What exactly is the cloud and how does it work?

 More and more of our daily lives takes place online, from banking and schooling to working and family gatherings, even more so amid the coronavirus pandemic. The cloud is the invisible computing architecture that keeps many of these digital platforms and tools running smoothly. Really, being in the cloud just means storing data on “someone else’s computer.” A few major tech companies run massive global networks of data centers, linked with ocean-spanning fiber-optic cables and complex systems of integrated hardware and software. So there is no single cloud per se. Rather, companies like Amazon, Microsoft, and Google each run their own systems, almost like parallel internets. The risks of a company’s whole cloud system going down at once are miniscule, though isolated outages of particular cloud services do happen.

How is this rapid shift to the cloud reshaping cybersecurity?

Many internet users are seeing firsthand how disruptive it can be when the online tools they are relying on unexpectedly go offline or experience other bugs. For instance, when the videoconferencing software Zoom went offline for several hours one day in late August 2020, virtual classes around the United States were disrupted.

Tim Maurer
Dr. Tim Maurer is director of the Cyber Policy Initiative and a senior fellow at the Carnegie Endowment for International Peace.
More >

Taking a step back, the pandemic has accelerated a decade-long transformation that was already under way. Many companies, governments, and ordinary people alike are switching from onsite information technology (IT) infrastructure to cloud computing, which provides data storage and processing services remotely. The good news is that many cloud companies have hired seasoned professional security teams with highly technical skills to protect the cloud infrastructure.

The bad news is that, as more and more people use and depend on the cloud, the risks and consequences of a systemic failure increase. Each of the major cloud providers have set up their systems to be as resilient as possible to any single-point failure—that’s why the risk of the whole cloud going down at once is exceedingly small. But that doesn’t mean that it is immune to threats—there are many ways that cloud services could be compromised or disrupted.

What are the advantages and drawbacks of having only a few major players protecting the majority of online data?

A few massive companies dominate the cloud computing market. These large cloud companies have the deep pockets and highly trained personnel needed to design and manage systems that are extremely secure and highly resilient to various risks of failure. That is why, as a rule, it is far more secure for most companies, organizations, and people to store their online data in the cloud rather than try to protect it themselves.

But there’s a catch. Hackers and other nefarious criminals know that if they compromise a cloud provider, they can essentially scoop up the valuable data of many targets at once. This risk is called the Fort Knox dilemma: the data stores of cloud companies are highly protected but also highly prized targets. There’s a reason the Ocean’s Eleven cast targeted a casino instead of a convenience store.

Garrett Hinck
Garrett Hinck was a research assistant with the Nuclear Policy Program at the Carnegie Endowment for International Peace.

And that isn’t the only issue. The potential for threats against the cloud to create systemic risk are becoming increasingly apparent. A major cyber incident could have industry-wide or even economy-spanning effects, impacting financial services or triggering a temporary outage that prevents cloud clients from processing critical data like health insurance records.

Thankfully, the chances of an incident shutting down an entire cloud provider are exceedingly low: they make their systems as resilient as possible to keep that from happening. However, if one critical cloud-based dataset or process (like an algorithm for adjusting insurance claims, for example) failed, there could be significant consequences. That’s why it’s so important to understand the potential consequences of threats to cloud customers’ data as thoroughly as possible. As more and more critical data, like financial transactions and health records, are stored in the cloud, the consequences of major breaches will only increase.

High-profile data breaches and leaks involving hackers have become all too common. How big of a threat do they pose to cloud-based data?

The cloud is not invulnerable to hackers. While cloud providers can create secure environments, some vulnerabilities remain, and the security of the environment still also depends on their clients to store data securely. Cloud companies and the customers they serve both have important roles to play to keep data safe, and they divide up the responsibilities for data security accordingly. To use an analogy, it is not enough for a cloud provider to design a highly secure virtual safe: customers also have to be sure to set a good combination and keep that information from prying eyes.

In July 2019, for instance, a hacker broke into the cloud-based databases that stored personal information of Capital One credit card applicants and later attempted to sell the stolen information online. Personal information sold on the dark web can then be used by criminals for identity theft and other forms of fraud. This incident illustrates the damage that can ensue when security measures are breached.

Aside from hackers, what other cybersecurity and data security threats are people more prone to overlook? How severe and how common are these other risks?

Hackers aren’t the only risk facing the cloud or even the most common one. Cloud services can be disrupted by many unforeseen events including lightning strikes or flooding at data centers or even human error. In one notable incident, a typo by an Amazon engineer took the company’s cloud storage service offline for many U.S.-based customers for four hours. These risks can have significant ripple effects because cloud services are complex and often rely on convoluted, interdependent internal systems. A failure can have outsize and unpredictable effects.

Additionally, vulnerabilities wired into the hardware and coded into the software that run the cloud can have broad impacts. The Meltdown and Spectre vulnerabilities, which affected the chips used in cloud servers, could have allowed attackers to spy on other cloud customers’ data. Cloud companies made herculean efforts to address these vulnerabilities and build a fix before the bugs became public in early 2018, underscoring their potential impact.

What can cybersecurity experts and consumers do to maximize the advantages of the cloud and minimize its downsides?

As organizations migrate to the cloud, responsibility for security becomes shared between cloud service providers and the organizations they serve. Having a clear understanding of who is responsible for what, especially where aspects of that responsibility are shared, is critical for pulling off a migration that leads to greater security, not less. Cloud service providers already assist their customers with facilitating this transition, and as they expand their business in the United States and abroad, it will be important that this assistance is scaled accordingly and provided equitably.

It is also clear that some reams of data are more important than others. The Health Insurance Portability and Accountability Act in the United States, for example, specifically protects medical data. Financial regulators focus on data and processes critical for the functioning of the financial system. It will become more important going forward for experts to open up the black box of cloud service providers and assess and protect risk based on how critical a particular set of data and associated services are. Finally, the tech industry remains a nascent sector. Unlike other sectors like aviation or finance, mechanisms to cooperate remain very limited among the main cloud service providers and competition even trumps shared security concerns.