The volume of public cloud utilization is growing rapidly, and that inevitably leads to a greater body of sensitive data that is potentially at risk.
Contrary to what many might think, the main responsibility for protecting corporate data in the cloud lies not with the service provider but with the cloud customer. We are in a cloud security transition period in which focus is shifting from the provider to the customer.
The report's stated goal is to provide organizations with an up-to-date understanding of cloud security concerns so they can make educated decisions regarding cloud adoption strategies.
The report reflects the current consensus among security experts about the most significant security issues in the cloud. While there are many security concerns in the cloud, this list focuses on 11 specifically related to the shared, on-demand nature of cloud computing.
To identify the top concerns, we conducted a survey of industry experts to compile professional opinions on the greatest security issues within cloud computing. Here are the top cloud security issues (ranked in order of severity per survey results):
The threat of data breaches retains its number one ranking in the survey from last year. It’s easy to see why. Breaches can cause great reputational and financial damage. They could potentially result in loss of intellectual property (IP) and significant legal liabilities.
Attackers want data, so businesses need to define the value of their data and the impact of its loss.
Who has access to data is a key question to resolve to protect it.
Internet-accessible data is the most vulnerable to misconfiguration or exploitation.
Encryption can protect data, but with a trade-off in performance and user experience.
Businesses need robust, tested incident response plans that take cloud service providers into account.
This is a new threat to the list, and not surprising given the many examples of businesses accidentally exposing data via the cloud. For example, the Exactis incident where the provider left an Elasticsearch database containing personal data of 230 million consumers publicly accessible due to misconfiguration. Just as damaging was the case where Level One Robotics exposed IP belonging to more than 100 manufacturing companies thanks to a misconfigured backup server.
It’s not just the loss of data that companies have to worry about here, but deletion or modification of resources done with the intent to disrupt business. The report blames poor change control practices for most of the misconfiguration errors.
The complexity of cloud-based resources makes them difficult to configure.
Don’t expect traditional controls and change management approaches to be effective in the cloud.
Use automation and technologies that scan continuously for misconfigured resources.
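The kind of continuous scan the last takeaway calls for, as an added example that is not from the article or the CSA report: it walks a constructed resource inventory (the record layout and resource names are assumptions for this example, not any provider's real API output) and reports anything reachable from the internet, covering the public data store, public-ACL bucket and world-open firewall rule cases described above.

```python
import ipaddress

# Constructed sample inventory (hypothetical resource names and values).
INVENTORY = [
    {"id": "consumer-search", "type": "search_cluster",
     "public_endpoint": True, "auth_required": False},
    {"id": "backups", "type": "object_store", "acl": "public-read"},
    {"id": "payroll", "type": "object_store", "acl": "private"},
    {"id": "db-sg", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 9200},
                 {"cidr": "10.0.0.0/8", "port": 5432}]},
    {"id": "web-sg", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
]

# World-open ingress on these ports is expected for a web tier; anything
# else open to the whole internet is reported.
ALLOWED_PUBLIC_PORTS = {80, 443}

def is_world_open(cidr):
    """True when the CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_exposed(inventory):
    """Return (resource id, reason) pairs for internet-reachable resources."""
    findings = []
    for r in inventory:
        t = r["type"]
        if t == "object_store" and r.get("acl", "private") != "private":
            findings.append((r["id"], "acl %s" % r["acl"]))
        elif t == "search_cluster" and r.get("public_endpoint") and not r.get("auth_required"):
            findings.append((r["id"], "public endpoint without authentication"))
        elif t == "security_group":
            for rule in r.get("ingress", []):
                if is_world_open(rule["cidr"]) and rule["port"] not in ALLOWED_PUBLIC_PORTS:
                    findings.append((r["id"], "%s open to port %d" % (rule["cidr"], rule["port"])))
    return findings

if __name__ == "__main__":
    for rid, why in find_exposed(INVENTORY):
        print("EXPOSED", rid, why)
```

Run on a schedule against a fresh inventory export, the findings list is what a change-control gate or ticketing integration would act on.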
This problem is as old as the cloud. The desire to minimize the time needed to migrate systems and data to the cloud usually takes precedence over security. As a result, the company becomes operational in the cloud using security infrastructure and strategies that were not designed for it. The fact that this showed up on the list for 2020 indicates that more companies recognize it as a problem.
The security architecture needs to align with business goals and objectives.
Develop and implement a security architecture framework.
Keep threat models up to date.
Deploy continuous monitoring capability.
Another threat new to the list is inadequate access management and control around data, systems and physical resources like server rooms and buildings. The report notes that the cloud requires organizations to change practices related to identity and access management (IAM). Failing to do so, according to the report, could result in security incidents and breaches caused by:
Inadequately protected credentials
Lack of automated rotation of cryptographic keys, passwords and certificates
Lack of scalability
Failure to use multi-factor authentication
Failure to use strong passwords
Secure accounts, including the use of two-factor authentication.
Use strict identity and access controls for cloud users and identities; in particular, limit the use of root accounts.
Segregate and segment accounts, virtual private clouds and identity groups based on business needs and the principle of least privilege.
Take a programmatic, centralized approach to key rotation.
Remove unused credentials and access privileges.
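An audit that checks a credential inventory against the IAM takeaways above (MFA for users, no access keys on root, periodic key rotation, removal of idle credentials), as an added example that is not the report's or the article's own code. The record layout, the 90-day rotation and 60-day idle thresholds, and the principal names are assumptions made for this example.

```python
from datetime import date, timedelta

TODAY = date(2020, 3, 1)           # fixed "now" so the results are repeatable
MAX_KEY_AGE = timedelta(days=90)   # rotation policy assumed for this example
MAX_IDLE = timedelta(days=60)      # keys unused this long should be removed

# Constructed sample inventory of principals (hypothetical names and dates).
PRINCIPALS = [
    {"name": "root", "is_root": True, "mfa": True,
     "keys": [{"id": "k-root", "created": date(2019, 1, 10), "last_used": date(2020, 2, 25)}]},
    {"name": "alice", "is_root": False, "mfa": True,
     "keys": [{"id": "k-a1", "created": date(2020, 1, 15), "last_used": date(2020, 2, 28)}]},
    {"name": "bob", "is_root": False, "mfa": False,
     "keys": [{"id": "k-b1", "created": date(2019, 6, 1), "last_used": date(2019, 12, 1)}]},
    {"name": "deploy-bot", "is_root": False, "mfa": False, "service": True,
     "keys": [{"id": "k-d1", "created": date(2019, 11, 20), "last_used": date(2020, 2, 29)}]},
]

def audit(principals, today=TODAY):
    """Return a sorted list of (principal, finding) pairs."""
    findings = []
    for p in principals:
        # Human users must have MFA; service identities cannot, so they are
        # covered by the key-age and key-use checks instead.
        if not p["mfa"] and not p.get("service"):
            findings.append((p["name"], "mfa missing"))
        # Root should be reserved for break-glass use and hold no API keys.
        if p["is_root"] and p["keys"]:
            findings.append((p["name"], "root has access keys"))
        for k in p["keys"]:
            if today - k["created"] > MAX_KEY_AGE:
                findings.append((p["name"], "rotate %s" % k["id"]))
            if today - k["last_used"] > MAX_IDLE:
                findings.append((p["name"], "remove unused %s" % k["id"]))
    return sorted(findings)

if __name__ == "__main__":
    for who, what in audit(PRINCIPALS):
        print(who, what)
```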
Account hijacking remains the fifth biggest cloud threat this year. As phishing attempts become more effective and targeted, the risk of an attacker gaining access to highly privileged accounts is significant. Phishing is not the only way an attacker can gain credentials. They can also acquire them by compromising the cloud service itself or stealing them through other means.
Once an attacker can enter the system using a legitimate account, they can cause a great deal of disruption, including theft or destruction of important data, halting service delivery, or financial fraud. We recommend educating users on the dangers and signs of account hijacking to minimize the risk.
Don’t just do a password reset when account credentials are stolen. Address the root causes.
A defense-in-depth approach and strong IAM controls are the best defense.
Threats from trusted insiders are just as serious in the cloud as they are with on-premises systems. Insiders can be current or former employees, contractors, or a trusted business partner—anyone who doesn’t have to break through a company’s defenses to access its systems.
An insider does not need to have malicious intent to do damage; they could unintentionally put data and systems at risk. The Ponemon Institute’s 2018 Cost of Insider Threats study states that 64% of all reported insider incidents were due to employee or contractor negligence. That negligence could include misconfigured cloud servers, storing sensitive data on a personal device, or falling victim to a phishing email.
Conduct employee training and education on proper practices to protect data and systems. Make education an ongoing process.
Regularly audit and fix misconfigured cloud servers.
Restrict access to critical systems.
Falling to number seven from number three last year, insecure interfaces and APIs are a common attack vector, as Facebook knows. In 2018, the social media service experienced a breach that affected more than 50 million accounts that was the result of a vulnerability introduced in its View As feature. Especially when associated with user interfaces, API vulnerabilities can give attackers a clear path to stealing user or employee credentials.
The report says organizations need to understand that APIs and user interfaces are often the most exposed parts of a system, and it encourages a security by design approach to building them.
Employ good API practices such as oversight of items like inventory, testing, auditing and abnormal activity protections.
Protect API keys and avoid reuse.
Consider an open API framework such as the Open Cloud Computing Interface (OCCI) or Cloud Infrastructure Management Interface (CIMI).
A control plane encompasses the processes for data duplication, migration and storage. The control plane is weak if the person in charge of these processes does not have full control over the data infrastructure’s logic, security and verification. The controlling stakeholders need to understand the security configuration, how data flows, and the architectural blind spots or weaknesses. Failure to do so could result in data leakage, unavailability of data, or data corruption.
Make sure the cloud service provider offers the security controls needed to fulfill legal and statutory obligations.
Perform due diligence to ensure the cloud service provider possesses an adequate control plane.
A cloud service provider’s metastructure holds security information on how it protects its systems, and it discloses that information via API calls. CSA calls the metastructure the cloud service provider/customer “line of demarcation” or “waterline.” The APIs help customers detect unauthorized access, but also contain highly sensitive information such as logs or audit system data.
This waterline is also a potential point of failure that could give attackers access to data or the ability to disrupt cloud customers. Poor API implementation is often the cause of a vulnerability. It’s been noted that immature cloud service providers might not know how to properly make APIs available to their customers, for example.
Customers, on the other hand, might not understand how to properly implement cloud applications. This is particularly true when they connect applications that were not designed for cloud environments.
Make sure the cloud service provider offers visibility and exposes mitigations.
Implement appropriate features and controls in cloud-native designs.
Make sure the cloud service provider conducts penetration testing and provides findings to customers.
A common complaint among security professionals is that a cloud environment makes them blind to much of the data they need to detect and prevent malicious activity. We break down this limited usage visibility challenge into two categories: Unsanctioned app use and sanctioned app misuse.
Unsanctioned apps are essentially shadow IT—applications employees use without permission or support of IT or security. Any app that does not meet corporate guidelines for security represents a risk that the security team might be unaware of.
Sanctioned app misuse might be an authorized person using an approved app or an external threat actor using stolen credentials. Security teams need to be able to tell the difference between valid and invalid users by detecting out-of-norm behaviors.
Develop a cloud visibility effort from the top down that ties into people, processes, and technology.
Conduct mandatory company-wide training on accepted cloud usage policies and enforcement.
Have the cloud security architect or third-party risk management personnel review all non-approved cloud services.
Invest in a cloud access security broker (CASB) or software-defined gateways (SDG) to analyze outbound activities.
Invest in a web application firewall to analyze inbound connections.
Implement a zero-trust model across the organization.
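The out-of-norm detection described above for telling a legitimate user from someone using their stolen credentials (the account hijacking and sanctioned app misuse cases), as an added example that is not from the article or the CSA report: it learns each user's usual countries and user agents from a baseline window of constructed access-log lines, then flags later events outside that profile. The log format, user names and documentation IP ranges are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical users, documentation IP ranges).
LOG = """\
2020-02-03T08:10:00Z user=alice ip=203.0.113.5 geo=US agent=Chrome action=login
2020-02-04T08:12:00Z user=alice ip=203.0.113.5 geo=US agent=Chrome action=download
2020-02-05T18:40:00Z user=bob ip=198.51.100.7 geo=DE agent=Firefox action=login
2020-02-06T09:01:00Z user=alice ip=203.0.113.9 geo=US agent=Chrome action=login
2020-02-20T03:15:00Z user=alice ip=192.0.2.44 geo=RU agent=curl action=login
2020-02-20T03:16:00Z user=alice ip=192.0.2.44 geo=RU agent=curl action=download
2020-02-21T18:30:00Z user=bob ip=198.51.100.7 geo=DE agent=Firefox action=login
"""
LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) geo=(?P<geo>\S+) "
                  r"agent=(?P<agent>\S+) action=(?P<action>\S+)")

def parse(log):
    """Parse the key=value lines above into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, log.splitlines()) if m]

def build_baseline(events, until):
    """Per-user sets of geos and agents seen in events timestamped before `until`."""
    base = defaultdict(lambda: {"geo": set(), "agent": set()})
    for e in events:
        if e["ts"] < until:  # ISO-8601 UTC strings compare correctly as text
            base[e["user"]]["geo"].add(e["geo"])
            base[e["user"]]["agent"].add(e["agent"])
    return base

def detect(events, baseline, since):
    """Flag events at or after `since` whose geo or agent is new for that user."""
    alerts = []
    for e in events:
        if e["ts"] < since:
            continue
        prof = baseline.get(e["user"])
        reasons = []
        if prof is None:
            reasons.append("no baseline for user")
        else:
            if e["geo"] not in prof["geo"]:
                reasons.append("new geo %s" % e["geo"])
            if e["agent"] not in prof["agent"]:
                reasons.append("new agent %s" % e["agent"])
        if reasons:
            alerts.append((e["ts"], e["user"], e["action"], ", ".join(reasons)))
    return alerts
```

A CASB or SIEM would feed real logs into the same two steps; the point is that bob's routine logins produce nothing while alice's sudden new country and scripted client are surfaced, download included.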
Attackers are increasingly using legitimate cloud services to support their activities. For example, they might use a cloud service to host disguised malware on sites like GitHub, launch DDoS attacks, distribute phishing email, mine digital currency, execute automated click fraud, or carry out a brute-force attack to steal credentials.
Cloud service providers should have mitigations in place to prevent and detect abuse such as payment instrument fraud or misuse of cloud services. It’s also important for cloud providers to have an incident response framework in place to respond to misuse and allow customers to report misuse.
Monitor employees’ cloud usage for abuse.
Employ cloud data loss prevention (DLP) solutions to monitor and stop data exfiltration.