Protecting shared computation (cloud security)

Event report

Cloud has moved from buzz to reality. It is used in all sectors of the society and government. It is particularly useful for growing businesses around the world, which can be scaled easily and affordably by outsourcing third party infrastructure and services per demand. Further, the internet of things (IoT) – connected devices like sensors, controllers, and smart objects everywhere around us – rely on connectivity technologies (like 5G, Bluetooth, or wireless) to transfer data, and on the cloud and shared infrastructure to store and process data (including using AI algorithms). 

Yet, this convenience comes at a cost: users are left without control over the security of those third-party infrastructures and protection of data in the outsourced services. Cloud has expanded the ‘perimeter’ of defence for organisations beyond their physical reach. This, along with many instances of incidents and the impact of cloud disruption of downtime on education, health, and other critical systems, led to a diminishing trust in the cloud. 

Perception of threats and insecurity, however, differs around the world, depending on the primary concerns and context of the use of the cloud. Security is observed differently in context of users, manufacturers, underlying technologies and protocols, etc. It is not binary – being fully secure, or fully insecure – but it is very nuanced, and spread across many layers of the cloud and its ecosystem. The first step, therefore, is to better understand the related infrastructure and risks, as well as related responsibilities.

Cloud services have a ‘front end’ (accessible to users) and a ‘back end’ (containing databases and performing data processing), which may be vulnerable or misconfigured. Organisational policies include authentication of who is sending or creating data, who is authorised to receive and process data, who can have access to the network, cloud infrastructure and services, etc. Skills of the involved workforce for mitigating risks is of great importance, as well. Terms of reference for cloud services often exist, but users have no choice but to accept them. All this impacts users’ trust, more so in developing countries where their data is typically stored overseas. 

There are multiple existing international, regional, and national mechanisms and instruments in place to enhance security. EU has the General Data Protection Regulation (GDPR), a strong regulation about data going out of the continent. Africa has the Malabo Convention, yet it still needs few signatures to enable it to come into force – which signals the lack of understanding of its importance. International Telecommunications Union (ITU), the European Telecommunications Standards Institute (ETSI), and the International Standards Organisation (ISO) have relevant standards related to security of the cloud infrastructure, and the flow of and access to data.

However, their implementation depends on the type, size, and resources of the organisation: they are more applicable to developed countries’ entities, while organisations in developing countries are often not able to comply. Similarly, the implementation of the Malabo Convention, even once it comes into force, will not be straightforward. On national levels, developing countries lack data protection laws and capacities of legislators, law enforcement, and data protection authorities. Further, the very core of the internet – the protocols – are not secure, as they were developed without security in mind; this brings risks to secure exchange of data across the cloud. Not least, the threat landscape is very dynamic, with new threats being born every day.

Cloud operators should implement regular security audits and embrace due diligence, best practices, increase cybersecurity measures and authentication protocols, and train their staff. Software and infrastructure architects must know how to transform regulation, policies, and standards into lines of code. In terms of developing new products, security-by-design – including integrity, privacy, and trust – should be embedded in both cloud services and IoT already in the phase of an idea or a concept. For this to happen, there is a need to address this issue, as well as ethics, in the teaching and training curriculum, so that the future workers can embrace it. 

Corporate and national policies, while being built on standards and protocols developed in other geographies and context, should consider the local context in order not to miss important aspects. In addition, users should influence policy making and awareness where possible. Authorities need to go beyond development and adoption of instruments like data protection laws – till their enforcement. 

Finally, users need to better understand the cloud, ownership of infrastructure, their own responsibility, as well as the responsibilities of cloud providers, in order to understand the risks and know how to mitigate them. For this, digital literacy is the key.

By Vladimir Radunovic

The session in keywords