The Security Risks of Cloud Computing
- By Alison OLeary
- Apr 14, 2022
Most people who use the internet have some of their data "in the cloud." But what is cloud storage? It sounds like a space-age concept, but it simply means the data is off-site, on servers elsewhere.
Data can be in the cloud if:
- You subscribe to a remote backup service to save your files.
- You use a specific service such as Flickr to save certain data types, like images.
- Your email is on a remote server that can be accessed from any internet-connected computer.
- Companies you do business with save your data that way.
If you've ever dropped a computer and damaged the hard drive so severely that you can't retrieve information from it, cloud storage sounds like a great idea, but cloud storage security is a significant consideration. Who can access your cloud data? Is it safe from hackers? Much depends on the companies that you do business with and the cloud services they use to host their products.
There's a lot more to cloud computing than having your photos and files stored in such a way that you can retrieve them remotely. The data you send to the cloud via your remote email server, your file backup system, and your data storage provider are just the tip of the iceberg when it comes to information in the cloud. Your insurance, banking, online shopping, streaming services, investments, medical files, and credit card transactions all likely pass through the cloud. And companies are competing to handle more data that way.
Why is Cloud Computing so Popular?
Cloud computing services seem like the perfect solution to so many companies' needs, from nearly unlimited capacity to universal access to a more extensive customer base. The convenience makes it easy to overlook any potential flaws in this new opportunity. Yet it could be costly, both financially and in lost data.
Cloud computing usually includes the following components (clients may not use all of them):
- Runtime cloud.
Companies are adopting cloud services (called migrating to the cloud) at high rates, according to a 2021 survey. Many are doing so incrementally, contributing to staggering statistics: 90 percent of enterprise businesses are cloud-based. The industry could hit $623 billion by 2023. For comparison, the U.S. Department of Defense's $10 billion cloud computing contract, which attracted attention from the biggest names in computing, has been snarled in controversy for several years. Major bidders Microsoft and Amazon each filed lawsuits over alleged unfair practices in awarding the contract.
Cloud services allow companies to offer customers their software and services without needing on-site physical infrastructure, which is a considerable saving over traditional business methods.
What is the Shared Responsibility Model?
Cloud computing certainly makes things easier. At first glance, the host handles everything, and you just do what you want. It's understandable to think that they take on the entire burden of security as well. However, that isn't the case.
The "shared responsibility model" describes how Cloud Service Providers (CSPs) and their customers work together to secure a cloud environment. It outlines the areas where each party should implement their own security measures for a tightly woven net.
In this model, CSPs must secure vital infrastructure. They ensure the cloud platform's resilience and maintain end-user accessibility at all times.
On the other hand, customers are responsible for securing their data and applications within the cloud. This involves tasks like configuring access controls, data encryption, and managing user identities.
Customers must also comply with each country's information laws, and each user must work to protect their credentials against bad actors.
How Secure Is Cloud Data?
Cloud data security is in the hands of the companies that run cloud services. Those companies are usually three steps removed from ordinary people whose data is processed in the cloud.
Individuals control only a small amount of their data sent through cloud computing and cloud storage systems. Unless you pay bills by writing paper checks, don't have credit cards, see a country doctor who doesn't use centralized medical records and billing software, and don't use a smartphone, your data is shared by many cloud services that make business systems work.
For instance, your medical data is likely uploaded to a cloud-based database by a doctor's office that uses a cloud-based software product. The security of the data is the responsibility of the cloud host, not so much the software company or the doctor's office.
The Weak Points of Cloud Computing
Cloud computing allows businesses to save resources on infrastructure and data management. While this is a huge benefit, like with all new technology, using the cloud also opens your data up to a new set of problems.
Poor Identity and Access Management (IAM)
Identity and Access Management (IAM) policies determine what each user’s role is in a cloud environment. Restricting users to only the permissions they need to perform their role is one of the first lines of defense against human error. Following this policy also prevents hackers and con artists from gaining disproportionate access to sensitive data by targeting low-level employees.
Hackers can start from the bottom of the totem pole and progressively steal credentials from higher-end users. Eventually, they can access administrator privileges and copy, modify, or delete important data. This is a veritable death blow for many organizations.
Additionally, users could have their endpoint devices stolen or compromised. Limiting the permissions of less secure endpoints helps mitigate this risk.
It’s essential that you set up a data governance framework as soon as possible and reorganize all user accounts accordingly. It’s appealing to assign permissions on a case-by-case basis, but that also increases the workload whenever you need to change things. Connecting all users to a central directory allows you to monitor and edit permissions at the drop of a hat.
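An added example, not part of the original article: a least-privilege audit over a constructed central-directory export, flagging case-by-case grants and sensitive permissions held on less secure endpoints. The role names, permission strings and the `managed` endpoint flag are assumptions made for illustration.

```python
# Added example: least-privilege audit over a constructed directory export.
# Role names, permission strings and the "managed" flag are hypothetical.

# Central directory: each role maps to the permissions that role needs.
ROLES = {
    "support": {"tickets:read", "tickets:write"},
    "analyst": {"reports:read", "storage:read"},
    "admin": {"storage:read", "storage:write", "storage:delete", "iam:*"},
}
# Permissions that let a holder alter or destroy data, or change access.
SENSITIVE = {"storage:write", "storage:delete", "iam:*"}

# Constructed sample accounts: role, case-by-case extra grants, endpoint state.
USERS = [
    {"name": "ana", "role": "support", "extra": set(), "managed": True},
    {"name": "ben", "role": "support", "extra": {"storage:delete"}, "managed": True},
    {"name": "cy", "role": "admin", "extra": set(), "managed": False},
    {"name": "dee", "role": "analyst", "extra": {"reports:read"}, "managed": True},
]

def audit_user(user, roles=ROLES):
    """Return a list of findings for one account."""
    findings = []
    baseline = roles[user["role"]]
    effective = baseline | user["extra"]
    # Grants made outside the role are drift from the central definition.
    for perm in sorted(user["extra"] - baseline):
        findings.append(f"direct grant outside role: {perm}")
    # Grants that duplicate the role add nothing and should be cleaned up.
    for perm in sorted(user["extra"] & baseline):
        findings.append(f"redundant direct grant: {perm}")
    # Sensitive permissions should not be usable from unmanaged endpoints.
    if not user["managed"]:
        for perm in sorted(effective & SENSITIVE):
            findings.append(f"sensitive permission on unmanaged endpoint: {perm}")
    return findings

def audit(users=USERS):
    """Map account name -> findings, omitting clean accounts."""
    report = {u["name"]: audit_user(u) for u in users}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit().items():
        for finding in findings:
            print(f"{name}: {finding}")
```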
Distributed Denial of Service (DDoS) Attacks
DDoS attacks involve overloading a server with requests until it collapses under the stress. This manifests in a dreaded error screen, leaving all the information on that cloud server inaccessible. DDoS attacks are a favorite among hackers and are one of the most common forms of attack in professional settings.
One way to deter DDoS attacks is to keep unused bandwidth on your server. The more leeway you have, the harder it’ll be for hackers to push you past the breaking point. However, this is more of a passive solution and not exactly foolproof.
The best course of action is to perform regular penetration testing. Running scanning tools will help you find weaknesses in your setup and close the holes that allowed the attacks in the first place.
Businesses using a large number of programs need an Application Programming Interface (API) to connect them to the cloud. Doing so provides a place to communicate and share progress across devices and applications.
However, these connections to multiple programs make APIs a mouth-watering target for cloud threat actors. In fact, a team from IBM found that two-thirds of cloud breaches in 2021 came through poorly protected APIs.
Microsoft OneDrive and iCloud Drive both support file-syncing. So, any files you download or modify automatically update to your cloud server. The feature is perfect for fast-paced environments that need everything to stay up to date, but it also transforms every user into a possible malware delivery system.
Additionally, if your provider services other organizations, there’s a chance that someone outside your network lets the virus in. Cross-contamination in your cloud server is somewhat out of your control, but you should still ensure that all your users are equipped with fully updated anti-malware applications.
According to a 2022 IBM report, misconfigurations are the fastest-growing threat in cloud security. Misconfigurations are caused by anything from forgetting to adjust the default settings to not having the resources to check every file for consistency.
This is the area that suffers most when organizations do not understand the shared responsibility model. They believe that security falls on their host’s shoulders, and they don’t bother to secure their data before uploading it to the cloud.
Some common types of misconfigurations include:
- Unrestricted ports
- Disabled logging
- Changing subdomain names
- Dangling DNS records
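An added example, not part of the original article: a check for three of the misconfiguration types listed above (unrestricted ports, disabled logging, dangling DNS records) run over a constructed inventory. The inventory layout, every resource name and the `PUBLIC_OK` allowlist are assumptions made for illustration.

```python
# Added example: misconfiguration checks over a constructed cloud inventory.
# The inventory layout and every name in it are hypothetical sample data.
import ipaddress

INVENTORY = {
    "firewall_rules": [
        {"id": "fw-web", "port": 443, "source": "0.0.0.0/0"},
        {"id": "fw-ssh", "port": 22, "source": "0.0.0.0/0"},
        {"id": "fw-db", "port": 5432, "source": "10.0.0.0/8"},
        {"id": "fw-rdp6", "port": 3389, "source": "::/0"},
    ],
    "services": [
        {"id": "bucket-logs", "logging": True},
        {"id": "bucket-uploads", "logging": False},
    ],
    "dns_cnames": [
        {"name": "shop.example.com", "target": "shop-app.cloudhost.example"},
        {"name": "old.example.com", "target": "retired-app.cloudhost.example"},
    ],
    # Hostnames of resources that still exist in the account.
    "live_targets": {"shop-app.cloudhost.example"},
}
PUBLIC_OK = {80, 443}  # assumption: only web ports may face the whole internet

def open_to_world(cidr):
    """True when the source range is the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_misconfigurations(inv, public_ok=PUBLIC_OK):
    """Return (finding type, resource) pairs for the three checks."""
    findings = []
    for rule in inv["firewall_rules"]:
        if open_to_world(rule["source"]) and rule["port"] not in public_ok:
            findings.append(("unrestricted-port", rule["id"]))
    for svc in inv["services"]:
        if not svc["logging"]:
            findings.append(("logging-disabled", svc["id"]))
    for rec in inv["dns_cnames"]:
        # A record that outlives its target can be claimed by someone else.
        if rec["target"] not in inv["live_targets"]:
            findings.append(("dangling-dns", rec["name"]))
    return findings

if __name__ == "__main__":
    for kind, item in find_misconfigurations(INVENTORY):
        print(f"{kind}: {item}")
```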
Assessing Risks in Conversion
While it makes sense for many businesses to take advantage of cloud services' opportunities, there are risks. Experts are available to guide companies through the transition, which should focus on streamlining operations and maintaining the integrity of processes. Any errors or gaps introduced during conversion to cloud usage could open the systems involved to hacking or malware.
An expert from Carnegie Mellon University says that companies migrating to cloud computing must take risks more seriously because:
- Off-premises IT makes it more difficult for a client company to notice problems before they get out of control.
- Hacks can leak data from one storage account into others.
Assessing Risks in the Cloud Host
Individuals and businesses considering cloud computing should look closely at any cloud storage or cloud computing terms of agreement. Some may mine your data for information about you. At the same time, others retain the right to decrypt your data and review it when the company deems it necessary.
A comprehensive report written by the University of Texas points out that there are many potential pitfalls within the terms of contracts with cloud companies, including no guarantee that the company will continue to exist indefinitely. That's a scenario that could leave you scrambling for alternatives and for help transferring sensitive information to a new service.
Companies considering cloud conversion should look closely at:
- The host company's track record.
- The host company's business plan (how long will they be around?).
- The type of security they offer.
- Does the host company have a failsafe plan compatible with the client's needs?
In addition, companies interviewing cloud services hosts should ask about:
- The company's policy on sharing data with law enforcement or partner companies.
- How employee access to client data is handled.
- Actual vs. claimed security measures. Many are now adding automatic and on-demand scans for vulnerabilities.
- How they prevent or address issues with intercepted decrypted data (man-in-the-middle attacks).
Are Host Clouds Capable of High Capacity?
Amazon Web Services is a giant among cloud solution companies. When its network servers were overwhelmed in December 2021, it resulted in outages and service interruptions among clients like Netflix, Slack, Coinbase, Tinder, iRobot, InstaCart, and DisneyPlus. Despite the proliferation of business technology options, it was notable that so many large companies suffered outages on the same day due to their collective dependence on Amazon's services.
To avoid potential outages due to the cloud service host company's issues, one expert recommends that companies:
- Develop a hybrid business model that only relies on the cloud services host for peak usage.
- Create an on-site backup system.
- Pay a premium for higher-level services with less downtime.
Be aware of the host company's capacity to avoid the Amazon-type overload outage mentioned above.
Other Risks in the Cloud
The modern threat landscape is constantly evolving, and it’s not only the technical threats you have to be wary of. Becoming overly dependent on cloud services means that you have to have contingency plans in case of circumstances outside your control.
We sometimes forget that cloud storage stems from a physical location and is at risk of extreme weather. Many American data centers are strewn around the east coast, well within risk areas for hurricanes. One company had to manually deliver fuel to their backup generators due to Hurricane Sandy in 2012.
Aside from natural disasters, extreme heat and wildfires can also strain a data center’s ability to operate normally. While these may not completely shut down its services, there’s the risk of reduced speeds and general maintenance.
If you’ve ever traveled to China, you’ve undoubtedly run into the roadblock known as the “Great Firewall of China.” The Chinese government blocked services from Google back in 2010 due to the search engine pushing back against harsh censorship laws. This means that Google Drive is inaccessible from China without aid from virtual private networks (VPN).
In another instance, GitHub Enterprise Cloud, the internet’s largest source code sharer, blocked users located in Iran, Crimea, and Syria in the summer of 2019. This decision was politically motivated by American trade restrictions on those countries. GitHub even went as far as to prevent using VPNs as a workaround.