At the end of 2022, Gartner forecast a 20% increase in worldwide spending on the public cloud in 2023. Such growth has raised a number of questions, with more and more people publicly questioning the “all cloud” philosophy. Why? Because the issues of data governance, compliance and data security in general are still raising just as many questions in response to growing cyber risks. So are those risks imaginary, or reality?
A study by 451 Research, published in late 2022, even quoted a figure of 54% of respondents who had withdrawn their data from the public cloud in the past year. But are such risks justified? Should we consider returning to the traditional “on-premise” model? Could more effective cloud security be the key? We offer some explanations and answers.
The dangers of the cloud
Whether it's a question of infrastructure, software or platform, the “as-a-service” model has become a must-have for many businesses and institutions. Its advantages are undeniable, including flexibility, scalability, high availability, data accessibility and pay-as-you-go options. But any discussion of the cloud must cover the concepts of both public and private clouds, as well as SaaS (Software-as-a-Service), IaaS (Infrastructure-as-a-Service) and PaaS (Platform-as-a-Service). And each of these cloud types comes with its own economics and risks.
Despite the ubiquity of such services, concerns about data security in the cloud are being voiced with increasing insistence. A certain feeling of loss of control has created a perceived link between the cloud and data fragility. Firstly, there are concerns over the confidentiality of data stored via US platforms, following the adoption of the Cloud Act by the US in 2018. Secondly, there is concern over the risk of human error, as incorrectly configured security settings can result in massive data leaks.
The second widespread fear is the hidden cost of the cloud. Often presented as a less expensive solution than “on-premise” IT infrastructures, the truth about the cloud is actually somewhat more nuanced. At an event, Computacenter CEO Mike Norris gave a clear-cut statement: “Cost control is the biggest challenge (with the model) of cloud computing because it's not software as a service, it's software as a hostage.” There are several reasons for overspending: increased storage costs, higher operating and data deletion costs, miscalculated transit costs, etc. Meanwhile, the energy price crisis has (re)opened people's eyes to energy consumption at datacentres.
The final fear linked to the use of the cloud is the vulnerability of the data stored there, which is a prime target for cybercriminals. To access this data, cybercriminals can attack various elements of the cloud, including IT services, storage services and applications. In 2021, for example, a study announced that 90% of S3 buckets on the Amazon Web Services platform were vulnerable to ransomware. In the same year, Cognite, Facebook and Kaseya all fell victim to cyberattacks on cloud databases. In December 2022, Rackspace Technology, one of the largest cloud hosting providers in the USA, also suffered a cyberattack that led to outages in its hosted Microsoft Exchange service. These few examples of attacks (among many others) are contributing to the feeling of insecurity that businesses have about the cloud. After all, even cybersecurity solutions are being attacked in the cloud – for example, search engines are full of articles about attacks on LastPass and its secure password storage services. For although cybersecurity is not a barrier to the adoption of the cloud, it remains a major concern for 95% of companies, according to a survey by another publisher.
And the situation is even more complex than that; for in addition to attacking them, cybercriminals are using cloud environments as a vehicle for some of their attacks. That’s right: malware is increasingly being distributed via cloud services. In its latest study, Cloud and Threat Report, publisher Netskope reported that the number of cloud applications spreading malware had... tripled by 2022.
Is it time to exit the cloud?
The cloud has been the subject of questions for several years now. Some companies have taken public action: among them, the branch in charge of advertising at France Télévisions switched its cloud backups to on-premises infrastructure in 2020. More recently, in early 2023, 37signals – the publisher of the Hey and Basecamp collaborative platforms – announced a $7 million saving by withdrawing from Amazon's cloud.
But moving away from the cloud is not a decision that can be taken lightly, and requires an impact assessment to be carried out beforehand. Both the questions to be asked and the resources required need to be considered in advance. Infrastructure migration, data and user migration, tailoring of security rules, change management... these are just some of the issues that can prevent businesses from moving to the cloud. By outsourcing resources through cloud computing, companies have divorced themselves from the human and material skills that on-premise requires. An investment in both material and human resources would therefore seem to be required. However, leaving the cloud does not necessarily mean returning exclusively to on-premise infrastructure. Intermediary solutions exist, such as renting space (hosting for a bay or an entire room) in private data centres, or taking out an outsourcing contract with a service provider. These two solutions enable companies to exploit existing infrastructure (peering, secure premises, electrical infrastructure, air conditioning) and redundancy certifications (Tier I - II - III - IV) to avoid colossal investments.
Combining cloud and cybersecurity
Another approach exists: combining cloud and cybersecurity. This approach is all the more important given that “cloud security” often actually means “clouds security”. The security components specific to the various marketplaces need to be strengthened or replaced by the capabilities of pure-player cybersecurity providers (internal segmentation, filtering between different resources, intrusion detection systems, identity and access management tools, trusted VPN links, etc.). From this multi-cloud perspective, the choice of a pure-player firewall brand to be deployed in each cloud makes sense in terms of expertise, visibility and management, compared with having to administer the various configurations of each cloud's own native firewalls.
And how do you choose between the various cloud platforms? In other words: how do you select a secure cloud? The French government is attempting to answer that question with the SecNumCloud standard, which provides qualification for cloud service providers. Guillaume Poupard, former Director General of the ANSSI, once said, “To promote a protective digital environment that keeps pace with technological developments, including for the most critical data and applications, you need to identify trusted cloud services.” This label provides evidence of the trust of the French government by meeting the stringent cyber-requirements set by ANSSI. Compliance with the highest level of data protection security, a precise service level agreement and guaranteed data localisation: qualified clouds offer greater protection against non-European laws.
But none of this should detract from the importance of ensuring secure exchanges in the cloud. This is because cybercriminals will usually try to exploit a flaw in a client instance and then attempt to penetrate the overall system, rather than attacking it head-on. At a time when collaborative tools in the cloud (such as Google Workspace and Microsoft 365) are becoming increasingly widely used in organisations, information is exposed to the risks of data interception, leakage and theft. Encrypting your files enables you to exchange sensitive data securely: sensitive data is automatically encrypted and decrypted for authorised persons. But to be effective, securing sensitive data must be combined with the ease of use provided by the platforms. However, that’s a subject for another time...
Fears about the fragility of data in the cloud mean that we need to be asking the right questions about this very special environment. They highlight the vulnerabilities of the cloud and the associated security requirements. Security in the cloud is not something to be considered in isolation: companies must also make their employees aware of the wider scope of cyber-threats. This is the only way to raise the level of security not only for your assets in the cloud, but also for your entire perimeter. After all, in the cloud, security is an issue at every level.