Key cloud security challenges and how to address them

According to an IT Spending Outlook from Gartner (May 2020), global IT spending will experience a decline of 8% in 2020 due to the impact of COVID-19. However, as the COVID-19 pandemic continues to stimulate remote working, investments in cloud services “will be a bright spot in the forecast, growing 19% in 2020” (Gartner, May 2020). Chances are your organization is already relying on some form of cloud service (Microsoft Azure Platform, Microsoft Office 365, Enterprise Resource Planning systems…). If not, a cloud transformation might be planned or ongoing at this moment. Such a cloud transformation can come with a large number of benefits, such as cost reduction, increased reliability and availability, and the flexibility and interoperability needed to remain competitive amid a fast-changing business environment. Key elements of cloud computing can be categorized based on essential characteristics, service model and deployment model.
Cloud computing continues to transform the way organizations use, store, and share data, applications, and workloads: a cloud solution introduces an IT operating model that presents (new) security threats and challenges and therefore requires a different approach. We refer to the report published by the Cloud Security Alliance (CSA) in 2019 with the top 11 threats to Cloud Computing. The full report can be downloaded via: https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-egregious-eleven. In this article we will highlight and summarize the 7 most important reported threats:

1. Data breaches

A data breach might be the result of unauthorized access to confidential or sensitive information. Due to transfers of large volumes of data, and the risk this data might be intercepted by hackers, a data breach should be considered as a major risk in cloud systems. Key Considerations according to the CSA report:

  • Without an inventory of information assets, organizations cannot know what data they have or how valuable it is. Therefore, organizations should identify their data and assess the impact of a data breach.
  • The organization should adopt an information classification policy to adequately manage information.
  • Encryption techniques can help protect “data in transmission” (between the on-premises environment and the cloud) and “data at rest” (data stored in your systems but not actively used on devices).
  • “Establish a robust (and tested) incident response plan that considers the Cloud Service Provider (CSP) and data privacy laws”.

2. Misconfiguration and inadequate change control

Inadequate configuration of cloud-based assets leads to vulnerabilities that might be exploited. Some common examples include: default credentials and configuration settings left unchanged, unpatched systems, logging or monitoring disabled, and unsecured data storage elements. Inadequate change control is the main cause of misconfiguration in a cloud environment (CSA). Key Considerations according to the CSA report:

  • Organizations should shift from a traditional, and rather static, controls and change management approach to a more agile and proactive change control and remediation.
  • Organizations should pay sufficient attention to automation and apply technologies that scan continuously for misconfigured resources.
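
A sketch of the continuous scan described above, added here as an illustration and not taken from the CSA report or from this article's author. It checks the misconfiguration examples this section names and reports only findings that appeared since the previous scan; the inventory records, field names and 30-day patch threshold are assumptions.

```python
from datetime import date

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold

# Constructed inventory; field names are assumptions, not a provider's API.
INVENTORY = [
    {"id": "vm-web-01", "type": "vm", "password_changed": False,
     "last_patched": date(2020, 1, 10), "logging_enabled": True},
    {"id": "vm-db-01", "type": "vm", "password_changed": True,
     "last_patched": date(2020, 5, 2), "logging_enabled": False},
    {"id": "bucket-exports", "type": "storage", "public_access": True,
     "encrypted_at_rest": False, "logging_enabled": True},
    {"id": "bucket-backups", "type": "storage", "public_access": False,
     "encrypted_at_rest": True, "logging_enabled": True},
]


def check_resource(res, today):
    """Return finding codes for one resource record."""
    findings = []
    if res["type"] == "vm":
        if not res["password_changed"]:
            findings.append("default-credentials")
        if (today - res["last_patched"]).days > MAX_PATCH_AGE_DAYS:
            findings.append("unpatched")
    elif res["type"] == "storage":
        if res["public_access"]:
            findings.append("public-storage")
        if not res["encrypted_at_rest"]:
            findings.append("unencrypted-storage")
    if not res["logging_enabled"]:
        findings.append("logging-disabled")
    return findings


def scan(inventory, today):
    """Map resource id -> findings, omitting clean resources."""
    results = ((r["id"], check_resource(r, today)) for r in inventory)
    return {rid: f for rid, f in results if f}


def regressions(previous, current):
    """Findings in the current scan that the previous scan did not have."""
    new = {rid: sorted(set(f) - set(previous.get(rid, []))) for rid, f in current.items()}
    return {rid: f for rid, f in new.items() if f}


if __name__ == "__main__":
    for rid, found in scan(INVENTORY, date(2020, 5, 20)).items():
        print(rid, ", ".join(found))
```

Running `regressions` against the stored result of the last scan ties each new finding to the change window in which it was introduced, which is where change control should pick it up.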

3. Lack of Cloud Security Architecture and Strategy

The focus on functionality and speed of migration might lead to an inadequate security architecture and cloud strategy. As a consequence, organizations are more vulnerable to cyber-attacks. Key Considerations according to the CSA report:

  • Develop and implement a security architecture and cloud security strategy.
  • The security architecture needs to be aligned with your business goals and objectives.
  • Ensure you clearly understand the shared security responsibility model.
  • Continuously identify and assess threats and vulnerabilities to mitigate attacks and protect your IT resources.
  • Leverage cloud native tools to increase visibility in cloud environments to minimize risk and cost.

4. Insufficient Identity, Credential, Access and Key Management

Identity and access management (IAM) doesn’t necessarily bring new issues in a cloud environment. Rather, existing issues become more significant due to their potential impact. Identity, credential, and access management systems include tools and policies that allow organizations to manage, monitor, and secure access to valuable resources. Key Considerations according to the CSA report:

  • Secure your accounts, apply two-factor authentication and limit the use of root accounts.
  • Segregate and segment your accounts, virtual private clouds (VPCs) and identity groups based on business needs and the principle of least privilege.
  • Secure (encryption) keys properly, remove unused credentials and privileges, and employ central and programmatic key management.
  • Identity management systems must support immediate de-provisioning of access to resources with personnel changes. Such identity management lifecycle processes should be integrated and automated within the cloud environments.
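
An automated check for the considerations above, added here as an illustration and not taken from the CSA report or from this article's author. It flags accounts without two-factor authentication, use of root access keys, unused credentials, and accounts that survived a personnel change; the credential report columns, the HR roster and the 90-day threshold are assumptions.

```python
from datetime import date

STALE_AFTER_DAYS = 90  # assumed policy threshold

# Constructed credential report; column names are assumptions.
CREDENTIALS = [
    {"user": "root", "is_root": True, "mfa": False, "key_last_used": date(2020, 5, 18)},
    {"user": "alice", "is_root": False, "mfa": True, "key_last_used": date(2020, 5, 19)},
    {"user": "bob", "is_root": False, "mfa": True, "key_last_used": date(2019, 11, 3)},
    {"user": "carol", "is_root": False, "mfa": False, "key_last_used": None},
    {"user": "dave", "is_root": False, "mfa": True, "key_last_used": date(2020, 5, 1)},
]
ACTIVE_STAFF = {"alice", "bob", "carol"}  # constructed HR roster of current personnel


def audit(credentials, active_staff, today):
    """Return (user, finding) pairs for credentials that violate the policy."""
    findings = []
    for c in credentials:
        user, last_used = c["user"], c["key_last_used"]
        if not c["mfa"]:
            findings.append((user, "no-mfa"))
        if c["is_root"]:
            # Root should have no routinely used access key.
            if last_used is not None:
                findings.append((user, "root-key-in-use"))
            continue  # root is not tied to a person; skip lifecycle checks
        if user not in active_staff:
            # Account outlived the personnel change: de-provisioning failed.
            findings.append((user, "not-deprovisioned"))
        elif last_used is None or (today - last_used).days > STALE_AFTER_DAYS:
            findings.append((user, "unused-credential"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(CREDENTIALS, ACTIVE_STAFF, date(2020, 5, 20)):
        print(f"{user}: {finding}")
```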

5. Account Hijacking

Phishing attacks, exploitation of cloud-based systems, or stolen credentials can compromise privileged or sensitive accounts in your cloud environment. Therefore, account hijacking is a serious threat which can result in, for example, data loss and compromised operations. Key Considerations according to the CSA report:

  • Organizations should create sufficient awareness of these threats.
  • Defense-in-depth and identity and access management (IAM) controls are key in mitigating account hijacking.

6. Insider Threat

CERT defines an insider threat as “the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization”. “Insiders can be current or former employees, contractors, or other third parties with the possibility to access the networks, computer systems, and sensitive company data”. Key Considerations according to the CSA report:

  • Provide training to your employees to inform them how to deal with major security risks (e.g. phishing) and how to protect confidential data.
  • “Provide training to your security teams to properly install, configure, and monitor your computer systems, networks, mobile devices, and backup devices”.
  • “Periodically audit servers and correct any deviation from the secure baseline set across the organization”.
  • Privileged access should be limited to a minimum number of employees. Access to your computer servers needs to be monitored.

7. User Interfaces (UIs) and Application Programming Interfaces (APIs)

Organizations will use interfaces or APIs when devices or other services communicate with the cloud services. Interfaces or APIs can be used by users within the organization or by clients, for example via a web application. If the API is not secured well enough, an unauthorized user may gain access to confidential information. Key Considerations according to the CSA report:

  • Practice good “API hygiene”. Good practice includes diligent oversight of items such as inventory, testing, auditing, and abnormal activity protections.
  • Ensure proper protection of API keys and avoid reuse.
  • Consider using standard and open API frameworks and Cloud Infrastructure Management Interface (CIMI).
  • Apply Transport Layer Security (TLS) encryption to secure data transmission.

References:
[1] https://www.gartner.com/en/newsroom/press-releases/2020-05-13-gartner-says-global-it-spending-to-decline-8-percent-in-2020-due-to-impact-of-covid19
[2] https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-egregious-eleven
[3] ISACA, The Art of Cloud Auditing, 11 December 2019


Your expert

Gorik Van den Bergh