Revelations from such major events as the Snowden incident last summer have greatly set back the adoption of cloud services. There are a number of industry surveys (including this one commissioned by NTT Communications) that support the idea that potential customers are taking a more cautious approach to the cloud. With these stories only building, there is no question that the public image of the cloud has suffered, but are the dangers real for small businesses?
Unfortunately, the cloud security dangers for small businesses are very real. In a case that came to light in April of 2013, a systems administrator of a hosting company in Texas installed a rootkit enabling remote access to 2,700 hosted servers. The case highlights the need for security controls at the cloud service provider, and for transparency from the service provider to its customers about those controls.
In terms of what might have been done, the cloud service provider likely needed to do a better job of screening employees, and perhaps should have put more controls in place that limited system access, to reduce administrators’ ability to do harm (an admittedly hard problem). Customers of cloud services, particularly those storing sensitive or confidential data, are advised to ensure backups are taken, and to implement controls independent of the service provider that secure data in the cloud service.
As noted earlier, using the cloud while still protecting their services all starts with control for small businesses. Potential cloud adopters can mitigate some risks by taking responsibility themselves for securing the data they plan to move to the cloud, and by controlling the encryption keys themselves. Beyond keeping that control, the single biggest piece of advice for small businesses is not to assume that by outsourcing computing to a cloud service, all risk has magically been outsourced.
Small businesses still own the risk, and need to understand the risks and manage them. This includes understanding the controls in place in SaaS cloud applications, and understanding (via audits) the state of these controls.
Utilizing a hybrid cloud approach is another option to help mitigate the risk of the cloud. Hybrid approaches can ensure that more sensitive data is kept on-premises, and is adequately secured on-premises, to again keep control intact. Key to note for small businesses is that hybrid isn’t always a given, and for some customers, especially SMBs, security provisions in the cloud service may be more robust than those they replaced on-premises. Small businesses must ensure there are solid security controls in place both on-premises and in a cloud service. There must be a full understanding of the risks in the cloud, so that unacceptable risk can be properly mitigated through the addition of other controls.
Another important note is that for SaaS-based cloud services, the customer organization will have to use an RFP process to identify the security controls that are important, and then select the cloud provider that most closely fits its requirements. Adopting cloud services is possible for small businesses, but proper assessment of individual needs and unique landscapes is key to making it work.