25% of Public Cloud Users Experienced Data Theft
by Robert Bond
Cloud computing has revolutionized the way that we work. Accessibility to applications, files, and documents is as easy as a click to log in from anywhere. No matter where you are, in the office, a coffee shop, or on a beach, you can continue to work on projects and plans. The cloud has also opened up collaboration in a way that was only dreamt of 15 years ago, with cloud apps that allow teams to work seamlessly together on projects no matter where they reside. According to data from Eurostat, enterprises are choosing the public cloud for three reasons: improved productivity; flexible ‘scale as you go’; and a more business friendly payment plan.
The uses of data in a public cloud by an enterprise is also interesting and point to issues around cloud data security. In a Skyhigh/MacAfee report “Cloud Computing Trends 2017” they found that over 18% of the documents shared in cloud collaboration portals contained sensitive information, including Personally Identifiable Information (PII).
Cloud adoption is being helped by tools such as Dropbox, Google Drive, and Microsoft Office 365 which are designed to offer great usability; Dropbox, for example, has over 500 million users, the reasons for this popularity is ease of use and accessibility for virtually any device.
With 93% of organizations using cloud services and spending 80% of their IT budget on cloud-related projects including migration, we should expect to see even more sensitive data being shared, stored, and collaborated on, in cloud repositories.
But just as every cloud has a silver lining, the cloud in this instance contains several risky problems. As the cloud opens up new opportunities to share and collaborate, it also opens up new cyber-attack vectors and offers new opportunities for theft for cybercriminals. The latest Breach Level Index shows that almost 10 billion data records have been breached since 2013 – with 2.6 billion in 2017 alone. And the earlier mentioned MacAfee report, confirms this fact, by finding an 18%, year on year, increase in cybersecurity incidents that are cloud-based. So, where does this leave us in the tug of war between accessibility/usability and data security risks?
Cloud Security Threats & Issues
Cybersecurity threats can no longer be ignored with the number of cybersecurity incidents doubling in 2017.
This is having a negative impact on the uptake of cloud computing, with 40% of IT leaders stating that implementation of cloud projects had slowed because of lack of security staff.
Keeping data secure in the cloud and reducing security risks is becoming more difficult as cybersecurity threats become more sophisticated. The concerning threats and issues that the connected enterprise are experiencing include:
Ransomware: Ransomware costs are expected to reach $11.5 billion by 2019. Last year, various ransomware variants, including WannaCry and NotPetya created havoc on businesses across the world by not only forcing organizations to pay to get their data unlocked, but also generating costs as IT teams scrambled over weekends to patch systems.
Distributed Denial of Service (DDoS): DDoS attacks are increasing in number and scale as well. The Mirai botnet brought several organizations to their knees in 2016 including significant service providers. The attack exploited vulnerabilities in 100,000s of Internet-enabled IoT devices like CCTV cameras used to flood Dyn webservers.
Phishing, including authentication and exposed credentials: Phishing is behind 91% of cyber attacks, exposing privileged login credentials, resulting in data breaches. Big brand web apps like Dropbox are being targeted by sophisticated social engineering scams, piggy-backing on the trusted brand name to entice users into entering login credentials to spoofed sites in many cases
Web app misconfiguration issues: Security misconfiguration is one of OWASPs Top ten web app security issues. Misconfiguration of security settings in cloud services like Amazon’s S3 cloud storage have resulted in serious data breaches. This was the case for National Credit Federation who had 111GB of sensitive customer data exposed because of a misconfigured AWS S3 cloud storage bucket. The company also stored credit file information from Equifax and Experian in the same repository. A similar S3 misconfiguration issue was behind an NSA and U.S. army data leak.
- Unsecured directories
- Mis-managing privileged access allowing unauthorized people to gain access to sensitive resources
- Insecure applications sitting on a production server – apps outside your control may have vulnerabilities which leave the door open to your server
- Forgetting to change default passwords
- Not patching known vulnerabilities
- Misconfigured firewalls
Challenges on Migrating to the Cloud
Deciding to move some, or all, of your operations to the cloud, is a major consideration and comes with challenges. You need to weigh the risks with the benefits obviously. However, cloud migration services can be used to handle the move to mitigate much of the risk. Certain challenges are key hurdles to cloud uptake and these can be summed up as:
Choosing the right cloud model for your organization: The most common options available when you decide to migrate are:
- Infrastructure-as-a-Service (IaaS) – a one-stop pop-up cloud computing service; for example, AWS, Microsoft Azure, Google Compute.
