Repelling targeted attacks in the cloud

In a previous blog post, ‘The rise and rise of public cloud services‘, Quocirca pointed out that the crowds heading for Cloud Security Expo in April 2016 should be more enthusiastic than ever given the growing use of cloud-based services. The blog looked at the measures organisations can take to enable the use of cloud services whilst ensuring their data is reasonably protected; knowing what users are up to in the cloud rather than just saying no.

However, there is another side to the cloud coin. For many businesses, adopting cloud services will actually be a way of ensuring better protection of data, for example from the growing number of targeted cyber-attacks. A recent Quocirca research report, ‘The trouble at your door‘, sponsored by Trend Micro, shows that the greatest concern about such attacks is that they will be used by cybercriminals to steal personal data.

The scale of the problem is certainly worrying. Of the 600 European business surveyed, 62% knew they had been targeted (many of the others were unsure) and for 42%, at least one recent attack had been successful.  One in five had lost data as a result; for one in ten it was a lot or devastating amount of data. One in six say a targeted attack had caused reputational damage to their business.

So how can cloud services reduce the risk? For a start, the greatest concern regarding how IT infrastructure might be attacked is the exploitation of software vulnerabilities. End user organisations and cloud service providers alike face similar flaws that are inevitable through the software development process. The difference is that many businesses are poor at identifying and tardy in fixing such vulnerabilities, whilst for cloud service providers, their raison d’être means they must have rigorous processes in place for scanning and patching their infrastructure.

Second, when it comes to regulated data, cloud service providers make sure they are able to tick all the check boxes and more. After personal data, the data type of greatest concern is payment card data – a very specific type of personal data. Many cloud service providers will already have implemented the relevant controls for the PCI-DSS standard that must be adhered to when storing payment card data (or of course you could simply outsource collections to a cloud-based payment services provider). They will also adhere to other data security standards such as ISO27001. Cloud service providers cannot afford to claim adherence and then fall short.

If infrastructure security and regulatory compliance is not enough, think of the physical security that surrounds the cloud service providers’ data centres. And of course, it goes beyond security to resilience and availability through backup power supplies and multiple data connections.

No organisation can fully outsource the responsibility for caring for its data, but most can do a lot to make sure it is better protected and for many a move to a cloud service provider will be a step in the right direction. Quocirca has often posed the question, “think of a data theft that has happened because an organisation was using cloud-based rather than on-premise infrastructure“: no examples have been forthcoming. Sure, data has been stolen from cloud data stores and cloud deployed applications, but these are usually the fault of the customer, for example a compromised identity or faulty application software deployed on to a more robust cloud platform.

Targeted cyberattacks are not going to go away, in fact all the evidence suggests they will continue to increase in number and sophistication. The good news is that cybercriminals will seek out the most vulnerabile targets, and if your infrastructure proves too hard to penetrate they will move on the next target. A cloud service provider may give your organisation the edge that ensures this is the case.