Blog · 26 Apr 2018

Vetting the cyber risks with cloud

Cloud can seem like the Holy Grail to businesses. It’s cheap, simple and fast. But what about the security implications?

Bas de Graaf
Head of ethical hacking services

A trip to the vet

The idea for this blog stemmed from the last place I’d be expecting to think about cyber security — a recent visit I made to the vet.

At this vet, the medicine I needed for my pet was in an open cabinet. But this cabinet held not only the medicine for my pet, but also the medication for other animals at the practice. And here’s the worrying part — each package in that cabinet had the personal details of the pets’ owners. Right there for anyone to take.  

This alone was quite unnerving. It would be easy for a criminal to steal those personal details and use them for whatever nefarious purpose. If this were digital data, the vet would surely have been more careful about how it was stored, especially with GDPR on the way. Or would they? How did this vet deal with people’s personal data?

I asked, and discovered that the practice was relatively new and had, understandably, decided to use a cloud solution to hold customer data. But I wondered if this solution was secure. When I got home, I searched the internet for vet-specific cloud solutions — and discovered that not one of them had a serious security accreditation or even described how they deal with personal data. So, how did this vet come to choose its cloud service provider (CSP)?

To answer that question, we need to first look at businesses’ relationships with cloud investment today.

Considering data security right from the beginning

Today, buying a cloud solution is as simple as popping your card details into Amazon, and off you go. It won’t cost you a fortune and it’ll offer you a speedy network. You activate it and, on the same day, you can work with it. Easy, right?

Sure, it’s easy, and there are plenty of benefits. But that’s not the whole picture. There are many data security considerations you need to bear in mind. Take the vet, for example: they need to secure their data wherever it is, be that on the label of a bottle, or in the cloud.

When it comes to finding a cloud solution that’s secure as well as fast, easy and cost-effective, it’s a bit like searching for the Holy Grail.

But, unlike the Monty Python movie, this Holy Grail can be found. Let’s take a look at how.

Potential security pitfalls in the cloud

Here at BT, we have an ISO 27001 accreditation, which proves our security processes are tried and tested. But none of the cloud service providers serving veterinary practices that I looked at had any such accreditation.

That’s the thing with many cloud service providers — it’s easy for them to set up a service and offer great benefits. But it’s all too easy for many to forget security.

In fact, the Cloud Security Alliance put together a list of what it sees as the top security threats to cloud computing. These range from data breaches and malicious insiders through to account hijacking and denial of service attacks.

At our vet practice, for example, the risk of a data breach could mean the addresses, bank accounts and contact details of pet owners are leaked onto the internet. An attacker might bring down the complete environment or even be able to modify the medical records. And when you’re dealing with valuable animals such as racehorses, there’s an attraction for cyber criminals.

A vet must also make sure it has the right administrative set-up in place. This is important for the health of the animals, and for legal and regulatory reasons. Being unable to show accurate records for the vaccinations of cattle, for example, may result in considerable fines from the authorities for both the vet and the cattle farm. And not knowing which animals have been vaccinated and when might result in unsafe conditions, with consequences for human health as well.

Altogether, the cloud service provider used by our veterinary practice must ensure the confidentiality and integrity of the data at all times. Choosing the wrong CSP and experiencing a security breach could cost it the trust of its customers. As the data also contains my personal data, you can imagine I’m interested in which solution our vet has chosen and how the cloud service provider guarantees data security.

You can see that there’s an extensive list of risks at play. It should make you think twice before you entrust your data to a supplier or jump blindly into any cloud investment. Any of the above could have a serious impact on your business and reputation.

Then there’s the issue of the incoming General Data Protection Regulation (GDPR). If you’re storing customers’ personal data in the cloud, is the way you do that going to meet the stringent security requirements of GDPR or other relevant data protection legislation? If not, you could face a hefty fine.

Does all this mean you should avoid cloud altogether? Obviously not. The benefits are all there. The question is simply: how can you leverage everything the cloud has to offer while sidestepping these security issues? Although the answer is not so simple…

Questions you need to ask

The key to finding this Holy Grail — all the benefits of cloud, without the risk — is asking the right questions. If the cloud providers you are looking at don’t have the relevant security accreditations, then you need to ascertain how secure they are, and if they’re compliant with the requirements of GDPR.

Here are my suggestions for what you could ask any prospective cloud service provider:

  • What are your security procedures?
  • Do you have any certifications?
  • Do you have a security team?
  • Who else do you work with?
  • Have you been penetration tested recently and what was the scope?
  • Can you share the penetration testing report?
  • Where do you store personal data and how is access to it managed?
  • How will you isolate my data from that of other customers?
  • How do you support data portability should I decide to go to a different provider?
  • Can I delete my data permanently from the cloud if I need to? What happens with backups?
  • Are the security measures in my contract in line with the GDPR? What evidence do you have about the implemented cloud security measures?
  • What procedures do you have in place to inform me of a security incident as soon as possible?
  • How can I best get in contact with you if it’s urgent?

If a provider can’t help you with any of these questions, it might be prudent to move on and ask another.

On the other hand, if a cloud provider can prove to you that they fulfil your security standards, then you’ll be one step closer to reaching that ever elusive Holy Grail.

And remember, there’s also the option of working with us here at BT. Our managed Cloud Security service can help you ensure security in the cloud.