The major risks associated with cloud computing

  • Guides

The benefits of easy access, remote access, and collaboration features mean that more and more businesses are adopting cloud computing in some form. But is cloud computing as safe as it seems? Find out about the security risks inherent in cloud computing and what you can do to protect your information.

How does cloud computing put you at risk?

Cloud computing offers myriad benefits to many types of business. In fact, the type of organisation with remote workers across the world probably wouldn’t even exist without cloud computing. But, with 21% of files uploaded to cloud computing services containing sensitive data, organisations need to identify the problems inherent in cloud computing and ensure they have processes and measures in place to protect their information.

Breach disclosure

The presence of sensitive information in the cloud means that any breach falls within the scope of GDPR, which requires organisations to report data breaches and disclose them to their customers.

This means that your organisation may be required to disclose breaches due to failings on the part of your cloud computing service. For instance, a security flaw in their service that results in a breach would require you to disclose a potential breach to your customers and suppliers, even if your organisation wasn’t a target.

Potential breach of contract

At the time of writing, Google’s terms of service state:

“When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.”

It also states that:

“Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.”

While it’s made clear that Google undertakes these activities purely to improve their own services, your clients and suppliers may nevertheless take issue with documentation related to their business being analysed and stored in such a way.

In fact, with the advent of GDPR, your clients and suppliers will likely have put into place strict controls around their information, and require you to do the same. Depending on the terms of their contract, they could potentially deem your use of a cloud computing service a breach of contract and cease working with you.

Inadvertent sharing

The collaborative features of cloud computing mean it is vital to be able to share files with different levels of access; you may want a supplier to be able to view (but not edit) a contract, but enable a contractor to make changes to a time-logging file. The majority of cloud computing services provide a variety of user roles that you can assign when sharing a file.

However, some of these settings can be overridden by universal or master settings, or can interact in an unexpected way with other settings. One company accidentally shared their entire system of files, suffering a data breach without even realising that a hidden setting was overriding the sharing preferences they’d specified.

Bigger targets

Because of its high market share, Microsoft Windows has been the victim of far more viruses than other operating systems. After all, an attack on this platform will have a statistically higher chance of success because there are more potential victims.

The same is true of cloud computing services. Successfully breaching Office 365, Google Docs, or Apple iCloud will reward the attacker with a high number of potential victims. In fact, vulnerabilities have already been discovered in all of these platforms. The National Cyber Security Council has issued advice for mitigating against the rise of Office 365 compromise; Google Docs has been the subject of a successful phishing attack. And a flaw in Apple iCloud’s security was publicly identified when a journalist found his account had been hijacked.

The target painted upon these cloud computing services is balanced, of course, by the resources these companies have to invest in their security. Nevertheless, you should not rely on them entirely; ensure that you have processes in place to keep your information as secure as possible.

The danger at the desk

The biggest cloud computing services have the resources to invest in robust security, but no matter how much they invest, security is only as strong as the user. And if that user gives away (or inadvertently reveals) their username and password, your data is potentially at risk.

This is the entire goal of a phishing attack. Rather than launch an assault on the robust security of the cloud computing service, a cyber criminal instead attempts to trick or manipulate a user into revealing their login details. This might take the form of an email that leads the user to a fake login page, which collects the login details and passes them to the criminal. With this, they can gain access to your files.

This is exactly how cyber criminals gained access to the information of 145 million eBay customers in 2014: the criminals launched a phishing attack on eBay employees, gather 100 logins that granted access to eBay’s customer database.

Awareness of phishing can help avoid an attack, but disturbing figures reveal that any given phishing campaign will enjoy success with an average of 4% of people. And, incredibly, the same report has found that the more links in phishing emails someone has clicked, the more likely they are to click links in further phishing emails.

Steps to secure your cloud computing

It wouldn’t necessarily be wise to give up on cloud computing because of these risks. After all, shifting to a local computing solution would come with its own set of risks. But taking measures to protect against these risks means you can mitigate the risk to your organisation, such as the methods outlined below.

Enable multi-factor authentication

Also known as two-factor authentication (2FA), this security feature adds an extra step to a login process by requiring the user to provide extra proof of their identity. This proof can take many forms, from providing a code sent to them via text message to inserting a physical security key into their device.

This extra layer of authentication means that a phishing attack that successfully gains access to an employee’s login details still can’t access your files unless they also have access to the second method of authentication.

Backup your files

This might seem counterintuitive at first; after all, one of the greatest benefits of cloud computing is that your files are stored in the cloud. But if the worst does happen and your account is compromised, a local backup could protect your data from malicious damage or deletion.

Google, for instance, offers its own Back-up & Sync tool, but there are third-party options available.

Conditional access

Look into whether your cloud computing service offers control over who can access your files. Office 365, for example, offers functionality for restricting access to anyone outside of your country, or anyone outside of your IP range.

Such settings aren’t enough to secure your files by themselves, but can bolster your security when combined with other features, such as multi-factor authentication.

Security awareness training

A recent report revealed that just 29% of staff receive cyber security training but, where an organisation is using cloud computing, it’s all the more important for your team to be aware of the steps they need to take to secure sensitive information.

Data protection policy

It’s important to have a policy that makes clear how your organisation handles information, what it does to secure it, and how your staff are expected to behave to keep that information safe.

Such policies can serve as a useful resource for staff who come across a new situation, advising their next steps or who to escalate a problem to. Putting together the policy will also help to raise questions around current practices and potentially alert you to risks or gaps in your security processes.

Implement an Information Security Management System

Your organisation’s particular use of cloud computing will differ to how others use it, and you’ll likely face your own unique set of information security risks. An Information Security Management System (ISMS) will provide the tools needed to establish bespoke processes and policies to combat your unique security challenges.

For instance, part of implementing an ISMS involves proactively identifying risks, which can help expose any gaps in your current setup. It also involves establishing training records, which will ensure your employees know what they need to do to keep your organisation’s information secure, and putting in place specific policies that help to ensure your organisation’s security is not compromised.

To find out more about how an ISMS can help your organisation, take this free online course about Information Security Management Systems.

profile image of Elizabeth Sheldon
Written by Elizabeth Sheldon

ISMS Scheme Manager - Experienced Senior Lead Auditor with a demonstrated history of working in the information services industry. Skilled in ISO 27001 ISO 9001, ISO14001 and ISO 45001.