Top of the Charts in Cloud Risk: Data Breaches

The Cloud Security Alliance (CSA) this week, as part of the RSA 2013 Conference, released its “Notorious Nine”. This is a list of the top threats associated with cloud computing. At the top of the charts for 2013 – data breaches. With data breaches going to the top of this list, now is probably a great time to ask yourself the question: When should I consider placing personal privacy information from my customers and others in the cloud?

The risks and associated liabilities of breaches of privacy-protected information are only growing. The cloud offers a “target rich environment” for those who are looking to mount cyber attacks, with the intent of either disrupting commerce or more typically monetizing the data through criminal means. So what should you do before implementing systems that migrate your organization’s privacy data into the cloud? Jay Heiser at Gartner Group notes that while data breaches are a concern, that cloud outages that lead to data loss are even more likely a risk, a perspective that appears in contrast to that of the CSA. He suggests that “many enterprises are ill-prepared for [data breach] incidents”.

Given that fact, evaluating and improving your organization’s preparedness for a data breach incident would seem prudent. That is why increasingly organizations are carrying out “simulated incident response” scenarios as desktop exercises for testing their incident response plans.

He also looks to data classification as a way to evaluate what data and what risks you incur when moving information to the cloud. “Incomplete or nonexistent data classification is a common problem. If the buyer doesn’t know what the security requirements are for a specific piece of data compared to other data, it’s difficult to assess whether the provider can provide adequate security.”

Given the general risks associated with the newness of cloud systems, something an organization might consider is keeping its most sensitive data, say personally identifiable information (PII) and protected health information (PHI), which have enhanced regulatory requirements and oversight, and the greatest liability profile when breached, within your organization’s environment rather than migrating them to the cloud.

You may argue that cloud providers can do a more thorough job of data security, given that their livelihoods are based on providing computing services in a safe and secure manner. But unfortunately, the more data that they are entrusted with, the bigger the target on their backs from the perspective of cyber criminals. A recent report from ENISA, The European Network and Information Security Agency, titled “Critical Cloud Computing” discusses the importance of “preventing large cyber-attacks and cyber disruptions.”

They note that while offering significant benefits, the “concentration of IT resources” in cloud services represent a “double edged sword. On one hand, large cloud providers can deploy state of the art security and business continuity measures and spread the associated costs across customers. On the other hand, if an outage or a security breach occurs then the consequences could be big, affecting many citizens, many organizations, at once.”

Such is the risk inherent to cloud computing. Cloud providers who are hosting applications or data with mandated privacy protections, like PII and PHI, are more likely targets for cyber criminals, and are more likely to have the “mother of all data breaches”, if they at penetrated and the bad guys are able to acquire data without detection, at least for a while.

Bryan Ford from Yale University in his paper “Icebergs in the Cloud: the Other Risks of Cloud Computing” illuminates the fact that privacy risks associated with data hosted it he cloud are likely to evolve over time, but unlikely to be eliminated any time soon. He highlights what he considers “less well-understood” risks that may emerge including stability risks, availability risks, and preservation risks. Of all of these, it is the last one that concerns me most.

He discusses how cloud-based applications and services eliminate the property of decentralized archivability. Using books as an example, he notes that because of the physical nature of books, they inherently are de-centrally archived. As we become more dependent upon cloud-based services, over time, one can see the risks associated with the preservation of historical content of all types.

So for today, those of our organizations that maintain private information on customers, and other organizational stakeholders, should focus on managing cloud risks around data breach and service interruption, especially related to cyber attack. We should be intentional about the data that we choose to host in the cloud. We should carefully assess the security capabilities of our cloud provider. And revisit them often. And we should work with them to prepare for the unwelcome event of a data breach incident.

Once we get our arms around these risks, as Dr. Ford notes, there will be many new, unexplored risks to cloud computing for consideration in the future.