Cloud providers show 'little thought' for security says forensic expert
Onus for improvement on customers, not providers, he adds
Many users of cloud data services are entirely unaware of inherent security risks, and security can only improve if customers pressure providers to deliver it, Frank Coggrave, VP of sales, EMEA & APAC at Guidance Software, has told Computing.
The company, which 18 months ago assisted Sony in clearing up its widely publicised and reputation-damaging PlayStation 3 server hack, sees a distinct lack of security provision in many cloud providers' commercial offerings.
Coggrave believes security provision in cloud companies falls into two categories.
"Some of these providers are providing applications, so for example Salesforce is a cloud application," said Coggrave.
"A lot of these are quite well-structured and have a lot of inherent security in them. However, in a lot of the cloud services where you're just basically renting a bit of logical disk space, I think there's more questions you have to ask about the providence of those people."
Storage is now so cheap, especially when consolidated, argued Coggrave, that companies are building a business model on simply providing as much low-cost - or even free - storage as possible to as many customers as possible, with little thought for security.
"The likes of Evernote and Toodledo are all saying 'Hey, without paying for it, have 2GB of disk space'," said Coggrave. "And they're offering that at such a cheap rate because they have the economies of scale that the more customers they get, the cheaper discounts they get from the disk suppliers, the bigger disks they can get. Those things mean they want to drive people to put more data out there."
Coggrave's fear, therefore, is that customers who lean towards the cheaper end of cloud solutions can leave themselves open to all kinds of legal problems.
"Customers are making cloud decisions for cost-saving reasons, which is very relevant due to current financial constraints," he said.
"But what they have to ask is, 'Am I thinking of the ramifications of that decision when something goes wrong? What happens when I have to do an investigation that includes that cloud service? Do I have the legal capability of investigating the cloud service provider's machines as well as my own machines? Who owns that data when it goes on the cloud?' We're starting to see these problems coming about."
The bottom line, said Coggrave, is that cloud providers are no more obliged to provide security for clients, beyond what is specifically set out in the contract, than any real-world bank.
"Cloud computing is no different to saying 'I'll just put all my jewels in a big centralised bank'," said Coggrave. "The challenge with that is when you host your own data you can put your own controls and management on it. But when you give it to the bank - a cloud provider - they've got better facilities, so if someone breaks in, the riches are so much greater for them. So that's what [hackers] want to do."
Coggrave stated that, for these reasons, the onus is on the customer to check and, if necessary, insist upon more defined contracts in terms of security.
"It's about making sure that people explore how they're going to do it, and that the contract you have has the provisions in it so that, for example, if one of your providers' other customers gets a breach, will your provider tell you about it?" said Coggrave.
In addition, Coggrave warned that employees within cloud organisations should also be properly screened and checked. "Around eight per cent of breaches are inside jobs, whether they're a result of accidents or social engineering," explained Coggrave.
Coggrave believes that greater security on cloud would be a win/win situation for both customers and providers if properly implemented. Sticking with the jewel metaphor, he told Computing:
"One of the big advantages of cloud from a security perspective is, if you've got 100 organisations and they're all trying to defend their jewels, that's 100 different safes you've got to build; 100 different environments to protect things," said Coggrave.
"It's always buyer beware," concluded Coggrave. "There's no legal obligation on a bank to look after your stuff. They could put your jewels in a bin in my back garden, but that's your own fault. So when you're going into a cloud environment, make sure you investigate all aspects, not just the cost.
"Customers need to ask companies how they make sure data's secure, and what kind of checks they do on people within their own organisation.