Security is both a benefit and a concern for enterprises when it comes to cloud computing. On the one hand, Datamation found in its State of the Cloud, 2019 survey that many organizations are moving to the cloud because they found that cloud-service providers (CSPs) offer better all-around security than they could achieve by themselves. Specifically, Datamation noted that CSPS “not only hire the top security experts, they have a lot more data to use for machine learning, to proactively stop security threats.” On the other hand, the cloud sparks privacy and data concerns for many organizations. Seventy-seven percent of respondents to RightScale’s 2018 State of the Cloud Report said cloud security was their top challenge, for example. Along those same lines, nine in ten security professionals who responded to a 2018 Crowd Research Partners survey said they were worried about achieving and maintaining security in the cloud. Organizations clearly want to enjoy the cloud for its security benefits. Before they can do that, however, they need to familiarize themselves and craft a proper response to some of the most salient cloud-based threats. Let’s help them by examining four of these risks below.
1. Data Breach
With organizations turning to the cloud to store business-critical data, bad actors are increasingly looking to compromise cloud service providers. It’s no surprise why. A successful hack could net them the personal and/or financial information for hundreds and millions of users. They could then abuse those to commit identity fraud or monetize them on the dark web. Such exposure could damage affected companies’ reputations and force them to assume responsibility for legal fees, complimentary identity monitoring subscriptions and replacement payment cards. The threat of a cloud data breach is troubling because organizations are ultimately responsible for protecting their customers’ information regardless of where they store it. Enterprises must, therefore, trust that their CSP has implemented adequate security measures to prevent a breach. By extension, companies that don’t research their CSP won’t know what safeguards it’s implemented to help protect their customers’ data. They might also lack insight into what steps they could take to keep their customers’ data safe in the event of an incident involving their CSP.
2. Lack of/Weak Identity Access Management and/or Authentication
Malicious actors use various techniques to crack into organizations’ protected systems. Some tactics are more prevalent than others. In its 2018 Data Breach Investigations Report, for instance, Verizon Enterprise found that “81% of hacking-related breaches leveraged either stolen and/or weak passwords.” Organizations aren’t powerless to defend against these types of security incidents. Using multi-factor authentication (MFA), they can protect cloud-hosted data and assets even if digital attackers have compromised a privileged set of credentials. They can also use identity access management (IAM) to define the scope of access to work-related resources for each authenticated account as well as monitor for suspicious activity that violates those expectations. In the absence of these controls, organizations place themselves in a difficult position. They won’t be able to prevent bad actors from authenticating themselves using stolen credentials. Furthermore, they won’t be able to deter things like insider threats, lateral movement and data exfiltration, as they won’t have any say on what an authenticated account can and cannot do.
3. Data Loss
Not every bad actor who gains access to a cloud service provider’s saved information wants to abuse or monetize it. A hacker’s sole mission might be to delete the information. In the absence of backups and other security measures, data loss could spell disaster for the enterprise or even threaten its longevity in the event something happens to its intellectual property. Digital attacks aren’t the only causes of data loss in the cloud. Sometimes technical issues can also inadvertently result in data loss. What happened to Microsoft Azure customers in early 2019 illustrates this perfectly. On January 29, the tech giant’s cloud service suffered an outage in which internal code customers’ databases that used KeyVault keys for Transparent Data Encryption (TDE). Microsoft ultimately restored customer data from a snapshot taken five minutes before the incident began. But as The Register notes in its reporting, customers might have still lost transactions, updates, orders or other important data events that took place during that window. Ultimately, CSPs make use of servers and hard drives like anyone else. It doesn’t happen all that often, but sometimes these technologies fail. Service providers can usually recover that data, but as Microsoft’s outage illustrates, companies should still take extra precautions with their data.
4. Lack of Due Diligence
Whenever enterprises adopt new technology such as the cloud, they need to do so with their business strategies and assets in mind. It’s therefore important that organizations take the time to do their due diligence and evaluate how a service or technology fits into their business road map. Failure to do so could spell trouble. For instance, organizations might decide to roll out a new application that relies on their CSP to operate at an optimum level. But the service offered by the app might not be a priority for the provider, and issues could arise in obtaining the necessary operational and architectural support for the new technology. Legal and compliance complications could also arise from storing customers’ information in the cloud, issues which could result in fees and other penalties.
Hope for the Future
Every organization should address the threats of data breaches, insufficient IAM and/or authentication, data loss and a lack of due diligence before migrating to the cloud. They should take two steps as part of this risk management process. First, they should confirm that their CSP implements safeguards 24/7 monitoring and other multi-layered security measures to protect companies’ data. Second, they should use security measures like encryption, IAM and data backups to protect their information that’s slated for storage in the cloud. These efforts will help make sure their information is safe even in the event their CSP suffers a security incident. Enterprises might also want to consider using a hybrid cloud to store their data. This type of cloud computing arrangement makes use of on-premises, private cloud and third-party public cloud services. As such, the mixed infrastructure allows businesses to enjoy the benefits of the cloud while also preserving their on-site responsibility for safeguarding their information.
