Can You Hide From Cyber Threats in the Cloud?

Businesses are increasingly moving their IT infrastructure into the cloud.  The market for small and medium sized business in the cloud now exceeds $30 billion.  The big question, however, is whether it is “safe in the cloud?”  The short answer is: it depends!

Using the cloud for IT infrastructure is a grave concern for cyber security professionals.  Indeed, the 2017 Global Security Assurance Report Card notes that both cloud applications and infrastructure were graded as “D-minus.”  Survey results indicate that cloud infrastructure is the most challenging IT component for assessing security risk.  None of the other sixteen aspects of the survey gave IT security respondents more trouble.

What Exactly is the Cloud?

There are three distinct types of clouds.  Understanding the type of cloud your business is using can mean the difference between a secured network and leaving your business exposed with an unaccountable out-of-country provider

1. Internal.  A “internal” or “private” cloud involves an offsite location for servers.  This is a location that serves only one corporate user.  These are usually available for large companies and provide secure service as long as the user has in place all of the other normal precautions and investment in security infrastructure.

2. External.  “External” or “public” clouds is the “brave new world” of virtual computing.  A public/external cloud involves using a third party server’s infrastructure to hold the user’s data in the same location(s) as other users; in any event, outside the user’s direct control.

3. Hybrid.  A hybrid cloud involves using a mix of on-premises, private cloud and/or third party public cloud services in orchestration between the various platforms.  Hybrid clouds are designed for use by one organization.  The public and private sections must operate independently and communicate over an encrypted connection.  What is key is that public and private clouds in a hybrid cloud are distinct and independent which allow more sensitive and protected information to be stored on the private cloud.

How To Be Safe In the Cloud

The absolute key issue in an external/public cloud-based system is due diligence by the user.  That is, you can’t simply outsource protection of your system and assume you are safe in the cloud.  In fact, “checking out” the external cloud providers is more important than ever.

Before you retain an external cloud provider, you should understand the cloud provider’s: (a) disaster and recovery systems; (b) employee security policies; (c) protection of data; and (d) certifications.  Cloud based certification by recognized standards like National Institute of Standards and Technology (NIST), Statement of Standards for Attestation Engagements No. 16 (SSAE16) Service Organization Controls (SOC) 2 Type II, and International Organization for Standardization (ISO) 27001 is one of the best ways to ensure your system will be safe.  A cloud provider should not be considered unless it is currently certified by one of these recognized organizations.

Depending on the nature of customer data being kept on the cloud, some additional precautions may be necessary to avoid violation of state and/or federal law, including those required under Gramm Leach Billey Act (GLBA) and/or Health Insurance Portability and Accountability Act (HIPAA).  This may also mean cloud based data storage should be located in the United States and should include significant contractual security promises by the cloud provider.

Put simply, many people view using a cloud-based system as “simplifying” operations.  Nothing can be further from the truth.  A company must be more diligent in ensuring that its cloud-based vendor is engaged in adequate cyber security measures to protect company data.

Bottom Line

There is no escape in the cloud.  Diligence on cyber security is more important than ever.

Stephen E. Yoch is an attorney at Felhaber Larson in Minneapolis who represents clients on cyber security issues.  More information can be found at