Companies are rapidly using the cloud to revolutionize their digital transformations. According to Gartner, the global market for cloud computing is estimated to grow to $266.4 billion by 2020, rising from $227.4 billion in 2019.
There are several benefits of cloud computing including potential lower cost (with more capabilities in the public cloud that could aid productivity versus more limited capabilities in private clouds) and faster time to market.
However, with the array of benefits that the cloud offers, data security is amongst the key concerns holding back enterprises from adopting cloud solutions. To back this up, a survey found that 93% of companies are moderately to extremely concerned about cloud computing security risks.
Cloud infrastructure can be complex, and we all know that complexity is the enemy of security. While most cloud security experts agree that companies can benefit from the security solutions built into the cloud, organizations can also make grave errors and expose critical data and systems.
Some of the most common cloud security risks include unauthorized access through improper access controls and the misuse of employee credentials. Unauthorized access and insecure APIs are tied for the number one spot as the single biggest perceived security vulnerability in the cloud (according to 42% of respondents). These security risks are followed by misconfigurations in the cloud at 40%.
How can companies gain the benefits of cloud computing technology while still maintaining data security?
There are several preventive measures that companies can adopt to prevent cloud security vulnerabilities in their early stages. This ranges from simple cloud security solutions such as implementing multi-factor authentication to more complex security controls for compliance with regulatory mandates.
Top 7 Cloud Computing Security Vulnerabilities and Ways to Mitigate Them
In this article, we will take a comprehensive look at the top 7 cloud computing security vulnerabilities and how to mitigate them.
1. Misconfigured Cloud Storage
Cloud storage is a rich source of stolen data for cybercriminals. Despite the high stakes, organizations continue to misconfigure cloud storage, a mistake that has cost many companies greatly.
According to a report by Symantec, nearly 70 million records were stolen or leaked in 2018 due to misconfigured cloud storage buckets. The report also highlighted the emergence of various tools that allow attackers to detect misconfigured cloud storage to target.
Cloud storage misconfiguration can quickly escalate into a major cloud security breach for an organization and its customers. There are several types of cloud misconfigurations that enterprises encounter. Some types of misconfigurations include:
• AWS security group misconfiguration: AWS security groups are responsible for providing security at the source, destination, port and protocol access levels. These can be associated with EC2 server instances and many other resources. A misconfiguration in the AWS security groups can allow an attacker to access your cloud-based servers and exfiltrate data.
• Lack of access restrictions: Inadequate restrictions or safeguards in place to prevent unauthorized access to your cloud infrastructure can put your enterprise at risk. Insecure cloud storage buckets can result in attackers gaining access to data stored in the cloud and downloading confidential data, which can have devastating consequences for your organization. AWS initially had S3 buckets open by default and this led to a plethora of data breaches.
How to Prevent Misconfigured Cloud Storage
When it comes to cloud computing, it’s always a good idea to double-check cloud storage security configurations upon setting up a cloud server. While this may seem obvious, it can easily get overlooked amid other activities such as moving data into the cloud without paying attention to its safety.
You can also use specialized tools to check cloud storage security configurations. These cloud security tools can help you check the state of security configurations on a schedule and identify vulnerabilities before it's too late.
Control who can create and configure cloud resources. Many cloud computing issues have come from people who want to move into the cloud without understanding how to secure their data.
2. Insecure APIs
Application programming interfaces (APIs) are intended to streamline cloud computing processes. However, if left insecure, APIs can open lines of communication for attackers to exploit cloud resources.
Gartner estimates that by 2022, APIs will be the threat vector used more frequently by attackers to target enterprise application data.
A recent study also revealed that two-thirds of enterprises expose their APIs to the public so that external developers and business partners can access software platforms.
The study also indicated that an organization typically handles an average of 363 APIs, and nearly 61% of companies reported their business strategies rely on API integration.
With increasing dependence on APIs, attackers have found common ways to exploit insecure APIs for malicious activities. Two examples follow:
• Inadequate authentication: Often developers create APIs without proper authentication controls. As a result, these APIs are completely open to the internet and anyone can use them to access enterprise data and systems.
• Insufficient authorization: Too many developers do not think attackers will see backend API calls and don’t put appropriate authorization controls in place. If this is not done, compromise of backend data is trivial.
How to Prevent Insecure APIs
Encourage developers to design APIs with strong authentication, encryption, activity monitoring, and access control. APIs must be secured.
Conduct penetration tests that replicate an external attack targeting your API endpoints and get a secure code review as well. It is best to ensure you have a secure software development lifecycle (SDLC) to ensure you continually develop secure applications and APIs.
Also, consider using SSL/TLS encryption for data-in-transit. Implement multi-factor authentication with schemes such as one-time passwords, digital identities, etc. to ensure strong authentication controls.
3. Loss or Theft of Intellectual Property
Intellectual property (IP) is undeniably one of the most valuable assets of an organization, and it is also vulnerable to security threats, especially if the data is stored online.
An analysis found that almost 21% of files uploaded to cloud-based file-sharing services contain sensitive information including IP. When these cloud services are breached, attackers can gain access to sensitive information stored in them.
For many organizations, the IP is the data they own and data loss means they lose their IP. Let’s take a look at the most common causes of data loss:
• Data alteration: When data is altered in such a way that it cannot be restored to its previous state, it can result in a complete loss of data integrity and might render the data useless.
• Data deletion: An attacker could delete sensitive data from a cloud service which obviously poses a severe data security threat to an organization’s operations.
• Loss of access: Attackers can hold information for ransom (ransomware attack) or encrypt data with strong encryption keys until they execute their malicious activities.
Therefore, it’s essential to take preventive measures to safeguard your intellectual property and data in a cloud environment.
How to Prevent Loss or Theft of Intellectual Property
Frequent backups are one of the most effective ways to prevent loss or theft of intellectual property. Set a schedule for regular backups and clear delineation of what data is eligible for backups and what is not. Consider using data loss prevention (DLP) software to detect and prevent unauthorized movement of sensitive data.
Another solution to prevent loss or theft of data is to encrypt your data and geo-diversify your backups. Having offline backups is also very important, especially with ransomware.
4. Compliance Violations and Regulatory Actions
Enterprises must have steadfast rules to determine who can access which data and what they can do with it.
While the cloud offers the benefit of ease of access, it also poses a security risk as it can be difficult to keep track of who can access the information in the cloud. Under compliance or industry regulations, it is important for organizations to know the details about their data storage and access control.
Moving your applications to the public cloud certainly doesn’t guarantee regulatory compliance and usually makes compliance more difficult. The “shared responsibility model” offered by service providers means they own the cloud security, while you must maintain your data security in the cloud.
Privacy mandates such as CCPA, PCI-DSS, and GDPR all apply to cloud computing and if your company manages a lot of sensitive data such as PII (personally identifiable information), moving to cloud computing could make compliance more of an issue.
How to Prevent Compliance Violations and Regulatory Actions
The first and foremost step for compliance in the cloud is to thoroughly analyze the cloud service agreement and ask for cloud and data security policies from your service provider.
It’s worth noting that the responsibilities for maintaining cloud security will depend on the cloud service level, whether it is infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS). This will influence the security and ownership responsibility for both your cloud provider and organization.
Make sure you implement a model for access management where you can see the record of what systems are deployed and their cloud security levels. Here are some quick tips:
• Know all of your users, roles, and access permissions.
• Have a clear identity and be able to track all assets across all geographic locations and control what data can be where.
• Maintain strong configuration management with frequent and automated scanning of templates.
Implement an incident response plan for violations related to cloud computing. This way, you can quickly identify and mitigate security vulnerabilities in case a cloud data breach occurs, or a vulnerability is exposed to attackers. The response strategy should be well documented and approved within your organization’s overall incident response plan.
5. Loss of Control Over End-User Actions
When companies are not aware of how their employees are using cloud computing services, they could lose control of their data assets and ultimately become vulnerable to breaches and insider security threats.
Insiders don’t have to break through virtual private networks (VPNs), firewalls, or other security defenses to gain access to the internal data in the cloud of an enterprise. They can directly access sensitive data in the cloud infrastructure without much hassle.
This can lead to the loss of intellectual property and proprietary information which has clear implications for the organization.
Dealing with loss of control over end-user actions requires surveillance, monitoring, escalation, post-incident analysis, remediation, investigation, and incident response, all of which should be integrated into the company’s data security plan.
How to Prevent Loss of Control Over End-User Actions
Provide training to your employees to teach them how to handle security vulnerabilities, such as phishing and malware. Educate them about cloud computing and how to protect confidential information they carry outside the organization on their mobile devices or laptops. Inform them of the repercussions related to malicious activities.
Routinely audit servers in the cloud infrastructure to identify data security vulnerabilities that could be exploited and fix them in a timely manner.
Focus on approved hardened images that are scanned routinely for security risks and vulnerabilities. Then deploy new servers from these images and continually scan for proper configuration and to detect vulnerabilities. Focus on "cattle not pets". If a server is vulnerable or out of compliance, don't repair it, replace it with an approved hardened image.
Ensure that privileged central servers and access security systems are limited to a minimum number of people, and that those employees have adequate training to securely handle their administrative rights in the cloud server.
6. Poor Access Management
Improper access management is perhaps the most common cloud computing security risk. In breaches involving web applications, stolen or lost credentials have been the most widely used tool by attackers for several years.
Access management ensures that individuals can perform only the tasks they need to perform. The process of verifying what an individual has access to is known as authorization.
In addition to standard access management issues plaguing organizations today, such as managing a distributed workforce and user password fatigue, there are several other cloud-specific challenges that organizations face, including the following:
• Inactive assigned users
• Multiple administrator accounts
• Improper user and service provisioning and deprovisioning - for instance, companies not revoking access permissions of former employees
• Users bypassing enterprise access management controls
Furthermore, the creation of roles and management of access privileges within the cloud infrastructure can also be challenging for enterprises.
How to Prevent Poor Access Management
To combat poor access management in cloud services, enterprises need to develop a data governance framework for user accounts. For all human users, accounts should be linked directly to the central directory services, such as Active Directory, which is responsible for provisioning, monitoring, and revoking access privileges from a centralized store.
Additionally, enterprises should use cloud-native or third-party tools to regularly pull lists of roles, privileges, users, and groups from cloud service environments. AWS Command Line Interface and PowerShell for Azure can collect this type of data, and then the security team can sort, store, and analyze it.
Organizations should also ensure logging and event monitoring mechanisms are in place in cloud environments to detect unusual activity or unauthorized changes. Access keys should be tightly controlled and managed to avoid poor data handling or leakage.
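The periodic review of users and credentials described above can be automated against the IAM credential report, the CSV that `aws iam get-credential-report` returns (base64-encoded in its `Content` field). The following is an added example, not part of the original article: the report rows are constructed, only a subset of the real columns is used, and the 90-day idle threshold is an assumption.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample using a subset of the columns in the decoded CSV from
# `aws iam get-credential-report` (the real report has more columns).
REPORT = """user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
alice,true,2020-02-20T09:00:00+00:00,true,false,N/A
bob,true,2019-06-01T12:00:00+00:00,false,true,2019-05-30T10:00:00+00:00
ci-deploy,false,N/A,false,true,2020-02-28T23:10:00+00:00
former-emp,true,no_information,false,true,N/A
"""

def parse_ts(value):
    """Report timestamps are ISO 8601; 'N/A'/'no_information' mean never."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credentials(report_csv, now, max_idle_days=90):
    """Return {user: [issues]} for console users without MFA and for
    enabled credentials not used within max_idle_days (assumed threshold)."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                issues.append("console access without MFA")
            last = parse_ts(row["password_last_used"])
            if last is None or last < cutoff:
                issues.append("password idle or never used")
        if row["access_key_1_active"] == "true":
            last = parse_ts(row["access_key_1_last_used_date"])
            if last is None or last < cutoff:
                issues.append("access key 1 idle or never used")
        if issues:
            findings[row["user"]] = issues
    return findings

if __name__ == "__main__":
    as_of = datetime(2020, 3, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for user, issues in audit_credentials(REPORT, as_of).items():
        print(user, issues)
```

Accounts that surface here, such as a former employee's still-enabled password and key, are candidates for deprovisioning in the central directory.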
7. Contractual Breaches with Customers or Business Partners
Contracts in cloud computing are somewhat tricky. They often restrict who is authorized to access the data, how it can be used, and where and how it can be stored. When employees move restricted data into the cloud without authorization, the business contracts may be violated and legal action could ensue.
For instance, if your cloud service provider maintains the right to share all data uploaded to the cloud with third parties under their terms and conditions, they are breaching a confidentiality agreement with your company.
This could lead to leakage of data from your customers, employees, and other stakeholders that may have been uploaded to the cloud.
How to Prevent Contractual Breaches with Customers or Business Partners
The cloud service contract should include the rights to review, monitor, and audit reports. This way, any security risk can be identified at an early stage before it becomes an issue. Companies should also ensure that they are not locked into a service contract and switching vendors can be a smooth exercise.
This means that the service contract should include service termination rights for the business (for example, change of control, service deterioration, regulatory requirements, security/confidentiality breach, etc.).
The service contract should also highlight the intellectual property risk, as cloud services may include the use of IP or other software rights under a license agreement. The organization could then be dragged into a legal dispute if a third party claims infringement against the cloud service provider.
Companies operating in the cloud are taking a preventable yet big risk if they are not looking at mitigating the risks that come with it. Businesses must have strong cloud security policies that can be well integrated into the IT processes that teams use to build applications and deploy in the cloud infrastructure.
The adoption of cloud computing has transformed the way both companies and hackers work. It has brought a gamut of opportunities as well as a whole new set of cloud security risks. Enterprises need to continuously address cloud security risks and challenges while adopting the right security tools to help make the operational work easier.
This post was originally published at CypressDataDefense.com.