Top Cloud Security Risks and How to Address Them
Shivani Jariwala, Director - Cloud Security Services at CPX and Oscar-Iván Lepe-Aldama, Manager - Cloud Security Services at CPX on emerging security risks that can hinder the expansion of cloud services, and recommendations to mitigate them.
Organisations are rapidly migrating to cloud computing for increased efficiency and scalability. With this surge comes new and more sophisticated cloud security concerns. For organisations to continue reaping the benefits of the cloud, they must plan for these risks rather than merely reacting to them.
This article takes into consideration emerging security risks that can hinder the expansion of cloud services and provides recommendations to mitigate them.
- Legal and Regulatory Non-Compliance
Organisations need to abide by local, regional, and international laws and regulations. In countries like the UAE, these laws are still evolving, as seen in the new Personal Data Protection Law.
Ultimately, organisations must understand where their data resides and travels, and how they audit information and provide access controls. This requires mapping out the compliance and regulatory landscape for internal and external stakeholders such as internal business stakeholders, vendors, and clients. Identifying the ideal cloud service provider (CSP) and application trust boundaries, while carefully reviewing CSP contracts around export controls is also essential.
- Loss or Theft of Intellectual Property
Companies increasingly store sensitive data in the cloud. An analysis by Skyhigh found that 21% of files uploaded to cloud services contain sensitive data, including intellectual property. When a cloud service is breached, cybercriminals can gain access to sensitive data. Understanding which data will be processed, stored, and transmitted by applications is necessary as standard CSP contracts will not accept liability for sensitive data. Thus, CSP contracts need to be reviewed so terms and conditions are amended for the handling of such data.
- Loss of Control
A significant challenge that cloud services create is the loss of control over management of complex architectures. Without considerable planning, an organisation’s existing monitoring frameworks cannot effectively track both on-premises and public cloud environments. Relevant teams must proactively assist with monitoring requirements and processes during cloud design stages. It’s nearly impossible to implement effective monitoring as an afterthought.
- Data Breach Notifications
If sensitive data is breached, your organisation may be required to disclose the breach. Following legally mandated breach disclosures, regulators can levy fines, in addition to potential consumer lawsuits. Evaluating CSP contracts and how they handle their breaches gives you insights into their process. It is also important to note that, upon go-live, a channel of communication should be established, and responsibilities assigned for incident communications.
- Data Disclosures
Cloud customers have little to no control over data disclosure whenever a Mutual Legal Assistance Treaty (MLAT), or similar Foreign Access, is requested. It can intrude upon any client data with the CSP. Data encryption and key management controls can help limit data disclosures, but this is an area that has yet to mature. These security services are typically added afterwards due to late recognition of customers’ increasing data security concerns. For example, when CSPs offer the Bring Your Own Key (BYOK) option, it creates the perception of increased security and control. Digging deeper into the BYOK model reveals that it is applied only at varying tiers of the key hierarchy across CSPs, and customers are not necessarily in control of the keys that actually protect data. Organisations must carefully review encryption and key management architecture provided by the CSP.
- Loss of Governance
Statistics show 80% of workers admit to using SaaS applications at work without getting approval from IT. To reduce the risks of unmanaged cloud usage, organisations need to define their cloud policy, obtain visibility into the cloud services in use by their employees, and understand what data is being uploaded to which cloud services. This allows organisations to better govern and protect corporate data.
- Magnified Impact of Configuration Mistakes
As per IBM’s 2020 X-Force Threat Intelligence Index, threat actors took advantage of misconfigured cloud servers to siphon over 1 billion records from compromised cloud environments in 2019 alone. Misconfiguration occurs when computing assets are set up incorrectly, leaving them vulnerable to malicious activity. The reality is that cloud-based resources can be complex and dynamic, making them challenging to configure.
Organisations should embrace automation to continuously scan for misconfigured resources and remediate problems in real-time. Enabling multi-factor authentication (MFA) and ensuring staff undergo adequate technical training is also vital.
- Deploying Applications Designed to Run On-Premises
Digital transformation initiatives push for faster software development cycles. Security is often considered last, resulting in additional time and effort spent fixing vulnerabilities. The risk is worse if on-premises applications are deployed on the cloud. For instance, a cloud-native app must include special means for logging state and performance. They must support technology agnostics APIs and Zero-Trust identity management. To mitigate the risk of deploying non-cloud adapted apps into the cloud, organisations should consider establishing a security-by-design strategy, incorporating cloud-native application security, and adding CWPP to their DevOps CI/CD toolchain.
Reaping the Benefits of the Cloud while Managing the Risks
You can outsource cloud services and operations, but the accountability of data remains with your organisation. The critical success factor is ensuring all stakeholders, including business, IT, and CSP are part of the risk assessment, eventual findings, and remediation. Security must be addressed from the beginning of the project and continue to be evaluated throughout, even after project completion. Rather than putting out fires as they arise after deploying new technologies, network and cloud environments should be proactively managed.
The cloud is here to stay, and companies must plan accordingly for the risks of cloud services with the clear benefits they bring.