Cloud Data Security: Is “the Cloud” Secure?
Cloud technology and cloud computing are on the rise. With so much essential work being done “in the cloud,” it’s time to ask, “Is the cloud secure?” Dr. Randall Magiera, IT professional and cybersecurity professor, is here to talk about cloud data security.
See How Secure is “In the Cloud?” with Randall Magiera for a complete transcript of the Easy Prey podcast episode.
Randall is an adjunct professor at the Tulane School of Professional Advancement, where he teaches both undergraduate and graduate cybersecurity courses. He’s been in the IT field about twenty years, starting with Windows NT and Windows Server 2000. He earned his doctorate in cybersecurity in 2017 from Capitol Technology University, and has a wide range of certifications.
He first became interested in cybersecurity while working in IT and doing desktop support. As he was helping people, patching systems, and imaging systems, he realized that a lot of the companies he was looking at weren’t very secure. He saw that there was a gap and that cybersecurity was something everyone needed serious help with.
When Randall started in IT, no one had even considered the idea of “the cloud.” But technology is always changing and advancing, and now cloud data security is something a lot of companies have to think about.
The big question: Is the cloud secure?
The answer here is complex. The big cloud service providers – Amazon’s AWS, Microsoft Azure, Google Cloud – are essentially secure. Even smaller companies go to great lengths to make sure their services are secure.
However, the cloud provider isn’t the only party responsible for your cloud data security. If you’re setting up the cloud services but you don’t understand what you’re doing and set it up incorrectly, then the cloud won’t be secure – but that’s on you.
“Here’s the thing with cloud computing: They provide the platform for you to use, and it’s up to you to use it. If you use it wrong, that’s on you.” – Dr. Randall Magiera
The major cloud providers use the Shared Responsibility Model. They clarify what they’re responsible for in terms of your cloud data security, and also what you’re responsible for. Many providers offer training on best practices. They’re trying hard to make sure you know what to do on your end, because if there’s a breach, they get associated with it even if it’s not their fault.
Human mistakes affect cloud data security
When you start getting into the cloud, you need to do more than pull out your credit card and sign up. You need to take the time to research what steps you need to take to be secure. For example, with AWS, new virtual servers are open to the public internet by default. Their basic protection operates like a firewall but is called a security group. You have to add IP address restrictions to limit who can access the server. If you’re not familiar with the idea of a security group, how it relates to a firewall, and the technical aspects, you might leave your cloud insecure.
When you have a production environment in the cloud, often that’s locked down and very secure. But the developers might have lower environments used for testing changes that have more lax security. This isn’t a significant risk regarding your production data, but if someone is able to compromise one of the lower, less-secure environments, they can insert their own code or add malware to your cloud.
Future risks in cloud data security
More and more things are moving into the cloud, and the question of “Is the cloud secure?” is going to become more and more relevant. Randall thinks it’s going to be interesting to see the future of cloud security. Most malicious actors are just motivated by money. They’re going to find creative ways to use the cloud to get paid, whether that’s direct hacking or using it as a tool for other scams.
“Malicious actors are going to use the cloud just like all other forms of technology: as a means to their end. It’s going to be interesting to see how creative they’ll get.” – Dr. Randall Magiera
One thing that malicious actors do more often than we realize is crypto mining with the cloud. They’ll steal a credit card, use it to open a cloud account, create a bunch of virtual servers, and install crypto mining software on them. Eventually the stolen card will be cancelled and the servers will get shut down. But the malicious actor still gets to keep all the crypto that they mined.
Randall recently read an article where malicious actors used AI to mimic the voice of a CEO, then called the CFO and used that AI voice to get a wire transfer. He doesn’t consider that a deep fake, but he thinks deep fakes will get more common. Cloud platforms provide a virtually unlimited amount of computing power to whoever will pay for it. Using cloud technology, malicious actors can create whatever they want and use it however they want. Once the technology allows real-time deep fakes, the old advice to get someone on a video call to make sure they’re not a scammer won’t work.
Backups are essential for cloud data security
In the cloud, once it’s deleted, it’s gone. Part of having good cloud data security is making sure anything essential is backed up.
There’s no guarantee that your cloud service is backed up by default. Some are, but it depends on the service. For AWS, S3 servers are backed up in multiple data centers in multiple locations. EC2 instances are just in one data center unless you pay extra to have them in multiple locations. It’s a risk to put everything into a single system because something could happen to that system. Cloud services make backing everything up easier.
If you have your own data center, you have to have your own physical backups of all your servers. In the cloud, it’s just an extra fee to get your data into multiple data centers in case something goes wrong.
“That’s one of the things I do like about cloud computing: It builds in Disaster Recovery.” – Dr. Randall Magiera
Cloud disaster recovery options also make it easy for IT to have that conversation about backups and disaster recovery with management. When all you need to do is look at a chart of fees and what you get for each fee, it’s easy to determine what the company wants, needs, and is willing to pay for.
Once you have that backup, though, make sure you test it. If something goes wrong and you need those backups, that’s the worst time to find out the backups weren’t written properly or aren’t functional. If you’ve been paying for these backup servers and they don’t actually function, you didn’t need to be paying for them.
“Test your backup, test your disaster recovery, and make sure you actually have something that functions.” – Dr. Randall Magiera