To conclude this in-depth study of Cloud Security, whose principles have already been outlined, we consider two aspects peculiar to a sector that differs from traditional Information Technology and, consequently, in its approach to security.
The vulnerabilities
Lack of awareness of risks and threats to cloud environments is the most critical aspect in terms of security. A survey by the Italian Cybersecurity & Data Protection Observatory paints a mixed picture on the subject, in which two elements are evident:
- the larger increase in attacks compared to traditional systems
- the presence of intrinsic vulnerabilities in applications.
Again according to the survey, there is a low level of control and visibility over the Cloud infrastructure, there are configuration errors in the various platforms, and it is difficult to integrate Cloud systems with the security solutions already adopted by companies and organisations, usually with a customisation-driven logic, in order to be as close as possible to the customer's needs.
A further sore point concerns training: staff are not sufficiently trained to manage the security of Cloud systems, which are governed by different logics and mechanisms than on-premise systems.
Finally, there is the relationship with Cloud service providers. 74% of the panel surveyed stated that the greatest challenge lies in negotiating power with the Cloud service provider, followed by the difficulty in carrying out security assessments and monitoring the provider's security. Other critical issues are attributed to the supplier: lack of visibility into the security practices implemented, and insufficient precision of security measures, which are too often set according to generic standards that do not take into account the specific aspects of the organisation to be protected.
The Specifics of Cloud Security
Cloud models are perpetually connected systems, and, as already mentioned, this represents a profound distinction from classical IT models. Cloud-based infrastructures significantly reduce the costs of system development and maintenance, as they do not oblige users to systematically control them. Cloud-based infrastructures and apps are also modular and quick to operate. While this allows systems to be uniformly adapted to organizational changes, it creates concerns when a company's development needs exceed its ability to keep up with security.
Interfaces are a further peculiarity to be considered. Cloud systems interact with many other systems and services that must be protected. The issue is crucial with regard to access permissions, which must be preserved at all levels (end-user devices, software, network). In network environments, a single device can become the weak link from which malware can unleash its potential. Cloud providers are more exposed to cyber threats from the end-users with whom they interact, which entails additional security responsibilities for them.
The proactivity of users and providers, both in private and corporate environments and with reference to their role in cybersecurity, is therefore essential in the cloud world. Transparency and accountability are indispensable features of a well-configured, secure system, with a specific focus on everyone's awareness of cybersecurity.