While cloud adoption comes with a lot of business benefits, it has challenges and threats that are hard to ignore
Cloud computing is experiencing a significant growth over the last few years due to its rapid adoption among various regions and industry verticals across the globe. By deploying cloud solutions, organizations are benefiting in numerous ways, such as cost reduction of total ownership, increased flexibility of IT implementation, increased collaboration, work from anywhere and at any time, increased competitiveness and reduced time to go-to-market with a new product or service.
According to a study by the Cloud Security Alliance (CSA), 33% of organizations have a “full steam ahead” attitude toward cloud services and 86% of companies spend at least part of their IT budget on cloud services.
Organizations use cloud in different service models, such as Infrastructure as a Service (IaaS), Platform as a service (PaaS) and Software as a Service (SaaS). There services are deployed either as public, private or hybrid cloud.
While cloud adoption comes with a lot of business benefits, it has its own challenges and threats that are hard to ignore.
As per Gartner’s Top 10 Security Predictions for 2016, “By 2018, the need to prevent data breaches from public clouds will drive 20% of organizations to develop data security governance programs.”
Gartner recommends developing enterprise-wide data security governance (DSG) program by identifying data security policy gaps, developing a roadmap to address the issues and seek cyberinsurance when appropriate.
The study further states that “By 2020, 80% of new deals for cloud-based CASB will be packaged with network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms.”
However, there are a few key challenges that pose a threat to the adoption of cloud on a large scale:
Data Breach & Data Loss
Organizations face a number of data security breaches today, not only covering traditional security threats, such as network eavesdropping, illegal invasion, and denial of service attacks, but also specific cloud computing threats, such as side channel attacks, virtualization vulnerabilities and abuse of cloud services.
A data breach is an incident in which sensitive, protected or confidential information is released, viewed, stolen or used by an individual who is not authorized to do so. This may lead to loss of personal information, customer information, financial information as well as information related to intellectual property or trade secrets. Other indirect damage caused by such data breaches are brand reputational damage, loss of business, fines or lawsuits.
Although cloud providers deploy security controls to protect their environments, organizations are responsible for protecting their own data in the cloud. According to CSA report, the best protection against data breach is an effective security program. Two important security measures that can help companies stay secure in the cloud are multifactor authentication and encryption.”
Compromised credentials due to insufficient identity and access management
Many authentication systems, such as one-time passwords, RSA-based authentication and smartcards, protect cloud services because they make it harder for hackers to log in with passwords. The Anthem breach, which exposed more than 80 million customer records, was the result of stolen user credentials since Anthem failed to deploy multifactor authentication, as a result of which the hackers were able to steal the credentials.
Most of the data breaches are a result of weak passwords, poor encryption keys or embedding of credentials in source code by developers.
Since the cloud is accessible by anyone with the proper credentials from anywhere through an Internet connection, it opens a wide array of entry and exit points, all of which need to be protected to make sure that data transmitted to and from these points are secure. Cryptographic keys, including TLS certificates, keys used to protect access to data and keys used to encrypt data at rest must be rotated periodically.
Insecure Interfaces and APIs
Almost all cloud services or applications deal with application programming interfaces (APIs) or provide user interfaces (UI) for customers to manage their administrative work. Such interfaces become a target for hackers. It is, therefore, critical that these interfaces must be designed in such a manner that they ensure strong authentication and access control mechanism.
To protect against malicious attacks, in addition to security-specific code reviews, rigorous penetration testing also becomes an additional requirement.
Hacking of accounts through methods, such as phishing, fraud, exploitation of software vulnerabilities and stealing passwords is not new and has been there since the advent of Internet. Since passwords and credentials are reused quite often, cloud applications are also commonly prone to account hacks. If an attacker gains access to your account, he/she can do eavesdrop on your activities and transactions, manipulate data, and use your credentials for malicious activities.
As per CSA recommendations, organizations should look to prohibit the sharing of account credentials among users and services and leverage strong two-factor authentication techniques where possible. All accounts and account activities should be monitored and traceable to a human owner. The key is to protect account credentials from being stolen.
One should also ensure not to store any passwords in applications, keep changing passwords frequently and ensure passwords are strong and not easily hackable.
Advanced Persistent Threats & Denial of Service
Advanced security threats and denial of service attacks have gained prominence with the increased adoption of cloud computing. Such attacks are now more targeted and stealthy.
They no longer focus on denial of service alone, but on the valuable data residing in the cloud, datacenter and applications/databases leading to permanent data loss and impact on availability. Common points of entry include spear phishing, direct attacks, USB drives preloaded with malware, and compromised third-party networks.
Awareness programs that are regularly reinforced are one of the best defenses against these types of attacks, because many of these vulnerabilities require user intervention or action.
To conclude, a cloud provider must have an incident response framework to address misuse of resources, as well as handle such attacks. A cloud provider should include relevant controls that allow a customer to monitor the health of their cloud workload.
Cloud computing can be seen as a new phenomenon that is being seen as a key security trend in 2017. Hence, any organization moving into cloud should do a thorough risk assessment before it exposes itself to a myriad of commercial, financial, technical, legal, and compliance risks that can jeopardize its success. They should define a strategy for moving applications/datacenters into cloud and plan a phased approach rather than a big-bang move from the legacy way of working.
Additionally, due diligence must be done to engage the right service providers and choose an appropriate deployment model noting the business specific data privacy, data security, legal and regulatory compliance requirements. Service Level Agreements (SLAs) with cloud service providers must ensure mechanisms to prevent data loss, detect fraud, encryption and multi-factor authentication and authorization of users.
Meetali Sharma is Corporate Risk, Compliance & Security Leader at SDG Software India. She has over 15 years of experience in the IT and security space.