Seven deadly sins of cloud security


Survey after survey, statistic upon statistic, show that security (or the perceived lack of it) is consistently at the top of the list when it comes to reasons why organisations do not migrate data to the cloud. But how does that perception translate into reality? The cloud isn't inherently insecure, but it's true to say it does have some common security sins; the trick is knowing how to combat them...

1. Privacy: Big Brother can see my data in the cloud

In this post-Snowden era of mistrust, a common concern is that putting your data into the cloud is the equivalent of giving state-sponsored agencies carte blanche access to your confidential information. Of course, government agencies have always been able to require a view of specific data if a court deems it reasonable to do so; the difference is that the Prism revelations appeared to remove the specificity requirement, along with any obligation to let you know it was happening.

The solution to this covert-access problem is simple enough: encrypt your data and don't give your CSP access to the keys. Bring Your Own Key schemes should ensure that your data remains private even if Big Brother asks your CSP to reveal it. If they want to see your stuff, they would have to ask you ...

2. Ownership: data sovereignty and the cloud

Following on from the first 'sin' comes the thorny question of who, once your data is in the cloud, can demand that visibility with or without a court order. The answer is determined, in part, by where your data is stored.

The cloud, in reality, could be a server farm in any number of locations. Indeed, your data could be stored and moved between any number of locations, anywhere in the world; leaving it at the whim of whatever national jurisdiction it may be in or have been in.

There are obvious security impacts here, and any regulatory data protection compliance scheme could be shot to bits accordingly. The trick is to control where your data is stored, and that means talking to your CSP about geographically ring-fencing data storage.

It also means choosing a CSP that isn't headquartered somewhere that could give it a legal way in to your information. Post-Snowden, this isn't as difficult as you might imagine. Most of the big players, and plenty of niche ones, will work with you to ensure data sovereignty needs are well met.

3. Danger, public cloud: model misconceptions

One of the biggest areas of confusion when it comes to cloud security hits right at the heart of the cloud itself, at infrastructure level.

This isn't helped by a general belief that the public cloud must be avoided at all costs as it is insecure and dangerous. Although there is some truth in this, in that public cloud services are not best suited to all applications, it's not the whole truth.

As usual, the solution is to apply proper risk auditing from the outset, so that the right cloud model, correctly used, mitigates the risk.

Public cloud services can be perfectly acceptable for public data, while you probably wouldn't want to throw highly confidential and financially sensitive information up there.

Choose the appropriate cloud model, or more to the point the right combination of them, to achieve the best security posture for your business in the cloud. Hybrid clouds can span deployment models to enable the secure movement of data between public and private platforms.

4. The bottom line: cloud security costs too much

It is generally accepted by IT security professionals that some 80 per cent of your security resources, and 80 per cent of your security budget, are best directed at securing the most valuable 20 per cent of your data.

Unfortunately, many CFOs don't see things the same way and instead focus on the cost of securing everything in the cloud.

No wonder, then, that many organisations mistakenly believe that cloud security is just too expensive to achieve. The solution to this one requires an understanding that not all data is created equal, and so doesn't need to be secured equally either.

Data classification is the key here; determine what is the most valuable data and the most at risk and secure that with the highest priority and with most investment. Most of your data holds very little profitability (and by implication interest) to those who might steal it. You still need to secure it, but at a more basic level which costs less. Sensitive, confidential and business critical data demands the most security, and the lion's share of the budget allocation.

Thinking like this will not only provide better value to your organisation, but better security as well.

5. BYOD: the shadow IT threat

Cost and convenience are at the heart of the BYOD threat to enterprise data security, while the cloud is often cited as compounding the problem.

Let's get this straight: BYOD is far from being a cloud-specific security issue, but it is one that is magnified by the availability of cloud-based data to improperly secured mobile devices. A typical employee might use his or her own smartphone, tablet or laptop (and often all three) to connect to myriad cloud-based services and manipulate data where enterprise controls cannot be exercised.

The legitimate concern is that this opens the door to malware, regulatory compliance issues and the danger of data theft should such an endpoint device or cloud service be compromised.

The solution is face-slappingly obvious: secure endpoint devices through the application of formal BYOD policies and effective controls over the use of corporate data. This means separating business and personal data, along with encryption and device-loss strategies.

6. Interface insecurity: cloud connections

Cloud security concerns do not start and end with storage issues; just as important, and so of concern to would-be migrators, is how you interface with cloudy data.

At the core of this concern is that third-party connectors to cloud services might allow compromise through the exploitation of unintentional (or even deliberate) vulnerabilities.

The application programming interface (API) certainly has the potential to be something of a weak link in the cloud security chain, especially as it will define verification and access methodologies. Unfortunately, just as there is no such thing as 100 per cent secure anything, so no API can be deemed totally safe.

The solution is to mitigate the risk, and therefore the concern, by applying due diligence when it comes to the services that are used. Ensuring third parties make use of OAuth-supporting APIs for public connectivity is a good start but only a start.

Ask questions of the provider regarding the API security controls being used, and don't be afraid to look for other solutions if you don't like the answers.

7. The small matter of trust: CSP auditing

The first six potentially deadly cloud security sins have inevitably led us to number seven, which can best be summed up by a single word: mistrust.

The biggest security concern that most organisations express is quite simply that they don't feel comfortable trusting the cloud. What they really mean is that they don't trust the cloud service provider, a totally different thing.

The cloud itself is not inherently insecure, but insecurities can be introduced at many levels. In order to best mitigate these you need to be working with a CSP that you can trust; but blind trust in any CSP is a route you shouldn't go down.

Instead, apply age-old due diligence procedures and either employ a security consultancy to audit the potential CSP, or look for one that has passed industry-acceptable certification levels (which should mean it has been effectively audited already). The Cloud Security Alliance (CSA) STAR certification scheme is as good a place to start as any, and keep an eye out for ISO 27017 when it finally arrives as well.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.