Cloud computing is transforming businesses across the globe at an unprecedented pace, creating a fundamental shift in the way they think and operate. Cloud migration adds several benefits, but without business-level security policies and processes, it can also give rise to security vulnerabilities that can erase all gains attained by the switch to cloud technology. After looking at the promise and risks associated with cloud computing, we took the effort to expand our understanding of 12 critical cloud security concerns. They are:
- Data Breaches
- Weak Identity, Credential, and Access Management
- Insecure APIs
- System and Application Vulnerabilities
- Account Hijacking
- Malicious Insiders
- Advanced Persistent Threats (APTs)
- Data Loss
- Insufficient Due Diligence
- Abuse and Nefarious Use of Cloud Services
- Denial of Service
- Shared Technology Vulnerabilities
1. Data breaches
Data breach is an incident in which an unauthorized individual gains access to sensitive, protected, or confidential information, including personal health information, financial information, personally identifiable information (PII), trade secrets, and intellectual property. It can occur because of a targeted attack or the result of human error, vulnerabilities, or inadequate security practices. Although all data breaches are problematic, the sensitivity of the data usually determines the extent of the damage.
In many parts of the world, laws and regulations oblige organizations to exercise specific security standards to ensure the protection of sensitive information against unauthorized use. When a data breach occurs, companies may incur hefty fines and may also be subject to civil lawsuits and, in some cases, criminal charges. A company also accrues costs related to investigating a breach and notifying affected customers. Indirect impacts include damage to a brand’s reputation and loss of business, which are much harder to calculate.
2. Insufficient Identity, Credential, and Access Management
Generally, data breaches occur due to four different reasons: (1) lack of a scalable identity access management system, (2) failure to use multi-factor authentication, (3) weak passwords, and (4) lack of ongoing automated rotation of cryptographic keys, and certificates.
Identity access management systems handle the lifecycle management of users. They support the provisioning of access to resources when personnel changes or role change occur. They ease the burden of user maintenance, but the organizations planning to unify identity with a cloud provider should understand the security around their cloud provider’s identity solution, including processes, infrastructure, and segmentation between customers.
Multi-factor authentication systems, such as a smartcard, OTP, and phone authentication, help address password theft, where stolen passwords enable access to resources without user consent. Credentials and cryptographic keys, on the other hand, create a bit of a problem when they are embedded in source code or distributed in public-facing repositories such as GitHub. Keys need to be appropriately secured, and a well-secured public key infrastructure (PKI) is necessary to ensure proper key-management activities.
Any centralized storage mechanism, containing data secrets such as passwords, private keys, confidential customer contact database, is an extremely high-value target for attackers. Therefore, monitoring and protection of centralized key management systems should be a high priority.
3. Insecure Interfaces and APIs
Software user interfaces (UIs) or application programming interfaces (APIs) are the most exposed part of a system. Used by customers to manage and interact with cloud services, these assets are a frequent target for attackers, and adequate controls protecting them are the first line of defense and detection, from authentication and access control to encryption and activity monitoring. Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability, and accountability.
4. System Vulnerabilities
System vulnerabilities are exploitable bugs in programs or the components of the operating system – kernel, system libraries, and application tools – that attackers can use to infiltrate a computer system to steal data, take control, or disrupt the service. These vulnerabilities and attacks can be mitigated with basic IT processes such as regular vulnerability scanning, following up on reported system threats, and installation of security patches or upgrades. The impact of unpatched system vulnerabilities on information system security is profound and costly. However, the costs for protection are relatively small compared to other IT expenditures.
5. Account Hijacking
Account and service hijacking, usually with stolen credentials or methods such as phishing, and exploitation of software vulnerabilities, remains a top threat. Attackers can often access critical areas of cloud computing services with stolen credentials, allowing them to compromise the confidentiality, integrity, and availability of services. Attackers can leverage account access to steal data, impact cloud services and systems, damage tenant reputation, and more. Organizations should seek to ban the sharing of account credentials between users and services and, where possible, leverage robust two-factor authentication techniques. All accounts and account activities should be monitored to a human owner, and traceable.
6. Malicious Insiders
A malicious insider is a current or former employee, contractor, or other business partner, who has or had authorized access and misused the access in a way that negatively impacts the confidentiality, integrity, or availability of an organization’s information or systems.
