Businesses of all sizes are turning to cloud services to ensure efficient and reliable operations and to provide better customer service.
Because of the scalability of Software-as-a-Service (SaaS), even small businesses or individual workgroups of a large business can start with entry-level usage and expect the service to grow with their needs.
Whatever the size or scope of your deployment, you will need to incorporate targeted measures to enhance security, especially given the potential risks of having all infrastructure and systems owned by the service provider, as opposed to running an on-premises system over which you have total control.
According to Ovum, about 80 percent of companies now use the cloud in some capacity. However, more than 90 percent of global enterprises have concerns about the security of their cloud infrastructure and are likewise worried about the lack of visibility and transparency when it comes to security measures and controls from their provider.
Data Leaks and Privacy Issues
The growing popularity of cloud services also comes with concerns about privacy and security. Even with increasingly transparent security offered by the service provider, there may still be security vulnerabilities that attackers can take advantage of. For example, an attacker who uses a new approach, such as the Man-in-the-Cloud attack, to obtain valid credentials to a Box account gains full access to your sensitive and regulated data. At the very least, your organization might suffer avoidable leaks, even inadvertent ones, that could compromise the business.
True enough, SaaS providers will mostly provide a secure connection, which will include end-to-end encryption from your users’ devices to the provider’s server. With this, there is very little likelihood that a third party can eavesdrop to access information across the connection between device and server.
However, the concern should not end there. What happens to your information that is available in Office 365, for example, once it is stored on an employee’s laptop, tablet or smartphone? What if he or she is lured into sharing or divulging information or account details? What if they have excessive sharing permissions on files in OneDrive that allow your company information to be easily proliferated to unknown users?
The Rise of BYOD
Bring-your-own-device (BYOD) arrangements are becoming more and more popular among businesses, especially considering different user preferences and businesses’ cost considerations. BYOD adoption is growing at 25 percent per year, and businesses are starting to leverage employee data and connections as part of the organizational knowledge base.
Most companies implement certain privacy or security policies that define usage standards, with the aim of preventing misuse of resources or data. To this end, IT departments often implement some sort of administrative control over personal devices used for work purposes. A big concern with allowing employees to connect their personal devices for work purposes is that organizations cannot implement device-based access policies for the cloud, as opposed to on-premises applications, which give more control to IT managers.
With a BYOD arrangement, you don’t have 100 percent assurance that employees are using their cloud-based accounts correctly, meaning some might be sharing information inappropriately, whether intentionally or not. Another concern is that some users might be accessing the data from untrusted devices, which is likely when they synchronize their accounts using new devices or when they log in through other shared devices (such as a computer at home or a hotel business center).
This becomes a big deal. Even if you are assured of a secure end-to-end connection between your user’s device and the cloud service provider, whatever happens to files, data or information stored on that person’s device is anyone’s guess.
According to Skyfence, enforcing unique controls between managed and unmanaged devices can influence the integrity and security of corporate data. Cloud security is a shared responsibility between the service provider (such as Microsoft Office 365) and the IT department. A cloud access security broker, Skyfence monitors sanctioned and unsanctioned cloud apps, and enables IT managers to determine potential risks, control user access, and detect anomalous behavior on cloud networks that could indicate an attack.
Social Engineering Still a Danger
Even with the best administrators and IT managers, however, endpoint vulnerability is a big risk factor when it comes to managing a cloud deployment.
As individuals, users are still highly susceptible to social engineering attacks. These could include the likes of phishing or website spoofing, or even confidence-based fraud or identity theft, in which a scammer pretends to be a colleague. Perhaps no amount of security is enough if users are not aware of their own responsibilities in keeping the network safe from attacks.
Cloud applications are particularly sensitive to identity-based attacks. First, they are globally accessible, unlike on-premises infrastructure, which will require access via VPN. Second, IT managers don’t have direct control over access, so responding to an identity-based breach will require coordination with the cloud provider.
No matter the strength of encryption, compromised user credentials (such as a simple username and password) can be enough to compromise whatever data and networks that particular user can access.
In this regard, user education can be key in preventing security breaches. Don’t let your employees fall victim to these cons, confidence attacks and social engineering. Equip them with the right knowledge by engaging them in seminars and training that stress awareness of such security risks.
The SaaS industry has been an essential part of doing business in recent years. However, it still has a lot to improve in terms of its security and privacy aspects. IT managers will need to leverage tools that give better control over precious data and who can access that data. Everyone concerned will also need to do their part in securing the enterprise from vulnerabilities with a human attack vector.