Threats that could compromise the security of your cloud environment consist of both universal and cloud-specific risks. If you examine the Cloud Security Alliance report on the 12 biggest threats to cloud computing, it includes elements such as system vulnerabilities and malicious insiders. Security issues such as these two examples have been prevalent in non-cloud computing environments for decades. Although some stated cloud security issues may be universal, you still need to follow industry best practice to ensure your environment is secure. Even though the Top 12 list includes common threats, there are a few that are unique to cloud environments. Securing your cloud requires a holistic approach. Ensuring you cover universal as well as cloud-specific threats is vital.
The introduction of commercial public clouds has permanently transformed the way we create, store, and consume data. The ability to create global computing services on-demand, scale them at will, and only pay for what you use has unleashed a wave of innovation that has changed both business and society. Every popular app or service you access on your favorite computing device is backed by some form of cloud service. However, as with any technology platform that stores a large amount of data, cloud services are under constant attack. In today’s digital age, information is the new currency making cloud data a valuable commodity. The Cloud Security Alliance keeps a list of the top 12 cloud computing threats. Named the “Treacherous Twelve”, the technology industry uses this list to identify, prevent, and mitigate attacks against cloud infrastructure. Although the list contains twelve risks, some of them are relevant to non-cloud computing environments as well. Security concerns such as insufficient identity management, system vulnerabilities, malicious insiders, and advanced persistent threats plague both cloud and non-cloud computing environments. The list below identifies the top threats paying special attention to those that have the largest impact to cloud environments.
Data Breaches
Although data breaches can affect non-cloud services, they are the top threat to cloud computing environments and deserve a special mention. When sensitive information is released or stolen by an unauthorized party, the impact to both the organization and its customers can be severe. Not only do organizations that suffer a data breach need to deal with the potential reputational damage, but they also face serious financial penalties. For example, if an enterprise processes the information of European Union (EU) citizens it must adhere to the security standards set by the General Data Protection Regulation (GDPR). Failing to do so could result in fines of up to 20 million Euro or up to 4% of their worldwide turnover.
Abuse and Nefarious Use of Cloud Services
One of the top threats that is unique to the cloud is the abuse and nefarious use of cloud services. Hackers take advantage of poorly secured deployments, free trials, and even fraudulent account sign-ups to access public cloud platforms and launch their attacks. The scale and reach of the cloud make it the perfect solution for hackers who need to crack a large set of passwords or execute a Distributed Denial of Service (DDoS) attack. As cloud services have a vast amount of computing resources, attackers target these platforms because it gives them the ability to launch large-scale attacks rapidly and cost-effectively. It is, therefore, critical that you secure access to your cloud and pay particular attention to the subscription account that has the authority to commission new services.
Denial of Service
Denial of Service (DoS) attacks come in many forms. They are not unique to cloud environments but can have a substantial impact if the attacker targets an entire platform. As cloud platforms host thousands if not millions of customers and services, an effective DoS attack can have a severe impact. Taking a site or service offline means that potential customers cannot access it. Depending on the victim, a denial of service could affect revenue if it takes down an ecommerce solution. Service unavailability could also lead to serious reputational harm.
Even though DDoS attacks that utilize multiple vectors and services to attack a single target are difficult to mitigate, cloud service providers have access to the relevant protection mechanisms. They also have scale on their side that can absorb the effects of a DDoS attack. However, a denial of service is not only attackers targeting a system with a large amount of data. A poorly configured cloud service can be taken offline if it has an open vulnerability an attacker can exploit. With a carefully crafted payload, they can render an entire service unavailable. In many instances, these types of attacks are automated taking many sites that share the same software offline. Patching and securing your cloud service is therefore a crucial administrative task as it can prevent these types of DoS attacks.
Shared Technology Threats
Cloud platforms provide cost-effective computing services by sharing pooled resources across their customer base. As one of the five characteristics of cloud computing, one could argue that resource pooling, and the resulting economies of scale, have been the primary economic catalyst that has led to the exponential increase in the consumption of cloud services. Without access to cost-effective, on-demand resources, many innovative apps and solutions we use each day would not exist. However, resource pooling is made possible by shared infrastructure. When subscribers share access, they need to ensure they perform the necessary due diligence and secure their cloud environments. Implementing security measures such as Multi-Factor Authentication, and the deployment of Firewalls and Intrusion Prevention Systems, are not obsolete in the cloud world. Effectively securing your cloud requires you to implement these conventional security mechanisms.
Securing the Cloud is a Shared Responsibility
Security in a cloud environment is a shared responsibility. While the platform provider is responsible for ensuring the security and availability of the underlying infrastructure, you are responsible for securing the apps, services, and data you host on the platform. Depending on the service model you consume, whether it be Infrastructure, Platform, or Software as a Service, the level of responsibility varies. However, no matter which service model you subscribe to, you still need to ensure you protect your environment from unauthorized access and compromise.
Cloud computing has changed the way we use technology. It has led to the creation of many innovations that we take for granted and use on a daily basis. However, as the utilization of cloud services continues to grow exponentially, the computing resources and data stored on these platforms become valuable targets for hackers. The Cloud Security Alliance has identified 12 common threats that plague cloud environments. Many of these threats are universal as they are relevant to cloud and non-cloud infrastructures. Securing your cloud services requires the implementation of conventional security best practices that can mitigate universal as well as cloud-specific threats.