Newly published research into cloud security suggests that while primary attack methodologies aimed at on-premise deployments stayed pretty flat across the previous year, those aimed at cloud deployments grew by 36% when it came to 'suspicious activity' and 45% for app attacks.
Should we be surprised that the bad guys are turning their attention to where data is increasingly being stored? No, of course not. Should we be surprised that they are attempting to compromise the various applications deployed in the cloud? Ditto.
What should surprise us, however, is that cloud computing security challenges, while plentiful, are considered to be somehow beyond the ken of your average MSP. That really shouldn't be the case, despite data security in cloud computing meaning so many different things to so many different people. And there lies the rub; getting to grips with an inclusive approach to securing your data, wherever it resides, is key to meeting cloud security challenges head on. Erroneous assumptions abound when it comes to cloud security, dealing with these is essential if you are going to get it right.
Here are three of the biggest myths that need debunking:
1/ The cloud is insecure and there’s nothing you can do about it!
Perhaps the biggest lie of all is that the cloud is not only insecure, but there's absolutely nothing you can do about it. The first part we have no truck with, from the perspective that everywhere is insecure until you take the appropriate steps to secure it. The cloud is no more insecure than your server room, truth be told, and depending upon how you define it is quite possibly a lot more secure.
The likes of Amazon, Google, and Microsoft have the resources (in terms of cash and knowhow) to secure their environments in a way that many smaller organisations operating on-premise simply cannot match. Your average client most likely wouldn't list network or data security as one of their core competencies, whereas the big boys of cloud position it right at the top of the list.
The whole 'inherently insecure' argument can safely be put to bed. At the end of the day, physical control of your data does not automatically make it secure; visibility and access, wherever the location, are far more important.
This is one of those strange double-headed arguments whereby the cloud has driven the creation of the Bring Your Own Device (BYOD) model within businesses large and small, yet it is somehow (wrongly) thought to negate the risk of mobile data being compromised at the same time.
Here's the thing, just because cloud services are being used as data depositories and often serving up the applications being run on mobile devices, does not mean those mobile devices can now be used risk free. Quite apart from the small fact that not explicitly saving data on the mobile device is not the same as data not being saved there (cached data anyone?), mobile device use of cloud-based file sharing without some clear separation of corporate and personal data is a recipe for insecure disaster.
The bottom line is that mobile content management (MCM) deployment remains as essential as ever, and MSPs are ideally positioned to both explain the need and implement the solution.
3/ Cloud security? That’s the provider’s problem
And 'implementing the solution' leads us into the third of those erroneous assumptions, namely that cloud security is the provider's problem. Sadly, we hear this particular 'responsibility shifter' all the time.
In some ways we can understand why people may think it, what with cloud service providers looking to stake a 'taking security seriously' claim in a crowded market. While the cloud provider should and, more often than not, does live up to this promise it doesn't defer all risk from you to them.
Ultimately, the security responsibility buck stops with the client whose data we are talking about. However, as an MSP there's also a shared responsibility to ensure that both cloud provider and client understand their roles and implement them accordingly. It's not rocket science, just good management practise at the end of the day: tools, processes and policies all need to be closely monitored, with implementation and maintenance lines clearly drawn.