Risks, Threats, & Security Challenges Posed in Moving to Cloud

Organizations are increasingly creating new applications or migrating existing applications to the cloud. While there are numerous benefits to cloud migration, it does come with additional risks, threats, and security challenges.

Cloud Computing Risks, Threats, and Security Challenges

In some ways, cloud environments are exposed to the same threats as traditional data centers: they run software with vulnerabilities that malicious hackers try to exploit.

The key difference with the cloud is that – unlike traditional data centers – the cloud distributes the security responsibility between the cloud service provider and the consumer. With this in mind, it’s paramount that you understand where your responsibility lies.

Reduced Visibility and Control

During cloud migration, you may lose visibility and control over your assets. If you’re using external cloud services, some of the responsibility rests with the cloud service provider. How much responsibility depends on the cloud service model.

You must monitor and analyze information about the data, applications, services, and users without relying on network-based monitoring and logging.

Increased Risk of Unauthorized Use

Cloud service providers offer on-demand self-service provisioning features that enable users to gain additional services without IT authorization. When services are provisioned or implemented without IT authorization, the organization is vulnerable to an increase in data exfiltration or malware. Simply put, you can’t protect what you don’t know exists.  

Compromised Internet-Enabled Management APIs

Organizations use APIs to manage, orchestrate, and monitor assets and users, but they contain the same vulnerabilities as an API for an operating system. These APIs are accessible through the internet, leaving them at a greater risk of exploitation.

Malicious hackers search for weak points in management APIs, and any weak points they discover can contribute to a successful breach that compromises cloud assets.

Incomplete Data Deletion

The multi-tenancy environment of cloud infrastructure spreads data across multiple storage devices. When you have limited visibility into your data storage, you can’t verify that your data was securely deleted and that remnants aren’t vulnerable to malicious hackers. And the more cloud service providers you use, the more risk you take on.

Cloud and On-Premise Threats and Risks

Having a hybrid of cloud and on-premise data centers has its own risks, which include:

Stolen Credentials

If a malicious actor gains access to a user’s credentials, they can provision additional resources using their authority (if permitted) and target your organization’s assets. They could also leverage cloud resources to target other administrative users, the service provider’s administrators, or other organizations using the same provider.

Vendor Lock-In

When you move assets and operations from one cloud service provider to another, vendor lock-in can become a problem. If the cost or time is higher than anticipated, or the proprietary services aren’t ideal, you could become dependent on that service.

In service models that put more responsibility on the provider, vendor lock-in is more common. Organizations become more exposed to the provider’s proprietary implementations and a lot of change is required to move to a different provider. Worse yet, that provider can go out of business, leaving you with lost data or data that can’t be transferred quickly or easily.

Increased Complexity

Migrating to the cloud introduces complexity into IT operations. The IT staff must learn a new model to manage, integrate, and operate in the cloud, so they need the skills to do so while keeping up with their existing responsibilities for the on-premise IT.

Encryption services and key management are also more complex in the cloud. The techniques and tools to monitor cloud services often vary across different service providers, leading to even more complexity. IT staff must also manage the new threats, adding to the complexity and potential security gaps.

Loss of Stored Data

Data stored in the cloud can be lost for reasons other than attacks. It can be deleted by accident, either by the organization or the provider, or destroyed in a natural disaster like a fire or tornado.

Avoiding data loss is not entirely the responsibility of the provider. You could encrypt the data before uploading it to the cloud but then lose the encryption key, for example. It’s important to put a plan in place for data recovery and prepare for all the risk scenarios.

Insufficient Due Diligence

Insufficient due diligence is a big problem for organizations migrating to the cloud. The data may be moved without a full understanding of the security measures employed by the service provider or what responsibility they have to protect their information.

Abuse of Authorized Access

Staff and administrators for the organization or the provider have the potential to abuse authorized access to the network, systems, and data. While this may be rare, their position gives them more leverage to cause damage or exfiltrate sensitive data. They may also be able to provision resources.

Security Solutions for Cloud Migration

As mentioned, cloud service providers use a shared responsibility model for security. It’s vital that you understand what you’re responsible for and take appropriate measures to protect your organization.

Due Diligence

As a consumer, you must understand the network to determine how to provide resilience and security for cloud-deployed systems and applications. Due diligence is required across the organization’s cloud-based systems, including planning, operations, and decommissioning.

Access Management

Access management is key for identifying and authenticating users, assigning appropriate access rights, and enforcing access policies. Multi-factor authentication (MFA) can reduce the risk of compromised credentials.

Privileged access management (PAM) exerts control over privileged access and permissions for users and accounts across the IT environment, reducing the attack surface to prevent or mitigate the potential damage of external attacks. With PAM, users have the right access at the right time, and for a limited time, providing more visibility, control, and auditing.

Data Protection

In addition to access control, data protection involves specific challenges: protecting the data from unauthorized access, preventing the accidental disclosure of data that was supposed to be deleted, and ensuring continual access to vital data when errors or failures occur.

Cloud Security Comes Down to You

Though the security risks with the cloud are multifaceted, the common theme is that you, as a cloud consumer, must have an in-depth understanding of shared responsibility and of what measures you need to take to ensure your organization is protected.

About the author:

Joseph Carson is a cybersecurity professional with more than 25 years’ experience in enterprise security and infrastructure. Currently, Carson is the Chief Security Scientist & Advisory CISO at Delinea. He is an active member of the cybersecurity community and a Certified Information Systems Security Professional (CISSP).