- Platform-as-a-Service (PaaS) –a development and deployment environment for cloud apps and services; for example, AWS Elastic Beanstalk, Salesforce.com Heroku, Google App Engine.
- Software-as-a-Service (SaaS) – this is a product, like web email, that is deployed via a cloud service provider.
People and change – People tend to not like change, so training is required to get people used to new apps and new ways of working. Some of the cloud apps available, particularly those that have a collaboration element, have user interfaces that may require user education.
In addition, because of the increased attack surface cloud computing presents, security awareness training will also need to be extended.
Bandwidth issues: By definition, a business (generally) will need extra bandwidth to make cloud computing seamless. However, services like AWS offer ways to manage latency and optimize bandwidth.
Downtime and loss of services: This is a worry when using mission-critical apps. No service can truly commit to 100% uptime, although most will offer near that, or compensate if that goal is not met. Dedicated cloud services, like AWS and Azure, will offer service monitoring and will have high availability and redundancy built-in to their SLAs. This minimizes any disruption to a service. A data recovery and backup plan are essential for both cloud and non-cloud-based business operations.
Cloud Security: As we have seen, data security and risk management is a major concern when moving any business process to the cloud. However, there are a variety of mitigating factors that can be put in place to minimize cybersecurity threats, these include:
- Web application firewall (WAF): Use a WAF that is correctly configured to protect web apps against common cyber threats.
- Robust credentials for login: Use of two-factor authentication and risk-based authentication should be considered, especially for privileged access.
- Patch management: Most breaches, at some point, will exploit a software vulnerability. Patches should be prioritized and applied in a timely manner.
- Security awareness for all: All employees need to be cognizant of how phishing can be used to steal login credentials to access cloud-based apps and exfiltrate data.
- Insider protection: Avoid allowing cloud service providers or extended ecosystem partners privileged access to areas where sensitive data is stored.
- DDoS: Choose a cloud service provider that has mitigation of DDoS as part of their offering.
- Device management and control: The devices that are used to access the cloud service/app are a potential weak link. Mobile app risk management, such as app controls, should not be passed over.
5 Steps to a Successful Cloud Migration
Taking your business into the cloud is a positive step towards increased productivity and offers avenues for digital transformation. Following these five steps will help you to move successfully into a cloud environment:
- Assess – Assessment is where migration begins. Why do you want to move to the cloud and what do you want to do using cloud computing? What current applications do you want to move? Having an understanding of your data lifecycle and classifying your data is also important as this will determine security requirements. This intelligence gathering exercise will give you the know-how to make an informed decision about what type of cloud service you need.
- Select – Choosing the right cloud provider depends on what you have uncovered and mapped in the assessment process. Ideally, you need a mature cloud partner, with the right security and privacy policies in place. You will then need to determine the right cloud environment and architecture that most closely suits your needs.
- Plan – This is one of the most important aspects of a good plan and will help to minimize disruption to the business. Plan out which apps will be migrated and when. Remember to add in user training to the plan.
- Secure – Having the correct security in place is an integral part of the planning phase discussed above. Security cuts across all aspects and layers of the cloud computing environment you implement; this includes the device the cloud is accessed from. Your cloud security policy should be based on a risk assessment of the entire environment. Refer to advice on what security measures must be considered before going live with your service.
- Execute – Work out the execution steps in detail. Backing up your data is crucial. Having a test environment with real users before going live allows you to eliminate unforeseen situations. Monitoring of your cloud environment should be part of your overall security strategy.
Crossing the Chasm of Cloud Migration
Cloud computing is a natural evolution of the ubiquitous nature of the Internet. It offers us many benefits, including more global accessibility, productivity improvements, and options to explore digital transformation use cases. However, to be successful in moving business processes and people into a cloud working environment, we need to consider the challenges in migration and the security of using a more open network.
Finding the right provider for your business and using Cloud Migration Services is an important first step as they can help with the heavy lifting of migration and cloud security management. If your organization can cross the chasm of cloud migration you will open up a way of doing business that is freeing for both business and your people.
October 1, 2019