There are still many myths about cloud services. The most persistent are those related to information security. Data protection and privacy are often considered key risks when storing personal data in a cloud. Hacker attacks and reports of mass data leaks from free file sharing networks that do not adequately protect their cloud environment, only add to the mistrust in cloud services.
While cloud security remains a top concern, in reality, public clouds are far more secure than your in-house infrastructure. And even that the total number of information leaks is increasing, this is not due to poor protection of technical channels. Most providers use reliable equipment and the best security solutions. In fact, a significant percentage of reported leaks are caused by activities of dishonest employees of the companies, which use cloud services.
Kaspersky Lab experts conducted a survey and calculated that human errors triggered by social engineering are the main cause of corporate data leaks from the clouds (about 90% of cases). That is, most often the root of problems is not at all on the side of cloud providers. Data was collected based on the survey of 6614 IT professionals from 29 countries.
Cyber-incidents in the cloud, on the contrary, are more likely to occur because of internal reasons. Thus, only every tenth (11%) data leak from the cloud was possible due to some or other actions of the provider, while a third of all cyber incidents in the cloud (31% in Russia and 33% in the world) occurred because of the trustfulness of company employees caught on social engineering techniques.
Ensuring Data Security in Cloud Computing Environments
In the cloud, a high degree of control over access to the infrastructure reduces the risk of leaks caused by human factors. Data is encrypted and is stored on a remote server. It is not easy to extract information from the remote server and share it with third parties. Access to the data center is controlled by various technical means, including biometric identification of the provider's employees who enter the data center building.
The local infrastructure of many companies is less effectively protected, and this causes many incidents. One of the key reasons for leaks in companies includes devices left unattended, lost data carriers, and sensitive data stored on a laptop.
Compared to corporate infrastructures, public clouds are predicted to be 60% less likely to face attacks. This proves once again the idea of a high level of cloud security, which includes security features such as firewalls, DDoS attack detection, and blocking; automated monitoring, integrity monitoring, and security event auditing to find vulnerabilities in the internal infrastructure. To detect new, constantly emerging vulnerabilities, various scans are regularly performed. These systems provide customers an appropriate level of security.
As for the security of personal data storage and processing in the cloud, these processes are regulated by the Federal Law No. 152 “On Personal Data”. According to the law, for storage of the personal data, a certain level of security of this data should be provided. In case of placement of personal data in the cloud infrastructure, it is necessary not only to comply with the security requirements of the cloud platform itself but also to introduce certified security features for the information system of personal data itself.
The cloud for storing personal data is an architecture, which includes means for perimeter monitoring and access control to the platform, means for its protection and separation of virtual segments of customers, as well as antiviruses for all platform components. In addition, systems for information security of the application used for data storage and processing should be implemented. All protective means must be certified by FSTEC or FSB. The certificate for the cloud platform demonstrates that it meets the regulator's requirements for personal data storage systems up to Level 3.
Data Security in the Cloud is a Shared Responsibility
While it is the responsibility of the provider to ensure control and its implementation in their cloud systems, it is also the responsibility of the customer to check that these means are appropriate and comply with regulatory requirements. In general, using cloud services means sharing the responsibility for data security. The provider is responsible for compliance with security measures, while the customer for ensuring that these measures are adequate to protect their data.
Typically, the provider and the customer conclude a service contract that details the areas of individual liability of each party as well as those of joint liability.
Conclusion
Clouds give companies numerous advantages. They are convenient, especially for those who do not have the resources or time to build and maintain their own IT infrastructure. However, when considering migration you should understand all the security risks that this entails.
No system is 100% secure, but the cloud infrastructure is getting close to that goal. Data in the cloud is stored securely, but organizations still need to take steps to ensure that everything runs smoothly.
If you have any questions regarding effective cloud implementation in your business, or how to optimize the performance of cloud services and reduce costs, please contact us by phone, email or online chat and we will be happy to help you.
