The Cloud Availability vs. Security Debate
In the digital age, we want our data to be 100% available to ourselves whenever and wherever, but we also want it to be 0% available to anyone else. Naturally, this causes problems. The more available we make our data to ourselves, the more likely it is that we make the same data available to someone else who we don’t want to see it. We need security protocols that we as the owner can step through very easily, but other people find impossible to step through.
So, first, let’s look at each aspect individually.
The Availability Argument
To understand this, we need to understand the psychology of ‘stuff’. Human beings by nature, as anyone who has ever tried to move house can attest, love to hoard stuff. Why? Because we see the things we own as extensions of who we are; they’re an expression of our personality. For example, I love tennis, so I have about 15 tennis rackets which, step by step, trace out my history in the sport. But I only actually use the most recent one. I keep the rest because I am personally attached to the journey that I walked to become the tennis player I am today, and the rackets are a physical representation of that journey.
As the world has digitised, this expression of human behaviour has shifted to files and data. We would much rather find ways of accumulating more data than we would go through what we have and delete old files.
With cloud storage, not only do we get our sought-after hoarding capabilities, but unlike ever before, we now have the infrastructure to summon that ‘stuff’ at a moment’s notice. If you want to draw up a funny photo from 10 years ago it would take you all of a few minutes. Go back 50 years and attempt the same – how many hours or even days would you have to spend searching through your photos to find that one photo?
So, as you can see, we chase availability not consciously but because it is a fundamental human instinct.
The Security Argument
To kick things off here, we first need to look at the different types of cloud, because the type has a large bearing on the availability-security trade-off.
Public Cloud: The first type is the public cloud. This offers high availability but potentially higher security risks. This is because users receive a lot less personalised attention from public cloud providers. This is best for unstructured data like files in a folder.
Private Cloud: Private cloud hosting solutions are essentially on-premise solutions. The user has full control over the level of security, but this significantly compromises availability. The user will most likely have to be connected to a local network to gain access to the data.
Hybrid Cloud: This tends to be the most popular option. Low-risk, high-volume data is made available on the public cloud and high-risk, sensitive data is hosted locally in the private cloud.
With that cleared up, let’s delve into the specifics a little more.
As you’re probably very aware by now, I like stripping it back to the basics, so here I go again:
A cloud system works by users sending copies of files over the internet to a data server in a remote data centre where the information is recorded. (When I say ‘remote’ I don’t mean an isolated island in the middle of the Pacific; I mean located somewhere other than your current position.) When the user wishes to access their data, they access the data server storing their data using any device connected to the internet. The user can then make changes to the data currently residing in the server or request to have it transferred back to them.
Now, this reveals multiple potential security flaws. How secure is the data centre in which my data resides? How secure is the network over which my data travels?
There are multiple tools at the disposal of a cloud provider to keep your data secure:
The first is Advanced Firewalls. Likening it to something we’re all familiar with, they are like security at the airport. They examine the content of your data packets and map these against known security threats, exactly like a baggage check in the airport.
The second is Event Mapping. Clever digital tools monitor and record all known network actions to help identify any potential flaws. These flaws can then be patched before they are exposed by someone with less honourable intentions. Keeping with the airport security analogy, this could be compared to a police officer patrolling the airport looking out for anything from suspicious behaviour to a door left open that should be locked.
The third is Internal Firewalls. These are in place to make sure that if one area is breached, the rest remains secure. Again, using the airport, if one Terminal is breached, the other Terminals remain secure.
Lastly, and probably the most obvious, is Physical Security. Data centres have extensive on-site security to ensure that no-one can physically breach the servers on-site. No analogy needed here - I would imagine this is pretty self-explanatory.
So, this answers how data residing inside the data centre is kept secure, but what about the network?
The Transfer Myth – Data Encryption
When you’re using a public cloud system, your data might pass over a public network. To this you might scream insecure, but your data can be made secure by transforming it into an encrypted format. This means it might pass through an untrusted network, but it remains perfectly secure. This can be compared to the difference between walking through a dodgy neighbourhood and driving through it. Walking is your unencrypted alternative: you feel, and are, much more exposed to the potential dangers around you. When you’re in a car you are much more protected, exactly like with encryption.
Encryption is something we’ve all heard a lot about, as is often the case with many of the principles I have discussed so far. But if you’re anything like me, you’re asking yourself the question: how does it actually work?
I’ve already described data as a ‘packet’. So, just because I love an analogy, let’s go back to the airport. Your data packet is your suitcase. Your suitcase is filled with lots of items, many of which identify you personally and many of which don’t. However, when they’re all in the same suitcase, the items that don’t identify you directly can be attributed to you indirectly by being with the items that do. What if you’re really image conscious and want your clothes to pass through security anonymously without being attributed to you? (I know, bit of a stretch but bear with me).
The answer is simple – separate the unidentifiables from the identifiables.
At airport security we have a series of belts rather than just the one. Now if we separate the items in our suitcase and pass them through random belts, they should pass through without being attributed to you. We do the same with our data packets. We slice each one up so that each individual piece doesn’t make sense by itself and pass each part through the network randomly before we gather them all together again at the end.
An example is shown by the following:
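The property described above, that no single piece makes sense by itself, can be demonstrated with XOR secret splitting. This is an added example, not part of the original post and not presented as any provider's actual scheme; the function names and the sample "suitcase" data are assumptions made up for the illustration.

```python
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("pieces must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split(data: bytes, n: int) -> list[bytes]:
    """Split data into n pieces; all n are required to rebuild it."""
    if n < 2:
        raise ValueError("need at least two pieces")
    # n-1 pieces are pure randomness from the operating system's CSPRNG.
    pieces = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    # The last piece is the data XORed with every random piece, so on
    # its own it is just as unreadable as the random ones.
    pieces.append(reduce(xor_bytes, pieces, data))
    return pieces


def combine(pieces: list[bytes]) -> bytes:
    """XOR every piece together to recover the original data."""
    return reduce(xor_bytes, pieces)


# Constructed sample "suitcase" contents for the demonstration.
SUITCASE = b"passport=GB1234567;shirt=blue;shoes=size9"

if __name__ == "__main__":
    belts = split(SUITCASE, 3)
    for i, piece in enumerate(belts, 1):
        print(f"belt {i}: {piece.hex()}")
    print("all belts:", combine(belts))
    print("two belts:", combine(belts[:2]))  # unreadable without the third
```

Anyone who sees fewer than all of the pieces learns only the length of the data; the order in which the pieces arrive does not matter.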
If this doesn’t fully ease your mind, additional security measures like Virtual Private Networks (VPNs) also exist. A VPN forges a private tunnel through the public network through which your data travels. This significantly improves your privacy by masking your browsing history, web activity, IP address and location. All of your actions past or present are untraceable. Going back to our dodgy neighbourhood, a VPN ensures that no-one ever knew you passed through it in the first place.
Again, VPNs and other more sophisticated security protocols are becoming increasingly common. Security is just an ongoing game of tit for tat. We improve our encryption methods and our less honourable counterparts spend a bit of time getting smarter and developing new ways of getting around these improved methods. So, we need to develop something even more secure and then the game starts again. For example, today, using AI, we can crack the famous Enigma code, from the Second World War and the film The Imitation Game, in just 10 minutes!!
Cloud security is the same: we are constantly looking at ways of making our data more secure, and what works today won’t necessarily work a week from now. So, how does the cloud actually make it easier to keep our data secure?
Security Benefits of the Cloud
As previously discussed, cloud providers host all of your data in their massive data centres. Centralising data all in one place makes it much easier and cheaper to secure data. In terms of physical security, the cloud provider only has one site to manage. In terms of internal security, they can set up high-tech monitoring teams and keep the findings of this team contained and private. For smaller organisations we can see why a cloud solution might be more attractive from a security standpoint. They wouldn’t be able to afford this level of security if they were managing all of their data out of a private cloud system themselves. It’s much better to outsource it to a company where security is one of their main focuses and who are experts at what they do.
Constantly monitoring the network allows you to dictate who has access using Access Controls and allows you to adopt certain protocols to ensure that the person requesting access is exactly who they seem using Authentication. This ensures security but also manages the integrity of your data. Role-based access controls ensure that employees only see the portion of the picture they have clearance to see. This avoids accidental changes to data that could be at best disruptive and at worst damaging to the organisation. In addition, the likes of 2-factor authentication ensure that only employees with the appropriate parts of the puzzle can gain access in the first place.
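How the two controls described above combine in a single access decision, as an added example that is not part of the original post: a role-to-permission lookup followed by an RFC 6238 time-based one-time code check. The roles, users, secrets and function names are constructed for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample policy: role -> permissions it grants.
ROLE_PERMISSIONS = {
    "analyst": {"reports:read"},
    "payroll_admin": {"reports:read", "payroll:read", "payroll:write"},
}

# Constructed sample users; totp_secret is the key shared with the
# user's authenticator app at enrolment.
USERS = {
    "alice": {"role": "payroll_admin", "totp_secret": b"12345678901234567890"},
    "bob": {"role": "analyst", "totp_secret": b"constructed-demo-key"},
}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def second_factor_ok(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Accept the current code or its neighbours to tolerate clock drift."""
    return any(
        hmac.compare_digest(
            totp(secret, max(now + drift * step, 0)).encode(), code.encode()
        )
        for drift in (-1, 0, 1)
    )


def authorize(user: str, permission: str, code: str, now: int) -> bool:
    """Grant access only if the role allows it AND the 2FA code is valid."""
    account = USERS.get(user)
    if account is None:
        return False
    if permission not in ROLE_PERMISSIONS.get(account["role"], set()):
        return False
    return second_factor_ok(account["totp_secret"], code, now)
```

A valid code never widens what a role may do: the role check fails closed before the second factor is even evaluated.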
The Biggest Killers
To close this off, I wanted to talk about the biggest killers – what are the common causes of security breaches?
The only way these security protocols work properly is if they are applied properly. This means that a company’s security is reliant on every individual employee sticking to the best-practice principles which have been put in place. In other words, the best investment a company can make in managing its security is educating its employees. If your employees understand the consequences of their actions, they are likely to be a lot more disciplined.
In fact, it is more often than not the basics that aren’t applied correctly. By this I mean password strength or being prudent with emails from unknown senders to avoid phishing scams. These are easy to teach, or to make employees aware of, for example by circulating the below:
The security concerns of many people come by intuition rather than through understanding. They assume that sending data over a network is dangerous yet think their 5-letter password is unbreakable. However, the truth is that their network is unbreakable because the company is using high-level encryption and a VPN that they don’t know about or understand, but it is their password that is the massive security vulnerability. So, somewhat surprisingly, the key to security lies in education. Ensure your employees know the consequences of their actions, so they understand the implications of how they operate on a daily basis.