In 2017, we’ve all heard of cloud computing and most of us use it every single day. What you may not know is that this service, which makes our working lives a whole lot easier, has some major security concerns.
Last year, the CSA (Cloud Security Alliance) met and listed the most dangerous security issues in cloud computing. The report was meant to help customers and providers ramp up their defenses because the on-demand nature of the cloud opens up businesses to a wealth of new security breaches. I’m going to outline the CSA’s most dangerous cloud security issues below, and tell you just how much you need to worry. The best offense is a good defense, so it’s best to be proactive.
Table of Contents
- What Is the Cloud?
- Why Do We Use the Cloud?
- No. 1 Threat: Data Breaches
- No. 2 Threat: Compromised Credentials and Broken Authentication
- No. 3 Threat: Hacked Interfaces and APIs
- No. 4 Threat: Exploited System Vulnerabilities
- No. 5 Threat: Account Hijacking
- No. 6 Threat: Malicious Insiders
- No. 7 Threat: APT Parasites
What Is the Cloud?
The cloud is a term that many people find difficult to describe, even though most everyone uses it. If you use Google Cloud, AWS, Windows Azure or any sort of online storage, you’re already on the cloud. Savvy businesses use the cloud for their infrastructure because there are so many advantages. So what is it? The name almost feels like you’re shooting off information into the sky, but that is not actually case.
The cloud isn’t one physical thing. It’s a whole network of servers – and each is responsible for a different task. For example, if you take a picture, it is stored on your smartphone. You are not using the cloud. If you upload the photo to Instagram, you are uploading the picture to a remote server. You are using the cloud. Some servers on the cloud provide an online service (Adobe Creative Cloud, etc.) and others are for storing data that helps your business run (Google Drive, Oracle Cloud, etc.).
Why Do We Use the Cloud?
We use the cloud because it has a ton of benefits, especially if you’re operating a business. I’ve already outlined the pros in a previous blog post, so I won’t touch too much upon them here, but one of the major benefits is that the cloud makes life a whole lot easier – and I’m not the only one who thinks so. According to a 2014 survey by Harris Interactive, 39 percent of Americans use the cloud, and 86 percent of those Americans say it has improved the life of those who work. In 2017, that number has only grown.
The chart above shows some of the top benefits of cloud usage. Nearly half of those surveyed believe it makes sharing easier (it definitely does) and helps them feel better about data back-ups (having just one copy on one, physical server is dangerous).
While cloud computing may save your business money and make it easier to share documents among an entire team, it isn’t all roses and sunshine. There can be some major, major cloud computing security issues if you‘re not careful. To combat these issues, you’ve got to know what they are and approach them head-on.
No. 1 Threat: Data Breaches
Download Our Project Specification Template
Just like traditional corporate security networks, data stored on cloud services can be a major target which can be devastating if you’re a business with a large client base. Your data needs to be secure, and that’s the bottom line, but we’ve seen horrible breaches happen in recent years that tarnished brands and left customers’ sensitive information exposed.
Most recently, this happened at the massive web-hosting service Weebly, which compromised millions of individuals and businesses who ran their websites through the service. In October of 2016, over 43.5 million accounts were affected, and information such as user names, email addresses, passwords and IP addresses were exposed. Thankfully, Weebly said that they don’t believe any credit card information was taken, but if it was, it could have been disastrous. There’s a whole lot someone could do with email addresses and passwords, and you can’t allow your business to be exposed that way.
How Data Breaches Happen, and How You Can Protect Your Business
Perhaps one of the most famous examples of a recent cloud data breach was when iCloud was hacked and a wealth of private photos from celebrities like Jennifer Lawrence and Kate Upton were leaked online. The reason this happened wasn’t just because some people are terrible (yes, I’m talking to you, hackers) but because of a lack of two-factor authentication. Two –factor authentication requires users to provide two forms of identification, and without it, hackers could easily sign in again and again. To fix this issue, Apple created iCloud backup alerts and expanded its two-factor authentication to additional Apple services like iCloud. So, next time you find it difficult to login because you have to type in so many passwords and confirm on different devices, at least smile in knowing a data breach is less likely to happen.
According to Yvonne Li, co-founder of SurMD, a leading provider of HIPAA compliant cloud services, not only is a data breach a huge risk, but many cloud services have issues protecting data while it’s ‘in flight’ (transferring/sharing). This is where you need protect yourself the most.
“It is important to create several points of unique user identification, authentication, and automatic logoff timers. Data must be encrypted during transferring and later decrypted once received,” she said. “Data ‘at rest’ on servers can still be stolen, and should be encrypted as well, although this can prove to be costly. Data at rest refers to inactive data which is stored on the cloud, on mobile devices, thumb drives, and other inactive mediums. This provides control over the data as well as deters data breaches.”
So, protecting your business is simple. Make sure you use services that have several points of unique user identification and automatic logoff capabilities, just in case you forget. Make sure everything is encrypted, so even if it’s stolen, it will be useless.
Should I Be Worried?
