Cloud computing has quickly become a key part of the business model for many organisations, but it would be wise not to ignore the security risks of cloud computing, as doing so can incur major penalties.
The cloud comes with many key advantages, such as lowering the cost for smaller firms to run compute-intensive business analytics or, as in the case of UK challenger bank Monzo, allowing you to build a completely new business model powered by cloud computing.
Yet for all the myriad useful security tools that the leading cloud providers offer, which, configured correctly, are typically more than a match for on-premises systems, the security and maintenance of the data being stored or processed in the cloud typically remains the sole responsibility of the firm it belongs to, and errors start with misconfigurations.
Greg Day, VP & CSO for EMEA at Palo Alto Networks, told Computer Business Review: “Often we see the most simple mistakes from poor account management, which is why 29 percent of organizations experienced potential account compromises, 32 percent had simple configuration issues and 23 percent found critical patches missing.
“These are security fundamentals we have been doing for years, yet the cloud adds complexity in shared responsibility models.”
Many of the major data breaches involving cloud computing that have hit the headlines in recent years stem from misconfigured web applications and cloud storage buckets. McAfee claim that 99 percent of IaaS misconfigurations go unnoticed by IT professionals, and one culprit is a highly automated infrastructure that ‘automates misconfigurations along with all the rest’, resulting in vulnerable systems.
The top ten causes of AWS misconfigurations in particular, according to McAfee researchers, are:
- EBS data encryption is not turned on.
- There’s unrestricted outbound access.
- Access to resources is not provisioned using IAM roles.
- EC2 security group port is misconfigured.
- EC2 security group inbound access is misconfigured.
- Unencrypted AMI discovered.
- Unused security groups discovered.
- VPC Flow logs are disabled.
- Multi-factor authentication is not enabled for IAM users.
- S3 bucket encryption is not turned on.
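As an added example (not from the article or from McAfee), the following Python function audits a constructed snapshot of account resources for several of the items on this list: world-open inbound rules, unrestricted outbound rules, unused security groups, unencrypted EBS volumes, IAM users without MFA and S3 buckets without default encryption. The snapshot dicts loosely follow the shape of boto3 `describe_*` responses, but the `attached_group_ids`, `mfa_devices` and `default_encryption` fields are simplifications assumed for the example.

```python
"""Offline audit of a constructed AWS resource snapshot (not real account data)
against several of the McAfee top-ten misconfigurations."""

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample snapshot; field names partly mimic boto3 output.
SNAPSHOT = {
    "security_groups": [
        {"GroupId": "sg-web",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                            "IpRanges": [{"CidrIp": ANY_V4}]}],
         "IpPermissionsEgress": [{"IpProtocol": "-1",
                                  "IpRanges": [{"CidrIp": ANY_V4}]}]},
        {"GroupId": "sg-orphan", "IpPermissions": [], "IpPermissionsEgress": []},
    ],
    "attached_group_ids": {"sg-web"},  # groups referenced by running instances
    "volumes": [{"VolumeId": "vol-1", "Encrypted": False},
                {"VolumeId": "vol-2", "Encrypted": True}],
    "iam_users": [{"UserName": "alice", "mfa_devices": 1},
                  {"UserName": "bob", "mfa_devices": 0}],
    "buckets": [{"Name": "logs", "default_encryption": True},
                {"Name": "exports", "default_encryption": False}],
}


def _open_to_world(rule):
    """True if a security-group rule allows any IPv4 or IPv6 source/destination."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in (ANY_V4, ANY_V6) for c in cidrs)


def audit(snap):
    """Return a list of (finding, resource_id) tuples for the snapshot."""
    findings = []
    for sg in snap["security_groups"]:
        gid = sg["GroupId"]
        if any(_open_to_world(r) for r in sg["IpPermissions"]):
            findings.append(("sg-inbound-open-to-world", gid))
        if any(_open_to_world(r) for r in sg["IpPermissionsEgress"]):
            findings.append(("sg-unrestricted-outbound", gid))
        if gid not in snap["attached_group_ids"]:
            findings.append(("sg-unused", gid))
    findings += [("ebs-unencrypted", v["VolumeId"])
                 for v in snap["volumes"] if not v["Encrypted"]]
    findings += [("iam-user-no-mfa", u["UserName"])
                 for u in snap["iam_users"] if u["mfa_devices"] == 0]
    findings += [("s3-no-default-encryption", b["Name"])
                 for b in snap["buckets"] if not b["default_encryption"]]
    return findings
```

On the sample snapshot this reports six findings; wiring the same checks to live `describe_*` calls turns it into the kind of continuous check that catches the misconfigurations McAfee says go unnoticed.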
Marco Rottigni, Chief Technical Security Officer EMEA at Qualys, added: “Some of the most common cloud database implementations ship with no security or access control as standard at the start.”
As with broader security best practice, asset discovery is the starting point. He notes: “They have to be added on deliberately, which can be easily missed. Spotting those problems, prioritising them, and keeping up to date with cloud best practices can be a massive struggle if you don’t know what assets you have running in the cloud.”
Rapid cloud migrations can also introduce legacy vulnerabilities into your cloud infrastructure from the very beginning, some experts warn. Ezat Dayeh, senior systems engineering manager at Cohesity, notes: “Moving data to the cloud has exposed the issues organisations have with data management and data fragmentation.”
“Poor data management leaves vulnerabilities that can be exposed and exploited by cyber attackers. This could be by way of incorrect file permissions gifting access to attackers hijacking users, malware, or insecure APIs. Wider threats like denial of service and data loss through physical damage to hardware along with human-error issues such as deleting files and directories or leaving databases exposed are still possible in the cloud.”
The Security Risks of Cloud Computing Start With You
When it comes to the security risks of cloud computing, organisations and firms themselves are still one of the biggest risk factors.
Enterprises need to intrinsically understand their own on-premises cloud infrastructure as well as any public or private clouds they are storing data on. Companies operating in Europe are learning that the data protection commissioners will not pull any punches when it comes to GDPR infringements, as recent GDPR rulings that included hefty proposed fines against Marriott and British Airways show.
Gary Marsden, senior director of data protection services at Thales, told us: “Data governance – knowing what your data is and where it’s located – is a good first step towards securing data in the cloud, but businesses should take this further and retain full control and sovereignty over this data.”
“Keeping control over the keys used for encryption is an important step to taking responsibility, while also independently auditing yourself and proving your organisation’s compliance to regulations – something that’s so important in the age of GDPR!”