
White Paper

Top 5 Myths About Cloud Security

Coresystems AG
www.coresystems.net
White Paper: Top 5 Myths About Cloud Security

Content
#1: The Cloud is Not as Secure as Onsite IT
#2: All Clouds Are Created Equally
#3: Customers in the Public Cloud Can Attack Each Other
#4: The Cloud Provider Alone Protects Your Data
#5: You Can’t Control Where Data Lives in the Cloud
The Power of the Cloud


Top 5 Myths About Cloud Security


Cloud computing has been around for decades but many people are not aware of this
and assume that it’s a brand new technology. To gain an understanding of how long
it’s been around, think Gmail, which is a cloud-based email service. In more recent
years, the cloud has gained traction in the business community but this was relatively
slow initially due to concerns surrounding its security. With that in mind, let’s have a
look at some of the top myths that surround the cloud and how secure it really is.

#1: The Cloud is Not as Secure as Onsite IT


Security at network level in many offices is simply not good enough and yet
paradoxically, many business leaders believe it to be better than that of the cloud.
For years a layered approach to security has been suggested as the best solution,
which should include antivirus/malware software, link scanners, properly configured
permissions, hardware firewalls, patch management and file/server monitoring.
However, in research carried out last year, NTT Group found that of the three billion
attacks that it studied, many businesses didn’t even have the most basic security
measures – such as antivirus software – in place.
Source: nttcomsecurity.com
NTT points out that despite this, the scale and complexity of attacks are racing ahead
at a blistering pace. In order to address them, businesses have to implement a range
of security measures that can help to stop them. Antivirus software alone is not
enough – NTT claims that only 52% of threats are captured this way – it’s necessary
for applications to be secure and for other, proactive, measures to be put into place.
When it comes to the cloud, its security will depend on the vendor and on the type of
service chosen. For example, Shadow IT describes the use of unapproved software
and hardware on the business network. Cloud services that are designed for basic
consumer use are generally not as secure as those made for business. However, it’s
been found that many people use cloud storage services such as Dropbox to save and
access files from anywhere. This is clearly convenient, but in an office environment,
which perhaps has certain regulatory steps that need to be taken to secure data, it’s
not good enough (unless of course it’s the business version of the software).
Source: techtarget.com
The cloud, rather than being some mysterious nebulous form that floats above our
heads, is made up of powerful server clusters that live in data centers. Users rent
space known as virtual machines (VM) which are isolated from other users, although
server space is shared. These are secured with numerous solutions and often, even
have physical security in place at the data center itself. This is generally far superior
to any security you will find in an office setup, although there will of course be
exceptions.
When choosing a cloud service, you should:
− Ask what security measures are implemented
− Ask if the vendor has an incident response/disaster recovery plan
− Ask if software patches are applied as soon as they become available
− Look into your regulatory responsibilities and ensure that your data remains
compliant in the cloud
This isn’t always possible when you choose a large vendor such as Amazon Web
Services, so make sure that you have a good read through the contract, terms of
service and SLA (Service Level Agreement).


#2: All Clouds Are Created Equally


Possibly due to the way that many people perceive the cloud as being one entity,
there’s a tendency to believe that all of the cloud is the same. For example, as
mentioned above, cloud services developed for consumer use are rarely good enough for
use in the enterprise. The cloud is a catchall term that has been used extensively in
consumer and business circles in the last five years.
A cloud service is only as good as its underlying infrastructure, and infrastructures
vary between the companies that build them, as the security that’s put in place will
only be suitable for the target audience. When choosing a cloud service, you should
first ensure that it’s enterprise-class and that it covers your needs when it comes to
security and compliance. When making your choice, you should ask exactly what the SLA
covers and how the vendor protects your data.
There are three main cloud offerings that you’re likely to deploy:
− SaaS (Software as a Service) – covers email, storage, applications deployed
in the cloud, hosted desktop and more.
− IaaS (Infrastructure as a Service) – a business can choose to have its basic
network infrastructure deployed in the cloud, accessing it through thin
terminals at the office, for example. Or it could choose to have part of the
infrastructure hosted in the cloud and the rest at the office in a hybrid solution.
− PaaS (Platform as a Service) – this is used by software developers to create
and deploy applications in the cloud.
Beyond this, we also have the public cloud and the private cloud. The former
describes a scenario in which the cloud is shared with others, all using resources
alongside you, whilst the latter is typically built or rented by an enterprise for its
own, private, use.

#3: Customers in the Public Cloud Can Attack Each Other


As discussed, a public cloud allows you to share a pool of computing, storage and
network resources with other customers. This has led to a common belief that other
customers can potentially attack your data as they share resources. This is not the
case; the cloud uses something known as hypervisors which are not simple to attack.
There has thus far been evidence of a very small number of attacks made at
hypervisor level but as the virtual machine within the cloud has to be elevated in
terms of the permissions that it’s allowed, it means that in order for an attack to be
carried out, the infrastructure will have been improperly configured in the first
instance.
Source: johncouzins.wordpress.com
In a multitenant environment, the VLAN for a business is generally isolated from
others and whilst it’s also possible for an attack to be carried out at management
level, this can be overcome with effective patch management and the isolation of the
management interface from end users.
Check the SLA thoroughly to ensure that the vendor carries out thorough patch
management. Some multitenant providers also offer options to further mitigate the
risk of attack too, but overall, even the public cloud is pretty secure, as it’s just
not easy to attack.


