The main security challenges when adopting cloud services
The popularity of cloud services has increased exponentially in recent years. The prospects of saving on capital and operational expenditures have been significant driving forces in influencing companies to adopt cloud services. Scalability and elasticity are also key drivers that encourage companies to move to the cloud. However, moving to the cloud comes with a lot of challenges. Security is a big concern for organizations that want to migrate to the cloud.
Data Security
An organization’s data is among its most valuable assets. Therefore, data security plays a large part for many organizations when moving to the cloud. Cloud Service Providers (CSPs) keep the exact location of their data centers secret. While this is a recognized best practice in physical security, many potential customers are uncomfortable with storing data in the cloud because of the fear of not knowing the location of their data.
Data sovereignty also plays a big part in this. Organizations want to avoid legal complications that could potentially make their data inaccessible to them. Compliance with regulations like GDPR is also a key concern for organizations. Violation of GDPR can attract heavy financial penalties, which most organizations want to avoid. There are many other regulations whose violation is equally expensive. For this reason, many organizations prefer storing sensitive data, such as data containing Personally Identifiable Information (PII), on premises.
Data Loss Prevention (DLP) systems are critical to an organization. Accidental data deletion might occur from the organization’s side. The Service-level Agreement (SLA) might dictate that the CSP should facilitate the restoration of systems and information when such incidents occur. If the CSP cannot fulfill the SLA, the customer could incur heavy losses. Organizations also want to be assured of the security of their backups. In case of data loss or data corruption, organizations would want data to be restored within their Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
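The following is an added example, not part of the original article, showing how the two recovery objectives are measured for a single incident: the recovery point objective bounds how much data may be lost, and the recovery time objective bounds how long the service may be down. The function names, timestamps and objective values are constructed for illustration.

```python
from datetime import datetime, timedelta

def worst_backup_gap(backups):
    """Longest interval between consecutive successful backups: the worst-case
    data-loss window the schedule actually delivered."""
    ts = sorted(backups)
    return max((b - a for a, b in zip(ts, ts[1:])), default=timedelta(0))

def assess_incident(backups, incident_at, restored_at, rpo, rto):
    """Measure one incident against the objectives.

    data_loss: time between the last successful backup taken at or before the
               incident and the incident itself (compared with the RPO).
    downtime:  time from the incident until service was restored (compared
               with the RTO).
    """
    # Backups taken after the incident may already contain deleted or
    # corrupted data, so they do not count as a recovery point.
    usable = [t for t in backups if t <= incident_at]
    data_loss = incident_at - max(usable) if usable else None
    downtime = restored_at - incident_at
    return {
        "data_loss": data_loss,
        "downtime": downtime,
        "rpo_met": data_loss is not None and data_loss <= rpo,
        "rto_met": downtime <= rto,
    }

# Constructed sample: 6-hourly backups where the 18:00 job failed silently.
BACKUPS = [datetime(2024, 1, 1, 0), datetime(2024, 1, 1, 6),
           datetime(2024, 1, 1, 12), datetime(2024, 1, 2, 0)]
INCIDENT = datetime(2024, 1, 1, 23, 30)   # accidental deletion
RESTORED = datetime(2024, 1, 2, 1, 30)    # service back online
RPO = timedelta(hours=6)                  # assumed objective
RTO = timedelta(hours=4)                  # assumed objective

def run_sample():
    return assess_incident(BACKUPS, INCIDENT, RESTORED, RPO, RTO)

if __name__ == "__main__":
    result = run_sample()
    print("worst gap between backups:", worst_backup_gap(BACKUPS))
    for key, value in result.items():
        print(f"{key}: {value}")
```

In this sample the service is restored well inside the RTO, yet the RPO is missed because one failed backup job doubled the gap between recovery points.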
Multi-Cloud Risks
Many companies use software and services from different vendors for different use cases. When such companies decide to move to the cloud, sometimes the use cases compel them to adopt a multi-cloud model. According to a 2021 survey by Tripwire, 98% of security professionals working in multi-cloud environments said the model increases security risks. Respondents to the same survey indicated that it is hard to find cloud security professionals who are experts in all the cloud environments operated by the different CSPs.
This possibility of increased risks due to adopting a multi-cloud model leads organizations to compromise on some of the benefits of the cloud by sticking with one CSP. Organizations with a low risk appetite will not take chances by choosing a multi-cloud provider option. Companies with a relatively higher risk appetite consider the benefits, and accept the risk.
Performing Due Diligence
Choosing one CSP over another is not always an easy decision. Some vendors might make it hard for an organization to migrate to another vendor. Organizations must perform adequate research before picking a CSP to make sure they understand the terms and conditions of using the cloud services of that particular CSP.
Failure of due diligence could also frustrate incident response efforts in the case of an attack. Most CSPs operate with a shared responsibility model when it comes to handling security in the cloud. It is paramount for cloud customers to understand their roles and the roles of the CSP in the model. Cyberattacks are inevitable, and proper incident response plans must be in place. Cloud customers have to make sure the provider they pick can effectively support incident response efforts.
Shared technology vulnerabilities are also an important due diligence consideration.
When evaluating a public cloud option, a customer must understand that the public cloud uses multitenancy for cost-effectiveness. Cloud consumers must also ensure that the CSP uses a defense-in-depth approach to protect each customer’s workload. A lack of layered security would allow an attacker to compromise other customers after successfully attacking one customer.
Cloud Attacks
Denial of Service Attacks
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks can paralyze business operations. Organizations running critical services in the cloud could be severely affected by such an attack. Organizations must be keen on eliminating single points of failure while provisioning workloads to minimize the risk of DoS attacks.
Insecure APIs
Most cloud administration tasks are executed through Application Programming Interface (API) calls. These tasks include provisioning, management, orchestration, and monitoring of workloads. The importance of secure APIs cannot be overstated, as the security and availability of general cloud services rely on these APIs. Lack of effective authentication, access control and monitoring of the APIs can cause massive breaches and disastrous attacks.
Natural Disasters
A natural disaster, while not an attack, is still a service-disrupting event. If an act of nature destroys a CSP’s data centers, the disruption to the businesses using those data centers is monumental. CSPs have high redundancy for their data centers, but the risk is always there.
Conclusion
Moving to the cloud is an important business decision and should not be undertaken without first fully understanding the risk implications. However, as many organizations that have either migrated to the cloud or been conceived entirely in the cloud have shown, the cloud, when carefully considered, can be a magnificent business enabler.
About the Author: Stefan Mutinda is a Security+ certified cybersecurity analyst. He has specialized in security operations, governance, risk management and compliance.
Twitter: @stefan_mutinda
LinkedIn: Stefan Mutinda
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.