Top 10 Cloud Security Risks
Organization leaders today face a complex question regarding the cloud- while it comes with many significant benefits which include scalability, cost efficiency and operations optimization, it still faces many potential security threats. If the annual reports produced by the Identity Theft and Research Centre are anything to go by, the cloud remains the single most endangered unit consistently targeted by hackers and malware.
In a bid to reduce the risks, managed service providers and organizations have heavily invested in risk assessment and subsequent prevention and breach-response infrastructures. As a result, the number of cloud users confident in their data security has risen to 75%, up from 33% in 2010. The IDG Research Group attributes improved cloud security to increased pressure from consumers, who have been pushing for vendors to strictly adhere to industry standards. In fact, 41% of cloud vendors reported that increased security spending was triggered by client requirements, which keep growing with time. 52% of the clients are satisfied by the progress and are optimistic that they will increase their security spending to counter the increasing threats.
The first and arguably the most critical step in countering them is individually assessing the risks to comprehend them. To help you in this, here are the top to security risks your cloud faces:
- Data Loss
Data loss refers to the accidental loss of data which is not backed up- and is therefore irrecoverable. Although it may occur due to hardware or software failure, it’s mostly triggered by human error or malice. For instance, one could lose the encryption key, subsequently making the data irretrievable. One of the most recent large scale data losses affected Amazon Web Services customers in 2011, who lost data after the cloud suffered a major remirroring storm caused by human error.
- Data Breach
Although data loss and data breach are two frequently used as synonyms of each other, they refer to different risks- while data loss is the accidental loss of data, data breach refers to malicious access and retrieval of data, a strategy which is normally orchestrated by a hackers. A perfectly good example of this is Target’s unfortunate loss of sensitive credit card and personal information of more than 100 million of its customers, after hackers successfully bypassed its virtual machine’s firewall.
- Shared Service Threats
Most cloud services, particularly public cloud resources, are supported by multi-tenant frameworks- they are shared between different users and organizations. Although resource sharing is highly encouraged as a cost-reduction strategy, it exposes cloud users to a wide range of shared service threats. These are threats which initiate from a single user and subsequently spread to the rest of the cloud, affecting other users. They are harder to manage and control compared to single-tenant threats.
- Browser Threats
In the past, hackers popularly attacked endpoint operating systems and subsequently used them to create portals into different cloud servers. Although a couple of them still do so, most have shifted to web-based threats which involve infiltrating browsers and consequently using them to gain entry into cloud servers.
One of the infamous examples is the Padding Oracle On Downloaded Legacy Encryption, which is a special bug that hackers came up with to gain access to private browsing information. Millions of internet users unknowingly downloaded it as it embedded itself in web pages and email files. After downloading, it automatically launched itself to grant hackers complete control in decrypting session cookies which identify users to their respective online accounts. As a result, attackers took over email, cloud and social media accounts to access sensitive, confidential data, and use the accounts for spamming and phishing.
- Cloud Resources Available To Hackers
With limited hardware resources, a hacker usually takes a couple of days or even months just to develop multi-dimensional malware to infiltrate and crack systems. However, since the advent of the cloud, hackers can now take advantage of the cloud resources to improve their processing capabilities and consequently crack systems faster and develop superior hacking software. Some of these resources are even used to launch attacks on other cloud services.
- Insider Threat
An insider threat is arguably the most damaging risk that organizations face. The fact that insiders have unlimited access to critical company information makes them even more dangerous and intimidating than hackers. After getting compromised by third parties, insiders working for vendors or organizations could knowingly or unknowingly leak critical data from the cloud. One particular insider who recently graced the headlines is Edward Snowden, a whistleblower who leaked NSA documents proving the organization’s top secret phone and internet surveillance.
- Denial of Service
Denial-of-Service is an old attack strategy, but still fairly prominent among cloud users. Attackers usually target specific cloud services and lock out users without shutting them down. Therefore, despite service unavailability, users are billed for the resources they use even during the attacks.
- Unstable APIs
The cloud has exceptionally empowered organizations in distributing their services to a wide range of users. Unfortunately, this exposes them to a myriad of risks and policy circumvention, which are best controlled through APIs. Although they regulate third party access to services, most of the APIs are unstable and are used to circumvent protocols in accessing data and selected services.
- Account Hijacking
This is arguably one of the most favorite tricks in the hacking book. Hackers use different strategies to infiltrate cloud systems, gain access to a wide range of accounts and use the users’ credentials for phishing and spamming. One of the most recent large scale attacks was directed at Amazon, where hackers launched a cross-site scripting attack to hijack customer accounts in Amazon’s wireless retail site.
Although users are regarded as the single most important entity in the cloud, they also introduce a new set of risks. Some of the user activities like random clicks on email links, visiting fake websites and downloading data introduce malware within cloud systems, which ultimately develop into full blown attacks.
Although they cover the major threats, these represent just a fraction of the security risks the cloud faces. It’s therefore imperative for organizations to consult security experts for comprehensive risk assessment and implementation of necessary prevention measures. If you are thinking of leveraging public cloud services, it’s advisable to first comprehend their security protocols and measures to ensure your data and account is safe before proceeding to subscribe.
Author Davis Porter
Image Courtesy: suphakit73, freedigitalphotos.net