Gartner predicts that from 2013 to 2016, $677 billion will be spent by cloud customers to create cloud advertising and other business services. This estimate does not even include the billions of dollars of private cloud infrastructure investment. So when a modern bank robber is asked why he is targeting cloud services, he will most likely answer, “Because now that’s where the data is” — so that’s where the money is.
What are today’s bank robbers attempting to do? Some are using cloud services to run their Zeus botnets and other hacking infrastructures. Other risks include hacktivists who target your service provider with DDoS attacks, rendering your business service unavailable for hours or days because the cloud provider didn’t have the bandwidth or controls in place to contend with the attack.
So what are obvious considerations to protect against these emerging threats?
1. Know what data your company is storing in the cloud.
– Don’t find out after someone else publishes it on the Web or sells it to a crime syndicate.
– Be aware of what types of data your business is producing or holding during the initial stages of the project.
2. If you are storing any confidential data in the cloud, encrypt it.
– Assume the data is going to be attacked and potentially leaked in the future.
– Encryption increases the costs for hackers to gain access to your data and may thwart their efforts.
3. Have a Plan B for critical business services.
– Assume that your cloud provider is going to have a disruption in the future.
– Determine how much downtime you can handle and still remain profitable, and consider designing redundant services between multiple providers.
4. Choose a cloud provider that is aligned with your risk tolerance.
– Assess various cloud service providers and choose the one that best fits your budget and risk tolerance.
– Don’t bargain-hunt for a cloud provider — you may one day wish you had chosen a provider with stronger security.
Robert Malmrose is Chief Security Officer at Quantitative Risk Management and a featured speaker in the Cloud Security and Risk Summit at Cloud Connect Chicago 2013. This post is a summary of Robert’s article that was published in InformationWeek.