Choosing a Cloud Computing Service Provider: Make Security a Priority
A non-win theme?
As cloud computing services proliferate more broadly, hackers and other malicious individuals and groups are infiltrating them more deeply.
Various reasons for adopting cloud computing services have been mentioned:
- cost savings
- and others of this sort are among them.
Some even take the liberty of naming, inter alia, security [lnk]. But it definitely is not.
Never ever has security been a strong point of cloud computing services. And the situation is getting more complicated and trickier as more and more participants – vendors and their clients – enter the market and as they have more and more services to offer. Moreover, it seems security is not a priority at all when deploying cloud computing is in question.
Nevertheless, these days “more data and applications are moving to the cloud, which creates unique infosecurity challenges” [lnk].
Because “with so much data going into the cloud—and into public cloud services in particular—these resources become natural targets for bad actors” [lnk].
So, as a result, “cloud leaks pop up regularly…” [lnk]. Just ‘duckduckgo’ the Internet; instances are abundant.
Top Threats of Cloud Computing
Recently the CSA compiled the “Treacherous 12” [lnk] list of top threats for cloud computing. Here they are:
- Data Breaches
- Insufficient Identity, Credential and Access Management
- Insecure Interfaces and APIs
- System Vulnerabilities
- Account Hijacking
- Malicious Insiders
- Advanced Persistent Threats
- Data Loss
- Insufficient Due Diligence
- Abuse and Nefarious Use of Cloud Services
- Denial of Service
- Shared Technology Vulnerabilities
Wired just augmented it with the Spectre and Meltdown exploits, which are successfully used for side-channel attacks.
And Dark Reading compiled a list of the most ‘puncturing’ attacks that owners and users of cloud services have to be ready to face:
- Cross-Cloud Attacks
- Orchestration Attack
- Cryptojacking (!)
- Cross-Tenant Attacks
- Cross-Data Center Attacks
- Misuse of Instance Metadata APIs
- Serverless Attack (!!)
- Cross-Workload Attacks
! – most prevalent these days. !! – gaining in strength.
Who is to blame?
Unfortunately, very often the customer himself.
For many businesses, particularly SMBs, the very principles of how cloud computing functions and provides services are a black box. They also underestimate their own role in building a secure shared environment (in spite of all those ‘shared responsibility models’, etc.). Meanwhile, that is a highly challenging gap, and cloud service vendors and their clients need to overcome it cooperatively.
Another reason to say that businesses do not do their best is their lack of skills when they are in the process of choosing a supplier (vendor).
What are the initial steps on the way to ‘cloudy heavens’?
“Organizations that rush to adopt cloud technologies and choose providers without performing due diligence expose themselves to a number of risks.” [lnk]
To be successful along the way, there are some compulsory ‘to-dos’ every entity has to undertake before it gets down to deploying, installing, setting up and tuning a set of particular services and functions (chosen deliberately!).
“The very first step is to understand the business requirements: what is the business wanting to do with the cloud vendor? What data is involved in this business process? Has the business looked at other vendors? If so, which ones?” [lnk]
Once you have answers to these questions, you will be able to figure out which vendor may suit you and which may not. Then what would help you find the answers?
Ms Kristin Judge, CEO of Cybercrime Support Network, advises us (in “Cybersecurity for Small and Medium Businesses: Essential Training” at Lynda[dot]com [lnk]) to ask any potential provider these questions:
- Where will our data be stored?
- How secure is our data?
- Do you perform regular backups?
- How fast can a backup be restored?
- How frequent are your service outages and how long do they last?
- What service level agreements (SLAs) do you offer?
- Can I test your system on a free trial basis?
- Can I speak to some of your current clients with a similar business to mine?
Good ones, but wait a bit. There are some documents you should ask the vendor for first: these are the so-called SOC reports (SOC 1, SOC 2, SOC 3), and they can answer many of the questions you would like to ask.
Visit the page: https://www.alibabacloud.com/trust-center/soc
So do not hesitate to request them if you cannot get them on your own. Take into account that there are two types of SOC 2 report (the one that should interest you most where security is concerned): Type I and Type II (but not every provider has both).
Now you can ask your questions if anything is left unanswered after receiving all that information. And again, if you have difficulty making your own list, you can ‘borrow’ one from the Vendor Security Alliance. I hope it will help a lot.
One more thing. From time to time, various comparisons of vendors appear on the market. As a starting point in your search they are worth reading. Here are some examples:
- Public cloud services comparison [lnk]
- Comparing Alibaba Cloud, Amazon Web Services (AWS) [lnk]
- Comparing Security Cloud Tools: Alibaba Cloud Anti-DDoS vs. AWS Shield [lnk]
- Alibaba Offers an Alternative to Amazon Web Services for U.S.-wary Cloud Users [lnk]
For any responsible vendor, a knowledgeable customer is much better and preferable to an agreeable and indiscriminate one. Providing security in the ‘cloudy’ environment is a common responsibility, and in the ‘clouds’ even an inadvertent action may result in tremendous damage to third parties. So every ‘celestial’ has to be aware of the potential threats he or she may encounter or, conversely, that his or her actions and/or ignorance may inflict on others.
So, when choosing your cloud computing services provider, prioritize your priorities: put security at the top.
P.S. Since, as a new user, I may use only two links per post, I am forced to remove some of them. Instead I have left hints - [lnk] - where the links should be. If you would like to check, just ask me.