How Safe is the Cloud?


If you are on the fence about using third-party cloud-based applications or data management tools, it is probably because of concerns around the security of any information or other proprietary data that you would have to expose to make use of these tools. With all the data breaches in recent memory, including Target, Home Depot, Neiman Marcus, and others, it is no wonder we question if we really want to entrust proprietary data to any third-party organizations — whether they are cloud-based or not.

But what does cloud-based security really mean? Figuring out which aspects matter most for data security are difficult to nail down. Identifying the risks is only a small part of ensuring data security; Making sure data stays secure takes some dedication on the part of the cloud-based vendor, as new threats emerge daily. If you think about it, on the other side of the fence are the criminals who put in an equally huge effort to break through or dismantle security measures put in place by organizations doing business in the cloud. The height of the fence should be set by the value of the information being protected. This will continue to be an ongoing issue as society becomes more and more clouddriven.

However, there is a lot to gain from moving to the cloud: less infrastructure and IT within your organization, easier sharing and collaboration, and more streamlined and efficient processes with less overhead. This eBook will examine some of the key factors you should consider when sharing your data with cloud-based applications.

Transparency in Vendor Cloud Security Policies

In terms of cloud security, many organizations, such as Intermap, have adopted the Council on Cyber Security (the Council) Critical Controls Guidelines to ensure that the most important aspects of security of data and software have been addressed. This set of criteria was initially compiled by the Sans Institute, with input from a vast number of organizations working to enhance cyber security. The Council took over the stewardship of the Critical Controls Guideline list in 2013, with SANS as a founding member. The security items the Council focuses on have been boiled down from a longer catalog of potential threats that the U.S. National Institute of Standards and Technology (NIST) has developed over time. The 20 items the Council addresses focus on actionable controls with a higher payoff, which should be done first to ensure security in a cloud or enterprise environment.

The bottom line is that you want to ensure that the security policies of any cloud vendor you use are transparent to users and robust in nature.

Data Security: Data in Transit and Data At Rest Encryption

You should expect that the third-party cloud vendor has designed movement and storage of your proprietary data in a way that is encrypted. Data protection involves a combination of encryption, integrity protection, and data loss prevention techniques.

With the move toward cloud computing and greater mobile access, data management becomes increasingly important — and at the same time, more difficult. Encrypting data, both in transit and at rest, helps to mitigate data compromise as long as the processes and technologies associated with the encryption are robust.

Classic examples of data compromise include network snooping for data in transit and reuse for data at rest. Snooping on data in transit happens frequently, so many people are already aware of this type of data breach. However, protecting data at rest is less common.

When moving data to the cloud, organizations should understand the security controls applied to data in a multi-tenant environment in the cloud, and determine the best course of action for application of encryption controls. Data encryption provides an extra level of assurance that even if data is compromised, it is impractical to access the plaintext without significant resources.

Cloud-based vendors should also mitigate the potential threat of data compromise to begin with. In many cases of data theft, according to the Council, the victims were simply not aware of the sensitive data they were leaving on their systems because, as an organization, they were not monitoring data outflows. The movement of data across network boundaries has to be carefully scrutinized to minimize its exposure. The loss of control over protected or sensitive data by organizations is a serious threat, but while some data is leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices, a lack of design in software architectures, and basic user error.

Organizations should have a robust data loss prevention control policy that includes the protection of sensitive data at rest, along with methods to securely discover sensitive data across an enterprise or cloud environment. They should also have controls for enforcing, reporting, and auditing to ensure policy compliance.

Example of data at rest protection:

Some smaller cloud providers have a webserver that holds credit card information. When the information is no longer needed, the instance is deleted. When the next customer comes along and requests a new instance, the credit card data is still actually on the hard drive, where it can be accessed. This data should be encrypted at rest to protect it from being accessed by other customers, as well as the cloud provider itself.

Some of the ways the Council recommends that data be secured include:

  • Deploy encryption software to mobile devices and systems that hold sensitive data.
  • Ensure that cryptographic devices and software are configured to use robust, publicly-vetted algorithms.
  • Assess data to identify sensitive information that requires the application of encryption and integrity controls.
  • Review and ensure cloud provider security practices are adequate for data protection.
  • Monitor for sensitive information, like personally identifiable information, for example, to discover unauthorized attempts to steal data across the network and ensure that these attempts are blocked while alerting information security personnel.
  • Use network-based data loss prevention solutions to monitor and control the flow of data within the network for anomalies that exceed the normal traffic patterns.
  • Perform an annual review of any algorithms and key lengths in use for protection of sensitive data.

Application Software Security

Here we examine how in-house software security measures are developed at the software vendor. According to the Council, vulnerabilities can be due to several things, such as coding mistakes, logic errors, incomplete requirements, and failure to test for unusual or unexpected conditions.

Some of the things commercial software developers need to consider, particularly when deploying cloud-based software applications, include ensuring that the cloud-hosting vendor (such as Azure, 3Scale, and Amazon) has measures in place to protect applications and data from outside attack. The software vendor should ensure that all traffic flowing to the Web application is inspected for things like cross-site scripting, SQL injection, command injection, and directory traversal attacks.

Some of the other factors that the Council calls out for software vendors to address regarding security include:

  • Explicit error checking.
  • Ensuring that system error messages are not displayed to end-users.
  • Maintaining separate environments for test and production of software so that vulnerabilities aren't introduced in the production versions that are deployed to customers.
  • Ensuring that all developers get training to write secure code.
  • Using standard hardening configuration templates for applications that rely on databases.

While this is not a complete list, you can see that the software vendor has a lot to consider to develop robust and secure software.

User Authentication

Two key points regarding user authentication are: 1) Not everyone should have access to your data; and 2) Sensitive data shouldn't be stored on the same server with less sensitive data. In some of the high-profile breaches over the last couple of years, attackers were able to gain access to highly sensitive data that was stored on the same servers with the same level of access as far less important data. The Council proposes that sensitive data be stored on separated VLANS with firewall filtering. They also advise that any communication to this information should be encrypted and that the network should be segmented with different trust levels.

Along the same vein, many breaches of sensitive data occur when administrative privileges are misused in an organization. In a Web-based environment, it is important that the cloud provider has systems in place to protect data stored in the cloud. But at the same time, it is important that the software has been developed in a way to protect data when being used by the application as well.

The best way to minimize these types of threats is to monitor and ensure tight controls over administrative use of infrastructure and data within an organization. Vendors can do this through constant monitoring and frequently revisiting who has access to sensitive data or systems so that, for example, when employees leave or changes are made in the organization, access to data is constrained to only those who currently need access to the environments in question.


This eBook has provided an overview of some of the main concerns that need to be addressed when working with third-party cloud-based vendors, particularly when you have to transmit and store proprietary data with the provider. Knowing the risks and gaining an understanding of how they can be mitigated will allow you to enjoy the benefits of cloud-based software with peace of mind.