A recent report from the Cloud Security Alliance suggested that almost 70 percent of global business operates, at least partly, in the cloud. That’s hardly a surprise, because cloud-based infrastructure, software, and storage services offer incomparable benefits as compared to traditional datacenters or on-premises implementations.
There is plenty of room in the clouds!
However, we’re far from the promised world of completely cloud-based IT, and that’s because of cloud security risks and challenges faced by businesses. A recent Cloud Security Spotlight Report, for instance, suggested that 90 percent of enterprises are highly or moderately concerned about cloud systems security.
Consider the potential risks of outages, data thefts, insider attacks, collateral damage because of a cyberattack on another firm’s assets on a publicly shared cloud server — the risks are real, for sure. And we’ll take a look at the most prominent of these risks in this piece.
Data theft from cloud systems
Data theft risks have been present ever since there’s been data. So why are cloud storage services specifically castigated for data theft risks?
- Well, for starters, that’s because cloud-based storage technologies are still new and have yet to stand the test of time. “Jurassic World,” “Meet the Parents III,” “Kill Bill,” and so on did not stand the test of time — those movies were dead one minute after someone saw them, but this is another topic!
- Also, there’s not much standardization across cloud technologies and vendor systems. This creates several patches of high-threat exposure surface areas within the IT infrastructure of an enterprise that uses more than one cloud technology.
- Thirdly, because most enterprises have already moved their data to the public cloud, that’s where cybercriminals are focusing!
- Then, for most cloud-based data storage services, the contract terms place a good proportion of the responsibility of data management and upkeep on the buyer company, which creates uncertainty for enterprises venturing into the realms of cloud services for the first time.
We recommend you read Ponemon Institute’s report about “Man in Cloud Attack” for a deeper understanding of the specific scenarios that create cloud data theft risks. The report highlights how more than 50 percent of the surveyed enterprise IT professionals believed their companies did not have enough protection against cloud-based data theft attempts. Long story short — the unique characteristics of cloud-based data storage also create unique data theft risks that the enterprise and the vendor need to work to mitigate.
Because so many enterprises have adopted SaaS model applications, it’s commonplace for a huge number of employees to have multiple accounts that they use to access cloud-based applications. This is precisely why account hijacking has become a key focus for cybercriminals.
Account hijacking means that hackers are able to steal account login information and can then access and modify data, system settings, and even the security settings of the application. Cybercriminals exploit cross-site scripting (XSS) bugs to extract account login credentials from employees, vendors, and customers.
Another relatively new kind of account hijacking threat is around the use of verification tokens used by cloud platforms to authenticate user logins. Incidents where such tokens have been stolen to access user accounts have come to light recently and cast a “cloud” over the dependability of SaaS application account security.
Again, just as data theft has been an IT headache since the beginning of time, insider attacks are also a known risk that traditional IT has to account for. The problem, however, seems to have been aggravated by cloud-heavy architectures in enterprise IT.
Because employees have access to applications, they could, either by choice or by accident, end up using, extracting, or modifying crucial data or settings. Even accidental unauthorized access to such data is classified as a case of an insider attack. Because of the delegation of applications management to the cloud, employees can even raise access requests to applications they don’t need without raising much of an alarm.
On-premises IT always possessed the local knowledge and interpersonal knowledge to be able to detect potential insider attacks. This capability, though hard to quantify, has been lost with the migration to cloud systems.
To meet this cloud security challenge, enterprise IT needs to endorse tools for access and identity management, or audit and update policies around account access management.
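One way to run the access audit recommended above, as an added example that is not part of the original article: compare each user's granted application access with recent sign-in activity, then flag grants that were never used or have sat idle. The record layout, the function name `review_access`, and the 90-day threshold are assumptions; the sample data is constructed.

```python
from datetime import date

# Constructed sample data: (user, application, date access was granted)
GRANTS = [
    ("alice", "crm", date(2024, 1, 10)),
    ("alice", "payroll", date(2024, 1, 10)),
    ("bob", "crm", date(2023, 11, 2)),
    ("bob", "billing", date(2024, 5, 20)),
]
# Constructed sample sign-in log: (user, application, sign-in date)
SIGNINS = [
    ("alice", "crm", date(2024, 6, 1)),
    ("bob", "crm", date(2024, 1, 15)),
    ("bob", "crm", date(2024, 2, 3)),
    ("carol", "crm", date(2024, 6, 2)),  # sign-in with no matching grant
]

def review_access(grants, signins, today, max_idle_days=90):
    """Return (stale, unexplained): grants unused or idle too long, and
    (user, app) pairs seen in the log without a recorded grant."""
    last_seen = {}
    for user, app, when in signins:
        key = (user, app)
        if key not in last_seen or when > last_seen[key]:
            last_seen[key] = when
    stale, granted = [], set()
    for user, app, granted_on in grants:
        granted.add((user, app))
        last = last_seen.get((user, app))
        # Never-used grants are measured from the grant date so that
        # brand-new access is not flagged immediately.
        idle = (today - (last or granted_on)).days
        if idle > max_idle_days:
            reason = "never used" if last is None else "idle"
            stale.append((user, app, reason, idle))
    unexplained = sorted(set(last_seen) - granted)
    return stale, unexplained

if __name__ == "__main__":
    stale, unexplained = review_access(GRANTS, SIGNINS, date(2024, 6, 15))
    for user, app, reason, idle in stale:
        print(f"revoke candidate: {user} -> {app} ({reason}, {idle} days)")
    for user, app in unexplained:
        print(f"investigate: {user} used {app} without a recorded grant")
```

In practice the two inputs would come from the identity provider's entitlement export and the SaaS applications' sign-in logs; the second list catches access that bypassed the request process entirely.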
Problems with hybrid cloud infrastructure
We briefly mentioned how enterprises have several cloud-based systems in place to manage their IT needs. In the past few years, hybrid cloud infrastructures have emerged, wherein an enterprise opts for a mix of solutions hosted on the public cloud (for low to medium priority workloads) and private cloud (for mission-critical workloads).
Whereas this approach helps businesses control critical aspects of business continuity, it also poses unique cloud security challenges.
- For instance, in a hybrid cloud setup, enterprises need to make sure that the data security and privacy regulations are met for the private cloud hosted data, as well as during processes where the data is exchanged with public cloud systems.
- Also, enterprises can’t ignore the fact that hybrid cloud systems bring in additional complexity as compared to any traditional IT infrastructure. About as complex as trying to find out how they pulled that off in “Ocean’s 11”! That movie was a true puzzle!
- This means that system and network administrators have to work with newer APIs, complicated network configuration settings, and different interfaces.
You know it: Information security is all about risk management. And all these factors bring in additional risk.
Other cloud security issues
This isn’t it — there are more issues, such as:
- Insufficient due diligence in risk assessment and management because of ambiguity about responsibilities.
- Increased exposure to compliance risks related to misuse of cloud infrastructure by employees, such as storage of pirated or banned content.
- Risks of falling prey to DDoS (distributed denial of service) attacks that could actually be aimed at the cloud service provider, or one of its clients sharing server space with you.
- Shared vulnerabilities resulting from the misuse of cloud storage services or from malicious scripts run by one of the companies whose data and applications are hosted on the same public cloud server as you.
Know the risks
The idea of this piece is to make sure that enterprise IT managers understand the level of risk assessment and mitigation they need to undertake to make sure that their migration to the cloud becomes a success-maker, not a deal-breaker, for their businesses.
You need to have a plan. No one wants to go camping without a tent!