As the adoption of cloud technologies continues to thrive and grow, the associated problems and complications with regard to cloud security have come to the forefront. This is crucial because the vulnerability of cloud systems exposes not only customers’ Personally Identifiable Information (PII), but valuable corporate secrets, data, and proprietary information as well.
The accelerating demands of technology fostered by our digital age with the emergence of big data have rendered traditional storage systems inadequate for most organizations, in addition to demanding more sophisticated tools for data discovery and pattern recognition.
The cloud – or more appropriately, cloud computing – entails the delivery of software and occasionally hardware services through a network of remote servers over the internet.
In an analysis of over 135,000 organizations, the results show that globally, cloud adoption has reached 81% as measured by the use of cloud productivity platforms by enterprise organizations. And it appears to be a trend that is gaining steam exponentially with each passing year.
Gartner forecasts that by 2022, 90% of companies in the market will be using cloud services, generating a total value of $278.3 billion, with the fastest-growing segment being Infrastructure as a Service (IaaS).
However, the growing popularity of the cloud has also been accompanied by several security headaches. Although it is currently superseded by other issues, for a long while up to 90% of organizations cited security as their overriding concern with the public cloud.
Security of data deployed in the cloud is paramount among these concerns, as companies are increasingly under attack by lone hackers, criminal organizations, and even state-sponsored groups all jostling to steal sensitive corporate data.
Paradoxically, while organizations use cloud technology strategies to cut costs and reduce risk, the latter rationale is increasingly being challenged as hackers are becoming more adept at exploiting vulnerabilities in cloud systems.
According to the most recent Cloud Adoption, Practices and Priorities Survey Report produced by the Cloud Security Alliance (CSA), cybersecurity professionals view some of the top security issues plaguing companies on the cloud in this order: the proliferation of malware (63%), advanced persistent threats (53%), compromised accounts (43%), and insider threats (42%).
The general concerns organizations have regarding their cloud infrastructure usually center around the visibility and security of their data, control over its access, and enforcement of regulatory compliance.
To effectively secure their data on the cloud, companies first have to understand the potential points of failure through which their assets can be compromised.
This is the lens through which we’ll view cloud security issues.
But first, we’ll examine some cloud security stats.
Cloud Security Statistics
- As much as two-thirds of businesses and enterprises view cloud security as the biggest impediment to adoption
- Almost half of businesses (49%) don’t have their cloud databases encrypted, leaving their info vulnerable
- According to Unit 42 Cloud Security Trends, 29% of enterprises in the cloud have experienced potential account compromises
- Up to 27% of enterprises on the cloud permit root user activities
- Credential compromises are now more commonplace, with 41% of access keys remaining unchanged in the cloud in the past 90 days
- Cryptojacking, which usually targets public cloud environments, fell by 11%
- A meager 7% of companies have comprehensive visibility on their critical data on the cloud
- Compared to the above, only 58% acknowledge having only marginal control over their organization’s data in the cloud
- McAfee’s Cloud Adoption and Risk Report of 2019 details the following statistics: among all the files hosted on the cloud, 21% have sensitive data included in them
- This figure represents a 17% increase in the past two years
- Worldwide, 83% of businesses store sensitive data on the cloud
- With respect to global cloud use, 22% of users on the cloud routinely share files
- As much as 48% of files on the cloud eventually get shared
- A year-to-year rise of 53% was observed for the number of files containing sensitive data found on the cloud
- In a glimmer of good news, the report observed a 20% decline from the previous year on the Personally Identifiable Information (PII) deployed to the cloud
- Email services account for 20% of the sensitive data that passes through the cloud
- This volume has risen in the past two years by 59%
- Gartner predicts that by 2025, 99% of failures in cloud security will be the customer’s fault
A powerful model for cloud security: shared responsibility
Companies don’t get to just deploy their applications and data on the cloud then go about living happily-ever-after like a Disney movie. While cloud platforms provide most of the overarching security and protection required to safeguard data, individual companies that migrate their apps and resources to these platforms equally have a role to play in the protection of their assets.
McAfee shows how a shared responsibility model is used by cloud service providers to cover their own end of the cloud security spectrum and how much responsibility is devolved to the customers themselves. However, to comprehend how these responsibilities are shared, it is first necessary to understand how the cloud industry breaks down its categories:
- Software as a Service (SaaS): in this cloud framework, instead of installing the software on your own servers, SaaS enables you to rent and use software owned by other providers, delivered remotely, and usually for a monthly subscription fee.
- Infrastructure as a Service (IaaS): aimed at workloads that demand more computing horsepower; compute, storage, and networking capabilities are available for customers to rent on demand.
- Platform as a Service (PaaS): Encompasses a broad collection of middleware services and application infrastructures, such as application platform, integration, and database services.
As the table below depicts, whether the service provided is a software-as-a-service (SaaS) like Salesforce or infrastructure-as-a-service (IaaS) like Rackspace, there is a differentiation of tasks between the host cloud provider and the customer.
The subsequent segments list the most pressing security concerns facing SaaS, IaaS, and PaaS cloud frameworks. Most of the vulnerabilities and issues they face overlap, so you’ll see some commonalities in their descriptions, but we have provided context to highlight their nuanced differences.
Top 10 cloud SaaS (software-as-a-service) security issues:
The problems surrounding SaaS usually center on data and access to it. This is because, with the SaaS framework, the cloud shared security responsibilities invariably leave these two as the sole responsibility of the customer.
This makes sense since organizations should and do have the responsibility of determining and understanding what data is deployed to the cloud, the individuals allowed to access it, and what granular level of protection should be applied to it.
Understanding the role of the SaaS providers is important because they provide an access point to an organization’s processes and underlying data. Malicious attacks such as GoldenEye and XcodeGhost ransomware show that attackers are well aware that SaaS cloud providers are lucrative vectors through which larger assets can be attacked.
Below are some of the security issues usually keeping SaaS customers awake at night. They have an overriding theme of minimal control over the underlying infrastructure on which their processes are based:
- The inability to see or perceive what data resides within cloud applications.
- The inability to control and keep track of data both in transit to and from cloud applications.
- Malicious actors stealing data in cloud applications.
- Lack of total control over who can access sensitive data in the cloud.
- Shadow IT resulting from cloud applications being provisioned outside the view of IT staff.
- The current state of information technology is such that most organizations grapple with the lack of skilled staff to manage the security of cloud applications.
- The inability to prevent the misuse of data or outright theft by insiders.
- The challenge of maintaining regulatory compliance with assets and resources on the cloud.
- Organizations lack the ability to assess the security operations of their cloud service providers.
- Ever-present threats and attacks from malicious actors.
Cloud IaaS (infrastructure-as-a-service) security issues
The customer’s responsibilities go up several notches when they adopt IaaS. Since IaaS services now extend to applications, operating systems, and network traffic, protecting data becomes more critical as additional threats are introduced by these expanded attack vectors.
Hackers and malicious actors can mount a hostile takeover of these computing resources and use them as bots to launch attacks against third parties and other aspects of the enterprises’ infrastructure. Or, they might even use the computing resources to mine cryptocurrency, which normally requires substantial computing resources.
As a result of this multitude of potential threats and vulnerabilities, when companies are building their infrastructure in the cloud, they should be clear-eyed about evaluating their ability to adequately control access and prevent theft.
Some of the things to incorporate as action plans when deploying data and processes to an IaaS are the following:
- Track resource modifications in order to identify behavior that appears abnormal.
- Decide who is and is not qualified to enter data into the cloud.
- Harden and secure the orchestration tools that enable the automatic configuration, coordination, and management of computer systems.
- Analyze network traffic in both directions, north-south and east-west, in order to identify any potential signs of compromise.
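An added example (not part of the original article) of the first item above: comparing recent resource modifications against a baseline period to surface abnormal behavior. The audit-event schema, principal and action names, cutoff date, and burst threshold are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit trail: (time, principal, action, resource).
# Schema and action names are hypothetical, not any provider's real format.
EVENTS = [
    ("2024-05-01T09:10:00", "alice", "compute.instance.create", "vm-web-1"),
    ("2024-05-01T09:40:00", "alice", "compute.instance.create", "vm-web-2"),
    ("2024-05-02T14:05:00", "deploy-bot", "storage.bucket.update", "assets"),
    ("2024-05-03T10:20:00", "alice", "network.firewall.update", "fw-edge"),
    # Everything from CUTOFF onward is the window being examined.
    ("2024-05-08T02:01:00", "root", "iam.policy.update", "admin-policy"),
    ("2024-05-08T02:03:00", "deploy-bot", "network.firewall.update", "fw-edge"),
    ("2024-05-08T11:00:00", "alice", "compute.instance.create", "vm-a"),
    ("2024-05-08T11:05:00", "alice", "compute.instance.create", "vm-b"),
    ("2024-05-08T11:10:00", "alice", "compute.instance.create", "vm-c"),
    ("2024-05-08T11:15:00", "alice", "compute.instance.create", "vm-d"),
    ("2024-05-08T11:20:00", "alice", "compute.instance.create", "vm-e"),
    ("2024-05-09T09:00:00", "alice", "network.firewall.update", "fw-edge"),
]
CUTOFF = datetime(2024, 5, 8)
BURST_FACTOR = 2  # assumed: alert above 2x a principal's baseline hourly peak


def hour_bucket(ts):
    """Truncate a timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def detect(events, cutoff, burst_factor=BURST_FACTOR):
    """Return alerts for post-cutoff events that deviate from the baseline."""
    parsed = [(datetime.fromisoformat(t), p, a, r) for t, p, a, r in events]
    baseline = [e for e in parsed if e[0] < cutoff]
    recent = [e for e in parsed if e[0] >= cutoff]

    # Baseline: which principal performs which action, and how fast at peak.
    known_pairs = {(p, a) for _, p, a, _ in baseline}
    peak = defaultdict(int)
    for (p, _), n in Counter((p, hour_bucket(t)) for t, p, _, _ in baseline).items():
        peak[p] = max(peak[p], n)

    alerts = []
    for _, p, a, r in recent:
        if p == "root":
            # Root should not be making routine changes at all.
            alerts.append(("root-activity", p, a, r))
        elif (p, a) not in known_pairs:
            # A principal doing something it never did in the baseline.
            alerts.append(("new-action-for-principal", p, a, r))

    recent_hourly = Counter((p, hour_bucket(t)) for t, p, _, _ in recent)
    for (p, hour), n in sorted(recent_hourly.items()):
        # Principals with no baseline are already covered by the rule above.
        if peak[p] and n > burst_factor * peak[p]:
            alerts.append(("burst", p, f"{n} changes in one hour", hour.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, CUTOFF):
        print(alert)
```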
Below are some of the standard security concerns faced with IaaS cloud infrastructure deployments at scale:
Top 10 cloud IaaS (infrastructure-as-a-service) security issues:
- The threat of malicious actors stealing data hosted in the cloud infrastructure.
- Shadow IT resulting in the creation of accounts and cloud workloads outside of traditional IT visibility.
- Lack of control over who can access sensitive data on the infrastructure.
- Difficulty preventing theft by criminals intent on stealing or misusing data.
- Inadequate personnel with IT skills to secure cloud infrastructure.
- The specter of advanced persistent threat attacks mounted on the cloud infrastructure.
- Inability to see what data resides in the cloud.
- Inability to clearly monitor cloud workload applications and systems for vulnerabilities.
- The ever-present possibility of a lateral spread attack migrating from one cloud workload to another.
- The challenge of implementing consistent security controls that oversee both on-premise and multi-cloud environments.
In the shared responsibility model table depicted at the beginning of this segment, the only thing that separates PaaS and SaaS is the fact that the customer’s applications fall under the purview of the cloud provider’s responsibility for SaaS, while they don’t for PaaS.
As a result, we didn’t see any need to duplicate the cloud security risks of PaaS since almost all are covered under SaaS, and the cloud security implications for the application can be deduced from IaaS.
Relevant factors in deciding between the public or private cloud
The decision process involved in choosing either to go with the public or private cloud often hinges on the level of fine-grained control an organization desires over their cloud resources.
Private cloud models provide more levels of micro-control; therefore they provide a level of supplementary protection that compensates for the other downsides and limitations of using a private cloud.
On the flip side, however, maintaining that level of fine-tuned control creates more complexity beyond what exists in public cloud environments.
This is because, like most products designed for the general public, public cloud providers take it upon themselves to maintain most of the infrastructure themselves. They employ abstraction of controls in order to simplify security management, which in turn reduces the overall complexity of the underlying system.
Top 5 security issues facing private cloud systems:
- Increased level of infrastructural complexity that results in more time and effort for maintenance and implementation.
- Inadequate staff with the requisite skills to manage the level of security necessary for a software-defined data center that encompasses networking, storage, and virtual computing capabilities.
- Insufficient security controls that span from traditional servers to private, virtualized cloud infrastructures.
- Dealing with advanced attacks and threats.
- Inadequate security controls for both virtualized private cloud infrastructures and traditional servers.
The most common cloud computing security risks
Although there are several security issues arising from cloud computing, the benefits still overwhelmingly outweigh the risks. The security concerns detailed below should be top-of-mind for organizations intent on avoiding falling prey to malign actors who are fixated on exploiting them.
1. Distributed Denial-of-Service Attacks (DDoS)
Initially, it was difficult to perpetrate this type of attack on cloud computing platforms. This was due to the sheer amount of resources cloud computing services handled, which made it extremely hard to successfully initiate DDoS attacks against them.
However, this all changed with the advent of the Internet-of-Things (IoT), along with the proliferation of smartphones and other similar computing devices, which have made mounting a DDoS attack much more viable. Hackers can now employ these devices like foot-soldiers to initiate enough traffic to overwhelm cloud platforms.
2. Compromise through shared cloud computing services
Although most cloud platforms are now sophisticated enough to provide adequate security between clients on shared hosting, the risk still exists that insufficient delineation might result in the leaking of shared resources.
This can, therefore, allow threats that originate from one client to permeate across to other clients within the cloud computing service. As a result, threats that start with one client can easily impact others.
3. Insider threat from employee negligence
Employee mistakes and negligence are among the most vexing security issues confronting cloud computing systems. Lax security practices can create vulnerabilities for companies, for example when employees log in to their organization’s cloud infrastructure using their mobile phones and home tablets, thereby leaving a vulnerable access point through which the organization can be compromised.
4. Inadequate backups and data loss
When attacks like ransomware strike, an organization had better have adequately backed-up and recent data files. Criminals use ransomware to “lock up” an organization’s data in encrypted files.
Without an adequate, up-to-date system backup, companies are vulnerable in the event that ransomware or system failure strikes. Companies cannot afford to call the bluff of these criminals and so would have to heed their demands if they want to recover their data.
To avoid this cloud threat, companies should ensure that they regularly and periodically back up their data and mandate that proper data syncing is in place.
5. The hijacking of accounts
The adoption of the cloud in many organizations has opened up a whole new set of security issues. One of these is account hijacking, which provides attackers with the avenue to use a firm’s employees’ login information to remotely access corporate data and resources on the cloud.
Once inside the corporate cloud network, malicious actors can then use these hijacked credentials to manipulate, falsify, and steal information. In addition, this method has the added bonus of hiding the identity of the true perpetrators.
What makes this a potent security issue is that there are several means through which hackers can hijack accounts, such as deploying phishing, keylogging, and buffer overflows. The most common of these security exploits is the cross-site scripting (XSS) attack.
Amazon, one of the premier public cloud services, faced such an attack when perpetrators used XSS to steal the session IDs that granted users access to their accounts once they entered their credentials and were logged in to the main Amazon.com page. Worse still, the users whose accounts had been compromised were blissfully unaware that anything nefarious had happened.
“Man in the Cloud” (MITC) attacks are gaining a lot of notoriety as the most notable new threat facing cloud-based systems. MITC attacks target cloud storage systems, and the technique is quite innovative because it potentially grants hackers access to data from systems such as Dropbox or OneDrive through their syncing without ever requiring them to possess the user’s login credentials.
6. Malware injection attacks
These are malicious program scripts that masquerade as “valid code” and that malign actors inject to be executed within cloud services. This nefarious code is viewed by the cloud system as part of the normal software service code and therefore executes with disastrous results.
7. System vulnerabilities
System vulnerabilities due to exposure from third-party applications are usually prolific sources of trouble for cloud computing services, especially those with complex infrastructures. Incorporating third-party software is almost impossible to avoid in software development, and organizations that embed these third-party applications don’t have any control over their source code.
As a result, once vulnerabilities from these third parties are discovered, they can easily be weaponized against the companies that use them.
8. Insufficient due diligence
Not adequately performing due diligence is mostly a non-technical, people-oriented factor. It is similar to insider threats due to employee negligence presented earlier. This concern usually presents a security issue when companies migrate to the cloud too quickly and without having a clear plan of action.
9. Insecure APIs
Application programming interfaces are computing interfaces or software intermediaries that define and allow interactions between multiple software applications.
In the context of the cloud, they allow both users and personnel to customize some features of the cloud to meet regulatory compliance, fit business needs, and provide authentication, encryption, and a host of other requirements. While the purpose of APIs is to provide better service to those that deploy them, some of them are focused more on business needs than on being securely designed.
Consequently, these insecure APIs are a veritable source of risk exposure that might prove catastrophic when developed for sensitive or mission-critical applications like financial services.
The cloud and its associated software services encompass internet-based platforms that provide data storage, data security, software-as-a-service applications, with increased flexibility and collaboration.
Global cloud adoption has been proceeding at a torrid pace. The reason for this massive migration is that organizations want to reap such benefits as paying lower fixed costs, the convenience of automatic software updates, and the freedom from a centralized location, which in turn fosters remote work, along with increased collaboration and flexibility.
However, the benefits of cloud-based services are tempered by the security issues surrounding cloud use and deployment. Therefore, understanding the risks associated with cloud usage and how to mitigate them is paramount for companies to gain their full benefits.