Should we be afraid of the big bad Cloud?
23 05 2018
In the vast forest we call the Internet, we Little Red Riding Hoods have had plenty of time to map out the best paths to follow. Nowadays, our online adventures and transactions generally run smoothly. But over the last ten years, a new character has stepped out of the shadows, appearing like our well-meaning grandmother: the Cloud, kindly offering to store our data online and make it easier to use software and storage space. However, none of this happens without a certain air of suspicion... So, why is the big bad Cloud so scary?
Worry over the Cloud stems from that primary human fear of losing control when outsourcing and leaving ourselves vulnerable to potential hacking. Accessing information and apps anywhere, anytime, and on any device, means we have to agree to store our data on someone else’s server, somewhere else in the world - often, without even knowing exactly where. According to the Computing Cloud Report 2018, nearly 90% of respondents are concerned about security breaches and other data loss in the Cloud environment. What lies behind these fears is a simple reality: one security flaw alone can lead to the theft and disclosure of millions of pieces of information, as we saw in the unfortunately notorious cases of Yahoo and Twitter (to name a few). The concept of trust is, therefore, essential. Four years on from the stolen celebrity photos scandal and five years on from Edward Snowden’s revelations, which decidedly tarnished the Cloud’s reputation, trust in the Cloud is once again on the rise. Though the threats haven’t disappeared, the idea that risks involved in using the Cloud can be managed is starting to make its way into our consciousness.
Cloud Act vs. GDPR
The Cloud Act, signed into law by Donald Trump at the end of March, brought to light the ghost of data interception on transatlantic digital platforms, which Edward Snowden previously put into the spotlight. The Cloud Act would provide a legal framework for institutions to collect personal data hosted on American servers, including when data centres are physically located in Europe. Given the leading Cloud and SaaS providers (Microsoft Azure, Amazon Web Services and Salesforce) are based in the United States, any concerns we may have around the confidentiality of this valuable data aren’t entirely unwarranted.
But do we really need to worry? The Cloud Act appears to provide a set of measures to ensure data access isn’t savagely attacked, particularly by introducing prior agreements with the countries involved. It’s still too early to tell how these agreements will be effectively put in place, how individual freedoms will be guaranteed and how the provisions of the General Data Protection Regulation (GDPR) will be upheld within the framework of the Cloud Act. Let’s hope that European opinions are properly respected and that our data won’t be freely exposed to prying transatlantic eyes with impunity.
New regulations, new benefits
Since January 2006 in France, a decree related to hosting personal health data has set out the initial requirements for service providers storing medical data. In particular, it established the need to obtain permission to host this type of data. With the ‘Secure Cloud’, then ‘SecNumCloud’ benchmarks, the ANSSI (French National Agency for Digital Security) embraced the topic within France, before launching a new Franco-German standard for trusted Cloud services at the end of 2016, the ‘European Secure Cloud’. With these regulations, and now the GDPR, will the big bad Cloud now find itself on the end of a tight leash? At cybersecurity conferences taking place across the Atlantic, the key issue on everyone’s lips is about being able to adapt European legislation to remain compliant whilst keeping customers on board. The real advantages of the Cloud need to prove they outweigh the disadvantages.
And there certainly are a lot of advantages! They begin with the money saved by renting servers and software from outside the company, rather than purchasing them outright, as well as gains from the fact that IT system updates are no longer the responsibility of the company, but rather the operators of the servers they’re using. No need to take your site offline for updates or resort to expensive equipment replacements. No need to worry about maintaining operating conditions, or having to deal with security vulnerabilities: service providers handle issues most of the time, keeping the site operational 24/7.
There are also enormous benefits in terms of scalability. In the same way a Netflix user can easily upgrade or downgrade their subscription from one month to the next, services can be stepped up without having to face the laborious migration issues that come with installing new server hardware. Scalability is also being refined, with Cloud models monitoring consumption on demand. In contrast, we can also avoid paying for unnecessary resources when there’s a reduction in the number of services required. In just one click, the required power and usage can be changed. With its Pay As You Go offer, for example, Stormshield provides the opportunity to adapt your consumption of security services according to the volume of assets that need to be protected and the processing power of virtual firewall appliances.
A valuable collaborative tool
But, above all, the Cloud is a must-have asset for businesses, primarily as a collaborative tool. Available in both fixed and mobile setups, open to company ecosystems and accessible from any terminal, the data and applications hosted in the Cloud are all part of the exchanges, agility and performance of the organisations using them.
To secure their applications and information available anywhere in the world, security managers are now implementing the same levels of protection as they do with their traditional company boundaries, especially with virtual firewalls placed within Cloud infrastructure. The encryption of data stored online also provides proper protection. Whilst it’s true this can limit certain collaborative features, it also prevents any illegitimate access whatsoever to data should a Cloud Provider be compromised. It also responds to the challenge of unwanted data interception by the Cloud Provider (particularly in the context of the Cloud Act). Some situations may dictate these precautions – for example, imagine data related to a merger/acquisition between two companies where accidental disclosure of the deal could lead to insider trading or legal proceedings. If the need for constant global access to information is there, it's always better to encrypt information in the Cloud. Once again, solutions do exist, such as Stormshield Data Security for Cloud and Mobility, which allows users to encrypt data stored within outsourced applications, while retaining their own decryption keys, as well as completely avoiding those of the Cloud Provider. The NSA will have to try again...
Whatever the devices and technologies involved, the risk of hacking will never go away. But it would be absurd to simply avoid the Cloud at all costs in the name of some unrealistic corporate fantasy of sanctuary, just as it would be a mistake to imagine the big bad wolf doesn’t exist, or that our big online forest is totally free of danger. At the moment, good IT security requires knowledge and careful analysis of the risks involved with the systems and applications in use, as well as introducing appropriate protective measures, whether as a secure wall around the physical business or in the Cloud. And in weighing up the pros and cons of migrating to the Cloud, the trend is for the pros to prevail – when implementing adequate security solutions, of course.
Thanks to Franck Depierre, Cloud Offer Manager, Jocelyn Krystlik, Data Security Product Marketing Manager, and Stéphane Prevost, Product Marketing Manager at Stormshield for their invaluable help in writing this article, in collaboration with Usbek & Rica.