Top 12 Security Issues Facing Cloud
Cloud computing offers major business advantages in storage, in computing scalability across globally distributed resources, and in service delivery, in ways that on-premise systems cannot match.
Despite its great advantages, there are serious data security issues in cloud computing. The same data security issues threaten every network, not just cloud-based ones. But with Tier 1 applications and highly sensitive data moving to the cloud, you must do your due diligence on your cloud provider and your provider must have sufficient systems in place to guard against serious threats to cloud computing data security.
The Top 12 Security Threats to Cloud
- Data Breaches. A data breach occurs when a hacker steals, uses, or releases sensitive information. Data breaches also occur when a hapless human being makes a mistake and accidentally exposes data to unauthorized viewers. The former is criminal and the latter personally embarrassing. Both cause serious harm to the business. The types of protected information that make for the worst scenarios are the usual suspects: financial or health information, personally identifiable information (PII), intellectual property (IP), and trade secrets. Always do your due diligence on cloud-based security. Never assume that a cloud provider is immune from breaches just because it has a big name.
- Poor User Access Management. Data breaches and other types of attacks thrive in environments with poor user authentication and weak passwords. Look at the serious attack on Sony that happened just a couple of years ago. They are still feeling the financial and social effects of the hack, which largely succeeded thanks to executives using weak passwords. The cloud is an especially attractive target because it presents a centralized data store containing high-value data and centralized user access. Use key management systems in your cloud environment, and be certain that the encryption keys cannot easily be found online. Require strong passwords and put teeth in the requirement by automatically rotating passwords and other means of user identification. Last but not least, use multi-factor authentication.
- Insecure Interfaces and APIs. APIs and UIs are the lifeblood of computing connections and integration between users and cloud computing. Cloud APIs’ IP addresses expose the connection between users and the cloud, so securing APIs from attack or human error is critical to cloud security. Work with your cloud provider and application vendors to build data flows that do not expose APIs to easy attack. Invest in applications that model threats in a live environment, and practice frequent penetration testing.
- System Vulnerabilities. System vulnerabilities are exploitable program bugs in the OS that hackers deliberately use to control or infiltrate a computer system. Luckily, basic IT hygiene goes a long way towards protecting you from this type of serious attack. Since machines exist in your cloud provider’s data centers, be certain that your provider practices regular vulnerability scanning along with timely security patches and upgrades.
- Account Hijacking. You might have seen an email that looks legitimate. You click on a link, at which point sirens blare and warning lights flash as your antivirus program goes to battle. Or you may have been truly unlucky and had no idea that you were just the victim of a phishing attack. When a user chooses a weak password, or clicks on a link in a phishing expedition, they are at real risk of becoming the channel for a serious threat to data. Cloud-based accounts are no exception. Institute strong two-factor authentication and automate strong passwords and password cycling to help protect yourself against this type of cyber attack.
- Malicious Insiders. Most data loss or damage occurring within an organization is human error. However, malicious insiders do exist and they do a lot of damage. A malicious insider is a current or former employee, contractor, or partner who has the credentials to access company data and deliberately uses, steals, or damages that data. Defense centers on secure processes such as strong access control, on constantly monitoring processes, and on investigating actions that lie outside the bounds of acceptable functions.
- Advanced Persistent Threats. Also called APTs, these are long-term cyberattacks that hackers design to give them ongoing access into a network. Examples of entry points include phishing, installing attack codes via USB devices, and intrusion via insecure network access points. Once in, the intrusion appears as normal network traffic and the attackers are free to act. Aware users and strong access controls are the best lines of defense against this type of attack.
- Data Loss. Any data loss can represent serious damage to the business. Cloud data is subject to the same threats as is on-premise data: accidental deletion by users or provider staff, natural disaster, or terrorist attack. It is the cloud provider’s responsibility to guard against human error and to build robust physical data centers. However, IT must also protect against cloud data loss by establishing SLAs that include frequent and verifiable backup to remote sites, and encrypting files in case of accidental data exposure.
- Insufficient Due Diligence. Systematize your process so that you understand precisely what you need to ask cloud providers, what you can reasonably expect, how much you pay for what you need, and how to enforce signed SLAs. Know ahead of time how flexible the provider can be with new cloud applications, and what your ongoing costs will be for adding and modifying your cloud computing environment.
- Fraudulent Use of Cloud Services. Many cloud applications are geared towards user interaction, but free software trials and sign-up opportunities expose cloud services to malicious users. Several serious attack types can ride in on a download or sign in: DoS attacks, email spam, automated click fraud, and pirated content are just a few of them. Your cloud provider is responsible for strong incident response frameworks to detect and remediate this source of attack. IT is responsible for verifying the strength of that framework and for monitoring their own cloud environment for abuse of resources.
- Denial of Service. DoS attacks overwhelm a cloud service’s resources so users cannot access data or applications. Politically motivated attacks get the front-page headlines, but hackers are just as likely to launch DoS attacks with malicious intent, including blackmail. And when the DoS attack occurs in a cloud computing environment, compute cycle charges go through the roof. The cloud provider should reverse the charges, but negotiating over what was an attack and what wasn’t will take additional time and aggravation. Most cloud providers are set up to deny DoS attacks, which takes constant monitoring and instant mitigation.
- Shared Technology Issues. Cloud providers grant services to thousands to millions of tenants. Services range from cloud backup to entire infrastructure, platform, and applications as a service. The provider should design their architecture for strong isolation in multitenant architectures: a successful attack on one customer is bad enough. A multitenant attack that spreads from one customer to thousands is a disaster. When you look at cloud providers and multitenant services, make sure that they have implemented multifactor authentication on all server hosts and operate modern intrusion detection systems.
As unpleasant as the above threats may be, don’t let them keep you from adopting cloud computing in your organization. The same threats exist on any network, whether yours or the cloud provider’s. But just as you carefully protect your network against cloud computing data security issues, be sure that you are exercising the same level of care in your cloud environment.
Read more about cloud computing data security issues in the study conducted by the Cloud Security Alliance: The Treacherous 12 - Cloud Computing Top Threats in 2016.