World's Largest Data Leak Shows Private Cloud Isn't Always Best


Many people assume that dedicated private clouds are more secure than virtual private clouds hosted on public clouds. All else being equal, that should be correct, as dedicated clouds are protected against the largely theoretical risk of co-tenants breaking through the logical partitioning that keeps tenants apart on multi-tenanted hosting platforms.

However, there is often a dangerous assumption underpinning the 'dedicated = more secure' viewpoint - that dedicated private clouds are patched as often as virtual private clouds.

In the real world, dedicated clouds often become outdated, as their tenants are usually focused on functionality - and are often happy to avoid the potential disruption and expense of software and hardware upgrades. Cloud providers tend not to argue with their clients' wishes.

We saw the result of this in China, where over a billion citizens' records were leaked from a Shanghai police database via a dashboard hosted on the cloud, allegedly because the dashboard was running software several years out of date.

Dedicated Private Cloud Isn't Right For Most Organisations

Although we offer dedicated cloud hosting, we don't expect most customers to select dedicated hosting in the end. Virtual private clouds make more sense for the vast majority of organisations.

Building an enterprise-grade dedicated cloud that's scalable is expensive! We know that because we've built quite a few of them. If you want your hosting to be resilient, you'll need at least two servers and at least two data centres. That means costs more than double: in addition to buying two of everything, you'll need to link the sites together via multiple high-capacity, low-latency connections.

It's no wonder most firms choose Virtual Private Clouds in the end. They benefit from such infrastructure without having to pay for the whole infrastructure by themselves.

The truth is you're not MI5, BAE Systems, OpenAI or AstraZeneca, guarding valuable secrets of strategic importance. Nation states are unlikely to take advantage of multi-tenanted cloud platforms to actively target your organisation's data.

A virtual private cloud is probably good enough for your needs, especially if your monthly hosting budget is three or four figures rather than five or more.

Patching Clouds Matters

Just because something is hosted on a cloud doesn't mean it's secure. Guest OSes and common attack targets still need to be patched, especially if they are accessible via the public Internet.

So check if guest OS patching can be included as part of your cloud hosting service.

If you're using database software, check whether your hosting provider is willing to patch it or whether that will remain your responsibility.

The Biggest Clouds Have Security Problems Too

It's tempting to think that if you go for a big-name cloud provider, you won't need to worry about security. That may be where Shanghai's Police went wrong. They may have assumed that their big-name cloud provider would take care of such matters.

Unfortunately, life isn't that simple. Even the biggest cloud providers routinely have security issues.

Luckily, you've been somewhat protected by security through obscurity: your systems are insecure, but no one has noticed.

Unfortunately, that's starting to work less well, as public IP address ranges are now routinely scanned, looking for exploitable hosts.

When you're working on websites that aren't linked to externally, bear in mind that the URLs of your site can become public, even if you tell no one outside your organisation about them. Your sites likely have SSL certificates, sometimes issued automatically. It's not well known, but certificate issuance is publicly logged and searchable, so every hostname on a non-wildcard certificate is effectively published.

If your internal tools, development sites, testing sites or customer portals are accessible via the public Internet, you should assume they are being scanned for vulnerabilities, and that lists of vulnerable systems are for sale on the dark web.

That's not to say those vulnerabilities will be attacked. They may not be. But that's more down to good luck than good security practices.

If you'd like to be a bit more systematic, our managed cloud hosting can help you keep your UK cloud-hosted VMs patched.

Going Dark

It's worth considering whether internal apps, development sites and testing sites hosted in the cloud should be accessible via the public Internet at all. You would be far better off restricting access so they're only reachable from your business VPN's IP addresses or your wide area network's IP addresses. That creates an extra layer of protection between your vulnerable systems and potential attackers.

This has two major benefits: it reduces the likelihood of your vulnerable hosts ending up on a list of vulnerable hosts ready to be attacked by others, and it buys you a bit more time to patch your systems. Which is useful!

People often don't realise that it's possible to get your own dedicated connection to public clouds such as AWS, Azure and Google Cloud Platform. These offer high-throughput, relatively low-latency connections and make it possible to lock down access to cloud resources so they're no longer reachable over the public Internet.

Your WAN and VPN users can continue to access your cloud-hosted resources as normal, oblivious to the fact they are getting special treatment not available to general Internet users trying to connect to the same sites.

You can take this idea of hiding resources from those who don't need to know they exist further by deploying Zero Trust Network Access. ZTNA helps protect your cloud-hosted systems and everything else on your network from internal threats as well as external ones.

It's easy to assume that ransomware attacks and hacking will happen to others. While your organisation might not merit an organisation-specific attack, that doesn't mean you're not a target.

By choosing cloud hosting with managed OS patching, clarifying who is responsible for patching other systems and restricting who can access your cloud, you can cut your risk of being the next victim.
