How a Cloud Service Without Role-Based Access Controls is Asking For Trouble

Cloud computing started out as a trend, but it’s become a staple in the modern business environment. A recent poll of IT and business executives by Harvard Business Review and Verizon shows that 84 percent of respondents have increased their use of cloud services in the past year, 39 percent of which “increased significantly.” The issue that comes from such an increase is the idea of employees accessing information that they aren’t supposed to.

This particular type of security problem is called role-based access control, which is an increasing cause for concern in the cloud environment. Despite role-based access control being a prevalent part of network security, perhaps due to the cloud’s ease of use, user permissions are a problem that often get overlooked in cloud computing.

User permissions are an ordinary part of any traditional in-house IT infrastructure. They’re ordinarily handled by your in-house IT staff or a trusted IT professional. One of the main advantages of an in-house network is that your technicians will generally understand each employee’s role within the organization, especially if the business is small or medium-sized. The issue at hand is the fact that your cloud service provider will be responsible for the security oversight of your cloud network, and it’s more likely than not that they will be unfamiliar with your organization’s personnel infrastructure.

For the record, we aren’t suggesting that outsourced network security is bad. In fact, we highly recommend it; we’re just trying to raise awareness of the fact that cloud computing isn’t a service that can be implemented without security in mind. For example, you’ll want to make sure that your chosen cloud solution provides the level of control that you need, along with security that can be implemented on different levels according to each user’s role within the organization. Doing so will likely require a dedicated administrator within the company, or ensuring that you retain proper relations with the cloud provider so they can cater to your specific role-based control needs.

NetworkComputing explains:

When you have employees with different roles in your company, access control is a key feature that can help ensure basic cloud administrative security. You’ll need to exercise caution to prevent credentials from being compromised, and to ensure menial errors don’t spoil your day. Implementing robust and powerful access control is important to protect company resources.

Furthermore, you’ll want to make sure that any information that’s required for a user’s role will available to them, and only them. For example, in-house IT workers have access to more information than the average worker, much of which is sensitive in nature. Despite this, according to a recent study by Intermedia and Precision Sample, IT workers are 10 percent more likely than non-IT staff to give away their login credentials for superfluous reasons.

The idea behind limiting access to data on a per-user basis is to limit the data’s exposure to potential threats. Much of the time, however, you want to have secondary layers of protection up and running in order to maximize the security of your business. For example, two-factor authentication uses an SMS message or a phone call to deliver a secondary credential for use when accessing an account. These types of precautions can aid in role-based access to information, making it much more difficult for other users to access critical information.

Cloud computing is such a powerful and efficient practice that it’s no surprise it’s grown so rapidly over the past few years. The best way to approach cloud security is by understanding the services you’re taking advantage of, and relying on a trustworthy cloud service provider. GTSS can assist your business with all of its cloud computing needs, including the maintenance, upkeep, and management of your cloud data.

For more information about how we can help your business with cloud computing, contact GTSS at (803) 298-3008.