“My data is 100% safe and secure in the cloud,” said no one ever (except possibly the slick brochure from the cloud service provider).
McAfee Labs issued a report in 2017 on the various threats that face all computer users. The report focused on cloud-related threats to business, noting that hackers are constantly changing their tactics to take advantage of companies shifting data and processes to the cloud.
Certainly, cloud service providers are focusing more and more effort on security. The cloud can be a very good solution and can be as secure as any other network, but we need to be more diligent than ever. The list of what can go wrong in the cloud is essentially the same list as what can happen in any server room, except that in the cloud the risks are magnified.
1. Stolen Credentials
Want to ruin your afternoon? Leave your wallet on a park bench. Want to ruin your next six months? Let a hacker get ahold of your login credentials! If your wallet walks away, you’ll lose some cash, if you carry any. Someone may spend some quick cash on your credit cards, but most of the time the credit card companies will take care of it. You’ll have to get a new driver’s license. It’s pretty bad. But the damage a hacker with your credentials can do, to you or your business, is almost unlimited.
Often, the goal is ill-gotten financial plunder, but sometimes it isn’t. An intruder can download your company’s proprietary and confidential information, make it public, leak it to competitors or the media and ultimately ruin your reputation. They can manipulate data in any number of ways.
Of course, this threat exists in any network, any server and even any workstation — but the threat may be even greater in the cloud. With more to gain, there’s a greater likelihood your data will be targeted.
Truly professional cloud providers no doubt provide multiple layers of security, sophisticated encryption and intelligent monitoring systems to warn of attacks. Yet, these breaches still happen.
A common misstep is embedding cryptographic keys, passwords and other credentials in source code, where a hacker can find them in a Git repository, or keeping them in an Excel spreadsheet on Google Docs.
Weak passwords and weak encryption (or no encryption) also create opportunities for unauthorized entry.
Anyone considering a data migration into the cloud needs to take a complete look at the security provided by their cloud server and look very closely to make sure they aren’t in any way compromising these measures.
2. The Dreaded Ransomware
We’ve all heard the horror stories. Your data has been encrypted, you cannot access it, and you must pay to get a key to unlock it. If you pay, you may still not get it back. More than just a problem, it’s a nightmare! Essentially, it’s a form of “denial of service” — a longstanding problem — but ransomware can be even more vicious.
In the report referenced above, McAfee comes to this conclusion: “Denial of service for ransom will become a common attack against cloud service providers and cloud-based organizations.” And they further state that, “If an organization becomes completely cloud based, there are multiple points between the business and the cloud that can be attacked to effectively shut down the business. This includes the Internet connection, DNS services, and other infrastructure components.”
Holding a company’s data for ransom is almost entirely done for monetary gain. There are no “playful” ransomware hackers sitting in their parents’ basement looking for something to fend off boredom. They are criminals. And some of them are quite tech-savvy.
What can be done? Just as with defending against anything else, you need strong encryption, strong passwords, no open doors, and your data must always be backed up. In looking at cloud service providers, ask all the questions: find out how their security is set up, how they have planned for every vulnerability, whether they routinely test for weaknesses, and how, where and how often their data is backed up. If you don’t ask all these questions, you will at some point wish you had.
3. Denial of Service
The term “denial of service” has been with us for a very long time. The original form is simply to send far more requests to an IP address than it can keep up with, so that legitimate use is denied.
Today the attacks can be more vicious and sophisticated, coming from multiple locations. It can be harder to determine which packets are legitimate and which are designed to disrupt operations.
Cloud service providers generally handle this kind of attack pretty well, but you still want to inquire what kind of systems and tools are employed.
A massive denial of service attack can take down a company’s website or operations fully for a period. Persistent attacks require very sophisticated tools to respond effectively. But other, smaller attacks can sometimes go undetected for quite some time, not quite shutting anything down but resulting in a slow network, timeouts and errors. The attacks can be very targeted, exploiting weaknesses in databases or web servers. This kind of attack may also result in increased use of cloud resources, for which the customer may have to pay.
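The two attack shapes described in this section call for two different detections: a flood from one source shows up as a burst of requests, while a smaller, targeted attack shows up only as rising errors and timeouts. The following is an added example, not code from the article: two detections run over constructed Common Log Format access-log lines (RFC 5737 documentation addresses; the window sizes and thresholds are illustrative assumptions to be tuned against a real baseline).

```python
"""Added example, not from the article: two detections over web-server access
logs, a per-source request flood and a low-and-slow pattern that only shows
up as a rising share of 5xx responses. Log lines are constructed in Common
Log Format with RFC 5737 documentation addresses; thresholds are illustrative."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one Common Log Format line; return None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "status": int(m["status"])}

def flag_floods(lines, window_seconds=10, threshold=50):
    """Per-source sliding window: flag any IP that sends more than `threshold`
    requests within `window_seconds`. Returns {ip: time of first breach}."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    flagged = {}
    for rec in filter(None, map(parse_line, lines)):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged

def error_spikes(lines, bucket_seconds=60, min_requests=20, max_error_ratio=0.2):
    """Low-and-slow case: no single source floods, but the share of 5xx
    responses per time bucket climbs past the allowed ratio.
    Returns the ISO start times of the offending buckets."""
    totals, errors = defaultdict(int), defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        bucket = int(rec["ts"].timestamp()) // bucket_seconds
        totals[bucket] += 1
        if rec["status"] >= 500:
            errors[bucket] += 1
    return [
        datetime.fromtimestamp(b * bucket_seconds, timezone.utc).isoformat()
        for b in sorted(totals)
        if totals[b] >= min_requests and errors[b] / totals[b] > max_error_ratio
    ]

def make_sample_log():
    """Constructed sample: three normal clients, one flooding source in the
    first minute, and a later minute where a third of the responses are 503s."""
    base = datetime(2017, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, status=200):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET /api/orders HTTP/1.1" {status} 512'

    # normal clients: one request every couple of seconds, spread over three IPs
    lines = [line(f"192.0.2.{10 + i % 3}", base + timedelta(seconds=2 * i)) for i in range(30)]
    # flooding source: 80 requests inside four seconds
    lines += [line("203.0.113.7", base + timedelta(seconds=0.05 * i)) for i in range(80)]
    # five minutes later: normal volume, but every third response is a 503
    later = base + timedelta(minutes=5)
    lines += [line(f"192.0.2.{10 + i % 3}", later + timedelta(seconds=2 * i), 503 if i % 3 == 0 else 200)
              for i in range(30)]
    return lines

if __name__ == "__main__":
    log = make_sample_log()
    print("flooding sources:", flag_floods(log))
    print("error-spike minutes:", error_spikes(log))
```

The flood detector is cheap enough to run continuously at the edge; the error-ratio check is the one that catches the quieter attacks, and it only works if you know the normal error ratio for that endpoint, so record the baseline before you set the threshold.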
4. Data Breaches
Possibly the most famous data breach is when Target Corporation was infiltrated by hackers who stole the credit card numbers and other personal information of over 100 million customers. A major embarrassment, very expensive.
The dangers of a data breach predate cloud technology. There are hundreds of stories throughout the history of networking. But now, because of the vast amounts of data on the cloud, it’s an even more attractive target.
Each business is different, and the types of data are different. For some businesses, confidentiality is among their most important assets. Medical testing companies, for example, simply cannot afford to allow patient data to be exposed, ever. Who would trust them again? And they may even be in violation of HIPAA (Health Insurance Portability and Accountability Act of 1996) regulations if it’s proven that they did not take adequate steps to secure sensitive patient information. Any organization may face lawsuits after a significant data breach. The effects of a data breach can be counted in millions of dollars and affect the business negatively for years.
Encryption is key, but not the only answer. Again, multiple layers of security are required along with intelligent monitoring and a robust quick action plan for when your data has been accessed.
5. Loss of Data
In the early days of computers and networking, data loss was possibly the largest risk we faced. When a disk drive failed without a backup — which happened often — data was permanently lost. Today, such losses are nearly unheard of in the world of cloud storage. Data could be lost if files are encrypted and the encryption key is lost, but this is a rare occurrence. Daily backups, or even real-time backup, are commonplace and necessary, as are sound procedures for disaster recovery.
Data loss today is much more likely to be a result of malicious activity, so again all the measures of security and routine backups need to be in place. Normally, backups are kept in a different geographical location.
In many industries, there are specific regulations (and/or state or Federal statutes) about how long certain types of records must be retained, and also stipulating how such records must be stored and secured. A company can be subject to fines and other penalties if these are violated. Learn more about the importance of correctly handling Personally Identifiable Information (PII) here.
6. Insufficient Credentials
One of the most common ways data attacks occur is through a lack of sufficient access management. This can mean anything from a weak password to a poorly devised authentication system. It also includes giving too much access to low-level users or forgetting to take former employees out of a system after they’ve left the company.
In short, it means you’ve left your entire system vulnerable to intruders.
If the intruder is malicious in their intent, they can do anything from reading and releasing to modifying and deleting your data. They can also release malicious software into your system that can destroy or alter management functions so you cannot reverse or mitigate their actions. Unauthorized access due to insufficient credentialing can be catastrophic to your organization.
Companies of all sizes fall prey to this mistake — for example, a breach at Anthem resulting from stolen credentials exposed upwards of 80 million records of customer data. The reason for the theft? A lack of multifactor authentication within their cloud-based system. The breach left them vulnerable and cost them millions of dollars.
The final cost to your business often depends on what the intruder ends up doing. If financial gain is their goal, you could end up with drained accounts. If it’s corporate gain, your proprietary information could be leaked to competitors. If it’s general mischief, they could do all of the above. Any of these options could result in lost business, a decimated reputation and extensive financial losses.
Preventing such issues requires multiple layers of security as well as security-minded design. Many developers embed credentials in the source code of a system, making them available to anyone who can access this information. On top of the standard encryption and monitoring systems that can be used to protect these credentials, additional authentication procedures must be in place on the user’s end.
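Credentials embedded in source code, the misstep named under “Stolen Credentials” and again here, can be caught before the code is pushed. The following is an added example, not code from the article: a small scanner run over constructed source snippets, beside the environment-based alternative it recommends. The `AKIA` prefix and 20-character length of an AWS access key ID are public; the other patterns, the sample files, the `DB_PASSWORD` variable name and the `load_db_password` helper are constructed for illustration.

```python
"""Added example, not from the article: catch credentials embedded in source
before they reach a repository, and read them from the environment instead.
Sample files and the DB_PASSWORD name are constructed for illustration."""
import math
import os
import re
from collections import Counter

# Credential shapes worth flagging. "AKIA" + 16 chars is the public format of an
# AWS access key id; the PEM header is the standard private-key marker; the
# assignment pattern catches things like password = "..." in most languages.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assignment": re.compile(
        r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"]([^'"\s]{8,})['"]"""
    ),
}

def shannon_entropy(s):
    """Bits of entropy per character; placeholders like "changeme" score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text, path="<memory>", entropy_threshold=3.5):
    """Return one finding per line that looks like a hard-coded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # A quoted value with little randomness is most likely a placeholder
            # rather than a real secret, so only report high-entropy assignments.
            if kind == "assignment" and shannon_entropy(match.group(2)) < entropy_threshold:
                continue
            findings.append({"path": path, "line": lineno, "kind": kind})
    return findings

def scan_files(files):
    """files: {path: contents}. In practice this walks the working tree or
    runs as a pre-commit hook over the staged files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings

def load_db_password(env=None):
    """The fix: the credential comes from the environment (populated by the
    platform's secrets manager at deploy time), never from the source tree.
    Fail closed if it is absent rather than falling back to a default."""
    env = os.environ if env is None else env
    value = env.get("DB_PASSWORD")
    if not value:
        raise RuntimeError("DB_PASSWORD is not set; refusing to start without a credential")
    return value

# Constructed sample files: a leaked password and key, a harmless placeholder,
# and the environment-based pattern that should pass the scan clean.
SAMPLE_FILES = {
    "config.py": 'DB_HOST = "db.internal"\npassword = "s3cr3t-Xk9qL2mN"\nAWS_KEY = "AKIAABCDEFGHIJKLMNOP"\n',
    "settings.example.py": 'password = "changeme"\n',
    "app.py": 'import os\npassword = os.environ["DB_PASSWORD"]\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: possible {f['kind']}")
```

A scanner like this belongs in a pre-commit hook and in CI, because a secret that has ever been committed has to be treated as compromised and rotated even after it is deleted from the tree; the history still holds it.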
Multifactor authentication systems using one-time passwords or phone authentication steps are some of the best ways to keep passwords out of hackers’ hands. Additionally, many corporations use identity systems, minimum password requirements and regular password changes to keep hackers at bay.
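The one-time passwords mentioned above are usually the time-based codes of RFC 6238, built on the HMAC counter scheme of RFC 4226. The following is an added example, not code from the article, showing how such a code is generated and, more importantly, how the server side should verify it: constant-time comparison, a small skew window, and rejection of a code that has already been accepted. It uses only the standard library; the only secret in it is the public RFC test-vector value, and the function and parameter names are the example's own.

```python
"""Added example, not from the article: one-time passwords per RFC 4226 (HOTP)
and RFC 6238 (TOTP) using only the standard library. The example secret is the
public RFC test-vector value, not a real credential."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HMAC over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, for_time=None, step=30, digits=6):
    """Time-based variant: the counter is the number of `step`-second periods since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)

def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1, last_counter=None):
    """Server-side check. Returns the matching counter, or None on failure.

    - accepts `window` steps either side of now to tolerate clock skew;
    - compares in constant time so response timing does not leak the expected code;
    - refuses any counter at or before `last_counter`, so a code that was already
      accepted (or captured and replayed) cannot be used a second time.
    """
    if not isinstance(code, str) or not code.isascii() or not code.isdigit():
        return None
    if for_time is None:
        for_time = time.time()
    now = int(for_time) // step
    for candidate in range(now - window, now + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None

def new_enrollment_secret(nbytes=20):
    """Random shared secret for enrolling a device, base32-encoded as
    authenticator apps expect it. Store it server-side encrypted at rest."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def secret_from_base32(text):
    """Inverse of the enrollment encoding; accepts unpadded input."""
    text = text.strip().upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

# RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code for T=59:", totp(RFC_SECRET, for_time=59, digits=8))
    print("matched counter:", verify_totp(RFC_SECRET, "287082", for_time=59))
```

The server must persist the counter returned by `verify_totp` per user and pass it back as `last_counter` on the next attempt; without that, a code phished a few seconds ago is still valid, which is exactly the window a real-time phishing kit exploits. Rate-limit attempts as well: a six-digit code with a three-step window gives an attacker roughly three chances in a million per guess, which is fine only if guesses are scarce.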
7. Hacked Interfaces
Cloud computing services include interfaces to allow users to interact with the service. These interfaces, called application programming interfaces, or APIs, determine the basic security and availability of these cloud services. As companies and third parties build on these interfaces to improve their range of services, they can directly expose themselves to security issues down the road, including those associated with the confidentiality and availability of their data.
APIs, and any type of interface, are common points of attack for hackers. The interface, by definition, is a point where other systems can connect in to perform actions and get information. If any interface is accessible via the Internet, it’s potentially vulnerable. If the interface is weak enough, the hacker can then use this point of contact to breach company data.
While most cloud providers include basic security in these interfaces, a persistent hacker can exploit even the best-hidden weak points. In 2015, the IRS exposed over 300,000 records via a vulnerable API, and that’s just from a benign hacker. A malicious hacker could have used those same vulnerabilities to pull confidential records, breach company data and potentially cost companies hundreds of thousands of dollars.
In this case, building a secure interface is crucial. Use detailed threat modeling and penetration tests as a standard portion of your system testing throughout the development cycle. This will ensure your systems are built securely from the ground up, so vulnerable APIs won’t end up costing you.
8. System Vulnerabilities
Modern computer systems and networks are highly complex. Various programs and many hardware devices are vulnerable points where hackers may access the information. These access points are hardly news, if you’ve been in the software industry for a while. With cloud computing and network sharing, however, they’re becoming an even bigger problem.
According to a 2014 report, about 75% of attacks use publicly-known vulnerabilities in software that could have been prevented with a basic patch. Unfortunately, far too many users, and even some professional IT personnel, have a bad habit of overlooking or ignoring upgrade notices.
The more a program runs, though, the more chances there are for a bug to surface. This is especially true for shared networks over the cloud — each new piece of hardware on the network is another place an exploitable bug can appear.
The effect of even a small system vulnerability can be catastrophic. Data breaches, data losses and system downtime are a few things that can result from such bugs. These losses and costs, in turn, can result in thousands of dollars lost to fines and legal fees.
Fortunately, these problems are simple and relatively cheap to mitigate, especially compared to the costs of a breach. Your IT managers can scan software on a regular basis to identify any bugs or vulnerabilities.
Some best practices include regular bug scanning followed by quick follow-ups on potential system threats, with emergency patches and formal patch requests. You should also stay updated on the news about your systems so you know as soon as a new bug is identified. Usually, the vendors of your system will offer free patches within days of a potential threat coming to light, so the cost to you is minimal.
9. Malicious Employees
Some of the biggest threats to company information come from inside the organization. These insiders come in many forms — current and former employees, contractors and business partners, to name a few. Any of these may be responsible for a host of network problems, intentional or unintentional. Systems that depend on the security provided by their cloud service provider present a particular risk.
The malicious insider’s agenda can be anything from theft to revenge. In any case, they can cause serious damage. A malicious insider may steal data for personal gain. They may also manipulate data purely for the sake of destroying a business’ infrastructure.
On the flipside, the person or persons involved might not be malicious at all. It’s easy to misconstrue a simple mistake as a malicious activity. For example, there have been several cases of employees unintentionally sending sensitive data to the wrong people. There are even more cases of people copying sensitive data to public servers. Most of these users only need extra training to fix the problem and prevent future incidents.
Preventing these insider attacks takes organizational management on many levels. To avoid manipulation by both malicious insiders and well-meaning but poorly trained personnel, businesses need to segregate users according to their job functions. This includes minimizing user access to only what they need and adjusting this access on a regular basis to fit current needs. It also includes consistently removing former staff credentials from the business’ system as soon as the employee’s employment period ends.
Logging, monitoring and auditing network activity is another critical step in preventing insider issues. Tracking the access and actions of users in this manner lets administrators identify and handle problematic employee behaviors as soon as possible. For example, if a problem occurs in the system, an administrator can access the logs and identify whose credentials were associated with the problem.
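The two preceding paragraphs describe three checks an access review should run: permissions beyond what a job function needs, accounts that survived their owner's departure, and the audit-log lookup that ties an action on a resource back to a credential. The following is an added example, not the article's code, that implements all three over a constructed roster, role model and audit log (all names, roles, permission strings and dates are made up; dates are ISO strings so they compare lexicographically).

```python
"""Added example, not from the article: an access review that applies the
controls described above (least privilege by job function, prompt removal of
leavers' credentials, and tracing a logged action back to the credential that
performed it). Roster, role map and audit log are constructed."""

# What each job function legitimately needs (constructed role model).
ROLE_PERMISSIONS = {
    "analyst": {"reports:read"},
    "developer": {"repo:read", "repo:write", "ci:trigger"},
    "dba": {"db:read", "db:write", "db:admin"},
}

# Account export from the identity system (constructed). "left" is the last
# day of employment, or None for current staff.
ACCOUNTS = [
    {"user": "alice", "role": "developer", "perms": {"repo:read", "repo:write", "ci:trigger"}, "left": None},
    {"user": "bob",   "role": "analyst",   "perms": {"reports:read", "db:admin"},              "left": None},
    {"user": "carol", "role": "dba",       "perms": {"db:read", "db:write", "db:admin"},       "left": "2017-03-31"},
]

# Audit trail (constructed): who did what, to which resource, when.
AUDIT_LOG = [
    {"ts": "2017-04-02T03:15:00Z", "user": "carol", "action": "db:drop_table", "target": "customers"},
    {"ts": "2017-04-02T09:00:00Z", "user": "alice", "action": "repo:push",     "target": "billing-service"},
    {"ts": "2017-04-03T10:30:00Z", "user": "bob",   "action": "db:grant",      "target": "customers"},
]

def excess_permissions(accounts, role_permissions):
    """Permissions an account holds beyond its job function: candidates for removal."""
    result = {}
    for a in accounts:
        extra = a["perms"] - role_permissions.get(a["role"], set())
        if extra:
            result[a["user"]] = extra
    return result

def orphaned_accounts(accounts, today):
    """Accounts still present for people whose employment ended on or before `today`."""
    return [a["user"] for a in accounts if a["left"] is not None and a["left"] <= today]

def who_touched(log, target, since=None, until=None):
    """Which credentials acted on `target` in the window: the first question an
    administrator asks when something goes wrong with a resource."""
    return [
        (e["ts"], e["user"], e["action"])
        for e in log
        if e["target"] == target
        and (since is None or e["ts"] >= since)
        and (until is None or e["ts"] <= until)
    ]

def activity_after_departure(log, accounts):
    """Log entries made with a credential after its owner's last day: the
    signature of a leaver whose access was never revoked."""
    left_by_user = {a["user"]: a["left"] for a in accounts if a["left"] is not None}
    return [e for e in log if e["user"] in left_by_user and e["ts"][:10] > left_by_user[e["user"]]]

def access_review(accounts, role_permissions, log, today):
    """One report combining the three checks; run it on a schedule, not once."""
    return {
        "excess_permissions": excess_permissions(accounts, role_permissions),
        "orphaned_accounts": orphaned_accounts(accounts, today),
        "post_departure_activity": [
            (e["ts"], e["user"], e["action"]) for e in activity_after_departure(log, accounts)
        ],
    }

if __name__ == "__main__":
    import pprint
    pprint.pprint(access_review(ACCOUNTS, ROLE_PERMISSIONS, AUDIT_LOG, today="2017-04-05"))
```

In the constructed data the review finds all three problems at once: bob holds `db:admin` that an analyst does not need (and used it), carol's account outlived her employment, and the destructive action on `customers` traces back to that orphaned credential. The point of wiring the HR leave date into the identity export is that the second check becomes automatic instead of depending on someone remembering to file a ticket.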
10. Parasitic Attacks
Advanced persistent threats, or APTs, are commonly referred to as “parasitic programs.” These programs are designed to infiltrate systems silently so they can quietly exfiltrate data from the system.
These programs will enter a system through a download, often sneaking in through a phishing scam or external device. Once downloaded, these programs establish a foothold in a system and export data over time. The most common point of entry? An employee who doesn’t know any better.
Because of their stealthy manner of operation, APTs blend in with normal network usage, making them difficult to identify.
These programs can breach and leak data, costing a company dearly. Since unaware employees and users most often download APTs, cloud security groups tend to recommend better training as a solution. Tell your staff to think twice before opening an attachment or unknown link in an email. You can post blogs about common phishing techniques and how to recognize them. You can also promote the use of the advanced prevention techniques your cloud provider recommends.
Your business can also do its part to prevent damage from parasitic programs. Stay up-to-date on the latest advanced cybersecurity attacks and implement prevention tools within your IT processes. With a combination of awareness, incident response, IT training and advanced security controls, you can combat APTs and prevent most of them from taking hold in your cloud-based system. For ideas on how to train your users how to spot things they shouldn’t click on, check out this article.
Switching over to the cloud takes lots of time and effort — at least, that’s what it should take. Too many businesses take shortcuts, switching to the cloud without considering their options. This is a mistake for several reasons.
Many users take the cloud for granted. Too many expect the software to be safe from day one or assume the cloud will be identical to their current system. Making such assumptions is dangerous for businesses, causing them to overestimate the security capabilities of their system. Whether your organization is trying to migrate your existing system to the cloud or merge with another company on the cloud, you must perform your due diligence.
Businesses that don’t pay attention to the details of their cloud systems face several risks. For example, an organization that doesn’t pay attention to a contract with a provider may get little help from the provider in the event of a data breach. They may also overestimate the security provided with their system, opting to rely solely on the provided security rather than supplementing it with their own layers of protection. Such mistakes can lead to significant losses, breaches, and even security noncompliance fines from regulatory agencies.
One common situation is performing a data migration without all the security systems being in place and thoroughly tested in advance. For more information about how to plan and successfully execute a data migration, click here.
Operational and architectural issues can also arise if a company’s development team lacks familiarity with cloud technologies. Everything from vulnerable APIs to credentialing issues can come up as a result of development done without that familiarity. Additionally, the less familiar a team is with the system, the longer the implementation of the system takes. This can lead to significant downtime and lost productivity, which is expensive for businesses.
The best way for a business to avoid these issues is to do research beforehand. Understand the technology, the risks and the features your company needs before looking for a cloud hosting solution, and double check on each system you look at before signing up for one. Always be sure to double-check the contract. If your talent lies outside of the technological realm, hire a trusted IT professional to do the legwork — do whatever it takes to make sure your business is fully prepared to make the transition when the time comes.
12. Shared Technology
Shared technology poses yet another significant threat to cloud computing. Cloud services provide a common infrastructure and platform upon which several pieces of hardware can operate. If a vulnerability comes up in any one of these layers, it can hurt everyone else on the system.
Such vulnerabilities can occur anywhere. Shared platform components, applications and even mobile systems can be vulnerable to attack, providing a point of entry for hacking or malware. Even if the other aspects of the system are secure, this single point of entry can bring the whole system down with it.
Preventing issues due to shared technology takes a serious defense strategy, especially in a world where mobile is king. Defense-in-depth strategies, including multifactor authentication systems, intrusion detection systems and network segmentation methods, are just a few ways IT departments can defend a cloud system on this front.
13. Cloud Abuse
Abuse of the cloud and associated services is a serious problem that has increased in frequency lately. What is cloud abuse? Cloud abuse is the alteration or use of a cloud service to support illegal or legally-dubious activities. Some common examples include using cloud computing resources to break an encryption key or launch a DDoS attack (Distributed Denial of Service attack — the intentional paralyzing of a computer network by flooding it with data sent simultaneously from many individual computers).
Such malicious activities make victims of both recipients and other users, as well as the system provider itself. Malicious cloud activities not only reduce the system’s capacity to host legitimate businesses, but also limit the availability of support services. While support staff works to handle the malicious activity, legitimate businesses are put on hold.
These activities also put a financial burden on users. Financial abuse of cloud systems passes the cost of fraudulent payments on to other users, while DDoS attacks on cloud providers can disrupt service and cause an outage.
Any type of cloud abuse can result in lost business and increased costs, both to the cloud platform and to your company as a cloud user. Combating such abuses often falls to the cloud provider, and often includes payment validation resources, incident response systems and other mitigation methods. As a customer, you can help the fight against cloud abuse by reporting any instances of abuse to your provider whenever you see it.
Because cloud-using businesses can’t do much to combat cloud abuse directly, it’s important for you to choose a cloud provider who can protect you. Keep an eye on news regarding any potential cloud provider to judge whether they can adequately protect you from the negative effects of cloud abuse. Ask if there is a mechanism available for customers to report cloud abuse.
You should also ask your representative how the provider protects users against the effects of cloud abuse. If they can’t answer these questions, it may be in your best interest to find another provider who can.
Weaknesses of the Cloud
While the problems listed above exist in any network, to a degree, the cloud environment may add additional chances that something may go wrong, and what can go wrong might be even more catastrophic.
The APIs that are used to interact with cloud services for data transfer and management offer opportunities for unauthorized entry. These interfaces tend to be the most exposed and vulnerable part of the system as they’re open to the web. Defeating potential intruders means designing the interfaces for security and routine testing of the security measures.
The threat of a malicious insider is present in any network. In the cloud environment, the number of people with access who could potentially create intentional harm is multiplied. Systems must be in place to monitor the activity of valid users and administrators with a procedure for shutting out a malicious attack, even when it comes from inside.
Hackers can now use the power of the cloud itself against it, accessing the massive resources of the cloud to do more damage than might be accomplished with a single computer or server. Cloud services could be taken over and used to launch massive denial of service attacks, for example. Breaking an encryption key with a single computer might take years, but with additional resources, could be done in a much shorter time.
What We Can Do
Will there ever be a perfectly 100% secure network? No. Those who wish to cause trouble are not likely to stop their forward advance into new and better ways of causing trouble. IT professionals need to continue to get better at what they do, make better use of technology, and continue to be diligent. While not comprehensive, the following is a good start:
* Use strong passwords and change passwords often.
* Choose the strongest encryption available.
* Carefully evaluate the security measures provided by your cloud service provider in the selection process.
* Back up all data always, to multiple locations.
* Perform penetration tests routinely to find vulnerabilities.
* Wherever possible, institute multiple layers of security.
* Craft a quick action plan for what to do when your data is accessed and train all your personnel on it. You can find some very good information on how to train users here.
* Use one-time passwords and require phone authentication to change passwords.
* Keep yourself updated; read the latest news articles and blog posts about security issues.
* Do not embed the credentials for access in source code.
* Protect against insider attacks by segregating access to sensitive data based on job function.
* Immediately block all access to terminated employees, and employees suspected of wrongdoing.