What are the security risks of cloud computing?

Nov 09th 2020

What are the security risks of cloud computing?

Cloud computing solutions are becoming increasingly popular within business technology ecosystems as they are resilient, scalable and agile. The nature of cloud computing is complex and there are several important security considerations before committing to a cloud solution. As your business moves to digitally transform your operations, cloud security controls should not be an afterthought to ensure risks can be assessed and managed effectively.

According to Sophos, 70% of organisations hosting data or workloads in the cloud experienced a security incident in the last year. Without effective cloud security controls in place, your organisation’s information may be exposed to an increased risk of compromise.

Accidental and unknown exposure can cause significant challenges for your organisation. Sophos found that security weaknesses caused by misconfigurations were exploited in 66% of attacks. As businesses start to bring new cloud services into operation, the opportunity for misconfiguration increases which in turn increases the organisation’s attack surface. Businesses must develop a comprehensive cloud security strategy that involves the integration of all business areas to ensure cloud security is a priority and shared responsibility is established.

 

What are the major cloud platforms and which should you choose?

Cloud platforms offer your organisation an alternative to building your IT infrastructure in-house. This saves your business the cost of investing in and maintaining systems, technology and applications. There are many companies that offer cloud platforms that support the development and management of your organisation’s IT needs.

     1. Amazon Web Services

Amazon Web Services (AWS) is considered one of the most powerful and flexible cloud solutions. Its Identity Access Management (IAM) capabilities offer a large range of granular user permissions heavily centred on the principle of least privilege. 

     2. Microsoft Azure

Microsoft Azure is a great cloud solution for organisations that predominantly use Microsoft infrastructure and services. Azure is developed to provide flexible integration with Microsoft services such as O365 and Active Directory, enabling organisations to transform and scale existing services to a fast and reliable cloud-based solution.

     3. Google Cloud

Google Cloud offers a multi-layered security infrastructure providing organisations with a wide range of services that they can use to build flexible and reliable cloud-based IT environments. Google Cloud focuses on ensuring consistent performance and management with services including Compute Engine, Cloud Storage and Big Query. 

     4. IBM Cloud

IBM Cloud offers PaaS, SaaS and IaaS solutions. Not all of IBM Cloud’s extensive range of services are cloud-based, some are both virtual and hardware services giving users complete control of their infrastructure. It is fully integrated and manageable within a single environment via the web portal, Application Programming Interface (API) or mobile application.

     5. Oracle Cloud

Oracle Cloud Infrastructure offers two main service solutions including cloud infrastructure and data processing. Oracle’s cloud infrastructure services relate to databases, data management and applications, and data processing includes analytics and insights for big data. A clear difference between Oracle and the other cloud platform providers is that it is more suited to large enterprises rather than small businesses or individuals.

The key to developing effective security across your cloud infrastructure is to integrate it into the planning, design and implementation phases of your cloud transformation program. Regular testing can supplement the cloud security strategy to maintain a strong security posture as cloud resources are modified over time.

Think about issues including availability, connectivity, flexibility and scalability. Identify the risks that are unacceptable to your organisation and those that would not be. The NCSC has created 14 cloud security principles that can help you identify the risks you should be aware of. Your service provider should best protect the security risks that are a priority to your business.

 

What are the risks involved in using the cloud and how can these be managed?

Lack of cloud expertise

A significant risk of cloud computing is a lack of cloud expertise. Oracle found that 75% of IT professionals view the public cloud as more secure than their own on-site infrastructure, but 92% feel that their lack of expertise in cloud security programs is creating a readiness gap.

To properly secure your cloud environment, you must be able to leverage the platform tools, secure and configure the architecture and integrate them with third-party services. This requires experts either employed in-house or via a third-party to ensure you can gain complete visibility of your infrastructure. You must know who has access to your cloud services and be able to maintain a security management strategy across your cloud environment.


Cloud misconfigurations

Gaps in your understanding of cloud security can lead to misconfigurations. Correctly configuring your cloud infrastructure is the responsibility of your organisation, not the cloud provider. One of the main causes of misconfiguration is over-privileged accounts. A report conducted by Oracle found that 33% of organisations reported that cyber criminals gained access to their cloud environments by stealing cloud provider account credentials.

The principle of least privilege means it is important to only grant admin privileges to users that require this access to complete their job functions. Implementing multi-factor authentication on all accounts will make it harder for a malicious actor to gain access via the end-user. Stronger identity measures provide an additional challenge for criminals should your employees’ devices be stolen or lost and their accounts compromised. 


Non-compliance with data regulations

Migrating to the cloud can lead to complex issues with data compliance. Organisations that process sensitive data including Personally Identifiable Information (PII) must comply with data regulations, such as the EU’s General Data Protection Regulations. It is important to identify which data regulations you are subject to depending on where your data is processed; as processing data internationally can have additional challenges for compliance.

Shared responsibility models determine that it is the responsibility of the customer to protect data stored in the cloud, while the cloud provider is responsible for the security of the cloud platform. When using a cloud provider it is important to understand exactly where the data is stored in the cloud, who has access to it and how it is protected in accordance with the relevant data regulations you are subject to.

 

Impact of security risks of cloud computing

Data loss is one of the biggest impacts caused by the security risks of cloud computing. Companies store sensitive data in the cloud including intellectual property and Personally Identifiable Information (PII) that can have serious implications if lost. Cloud platforms offer features to prevent data loss caused by loss of connectivity, outages and data corruption. However, these features must be configured correctly.  Having a backup and disaster recovery plan in place is critical to ensure your data can be recovered if a breach or loss is to occur.

Cloud computing resources are easy and fast to deploy but require knowledge and experience to manage risks effectively. Improving your organisation’s knowledge surrounding cloud services is crucial to fill gaps in the misunderstanding that can compromise your security posture. Cloud services must be configured correctly to secure your infrastructure and prevent data breach or loss from occurring whether it is via the end-user or a malicious actor.

How to secure data in cloud computing
How to maintain security when employees work remo...
How to identify and avoid phishing attacks
What is penetration testing and why is it important?