Users of a multi-cloud storage strategy may be twice aslikely to face a security breach as those that use hybrid or singleclouds, suggests a report UK-based security specialist Nominet released this week.
Fifty-two percent of survey respondents whoadopted a multi-cloud approach suffered a data breach over the past 12months, compared to 24 percent of hybrid cloud users, and 24 percent ofsingle-cloud users, the firm found after polling nearly 300 C-Level executives and ITprofessionals.
Moreover, companies that embraced a multi-cloud approach were morelikely to have suffered a larger number of breaches, the survey found. Sixty-nine percent of multi-cloud users suffered between 11 and 30 breaches, compared to 19 percent of single-cloud and 13 percent of hybrid-cloud users.
Such numbers aren’t likely to instill confidence in cloud users whoalready may have had serious reservations about the security of off-site storage. Seventy-one percent of users polled were either moderately, very or extremely concerned about malicious activity in a cloud-based storage solution, the Nominet survey found.
Those in heavily regulated industries expressed concerns about the security provided by cloud vendors. Healthcare providers topped the list at55 percent; 47 of respondents who had doubts about the cloudwere in financial services, and 46 percent were in the pharmaceuticalsector.
A factor for some international users is that GDPR has increased potential penalties. Fifty-six percent of respondents cited fines for data leaks as a big concern. Respondents also noted the increasing sophistication of cybercriminals as a concern.
Why a Multi-Cloud Strategy?
The main goal of a multi-cloud approach to storage — sometimes knownas a “polynimbus cloud strategy” — is to eliminate reliance on asingle cloud vendor. It differs from the hybrid cloud approach asit uses multiple cloud services as opposed to multiple deploymentmodes.
A multi-cloud approach doesn’t require synchronizationamong vendors. Businesses instead can use different cloudproviders for storage or hosting of infrastructure (Infrastructure asa Service, or IaaS), platform (Platform as a Service, or PaaS) andsoftware (Software as a Service, or SaaS).
“The devil is of course always in the details, so in theory someonecould get just the right architecture, interfaces, tools and practicesto enable a multi-cloud organization to operate efficiently and securely,” said Jim Purtilo, professor of computer science at the University of Maryland.
“And also in theory, penguins could fly,” he added.
“In the real world that I live in, however, the complexity of systemsobscures many nuanced features that no human looks at until somethingmalfunctions,” Purtilo told TechNewsWorld.
“Our sweeping technical decisions have unintended consequences — someof which introduce defects and open vulnerabilities that our opponentsnotice before we do,” he added. “The more clouds you wish tointegrate, the more organizational fault lines you introduce — and thegreater is your risk that some of those defects and vulnerabilitiesbecome an attack surface.”
Eggs in Multiple Baskets
A solution that spreads out the data could be akin todistributing one’s eggs. It may seem wiserthan taking the proverbial risk of “putting all your eggs in one basket.” However,it actually could mean exposing some data to greater risk.
“That is an apt way of looking at it,” said Stuart Reed, vicepresident at Nominet, the firm that conducted the survey.
“Invariably from a multi-cloud, or really any cloud-based solution,you are increasing the perimeters that can be hacked,” he toldTechNewsWorld.
“You are relinquishing control and increasing the touchpoints, sothat the access to the data is wider,” Reed added. “Data is valuableto someone, and that is true wherever the data is located.”
Simply put, one result is that malicious actors have more targets. While thismight mean that all the metaphorical eggs aren’t at risk, the danger of some being at risk could be greater.
“As a design principle, I would not wish to drive up the complexity ofmy architecture by trying to accommodate diverse services that areoutside my own digital perimeter,” noted UMD’s Purtilo.
“Complexity is also the overall cost driver, so when you add clouds,you multiply the overhead, if for no other reason than the ultimateclients lose some of the economy of your scale,” he suggested.”It is great for the vendors who can point a finger at the other guyswhen something on an organizational boundary inevitably breaks, but Ibet clients would prefer a lean operation.”
Trust in the Cloud
The key to the success of the cloud may depend not only on improvedsecurity, but also on a proactive approach from those utilizing the cloud,as well as cloud vendors.
“Trust is part of the relationship, and this extends to the cloud,”said Nominet’s Reed.
“When you use the cloud to store your data, you are alwaysrelinquishing part of that trust, so you have to have the same levelof diligence in protecting your data that you would whether you areworking with a third party or hosting it yourself,” he added.
To that end, the security provided by a cloud vendor should be matchedagainst any model that you’d have in your own facility, Reed explained.
“Security also needs to scale with any digital initiatives — andsecurity should be an enabler in this process instead of simply thecost of doing business,” he noted. “Here is where that diligence iscrucial; you have to make sure that the cloud vendor’s securitymatches expectations. How is the data going to be processed?”
There Will Be Breaches
It isn’t a matter of whether a cloudwill be breached but how often breaches occur, according to Nominet. The verynature of the cloud is that it can be accessed remotely, which makes itan ideal target for hackers.
More importantly, it functions much like a bank — but instead of containing money, it contains something potentially more valuable — namely, data.
For these reasons, when adopting a multi-cloud solution it isimportant to understand how one set of compromised data could putother clouds in danger. A compromised IaaS, for example, could make iteasier for a hacker to access related PaaS or even SaaS data.
“Data isn’t just dollar bills that can be stolen — it can beinformation that is copied and shared,” warned Reed.
“Protecting this involves more than physical securitythat a bank would have. It also requires a different type ofreaction,” he explained.
“It is important to have an instant reaction plan in place, which canmitigate a breach as soon as it has occurred,” said Reed.
That could be the biggest reason that for many companies a multi-cloudapproach may not be ideal — it creates many moving pieces. Eachcloud’s security depends on the others. Complexity does increase the security, but it could make the system more vulnerable to hackers.
“By the time you consider the scale of applications which might demand’multi-cloud’ integration, you should be living by the motto, ‘Simpleis good,'” said Purtilo. “We have yet to see successful projects atscale done any other way.”