Is my stuff safe in the cloud?

What can I do to make my cloud secure? This simple question is commonly asked but uniquely answered since the concept of ‘cloud’ can be as varied as the business.

It's amazing to look back on my days with the Microsoft Network when internet browsing and email were in their infancy, and the possibilities of what could be achieved with e-commerce, online gaming and online communication were only starting to be explored. Fast forward two decades and it's impossible for many people to comprehend a world without the level of connectivity we have today.

Much more than just someone else's computer

A tongue in cheek definition says 'the cloud is just someone else's computer'. However today's cloud represents much much more. It offers an agility, flexibility and immediacy which enables organisations of all types to do more of what they want, how they want and when they want. For smaller businesses the cloud offers everything they could need to support and fuel their growth, increasing efficiency, accessibility and removing the high barrier of entry to tools previously reserved for larger enterprises.

Microsoft's Office 365 and Google's G Suite are two of the platforms that represents the core of the 'cloud' for many businesses. Enterprise grade email, collaboration and productivity tools without the need to buy servers and licences, install or support. Other online applications you may use such as Saleforce, Slack, QuickBooks etc. are known as Software-as-a-Service (SaaS) and this is just one of the main three models of cloud services, the others being Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS). Of the three, SaaS is the most likely model to be used by businesses of all sizes.

PaaS is a service that is specifically aimed at businesses looking to develop software and offers a platform that provides developers with everything they need to build applications including infrastructure, operating systems and development tools. IaaS on the other hand is for businesses looking to benefit from infrastructure (routers and racks to servers and storage) that is managed and hosted in data centres offering the the flexibility to do what they want with them - run enterprise applications, have development environments, run commercial web services etc, as well as the ability to add new servers on demand.

Let's grab a pizza

The Pizza as-a-Service analogy is a good way to explain the different types of cloud services in comparison to the traditional on-premise model.

On-Premise (Home-made pizza)

To make a pizza at home, you need everything. A kitchen with an oven, electricity/gas to power it, utensils, ingredients including the dough and the toppings and finally you need to cook it. You have to procure, manage and operate everything in order to achieve your goal - a pizza.

Infrastructure-as-a-Service (Renting a kitchen)

With IaaS, you're effectively renting a kitchen. All the infrastructure is there for you to use. All that's required is for you to bring your pizza ingredients and cook the pizza. Want to cook multiple pizzas simultaneously? Then simply grab more worktops to prepare the pizzas and turn on additional ovens as required.

Platform-as-a-Service (Bring your own toppings)

With PaaS, you're given everything you need to make a pizza. All the infrastructure is there for you to use, all the utensils, and perhaps even your choice of pizza base. All that's required is for you to bring your pizza toppings and cook the pizza. Want to make a traditional Napolitan pizza, or a deep pan, thin and crispy, calzone, pizza-a-metro, baguette pizzas, manaeesh? Want to diversify into making focaccia? Simply bring your imagination and toppings - the rest of the environment is already there.

Software-as-a-Service (Go to a restaurant)

By going to a restaurant, you won't need to do any cooking and you can choose exactly what type of pizza or pasta or whatever else is on the menu. SaaS can provide you will the tools to build a website for you to resell the pizzas from this restaurant, manage the finances of your new venture, hire and manage the staff to run your delivery company, promote offers and incentives whilst keeping in touch socially with your customers through apps on their smartphones.

From floppies to the flick of a switch

Having to install enterprise software suites from CDs (or floppy disks – remember them?) onto local servers is an activity that has been consigned to the past. The time, effort and expense of procuring suitable server hardware, sufficient paper-based user licenses, training IT staff to install and support the software as well as train and support users has effectively been replaced by a few clicks on a website. The huge capital expenditure (CapEx) outlay previously required and the headache involved with upscaling has been replaced by operating expenditure (OpEx) monthly, per user, per feature-set payment models. New staff to be added, additional functionality required, it’s all provisioned with a virtual flick of a switch. No wonder then that SaaS solutions dominates modern business.

Cloud driving Innovation

Cloud has become a real driving force, with businesses moving data and applications out of on-premise server rooms, in order to cut costs and increase agility and innovation. From start-ups to a large global enterprises, there is an as-a-Service offering for all areas of the business to meet all your requirements. This innovation in turn breeds further innovation as both new and established players alike use the same cloud technologies to build the next generation of products and services.

