Cloud computing is no longer just an empty buzzword. Almost every enterprise is already running or piloting a cloud solution of some kind. The ubiquitous Google Drive has altered the perception of the internet as a wild and dangerous place to store data. However, the question is, has the internet altered itself? Hmm, probably not. So before one starts to set up a cloud computing solution, it is necessary to understand the security concerns that accompany this kind of system and, more importantly, how they can be addressed.
Let’s say our company wants to use a cloud email service. We choose a provider and an address where we can log in and start to work. But how safe is such a service? Let’s put on our black hat and see what we can leverage to get into your mailbox ;)
If the server which you rent in the cloud infrastructure is public, it means that anyone can connect to it. Guys with black hats write so-called “bots” - programmes which try randomly or by a predefined pattern to connect to public servers - to do just this. So if a server is public, it will be attacked. In my experience the average time between two such visits is in the order of minutes.
What does such a bot do? It has a long list of the known vulnerabilities and bugs of multiple applications, databases and operating systems, and it tests each one of them, one by one, to see if your administrator has kept up to date with the patching and all of the known holes have been closed. Sometimes it takes a vendor months to distribute a patch…
As of 19th October 2014, the total number of known security vulnerabilities that can be used to hack a system was 67k, with 27k of them critical, i.e. a successful attacker would gain complete control of the system. (source)
So what should we check when starting a cloud solution?
If you are security conscious, then you should require that only you and your employees can connect to the server from your network. This is done using a technique called a virtual private network (VPN). The cloud server is isolated from the rest of the internet and only you can connect to it. If you use proper encryption techniques, then anyone spying on the traffic will only see “sand” flowing in the pipeline between your company and a black hole in the internet. If anyone else tries to connect to the server, it will behave like a true black hole - nothing will come out of it, and if the attacker is persistent it might even ignore him and stop existing for him for some time.
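The "ignore a persistent visitor for some time" behaviour can be sketched as a sliding-window counter over failed logins. This is an added example, not code from this article or from sshguard; the ISO-timestamped log layout, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy (not from the article): 3 failures in 60 s => ignore source for 10 min.
MAX_FAILURES = 3
WINDOW, BLOCK_FOR = timedelta(seconds=60), timedelta(minutes=10)

# Failure lines as written by OpenSSH's sshd; the ISO timestamp prefix is an assumption.
FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample log (documentation IP ranges, hypothetical host "mail").
SAMPLE_LOG = """\
2014-10-19T03:00:01 mail sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
2014-10-19T03:00:03 mail sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40023 ssh2
2014-10-19T03:00:04 mail sshd[815]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
2014-10-19T03:00:05 mail sshd[813]: Failed password for root from 203.0.113.7 port 40024 ssh2
2014-10-19T03:00:09 mail sshd[814]: Failed password for root from 203.0.113.7 port 40025 ssh2
2014-10-19T03:01:00 mail sshd[816]: Failed password for alice from 198.51.100.20 port 51001 ssh2
2014-10-19T03:05:00 mail sshd[817]: Failed password for alice from 198.51.100.20 port 51002 ssh2
2014-10-19T03:11:00 mail sshd[818]: Failed password for root from 203.0.113.7 port 40026 ssh2
"""

def blocks(log_text):
    """Return [(ip, blocked_from, blocked_until)] for sources exceeding the policy."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    blocked_until = {}            # ip -> time at which its current block expires
    result = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are skipped
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in blocked_until and ts < blocked_until[ip]:
            continue              # source is already being ignored
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()           # forget failures older than the window
        if len(q) >= MAX_FAILURES:
            blocked_until[ip] = ts + BLOCK_FOR
            result.append((ip, ts, ts + BLOCK_FOR))
            q.clear()             # start counting afresh once the block expires
    return result

if __name__ == "__main__":
    for ip, start, end in blocks(SAMPLE_LOG):
        print(f"{ip}: ignore from {start.isoformat()} until {end.isoformat()}")
```

The employee who mistypes a password twice, minutes apart, is never blocked, while the source that fails three times in four seconds is ignored for ten minutes and then counted from zero again.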
Your provider should take care of the perpetual patching of any software used in the cloud (it is necessary to do this literally on a daily basis) and make backups.
A backup is one of the trickiest and most underestimated activities I know about. Believe me when I say, you have to lose valuable data and suffer the consequences of the loss before you learn its true value. Most people are happy with the fact that there is a backup mechanism deployed. BUT have they ever done a backup restore exercise to actually make sure that the backups work? The statistics say that you have a 1:3 chance that they will.
The very last thing I'd like to mention is a password. We all have a plethora of passwords to remember. However, any password can be stolen or guessed. Protection by password is not safe any more - especially in the cloud world. Good practice for protecting a login is to request “something you know and something you have”. Banks have known this for a long time and I’m sure that you're not logging into your internet bank account using just your password. You either receive an SMS with a code by phone (“something you have”) or use a physical device to generate a one-time password. This technique is called two-step verification and you should be using it for logging into any publicly available addresses.
In summary, how to make sure that your cloud hosting is being done safely:
Use a VPN connection so the server exists only for you and no one else can touch it.
Make sure that the server is being monitored in real time, to protect it from brute force attacks.
Make sure that the server is patched every night for known vulnerabilities.
Don't just back up, but at least once a year try to restore the server from the backups.
Use two-factor authentication for logins.
Database of known security vulnerabilities - http://www.cvedetails.com/
VPN - https://openvpn.net/
Protection from brute force attacks - http://www.sshguard.net
Who supports two factor authentication