The providers of Cloud services are gaining lots of small and mid-sized business clients because of their inherent convenience. Such customers generally lack the staff to create and maintain a secure data infrastructure, which is a selling point of Cloud services. Most small companies assume that the Amazons, Apples and Googles of the world have better protections in place for their customers’ data than the customer could ever have alone. While this might be true, let’s investigate the reality first.
The 2011 Verizon Data Breach Report indicates that 83% of all victims surveyed were felled by opportunistic attacks. These victims had publicly vulnerable computers accessible to the internet, fell victim to a mass phishing or drive-by-download attack, or had services with weak or default passwords. The remaining 17% were targeted. These victims possessed enough valuable data that it was worth finding a unique vulnerability in order to gain access to said data. Whether the vulnerability was human- or technology-based, uncovering it took significantly more time, money and energy, so the reward had to justify the cost.
Which category does your company fall into? If you don’t have an IT staff, or one that keeps abreast of the latest cyber threats, and you don’t have a lot of readily monetizable data, you probably fall into the opportunistic category. Hiring a Managed Security Service Provider to keep watch over your IT and data is probably a good idea. However, if you possess lots of PCI, PII, PHI, or intellectual property, your company falls into the targeted category and should be investing a considerable amount of money and human resources in security.
The vast majority of companies are somewhere between these two points. They are able to do basic security, but what they are protecting is not so valuable that legions of hackers are trying to break in. It’s these companies that should spend the most time assessing the additional risks of using cloud services.
A recent IEEE article found that “the majority of the cloud service providers felt that security wasn’t really their domain but that of their customers.” That’s not to say they aren’t providing any security at all, just that it’s not their focus. When you look at the fierce competition in this space, can you blame them? What’s worse, even the National Institute of Standards and Technology (NIST) doesn’t think cloud providers should be responsible for securing the data they possess. In fact, their definition of “cloud” seems to be in stark contrast to security. They use words like “convenient”, “on-demand”, “shared”, and “minimal management effort”