As more individuals and companies move their data to the cloud, the most common question is, “Are you sure this is safe?” One of the common “memes” on computing forums is that storing data on the cloud provides a security risk. But is that “common sense” opinion based on facts?
For small companies, it’s hard to believe that taking data from your local storage server and moving it to cloud storage can be as safe and secure as storing it yourself. This is an understandable question because when you store your data locally, in your office, you have complete control over your data. When it’s moved to the cloud, the cloud provider has control, although you actually still retain much of the control yourself.
Somebody must maintain physical and software security of servers
Let’s say that you are suspicious of moving your data to the cloud so you store it on your local Miscrosoft SharePoint server. If your data is stored locally, you will have to constantly spend time maintaining security- software security as well as physical security, to ensure that none of your data is compromised. However, breaches can happen. Your IT (and in small companies that may be just a couple of people) might forget how to install the latest security patches, somebody in your company might install software on your local data server which is not secure, etc.
But what if your data is stored on the cloud, couldn’t the same things happen? Not exactly. Sure, breaches can still happen (hackers can steal your laptop and gain access or malware programs can steal your information or password as well). But physical and software security of many reputable cloud services (Dropbox, Basecamp, Google Drive) ensure that nobody can access your data without proper authentication.
Technology has gotten extremely more complicated in recent years and hackers have become much more sophisticated in order to battle new protections and security. If you are storing data locally, the local infrastructure must be constantly updated and improved in order to keep up with the latest challenges.
Verizon Business Data Breach Report for 2012
An excellent recent study (conducted by the Verizon RISK team, Australian Federal Police, Dutch National High-Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit and the United States Secret Service) shows us that hacking and malware account for most breaches. Some form of hacking was used in 81% of all breaches while 69% of all breaches incorporated malware in order to gain access. As malware is implemented by hackers, the 69% is by far the largest cause of all breaches.
We will analyze the data in the report and try to understand if whether moving data to the cloud will increase your data vulnerability.
96% of all data breaches are based on simple attacks
The first important fact is that 96% (Yes- nearly 100%) of all data breaches are based attacks and not very sophisticated. Nearly all attacks (97%) could have been avoided by very simple intermediate controls. For example, a small organization’s most important task is to implement (and maintain) a basic firewall and change the default credentials on their other internet-facing devices.
Data breaches for locally hosted data is 80% vs. 26% for cloud hosted data
As mentioned above, malware accounts for 69% of all breaches. Now if you look into the section describing the data breaches in cloud computing and the bring-your-own-device (bYoD) movement, it shows that data breaches for locally hosted data is 80% while for cloud hosted data it’s just 26%.
So What About Storing Data in the Cloud?
So, are there breaches that compromise assets in the cloud? Yes; absolutely. Are there any successful attacks against cloud storage services? No; not really.
Basically that make sense: data breaches in the cloud can be caused by an attacker/hacker getting user credentials (username/password) via simple attacks such as malware and non-secure passwords. And because the cloud storage provider’s infrastructure is both physically secure and their software is updated, it is nearly impossible for the attacker to gain data by directly attacking storage service.
On the other hand, if you have all of your data stored on your local storage server, you do need to maintain security – both physical security and software packages need to be maintained on a constant basis. For example, new software packages usually come with default credentials and these must be changed and updated for security. Management of your own infrastructures is typically less focused on the day-to-day security than what cloud services do. Basically, if you are a small organization, it is much more secure to store data on a proven cloud service provider than to store the data locally and have to maintain your own security.
The other thing to remember is that malware is the largest cause of data breaches and you still need to check for malware. The cloud provider will help ensure that your data is protected against data breaches which involve a direct attack on the servers but malware is one of important causes of breaches.
We’ve said it before, and we’ll say it again here: the cloud is really about giving up control of your assets and data. The cloud has not nothing to do with less or more security of your data.
If you want to have your data secure and backed up: encrypt it and replicate it.