There is a huge rise in the use of cloud security services as well as cloud-related security incidents and breaches. Cloud services are not going away and for good reason. They offer many benefits including improved data scalability. Even the U.S. Transportation Command (TRANSCOM) uses commercial cloud services.
However, there are several considerations that must be made when securing data in the cloud. A report by Cybersecurity Insiders revealed that between midyear 2017 and midyear 2018, 18% of organizations polled experienced at least one cloud security incident.
Most of the participants stated that misconfiguration of cloud platforms is a key threat to cloud security followed by unauthorized access to the cloud and insecure interfaces/application programming interfaces (APIs). This data comes as no surprise because there will always be the human element to consider when it comes to security.
It is important to know where your responsibility lies when working with a cloud service provider (CSP). There are several key factors that influence the level of security that should be considered. Ensure you have open, ongoing and detailed conversations with your CSP to clarity specifically which party is responsible for each task involving security. Maintain control of who has access to the data and confirm that the data is encrypted. Not encrypting your data leaves your sensitive information in plain view for anyone to see. As a similar comparison, you wouldn't risk leaving your home open and unlocked. Securing your credentials by creating unique keys for each external service is another important step that should not be overlooked. Also, always practice defense-in-depth including multi-factor authentication as well as increased visibility by using security logging and monitoring. Carefully considering and executing each of these steps can help deflect the human error element of breaches.
Engaging with security professionals can help ensure you have taken the proper measures. Consider hiring a security professional to perform a Security Controls Audit. Having a 3rd party review governance, data management, environment configuration and cyber threats is very beneficial.
As threats to the cloud are always evolving, we must stay proactive in our efforts to improve security. Although this list is not exhaustive, here are some considerations to make when using the cloud.
- Customers have reduced visibility and control which also makes it challenging to verify the secure deletion of data.
- CSP's expose API's that clients use with cloud services and these are accessible via the Internet causing greater exposure than traditional data storage.
- CSP's serve multiple clients adding an increased risk of data leakage if separation controls fails between clients.
- Switching CSP vendors is a challenge some clients face because the cost/time/effort to make the move to a new vendor can be higher than initially realized.
- IT staff must learn to manage, integrate and operate securely in the cloud in addition to their regular workload.
- Malicious attacks are not the only way to lose data. For example, a client loses the encryption key to their data, a CSP goes bankrupt or a natural disaster causes data loss.
- As mentioned earlier, the responsibilities for securing data is shared. It falls on both the CSP and the customer.
- Nothing is fool proof and it is important to keep in mind that data stored in the cloud is at risk. Whether it's a Denial of Service attack or a malicious insider attack, there are always risks of cybercriminals gaining access to private information. Understanding that risk and the role you and your team plays in managing it is a critical step to mitigating risk.
Real-World Cloud Attacks
There have been numerous stories of cloud security breaches recently. Have you heard about the story of the World Wrestling Entertainment (WWE) breach? Over 3 million users' private information including addresses, educational backgrounds and earnings were exposed. All the data was stored in plain text and was not username/password protected in the Amazon cloud server.
Another story you may recall was the leak of personally identifiable data of nearly 200 million U.S. voters using cloud storage. This was a result of improperly configured security settings.
Health-insurance provider, Anthem also experienced a cloud related breach. This breach exposed the private information of over 80 million people. There are countless stories about breaches involving cloud security. Understanding the nature of how and why these breaches occurred provides valuable security insight.
CSP's offer several benefits for organizations but must be paired with exceptional security practices. Organizations must remember to prioritize security when using these services. Organizations that utilize cloud service providers need to be fully aware of the security risks and the steps required to mitigate them. In each instance of exposed data, there is a shared responsibility. You want to ensure if your company is ever named in the wake of a data breach, you have done everything you possibly can to protect people's private information. This is where Security Controls Audit is a helpful tool to provide you with a more in-depth look at your security posture.