Notably, the insider threat does not always involve malicious actors. Insiders might not necessarily be malicious but are “just trying to get their job done.” For example, they might accidentally upload a customer database to a public repository or copy sensitive data between jurisdictions or countries. The controls to limit risk from malicious insiders include controlling the encryption process and keys, ensuring that you have proper policies, segregating duties, minimizing access by role, and effective logging, monitoring, and auditing of administrators’ activities.
7. Advanced Persistent Threats
Advanced Persistent Threats (APTs) are a parasitic form of cyberattack infiltrating systems to establish a foothold in the infrastructure from which data and intellectual property are smuggled. APTs stealthily pursue their goals over extended periods, often adapting to the security measures designed to defend against them. Spearphishing, direct hacking systems, delivering attack code through USB devices, penetration through partner networks, and the use of unsecured or third-party networks are common points of entry for APTs. Once in place, APTs can move laterally through networks of data centers and blend in with regular network traffic to achieve their goals. Although the detection and elimination of APTs can be challenging, some can be stopped by proactive security measures. Awareness programs, because many of these vulnerabilities require user intervention or action, are one of the best defenses against these attacks.
8. Data Loss
Data stored in the cloud can be lost for reasons other than malicious attacks. A fire or earthquake can also lead to the permanent loss of customer data unless the provider or cloud consumer takes adequate measures to back up data, following best practices in business continuity and disaster recovery – as well as daily data backup and possibly off-site storage. The data can also be lost if a customer encrypts the data before uploading it to the cloud but loses the encryption key. Cloud consumers should review the provisions on contracting data loss, ask about the redundancy of a provider’s solution, and see which entity is responsible for data loss and under what conditions.
9. Insufficient Due Diligence
Developing a good roadmap and due diligence checklist is essential for the highest chance of success while considering moving into the cloud or merging with or acquiring a company that has already moved into the cloud. An organization that rushes to adopt cloud technologies and select CSPs without due diligence is exposed to a myriad of commercial, financial, technical, legal, and compliance risks that are threatening its success. Enterprises moving to a model of cloud technology must execute extensive due diligence to understand the risks they assume by adopting this model of technology and involving the suppliers who provide it.
10. Abuse and Nefarious Use of Cloud Services
Poorly secured cloud service deployments, free cloud service trials, and fraudulent account sign-ups can expose cloud computing models such as IaaS, PaaS, and SaaS to malicious attacks. Examples of misuse of cloud service-based resources include launching DDoS attacks, email spam, and phishing campaigns; “mining” for digital currency; large-scale automated click fraud; brute-force compute attacks of stolen credential databases; and hosting of malicious or pirated content. Malicious use of cloud service resources can reduce the available capacity for legitimate customers hosted by cloud service providers. Responding to malicious use can also reduce the availability of response resources for addressing other customer support issues. Mitigations for misuse of cloud services include CSP detection of payment instrument fraud and abuse of cloud offerings, including examples of inbound and outbound network DoS attacks.
11. Denial of Service
Denial-of-service (DoS) are attacks meant to prevent users from being able to access their data or applications. By forcing the targeted cloud service to consume excessive amounts of finite system resources like memory, processor power, disk space, or network bandwidth, the attackers cause an intolerable system slowdown, leaving legitimate users confused or angry as to why the service is not responding. Asymmetric DoS attacks at application level take advantage of vulnerabilities in web servers, databases, or other cloud resources. Asymmetric DoS attacks at application level take advantage of vulnerabilities in web servers, databases, or other cloud resources. An attacker may not be able to knock your service off the Internet entirely but may cause it to utilize so much processing time, forcing you to take it down yourself.
12. Shared Technology Vulnerabilities
Most cloud service providers provide their services scalably by sharing infrastructure, platforms, or applications. Cloud technology divides the “as a Service” offering without substantially changing the off-the-shelf hardware/software, sometimes at the expense of security. Underlying components (e.g., CPU caches, GPUs, etc.), comprising the infrastructure supporting cloud services deployment, might not be designed to offer strong isolation properties for a multitenant architecture (IaaS), re-deployable platforms (PaaS) or multi-customer applications (SaaS). It can lead to shared technology vulnerabilities, potentially exploited in all delivery models. The organization requires a defense-in-depth strategy that should ensure the service model is IaaS, PaaS, or SaaS.