The Elephant In The Room on Cloud
Are Public Clouds Secure Enough for CIOs or for Expanding Global Enterprises and Corporations as we progress through the Twenty Twenties? Especially after major breaches in the UK Market in the Autumn of 2015
Gone are the times when sharing information between computers required people exchanging floppy disks. With the onset of the networking era and the Internet coming into its own, emails with attachments became prevalent (one could argue they still are) and I still see the use of USB memory sticks for this purpose. We all know how email clutter has become too much to handle and the fact that mail servers couldn’t handle very large files as attachments, which also drove people to USB drives. Now cloud storage has come along and completely changed the way people share files. Whether CIOs like it or not users have been using cloud storage and Dropbox and Google deserve much of the credit for completely changing the file synchronisation and sharing paradigm in such a fundamental way, that now several players (Microsoft and Apple included) are in the race to dominate the cloud storage domain.

Why some CIOs are worried about risks with Public Cloud!

While cloud storage has certainly revolutionised the way people store and share data – all is not as well as it might seem. The problem is a little thing called “Privacy”. Most of the companies that provide customers online storage in the cloud have privacy policies, but that doesn’t necessarily mean they’re guaranteeing your privacy. In many cases, when you say “I agree” to a Privacy policy, you’re actually granting the company certain permissions and/or licenses to your data. If you read through the legalese patiently, you’ll find out that in almost all cases, you’re giving away permissions to these companies and allowing access to your information to varying degrees. With several cloud services the cloud vendor gets a license to your information as soon as you upload it. One leading cloud drive vendor’s terms of service state clearly that you’re giving them the “right to access, retain, use and disclose your account information and your files”. Twitter has a more user-friendly policy which states that it will only disclose user information “in compliance with US law, to valid legal process. For example, requests for contents of communication require a US search warrant. The fact remains that your data is still not private, even if only from the US government. What amplifies this risk is how simply ubiquitous cloud based storage has become. Your employees probably routinely use file sharing services to exchange sales and marketing data, not to mention strategic plans in the form of power point slides. Most new services are now available exclusively in the cloud – be it source code control repositories, customer resource management tools, or HR management software. This is the conundrum that most users have to wrestle with when it comes to cloud storage. How do you trade off the convenience with the compromise of privacy? Sadly many users are unaware of the implications of saying “I agree” to the privacy policy – and the ones that do care have simply reconciled to the fact that they can’t store certain types of information on public cloud storage. Hardly an optimal situation.

What can one do about it?

Fortunately, there are solutions that don’t need you to make these compromises. Encryption for one! One approach is to encrypt the data that is kept on the cloud storage. But, wait – surely companies like Google and Dropbox are encrypting the data their customers are entrusting to them? Sure, they are – but they are using encryption keys which also allow them to decrypt the data should they want to. It is locking your front door, but entrusting the keys to Dropbox or Google. Would you feel as safe about that arrangement as you would if you had the keys with you? An approach that works is to have a way to encrypt the data, with your encryption key, before it leaves your home or office on the way to the cloud. And similarly decrypt the data as it comes back into your home or office and before it gets served up to you on your computer or tablet or smartphone. Solutions such as this exist – but they’re inherently a bit clumsy because they are software based solutions which require you to download a special client onto your computer which performs the encryption and decryption for you.

Is Tokenisation & Obfuscation the right answer?

Another approach that is especially useful when you’re using a SaaS application is to have software that intelligently monitors the data traffic as it leaves and enters your data centre. Using pattern recognition methods, the software can identify strings that may be confidential in nature or personally identifiable information (PII) and selectively obfuscate those. This is done in such a way that the SaaS application server in the cloud still believes it is dealing with valid data. When data is returned back into the data centre from the SaaS servers the process is reversed for the benefit of end users.

Or do you just do Private (or personal) Cloud

Yet another approach that is really simple is to simply not put your data out there in the public cloud but that would be going back a hundred years, it is an option but not one that I would certainly make. I do however believe that a combination, or hybrid approach can address more concerned businesses about their applications from a security perspective to consider a combination of Private Cloud (In-house). With the increase in awareness around privacy and the pitfalls of letting personal data take its course in the hands of the public cloud vendors, we’re sure solutions to address application access in the public cloud are going to gain traction and public cloud services will certainly become more mainstream as innovation drives more secure access.

Consider – Innovative Secure Cloud Login

So to that end, in scouring the market for those innovative companies that are addressing security access solutions for users wanting to access more cost effective options by using Public Cloud has led me to a number of solutions. One such solution comes from a start-up company providing what they call Secure CloudLink, which has a Patent pending Federated security solution that opens up the door to much easier access to applications that sit in many domains, and potentially across all the areas of Public, Private Cloud and in-house secure zones across all user devices.
“There are many other solutions out there some more ‘clunky’ than others attempting to address this, but this solution from Secure CloudLink certainly unlocks the benefits of cloud for any Enterprise business.” Says Craig Ashmole, Founding Partner of London based IT Consulting CCServe. “It does not send Personal PII data or log-in passwords across the network and does not cost a fortune to implement.”
Secure CloudLink’s Digital Identity Platform for Enterprise provides a single secure identity layer for directories. Users and customers can access customised, legacy and cloud applications without any useable identities ever stored or replicated in the cloud. This is a key fact that should be seriously considered. With this enhanced Single Sign-on administrators can also deploy pre-integrated In-house or 3rd party apps to new users and customers with one-click deployment, a massive ‘time saver’ option. The solution also has a powerful set of analytic tools which monitor user log in history and applications used across ones workforce or your customers, enabling clear concise auditing records. cl1 Unlike some security token passing solutions Secure CloudLink provides a unique, federated security standard by ensuring your user’s security credentials are never replicated or passed over the web during authentication into their provisioned applications. Please contact CCServe Ltd if you have any potential queries or interest about Secure Cloud requirements or for Federated Single Sign-on and we can introduce you to the technology. 
Having spent a majority of my career working with and supporting the Corporate CIO Function, I now seek to provide a forum whereby CIOs or IT Directors can learn from the experience of others to address burning Change or Transformation challenges.
Craig Ashmole

Founding Director CCServe