Cloud security: Frequently asked questions

Cloud security FAQ

What is cloud computing security?

Cloud computing security, also known as cloud security, refers to technologies, policies and applications that are utilised to protect devices, services, data, applications and infrastructure. 

From a customer perspective, the approach is often wider. When customers do assessments on the security of our cloud services, some assess not only the cloud service itself but also our organisation, internal IT, buildings and people. 

The narrow definition comes down to securing the cloud computing environment. Cloud security is designed to protect our customers’ data. When it comes to the physical devices affected, it is typically the protection of the servers and equipment processing and storing the data.

How does cloud security work?

Several initiatives are working together to secure a cloud solution. First, the servers the data is located on are placed in data warehouses that most employees don’t have access to.

Secondly, the files that are stored on cloud servers are encrypted, making it harder for cyber criminals to access the data. In addition, cloud providers also frequently run some security measures to protect your data: 

• Regularly security updates
• Auto-patching and artificial intelligence to seek out and identify possible vulnerabilities 
• Third-party security testing
• Built-in firewalls
• Redundancy

“To make cloud security “work”, you need an end-to-end framework with relevant controls for all the elements of the delivery of a cloud service. Often this is referred to as an ISMS, (Internet Security Management System). An ISMS will often be based on a standard like ISO 27001. 

It would cover everything from development to production and will be based on well-known security standards for secure development, testing and operations,” explains Stian Estil. 

How secure are cloud solutions? 

How secure a cloud solution is, depends on the quality of the service. People tend to think that online banking is safe, and usually, it is due to the banking industry’s high-security standards. 

There are many reasons why cloud solutions oftentimes are more secure than traditional on-premise. For example, using a cloud provider means that the servers your organisation’s data is hosted on are always updated with the latest security measures, it has built-in firewalls, auto-patching, and third-party security testing. 

What are some common cloud security risks?

There are many risks to take into consideration when building secure cloud solutions. The obvious one is securing the physical data storage from intruders. That is the easy part. 

The hard part is to develop software without serious vulnerabilities that can be exploited by cyber criminals. A cloud solution is usually dependent on third party code components as well, and control of third party code is a standard measure in cloud security.

We can normally split security concerns associated with the cloud into two categories: security issues faced by cloud providers, and security issues faced by their customers. 

The provider is responsible for ensuring that the infrastructure is secure and that their clients’ data is protected. The customer is responsible for using strong passwords and authentication. 

Because the data and applications hosted in the cloud aren’t physically accessible to the organisation, fewer employees have access to this data. However, potentially sensitive data is at risk from insider attacks from employees working for the cloud provider. 

Cloud providers must make sure to run through background checks for the employees who do have access to the servers in the data centre. 

A cloud provider must also frequently monitor the data centres for any suspicious activity. Also, if the provider stores more than one customer’s data on the same server, they must ensure logical storage segregation and data isolation. 

Why is cloud security important?

With a steady rise in the number of malicious acts and more sophisticated attempts, it’s becoming increasingly important to focus on cyber security. 

Cloud security in itself is important for many reasons, but most of all, because the customers trust us to protect their data. For us at Visma, and other companies, this is a matter of trust and reputation. 

Cloud security is also important for customers. If you as a customer are using a cloud solution, you are also responsible for protecting the data. Depending on the different cloud service types, the cloud provider and customer have different levels of responsibility: 

• Software as a Service (SaaS) – You as a customer are responsible for securing the data and user access.
• Platform as a Service (PaaS) – You as a customer are responsible for securing data, user access, and applications.
• Infrastructure as a Service (IaaS) – You as a customer are responsible for securing data, user access, and applications, operating systems, and virtual network traffic.

That means, in the occurrence of a “breach”, you are responsible for those affected, no matter if they are employees, suppliers or customers.

What is the difference between a private and public cloud in terms of security?

The difference is that a private cloud is only for you, but a public cloud is shared by many.  In a private cloud, you can usually tailor the delivery, but in a public cloud, it is a “one size fits all” delivery. The public cloud is not less secure than the private cloud.

In cloud computing services provided by public cloud providers, data and applications are hosted with a third party rather than within a self-controlled network as in traditional IT. 

What is the difference between cloud security and cyber security?

For most customers that will be the same. For security professionals, the difference is a matter of definition. Cyber security covers a broader scope than cloud security. Cloud security could be scoped down to securing the data in the cloud. 

What are the most important cloud security challenges today?

New technologies and techniques are evolving at a high speed. We are faced with several challenges when it comes to keeping cloud solutions secure: 

• Cloud breaches – Data breaches in the cloud often occur using native functions of the cloud. A cloud-native breach is a series of actions in which actors exploit errors and vulnerabilities in a cloud deployment without using malware. Such actors “expand” their access through interfaces that are weakly configured or don’t have enough protection to find valuable data that they then export or transfer to their own data storage location.
• Access to data and applications – Users may be able to access data and applications via the internet, and from any device or location. Also, access by cloud provider personnel could bypass your security controls.
• Visibility into data – Oftentimes, cloud services are accessed from devices that aren’t managed by your company’s IT department- This means that the IT team needs the ability to see into the cloud service itself to have full data visibility.
• Compliance – Cloud computing services adds another dimension to both internal compliance and regulatory requirements. 
• Control over data – IT teams also have less control over the data because they no longer control servers and applications on their premises. Also, cloud customers are given limited control, and access to underlying physical infrastructure is not available.
• Misconfiguration – Oftentimes, the configuration of a cloud service is the responsibility of a cloud customer. Research has shown that many companies cannot currently audit their IaaS environments for configuration errors–which may lead to misconfiguration. That makes the misconfiguration of Infrastructure as a Service (IaaS) an “easy” way for attackers to successfully access and export data. 
• Insider threats – A dishonest, or rogue, employee, is capable of exposing an organisation to a cyber security breach with the use of the cloud. Some examples can be that the employee exports data after being fired, sell company data for his or her financial gain, or exposes customer records.