Story image

Year of the cloud

01 Jan 11

During the course of 2010, most people would have heard the term ‘Cloud Computing’ at one stage or another. Some of us have a clear understanding of what this term means, whereas others are still grappling with this meteorological metaphor which refers to a class of technology destined to change lives forever.
Perhaps that last sentence was laying it on a little thick, but there is no doubt that benefits exist if you look for them. Below is a brief summary of the pertinent ‘cloud’ concepts before we delve into some of the security concerns still inherent when engaging with this technology paradigm. In ‘Cloud Computing’, users rely on another party to provide access to remote machines and software, whose whereabouts are neither known nor controllable by the user.
Cloud Storage – is the scenario where a business stores and retrieves data from a data storage facility via the internet.
Software as a Service (SaaS) – is the scenario where applications are run on a SaaS provider’s system and accessed by a customer, usually through a web browser.
Cloud Infrastructure/Platform – is the scenario where the provider operates the whole computing platform or operating system for the customer which is accessed via the internet. Applications can then be run on the cloud platform/operating system in conjunction with utilising cloud storage.
Although this technology provides great opportunities to introduce efficiencies and reduce costs, its success has always been hampered by lingering security concerns. The three issues most often raised by SMEs include concerns around data protection, data location and access to data.
Whenever data protection is raised as a concern, cloud vendors will refer SMEs to the service level agreements (SLAs) and provide assurance that best practices are being adhered to. The real test of a vendor’s confidence, however, is their willingness to take responsibility for any losses experienced by the SME as a result of a breach.
The location of your data is a valid concern due to the fact that cloud vendors often outsource data storage or use distributed, global data centres. How comfortable can a user be that they are complying with the data protection laws in their own country and the country where the data resides?
Who has access to your data? How does the cloud application handle user account creation, deletion and management? How does it manage the access and permissions granted to user accounts? These are valid concerns, as cloud services place a surfeit of valuable data from thousands of users in a single place, and access controls should be stringently applied. The level of rigour afforded to check employment history and individual integrity may result in your data being accessed by less-than-savoury individuals who do not have an allegiance to your organisation’s well-being. Any privacy discussion related to cloud computing acknowledges that most forms of cloud computing are in their infancy, and that immature technological structures are the order of the day.
Whether an SME outsources basic data storage services or utilises the entire platform offering, the consequences of a breach cannot be outsourced and therefore the responsibility for securing the data in question remains an obligation the SME has to address. Businesses interested in utilising cloud computing products must ensure they are aware of the privacy and security risks associated with using the product and take those risks into account when deciding whether to use it, especially if other individuals’ personal information is contained within the data. These security concerns are, however, no different from those that businesses have been facing for many years. The only change is in the delivery model of the services. It’s arguable that if a business takes its security seriously, the data may be just as safe in the cloud as if it were handled in-house; possibly more secure. The difference, however, is in the level of control that a business can exert to guarantee that security is maintained.
So if the migration of services to the cloud is a topic of conversation in your business, ensure that the requisite due diligence is performed, levels of service and assurance are defined, expectations clarified, and that security measures appropriate for your data are presented in a transparent manner throughout the vendor-client interaction. Ask to see software development procedures and policies, security testing policies, vulnerability disclosure policies and update schedules.
Hopefully this year’s mantra will be "2011 – Year of the Secure Cloud”. 

52mil users affected by Google+’s second data breach
Google+ APIs will be shut down within the next 90 days, and the consumer platform will be disabled in April 2019 instead of August 2019 as originally planned.
GirlBoss wins 2018 YES Emerging Alumni of the Year Award
The people have spoken – GirlBoss CEO and founder Alexia Hilbertidou has been crowned this year’s Young Enterprise Scheme (YES) Emerging Alumni of the Year.
SingleSource scores R&D grant to explore digital identity over blockchain
Callaghan Innovation has awarded a $318,000 R&D grant to Auckland-based firm SingleSource, a company that applies risk scoring to digital identity.
IDC: Standalone VR headset shipments grow 428.6% in 3Q18
The VR headset market returned to growth in 3Q18 after four consecutive quarters of decline and now makes up 97% of the combined market.
Spark Lab launches free cybersecurity tool for SMBs
Spark Lab has launched a new tool that it hopes will help New Zealand’s small businesses understand their cybersecurity risks.
Preparing for the future of work – growing big ideas from small spaces
We’ve all seen it: our offices are changing from the traditional four walls - to no walls. A need to reduce real estate costs is a key driver, as is enabling a more diverse and agile workforce.
Bluetooth-enabled traps could spell the end for NZ's pests
A Wellington conservation tech company has come up with a way of using Bluetooth to help capture pests like rats and stoats.
CERT NZ highlights rise of unauthorised access incidents
“In one case, the attacker gained access and tracked the business’s emails for at least six months. They gathered extensive knowledge of the business’s billing cycles."