Data breaches seem scary, but they only really matter if you have sensitive data on your devices to begin with. If you’re a business, yes, you should be terrified. Make every effort to protect yourself and your customers because one breach of information can tarnish your entire brand and put you at risk for a financial meltdown. For example, the massive retailer Target, who had a data breach in 2013 that compromised 70 million customers’ credit card information, saw a 46 percent loss of profits shortly after.
To further protect yourself make sure you don’t save any financial information on your phone or devices that may be linked to your business’ accounts. Buying supplies with services like Amazon, which can automatically store credit card data? Don’t click that save button! As long as your business chooses a cloud infrastructure with rigorous authentication, you should be totally fine.
No 2. Threat: Compromised Credentials and Broken Authentication
The CSA listed compromised credentials and broken authentication as their number two threat to cloud services. This falls under the umbrella of data breaches because it’s basically the Achilles heel of a number of cloud-based services. I already touched upon the idea of two-factor authentication, and how multifactor authentication is the best way to protect your information, but did you know your business practices – not the company who runs the cloud-based service — may be putting your business at risk as well?
How Credentials Become Compromised and How to Protect Yourself
Data breaches are often the result of individual businesses and not the cloud infrastructure they use. Some businesses may allow for lax authentication, weak passwords and poor key or certificate management. Permissions should be based on a person’s job – if someone in the company doesn’t need to see information to do their job, they should not have access to it. You would think this is a no-brainer, but many businesses trust their employees when they should not. Most importantly, many businesses fail to remove user access when someone’s job changes or they leave the company. Because cloud-based services work from anywhere, users can access data without needing to physically be at work. This can be a problem.
Developers also frequently make a major mistake by embedding credentials and cryptographic keys in source code. This lets anyone view them if they know how to look.
“Keys need to be appropriately protected, and a well-secured public key infrastructure is necessary,” said the CSA. “They also need to be rotated periodically to make it harder for attackers to use keys they‘ve obtained without authorization.”
Should I Be Worried?
Yes. Using a service with one-factor authentication always opens you up for a potential data breach. It can happen to anyone, and it has happened to me. While I’m not running a million-dollar business on my laptop or work on a cloud infrastructure that needs to be deeply protected, I do casually make purchases on Amazon. I remain logged in on my account at all times. Amazon requires no authentication beyond a password and maybe a security question or two if you get it wrong to login. My credit card information (from an expired card only) is linked to my account. Just the other day, I discovered that someone tried to make a purchase with my expired credit card. I only found out because Amazon alerted me when the payment failed. Needless to say, I deleted my credit cards and changed my passwords. This could have been a devastating breach if I was a large company. You’re only as open to data breaches as you allow yourself to be.
No. 3 Threat: Hacked Interfaces and APIs
An API is a set of routines, protocols and tools that help build software applications – some of these are customizable, some of these are simply used as they are. Almost every cloud service offers APIs which allow IT teams to manage and interact with the cloud service. Alternatively, user interfaces help IT teams and regular employees manage, monitor and orchestrate specific functions of the cloud service they use. If one of these gets hacked, it’s basically an open door to your most sensitive information. A cloud service is only as secure as its API.
How Interfaces and APIs Get Hacked, and How to Protect Yourself
APIs are one of the most exposed parts of a system because they’re usually accessible from any Internet connection. The CSA recommends you use a cloud service that has frequent security-focused code reviews to find problems before hackers find them. This includes rigorous penetration testing to ensure that hackers can’t enter the system. Using threat modeling applications and systems help detect where an API is the weakest, so you can fix it before some nasty hacker figures it out.
Should I Be Worried?
As a business owner, this is a concern. Make sure your developers know how to customize an API or UI without leaving you open to threats. Pick a cloud infrastructure that meets all the security checks I listed above. I would recommend being weary about sending important financial documents through things like Google Drive, and only use your office’s cloud to transfer sensitive documents. Never let an employee use a personal email for business purposes.
No. 4 Threat: Exploited System Vulnerabilities
Programs have bugs, and that’s nothing new. Patches are released every day that help fix problems in various apps. One of the best parts about using a cloud-based service is that you can get regular bug fixes as they’re created. Just like traditional software, bugs are a major cloud computing data security issue. Some bugs are exploitable, and as organizations use the cloud to share memory, databases and other resources in close proximity to another, the vulnerabilities become more enticing for hackers.
Read How We Helped a Marketing Company to Build a Back-Office Custom Ads Dashboard
How to Protect Yourself From System Vulnerabilities
Your best defense against system vulnerabilities and exploitable bugs is by regularly updating your cloud software. According to the CSA, “basic IT processes” frequently knock out any chance of a threat. Think about it: your cloud service is constantly evolving and getting better. If you refuse to update it because you don’t want to spend the time installing a patch, you don’t get any of the important bug fixes that may have fixed a newly-discovered vulnerability or bug. The best part is that this kind of routine maintenance – the discovery and repair of vulnerabilities – is a small cost compared to how much it’d cost to fix the major damage it could cause if left alone.
Should I Be Worried?
