According to last year’s Gartner forecast, public cloud services are anticipated to grow to USD 266.4 billion by the end of this year, up from USD 227.8 billion just a year ago. Clearly, cloud computing is making its way to cloud nine (see what I did there?), enjoying the sweet fruits of a decade in the spotlight. However, the threats to public cloud security are growing at the same rate.
Despite the optimistic outlook, emerging public cloud security challenges in 2020 have now reached an alarming stage. The cloud security market has witnessed a few of the nastiest cybercrime cases, even during the COVID-19 pandemic.
Role of GDPR compliance and Data Privacy
What are the Business Implications of GDPR?
GDPR puts the customer in the driver's seat. It tasks businesses with complying with the regulation in order to honor the security, privacy and integrity of the customer's personal data. GDPR compliance is followed by countries throughout the EU as well as by many non-EU countries.
What falls under GDPR Compliance?
When your business offers products or services to an EU citizen, this compliance applies to you, regardless of whether you are an EU or non-EU based company. Companies that work daily with personal data are required to appoint a data controller or a protection officer accountable for the organization’s compliance with the regulation. If the company doesn't comply with these GDPR requirements, there are strict implications and penalties of up to 4% of annual revenue globally or up to 20 million Euros, whichever is higher.
Under the GDPR, individuals are given:
- The right to access
- The right to data portability
- The right to be forgotten
- The right to be notified
- The right to be informed
- The right to restrict processing
- The right to have data updated or corrected
- The right to object
Accountability and Data Ownership
GDPR requires that data processing companies nominate a data controller to meet the law's requirements. Cloud service providers often work across countries. Whenever a vendor is involved, it introduces a third party that is processing the data in transit. This alone adds an extra layer of risk. It is crucial to confirm that this third party can ensure data protection accountability, especially surrounding backup and recovery of your data.
The cloud vendor must comply with a set of security policies that assure compatibility with your industry, with the regulations in your own country, and with those of the country where the data is domiciled. Vendor risk management procedures are the way to smartly and securely manage this issue. This means your cloud vendor's use of technologies should be top-notch in data encryption, robust authentication, disaster recovery policies, and of course, compliance with cyber law including GDPR.
One of the biggest cloud computing security concerns and challenges in 2020 has been data breaches caused by cyber-attacks on corporate enterprises. The costs for some of the newest strains of ransomware have become staggering. While it could be easy to question the security of a cloud provider, that is an over-simplification of the problem. Remember, accountability always resides with the cloud consumer. This is why due diligence is so important when choosing your cloud vendor.
Lack of Cloud Security Architecture & Strategy
Globally, organizations are migrating small portions of their IT infrastructure and architecture to public clouds. One of the key challenges during this migration and transition is carrying out suitable security planning to withstand cyberattacks.
Rob Lefferts, Corporate Vice President of Microsoft 365 Security, also warned about the threat during the COVID-19 lockdown months earlier this year. Microsoft reported a breach using “COVID 19” as click-bait keywords in e-mails, mobile alerts, and news updates exposing unsuspecting people to malware. Many enterprises got caught up in the cross-fire, as well, with their intellectual property compromised by cybercrime.
Private data is exposed to diverse threats when companies assume that cloud migration is an easy process, like a "drag and drop" feature. A lack of appropriate knowledge and understanding of the public cloud service is a contributing factor that can also compromise the security responsibility model.
User Identity Theft
Cloud computing adds multiple changes to old system management practices related to identity and access management. Insufficient identity, credential, and access management exposes corporations and their staff to this new world of cloud threat. Both public and private cloud environments, cloud service providers, and cloud users are expected to maintain their access without endangering security.
Various governments, corporations, and banks have been targeted by cybercrime. One such attack was carried out by setting up fake trading websites that were identical to those of leading brokerage houses. Various lures, such as e-mail, social media, and SMS, were used to capture credentials to make a trade on behalf of the victims’ accounts. This incident created losses starting from USD $60,000 in a blink.
Cloud computing providers introduce a set of software user interfaces and application programming interfaces (API) to allow users to operate and interact seamlessly with cloud services. The protection and availability of general cloud services are reliant on the security of the APIs.
Cybercriminals latched onto rich pickings such as Netflix and Disney viewers. Early in April 2020, 700 fake websites mimicked these sign-up pages and jeopardized billions of subscribers during the pandemic lockdown. Personal information was stolen through these bogus websites.
The interfaces must be planned to protect against both incidental and malicious attempts to bypass the security policy, from authentication and access control to encryption and activity monitoring. Inadequately designed APIs could lead to misuse or, even worse, an unpredictable data breach. Organizations must follow the security specifications when creating and publishing these interfaces on the web.
Cloud usage visibility
Poor cloud usage visibility occurs when an organization lacks the ability to see and analyze whether the cloud service in use is safe or malicious. This visibility threat is broken down into two parts: sanctioned app misuse and unsanctioned app use.
Companies may be unaware of how an approved application may be leveraged by an "insider" who unintentionally misuses the application. Conversely, employees who use cloud applications without the specific permission and support of corporate IT create another problem known as shadow IT. Gartner warned and predicted in 2020 that one-third of every successful security incident against companies would come through shadow IT.
The Netwrix 2018 Cloud Security Report shows that 58% of companies' security breaches were caused by insiders. Trusted employees, architects, and vendors can be the biggest security hazards. These insider threats don't need malicious intent to cause harm to a business. In fact, many insider incidents originate from a lack of knowledge, training, or simple negligence. Insider negligence has caused the largest security episodes. Employee or vendor negligence was the root cause of 64% of reported incidents, whereas 23% were criminal insiders and 13% were the result of credential theft.
There's a constant challenge to hire qualified security specialists for the cloud computing ecosystem. This problem can be worsened with the cloud since not everyone is familiar with cloud security or with global regulations pertaining to the cloud. For a company that is currently considering a cloud migration strategy, this creates the simultaneous risk of lacking both technical and legal knowledge.
The year 2020 has demonstrated that the escalating threats and challenges of the public cloud, cybercrime, and targeted attacks are only getting worse. Coupled with the pandemic crisis, this has given us a different perspective to look at cybersecurity and cloud security standards that our organizations can withstand. However, a new rise in the demand for cloud security solutions has also come into play, proving that having the right technology partner to resolve your security ecosystem is vital.
Many regulations and compliance standards are also emerging, including GDPR, to ensure fair and secure industry-wide safeguarding standards. The demand for cloud security services is expanding each year with a growing number of threats and attacks. For these reasons, it is of vital importance to carefully choose a vendor or tech partner who can safeguard your business by offering a frictionless security ecosystem.
About the Author: Hardik Shah is a Tech Consultant at Simform, a firm which provides mobile app development services. He leads large scale mobility programs that cover platforms, solutions, governance, standardization, and best practices.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.