There has been tremendous growth in cloud computing in the past five years. The cloud is basically a group of securely networked physical servers to which customers upload and store data, and that data can be accessed from anywhere.
Adoption of cloud computing by businesses and governments has increased remarkably and has transformed business technology to a great extent.
Cloud technology has created a paradigm shift in the way companies and businesses think about computing technology and applications, i.e. a move from server-based approaches to more of a service-based approach.
The emergence of cloud technology has created several opportunities as well as challenges. New technology means new security vulnerabilities, new challenges, and amplification of many existing challenges.
Exclusive use of cloud technologies may provide a cost-effective and efficient solution for an organization. While adopting cloud-based technologies, some smaller organizations tend to drop the role of a dedicated information security officer, which may lead to greater losses because of the hidden challenges in cloud-based services.
Efficient adoption of cloud technologies needs to take into account business level security policies, processes, and best practices. In the absence of proper standards, the gain from adopting cloud technology will be nullified by the losses incurred from security breaches.
The first and foremost step in minimizing risk in the cloud is to identify the top security threats.
The Cloud Security Alliance (CSA) has created industry-wide standards for cloud security. In this article, we will briefly cover the key points listed below:
- Data Breaches
- Weak Identity, Credential, and Access Management
- Insecure APIs
- System and Application Vulnerabilities
- Account Hijacking
- Malicious Insiders
- Advanced Persistent Threats (APTs)
- Data Loss
- Insufficient Due Diligence
- Abuse and Nefarious Use of Cloud Services
- Denial of Service
- Shared Technology Issues
Data breaches and theft of intellectual property
Data breaches and loss of sensitive information are among the biggest challenges faced by traditional corporate networks, and they remain among the biggest challenges faced by organizations in the age of cloud computing.
A data breach can be the result of a targeted attack on an organization, or it can be the result of human error, a vulnerable application, or unsafe security practices within the organization.
A study from Ponemon Institute showed that the organizations using cloud services have faced more data breaches than non-cloud users.
The impact of a data breach is extensive: it can range from damage to the reputation of the brand and loss of business to fines, lawsuits, or even criminal charges.
The best defense against data breaches is the implementation of an effective security plan. Multifactor authentication and encryption are two indispensable ingredients of cloud security.
Weak Identity, Credential, and Access Management
Account hijacking and unauthorized access are another major issue faced by organizations adopting cloud-based services. Sloppy authentication systems, weak passwords, and poor certificate management can lead to unauthorized access.
Implementing the rule of minimum permission is often neglected, and organizations sometimes struggle to allocate permissions that match a specific user's job role. Removing user access when a user leaves their job, and adjusting it when their job role changes, are vital elements of data security.
A centralized key management system can be a valuable target for attackers. Extreme care should be taken in implementing such a system, and the potential risks and benefits should be evaluated first.
Developers often leave or embed authentication details in source code, which can lead to data breaches. A recent incident in which hackers scraped GitHub source code for cloud API authentication details is an example.
The business impact of unauthorized access can be catastrophic and can cause irreversible damage to end users and organizations.
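The following is an added example, not part of the original article: a minimal check, of the kind run before a commit, for the authentication details embedded in source code described above. The regular expressions, the 3.5 bits-per-character entropy threshold, the placeholder list and the sample file are assumptions chosen for illustration.

```python
import math
import re

# AWS access key IDs: a 4-letter prefix (e.g. AKIA) plus 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# name = "value" assignments whose name suggests a credential.
ASSIGNMENT = re.compile(
    r"""\b([\w.-]*(?:secret|passw(?:or)?d|token|api[_-]?key)[\w.-]*)\s*[:=]\s*["']([^"']{8,})["']""",
    re.IGNORECASE,
)
# Assumed markers of templated or dummy values that should not be reported.
PLACEHOLDERS = ("example", "changeme", "your_", "xxxx", "${", "<")

# Constructed sample file; the key and token below are made up for this example.
SAMPLE = '''\
import boto3
client = boto3.client("s3", aws_access_key_id="AKIAZ7Q2M4X9T1B6K8R3")
token_header = "Authorization"
api_key = "q8Zr2LmX0vTn5KpYw3Hd"
smtp_token = "${SMTP_TOKEN}"
'''


def shannon_entropy(value):
    """Bits of entropy per character; random keys score higher than words."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan_text(path, text, min_entropy=3.5):
    """Return (path, line_no, rule) findings for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID.search(line):
            findings.append((path, line_no, "aws-access-key-id"))
        for match in ASSIGNMENT.finditer(line):
            value = match.group(2)
            if any(p in value.lower() for p in PLACEHOLDERS):
                continue  # templated value resolved at deploy time, not a secret
            if shannon_entropy(value) >= min_entropy:
                findings.append((path, line_no, "hardcoded-credential"))
    return findings


if __name__ == "__main__":
    for finding in scan_text("app/config.py", SAMPLE):
        print(finding)
```

The entropy filter keeps ordinary words such as a header name out of the report, at the cost of missing short or dictionary-based passwords, so a check like this complements rather than replaces keeping credentials out of the repository altogether.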
System and Application Vulnerabilities
This is not unique to the cloud but applies to any software system. Bugs have been a problem ever since the invention of computers and are exploited by attackers to gain unauthorized access to networks and data.
These kinds of attacks can be mitigated with regular vulnerability scanning and the installation of security patches to close the gaps left open by system vulnerabilities. This again shows the need for a proper information security plan.
The cost of putting infrastructure and security personnel in place to discover and repair vulnerabilities is small in comparison to the potential damage they can cause.
Account Hijacking
This is another old technique which is amplified by the inappropriate and naive adoption of cloud technologies in the absence of a proper IT security infrastructure. Attack techniques such as phishing, social engineering, and exploitation of software vulnerabilities are used to steal credentials.
If an attacker gains access to credentials, they can create havoc by leaking data, altering data, and redirecting legitimate users to illegal websites. Attackers can also misuse the credibility and reputation of an organization to launch further attacks and social engineering strategies.
It is crucial for an organization to be vigilant about such attacks. It should ban the sharing of account credentials among users and enforce strong two-factor authentication (TFA) techniques where possible. Furthermore, all accounts and account activities should be monitored and should be traceable to a responsible human element.
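The three controls above (no shared credentials, two-factor authentication, every account traceable to a person) can be checked against sign-in records. The following is an added example, not part of the original article; the event format, the ownership register, the 10-minute window and the threshold of two source addresses are assumptions, and all records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (ISO timestamp, account, source IP, second factor used)
EVENTS = [
    ("2024-03-04T09:00:05", "alice", "198.51.100.10", True),
    ("2024-03-04T09:02:40", "svc-backup", "198.51.100.77", False),
    ("2024-03-04T09:03:10", "ops-shared", "198.51.100.21", False),
    ("2024-03-04T09:04:55", "ops-shared", "203.0.113.45", False),
    ("2024-03-04T09:06:30", "ops-shared", "192.0.2.200", False),
    ("2024-03-04T13:15:00", "alice", "203.0.113.9", True),
]
# Constructed ownership register: account -> accountable person.
OWNERS = {"alice": "Alice Example", "svc-backup": "Bob Example"}


def review_signins(events, owners, window=timedelta(minutes=10), max_ips=2):
    """Return {account: sorted list of reasons} for accounts needing review."""
    flags = defaultdict(set)
    by_account = defaultdict(list)
    for stamp, account, ip, second_factor in events:
        by_account[account].append((datetime.fromisoformat(stamp), ip))
        if not second_factor:
            flags[account].add("no-second-factor")
        if account not in owners:
            flags[account].add("no-responsible-owner")
    for account, logins in by_account.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            # Distinct source addresses seen within `window` of this login.
            ips = {ip for when, ip in logins[i:] if when - start <= window}
            if len(ips) > max_ips:
                flags[account].add("possible-shared-credentials")
                break
    return {account: sorted(reasons) for account, reasons in flags.items()}


if __name__ == "__main__":
    for account, reasons in review_signins(EVENTS, OWNERS).items():
        print(account, reasons)
```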
Malicious Insiders
It may sound strange, but an attacker inside an organization is a reality in many cases. An employee can use their cloud access to create havoc and cause losses to the business.
As per the definition from CERN, a malicious insider is:
“It can be a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems”
The impact of such a threat depends on the level of access given to such a person. It should also be kept in mind that an insider is not always malicious; the cause could be an accidental upload of sensitive data to a public repository or something similar.
Advanced Persistent Threats (APTs)
Advanced Persistent Threats (APTs) are a form of targeted attack that tries to establish a base in the computing infrastructure of companies and organizations in order to leak and smuggle out data and intellectual property.
APTs achieve their goals silently over extended periods of time. They evolve and adapt to changes in the security measures implemented in a company, and their sole goal is to spy on business secrets and intellectual property.
Mitigating and blocking APTs requires advanced security controls, incident response plans, and training of information technology staff. The cost of this may be small compared to the extent of the damage caused by such attacks in mission-critical organizations.
An example of an APT is the Carbanak gang, who targeted banks' internal systems and operations, resulting in a multichannel robbery that averaged $8 million per bank.
Data Loss
Data loss can result from non-malicious causes as well. It can be an accidental deletion by the cloud service provider or a physical catastrophe such as a fire or earthquake.
If your business is planning to implement cloud solutions, it is important to review the contracted data loss provisions and to enquire about the redundancy of the cloud provider's data storage solution.
A clear understanding of who or which entity is responsible for data loss, and under what conditions, will help in adopting alternate contingency plans.
An example is the April 2011 incident in which Amazon EC2 suffered a crash that led to significant data loss for many customers.
Insufficient Due Diligence
Most of the challenges discussed above are technical in nature. This particular security challenge, however, arises when an organization lacks a clear plan for its goals, resources, and policies for the cloud. It is a human factor.
It is critical for an organization whose data falls under regulatory laws like PII, PCI, PHI, FERPA, and for companies dealing with financial data.
Abuse and Nefarious Use of Cloud Services
The relatively easy signup procedure for cloud-based systems and infrastructure as a service (IaaS) has been exploited by cyber criminals to carry out various malicious activities. The relative anonymity behind many of these cloud platforms, along with their registration and usage models, has allowed spammers, malware authors, and other criminals to carry out their nefarious activities. This can be curbed to a great extent by stricter initial registration and validation processes, as well as by detecting fraudulent credit card usage during registration. In addition, strict monitoring of customer network traffic is needed.
Denial of Service
Denial of service and distributed denial of service attacks are among the most challenging threats to cloud computing. They are not new, but they continue to be an important challenge in computing systems.
Some of the possible countermeasures against these types of threat include the use of Cloud Trace Back (CTB) to identify the source of the attack and using services like Cloud Protector to remove these types of attacks. Cloud defender system (CSQD) is another solution which can help in mitigating XML vulnerabilities in web services.
Shared Technology Issues
Cloud service vendors deliver their services in a scalable way by sharing infrastructure. This means that the underlying components that make up this infrastructure (e.g., CPU, GPUs, etc.) are shared among several users, and hence there is a need for good isolation to prevent each customer from interfering with other customers.
Technical flaws and vulnerabilities in compartmentalization systems such as hypervisors can be a threat to cloud security. Thorough monitoring of the systems, regular vulnerability scanning, and configuration audits are required to minimize the risks.
Security challenges associated with the use and adoption of cloud computing are gaining importance due to the increase in popularity of cloud-based systems. Cloud computing has become an emerging and promising computing model. As with any technology, cloud computing has its own challenges as well.
This article aims to serve as an overview and a starting point for further exploration into this topic and I hope this will help business organizations to keep in mind the challenges while adopting a new technology.