What is cloud computing?
Typically, an individual stores computer data or applications on their hard drive or on a shared local server within their organization. Cloud computing is a method of storing, processing and managing data on a remote server hosted through the internet. These remote servers are physically housed at data centers, which can be located and accessed from anywhere in the world. Two types of clouds exist; public clouds and private clouds. Data stored on a public cloud can be comingled with data from multiple organizations or individuals. A dedicated private cloud can be defined as infrastructure provisioned for a single entity, which can be located on or off premise.
How can my organization save money with cloud computing?
One major benefit of cloud computing is a reduction in technology costs. Cloud computing shifts an organization’s investment from capital expenditures to operational expenditures, and that can represent a significant savings. Storing data remotely eliminates many infrastructure purchases and reduces equipment maintenance staffing – businesses access cloud servers, rather than owning their own. In 2013, Forbes reported that the federal government saved an estimated $20.5 billion by adopting cloud computing practices.
Cloud data is accessed similarly to a utility, like electricity, in a pay-as-you-go model. Organizations use the storage space they need – scaling up and down with usage requirements. While burstable costs can be a concern, scaling models remove the guesswork from data storage infrastructure purchases.
What are the security risks?
Data breaches from successful hacking attempts are the biggest security risk with remote storage. Apple’s iCloud service, which allows its users to upload backups of images, calendars and contacts, has had a number of data breaches. In 2014, celebrities such as Jennifer Lawrence, Kirsten Dunst and Kate Upton had their images stolen from the backup located in Apple’s iCloud. The images were then distributed to the public via the internet. In 2016, more than 40 million iCloud accounts were compromised; giving the attacker access to lock and remotely wipe the mobile devices, along with placing a ransom image on their lock screen.
Successful phishing attempts are another example of a data breach caused by end users. Phishing is the criminal activity of attempting to obtain sensitive information, such as account numbers or passwords, by posing as a legitimate organization or interested party. A lack of clarity between businesses and their cloud service providers regarding incident response plans, security controls and responsibilities can also present major risk.
How can I protect my data?
The National Institute for Standards and Technology (NIST) has developed a number of free data security publications for federal agencies and private companies. These documents provide security professionals with step-by-step instructions on conducting risk management evaluations and implementing frameworks to increase data security posture. This solution is an invaluable cost-free resource for organizations that have high-level information security professionals on staff.
Businesses might consider cloud service providers that offer “zero knowledge” encryption. The providers store data without knowledge of the key, leaving only the user of the account the ability to encrypt and decrypt the information. Multifactor authentication, a security measure that requires two or more methods of authentication to verify a user’s identity, adds another layer of data protection.
For companies of any size, training is key in mitigating security threats. Human error is cited as a major contributor to data breaches. Ensuring all staff receives some form of end-user security training will limit the chances of incident.
Merit Network offers customized private workshops and training programs for individuals and organizations. These include executive-level cybersecurity overviews, risk management workshops and more than forty nationally recognized cybersecurity certifications, such as Certified Information Systems Security Professional (CISSP) and Computer Hacking Forensic Investigator (CHFI).
For more information on building your customized training program, visit Merit.edu/CyberTrain