The rapid adoption of cloud computing services has given businesses a false sense of security when it comes to protecting their data.
The cloud has enabled businesses to launch and scale globalized operations at speeds once considered unimaginable by limiting resource investment, increasing global communications, and providing everything from computing services to fully functional applications as a service. As a result of this technological explosion, new online threats have proliferated, outpacing the development of security solutions necessary to combat them.
New threats and the emergence of cloud computing
After the emergence of “Web 2.0” in the mid-2000s, cloud computing and the power of virtualization gave birth to anything imaginable “as a service.” This included everything from raw resources (IaaS) to fully functional, cloud-native applications delivered as a cloud service (SaaS).
Naturally, new security solution providers emerged, and existing ones had to adapt. Data has shifted from on-premises solutions to the cloud, requiring new governance and protection solutions. Infrastructure is managed by service providers, which requires both parties to do their due diligence. Cloud-native applications require new kinds of firewalls and security policy configurations.
The list goes on. As a result, the cloud cybersecurity market is growing rapidly. In 2016, the cloud security market size was valued at less than $5 billion, according to Grand View Research. By 2022, that number is expected to hit $13 billion, according to MarketWatch.
In 2018, the average enterprise company experienced more than 30 cloud-related security threats a month, according to McAfee, up 27.7% from the previous year. This includes threats from third-party actors, insider threats, and privileged users.
Risks of cloud computing
Access control and insider threats
Cloud-based access control refers to the management of users authorized to access cloud-based systems and data remotely. This has become an enormous issue since cloud-based services are operated and accessed globally. As a result, companies must track who accesses what information, manage user identities and privileges, and monitor for suspicious activity. Successful access control needs to combine solutions focused on authentication and identity management.
Companies utilizing cloud services must consistently manage access to information stored in the cloud, especially if that information is considered sensitive. Sensitive data must be encrypted, cryptographic keys should be securely stored, and encryption keys should be rotated.
They must also handle the lifecycle management of authorized users. Privileged access management software helps grant approved parties permissions to specific systems. Conversely, identities must be deprovisioned after access termination, suspicious behaviors, or security incidents.
While security keys and access management may seem obvious, it can be easy for individuals to mislabel data or forget to protect information. This is how Facebook leaked millions of phone numbers in August. The company left files containing sensitive data on a server that was not password protected, let alone encrypted. Requiring multi-factor authentication for the majority of access points is an easy solution; however, this may not be ideal for everyone.
Misconfigurations and data breaches
The recent Facebook incident was likely the result of old servers that were mismanaged and forgotten. However, many larger data breaches result from the misconfiguration of security mechanisms. Hackers and other cybercriminals use these misconfigurations to escalate their privileges and access sensitive data and private information.
That’s exactly what happened to Capital One in July 2019. A former AWS employee took advantage of a misconfigured web application firewall to escalate privileges. As a result, sensitive information related to more than 100 million people in the United States and about 6 million Canadians was released.
Earlier this year, McAfee interviewed 1,000 enterprises about misconfigurations. They found that 99% of misconfigurations go unnoticed. Despite enterprises reporting an average of 37 misconfiguration incidents a month, McAfee’s real-world data suggests the number is closer to 3,500 incidents a month.
While the responsibility ultimately belongs to those using cloud services, ensuring proper configuration is possible using solutions such as network security policy management and general configuration management software. Many of these are cloud-native and are designed to identify common misconfigurations and enforce strict cloud security policies.
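The checks described in the access control and misconfiguration sections above can be expressed as a small policy audit. This is an added example, not code from the article or from any vendor; the inventory is constructed, and the field names, the 90-day rotation window, and the MFA rule for privileged accounts are assumptions.

```python
from datetime import date

# Constructed inventory for illustration; the schema is hypothetical.
TODAY = date(2019, 9, 1)
MAX_KEY_AGE_DAYS = 90  # assumed rotation policy

STORES = [
    {"name": "crm-exports", "sensitive": True, "auth_required": False, "encrypted": False, "key_rotated": None},
    {"name": "billing-db", "sensitive": True, "auth_required": True, "encrypted": True, "key_rotated": date(2019, 1, 10)},
    {"name": "public-site-assets", "sensitive": False, "auth_required": False, "encrypted": False, "key_rotated": None},
    {"name": "hr-records", "sensitive": True, "auth_required": True, "encrypted": True, "key_rotated": date(2019, 8, 1)},
]
IDENTITIES = [
    {"user": "alice", "active": True, "terminated_on": None, "privileged": True, "mfa": True},
    {"user": "bob", "active": True, "terminated_on": date(2019, 6, 30), "privileged": False, "mfa": True},
    {"user": "carol", "active": True, "terminated_on": None, "privileged": True, "mfa": False},
]

def audit_stores(stores, today=TODAY, max_age=MAX_KEY_AGE_DAYS):
    """Flag sensitive stores that are open, unencrypted, or using stale keys."""
    findings = []
    for s in stores:
        if not s["sensitive"]:
            continue  # mislabelled data escapes this check, so labels need review too
        if not s["auth_required"]:
            findings.append((s["name"], "sensitive data reachable without authentication"))
        if not s["encrypted"]:
            findings.append((s["name"], "sensitive data not encrypted at rest"))
        elif s["key_rotated"] is None or (today - s["key_rotated"]).days > max_age:
            findings.append((s["name"], "encryption key overdue for rotation"))
    return findings

def audit_identities(identities, today=TODAY):
    """Flag accounts that were never deprovisioned or lack MFA while privileged."""
    findings = []
    for i in identities:
        if i["active"] and i["terminated_on"] and i["terminated_on"] <= today:
            findings.append((i["user"], "account still active after termination"))
        if i["active"] and i["privileged"] and not i["mfa"]:
            findings.append((i["user"], "privileged account without multi-factor authentication"))
    return findings

if __name__ == "__main__":
    for target, issue in audit_stores(STORES) + audit_identities(IDENTITIES):
        print(f"{target}: {issue}")
```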
Integrations and API security
Cloud services providers typically deliver application programming interfaces (APIs) to their customers for managing and interacting with their services. Without these, their customers would not be able to use, manage, or monitor any cloud services. They might also use a software-based interface to serve the same purpose.
These APIs may be public-facing and provide an IP address to parties outside a company’s secure network. That makes them an easily identifiable target and a major security priority. Like software, they may contain vulnerabilities.
For example, a vulnerability with the highest possible severity level was discovered in the Cisco REST API this August. The bug let hackers exploit a number of Cisco routers, since they could easily bypass authentication and obtain full control over the device.
Cloud-native application flaws
Application vulnerabilities can expose companies to any number of security threats. Cloud-native applications remain vulnerable to the same threats as traditional applications, as well as new ones due to the increased attack surface inherent to the cloud.
Companies delivering applications powered by third-party infrastructure providers must ensure their application is free of vulnerabilities, their management APIs are secure, and mechanisms are properly configured.
Without proper security policies in place, hackers can exploit system vulnerabilities to steal information, crash applications, or control devices. Once compromised, a vulnerable application can release confidential information stored or integrated on it.
Another emerging trend in cloud computing, container-based applications, may become big targets next. Luckily, as I wrote last month, the container security market is rapidly expanding and evolving to help tackle container-related issues with everything from AI-based anomaly detection to distributed security policy enforcement at the application level.
Last, but not least, is cloud compliance. It’s a threat to both a business’ safety and its pocketbook—not to mention the customers who trust companies to protect their data.
According to McAfee, 21% of all files in the cloud contain sensitive data. That’s why regions, countries, and states have taken action to protect their citizens’ privacy. Because of cloud data privacy regulations, sensitive data may need to be handled differently in various jurisdictions.
These regulations include the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) that goes into effect Jan. 1, 2020. Consumer protection laws related to cloud data require things like access control, data portability, encryption at rest, and customer consent. Many also require businesses to deliver the information they’ve gathered on consumers when requested.
Luckily, cloud compliance solutions are designed to ensure all relevant consumer protection requirements are met. These products identify resources across cloud and IT environments, centralize governance, assess risk, and enforce policies aligned with government and industry regulations.
Data privacy and data-centric security solutions have expanded in popularity. Data privacy tools are typically used to ensure the visibility of sensitive information and its deliverability to customers. Data-centric security tools are designed to help discover sensitive data while continuously auditing databases and investigating resources for sensitive information that may be exposed.
Using these tools helps companies avoid stiff penalties like the €50 million fine Google had to pay the European Union for failing to comply with GDPR obligations. Google could have avoided these fines by properly informing consumers about how their data is used and being more transparent about its data consent policies.
While there are many risks associated with cloud computing, it isn’t going anywhere. Companies should generally accept the idea that digital transformation has entered a new era of cloud computing and consumer relations governed by data, privacy, and transparency.
Business leaders managing information online must continuously educate themselves on emerging threats and regulations. If they fail, they will fail to secure their customers’ information, resulting in hefty fines and, worse, losing customers’ trust.