The cloud computing giants, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) offer a myriad of tools that work natively with their infrastructure and platform as-a-Service offerings. Amongst these are developer tools that make it easier for developer teams to be set up and made productive more quickly, as well as tools to facilitate continuous integration to continuous deployment. Somewhere, in the midst of all of this is security.

DevSecOps

The term DevSecOps was coined to emphasise security's role in the development lifecycle. Previously, when development cycles lasted months or even years, security was a consideration thrown in at the final stages of development. However, long development cycles have been discarded in favour of a continual integration and continual development/deployment (CI/CD) model as companies abandon the big Release Day. In the race to gain competitive advantage or catch up with their competitors, DevOps ensures rapid and frequent development cycles (sometimes weeks or days) however outdated security practices were significantly out of step.

In DevSecOps, security is treated as an integral shared responsibility where application in infrastructure security is considered from the start. Selecting the right tools to continuously integrate and automate security, as well as nurturing behaviours that lead to developers having more awareness on the security of their code. Automated testing is run throughout development to scan for and identify security vulnerabilities in custom code. Whilst in production, 'blackbox tests' which are carried out without knowledge of the internal source code or application architecture, essentially uses the same techniques that an attacker would use to find potential weaknesses in the application. There is a wealth of security testing tools available for DeSecOps teams to use, so would this mean that my SaaS solution is secure?

Choose your solution partner wisely

Many businesses may have had to fast track their digital transformation plans due to the coronavirus, whilst others will have scrambled to sign up for SaaS solutions to help organise, communicate and work with their previously office-based staff. Operational effectiveness and minimising the disruption to daily business will have been top of mind, but for companies working with personal data, GDPR requirements are still in force and if anything the threat of attacks will have increased as hackers seek to find vulnerabilities in hastily configured solutions.

Update: 10th April 2020.

One of the tools that has seen a dramatic surge in users is Zoom, a video conferencing tool whose founder and chief executive Eric Yuan helped to create the WebEx which was later sold to Cisco. In December 2019 the number of daily meeting participants on the platform was 10 million, by March the number of daily participants had reached a staggering 200 million as lockdown measures in countries around the globe kicked in. Not only have businesses been using this, but also familial, social and religious groups as well as world leaders.

The UK Prime Minister Boris Johnson, proudly tweeted that he carried out the first ever video conference Cabinet meeting with a screenshot that advertised details of the meeting ID, raising concerns about security.

It appears that the meeting was password 'protected' unlike other instances which experienced a phenomenon termed Zoombombing in which people would join meetings uninvited and shout abuse, share pornography or make racist remarks. Without the password all anyone would need to get in is the meeting ID either a personal meeting ID or a randomly generated one. But it seems that there have been some instances of people randomly entering nine-digit numbers until one matches a Zoom meeting ID - an issue Zoom was made aware of last year.

On the 27th March the BBC published an angry response from Zoom after suggestions that it was not entirely secure:

"Globally, 2,000 institutions ranging from the world's largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare and telemedicine practices have done exhaustive security reviews of our user, network and data centre layers confidently selecting Zoom for complete deployment."

But within a week, on the 1st April (this was not an April fools joke) CEO Eric Yuan publicly apologised on the company blog for "falling short" on security issues, making you wonder just how 'exhaustive' the security reviews mentioned above were exactly.

"...we recognise that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry,"

Three days later, another apology appeared in the Wall street Journal.

"I really messed up ... This kind of thing shouldn't have happened,"

It turns out that amongst other issues, including lying about having end-to-end encryption as it is commonly understood, Zoom has also been routing user data through China as uncovered by The Citizen Lab at the University of Toronto.

Since then Zoom, which went Public on the NASDAQ in April last year, is appearing on a growing number of ban lists globally amid security concerns and rumoured links with the Chinese Government. The government of Taiwan, the US Senate, the German Ministry of Foreign Affairs, Singapore's Ministry of Education, Google have all issued bans on using the Zoom.

