By the end of 2017, the value of the global cloud computing market will go past the $260 billion mark – marking an impressive 18.5% YoY jump. The growth is all set to pick up further momentum in the next few years, with a Forbes report estimating that the cloud services market will be worth a whopping $411 billion by the turn of the decade. Both infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS) will be important drivers of this growth, with 23.3% and 15.7% estimated CAGRs for the 2016-2020 period respectively. In the US, 8 out of every 10 companies have expanded their use of cloud computing services in one way or another. Adoption and use of public cloud, private cloud and hybrid cloud platforms are all on a rapid upward spiral.
While the advantages of cloud computing regarding greater flexibility and more scalability (also, cost-efficiency) are beyond doubt, shadows remain over the security aspects. In a recent survey among businesses, 25% of the respondents highlighted ‘security’ as a major concern, while a further 23% mentioned ‘compliance’ as another important point of concern. The biggest of tech giants – from Microsoft and Yahoo, to Apple and Dropbox – have suffered serious data breaches over the years. In 2016 alone, over a billion identities were compromised as a result of cloud services being hacked. Not surprisingly, investment in cloud security is also increasing, and is set to touch $3.5 billion by the end of 2021. Let us here look through the most serious types of cloud computing risks:
1. Authenticity and reliability of cloud vendors
Channels like Google Cloud Platform and Microsoft Azure are, obviously, secure – but the same cannot be said about all the third-party cloud service providers out there. The problem is further compounded by the fact that many small and mid-scale businesses do not really make an attempt to track the robustness of the technology support offered by these vendors. A wide range of uber-important ‘business critical data’ is stored on cloud platforms by companies – and when handled inefficiently (or in the hands of the wrong person) – can spell doom for the concerned businesses. The lack of knowledge about how a cloud vendor works and the integrity/efficiency of the individual workers there is also an issue. When an obscure cloud service provider messes up stored data, the reputation of the companies takes a serious hit.
2. The security assurance (or lack thereof)
In September 2013, the large-scale data breach at Vodafone (the banking data of over 2 million customers was stolen) made a lot of news. Over the years, the threat has intensified further – with tech entrepreneurs highlighting security threats as a major barrier in the way of large-scale cloud implementation. The onus lies on companies to read the fine print on what security standards a cloud service provider abides by, how the data would be stored, and how data integrity levels will be maintained at the time of outsourcing. In addition to these, the agreement should also clearly mention the extent of data the cloud platform will have access to – and the players who will be able to retrieve it (as and when required).
Note: Since cloud storage is done on distributed networks, recovering from hack attacks is generally quick. Other such wholly internet-based services have similar security risks.
3. Lack of vulnerability assessment of cloud service provider
Every cloud vendor claims to have the best security practices in place. However, that should not be enough – and businesses should ideally do a thorough vulnerability assessment study on the vendors they are considering partnering with. An idea of how these cloud platforms can recover from data theft attempts and breaches (disaster recovery) is also important. Virtual machines, malicious bots, infected software and brute force attacks are all becoming alarmingly common – and unless a vendor is well-equipped to handle such attacks, the problems will remain.
4. Unauthorized third-party data access
Think of it this way: a company maintains all of its data on its local server. Now, it decides to start using a cloud server for data storage. Understandably, more people (outsiders) will have the chance to snoop around this proprietary data than was earlier the case. As more and more small and mid-level businesses start using cloud services (i.e., the cloud platforms start aggregating more and more data) – single points of attack are created, just like what the phishing experts and miscreants would love. Companies generally feel that their data security levels get boosted when they switch to a cloud platform – but that factor is partially offset by the fact that more people have to be trusted now, more people have access to data, and chances of attacks become higher. It’s a necessary evil…but still, an evil.
5. No standardization affects cloud services
What is a ‘safe cloud system’? Get in touch with multiple vendors – and chances are high that you will get varying replies, highlighting totally different factors. This lack of standardization forms yet another risk – since companies do not have a pre-specified benchmark to judge the quality of operations of the service provider. Once again, it is up to the clients (i.e., businesses) to ascertain the technological expertise and platform stability of the vendor – before actually storing data with the latter. The initial contract should clearly mention that if a company is not happy with the services of a cloud vendor, it can switch to another service provider without having to pay anything extra. Hopefully, the regulatory bodies will come up with some standardized practices in the near future.
