Users of a multi-cloud storage strategy may be twice as likely to face a security breach as those that use hybrid or single clouds, suggests a report by UK-based security specialist Nominet released this week.
Fifty-two percent of survey respondents who adopted a multi-cloud approach suffered a data breach over the past 12 months, compared to 24 percent of hybrid cloud users and 24 percent of single-cloud users, the firm found after polling nearly 300 C-Level executives and IT professionals.
Moreover, companies that embraced a multi-cloud approach were more likely to have suffered a larger number of breaches, the survey found. Sixty-nine percent of multi-cloud users suffered between 11 and 30 breaches, compared to 19 percent of single-cloud and 13 percent of hybrid-cloud users.
Such numbers aren’t likely to instill confidence in cloud users who already may have had serious reservations about the security of off-site storage. Seventy-one percent of users polled were either moderately, very, or extremely concerned about malicious activity in a cloud-based storage solution, the Nominet survey found.
Those in heavily regulated industries expressed concerns about the security provided by cloud vendors. Health care providers topped the list at 55 percent; 47 percent of respondents who had doubts about the cloud were in financial services, and 46 percent were in the pharmaceutical sector.
A factor for some international users is that GDPR has increased potential penalties. Fifty-six percent of respondents cited fines for data leaks as a big concern. Respondents also noted the increasing sophistication of cybercriminals as a concern.
Why a Multi-Cloud Strategy?
The main goal of a multi-cloud approach to storage — sometimes known as a “polynimbus cloud strategy” — is to eliminate reliance on a single cloud vendor. It differs from the hybrid cloud approach as it uses multiple cloud services as opposed to multiple deployment modes.
A multi-cloud approach doesn’t require synchronization among vendors. Businesses instead can use different cloud providers for storage or hosting of infrastructure (Infrastructure as a Service, or IaaS), platform (Platform as a Service, or PaaS), and software (Software as a Service, or SaaS).
“The devil is, of course, always in the details, so in theory, someone could get just the right architecture, interfaces, tools, and practices to enable a multi-cloud organization to operate efficiently and securely,” said Jim Purtilo, professor of computer science at the University of Maryland.
“And also, in theory, penguins could fly,” he added.
“In the real world that I live in, however, the complexity of systems obscures many nuanced features that no human looks at until something malfunctions,” Purtilo told TechNewsWorld.
“Our sweeping technical decisions have unintended consequences — some of which introduce defects and open vulnerabilities that our opponents notice before we do,” he added. “The more clouds you wish to integrate, the more organizational fault lines you introduce — and the greater is your risk that some of those defects and vulnerabilities become an attack surface.”
Eggs in Multiple Baskets
A solution that spreads out the data could be akin to distributing one’s eggs. It may seem wiser than taking the proverbial risk of “putting all your eggs in one basket.” However, it actually could mean exposing some data to greater risk.
“That is an apt way of looking at it,” said Stuart Reed, vice president at Nominet, the firm that conducted the survey.
“Invariably from a multi-cloud, or really any cloud-based solution, you are increasing the perimeters that can be hacked,” he told TechNewsWorld.
“You are relinquishing control and increasing the touchpoints so that the access to the data is wider,” Reed added. “Data is valuable to someone, and that is true wherever the data is located.”
Simply put, one result is that malicious actors have more targets. While this might mean that all the metaphorical eggs aren’t at risk, the danger of some being at risk could be greater.
“As a design principle, I would not wish to drive up the complexity of my architecture by trying to accommodate diverse services that are outside my own digital perimeter,” noted UMD’s Purtilo.
“Complexity is also the overall cost driver, so when you add clouds, you multiply the overhead, if for no other reason than the ultimate clients lose some of the economy of your scale,” he suggested. “It is great for the vendors who can point a finger at the other guys when something on an organizational boundary inevitably breaks, but I bet clients would prefer a lean operation.”
Trust in the Cloud
The key to the success of the cloud may depend not only on improved security but also on a proactive approach from those utilizing the cloud, as well as cloud vendors.
“Trust is part of the relationship, and this extends to the cloud,” said Nominet’s Reed.
“When you use the cloud to store your data, you are always relinquishing part of that trust, so you have to have the same level of diligence in protecting the data that you would whether you are working with a third party or hosting it yourself,” he added.
To that end, the security provided by a cloud vendor should be matched against any model that you’d have in your own facility, Reed explained.
“Security also needs to scale with any digital initiatives — and security should be an enabler in this process instead of simply the cost of doing business,” he noted. “Here is where that diligence is crucial; you have to make sure that the cloud vendor’s security matches expectations. How is the data going to be processed?”
There Will Be Breaches
It isn’t a matter of whether a cloud will be breached but how often breaches occur, according to Nominet. The very nature of the cloud is that it can be accessed remotely, which makes it an ideal target for hackers.
More importantly, it functions much like a bank — but instead of containing money, it contains something potentially more valuable — namely, data.
For these reasons, when adopting a multi-cloud solution, it is important to understand how one set of compromised data could put other clouds in danger. A compromised IaaS, for example, could make it easier for a hacker to access related PaaS or even SaaS data.
“Data isn’t just dollar bills that can be stolen — it can be information that is copied and shared,” warned Reed.
“Protecting this involves more than physical security that a bank would have. It also requires a different type of reaction,” he explained.
“It is important to have an instant reaction plan in place, which can mitigate a breach as soon as it has occurred,” said Reed.
That could be the biggest reason that, for many companies, a multi-cloud approach may not be ideal — it creates many moving pieces. Each cloud’s security depends on the others. Complexity does increase security, but it could make the system more vulnerable to hackers.
“By the time you consider the scale of applications which might demand multi-cloud integration, you should be living by the motto, ‘Simple is good,’” said Purtilo. “We have yet to see successful projects at scale done any other way.”