Protect your business online
Cloud security risks and solutions
Cloud security takes in a range of policies, technologies and security controls that serve to protect data, applications and the infrastructure associated with cloud computing.
Cloud security risks
Two main types of cloud security threats relate to issues faced by:
- cloud providers - who look after the infrastructure and the client's data and applications
- cloud customers - who rely on password protection and authentication measures
Key risks in the cloud include hacking, data theft, server faults and non-compliance. You can address each by deploying the same security solutions you would normally use to protect your in-house IT devices and networks.
Cloud security controls
Many of the common cyber security measures apply in a cloud-based environment as they do in conventional IT systems, including:
- firewalls and perimeter protection
- traffic monitoring and reporting
- spam filtering
- real-time alerts and analytics
The National Cyber Security Centre (NCSC) offers detailed guidance to help you configure, deploy and use cloud services securely.
Your security responsibility if you use cloud services
Providers and customers share the responsibility for maintaining and protecting the security of cloud services and systems. As a buyer, your responsibilities will vary depending on the type of service involved. Your responsibilities will be the largest when using Infrastructure as a Service (IaaS).
Cloud security and data protection - things to consider
If you are processing and storing sensitive business or personal data in the cloud, you will want to check that your provider takes security seriously. Things to consider include:
Cloud provider vulnerabilities
Are they following best security practices, patching up regularly, implementing proper security controls? Can they guarantee that your assets will be protected against physical tampering, loss, damage or seizure?
Are there weaknesses in the host system or server configuration? Can you get assurances that the technology is secure? Will it be reliably accessible and available when you need it?
Did you agree standards and responsibilities between yourself and the provider? Defining roles and responsibilities can help ensure secure coverage and prevent potential liabilities in case of cyber incidents.
Will the provider limit access to the cloud service to only those who need it? How will they minimise the risk of accidental or malicious compromises of your data by their personnel?
Service level agreements
Can you establish a documented standard with your cloud provider, including their duties in relation to ongoing management, response times and support?
Risk assessment and analysis
Does your provider have an adequate incident plan in place to quickly deal with and mitigate any potential damage?
Legal and regulatory implications
If you're storing or processing personal data in the cloud, you will have to comply with the UK General Data Protection Regulation (UK GDPR). For more information, you can read the NCSC's report on cloud computing and data storage.
If you're using software that interacts with cloud services, you may also want to read about managing the risk of cloud-enabled products.