August 25


Has your organization adequately considered security as part of the push to the cloud?

By 2025, 80% of organizations are expected to migrate toward the cloud, and cloud initiatives are predicted to make up almost 3/4 of all tech spending this year.

Security with regard to the cloud is often an afterthought, and the risks are often hard to evaluate. "Cloud" covers many deployment models—hybrid or multi-cloud, private or public—each of which presents unique challenges and risks. More than half of organizations have no systems in place for securing, monitoring and managing cloud applications. Security that worked well in traditional data centers may not apply to the cloud.

An additional complication is that security is now a shared responsibility between the cloud vendor and the customer. The three major Cloud Service Providers (CSPs) make their positions publicly available:

Cloud computing does not necessarily lessen security risks, as the zero-trust separation/segmentation may not be possible on shared cloud resources. Hijacking of accounts presents new opportunities in the cloud. There are also new threats such as the Man in the Cloud Attack (MITC), which involves theft of the user tokens that cloud platforms use to verify devices without requiring logins during updates and syncs.

People remain one of the biggest security risks for organizations, whether they are inside or outside your organization. Well-intentioned but inept, unaware or untrained users, as well as malicious individuals, are potential threat agents. Social Engineering and Phishing threats are still prevalent.

Threats include: 

  • Unauthorized access
  • Misuse by authorized users
  • Disclosure to unauthorized users, competitors, or general public
  • Modification

Sensitive Data Exposure, Broken Authentication, Broken Access Control, Security Misconfiguration, Using Components with Known Vulnerabilities, and Insufficient Logging and Monitoring are among the OWASP Top 10 Web Application Security Risks. In 2020, 99% of abused vulnerabilities had been known to IT and security professionals for at least a year.

Christopher Emerson of White Oak Security notes that the biggest issues with cloud-based engagements align with the following:

Failure of an organization to exhibit due diligence in managing data, especially financial, healthcare and Personally Identifiable Information (PII), can be costly.

A 2019 study noted that the cost of data breaches had increased 12% over the last 5 years and now costs a business on average $3.92 million. Another estimated that the average cost may be in excess of $150 million due to “increased regulation, the long-term financial impact of breaches, and the complex process of resolving the attacks.”

OWASP notes that most breach studies show the average time to detect a breach is 200 days, and that breaches are usually brought to attention by external parties rather than by internal processes/monitoring.

Other research concluded that, due to the unique characteristics of the cloud, businesses that utilize it are three times more vulnerable to data breaches. 93% of security professionals are concerned about human error causing cloud data exposure, 76% “have difficulty maintaining security configurations in the cloud,” and 37% say that cloud risk management capabilities are worse.

Due to environment complexity and the rate of technological change, organizations often have difficulty assessing their overall cloud security posture in real time, despite making security a top area for improvement and adopting Center for Internet Security (CIS) or National Institute of Standards and Technology (NIST) frameworks. Cloud compliance will be further complicated by the introduction of the General Data Protection Regulation (GDPR), with few organizations understanding its impact.

Christopher Emerson notes that his firm has additional tools and techniques that can be leveraged when conducting Traditional Penetration Tests due to the opportunities the cloud environment presents. Additionally, Account Configuration Reviews are valuable, as they “enumerate security configurations, identify common misconfigurations, and communicate any identified security gaps. This includes reviewing [Identity and Access Management] IAM policies, secrets/key management, computer images, storage/databases network/[Virtual Public Cloud] VPC and even monitoring configurations.”

Automation and tools can help organizations with security enforcement, but hackers are also leveraging automation, and internal IT staff often lack sufficient knowledge or expertise in utilizing built-in security controls or intermediary software such as a Cloud Access Security Broker (CASB). Common risks include misconfigured software and insecure APIs/interfaces. Organizations also have an ever-increasing number of Internet of Things (IoT) devices in their environment footprint that are often unmanaged and offer little visibility.

The COVID-19 pandemic has also brought some unique risks and challenges to organizations, with 64% of workers now working remotely, a 148% increase according to one study:

  • 161% increase of Risky Applications and Websites
  • 97% increase for personal use of managed devices
  • 80% increase in collaboration apps
  • Cloud-based malware delivery (vs. web) increased 63%

Attackers are also adopting the cloud, with phishing and malware delivery prevalent; the most popular cloud apps continue to be targets for abuse:

  • Microsoft Office 365 OneDrive for Business (malware and phishing)
  • Microsoft Live Outlook (phishing)
  • Microsoft SharePoint (malware)
  • Box (malware)
  • Google Drive (malware)
  • Amazon S3 (malware)
  • Blogger (phishing)
  • AOL Mail (phishing)
  • Facebook (phishing)

The number of cloud apps used in the average enterprise increased 2%, “7% of all users uploaded sensitive corporate data to personal instances of cloud apps and 33% of users transfer data between apps.”

Cloud Security Best Practices

  • Classify & audit data
  • Set and enforce security policies consistently
  • Employ strong encryption for data at rest and in transit, and protect keys
  • Implement strong authentication and access controls, such as:
    • Multi-factor authentication (MFA)
    • Single Sign On (SSO)
    • Virtual Private Networks (VPNs)
  • Cloud Data Loss Prevention (DLP)
  • Zero-trust network access by default
  • Continuous security assessments:
    • Misconfigurations
    • Defaults
    • Vulnerability Scans
    • Third-party vendor audits (legal contract reviews), dedicated hardware or network segmentation
    • Third-party risk assessments or penetration tests
    • Mapping controls for internal to cloud infrastructure
  • Human Resources/Staff:
    • Continuous security training on risks and prevention with timely coaching and monitoring of behavior changes over time
    • Mandatory Vacations
    • Job Rotation
    • Separation of Duties
    • Need to Know
    • Least Privilege
    • Review access whenever an employee’s status changes—leaves or changes roles
    • Provide adequate training on the software/hardware/systems your organization uses to IT staff and end-users.
    • Monitor usage and set guidelines of what employees can host in the cloud. The Cloud Security Alliance has some guidelines.
    • Background Checks
  • Realtime monitoring/logging/prevention/auditing/reporting/alerting:
    • Network Intrusion Prevention Systems (NIPS)
    • Anti-Virus/Anti-Malware
    • Behavior or Anomaly based systems
  • Infrastructure:
    • Harden systems—disable unneeded services/ports, change defaults settings which are often insecure
    • Keep hardware/software current—implement a patching schedule
    • Review cloud providers' High Availability/Disaster Recovery (HA/DR) capabilities as well as data backup procedures
    • Maintain accurate hardware inventory, including IoT/smart devices.
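The Account Configuration Review quoted above and the continuous-assessment items in this list both turn on spotting misconfigured, over-permissive IAM policies. As an added example (not the article's or White Oak Security's code), the Python below audits a constructed IAM-style policy document for least-privilege violations; the policy content and finding codes are assumptions for illustration.

```python
"""Flag overly permissive statements in an IAM-style policy document.

Added example, not from the original article: a minimal check of the kind
an Account Configuration Review performs when looking for least-privilege
violations. SAMPLE_POLICY is constructed input in the AWS IAM JSON layout;
the finding codes are this example's own names.
"""
import json

# Constructed sample policy: one properly scoped statement and two risky ones.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "iam:*"],
         "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return (statement_index, finding) pairs for Allow statements that grant
    wildcard actions, wildcard resources, or admin-level IAM rights."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only restrict; they are not findings
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((idx, "WILDCARD_ACTION"))
        if any(a.startswith("iam:") and a.endswith("*") for a in actions):
            findings.append((idx, "IAM_ADMIN_ACTION"))
        if "*" in resources:
            findings.append((idx, "UNSCOPED_RESOURCE"))
    return findings


if __name__ == "__main__":
    for idx, finding in audit_policy(SAMPLE_POLICY):
        print(f"statement {idx}: {finding}")
```

A real review would run this over every policy attached to users, groups and roles and treat each finding as a candidate for scoping down.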

Organizations need to practice defense in depth—physical, technical and administrative—adopt as many best practices as feasible and think of security holistically. Cloud security has some unique risks and challenges; companies need strategies and frameworks to effectively manage their enterprise and be good stewards of the data they are entrusted with.

About Allari

Allari implements customized service plans for IT Operations & Cyber-security which allow you to complete a higher volume of planned work, gain the capacity to innovate and help your business to win.


About the author

Tom Atwood

CISSP, ITIL, PMP, ORACLE Certified Specialist. Helping companies manage and implement new technology (IT Managed Services, Cloud, Security, New Products).