Five cloud security risks your business needs to address

The rise of cloud computing represents a potential bonanza for cybercriminals, who are constantly probing for weak links in defence. Could your firm be doing more to protect itself?

Cloud computing has become a key part of how businesses operate in the West. Research conducted for the European Commission in 2021 found that 41% of EU companies with more than 10 employees were using some form of cloud service, for instance.

But with wider use of the cloud comes a greater likelihood that more things will go wrong. Cybersecurity should therefore be a prime concern for adopters. Here are five key issues that all cloud users would be well advised not to ignore.

1. Ensure that your configurations are… configured

“Misconfigurations remain a top risk for cloud applications and data,” says Paul Bischoff, privacy advocate and editor at Comparitech, a website that rates technologies on their cybersecurity. A misconfiguration happens when an IT team inadvertently leaves the door open for hackers by, say, failing to change a default security setting. This is often down to human error and/or a misunderstanding of how a firm’s systems operate and interact.

If misconfigurations happen on a non-cloud-connected network, they’re self-contained and, potentially, accessible only to those in the physical workplace. But, once your data is in the cloud, “it is subject to someone else’s security. You do not have any direct control or ability to test it,” notes Steven Furnell, professor of cybersecurity at the University of Nottingham. “This means trusting another party’s measures, so look for the appropriate assurances from them rather than making assumptions.”

Bischoff adds that oversights in this respect can “leave data vulnerable to unauthorised parties from the public internet. Attackers frequently scan and find cloud services with common misconfigurations. Comparitech’s ‘honey-pot’ experiments show that attackers can steal data from unprotected servers in a matter of hours. Our security team often finds and discloses exposures that occurred because of misconfigurations.”

2. Mitigate the risks of phishing

According to the government’s latest annual Cyber Security Breaches Survey, 39% of businesses in the UK experienced a cyber attack and/or breach in the year to March 2021. Of those firms, just over a quarter said that they were being targeted at least once a week. 

The most common attack method they reported was phishing, which accounts for four in every five attempted incursions. Phishing occurs when a criminal impersonating a well-known brand contacts people online and tries to fool them into visiting fake websites designed to extract key information from them.

Furnell notes that cloud services have become among the most common phishing lures, because of their ubiquity and importance in business. They are places where users would expect to have to share information, including passwords. 

Education is crucial in tackling phishing, says Furnell, who adds: “A combination of technical measures and interventions to improve user awareness are necessary to provide an effective safeguard.”

There is plenty of room for improvement in the latter area: the government survey found that only 20% of UK firms had used mock phishing exercises to test their employees’ knowledge in the year to March 2021.

3. Limit the amount of data shared to the cloud

It can be tempting for firms to outsource all their data to a cloud service provider. Doing so removes the need to manage data in different locations and eliminates a lot of maintenance hassle. But such convenience comes at a cost. Supply chain attacks – in which cloud providers are probed for weaknesses – are becoming more common.

Big players in the market are investing heavily in their defences. Google Cloud, for instance, recently added a feature called Virtual Machine Threat Detection. This continually scans tenants’ virtual machines for signs of crypto-mining operations, which can covertly hijack the processing power of their computers.

But even the most diligent providers cannot say with certainty that they are 100% invulnerable. For that reason, it’s vital that their clients audit what information they’re willing to share in the cloud. Thinking that the security of any material held in the cloud could be compromised is a useful – if pessimistic – way to approach this issue. 

“Careful attention should be given to the extent and level of access to cloud data and resources that is granted to third parties,” Furnell advises.

4. Keep a lid on the internet of things

Whether you have production lines that are connected to a cloud server for their instructions, a packing operation that monitors stock using cloud-based data or simply a smart fridge in your office kitchen, the threat to business continuity grows as more data is connected to the cloud. 

The internet of things (IoT) has enabled the smoother running of many processes, but it’s worth bearing in mind the risks if you’ve come to rely on the constant availability of a given cloud service, say, or if you’re storing proprietary manufacturing information on hackable servers. 

Don’t be surprised if such data disappears or ends up in the wrong hands, warns Christopher Boyd, lead malware intelligence analyst at Malwarebytes Labs. 

“Basic errors in cloud security will happen throughout 2022,” he says. “With so much IoT data stored in the cloud, there is no limit to what an attacker could do if it managed to compromise services.”

5. Lock up your application programming interfaces

It’s not only the cloud server and the data on it that you need to be concerned about. It’s also the way in which your business interacts with the cloud.

That connection is often brokered through application programming interfaces (APIs). 

“These are often an initial attack vector, if not one of the most critical vectors, in complex attack chains,” says Michael Isbitski, technical evangelist at Salt Security. “Depending on your overall enterprise architecture, the potential security risks are numerous. They include data exposure, privilege escalation, system compromise, lateral movement within networks and the planting of malware or ransomware.”

APIs are a weak link that’s often overlooked. Several of the vulnerabilities identified in Microsoft Exchange Server in the first half of 2021 have been attributed to APIs, according to Isbitski. 

“Attackers regularly plant malicious software by accessing unprotected services via APIs or compromising dependencies and Git repositories that make up software supply chains,” he says. 

To stop the attackers in their tracks, IT professionals must monitor all API calls to and from cloud servers and contextualise them within normal business web traffic.
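
One way to put that last recommendation into practice, as an added example that is not from the article or the people quoted in it: learn which API calls each client normally makes from a window of ordinary traffic, then flag calls that fall outside that pattern. The client names, paths and records are constructed, and the three-times volume threshold is an assumption.

```python
from collections import Counter, defaultdict

def hourly_counts(calls):
    """Count calls per (client, method, path, hour) bucket."""
    return Counter((c["client"], c["method"], c["path"], c["hour"]) for c in calls)

def build_baseline(calls):
    """Per client: the (method, path) pairs seen and the busiest hour for each."""
    baseline = defaultdict(dict)
    for (client, method, path, _hour), n in hourly_counts(calls).items():
        key = (method, path)
        baseline[client][key] = max(baseline[client].get(key, 0), n)
    return baseline

def review_calls(calls, baseline, volume_factor=3):
    """Return sorted (client, method, path, reason) findings for out-of-pattern calls."""
    findings = set()
    for (client, method, path, _hour), n in hourly_counts(calls).items():
        known = baseline.get(client)
        if known is None:
            findings.add((client, method, path, "unknown client"))
        elif (method, path) not in known:
            findings.add((client, method, path, "call not seen in baseline"))
        elif n > volume_factor * known[(method, path)]:  # assumed threshold
            findings.add((client, method, path, "volume above baseline"))
    return sorted(findings)

def call(client, method, path, hour):
    """Build one API call record (hypothetical record shape)."""
    return {"client": client, "method": method, "path": path, "hour": hour}

# Constructed sample records: a window of normal traffic, then traffic to review.
NORMAL = ([call("billing-app", "GET", "/v1/invoices", h) for h in (9, 9, 10, 11)]
          + [call("stock-monitor", "GET", "/v1/stock", h) for h in (9, 10, 10, 10)])
OBSERVED = ([call("billing-app", "GET", "/v1/invoices", 14)] * 2
            + [call("billing-app", "DELETE", "/v1/invoices", 14)]
            + [call("stock-monitor", "GET", "/v1/stock", 2)] * 12
            + [call("unregistered-key", "GET", "/v1/customers", 3)])

if __name__ == "__main__":
    for finding in review_calls(OBSERVED, build_baseline(NORMAL)):
        print(finding)
```

The routine invoice reads pass unflagged, while the new DELETE call, the overnight burst of stock queries and the unrecognised client are each reported with a reason an analyst can follow up.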