Even with the global economy increasingly hinging on cloud service providers, outages are still common, with causes ranging from a faulty software update, to overloaded servers, to database errors. One infamous example came in January of this year, when a power outage at a Verizon data center brought down JetBlue Airways. In February, Microsoft customers across Europe had to endure long delays as they tried to log into Office 365 services through the web portal. One month later in March, European users were hit once again – with a major 10-hour long outage for their Salesforce applications.
Most cloud service providers provide some layer of assurance and protection against unplanned downtime or data loss or leak. But if there’s one thing we’ve learned, it is to “expect the unexpected.” If a major service provider has an outage, there’s no guarantee your data or apps will be accessible. Nor can cloud service providers fully guarantee your data and apps will never deleted, stolen or compromised. Backing up and securing data and apps running in the cloud must be a shared responsibility, and here are several considerations for cloud users to consider:
Avoid relying on one multi-tenant service provider for anything
The recent Dyn DDoS attack demonstrated that today’s hackers are becoming more like snipers, targeting the highest value targets where the smallest amount of work will inflict the most damage. Dyn is an example of a routing service going down, but it shows how organizations must have safety measures in place to support any and all mission-critical functions – no matter how reputable your chosen service provider is.
Cloud service providers are under increasing attack, and for the most part they do an excellent job. But any unexpected disruption for them is likely to mean a disruption for you. Organizations simply must have redundancies in place to support any mission-critical cloud-based data and applications, but many organizations do not pay sufficient attention to distributing cloud risk. For the greatest measure of protection, businesses should consider a multi-cloud strategy. One important caveat is that backup and redundancy plans must address the issue of data portability – we tend to think of the cloud as an open, interoperable platform, but this is not always the case.
Take Security Into Your Own Hands
Just as a growing number of evil-doers are trying to take down major cloud service providers, these service providers are increasingly the target of sophisticated cyber attacks. The reason why is simple – because the cloud represents the ultimate fruit-bearing jackpot of data. When an organization puts its trust in the likes of Google, Amazon or Microsoft to keep data safe in the cloud, it’s expected that that these large corporations will have better security. And most of the time they do, so concerned parties have no reason to rush out and pull all their data and applications back into on-premise servers.
However, this does not mean cloud users can completely check off data and app security off their to-do list. In fact, the bigger threats to the security of cloud-based apps and data often originate on the user side. One particularly rampant threat is third-party apps that connect with cloud-based SaaS applications, through programmatic (API) access. Because these apps (and by extension, their vendors) are able to view, delete, externalize and store corporate data, a malicious individual leveraging these connections can act on behalf of users to access, exfiltrate, and externalize data.
Bring Your Own Device (BYOD) is another growing user-side threat, and it will only increase as more employees prefer to use their own devices at work. BYOD has the potential to be a win-win situation for employees and employers – they connect directly to cloud-based applications, giving employees more flexibility while saving employers the expense of having to buy IT equipment. However, BYOD also brings significant security risks if it’s not properly managed. For example, if a user pulls data from the cloud, stores it on their device and the device is then lost or stolen, this sets the stage for a potential security breach that the IT team team cannot directly mitigate.
Proactive, Round-The-Clock Threat Monitoring
The greatest threat to the security of U.S. companies is no longer the hacker attacking from beyond network walls. Now, it is the insiders already within those walls, equipped with an all-access pass. Traditionally, the term “insider threat” invokes images of malicious employees lurking in the shadows of an office attempting to steal company secrets or bring down the system. The reality is that this type of evil insider is infrequent at most companies. The real threat and biggest risk to confidential data is the unaware employee, more commonly categorized as the unintentional insider threat.
Consider, for example, the Android Gooligan hackers, who just this week scored the biggest theft ever of Google account access tokens. Gooligan was ultimately proven to be a fraudulent, criminal enrichment scheme, as opposed to an attempt to pilfer juicy data residing in Gmail or Google Docs. However, the evil-doers behind Gooligan could have very well wreaked major havoc, using these tokens to gain access to corporate data and apps in G suite. Gooligan gained a foothold on devices through third-party apps available on unauthorized app stores. All it would take is for one employee to download a contaminated third-party app, in order for their device to be rooted, their tokens accessed and an entire company’s G suite data and applications compromised. This is how quickly and easily it can happen – including instances void of malicious intent.
For these reasons, organizations must implement their own round-the-clock surveillance systems, helping them identify risky third-party apps, user behaviors and data sharing practices (for example, data being pulled and shared with a non-corporate email address). Surveillance does not have to be a dirty word – in fact, it can help minimize unnecessary risk exposure, for both unwitting employees as well as the business.
Empower IT staff
The IT staffs at many organizations – though SMBs in particular – are often resource constrained. According to a recent survey of IT professionals, nearly 42 percent rely on automation for backup, showing they are advancing their strategies to require minimal human intervention.
Unfortunately, the same level of automation is not necessarily available in the cybersecurity realm. With threats – namely third-party apps connecting to the cloud – evolving at such a rapid pace, organizations simply must have some level of automation to assess the overall level of threat to cloud-based data and apps at any point in time, and alert IT teams to those that are the most pressing. This is the key to IT teams being empowered with proactive, actionable, prioritized intelligence, versus more scattershot approaches that drain resources while being less effective. Cybersecurity needs the same type of automation that backup processes deliver, in order to automatically assess threats and eliminate those presenting the biggest danger, with minimal human intervention.
We live in a tremendous age where the cloud, and free cloud-based tools like collaboration, ecommerce and file-sharing, are presenting huge advantages for small businesses. This is helping small businesses increase profitability and business growth, while reducing operational costs.
It is estimated that 78 percent of U.S. small businesses will have fully adopted cloud computing by 2020. For an increasing number of SMBs globally, their cloud applications and service providers are their IT department. However, when it comes to ensuring the survivability of a business, proper backup and security of cloud-based data and apps is critical. The incessant nature of cloud-targeted attacks, combined with a constantly evolving threat landscape means cloud users must also play a role in ensuring their own data protection and security.
This post is part of our contributor series. It is written and published independently of TNW.
Read next: The loneliness of the startup entrepreneur