Cloud Providers: You Trust Them and Everyone Who Has Ever Been With Them

When you use cloud providers you are at the mercy of the provider. Yes, there are contractual agreements and clauses that are ‘required’ (how do you verify the requirement is actually being met?), but all equipment is reused. Cloud service providers are such an appetizing option because they can bring computing power at scale, which is possible because so many organizations can be put on the same sets of physical hardware or be placed on physical hardware that has been refreshed after a previous organization has stopped needing it. This means that an organization that uses a cloud service provider isn’t just trusting the cloud service provider; the organization is trusting all employees who formerly worked, currently work, or eventually will work for the provider, in addition to all organizations that have had access, currently have access, or will have access to the hardware spaces the organization utilizes.

Yes, some spaces use encryption; however, if a previous hardware tenant were able to install a form of malware, the former tenant could steal the encryption keys. Furthermore, it is rare to find a cloud service provider that does not store the encryption keys within the same tenant that uses the encryption. This means that, despite cloud service providers’ vehement denials, the provider does have access to the encryption keys for the data stored on its servers; the keys might just take a bit to retrieve.

So, what can be done? Well, as mentioned above, contracts. Ensure you use good vendor management with stringent security requirements that include clear punitive repercussions for noncompliance and the ability to verify the requirements are being met all the time (not just once per year during ‘audit season’). If you can’t prove your service provider is doing the right thing, they aren’t doing the right thing, and any of your data that leaks or is stolen, ransomed, damaged, or tampered with is your failing.

Your data can be outsourced; your reputation can’t, so protect your data no matter where it goes, because your data is your reputation.