Not really. Obviously, you shouldn‘t choose a cloud service provider that is renowned for being buggy and having system vulnerabilities, but the people behind your average cloud service are constantly working to make it better as soon as a bug or threat is brought to their attention. If you install all updates and patches as soon as they are available, there’s not much you have to worry about. Now, I don’t blame you for kicking yourself over how many times you didn‘t update your iTunes software when it asked. Get on it!
No. 5 Threat: Account Hijacking
Have you ever gotten an e-mail saying someone logged into your Google account from another country, but Google had blocked it? This is some of the security Google has in place to prevent your account from being hijacked without your knowledge.
Since the beginning of the Internet, phishing and fraud have been happening. If you move your business to the cloud, you are opening your business up to everything terrible the Internet has been doing for the last 30 years. Yes, a hacker can hijack your account, watch your online activities, make or manipulate transactions, modify your data and even use your account to launch attacks on other unsuspecting individuals. The hacker can be a stranger, a disgruntled past employee, or a shady friend-of-a-friend.
How to Protect Yourself from Account Hijacking
To protect yourself from account hijacking, have a secure password. This should be a mix of numbers, symbols, capital letters and lower-case letters. You’re even safer if it’s not a dictionary word or combination of dictionary words. Basically, the less likely you are to remember a password, the stronger it is. Also, use a cloud service that has automatic log-out capabilities so you’re not logged in longer than you’re using the service. Some services, like Google, also alert you when you login on a new device. Always enable this option when available.
If you’re a business, follow all of the above advice but also prohibit the sharing of credentials between users, services and employees. Enable multifactor authentication and monitor every single transaction that occurs. If you catch a hacked account early, you can shut it down.
Should I Be Worried?
Yes, but being proactive limits your vulnerability. Phishing emails have been around since the beginning of time. Almost everyone has heard the story of some sort of Arabian or African Prince needing your bank account information to transfer you millions of dollars. Don’t fall for it. Think before you share your information, and as long as you stay on your toes, an account hijack is unlikely. Even if your account gets hijacked, if you catch it right when it happens, it’s easy to change passwords and shut the hacker out.
No. 6 Threat: Malicious Insiders
Cloud services can’t prevent malicious insiders on their own. This falls mainly on your company policies, but is still considered a vulnerability within cloud-based services. It used to be that you fire an employee and make them immediately leave the office without touching their computer. This prevented them from accessing company servers and stealing confidential and sensitive information. With the cloud, employees can access information remotely. This means they don’t have to be in your office to get the details they want.
How to Protect Yourself from Malicious Insiders
I’d hate to say that the best way to protect your business from a malicious insider is to be a good boss. If you have a happy work environment, foster a feeling of teamwork, and pay your employees fairly, they’re less likely to turn on you in the future. This is obvious, but it also doesn’t account for the fact that some people are just bad seeds.
To protect yourself from a malicious insider, the CSA recommends that you control the encryption process and keys within your cloud-based processes. Minimize access given to users and segregate duties. Employees should have the minimum amount of access required to do their jobs. You should also have a system in place that logs, monitors and audits administrator activities. Proper training and management is key.
Should I Be Worried?
For most businesses use the cloud, this is a low-level worry. I guess it would really depend on how many enemies you think you have. Proper management and training should help protect businesses from making these sort mistakes.
No. 7 Threat: The APT Parasite
APT Parasites, or advanced persistent threats, are the CSA’s seventh biggest threat. The difference between an APT and a virus is the fact that it’s so much more advanced. It’s bigger than a simple Trojan virus, some malware or malicious code. In fact, often times antivirus software does not detect an APT.
An APT is a set of stealthy and continuous computer hacking processes. These are often targeted towards private organizations, states, and even governments for business or political reasons. APTs move through the network undetected by blending in with normal traffic and reaping the information they need over a long period of time.
How to Protect Yourself Against APT Parasites
All major cloud providers have advanced techniques that they use to detect APTS and prevent them from happening. There’s always more you, as a user, can do to help prevent them on-premises. The most common ways for an APT to get loaded onto your server is through phishing, direct attacks, third-party networks and USB drives loaded with malware (see the above section about malicious insiders).
To protect yourself, keep your users alert and train them on how to avoid being tricked into letting an APT in. Avoid using third-party networks and be weary of those promotional USBs mailed to your company. You never know.
Should I Be Worried?
APTs can affect every user. Most companies are already weary of such things happening — but your employees may not be. If you love to stream movies without actually paying for them, be weary of pirating websites that are notorious for loading your computer with malware. If your employees download a program for work, make sure they download it directly from the company who makes it, and beware of scams that tell you to download programs because your computer has a virus. That‘s the quickest way the Internet scares people into downloading malware. If you train your team properly, you’ll be able to steer them clear of APT parasites.
The same reason the cloud makes it easy to run a business from anywhere is the same reason why it’s open to so many threats. Stay proactive, train your staff and keep up with all patches and bug fixes to better protect yourself.
If you’re worried about picking the safest cloud infrastructure for your business, DevTeamSpace makes migration safe and easy. Post a request about the cloud, and they can help you move your whole business, with the highest level of security.