What is ‘the Cloud’? And How Secure is It?

A notable 34 percent of the respondents to Motorola Solutions' recent 2014 Public Safety Industry Study have moved or are considering moving data applications to a cloud-based solution over the next three years. This is a trend occurring across many industries. At the same time, current news headlines have caused discussion and doubt about the security of cloud services. So, what is ‘the cloud’, really? Is it secure or insecure? How can we properly leverage cloud services in a public safety environment?

The term “cloud” comes from the standard symbol that network engineers have used to represent the internet for decades. On diagrams of organizations’ network devices and cabling, it’s an abstract concept which represents everything outside of the engineer’s control and sight. This abstractness has translated into the way we talk about cloud services today – we refer to ‘the cloud’ in a broad sense as some conceptual place we outsource our data for storage or processing. We might perceive internet-based services differently today if the standard symbol had been a menacing dragon, or perhaps most accurately, a question mark.

So what is “the cloud”, really? The first and most crucial thing to understand is that cloud services aren’t abstract at all. The cloud is essentially a term for other organizations’ computer systems. Every bit of data we send to a cloud service provider is ultimately stored in some form on real hard drives, traverses real network cabling, and is processed by real software. Cloud providers use similar technologies to those we use within our own organizations. However, they do so at an exponentially larger scale, allowing them to offer services to many organizations simultaneously and at significant bulk cost savings.

When we think about the cloud this way, our perspective should change. “The cloud” isn’t inherently more or less secure than any other digital system. These services are tools of varying quality which we can use to cost-effectively centralize our data storage, applications or processing. They provide us access to centrally-hosted hardware and software that may be more cost- and time-effective than in-house solutions.

This centralization does provide an opportunity for improved security. Our data can be stored in a single defensible location, with uniform security controls. Since many organizations’ networks have grown too large and too piecemeal for limited IT staff to monitor accurately, a homogenous environment can make security monitoring and management more effective, less costly, and easier to handle. In an era of budget cutbacks, this can be a big help in getting our networks under control.

However, cloud services come with an equal amount of security risk if they’re not used properly. We must keep in mind that cloud services still reside on real computer systems.

1. First, we need to be fully aware of what data we are sending to the cloud provider. Are we certain we want to send all of our data outside our network?
2. Secondly, we have to evaluate the level of physical and logical data security the cloud provider offers. What security controls do they have in place? Who has access to our data? How often do they perform certified security audits and scans, and can we see the results? Are they properly insured? What are their retention and destruction policies? Since cloud providers may spread data over many systems, in certain cases we may also be concerned with which countries our data is physically stored in.
3. Next, we need to properly monitor the security of our data. If we rely on the cloud provider’s security monitoring, we need to understand what it involves and how soon we will be notified of an attack or data breach. Preferably, we should be receiving meaningful security and access logs for our own review.
4. Lastly, we must ensure that our data is secure as it is transmitted to and from the cloud provider. We’re transferring our sensitive data to the cloud provider, and it may be at its most vulnerable as it is transmitted between our networks. We must ensure it is properly encrypted and controlled in transit as well as at both endpoints.

Cloud-based services can provide cost savings, centralization, and easier management and monitoring of data and applications for public safety organizations. They can also provide a standardized and defensible security platform for our data and applications. Despite this, we must carefully evaluate these services as what they actually are: off-premise computer systems which are only as secure as they are designed, implemented, and monitored to be. By understanding this and asking the right questions, we can make educated decisions about how we can best leverage cloud service providers.

See my other security awareness blogs on Motorola Solutions Fresh Ideas on Public Safety https://communities.motorolasolutions.com/people/LCarhart/content