What’s Next for Cloud Security
If you care about computer security, you take steps to secure systems under your direct control. Typically, this means you adjust settings to require multi-factor authentication, encrypt data stored on your device, and remove or disable software you don’t need. For internet-connected systems, you configure networks to restrict connections and data routed to undesired destinations, such as advertisers, trackers, and other sources. And, of course, you apply security updates regularly.
Cloud security, though, is about how to secure data on systems outside of your direct administrative control. With cloud systems, you can only adjust settings the cloud service provider allows. Otherwise, you’ll need to rely on publicly available code, vendor-disclosed information, and third-party reviews of the provider’s systems. (For many organizations, cloud security concerns can be reduced to a simple comparison: Who has the larger and more knowledgeable team of computer security professionals, your organization or the cloud provider?)
But the state-of-the-art in cloud security design and practices continues to evolve. Here’s a short summary of a few current and future security approaches and structures.
Current Security Practices
Major cloud vendors offer systems that require authentication and implement encryption.
Enterprise authentication that relies on a combination of a password and a security key seems to have the most widespread success and adoption to date. This configuration means that an administrator may require three things for access: an account name (e.g., an email address), a password (typically with character length and complexity requirements), and a hardware token (e.g., a security key, such as a Yubikey). Google’s BeyondCorp framework extends authentication a step further and requires additional device and/or network authentication. Similarly, many companies seek to implement various aspects of a Zero Trust architecture.
Additionally, security-focused cloud providers also ensure appropriate encryption. That means, at a minimum, the vendor seeks to secure data both while in transit (conveyed over the internet) and at rest (stored on the provider’s systems).
Near-term Security Trends
With many cloud security systems, the vendor retains access to encryption keys, which makes data search practical and account recovery possible. The latter situation is a common concern, especially for enterprise computing: If the customer is the only holder of encryption keys, then if the keys are forgotten or lost, there’s no practical way to recover encrypted account data. The bigger challenge, though, is that operations on encrypted data, such as search or collaboration, remain technically difficult. However, when both the customer and vendor have access to encryption keys, the potential remains that customer administrators, vendor employees, or untrusted third-parties (e.g., government agencies) might access data.
For more secure configurations, you might use cloud systems without the need to share encryption key access. Some vendors allow this today for services such as file storage (See “How to Choose Cloud Storage for your Company” for details.) More broadly, though, cloud vendors are in the early stages of offering the ability to access and run computing tasks securely. At the moment, many of these capabilities are available only for very specific types of tasks. Several organizations participate in the Confidential Computing consortium with the goal of allowing data to be secured while in use.
Long-term Security Potential
Customer data stored on a company’s systems, such as financial data, health records, and private communications, turns a cloud vendor into a significant target for criminals. Decentralized systems may eventually deliver an alternative to the cloud data stores we have today, where a few large vendors dominate the market.
Tim Berners-Lee, the creator of the world wide web, for example, has been working to develop systems that give people control over their data. His project, Solid, and his startup company, Inrupt, are building tools and systems that let an individual manage and control who may access personal data. That’s security that shifts control from companies to people.
Alternatively, other startups, such as Internxt, work to build open source, decentralized solutions that rely on distributed networks and data stores. In this architecture, encrypted data is redundantly stored on a wide range of internet-connected systems, not all controlled by a single company. This sort of solution shifts security from centralized companies to trust in algorithms and encryption (or, succinctly, math).
For organizations, cloud security in the future will no doubt rely on a blend of all of the above components. A prudent CIO will want to make sure their current cloud vendors comply with present practice, while at the same time monitoring developments in confidential computing and decentralized systems.