#4: The Cloud Provider Alone Protects Your Data


Whilst the cloud is inherently secure, many business leaders believe that the use of a
trusted provider absolves them from the responsibility of protecting their own data.
It’s true that researching cloud solutions for business usually involves looking for
industry regulations, certifications, etc.; what isn’t true is that the provider is
responsible for your data.
Whatever IT setup your business uses – onsite, in the public or private cloud or hybrid
– it remains your responsibility to ensure that you meet with regulatory requirements
and safeguard sensitive data. Amazon Web Services (AWS) is the largest public cloud
provider globally, and its terms state: “AWS has secured the underlying infrastructure
and you must secure anything that you put on the infrastructure.”
That means securing your accounts in initial setup and your data by using encryption.
Fully encrypted data can’t be accessed by anyone but those you give the key to – not
even your cloud provider and certainly not any hackers that may gain access to it. You
should of course always set up any accounts for business using complex passwords,
which you can store using a password manager such as LastPass.
Remember, your data is your responsibility alone and as such, it’s up to you to secure it
and ensure that it meets regulatory conditions.
Source: aws.amazon.com

#5: You Can’t Control Where Data Lives in the Cloud


Some industries are required to jump through a lot of regulatory hoops, such as
health care and finance. Across industries, if you take credit cards, then you have to
comply with PCI DSS regulations. This often means that you have to have full control
over your data at all times and many wrongly believe that this isn’t possible in the
cloud. However, by working with a cloud provider that allows you to store your data in
a specific geographic region, you can maintain control and governance.
If this isn’t good enough, businesses can use a private cloud where they have even
more control compared to the public cloud. However, this is a solution for highly
regulated industries as it is possible to achieve PCI DSS compliance in the public
cloud. Another solution is to use a hybrid setup where data subject to compliance is
stored onsite and non-compliant workloads are stored in the public cloud. This allows
you the flexibility and scalability of the cloud, whilst remaining in full control of
your data at all times.
Source: techtarget.com


The Power of the Cloud


The cloud is powerful and flexible and provides countless benefits to business. Not
only does its use reduce the need for capital expenditure on IT hardware and
applications, it’s also inherently secure, depending of course on your provider. Where
once a business would have to build and maintain its own network infrastructure and
software licenses, now it’s possible to rent it all in the cloud on a monthly basis.
It’s easy to scale up and down so a business only ever has to pay for what it’s
actually using and it offers more powerful capabilities that are usually out of reach
for SMBs. The cloud has helped to level the playing field when it comes to the
technology that smaller businesses can access. It has also enabled a better support
model within the IT industry as security can be deployed in the cloud and systems
monitored more effectively.
Security in the cloud has been a concern since its inception but for the most part,
researching providers that match your requirements will do away with any concerns
you might have. Onsite security is often lacking in businesses of all sizes whilst
attacks are becoming increasingly complex. The incidences of DDoS attacks have
increased in the past few years and it’s now simple for unskilled attackers to hire a
botnet for as little as $200 per day. This means that businesses have an increased
need to ensure that systems and data are protected and so it’s not hugely surprising
that the cloud worries IT professionals. However, for the most part it’s an
unnecessary concern as cybercriminals tend to attack weak targets. For this reason,
it’s usual to see businesses coming under attack due to inadequate security on the
network such as a lack of AV software and outdated applications.
Source: sitepoint.com
When choosing a cloud provider, you should study the terms and the SLA to ensure
that the provider is doing all that they can to protect systems and your data. As
discussed, it’s not simple to attack even the public cloud from within, so don’t be
discouraged by scaremongering.
The cloud can make for an agile, flexible and profitable business if it’s set up and
used correctly. Shared workspaces allow for better collaboration, which in turn boosts
productivity and profits.
Cloud providers are of course aware of the concerns surrounding security and for this
reason, it’s often a part of their core business to ensure that security is baked into
each and every process.

About Coresystems
Coresystems is a leading provider of mobile and cloud-based field service and
workforce management software for mid-sized and large enterprises’ field service
organizations. Since Coresystems’ founding in 2006, more than 190,000 users
across the world have utilized Coresystems’ innovative, real-time field service
management software to improve their business and field service processes.
Coresystems has also pioneered “crowd service” – which allows customers to leverage
an Uber-like platform to find available field service technicians in real-time.
Coresystems is headquartered in Switzerland with international offices in San
Francisco, Miami, Berlin, Freiburg, Shanghai, São Paulo and London.

Coresystems
CH: +41 56 500 22 44
DE: +49 761 887 95 777
USA: +1 (415) 887-1944
www.coresystems.net
