Costin Raiu

Is data in the cloud as vulnerable as the industry seems to think?

Although cloud computing has had a significant impact on information security in general, it is unfair to assume data stored in the cloud is inherently insecure.

According to Costin Raiu, global research and analysis team director at Kaspersky Lab" rel=tag>Kaspersky Lab, very often, when it comes to cloud technologies, the major concern of many businesses is whether it is more dangerous or not to store data in the cloud or on a physical server. “Just because information is hosted on a company’s own servers does not mean it is better protected than if it was stored in the cloud. Despite all the obvious risks, it shouldn’t be presumed that data that ends up in the cloud suddenly becomes accessible to someone else. It is not uncommon for data stored in the cloud to be protected better than if it were stored inside a company.”

That said, the emergence of cloud computing has had an undeniable impact on data security - although not necessarily more so than it has on any other area of IT.

“Essentially, everything and everyone is connected in a digital world that’s only about 20 years old and growing at such a rapid rate, making it increasingly difficult for our human minds to understand sufficiently how to secure our assets from threats,” says Clive Brindley, HP’s country manager. “Nothing connected is safe! Cloud shifts an entity such as a user, device or information asset, which previously had a geographic location, into a virtual location somewhere into the fussiness of the Internet.”

Phillip Gerber, MD of Magix Security explains, “The arrival of ‘the cloud’ and ever-increasing consumerisation of IT has provided end-users the ability to drive technologies that are neither understood nor managed by their internal IT staff, immediately increasing the complexity and associated risk.”

According to Simon Campbell-Young" rel=tag>Simon Campbell-Young, CEO of Phoenix Software, if you are visible on the Web, then you are potentially scammable. “The greatest risk to corporate networks at the moment comes from malware infections distributed via social networks,” he says. “The behaviour of people using social media is like their behaviour using e-mail 10 years ago. With e-mail, we’ve learned to never click on anything. But inside social media, people click on every tiny URL because they trust the sender. That’s why botnets that were successfully rebuffed five years ago are now coming back via social media.”

INEVITABLE CHANGE

As Raiu states, “It is not a case of traditional security solutions not being sufficient anymore, but rather the fact that the security needs of a business have changed and as such, a business must invest in solutions that meet their particular security needs, especially when we consider trends such as cloud, virtualisation and mobility – a traditional security solution has not been developed with such trends in mind.”

Furthermore, he adds, cyber criminal activity remains rife globally; where Kaspersky Lab is seeing 125 000 unique malware samples appear per day.

Campbell-Young says modern malware has become so pervasive and so adept at hiding within corporate networks, that according to a Computer Security Institute survey, four out of 10 organisations experienced an incident such as a malware infection, botnet, or targeted attack in 2011 - and another 10% didn’t know if their networks had been breached. According to Juniper Networks, he says, over six million unique malware samples were identified in the first quarter of 2011, a 26% increase from Q1 of 2010 and far exceeding any first quarter in malware history.

“And to make matters worse, malware is not the only risk factor on social networks. Nearly one out of four organisations in the US has lost sensitive data when employees spilled the beans online – and South Africa is following hot on America’s heels.”

Bruce Goodwill, sales director of EMEA, LATAM and Australia for AVG, ascertains, “Malware forms aren’t changing much, but the means of delivering it, and its intent, is becoming more stealthy and sinister. The malware itself has little need to change because the underlying platforms are still the same, but the cyber criminals that are responsible for these infections are going to be using new vulnerabilities to blast their way in and do the damage they’re designing it to do.”

He advises businesses of all sizes should treat online security the same way they treat corporate governance and brand protection - and to make it a boardroom issue. “This is not just a technology debate,” he stresses. Brindley believes it is best to incorporate the security strategy into the business strategy from day zero in order to effectively defend it against loss - whether it be loss of revenue, litigation, intellectual property, customer data or reputation.

“A smart approach is to start with the assumption your network has already been compromised and design security around that,” Campbell-Young concludes.