However, the cloud can be confusing and surrounded by myths and misinformation. With this in mind, we take a closer look at some of those common misconceptions, specifically in the context of using the cloud to host websites, email services and online file storage.
1. Distrusting the security of the cloud
An age-old concern with cloud services is that security is poor compared to businesses that handle their own hardware. However, this misses the point. Few small businesses can even afford to set up their own IT department, much less hire dedicated security staffers with the skillset and experience to properly protect their organizations from the bad guys.
Cloud businesses have every incentive to not only defend their infrastructure against hackers, but have more resources to monitor for breaches and to handle any intrusion that occur. Because the cloud is about economies of scale, this is also achieved at a price point that is cheaper than similar arrangements such as an on-premises deployment handled under a managed services contract.
The superior security of the cloud is most apparent with large cloud-based services such as Gmail and Office 365, which runs on infrastructures maintained by Google and Microsoft, respectively. Certainly, small businesses are freed from the need to constantly monitor new security patches or updates, and from having to schedule service downtimes to install them.
No organization can claim to be immune from security threats. This includes specialized password management companies,billion-dollar security firms or even the National Security Agency (NSA). However, a large cloud provider is far more equipped in terms of both the will and the means to protect their digital turf.
Organizations working within certain regulated verticals will, of course, need to adhere to compliance regulations, regardless of their size. Yet a clear distinction between the types of data exists even in such situations, allowing businesses to host their websites, for example, on a cloud platform while their email and file storage is deployed on-premises or in a private cloud.
2. Misunderstanding encryption
An overemphasis on encryption by marketers has led to confusion about the role of encryption. To be clear, encryption is typically applied either to data in transition or data at rest. The former is easy to understand, as technologies such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are used to protect data against snooping as it travels between two points on the Internet.
Protecting data at rest, however, entails encrypting data that is written onto a storage drive. Similar to how encryption protects an organization from data leaks stemming from a stolen laptop, this ensures that data cannot be read by an intruder who successfully makes away with a storage drive. Obviously, this is of limited utility for cloud service providers, considering that their servers are already housed within data center installations with a high level of physical security.
On the flip side, the cloud service provider must hold the decryption key in software, unlike a laptop which has a hardware chip (Trusted Platform Module) designed specifically to protect it. In theory, this means that a hacker who has successfully gained unauthorized access to the cloud service could conceivably acquire the decryption key and gain access to your encrypted data. It is hence important to understand that data encrypted at rest in the cloud is a world of difference from encrypting the data on a TPM-enabled laptop.
To enhance their security, some Web services make it a point to not hold the decryption key. For example, both Chrome and Firefox browsers use a scheme in which data is encrypted with a key derived from the user password before upload to the cloud. Moreover, cloud storage services such as SpiderOak have architected its service so that the decryption key is accessible only to the account owners.
With practically every Web service touting its encryption capabilities as evidence of its robust security, it pays to understand how encryption is implemented in order to make an informed assessment. As a general guideline, cloud services that allow you to edit your files from the Web browser are in all likelihood unencrypted when at rest or encrypted with a key that is held by the cloud service.
3. Considering the cloud to be infallible
Despite the advantages it offers, there’s no myth more dangerous about the cloud than its infallibility. Cloud service providers go to great lengths to put multiple levels of redundancies in place and to ensure that all data are adequately backed up. Unfortunately, even the most brilliant engineers can make mistakes, which is compounded by the sheer complexity of the cloud environment and the fact that cloud services are expected to be perpetually “live.”
Even Google has experienced at least one outage where multiple copies of data was corrupted, forcing it to turn to tape backups to recover data for some affected users. As it is, the batch nature of tape backups makes it highly plausible that some of these affected users could have experienced some amount of lost data – but they may not have realized it.
Technical issues aside, hacking and financial insolvency are probably the next two top reasons why cloud services fail. As we reported last year, a promising cloud service was abruptly put out of service after hackers gained access to their Amazon Web Services (AWS) EC2 control panel used to power their service.
In what appears to be an extortion attempt gone awry, critical data backup repositories and their backups were deleted as the hacker retaliated when the rightful owner attempted to regain control of the account. Unfortunately, the lack of off-site backups meant that irreplaceable data and systems could not be recovered, and resulted in the cloud service being shuttered.
Separately, financial insolvency has closed more than one cloud service, and these typically occur on very short notice. There are two lessons to be learned here: Avoid relying on a single cloud platform; and perform regular offsite or offline backups of your data.
Fortunately, the maturity of the cloud today has opened the door to more backup options, allowing for backups to a PC, storage appliance or even to another cloud location. For one, software clients that connect to cloud storage services such as Amazon S3, Microsoft Azure and Google Cloud for easy download onto a PC for offline safekeeping.
For those who prefer automated downloads, Network Attached Storage (NAS) makers such as Synology have offer support for a variety of cloud storage services. Finally, cloud-to-cloud backups are also possible with a service such as cloudHQ, a cloud service capable of synchronizing data between multiple cloud services in real-time.