Public and private clouds compared for risks and costs | Kaspersky official blog
Credit to Author: Stan Kaminsky| Date: Wed, 24 May 2023 10:20:44 +0000
The benefits to be had from cloud technologies are promoted to any and every business these days — from bakeries to banks. Meanwhile, computer clouds have progressed through several evolution steps already, and the generic term cloud now describes a number of essentially different approaches. Therefore, it makes sense to figure out specifically which cloud technology your company needs, what the cost should be, and what security measures need to be in place.
In the general sense, cloud technologies imply the use of certain computer resources (data storage capacity, computing power, or a specific app) distributed from a remote server via the internet. You’re using cloud solutions when editing a document in Google Docs, launching a site on a virtual hosting platform, or sending an e-mail through Microsoft 365. Clouds have the following main advantages:
- Speedy launch of apps and services: you can begin using cloud services almost instantly without procuring any servers or installing any apps.
- Financial flexibility: you pay only for the services you use, without any capital investment whatsoever.
- Easy scalability: you can increase server capacity in a matter of minutes, or roll it back to the previous performance and price levels just as easily when no longer needed.
Cloud types: private, public, and hybrid
The public cloud concept implies that the computing capacities are owned by a commercial provider, which sells them piecemeal to anyone who wants them. If the company wants to have high-performance computing resources and bulletproof availability, or follows strict data-processing environment requirements, it may procure the necessary infrastructure for its sole use. This is called a private cloud. Servers can reside within the organization’s perimeter (on premises) for greater security, or be leased from a commercial data processing center (hosted private cloud). Hybrid clouds combine the two approaches, keeping data and services either in the public or private part of the cloud depending on their importance.
SaaS, IaaS, and assorted other aaS
All abbreviations ending in aaS denote things provided as a service. The most popular one, SaaS, stands for software as a service. All the popular application services — including Microsoft 365, Dropbox, Slack, Zoom, and Salesforce — are SaaS. The user pays for a particular solution without paying any attention to what servers and apps are behind it or where it resides. DBaaS, PaaS and FaaS, which are commonly used in software development, work the same way: these services, via the cloud, provide databases, platforms, and functions for new apps, respectively. But those are beyond the scope of this blogpost.
At the other end of the complexity scale, there’s IaaS — infrastructure as a service. In this case, the cloud provider supplies virtual servers or containers in which clients run server applications by themselves. Clients can change server count and capacity in just a few clicks, but they also need to employ their own configuration and maintenance professionals to make the whole thing work.
For those preferring to have their own servers, but unwilling to build a data processing center, there’s DCaaS — data center as a service. The provider supplies the spaces, cooling and the rest of the engineering infrastructure, but the physical computers belong to the client organization.
SaaS services always operate in a public cloud, whereas IaaS may be public, private, or hybrid.
Cloud solution costs
Although many cloud deployments require very limited initial investments, one should pay close attention to calculating the total cost of ownership (TCO) and its growth as the workload increases. Costs to consider include the cloud provider’s services, equipment for on-premises solutions, salaries of IT administrators and developers, and licenses for related apps and services. Public clouds usually provide an inexpensive and quick way to deploy small solutions, but private or hybrid clouds will be increasingly attractive as grow in size as a company.
Cloud solution risks
Cloud providers tend to advertise security as one their key advantages, but security is far from being an inherent property of the cloud. Moreover, cloud solutions bring new types of risks.
The main risk: lack of both awareness and vigilance. Users — even IT administrators for that matter — believe that their cloud system is “automatically” protected, with everything taken care of by the cloud provider; therefore, they hardly even consider security. But in reality the cloud provider is unable to solve some issues, so these need to be addressed by the client organization. Here is a list of main cloud service risks:
- Every SaaS/IaaS solution features dozens — sometimes even hundreds or thousands — of adjustable settings, making it easy for the administrator to make mistakes, for example, by leaving an important database exposed to the internet, or by failing to block access to privileged functions. Cloud solutions from different providers have different — and not wholly compatible — configuration settings, so even competent administrators may find it hard to ensure the integrity of security policies. The misconfiguration problem has been accountable for most of the high-profile data leaks in recent years. This problem is relevant for SaaS; acutely so for IaaS/DCaaS.
- Leakage of account details. Gaining access to information in a cloud is easy — but this advantage turns into a disadvantage as soon as your employee’s password ends up in the hands of threat actors. They can get hold of account data using phishing, or by bruteforcing a weak password, or by using a data leak from a third-party service and giving the leaked passwords a try with the users’ corporate accounts. This problem is relevant for all cloud types.
- Legal issues. In cloud environments, it’s more difficult to comply with legal data storage requirements; for example, not to send clients’ personal data abroad or to have particular safety measures in place at data centers. In some cases, it’s not clear at all in which country the data is stored.
- Insufficient monitoring. Organizations often find that the cybersecurity, access control, and data-leak prevention tools they use across their office networks don’t work in cloud environments. As a result, cloud systems’ events (including logging in and downloading large volumes of data) may go unnoticed for weeks or even months. And the problem is relevant for all cloud types.
- Accidental data leaks. Careless use of the “share” function can make internal information accessible to outsiders.
- Vulnerabilities. Server apps are often found to contain vulnerabilities, and attackers find it convenient to exploit them in cloud environments. Firstly, cloud solutions can be accessed via the internet, and secondly, they’re often all configured in the same way — making it easy to replicate a successful attack against new victims. In SaaS, all vulnerabilities must be patched by the provider, with few or no options left for the user. In IaaS, the client’s IT service deals with most of the issues, and they must be really quick about it.
The correct cloud strategy
Choice of the most appropriate strategy varies greatly depending on your organization’s size, IT maturity, and objectives. The strategy must take into account whether the IT system was created from scratch or migrated from a cloudless system, what scale of operations needs to be ensured from day one, how to accommodate the regulators’ requirements, and so on. Don’t forget to plan out your security measures early on in the project and to use specialized security systems for cloud environments.
Here’s a brief summary table to help you estimate the costs, complexity and risks:
|IT/information security support costs||+||+++||++++|
|Costs in case of a major surge in volumes/usage||+++++||+++||++|
|Support complexity for IT specialists||+||+++||++++|
|Support complexity for information security specialists||++||++++||+++|
|Information security risk level||++||+++||+++|
|Information security incident investigation and correction complexity||++++||+++||++|