A Thorough Analysis of Risks and Security Measures
Cloud services have become commonplace for managing internal materials as well as employee and customer information. As the amount of data stored in the cloud grows rapidly, security risk is a concern. Can operations be managed safely now that services that allow data to be accessed from anywhere via the cloud have become commonplace?
What is Cloud (Cloud Computing)?
“Cloud (Cloud Computing)” is a general term for services that provide various IT resources on demand via the Internet from a cloud service platform, including computing, databases, storage, and applications. Using the cloud reduces the need for heavy initial investment in hardware installation and for the human resources spent on troublesome work such as resource procurement, maintenance, and capacity planning. There are three types of cloud, SaaS, PaaS, and IaaS, depending on the service type.
SaaS is an abbreviation of “Software as a Service”. It is a service that allows software that was previously provided as a package to be used via the Internet, so users do not need to purchase or install the software as a package. Examples are Google Apps such as Gmail, which allow users to manage emails and schedules in the browser.
PaaS is an abbreviation for “Platform as a Service”. It provides the application development environment for software of the kind delivered as SaaS, and makes available a set of platform functions for development, such as the OS and servers. Typical examples of PaaS are Amazon Web Services (AWS) and Microsoft Azure.
IaaS stands for “Infrastructure as a Service”. It provides infrastructure such as OS, servers, storage devices, and network devices via the Internet.
Benefits of Adopting Cloud Services
- No need for an in-house server
- Reduce the risks of IT investment
- High expandability
- Always up-to-date with no maintenance required
- Reduce the burden on internal staff for maintenance
By eliminating the need for an in-house server, the initial cost is often kept low, and the monthly cost can be reduced if the pay-as-you-go system is selected.
With on-premise systems, initial costs tend to be high, and depending on the size of the company, adoption may not be an option. Adopting cloud services also reduces the risk of IT investment. Although the data itself is managed at data centers owned by the service vendor, it is safer than managing it at one site because it is distributed and managed across sites.
In addition, the cloud is highly scalable: during busy periods, server specifications can be increased temporarily to handle a large amount of access. With on-premise systems, the server has to be rebuilt in order to increase its specifications.
Server maintenance, which was difficult on-premises, is also not necessary for cloud servers. This reduces the burden on internal personnel for installation and maintenance and has the advantage of saving labor, time, and costs. As a result, the number of companies that have adopted convenient cloud services in-house has increased rapidly in recent years.
Security Measures Required in the Cloud
The demarcation point of responsibility differs for SaaS, PaaS, and IaaS, and security is divided into measures that the cloud user company itself must take and measures that the cloud operator takes.
Companies using SaaS need their own security measures only for data and content. On the other hand, in the area from application to the service operation, cloud operators implement security measures.
Companies using PaaS need security measures in the area from data to applications. It is also important to take measures against the latest security threats by conducting periodic vulnerability diagnosis and malware scanning.
Companies using IaaS need security measures in the area from data to middleware. Amazon's AWS provides an OS that runs on a virtual machine. The user company installs and uses middleware on this OS. It is necessary to take countermeasures such as patching middleware and dealing with vulnerabilities.
Data encryption and access control are the security measures that companies using the cloud must implement for data and content in all SaaS, PaaS, and IaaS services. In the cloud, data is stored in the data center of the cloud operator, so services are usually used via the Internet. Going through the Internet creates risks such as eavesdropping and tampering on the communication path.
Unless it is public information, communication data must be encrypted with SSL. Even in an intranet environment such as a private cloud, the risk of eavesdropping inside the organization can be avoided by using SSL server certificates and SSH.
Cloud Security Risk
Unauthorized login countermeasures
You can use a cloud service simply by logging into your account from a browser or app. Therefore, the level of security varies greatly depending on the security measures applied to the account and the device. The risk of unauthorized login due to server attacks increases if general security measures are not in place, for example when the terminal is not locked with a passcode, when the account is logged in automatically, or when free Wi-Fi that requires no password is used.
By using a one-time password, which is a password that is changed every time, and by providing strict access control for resources, the risk of unauthorized access and information leaks can be reduced. Moreover, without appropriate access control, data can be leaked by someone on the inside maliciously taking it out or downloading it. The Thales report also identified insiders involved in data breaches: partners with internal access (52%), privileged users (49%), and a mix of employees, other non-IT users, and service provider accounts (41%).
Cloud services can be implemented at low cost and can be used regardless of location. On the other hand, because the cloud is connected to the Internet, security risks are likely to increase. Precisely because the cloud is so easy to use, the security risks must be understood before using it. Make sure you have the right knowledge about “data encryption” and “access control” to avoid information leaks and unauthorized access.