Top Cloud Security Threats – Part 2
Last week, we looked at 5 of the top cloud security threats. This week, we continue the list, as well as take a brief dive into the topic of who is responsible for cloud security.
User access to data is based on permissions. Account hijacking is a real threat and can be particularly devastating if the account credentials stolen were those of someone with access to sensitive data. How do hackers hijack accounts, or, even, get their hands on login credentials?
Social engineering, for one, is a lucrative tactic that remains a huge problem in cybersecurity across organizations, as it taps into the human element of the security chain. (The Ghostnet operation mentioned in Part 1 is one example of social engineering via targeted phishing emails.)
A couple years ago, I wrote about my own experience with two social engineers, both claiming to work for AT&T. Had I confirmed my address and/or given them my passcode, they could have easily made changes to my account, added phone lines, etc.
Malicious insiders can be a difficult threat to prevent, regardless of the network environment (e.g. physical or cloud). According to the 2018 Verizon Data Breach Incident’s Report, 28% of data breaches involved insiders; however, not all insiders are intentionally malicious. Verizon found that 17% of breaches were because of human error, whether clicking on a malicious link, improperly disposing of sensitive documents/data, or being a social engineering target and unintentionally offering up information.
Regardless of how often we are told to back-up our data, data loss happens and can be a serious threat in cloud environments. Data loss could be a result of a malicious attack, or even purely accidental. Forrester Research released a report that discussed the 6 leading causes of data loss in the cloud:
- Accidental Deletion
- Departing Employees
- Malicious Insiders
- Rogue Applications
- SaaS (Software-as-a-Service) Providers’ Prolonged Outage
Accidental deletion is, by far, the most common. For instance, in 2011, the Alzheimer’s Association had an employee leave their organization. Prior to doing so, the employee deleted their emails. While he/she may have merely wanted to delete all personal emails, some of the deleted emails contained important information regarding an upcoming fundraiser.
Insufficient Due Diligence
Technology is constantly evolving and, in turn, so is cybersecurity (and, subsequently, cybersecurity strategies). When protecting your cloud infrastructure is at stake, insufficient due diligence can present a serious security issue. This includes, but is not limited to, reviewing contracts with third party vendors (i.e. What steps are they taking to ensure that their cloud offering is secure?), identifying what you are doing to ensure your own cybersecurity, defining and implementing processes for incident response, as well as when employees are hired or leave the company, cybersecurity training, etc.
Who is Responsible for What?
One of the biggest challenges when it comes to cloud security is determining who is responsible for what part of the cloud. After all, the cloud is a shared responsibility between cloud provider and customer. Amazon Web Service’s (AWS) illustrated their Shared Responsibility Model in the image below. Simply put, AWS is responsible for the security OF the cloud, while customers are responsible for security in the cloud.
As with anything, there is a learning curve and cloud security isn’t any different. While the threats are similar to those affecting traditionally deployed networks, the cloud magnifies the threat and risk factors, and is a stark reminder of the importance of approaching the cloud with security top of mind.