Are my cloud-based applications really safe?

Cloud-based Applications

Running applications in the cloud is becoming popular, but many Australian businesses are staying away from cloud computing. Many companies are reluctant because they don’t trust the security of cloud-based applications. While the cloud has its risks, the overall benefits can be significant.

When you develop applications that are required to scale out, you could either continue to run them on more of your own data centre resources or migrate them to a cloud service. Scaling out in your own data centre increases the cost of housing and maintaining the app. The data centre will consume additional electricity, hold additional hardware and require additional maintenance, which all adds up. Cost benefits may well be available from migration, but you are right to doubt the security of cloud-based applications.

Who controls cloud application security?

To protect your cloud-based applications, your application data is encrypted. This means that it cannot be accessed without the unique encryption key. Were a person to access your application platform in the cloud, they would not be able to change or benefit from that data without the encryption key.

The majority of cloud service providers store the encryption key for use by the application. When you log into the system, the provider retrieves the key from its secure keystore and your session is then able to decrypt your data.

This arrangement is likely safer and more convenient than when you store the encryption key on your self-managed devices.  The security of your application may be at risk were a device to be compromised.

Unless the cloud service provider has a weak security implementation, nobody can access your data without being authorized to use the application. 

Risks of cloud-based applications

Although most cloud security services are secure, they are not entirely immune to cyberattacks. Hackers can access your cloud-based applications and cause extensive damage. There have been many instances where hackers correctly guessed passwords and bypassed login security questions.

Another significant risk is the loss of proprietary software. A hacker may not be able to copy or steal data immediately; however, they may progress by first viewing your software code. Experienced hackers can create copies of your software or customise malware to infiltrate your programs and give themselves a means of gaining access to your data.

Another risk is that government authorities can compel cloud computing providers into releasing your details. Applications housed on Microsoft and Google Cloud platforms have ended in government hands in several nations.  

You should consider whether, were these risks or circumstances to eventuate, these may hinder your business operations and / or damage your brand.

Cloud security controls

Cloud service providers' offerings include services that eliminate or manage threats and increase system security. There are numerous security controls in a cloud platform; these are categorized by control type as follows:

Preventive controls

Preventive controls enhance the strength of the system by removing vulnerable components or maintaining components with the most current level of security patching. For example, secure authentication of application users is enforced so that access to your cloud-based applications is limited to explicitly authorised persons only.

Deterrent controls

Deterrent controls reduce the number of attacks on the cloud platform. They work like warning signs on a property or fence to deter hackers from attempting any cyberattack. Demonstrable adverse consequences are a part of deterrent controls. Hackers know that there will be severe consequences if they try to bypass security protocols on the cloud.

Detective controls

With the continuing evolution of advanced techniques and attack methods, it may not always be possible to prevent the occurrence of a cyber attack incident. Nevertheless, the situation can still be managed by the provision of effective detective controls. Cloud service providers use detective controls to identify and stop cyber attack incidents at an early stage, often before a full-on assault is launched, or failing that as soon as an attack occurs. Network and system monitoring is used to detect intrusions at the early stages. Automated response mechanisms provide support to the infrastructure and systems to protect the critical applications they house.
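As an added illustration (not part of the original article or any provider's code), the sketch below shows how login monitoring could flag the password guessing mentioned under the risks, first as a burst of failures and then as a successful login that follows it. The event format, the five-minute window, the threshold of five failures and the sample events are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, source address, outcome).
T = "2024-05-01T"
SAMPLE_EVENTS = (
    # carol: five failures spread over 40 minutes (forgotten password, not guessing)
    [(T + f"08:{m:02d}:00", "carol", "192.0.2.44", "FAIL") for m in (0, 10, 20, 30, 40)]
    # alice: six failures in under two minutes, then a success from the same source
    + [(T + f"09:0{s // 60}:{s % 60:02d}", "alice", "198.51.100.7", "FAIL")
       for s in range(0, 120, 20)]
    + [(T + "09:02:00", "alice", "198.51.100.7", "OK"),
       # bob: one typo followed by a normal login
       (T + "09:00:05", "bob", "203.0.113.9", "FAIL"),
       (T + "09:00:30", "bob", "203.0.113.9", "OK")]
)

WINDOW = timedelta(minutes=5)  # assumed look-back window
THRESHOLD = 5                  # assumed number of failures that counts as guessing

def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (kind, account, source, timestamp), in time order."""
    failures = defaultdict(deque)  # (account, source) -> recent failure times
    alerted, alerts = set(), []
    for ts, account, source, outcome in sorted(events):
        when, key = datetime.fromisoformat(ts), (account, source)
        recent = failures[key]
        while recent and when - recent[0] > window:
            recent.popleft()       # forget failures older than the window
        if outcome == "FAIL":
            recent.append(when)
            if len(recent) >= threshold and key not in alerted:
                alerted.add(key)   # early-stage alert, raised once per burst
                alerts.append(("GUESSING", account, source, ts))
        else:
            if len(recent) >= threshold:  # success right after a burst
                alerts.append(("LOGIN_AFTER_GUESSING", account, source, ts))
            recent.clear()
            alerted.discard(key)
    return alerts

def accounts_to_lock(alerts):
    """Automated response: accounts whose password was probably guessed."""
    return sorted({a[1] for a in alerts if a[0] == "LOGIN_AFTER_GUESSING"})
```

Only the burst against alice raises alerts; the single typo and the slow run of failures stay below the threshold, which is the trade-off between early detection and false alarms that these values control.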

Corrective controls

In some instances, hackers may successfully infiltrate cloud-based applications. The efforts of detective controls may not be enough to prevent a high severity incident. Were this to happen, cloud service providers will limit the damage through their corrective controls. The capability to restore an application or system comes from properly implemented corrective controls. After the cyber attack has occurred, the system has likely been corrupted or otherwise compromised. Restoring compromised systems to proper working order is accomplished by corrective controls.

Bottom line

Cloud-based applications with effective controls should be considered as relatively safe.  However, no system is completely safe and we should be prepared for any eventuality.  So long as you have selected your service provider wisely and your application is cloud-environment ready, the benefits of running scaled applications in the cloud should outweigh the potential risks.
