How Much of a Security Concern is Cloud Computing Really?
Before cloud computing had even gotten off the ground, people were talking about the security implications of computing in the cloud. When you step down from the semantic sugar and look at the basics, cloud computing is not fundamentally different from any other technology. When a technology can be influenced to execute outside of its intended purpose, a vulnerability is present. The following elucidates some of my thoughts regarding cloud computing.
Let me start off with enterprise vulnerabilities. First off, enterprises face exactly the same vulnerabilities whether they’re using on-premise equipment, cloud computing, or some combination thereof. The standard enterprise vulnerabilities range from the Open Web Application Security Project (OWASP) Top 10 to the low level buffer overflow, all of which people have been fighting for the past 15 years or so. The big change with mobile rising from cloud adoption is that vulnerabilities move from something the enterprise owns and controls to something a third party owns and controls. It raises the question about who owns the vulnerabilities and who is able to find the vulnerabilities and remediate them.
There is also no difference in using social media as an avenue for attack (one of the biggest threats for most organizations) when comparing on-premise versus mobile computing. A computer accessing Facebook or Twitter is just as easily hacked as a mobile device accessing those same sites. That’s because the fundamental constructs of accessing a site over mobile or via a traditional method are identical. Despite the device the consumer is using, hackers can still get to sensitive data by exploiting the same vulnerabilities present in the various social media platforms.
In my opinion, the more real and immediate dangers of cloud computing impact individual consumers, but not enterprises. For example, consumers have traditionally been able to protect their data by using the latest patches and avoiding risky behavior while on the Internet. As consumers use more mobile technology tied to the cloud, attackers looking to compromise data are going to have an easier time finding specific consumer's data, and may do it at any time throughout the day.
This is a new paradigm because consumer data has historically been available to attackers only when consumers’ computers have been on or they’ve been browsing Web sites. Consumers have been able to unplug their computers from their network and turn them off in order to protect their data. With cloud computing, there is a server out there with available data 24 hours a day, seven days a week. It will no longer matter what steps consumers take to protect their data - the onus shifts to the third party MSP, and IT departments need to be constantly vigilant.
Another real consumer danger: if an attacker is able to compromise the credentials in a cloud-based environment, they can access all of the data. This is often not an issue with enterprises since passwords are generally just the first line of defense. But, with consumers, usernames and passwords are often the only lines of defense for cloud computing (consumers don’t need usernames and passwords if their data resides on their hard drives). Often times, password compromise is the easiest way to gain access to a system.
As cloud adoption continues to become more prevalent, vulnerabilities within Web browsers will matter less to attackers. The data that is valuable to attackers will soon be predominantly located on cloud-based computing servers, rather than on consumers’ systems. Although getting into cloud-based computing servers will be a more difficult task, the reward will be greater. Compromising a single entity will lead to the exfiltration of a large number of consumers’ personal information.