Key considerations for your cloud

By keeping the the following considerations in mind when you're comparing and selecting a SaaS provider, you can ensure your data or that of your customers is in good hands and just as safe as it would be in your own care, if not safer.

i) Track record. What is the company's track record with security and privacy? Are they guilty of recent or even multiple breaches (anywhere within the last 10 years) and if so how long has it been since the last breach and how did they handle it? Be aware of any instances where they were slow to react even or showed little consideration for their customers. Cybersecurity press such as The Register, Krebs on Security and Graham Clueley for example, are often quick to report on companies experiencing security incidents or whose products have discovered vulnerabilities.

ii) Visible security expertise. Does the vendor have a visible and experienced full-time security team? Are they actively involved in the security industry, for example giving presentations at conferences? Do they have a voice in security best practices and standards? Smaller vendors without internal expertise should partner closely with a reputable security company that is well known for their holistic security expertise, track record and know-how. Whether large or small vendor, if this is clearly absent then there's a good chance that this vendor poses a higher risk to your business.

iii) Clear about security. Does the vendor clearly communicate how it meets security standards? When quizzing them on security, can they understand and answer your questions clearly and are they ready to provide relevant evidence on what they do to ensure your data is secure and handled in a way that is compliant with regulations such as GDPR? Don’t be fooled if vendors try and show you, for example, a certificate saying that the hosting company which they use is certified to ISO27001, as this is not direct assurance that the vendor itself, or its other suppliers and partners have undertaken the right steps to keep your data secure.

At a minimum, vendors should at least be able to demonstrate that they have enforced a comprehensive security policy and have an ongoing security testing schedule in place. This testing includes manual external and internal penetration testing by accredited pen testers, as well as a demonstrable DevSecOps environment in which security is an integral part of the development lifecycle with checks carried out throughout development and not just as an annual exercise. They should also demonstrate that they have diligently managed the security with their 3rd party suppliers and partners.

iv) GDPR compliant? The European Union with their General Data Protection Regulation (GDPR) have demonstrated that they are following up on their threats to heavily punish companies who fail to meet minimum compliance requirements as recent examples with British Airways, Marriott, Google have shown.

If you are putting your customer data (or employee data) into a SaaS solution, then as the Data Controller you’re still liable to make sure that you’re compliant with GDPR requirements as well ensuring you’ve configured the solution correctly to maximise the security.

v) SaaS native. Is the vendor a native SaaS company, or are their SaaS solutions a reaction to others on the market? Established companies native to SaaS should have a better grip on SaaS security requirements and respective controls than companies whose newer SaaS offerings were added to supplement their main line of on-premise solutions business. However this consideration is not as strong an indicator that the vendors solution deserves your trust as much as the previous four points.

Clearly both large and smaller (although established) regional players can be guilty of not carrying out security best practice security. Examples include a HR software vendor whose support teams share the administrator username and password for their customers – meaning personal data can be accessed, changed or deleted without any log of which support member accessed what; or a wealth management firm whose customer portal had vulnerabilities which may have allowed a customer level login to gain elevated access rights and subsequently access other customer accounts.

So, is your cloud secure?

This all depends on what you use as your cloud and how you use it. One common rule in cybersecurity is to be mindful of the technologies you use and aware of the risk of threats and vulnerabilities to your business.

Risk vs. Benefits

Through the use of SaaS, small and medium sized businesses can benefit from being more agile, with lower costs, taking advantage of the innovations on offer. Everything that a company needs to run can be found available as-a-Service and many are finding they don't actually need local servers.

However it is vital that you select these services properly. What level of risk does it pose for your company if they suffer a data breach? Or if your selected hosting provider or service provider goes bust, how will this affect your business? There are several cases where business have been burnt – because a company has folded. If vendors/providers are too small they may fold leaving you with all your data lost on a server somewhere that is turned off because the company went bust.

Configure well and test

Remember to configure your services well. Use multi-factor authentication where possible and train your staff. It would be catastrophic to have amazing network security technologies running across your infrastructure only for an attacker to breach your defences because of a weak passwords and poor security hygiene.

Do regular security testing on your environment. Make sure you carry out regular penetration testing to see what an attacker can achieve from the outside with no information, as well as what they can achieve from the inside with a normal user login, or a typical customer login to your web application.

And finally

So how can you tell if the SaaS solution you’re considering can really be trusted with your data? For a large part we have to place out trust that companies act ethically and professionally and that they are held to account when they do step over the boundaries such as British Airways experienced when the personal and financial records of 380 000 customers were hacked in 2018 - they were subsequently fined £183M by the Information Commissioners Office (ICO) which is the UK's data protection authority. The sum represented 1.5% of BA's global turnover in 2017.

Remember, there is no such thing as a cloud that is 100% secure. Your business must simply be able to demonstrate that you are aware of the security risks and have acted accordingly, putting in place suitable measures to mitigate these risks, complying with the relevant laws and industry regulation.