Security is both a benefit and a concern for enterprises when it comes to cloud computing. On the one hand, B2B research and review website Clutch.co found in its Security and the Cloud: Trends in Enterprise Cloud Computing report that 22 percent of enterprises ranked security as the primary benefit of cloud computing. The finding held even though businesses primarily utilize the cloud for increased efficiency (15 percent), data space (12 percent), scalability (9 percent), speed (9 percent) and other benefits.
On the other hand, privacy and data concerns persist despite more than 90 percent of businesses using the cloud to store mission critical data. Respondents to Clutch’s survey said cloud security is the challenge they encountered most frequently. As such, security dwarfed organizations’ concerns for cloud computing training and cost.
Enterprises should consider security before they migrate to the cloud. But at the risk of being too vague, we must ask: what specific cloud security challenges pose a threat to enterprises?
Let’s examine four security threats associated with the cloud that businesses should keep in mind.
1. Data Breach
With organizations turning to the cloud to store business-critical data, bad actors are increasingly looking to compromise cloud service providers. It’s no surprise why.
A successful hack could net them the personal and/or financial information for hundreds and millions of users, details which they could either abuse to commit payment and identity fraud or monetize on the dark web. Such exposure could damage affected companies’ reputations and force them into shelving the costs for legal fees, free identity monitoring, and reissued payment cards.
The threat of a cloud data breach is troubling because organizations are ultimately responsible for protecting their customers’ information regardless of where they store it. Enterprises must, therefore, trust that their cloud service provider has implemented adequate security measures to prevent a data breach.
By extension, companies that don’t research their cloud service provider don’t know what safeguards help protect their data. They might also lack insight into what measures they could take to prevent a security incident involving their provider from affecting their users’ data.
2. Lack of/Weak Identity Access Management and/or Authentication
In The Treacherous 12: Cloud Computing Top Threats in 2016 (PDF), Cloud Security Alliance (CSA) identifies the absence of identity access management (IAM) systems, multi-factor authentication, and weak password use as key forces that help escalate cloud-based security incidents into data breaches. The not-for-profit cloud computing organization also says enterprises’ failure to properly secure and rotate cryptographic keys endangers information stored in the cloud.
As CSA explains in its report:
“Credentials and cryptographic keys must not be embedded in source code or distributed in public facing repositories such as GitHub, because there is a significant chance of discovery and misuse. Keys need to be appropriately secured and a well-secured public key infrastructure (PKI) is needed to ensure key-management activities are carried out.”
In the absence of the security controls listed above, attackers could abuse high system privileges or weak authentication/encryption measures to breach a company’s data after compromising their cloud service provider.
3. Data Loss
Not every bad actor who gains access to a cloud service provider’s saved information wants to abuse or monetize it. A hacker’s sole mission might be to delete the information. In the absence of data backups and other security measures, such a move could spell disaster for the enterprise and threaten its longevity.
Digital attacks aren’t the only causes of data loss in the cloud, either. Security researcher Dan Virgillito identifies another factor in an article for CloudTech. To do so, he recalls an unfortunate incident involving Amazon:
“Amazon’s EC2 cloud services crash destroyed some data on a permanent basis. While the data loss was small compared to the total data stored, it was catastrophic for some companies. Chartbeat, one of Amazon’s customers, had to inform its clients that 11 hours of historical data was deleted permanently.”
Cloud service providers make use of servers and hard drives like anyone else. It doesn’t happen all that often, but sometimes these technologies fail. Service providers can usually recover that data, but companies should take precautions with their own data all the same.
4. Lack of Due Diligence
Whenever enterprises adopt new technology such as the cloud, they need to do so with their business strategies and assets in mind. It’s, therefore, important that organizations take the time to do their due diligence and evaluate how a service or technology fits into their business road map. Failure to do so could spell trouble.
Cloud Security Alliance states as much in The Treacherous 12:
“An organization that rushes to adopt cloud technologies and choose CSPs without performing due diligence exposes itself to a myriad of commercial, financial, technical, legal and compliance risks that jeopardize its success. This applies whether the company is considering moving to the cloud or merging with or acquiring a company that has moved to the cloud or is considering doing so.”
For instance, organizations might decide to roll out a new application that relies on their cloud service provider to operate at an optimum level. But the service provided by the app might not be a priority for the provider, and issues could arise in obtaining the necessary operational and architectural support for the new technology. Legal and compliance complications could also arise from storing customers’ information in the cloud, issues which could result in fees and other penalties.
Hope for the Future
Every organization should address the threats of data breaches, a lack of/weak IAM and/or authentication, data loss, and a lack of due diligence before migrating to the cloud. They should take two steps as part of this risk management process.
First, they should confirm that their cloud service provider implements safeguards like 24/7 monitoring and other multi-layered security measures to protect companies’ data. Second, they should use security measures like encryption, IAM, and data backups to protect their information that’s slated for storage in the cloud. These efforts will help make sure their information is safe even in the event their cloud service provider suffers a security incident.
Enterprises might also want to consider using a hybrid cloud to store their data. This type of cloud computing arrangement makes use of on-premises, private cloud, and third-party public cloud services. As such, the mixed infrastructure allows businesses to enjoy the benefits of the cloud while also preserving their on-site responsibility for safeguarding their information.