6. Need for infrastructural change for cloud compatibility
There is very little room for doubting that ‘being on the cloud is the way to go’. However, things might not be as simple as they seem on paper. Companies have to make wholesale changes to their traditional IT system in general, and data infrastructure in particular. Making such changes can be both time-consuming and expensive. In addition, large companies typically have to go for the more advanced cloud-subscription plans and packages – given the sheer volume of ‘mission-critical’ data that has to be stored on the network. Unless an organization makes sure that the storage and protection benefits from a cloud service provider are commensurate with the subscription prices – there can be quite a lot of unnecessary expenditure.
Note: By May 2018, around 80% of the total IT budgets of large organizations will be used up on cloud services.
7. Privacy can be compromised
And in a big way. When a business starts using a cloud platform for storing critical data (in a public cloud) – it effectively allows shared access of processors, storage units, memory, namespaces and other things. That, in turn, opens up the possibility of third-party agents getting access to other people’s data (accidentally or otherwise). An apparently minor bug in the cloud platform can allow attackers (powered with the access to the data owners’ resources) to steal/manipulate data, and even assume the digital identity of others (i.e., identity theft). In what should be a new and empty storage network, users might find the records of other customers – which is far from an ideal scenario. Before subscribing to a cloud storage plan, there should be a service level agreement, or SLA, clearly stating the ways in which the vendor would protect the privacy of its users.
8. The risk of downtimes
The leading cloud vendors all promise ‘round-the-clock’ availability. That, however, is nearly never practically possible – since some maintenance downtimes (an hour every day?) are definitely required. Since cloud technology is entirely web enabled, the chances of internet outages/bandwidth interruptions cannot be ruled out either. Businesses also have to factor in the occasional connectivity problems in their own IT systems – which will have a ‘trickle down’ effect on the cloud resources. These downtimes, if they happen during business hours, can lead to significant loss of value for companies. Even in the best-case scenario, around 15-17 days in a year can be lost due to connectivity problems, and the resultant unavailability of cloud services.
Note: To be fair, most cloud vendors make a conscious attempt to schedule maintenance downtimes at odd hours.
9. Probable legal and/or compliance breaches
When a company makes the switch to a cloud platform, it gives permission to the vendor for storing critical business data in multiple data centers. These data centers might be present at different locations, and even in different countries. That, in turn, brings the importance of the varying data regulation policies in different countries in focus. Once more, it is the responsibility of the client company to find out ‘where’ its data will be stored, ‘how’ the database will be maintained, and ‘who’ will be able to access it. In the absence of this information, a data compliance breach on a cloud platform might put the ‘owner’ company in a legal soup – with the service provider avoiding all blame.
Note: Data security and privacy policies differ across regions. Companies have to keep track of such changes, and monitor how such locational differences might pose a problem.
10. Need for record retention
Conformity with record retention agreements (if any) is also often overlooked. The vendors should know: a) the meaning of record retention, and b) the time-span for which each data-record should be stored/retained. It can also happen that a cloud vendor simply winds up its business at any point in time. In such scenarios, its client companies should be able to get back all their critical data – without any transfer or sharing with other, unauthorized agents. The same provisions should be present at times of termination of contract between a company and its cloud service partner.
11. Lack of constant monitoring
The tendency of handing over key data to the cloud platform and resting easy after that can be fatal. Many companies also do not have the setup to perform regular monitoring of the cloud services network. As a result, data breaches, connectivity interruptions (potentially affecting business continuity) and other operational glitches can remain undetected – leading to serious complications later on. Business owners would do well to remember that starting to use cloud services does not represent a complete transfer of responsibility – and having a reliable, end-to-end cloud data monitoring system can be very useful.
12. Skill shortage
As the demand for secure cloud computing for businesses is increasing, the need for qualified, experienced cybersecurity professionals is coming into focus. That’s precisely where the problem of skill shortage is also becoming prominent. A recent study revealed that close to 47% of organizations are facing such problems at present. Interestingly, 55% of the respondents also opined that the lack of adequate skilled personnel is putting additional pressure on existing teams – increasing chances of ‘early burnout’. Over the last 2-3 years, the cybersecurity skills shortage has persisted at fairly steady levels. Lack of skilled professionals is also preventing many startups or small businesses from making full use of cloud networks.
Faulty system performance, inability to troubleshoot problems on a real-time basis (due to lack of monitoring), suspicions over the business viability of the service providers and unintentional data leakages also feature among the prime risks generally associated with cloud computing. While our analysis might paint a grave picture at first, the good thing is – most of these risks are manageable, and can be mitigated with due care on the part of businesses and the cloud vendors. As cloud technologies become more advanced and users learn to use them better – most of the above risks might very well cease to matter.