The State of Cloud Security and Issues to Watch Out For

Many companies have migrated to cloud-based technologies in the past year due to stiff competition and the high demand for business-critical applications to be accessible in the face of remote working. In Australia alone, 55% of businesses have incorporated paid cloud models into their budgets from 2019 to 2020. Figures indicated that the larger a business's workforce, the greater its level of cloud adoption: among businesses with 200 or more employees, 81% of organisations have shifted to cloud-based systems. The percentage was 76% among firms with 20 to 199 workers and 65% for businesses with five to 19 staff members. According to Infosys, companies with at least 60% of their computing infrastructure on cloud platforms saw higher profitability.

However, cloud security threats lurk behind the promise of scalability. Sixty-five per cent of the 446 data breaches reported to the Office of the Australian Information Commissioner in the first half of 2021 were malicious or criminal attacks, 43% of which were cyber incidents. The remaining 34% of the breaches were results of impersonation, insider threat, and theft of storage devices or paperwork. In a separate report from Trend Micro, 24% of organisations experienced at least seven breaches involving customer data in the past year.

Still, companies can no longer avoid the cloud. Businesses of all sizes now need always-on systems to support their workforce and to stay in touch with customers. This requires cloud computing services to ramp up security to address current market demands.


Types of Cloud Services

Companies use cloud services in the following ways:

  • Software as a service or SaaS: includes project management tools, web-based email, file storage, and backup.
  • Infrastructure as a service or IaaS: virtual machines that give you access to servers, memory, firewall, and storage so you can manage your software as a service tool.
  • Platform as a service or PaaS: covers the computing platform where software developers can build custom applications online.

 

Types of Cloud Environments

Some cloud environments can be more open to risk than others. To know what setup will fit your business, it’s best to understand the main types of deployments that cloud service providers can provide.

Public

A public cloud service is provided by third-party vendors such as Google Cloud, Microsoft Azure, and Amazon Web Services. Companies can access cloud resources for free or through a paid subscription. Due to their massive amount of space, you can get more capacity on-demand without having to pay for additional hardware and staff. The infrastructure and operating system are under the cloud service providers’ control. The cloud provider has its own security and disaster recovery plan and conducts maintenance and upgrades. However, modern computing security challenges that threaten the public cloud may require new tools that come with a cost.

Private

Unlike a public service, a private cloud service isn’t shared by multiple businesses and caters to only one organisation. Only authorised users can access, store, and use data and computing resources from anywhere, making it ideal for firms working with highly sensitive data. While private clouds offer more data security and control, they’re more costly. Clients can only scale by paying for more hardware and storage capacity. It’s also up to the in-house team to perform regular cloud computing security maintenance and updates.

Hybrid

A hybrid cloud environment features both private and public clouds that work seamlessly together. This model works well for industries with strict data privacy requirements such as healthcare companies. Businesses may use a private cloud with firewalls and encryption protocols to house data and proprietary applications and then a public cloud for non-critical applications. Each cloud environment should undergo strong risk assessments and data encryption to prevent eavesdropping and other service attacks.

Community

A community cloud service is a type of private cloud that’s built for a targeted group. It’s shared by organisations with common security, compliance, and performance requirements—typically within the same industry (for example, banking) or departments of one organisation. Entities that need to access similar resources and use a common application for a project or research topic will benefit from this model.

 

Security Considerations and How to Mitigate Them

Shifting proprietary information and customer data—including personally identifiable information—from on-premise facilities to the cloud exposes companies to potential security threats. Many of the cloud computing security measures, practices, and technologies needed to set up a secure cloud environment are similar to those used for physical data centres and network infrastructure. However, these services are activated to protect your cloud-based data.

Securing digital assets is a shared duty in cloud computing. The cloud service provider handles the security of the infrastructure that runs the services, while the cloud users take care of the security of applications and virtual machines (servers) being run.

The Cloud Security Alliance (CSA), a non-profit organisation that promotes the research and use of cloud computing best practices, recently released their “Top Threats to Cloud Computing,” featuring “The Egregious 11” security issues. This list of security concerns is based on the results of a poll involving over 240 industry experts.

1.     Data breaches

The ease of data sharing, including sharing links to our websites or company’s network, through email or social media is one of the main advantages of operating on the cloud. But when your data is accessible online, hackers may gain access into the organisation’s wider cloud infrastructure.

CSA advice: It’s best to determine who will have access to data and what the impact of any broad network access will be before saving anything to the cloud. As part of security management, make sure to restrict access, use encrypted data, and have a well-tested incident response plan that incorporates privacy for data and your provider.

2.     Misconfiguration and inadequate change control

Cloud computing assets and access are misconfigured or incorrectly set up when standard controls are disabled, access privileges are excessive, or default credentials are left unchanged. Your data and resources can be deleted or modified, ultimately leading to service interruption. Nearly 70% of enterprises regard misconfiguration as one of the leading contributors to a vulnerable cloud.

CSA advice: Businesses need to adopt cloud computing security technologies that continuously scan for misconfiguration and correct problems as they’re detected. Tools like cloud security posture management software can automatically identify such issues and compliance risks.
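The three misconfiguration classes named above (disabled standard controls, excessive access, unchanged default credentials) can be expressed as simple rules over an asset inventory. The following is an added example, not code from the CSA or any posture management product; the inventory is constructed and its field names are hypothetical rather than a real provider schema.

```python
from dataclasses import dataclass

# Constructed sample inventory; field names are hypothetical.
INVENTORY = [
    {"id": "bucket-invoices", "logging_enabled": False,
     "encryption_at_rest": True, "allowed_principals": ["*"]},
    {"id": "db-orders", "logging_enabled": True, "encryption_at_rest": True,
     "allowed_principals": ["svc-orders"],
     "admin_user": "admin", "admin_password_changed": False},
    {"id": "vm-web-01", "logging_enabled": True, "encryption_at_rest": True,
     "allowed_principals": ["ops-team"],
     "open_ports": [22, 443], "ingress_cidr": "0.0.0.0/0"},
    {"id": "bucket-assets", "logging_enabled": True,
     "encryption_at_rest": True, "allowed_principals": ["svc-web"]},
]

STANDARD_CONTROLS = ("logging_enabled", "encryption_at_rest")
ADMIN_PORTS = {22, 3389}  # SSH and RDP


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    detail: str


def scan(inventory):
    """Return one Finding per rule violation, in inventory order."""
    findings = []
    for res in inventory:
        rid = res["id"]
        # Rule 1: standard controls disabled. A missing field counts as
        # disabled, so an incomplete export fails closed.
        for control in STANDARD_CONTROLS:
            if not res.get(control, False):
                findings.append(Finding(rid, "control-disabled", control))
        # Rule 2: excessive access (wildcard principal, or admin ports
        # reachable from any address).
        if "*" in res.get("allowed_principals", []):
            findings.append(Finding(rid, "excessive-access", "wildcard principal"))
        exposed = ADMIN_PORTS & set(res.get("open_ports", []))
        if exposed and res.get("ingress_cidr") == "0.0.0.0/0":
            findings.append(Finding(rid, "excessive-access",
                                    f"admin ports {sorted(exposed)} open to any address"))
        # Rule 3: default credentials left unchanged.
        if "admin_user" in res and not res.get("admin_password_changed", False):
            findings.append(Finding(rid, "default-credentials", res["admin_user"]))
    return findings


if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f.resource}: {f.rule} ({f.detail})")
```

Running a check like this on every configuration change, rather than on a schedule, is what ties it to change control.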

3.     Absence of cloud security architecture and strategy

Cloud data is the prime target of so-called threat actors. Over 20% of files contain sensitive data, such as company information, personal health, and payment data. Threat actors adapt their tactics to the cloud infrastructure they wish to penetrate. Therefore, companies migrating to the cloud must be aware of the threats they’re up against. They should know their role in ensuring their assets will function safely in the new, virtual environment.

CSA advice: Security monitoring should be coupled with continuous awareness of emerging threats. This will allow companies to adjust strategies and properly allocate resources into appropriate cloud computing security tools and protocols.

4.     Weak identity, credential, access, and key management

Encryption keys secure data in use, in transit, and at rest. They authenticate users and allow transactions to close safely with digital signatures and certificates. With insufficient authentication and weak passwords, your business processes are at high risk of security issues. A Verizon report said that 61% of data breaches involved credentials.

CSA advice: Limiting privileged accounts should be one of your top security considerations. Provisioning management—or granting access to data or the network based on user credentials—should be based on business needs and the principle of least privilege. Unused credentials and access privileges should be deleted. At the same time, centralised key management is recommended to prevent unauthorised access to sensitive information, even for multi-cloud architecture.
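A periodic credential review can turn this advice into a list of actions: delete what is unused, flag privileged grants, and shrink the rest to what is actually exercised. The following is an added example, not taken from the CSA guidance; the credential records are constructed, and the 90-day idle threshold is an assumed policy value.

```python
from datetime import date

TODAY = date(2021, 9, 1)   # fixed so the example is reproducible
MAX_IDLE_DAYS = 90         # assumed policy threshold, not from the article

# Constructed sample data: what each key is granted versus what access
# logs show it actually used.
CREDENTIALS = [
    {"owner": "alice", "key": "key-a1", "last_used": date(2021, 8, 30),
     "granted": {"storage:read", "storage:write", "storage:delete"},
     "used": {"storage:read", "storage:write"}},
    {"owner": "bob", "key": "key-b1", "last_used": date(2021, 3, 2),
     "granted": {"storage:read"}, "used": {"storage:read"}},
    {"owner": "ci-deploy", "key": "key-c1", "last_used": date(2021, 8, 31),
     "granted": {"*"}, "used": {"compute:deploy"}},
    {"owner": "contractor-x", "key": "key-x1", "last_used": None,
     "granted": {"db:read"}, "used": set()},
]


def review(creds, today=TODAY, max_idle=MAX_IDLE_DAYS):
    """Return keys to delete, privileged owners, and reduced grants per key."""
    report = {"delete": [], "privileged": [], "reduce": {}}
    for c in creds:
        last = c["last_used"]
        # Never-used and long-idle credentials are removed outright.
        if last is None or (today - last).days > max_idle:
            report["delete"].append(c["key"])
            continue
        if "*" in c["granted"]:
            # Wildcard grants are privileged; propose the observed usage
            # as the replacement permission set.
            report["privileged"].append(c["owner"])
            report["reduce"][c["key"]] = sorted(c["used"])
        elif c["granted"] - c["used"]:
            # Least privilege: keep only permissions that were exercised.
            report["reduce"][c["key"]] = sorted(c["granted"] & c["used"])
    return report


if __name__ == "__main__":
    for section, value in review(CREDENTIALS).items():
        print(section, value)
```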

5.     Account hijacking

Hackers can hijack cloud service accounts or subscriptions through phishing and stolen credentials. When this happens, even the account holder’s or customer’s data can be lost or leaked and business continuity disrupted.

CSA advice: This threat calls for more than just a password reset. It requires defence-in-depth or layered security features consisting of technical, physical (security cameras and locked doors), and administrative (procedures and policies) controls. Technical controls include firewalls, intrusion detection and prevention systems, segmentation or splitting the network into sub-networks designed around business needs, and endpoint detection and response, among others. Identity and access management for user access control is also necessary to avert account hijacking.

6.     Insider threat

Threats don’t only come from malicious strangers but also from “insiders”—current and former business staff, business partners, and contractors. Nearly 80% of chief information officers fear that their company’s workforce is taking IT policies lightly. This is based on findings that network security risks were due to admin mistakes (27%), accidental data sharing among workers (26%), cloud service misconfiguration (16%), and data theft by staff (14%).

CSA advice: Businesses should provide regular training about security issues and data protection measures for workstations, mobile devices, and backup devices. They should also inform staff about the consequences of malicious activity, including sanctions. Only authorised users should have access to critical systems, including servers that should be routinely audited for misconfiguration.

7.     Insecure interfaces and APIs

APIs and user interfaces are among the most exposed parts of cloud environments. Your employees and customers use them to connect to software and apps. They control the flow of data between programs, including sensitive data. Hackers may be able to access company data when interfaces lack authentication or have half-baked access controls. One of the ways they take advantage of poorly designed APIs is by overwhelming the targeted server or its surrounding infrastructure with network traffic—also referred to as a distributed denial of service (DDoS) attack—resulting in disrupted service.

CSA advice: IT departments should secure their API keys and conduct regular monitoring and auditing. Moreover, companies should go for standard frameworks like Open Cloud Computing Interface and Cloud Infrastructure Management Interface.

8.     Weak control plane

The cloud’s control plane can be likened to air traffic control in aviation—it’s the part of a network that regulates how data is sent from one place to another. With a weak control plane, external actors can modify your network’s access controls and configuration. This can result in data theft or corrupted data. Companies can face penalties if affected data involves customer information.

CSA advice: In simple terms, a cloud provider with a secure control plane should be able to fulfil the security requirements of your business: protecting data, data centres, and operating systems. Its standard suite of controls should at least include two-factor authentication.

9.     Metastructure and Applistructure Failures

This refers to API flaws—usually the fault of cloud providers—that allow users or customers to discover information about security protection and operations in the cloud such as logging and audit information. Metastructure refers to mechanisms that permit the interaction between the infrastructure (network and storage where everything else is built on) and other layers. Meanwhile, applistructure covers the applications and services used to build them.

CSA advice: To control access to security information, cloud providers must conduct penetration testing and provide results to their clients.

10.  Limited cloud usage visibility

Employees may set up and use cloud applications and resources without the management’s knowledge or misuse installed cloud apps. This makes any company data stored today and in the future open to security issues.

CSA advice: Organisations must have cloud usage policies and hold company-wide training on how to follow them. Their cloud security architect or third-party risk management should first review the use of any free but non-approved services. Businesses should consider using cloud access security brokers or software-defined gateways to discover outbound connections and analyse at-risk users and their behaviour. For inbound connections, a web application firewall can help spot suspicious trends, botnet risks, and DDoS.

11.  Abuse and nefarious use of cloud services

Cybercriminals who are able to infiltrate a company’s cloud may use it to propagate malware and gain unauthorised access. They can piggyback on a corporate account to conduct illicit activities—including phishing, email spam, or mining cryptocurrency—without paying a cent.

CSA advice: Cloud providers should give clients tools to monitor the health of their file-sharing and storage apps and cloud workload. They also need an incident response framework that will allow their clients to report abuse. Cloud data loss prevention technologies can help monitor and stop unauthorised exfiltration (transfer or removal of data from servers).
