Cloud computing has in recent years become both an essential service used in many industries and a ubiquitous part of the daily life of consumers. By offering remote access to computing services that can be rented out on a flexible, efficient, as-needed basis, it gives companies access to greater computing power and storage capabilities than they might be able to maintain on their own legacy servers, and lets them do more advanced analytics with their data.
According to a report from the National Institute of Standards and Technology (NIST), “The cloud computing model offers the promise of massive cost savings combined with increased IT agility.”
Cloud computing has become a particularly critical feature of modern life since the start of the COVID-19 pandemic, as many employees moved to remote workplaces and had to use cloud services in order to collaborate with their colleagues.
The opportunities that cloud computing offers, however, also come with challenges in the realm of data security. Cloud servers can contain highly sensitive personal data that could be lost in leaks or stolen by hackers, such as medical data from hospitals, financial information from banks, or data on young children in schools. It is not always clear, when using third-party cloud services, which party is in charge of maintaining security protocols, complying with privacy laws and data regulations, and monitoring for leaks or vulnerabilities. It’s therefore crucial to understand how data security intersects with the cloud.
What Is Cloud Computing?
Cloud computing is a service that allows users to access computing power and resources, such as data storage, servers, and computation, without needing to be in the same physical space as the computing equipment. The aforementioned NIST report defines cloud computing as “a model for enabling convenient, on-demand access to a shared pool of configurable resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
For example, if files are stored on Google Drive instead of on a user’s local computer or device, they are being stored in the cloud. If a user streams a movie on Netflix instead of watching a physical DVD or a movie saved on their computer, they are accessing a resource from the cloud.
In a broad sense, everything on the internet is also in the cloud. The cloud is a service that provides remote access to computing power, resources, and storage, while the internet is how users access that service.
The origins of cloud computing therefore go back to the origins of the internet in the 1960s. The use of cloud technology began to become a common feature of everyday life in the late 1990s and early 2000s, as major companies began providing cloud-based services. Salesforce started to offer software downloads over the cloud in 1999, Amazon Web Services and Google Docs both launched in 2006, Netflix in 2007, Apple iCloud in 2011, and Oracle Cloud in 2012.
Cloud computing can cover a wide variety of services, including Infrastructure as a Service (IaaS), Software as a Service (SaaS), Platform as a Service (PaaS), and Workstations as a Service (WaaS). The last service is particularly fast-growing, as the pandemic caused many offices to move to remote work. Clouds can be public, private, or a hybrid of the two.
What Is Data Security?
Data security is the practice of ensuring that data is protected from being stolen, breached, misused, or accidentally exposed to unauthorized parties. The Data Management Body of Knowledge (DMBoK) defines it as “the planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access and auditing of data and information assets.”
Lack of security has serious consequences: According to IBM, a typical data leak costs a small business $7.7 million. Ultimately, data security is critical on both an ethical level and a practical level, as a commitment to security reduces legal and financial risks and allows a firm to maintain a reputation for integrity, reliability, and trustworthiness.
Protecting data involves taking into account the needs of stakeholders, business owners, and government regulators, as well as keeping abreast of all relevant laws, regulations, and best practices.
Trends and Challenges of Data Security in the Cloud
The pandemic led millions of people around the world to spend more of their life on computers than they ever had before. Students went to school online, workers went to the office remotely, patients used telemedicine more often, and consumers bought more items online instead of going to a store. U.S. e-commerce sales soared in 2020, growing more than 30% from 2019.
All of these functions rely on cloud computing, which means that questions about the security of data in the cloud are more salient than ever. A survey of chief information officers from the aforementioned report found that security requirements were the second-biggest concern when companies migrate to the cloud. (The biggest concern was talent gaps, including technical and managerial talent.)
A number of laws govern data security and data privacy, particularly when the data involves sensitive information such as medical records. Notable laws include the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) in the U.S., the Family Educational Rights and Privacy Act (FERPA) for student data, and the Health Insurance Portability and Accountability Act (HIPAA) for medical data. A third-party cloud service may not necessarily comply with these laws out of the box, making it necessary to adjust the software.
To help combat these challenges, cloud data loss prevention (DLP) tools have become increasingly popular. They are integrated directly via an API, allowing users to deploy tools quickly. As described by Rohan Sathe:
“Cloud data loss prevention programs will scan and audit data to detect and encrypt PII and other valuable information shared across cloud environments. And, while legacy DLP tools are often seen as complex to deploy and difficult to manage, the next generation of cloud DLP integrates directly via API – meaning that users are typically up and running within a few minutes.”
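The scan-and-protect step described in the quote can be sketched as follows. This is an added example, not code from the article or from any DLP product: the detector patterns are illustrative assumptions, the sample text is constructed, and masking stands in for the encryption step the quote mentions.

```python
import re

# Detector patterns are illustrative assumptions, not any vendor's rule set.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan(text: str):
    """Return (kind, start, end) for each PII match, sorted by position."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue        # e.g. an order number that merely looks like a card
            findings.append((kind, m.start(), m.end()))
    return sorted(findings, key=lambda f: f[1])

def redact(text: str) -> str:
    """Replace each finding with a typed placeholder, working right to left."""
    for kind, start, end in reversed(scan(text)):
        text = text[:start] + f"[{kind.upper()}]" + text[end:]
    return text

# Constructed sample: a note as it might sit in a shared cloud document.
SAMPLE = ("Refund for jane.doe@example.com, card 4111 1111 1111 1111, "
          "SSN 078-05-1120, order 1234 5678 9012 3456.")

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(redact(SAMPLE))
```

The Luhn check is what keeps the 16-digit order number from being flagged as a payment card, which is the kind of false positive that makes a scanner noisy in practice.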
Another trend is security as code: built-in security protocols that will automatically stop production of an app that has security vulnerabilities, or reject insecure code submitted by a developer. Stephen Schmidt, the former chief information security officer of Amazon Web Services, described the benefits of security as code this way: “We implement automation and use of code for security purposes because it applies universal rigor throughout the organization. It solves the issue of human error that is the common denominator across cloud breaches.”
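A minimal form of such a gate is a set of rules evaluated against a submitted deployment manifest, with a non-zero exit status blocking the pipeline. This is an added example, not code from the article or from Amazon Web Services; the manifest field names, rule IDs and sample manifests are hypothetical.

```python
# Each rule: (id, description, predicate returning True when the resource passes).
# Field names are hypothetical; a missing field fails the check (fail closed).
RULES = [
    ("STOR-1", "storage must not be publicly readable",
     lambda r: r.get("public_access") is False),
    ("STOR-2", "encryption at rest must be enabled",
     lambda r: (r.get("encryption") or {}).get("at_rest") is True),
    ("STOR-3", "access logging must be enabled",
     lambda r: r.get("access_logging") is True),
    ("NET-1", "minimum TLS version must be 1.2 or higher",
     lambda r: _version(r.get("min_tls")) >= (1, 2)),
]

def _version(value):
    """Parse '1.2' into (1, 2); anything unparseable sorts below every version."""
    try:
        return tuple(int(p) for p in str(value).split("."))
    except ValueError:
        return (0,)

def evaluate(manifest):
    """Return a list of (resource name, rule id, description) violations."""
    violations = []
    for res in manifest.get("resources", []):
        for rule_id, desc, passes in RULES:
            if not passes(res):
                violations.append((res.get("name", "<unnamed>"), rule_id, desc))
    return violations

def gate(manifest):
    """Exit status for a pipeline step: 0 allows the deploy, 1 blocks it."""
    return 1 if evaluate(manifest) else 0

# Constructed manifests standing in for a developer's submitted change.
GOOD = {"resources": [{"name": "reports", "public_access": False,
                       "encryption": {"at_rest": True},
                       "access_logging": True, "min_tls": "1.2"}]}
BAD = {"resources": [{"name": "uploads", "public_access": True,
                      "encryption": {"at_rest": True}, "min_tls": "1.0"}]}

if __name__ == "__main__":
    for name, rule_id, desc in evaluate(BAD):
        print(f"BLOCK {name}: {rule_id} {desc}")
    raise SystemExit(gate(BAD))
```

Because each predicate tests for the secure value rather than the insecure one, a setting that is simply left out (access logging in the second manifest) blocks the deploy instead of passing silently.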
The Future of Data Security in the Cloud
Cloud computing requires companies to pay serious attention to data security. However, the cloud itself can also be a tool for data security. For example, a McKinsey report on risk management described how a bank was able to use cloud services to detect a data breach and find the individual responsible within two weeks. Another company hit by the same data breach took a year to detect and then respond to the issue.
The pandemic has led to a surge in new customers for cloud-based services, particularly e-commerce and cloud-based workstations. Other major trends we can expect to see more of include open-source applications, cloud automation to reduce workloads and eliminate repetitive processes, and edge computing to improve processing speeds. Ultimately, understanding how data security intersects with the cloud is critical to managing risk while still taking full advantage of all the opportunities that cloud computing has to offer.