Cloud computing has experienced significant growth over the years, owing to the logistical and economic benefits that it offers to organizations. However, there have been major concerns about the security of data stored on both private and public cloud systems. Cloud providers offer services, such as cloud email hosting, that eliminate the need for organizations to host in-house IT infrastructure. This might sound beneficial, but some organizations feel that the absence of in-house servers and equipment denies them control, as well as the ability to protect their critical data.
How Secure are Cloud Services?
An online integrated system that handles sensitive data such as cloud email services must be protected from hackers and other threats.
Cloud email service providers like Mimecast use four types of security controls, namely:
- Preventative Controls:
These are security measures put in place to detect vulnerabilities in the cloud system. As such, the cloud service providers are able to address potential weaknesses that hackers might exploit to breach the system, and minimize the damage caused by any such breach.
- Deterrent Controls:
These are warning mechanisms set up to alert the cloud provider of potential signs of security breaches in the system including viruses and incidences of hacking. The warnings enable cloud providers to take immediate remedial action to prevent damage or loss of data.
- Detective Controls:
These controls are set up to identify potential and existing attacks in the system. When the deterrent controls trigger a warning of potential threats, the detective controls come into action to check if there has been an attack, and signals the preventative and corrective controls to take remedial action.
- Corrective Controls:
The controls take appropriate measures to prevent access to sensitive information and data loss, once an attack occurs. In addition, the corrective controls work together with preventative controls to stop attacks from bringing down the cloud system.
The Types of Cloud Security Systems
- Role-based Security
Role-based security refers to the model of assigning individuals different security levels, depending on their responsibilities within an organization. For instance, the security clearance for cloud email services enables respective employees to only access relevant information that they can use to execute their duties. The permissions are not assigned directly to individuals, but through their roles within the corporate structure.
The role-based security model allows for effective data manipulation, management, routing and even modification within protected and segregated resources in a public or private cloud network. Cloud-enabled organizations are able to assign or reassign the roles of individual employees for various reasons including logistical control, flexibility, or to enhance security. However, the cloud-defined roles remain constant, regardless of employee assignment/reassignment.
- Key Management
This refers to a security model that uses an independent credentials system, which is separate from the file system, to protect sensitive information in the Cloud. In this model, an isolated portion of the cloud application that is inaccessible from the Internet is used for storing authentication keys, user accounts, and sensitive data.
Cloud-enabled organizations are allowed to specify the keys to be used in the authentication and encryption credentials. The key encryption takes place on an inaccessible server, outside the cloud. In the event of unauthorised access to the file system, the sensitive information remains secure. Some important factors to consider when implementing key management include:
- Data Encryption: Most cloud providers use Advanced Encryption Standards (AES) to protect keys from hackers. An AES256-encrypted database is used for storing customer credentials (authentication and encryption).
- Key Storage: All keys should be stored outside the public cloud infrastructure, file system, or credentials management zone.
- Backup: Organizations should have a back up of all sensitive information including file system and encryption keys.
Written by: Nathan Morgan has been an IT professional for 14 years. His work is currently focused on Linux servers. In the past he has worked on secure data encryption and the development of a comprehensive data protection strategy, including off-site backups and rapid data recovery.