Explained: the cloud

Even if you are reading this post because you have no idea what the cloud is, you might be using it more often than you realize. Twitter, LinkedIn, Dropbox, Google Drive, and Microsoft Office 365 are some of the most well-known cloud apps.

Let’s start with a definition of the cloud to get a grip on things:

Cloud computing, often referred to as simply “the cloud,” is the delivery of on-demand computing resources—everything from applications to data centers—over the Internet.

Cloud resources are often divided into three types:

  • Public: cloud services are delivered over the Internet and sold on demand, which provides customers with a great amount of flexibility. You only pay for what you need.
  • Private: cloud services are delivered over the business network from the owner’s data center. You have control over the hardware, as well as the management and related costs.
  • Hybrid: a mix of the above. Businesses can choose to keep control over their most sensitive data or their average usage, and use public services to cover the rest of their needs.

Multi-cloud is another expression you may have come across. This means that companies use more than one public cloud provider, maybe for specific applications or as a method to cover outages. When using hybrid and multi-cloud solutions, it is important to spread the workload in a cost-effective manner.

Perceptions of the cloud

There are a few expressions about saving your data in the cloud that are not completely true, but will give you an idea of people’s perception of the cloud and what risks might be involved.

  • Your data is on someone else’s computer.
  • Your data is in a huge server farm.
  • You can’t be sure where your data is right now.

As you can probably tell from these statements, the main concern about the cloud is a lack of control over the data. This is not surprising, given the number of breaches that have occurred in recent times. According to an article on CSO, more data records were lost or stolen in the first half of 2017 than in all of 2016.

So what we really want to know is: Who actually has access to our data? This is not only relevant with regard to cybercriminals who can gain access through breaches. The Patriot Act gives the US government a lot of freedom to access and investigate data that is stored in cloud infrastructures. And of course, the cloud provider who stores that data can see it. Depending on the provider, they can even advertise to you based on your data, as is the case with most social media platforms.

And in case of a breach? Is your data stored and sent encrypted? What if someone manages to intercept the traffic? These questions may not all be relevant in your case, but they are worth thinking about.

Pros and cons

As with all technology, there are pros and cons to using the cloud. Here are a few:

Pros

  • scalable and flexible, so you can quickly react to ups and downs
  • cost effective—you pay for what you use
  • off-site backup, so no need to worry about losing it all in a fire or other catastrophe
  • access to data in any location

Cons

  • less direct control
  • potential for privacy and security violations (breaches)
  • different security measures from what you may be used to
  • access dependent on access to the Internet, which means service outages could lock you out of your data

Choosing the right cloud service

First and foremost, when looking for a cloud service provider, you should consider one that not only suits your data storage needs, but also is a reliable partner. Look at their track record and ask for references. With public cloud solutions, you need to consider the possibilities of traffic being intercepted, maybe even being altered, and data being stolen. And always look for providers that offer encryption and multi-factor authentication.

Because running cloud applications requires more attention than straightforward data storage, it’s helpful to distinguish Infrastructure-as-a-Service (IaaS) from Platform-as-a-Service (PaaS) when you are talking about cloud security.

  • IaaS is when your systems are running on virtual servers in the cloud.
  • PaaS is when your applications are running on cloud environments.

For IaaS situations, the security problems that are left up to you to take care of are not that different from the ones in your regular environment. You should be able to treat the servers as if they were in your own network. They require the same security solutions as your own, which could be anything from anti-malware software to a firewall.

For a PaaS environment, application hardening will be different as it may require a web-application firewall. As the applications are not running from the systems within your intranet, they will very likely be using different Internet connections to send and receive traffic. This is something to determine with the cloud service provider. Who takes care of what?

One other thing to consider when choosing your cloud service provider is the physical location of your data. It is your responsibility to make sure you remain compliant with laws and industry regulations. This can also be an important consideration when you are about to decide which data you will move to the cloud and which should be kept in-house.

Summary

The cloud is in essence a method to use other resources than your own to run applications or store any kind of data. It offers users flexibility and scalability, and puts the care of systems in other hands than yours. The price, besides the fees, is a loss of control over the resources and data. For businesses, compliance is another factor to weigh. When talking to potential cloud service providers, security should always be a point on the agenda. It has to be clear who takes care of which aspects of cloud security; otherwise, some of them could slip through the cracks.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.