serious business should ever risk losing it. Even in the pre-Internet era, data security was one of the primary focuses for large enterprises and now, with the development of new technologies, security systems need to keep pace with mass digital data generation.

Corporate Data Value and Cloud Hosting Threats

The cloud, as an emerging system of managing online information, has multiplied the possible risks of cyber attacks, which seems to correspond to the following rule: the more data gets transferred via the web, the more opportunities black-hat hackers have to intercept it. Therefore, it is clear why such problems became an ominous shadow of the cloud’s growth and why they have always been a burning issue in the enterprise setting.


In addition to old fears of the cloud, the recent leak of classified data about US National Security Agency activities has further shaken trust in public servers as a place for storing enterprise data.

As reported by the Information Technology and Innovation Foundation back in August, these leaks could cause a 20% loss of U.S. companies’ market share to foreign competitors because enterprises worldwide would no longer feel as comfortable trusting their data to US-owned companies.

This situation obviously applies to U.S. cloud service providers only, but it has a direct impact on cloud users worldwide and increases awareness of the importance of choosing the right cloud hosting provider. European cloud hosts have seen this as an opportunity to position their services as new storage solutions in the African market, while Australia keeps pushing local companies to store critical data in Australian-owned data centers.

Cloud Data Privacy in Australia

Australia is among the countries that have great confidence in the cloud, but companies remain concerned about the exact physical location of their data. Although the Australian government has less legal power to access users’ private data than the US government, privacy and security are still quite sensitive issues in the region. This is why Australian companies, and the government sector in particular, need to remain loyal to local hosts and make sure their data protection strategies are well-developed.

As pointed out in the Privacy and Cloud Computing for Australian Government Agencies guide from 2013, “agencies need to be aware of their privacy and security obligations, conduct a risk-based analysis of their information, and ensure that the contractual arrangements they enter into with ICT providers adequately address their privacy obligations.”

Similar to the government agencies, businesses in Australia must also be aware of the potential threats and risks of storing data on public servers, especially if they are outside the country. By trusting data to foreign vendors, Australian companies risk making it subject to international laws that might even include foreign government surveillance.

This was one of the major points in the Australian Department of Defence publication, where the Defence Signals Directorate strongly encouraged Australian agencies to “choose either a locally-owned vendor or a foreign-owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders. Note that foreign-owned vendors operating in Australia may be subject to foreign laws such as a foreign government’s lawful access to data held by the vendor.”

Since no official laws prohibit Australian companies from using offshore clouds, there still exists a possibility for their data to be exposed to international government agencies even if they are Australian-owned. To ensure full security of their data, companies must be well informed about the possible security vulnerabilities of the cloud, especially with regard to Australia’s rapid shift towards cloud solutions.

Therefore, it is reasonable to expect that security and privacy are to remain important matters of consideration for Australian businesses. Neil Campbell, Dimension Data director, noted that the year 2014 is to become the year “that everybody becomes ‘cyberfluent’” and added that “security conflicts will become more the norm and this will have a powerful influence on the perceptions of business leaders.”

Security Issues and Users’ Demands

Different studies that were carried out over the last few years confirmed that security was one of the major inhibitors to implementing cloud-based business applications in companies all over the world. In Australia, as well as in all the other regions, protecting critical data is a matter of a long-term strategy.

An efficient data protection strategy is the responsibility of every company, and the first steps towards it are choosing a reliable provider and determining the sets of data that would be sent to external servers. On the other hand, cloud service providers should introduce adequate measures to ensure maximum server performance and implement advanced security systems that would minimise the possibility of security breaches on the server side.

Therefore, securing the cloud is a two-way street: both clients and service providers must be equally aware of their responsibilities and focus on strengthening security practices. Considering the cloud’s proven vulnerabilities, there are several key security prerequisites that should be fulfilled.

DDoS Protection

One of the major trends connected to the mass adoption of cloud technology is the increase in the number of Distributed Denial of Service (DDoS) attacks. As Australia is currently one of the leading cloud adopters, this issue is especially important for the stability of national companies.

As the number of enterprise tenants on cloud servers increases, these servers are becoming a more frequent target for hackers, which makes advanced protection against such attacks a requirement. DDoS attacks can be highly detrimental and can potentially take down a transit layer (upstream network provider), even when the actual target of an attack is a single client.

Therefore, web hosts need to provide active server monitoring and constant backups, and hire highly professional staff who know server configuration in detail and react as soon as unusual activity is noticed.

Access Authorisation Regulations

Most cloud vendors have a team of employees who are authorised to access users’ data for security reasons. Even though this is generally a healthy security practice, end-users do not always feel comfortable with having external staff accessing their data. This makes it obligatory for cloud providers to introduce access authorisation regulations and ensure the highest possible reliability of the staff in charge of handling users’ data.

To be a reliable host, a cloud service provider must organise adequate training for its employees, who need to be savvy with both technology and security practices. Raising awareness of the importance of data security among the employees is also mandatory, and so is introducing regulations to which personnel must adhere when handling user data.

When it comes to clients, they are also expected to meet certain requirements in this respect. Similar to providers, client companies need to implement stable data protection measures, especially in BYOD settings, where it may be highly difficult to monitor who accesses data and from where. Thus, the companies that heavily rely on mobile policies need to ensure their employees access corporate data via secure networks only and require user authentication for every access attempt.

Encryption Standards

Data encryption is one of the most potent ways to secure sensitive data both in transit and at rest. Considering recent developments in the cloud, encryption has practically become a standard for both service providers and client companies. Dave Frymier, chief information security officer at Unisys, recently pointed to the importance of encrypting cloud data not only as a means of protection against government surveillance but against malware as well:

“When you look at the increasing sophistication of malware, it becomes apparent that you need to establish highly protected enclaves of data. The only way to achieve that is through modern encryption, properly implemented.”

However, introducing encryption standards may be a challenging task for cloud hosts considering the volume of data that is generated in large organisations. The major problem that arises is encryption key management, which may require considerable investments and strategic planning. From this perspective, encryption may appear as a complex issue for many companies, but it is certainly one of the key activities IT departments should work on.

Security Focus for 2014

Being a critical issue as it is, security must definitely remain the focus for cloud service providers in 2014. Australia and other world regions that have high cloud adoption rates must specifically encourage implementation of strong cloud security practices in order to ensure the best possible service for end-customers. When it comes to the Australian cloud hosting industry in general, it should definitely keep working on improving the offer in terms of security, and set the following tasks as a priority:

  • Providing encryption as a standard practice in more services
  • Raising general user awareness of the best security practices
  • Introducing international cloud security standards

Though this may appear easier said than done, the steps outlined above should be seen as a key factor of securing the Australian cloud over the next few years. By eliminating security as an obstacle for moving to the cloud, local providers can substantially increase growth opportunities for businesses of all sizes and contribute to general economic stability.

Conclusions

The advent of cloud computing has posed a variety of new challenges for both end-users and service providers but, as it matures, some important issues seem to be more easily resolved. Security and privacy remained the major disadvantages of the new technology and many improvements can be made in this respect. However, as long as more people are willing to learn about these problems, more things can be done for their elimination.

Obviously, these two issues should not be taken for granted and it is a task for all cloud users to do their share in coping with them. Australian companies have demonstrated a great understanding of the cloud’s potential and they must keep on expanding their knowledge about it in future.

While cloud hosts need to follow the highest security standards, clients should invest greater efforts in improving internal security strategies, a part of which is definitely choosing a suitable provider.