Cloud is going to be an exciting area in 2014 because of the tension between cost-savings and security threats. Ironically, while Edward Snowden's revelations of the NSA's Prism cloud spying program is likely to damage users' view of the cloud, it also provides a known rather than nebulous threat. Known threats can be countered, while nebulous threats can merely be feared.
Many security companies consequently believe that cloud adoption will increase in 2014, but colored by knowledge of Prism and Prism solutions. Encryption, seen as a major defense, is thus a major consideration for the coming year. "The recent moves by Google and Yahoo to upgrade encryption levels are just the beginning. In 2014, we’ll see providers continue to fortify their networks," says Paige Leidig, SVP at CipherCloud. For the user, he adds, "Encryption gives customers the tightest control over their data when they hold the keys because this prevents third party access to the keys and encrypted information."
"We will see further investment in key management systems that allow organizations to keep control of their encryption keys themselves vs. entrusting that critical security measure to the same vendor that holds their data," agrees Eric Chiu, president and co-founder of HyTrust.
One new technology that "will become more popular in 2014 is split key encryption," says Lior Arbel CTO of Performanta Ltd. Here "the encryption key is split in two, one half held by the provider and one by the customer meaning that the customer’s database can only be accessed [by the provider and/or the NSA] with their active participation."
Garry McCracken, VP of technology partnerships at WinMagic, also sees encryption as the means to solve the BYOD/file sharing problem, which he believes is only going to get worse. "Instead of IT turning a blind eye, a top priority should be to find a way to properly encrypt company data without compromising user experience and productivity. Whether we like it or not cloud and BYOD adoption will continue to grow in 2014."
A second cloud influence is coming from the European Union. The Prism revelations in 2013 gave new impetus to the proposed General Data Protection Regulation and the protection of PII. Whether the GDPR is actually approved in 2014 or not, companies will be preparing for it by seeking greater control over and protection of personal data stored in the cloud.
Steve Durbin, global vice president with the Information Security Forum, explains the problem: "In moving their sensitive data to the cloud, all organizations must know whether the information they are holding about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection. Different countries’ regulations impose different requirements on whether PII can be transferred across borders. Some have no additional requirements; others have detailed requirements. In order to determine what cross-border transfers that will occur with a particular cloud-based system, an organization needs to work with their cloud provider to determine where the information will be stored and processed."
Kevin Bailey, head of market strategy at Clearswift, uses a cloud/weather analogy. "Cloud providers in 2014 will need to visibly demonstrate how they have shored up their defenses so they are able to identify breaches of access or as with the bi-product of a cloud, rain, when sufficient saturation (breaches) happens, precipitation (cloud providers) will fall to the surface, and evaporate (go out of business)."
One perceived weakness in currently securing data in the cloud, whether PII or not, is inadequate access authentication. Ian Lowe, a senior product marketing manager at HID Global, sees a potential solution in the growing availability of NFC on smartphones. "NFC-based authentication has the potential to solve the security, convenience, cost and complexity problems of earlier solutions," he suggests. It provides "a valuable platform for extending strong authentication to include a third factor in the form of something the user is;" that is, the use of face, voice and increasingly fingerprint biometrics with the template stored on the phone.
However, one company sees an even greater threat to the internet itself, forced by the global mass surveillance of the Five Eyes intelligence alliance and different government requirements for privacy: the balkanization of the internet itself. "The Internet has begun to break up into national segments," notes Kaspersky Lab. "Until recently this only really applied to the Great Firewall of China." But now other countries, including Russia, it adds, "have adopted or are planning to adopt legislation prohibiting the use of foreign services. Snowden’s revelations have intensified the demand for these rules. In November, Germany announced that all communications between the German authorities would be fully locked within the country. Brazil has announced its plans to build an alternative Internet channel so as not to use the one that goes through Florida (USA)."
But apart from the effects of Prism and the GDPR, traditional threats to data are also likely to increase. "2014 will also see a rise in attacks on cloud providers directly," warns Lior Arbel. Attacking providers is more difficult than attacking traditional company networks because of the constant and concentrated defenses mounted by the cloud operators. "However," he adds, "the target is lucrative which makes it worth the increased difficulty for cyber criminals. A well-executed attack on a cloud provider's database can give access to the information of all of their customers and lead to further penetration from the cloud onto the internal intranet and LAN systems of customers."
The one thing that nobody is predicting is a decrease in cloud adoption in 2014. The irony over increased knowledge of severe security threats to the cloud discovered in 2013 is that cloud adoption is likely to increase in 2014 with improved use of encryption, better knowledge of where data resides, and more secure access methods. Now that we have a better understanding of the threats, we are more able to defend against them.