Securing the Cloud

As the Covid-19 pandemic accelerates the transition to a digital economy, companies have adapted to remote and hybrid working models. In this context, the cloud has provided necessary tools to operate outside a quintessential office environment. At the same time, it has emerged as one of the most targeted environments for cyber-attacks.

Background

Cloud computing traces its origins to a military mainframe developed in the 1950s, which connected computer terminals across an internal matrix. A decade later, John McCarthy- an American computer and cognitive scientist, had advanced the revolutionary proposition that this ‘non-local storage technology’ can be sold as a utility.

However, it took almost forty years for this idea to materialise. In 1999, a software company called ‘Salesforce.com’ delivered applications to users through a simple website, giving rise to the concept of ‘SaaS’ (‘Software-as-a-service).Over time, this industry expanded to cover applications like PaaS (Platform-as-a-Service) and IaaS (Infrastructure-as-a-Service).

For example, in 2006, Amazon Web Services launched its Elastic Compute Cloud (EC2) that enabled people to rent virtual computers. This server virtualization pioneered the delivery of IaaS. Other companies like Google and Microsoft also entered the fray and captured a significant share of the cloud computing market. 

Analysis

Today, cloud computing has emerged as an attractive solution that facilitates a scalable online environment. It offers powerful processing and storage resources that optimise infrastructure usage and reduce dependence on legacy software. However, as the pandemic hastens the migration of data to the cloud, there are several security risks that arise.

Virtual servers are susceptible to malware infections, data breaches, identity theft and other social engineering tactics, just like any other aspects of cyberspace According to a 2020 report by the Trustwave Global Security, attacks on cloud services account for nearly 20% of cyber incidents. In fact, the recently discovered SolarWinds attack has exposed the unique vulnerabilities of the cloud. As can be recalled, hackers had penetrated the cloud systems of numerous organizations by compromising their local network identity systems. Having gained access to the cloud, they were able to disguise their activities as benign network traffic.

Apart from data security, the concentration of cloud service providers in a few key companies has also added significant risks. When few technology vendors have a large proportion of customers relying on their services, a single breach or outage can have a cascading effect.

Against this backdrop, organisations around the world are reconfiguring their security architectures. Given the growing use of cloud platforms in critical infrastructure, governments have also stepped up their regulatory oversight. For example, nationalist forces are exercising more control over strategic cloud assets, by restricting the free flow of data and mandating localisation requirements.

To offset the risks arising from a concentration of cloud providers, jurisdictions like the EU have also pledged €10bn for building their own native cloud infrastructure. 

Counterpoint

Although security and sovereign pressures are forcing national governments to look inwards, the cloud should be viewed as a ‘global commons’. It requires comprehensive data protection solutions that absorb global best practices and facilitate cross-border intelligence sharing.

Secondly, the implementation of robust security measures cannot come at the cost of innovation. Policymakers have to consider mechanisms that foster technological enterprise and promote healthy competition in the cloud-based environment. 

Assessment

Incidents like the SolarWinds hack have demonstrated the importance of strict access controls within a cloud environment. It is important to integrate ‘zero trust’ frameworks within the security architecture.

While the development of centralised incident response and reporting agencies is essential, there is a need to remove barriers to real-time information sharing between public and private sectors across national borders. 

*This article is based on the 103^rd virtual forum on the ‘Future of Cloud Security’ organised by the Synergia Foundation. Key participants included Lt. Gen Rajesh Pant (National Cyber Security Coordinator, Government of India); Ariel ( Eli ) Levite (Former Israeli Deputy National Security Advisor); Matt Carling (Cyber Security Solutions Architect, CISCO Systems), Col. KPM Das (Retd) (National Cyber Security Officer, CISCO); S Chandrasekhar (Director of Government Affairs & Public Policy, Microsoft India); Chelsea Smethurst (Senior Security Strategist, Microsoft) and Monica Pellerano (Research Analyst, Carnegie Endowment for International Peace).