Users of a multi-cloud storage strategy may be twice as
likely to face a security breach as those that use hybrid or single
clouds, suggests a report UK-based security specialist
Nominet released this week.
Fifty-two percent of survey respondents who
adopted a multi-cloud approach suffered a data breach over the past 12
months, compared to 24 percent of hybrid cloud users, and 24 percent of
single-cloud users, the firm found after polling nearly 300 C-Level executives and IT
professionals.
Moreover, companies that embraced a multi-cloud approach were more
likely to have suffered a larger number of breaches, the survey found. Sixty-nine percent of multi-cloud users suffered between 11 and 30 breaches, compared to 19 percent of single-cloud and 13 percent of hybrid-cloud users.
Such numbers aren’t likely to instill confidence in cloud users who
already may have had serious reservations about the security of off-site storage. Seventy-one percent of users polled were either moderately, very or extremely concerned about malicious activity in a cloud-based storage solution, the Nominet survey found.
Those in heavily regulated industries expressed concerns about the security provided by cloud vendors. Healthcare providers topped the list at
55 percent; 47 of respondents who had doubts about the cloud
were in financial services, and 46 percent were in the pharmaceutical
sector.
A factor for some international users is that GDPR has increased potential penalties. Fifty-six percent of respondents cited fines for data leaks as a big concern. Respondents also noted the increasing sophistication of cybercriminals as a concern.
Why a Multi-Cloud Strategy?
The main goal of a multi-cloud approach to storage — sometimes known
as a “polynimbus cloud strategy” — is to eliminate reliance on a
single cloud vendor. It differs from the hybrid cloud approach as
it uses multiple cloud services as opposed to multiple deployment
modes.
A multi-cloud approach doesn’t require synchronization
among vendors. Businesses instead can use different cloud
providers for storage or hosting of infrastructure (Infrastructure as
a Service, or IaaS), platform (Platform as a Service, or PaaS) and
software (Software as a Service, or SaaS).
“The devil is of course always in the details, so in theory someone
could get just the right architecture, interfaces, tools and practices
to enable a multi-cloud organization to operate efficiently and securely,” said Jim Purtilo, professor of computer science at the
University of Maryland.
“And also in theory, penguins could fly,” he added.
“In the real world that I live in, however, the complexity of systems
obscures many nuanced features that no human looks at until something
malfunctions,” Purtilo told TechNewsWorld.
“Our sweeping technical decisions have unintended consequences — some
of which introduce defects and open vulnerabilities that our opponents
notice before we do,” he added. “The more clouds you wish to
integrate, the more organizational fault lines you introduce — and the
greater is your risk that some of those defects and vulnerabilities
become an attack surface.”
Eggs in Multiple Baskets
A solution that spreads out the data could be akin to
distributing one’s eggs. It may seem wiser
than taking the proverbial risk of “putting all your eggs in one basket.” However,
it actually could mean exposing some data to greater risk.
“That is an apt way of looking at it,” said Stuart Reed, vice
president at Nominet, the firm that conducted the survey.
“Invariably from a multi-cloud, or really any cloud-based solution,
you are increasing the perimeters that can be hacked,” he told
TechNewsWorld.
“You are relinquishing control and increasing the touchpoints, so
that the access to the data is wider,” Reed added. “Data is valuable
to someone, and that is true wherever the data is located.”
Simply put, one result is that malicious actors have more targets. While this
might mean that all the metaphorical eggs aren’t at risk, the danger of some being at risk could be greater.
“As a design principle, I would not wish to drive up the complexity of
my architecture by trying to accommodate diverse services that are
outside my own digital perimeter,” noted UMD’s Purtilo.
“Complexity is also the overall cost driver, so when you add clouds,
you multiply the overhead, if for no other reason than the ultimate
clients lose some of the economy of your scale,” he suggested.
“It is great for the vendors who can point a finger at the other guys
when something on an organizational boundary inevitably breaks, but I
bet clients would prefer a lean operation.”
Trust in the Cloud
The key to the success of the cloud may depend not only on improved
security, but also on a proactive approach from those utilizing the cloud,
as well as cloud vendors.
“Trust is part of the relationship, and this extends to the cloud,”
said Nominet’s Reed.
“When you use the cloud to store your data, you are always
relinquishing part of that trust, so you have to have the same level
of diligence in protecting your data that you would whether you are
working with a third party or hosting it yourself,” he added.
To that end, the security provided by a cloud vendor should be matched
against any model that you’d have in your own facility, Reed explained.
“Security also needs to scale with any digital initiatives — and
security should be an enabler in this process instead of simply the
cost of doing business,” he noted. “Here is where that diligence is
crucial; you have to make sure that the cloud vendor’s security
matches expectations. How is the data going to be processed?”
There Will Be Breaches
It isn’t a matter of whether a cloud
will be breached but how often breaches occur, according to Nominet. The very
nature of the cloud is that it can be accessed remotely, which makes it
an ideal target for hackers.
More importantly, it functions much like a bank — but instead of containing money, it contains something potentially more valuable — namely, data.
For these reasons, when adopting a multi-cloud solution it is
important to understand how one set of compromised data could put
other clouds in danger. A compromised IaaS, for example, could make it
easier for a hacker to access related PaaS or even SaaS data.
“Data isn’t just dollar bills that can be stolen — it can be
information that is copied and shared,” warned Reed.
“Protecting this involves more than physical security
that a bank would have. It also requires a different type of
reaction,” he explained.
“It is important to have an instant reaction plan in place, which can
mitigate a breach as soon as it has occurred,” said Reed.
That could be the biggest reason that for many companies a multi-cloud
approach may not be ideal — it creates many moving pieces. Each
cloud’s security depends on the others. Complexity does increase the security, but it could make the system more vulnerable to hackers.
“By the time you consider the scale of applications which might demand
‘multi-cloud’ integration, you should be living by the motto, ‘Simple
is good,'” said Purtilo. “We have yet to see successful projects at
scale done any other way.”
Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.
Email Peter.