Did you know? An average company uses nearly 1,000 cloud applications.
Often, employees sign up for these apps themselves as a way to do their jobs more efficiently, without the knowledge or authorization of the IT team.
This practice is likely to be more prevalent in smaller firms that do not have dedicated IT teams.
Small businesses are quick to adopt cloud technologies, but they often do so without considering the security challenges of storing their data in the cloud. These small businesses are blindly trusting their cloud providers and cloud applications, blissfully unaware of how their data is stored, secured, or used.
Small businesses that sign up for cloud services without understanding the terms and without additional security measures, such as encryption or backup, are putting themselves at a significantly higher risk of data loss, cyberattacks, and noncompliance penalties.
In this article, we cover the major security risks of cloud computing, the actions businesses take that make them vulnerable to cloud-computing risks, and steps that you can take to improve your defenses.
What is cloud computing?
Cloud computing refers to the delivery of computing services over the internet—e.g., software applications, networks, storage, servers.
Unlike traditional systems—where you host your data, servers, and applications on premises—in cloud computing, cloud service providers (CSPs) host your data in their data centers, which are maintained at a different location. You can then access this data using the internet.
Benefits of cloud computing include:
- Savings on IT equipment costs
- Scalable storage space
- Subscription payment model by which you pay for only what you use
You also get assistance from experienced professionals to manage IT operations, saving you from needing a full-fledged IT team to install and maintain systems. At the same time, cloud computing also increases security risks because you’re storing your data in a data center that is shared with other businesses. You have no control over, and little visibility into, how the data center is managed and how and where your data is stored.
5 biggest risks you’re taking with cloud-computing security
In this section we discuss some of the major cloud-computing risks that affect businesses across the globe.
1. Data loss
Data loss is an event where information is either temporarily unavailable or permanently lost or destroyed. This can occur through accidental deletion, overwriting, or malicious actions by users or external hackers who purposely delete data.
EXAMPLE: Code Spaces was a company that offered source code and project management services to developers. It was built mostly on Amazon Web Services (AWS) using server and storage instances. In June 2014, a hacker gained access to the company’s AWS control panel and demanded ransom payment. When Code Spaces didn’t comply, the hacker deleted important files including EBS snapshots, S3 buckets, and more. Code Spaces was forced to shut down.
Though cloud service providers have improved their security controls in the last few years, ransomware attacks, such as the one described above, have also grown stronger and have doubled year-over-year, leaving businesses vulnerable.
Adding to the risk is the fact that it may not always be hackers who cause data loss. Human error at the CSP’s site can also result in client data loss, as seen in this Cisco example. An error in policy updates at Cisco’s North American object storage service in August 2017 resulted in the deletion of all data that was uploaded prior to 11:20 am on that day. Small businesses without data backup or data restoration policies in place are hit hardest in such cases.
- Ensure that you sign service level agreements with cloud service providers on data restoration, data backup, and failover.
- Take additional measures on your end to secure critical data by backing it up on disks or on a different cloud service. Implement other cloud security and data loss prevention technologies, as well.
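The Code Spaces incident above is exactly the pattern a defender wants to catch while it is still unfolding: one identity issuing a burst of successful snapshot and bucket deletions. The following is an added example, not code from the original article, that runs that check over constructed CloudTrail-style records; the field names follow CloudTrail's JSON schema, while the account id, principals, timestamps, threshold and window are made-up values to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Successful calls that remove a recovery point; real CloudTrail eventName values.
DESTRUCTIVE = {"DeleteSnapshot", "DeleteBucket", "DeleteDBSnapshot"}

ROOT = "arn:aws:iam::111122223333:root"      # constructed account id and principals
OPS = "arn:aws:iam::111122223333:user/ops"


def record(time, name, arn, error=None):
    """One CloudTrail-shaped record; errorCode is present only when the call failed."""
    rec = {"eventTime": time, "eventName": name, "userIdentity": {"arn": arn}}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample: one routine deletion by an operator, then a root console
# session that deletes several recovery points within a few minutes.
EVENTS = [
    record("2014-06-17T21:00:00Z", "DeleteSnapshot", OPS),
    record("2014-06-17T21:30:00Z", "ConsoleLogin", ROOT),  # not destructive
    record("2014-06-17T21:31:05Z", "DeleteSnapshot", ROOT),
    record("2014-06-17T21:31:40Z", "DeleteSnapshot", ROOT),
    record("2014-06-17T21:32:10Z", "DeleteSnapshot", ROOT),
    record("2014-06-17T21:33:00Z", "DeleteBucket", ROOT),
    record("2014-06-17T21:34:00Z", "DeleteBucket", ROOT, "AccessDenied"),  # nothing lost
]


def find_destructive_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {actor_arn: count} for actors with at least `threshold` successful
    destructive calls inside some sliding window of length `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["eventName"] in DESTRUCTIVE and "errorCode" not in ev:
            stamp = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_actor[ev["userIdentity"]["arn"]].append(stamp)
    alerts = {}
    for arn, times in by_actor.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # two-pointer window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[arn] = best
    return alerts
```

The denied DeleteBucket call is deliberately excluded because no recovery point was lost; a stricter variant would count attempts as well, since a root session that is repeatedly denied is itself worth an alert.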
2. Regulatory noncompliance
According to a survey of 177 global IT organizations that was conducted in the months leading up to the GDPR deadline, only 12 percent of organizations understood how the policy would affect cloud services.
Smaller organizations generally do not have a dedicated legal counsel, which can make it more difficult to decipher which specific terms and conditions they have to meet for GDPR compliance. They will be forced to rely heavily on cloud service providers to do this for them.
Other regulations, such as HIPAA, also require you to ensure the security and privacy of certain client information. If you are relying on a cloud service provider for data storage, you must ensure that your CSP adheres to the required data security norms.
EXAMPLE: The staff at St. Elizabeth’s Medical Center, a hospital in Massachusetts, used a cloud-based file-sharing app for storing patient health information. A data breach leaked ePHI (electronic protected health information) data from more than 500 patients from the cloud-based application, and the hospital was fined $218,400 for violating security breach notifications and data privacy rules under HIPAA. It was also instructed by the regulatory body to put corrective security measures in place.
Many regulations, such as HIPAA, make the CSP, as well as the business, liable. In some other cases, only the business will be penalized for noncompliance.
- Partner only with established cloud service providers that are compliant with all important regulations and standards, such as SOC 2 and ISO 27001.
- Conduct risk assessments before migrating to cloud services and use cloud access security brokers (CASBs) as an additional security layer.
- Educate and train your employees about best practices for using SaaS applications and the need to maintain compliance.
3. Denial of service
Public clouds are usually multitenant, i.e., there are many organizations sharing space on the same cloud.
Attacks on the resources used by one or more of the other tenants can affect your operations as well. Attackers may hit the entire network and cause downtime to several clients, depending on the bandwidth available. This can frustrate your clients as well as stall your regular operations.
EXAMPLE: Hackers targeted Portland-based cloud computing company Cedexis in May 2017 in an attack that caused widespread outages across Cedexis’ infrastructure. Many French media outlets that used Cedexis services, including Le Monde and Le Figaro, were impacted. Their customers faced downtime because of the denial of service attack on Cedexis’ cloud.
- Check whether your CSP is capable of scaling up bandwidth to withstand DDoS attacks. Also, ask whether they have scrubbing centers to cleanse and filter malicious traffic.
- Ask your cloud provider about the possibility of restoring cached data in the event of a DDoS attack to reduce downtime.
- Implement disaster recovery and business continuity plans to restore normal operations more quickly.
4. Compromised accounts and data breaches
Hackers stealing account credentials to gain access to your cloud applications and systems is one of the most common risks associated with cloud computing.
Organizations, on average, experience 12.2 compromised account incidents each month, where unauthorized third-party agents exploit stolen user credentials to gain access to corporate data stored in a public cloud service. Eighty percent of organizations are affected by this risk every month.
EXAMPLE: Cybercriminals stole personal data (including the residential addresses and earnings) of 3 million customers of the media and entertainment company WWE (World Wrestling Entertainment). Hackers gained access to the data after targeting a database left unsecured on the Amazon cloud server.
- Shadow IT and BYOD (bring your own device) practices often lead to data breaches. Strengthen data security by installing anti-malware, encryption, authentication, and data protection software on the personal devices that employees use for work.
- Educate employees about the need to keep their manager and IT lead in the loop when using any new applications other than those specified or provided by the IT team.
- Check terms and conditions as well as security features offered by CSPs and SaaS providers to ensure data privacy.
5. Insider attacks
Insider threats include intentional or unintentional behavior by employees that results in exposing or sharing of sensitive data.
This includes mistakenly sharing files with confidential information (like employee social security numbers) with a larger unauthorized group and using inappropriate sharing controls.
Ninety-four percent of all organizations experience at least one insider threat incident every month.
EXAMPLE: Data thefts are most common when people jump ship. For example, a salesperson leaving the company for a competitor can easily download customer data from a cloud CRM application. Cloud data thefts such as this are more difficult to detect than the theft of hard-copy documents, for example.
- Improve access controls using tools such as multifactor authentication and authorization to ensure that only the right people have access to your data.
- Use computer-based security awareness training courses and employee agreements to prevent intentional or unintentional sharing of confidential data.
Common practices that make your business vulnerable to cloud risks
Wrongly implemented business policies can result in increased vulnerability to cloud-computing risks. Careless behavior by your employees can also leave you vulnerable to some of the risks discussed above.
Some of the vulnerabilities in your organization include:
One of the main causes of increased cloud-computing risks is the tendency of employees and managers to bypass the IT team and download third-party applications. The growth in the number of SaaS applications that help you carry out miscellaneous tasks—convert JPEG files into PDF, record and edit video files, instant messaging, etc.—results in employees signing up for and using these programs without taking the necessary precautions.
Often, sensitive files are uploaded to unknown cloud servers simply to convert them into different file types. Though these uploads go undetected most of the time, a single instance of confidential company information surfacing in public or landing in the hands of a competitor can damage business reputation forever.
Fifty-nine percent of organizations today allow their employees to bring their own devices to work, a concept called BYOD. While it helps businesses save money on IT equipment, it also increases security risks.
Employees might use unapproved SaaS applications from their personal devices. They may also use personal and official cloud storage applications side-by-side, increasing the risk of confidential data getting posted in a personal space. BYOD policies make it difficult to track employees’ use of business data on their personal devices. Stolen, lost, or misused devices can also result in business data getting breached.
Have you signed up for a service provider without reading and understanding their terms and conditions or without signing up for a legal contract? Are you aware of any data portability clauses, disaster recovery expectations, up-time availability, and dispute mediation processes offered by the provider?
If not, you’re not alone. Many small businesses sign up for cloud providers without asking for a robust service level agreement (SLA).
SLAs should not be made up of incomprehensible legal language; look for terms that guarantee a specified level of performance by the CSP. Understanding the extent of security features, e.g., encryption and data loss prevention, offered by the vendor along with the technical and business features—up-time, resilience, etc.—will help to ensure that your data in the cloud is secured.
While employees often take care to secure their hard paper files and thumb drives, they tend to be lax with cloud data-security controls. This is likely because they lack visibility into where or how it is stored.
Employees often share passwords for cloud accounts, which increases the risk for data breaches and data losses. According to one report, an average employee will share six passwords with their co-workers. Fifty-four percent of small and midsize businesses see negligent employees as the root cause of data breaches.
Recommended actions: Steps your business must take to address cloud risks
Securing your data stored in a public cloud is the shared responsibility of both you and your service provider.
But, according to Gartner, through 2022, 95 percent of cloud security failures will be the customer’s fault. To safeguard yourself against cloud-computing risks, you must supplement your CSP’s security measures with additional security tools discussed below as well as educate your employees on security hygiene.
Additional security measures your business must take:
- Multifactor authentication: Multifactor authentication is an authentication method that allows access to a portal or application only after the user successfully presents two or more pieces of evidence. A two-factor authentication that uses a password as well as a one-time authentication key (OTP) is an example of this.
- Data loss prevention: Data loss prevention is a mechanism designed to ensure that sensitive or critical information is not sent outside of corporate networks. It helps a network administrator control what data end users can transfer.
- Encryption: The front line of defense for any system is encryption. It uses complex algorithms to conceal information so that it is unreadable without the confidential encryption key. Encryption helps prevent confidential data from falling into the wrong hands. Encrypting data at rest is a must, while encrypting data in transit is highly advised.
- Data backup: Data backup is the process of duplicating data to allow for its retrieval in case of a data loss event. It helps to ensure that data is not lost because of natural disasters, theft, or any other mishap.
- Firewalls: A firewall is a network security tool that monitors incoming and outgoing traffic to detect anomalies. It also blocks specific traffic based on a defined set of rules. Cloud-based virtual firewalls help to filter network traffic to and from the internet and secure the data center.
- Security assessments: Cloud security assessments help to test, validate, and improve cloud security features. You can ask your CSP for results of cloud security assessments they’ve conducted or seek third-party services to audit your cloud operations.
Next steps: Questions you must ask your cloud service provider
Do not blindly sign up for cloud services or SaaS applications. Question your vendor thoroughly to understand data security features offered.
Ask your cloud service provider these seven questions:
To choose cloud security software best suited for your organization, visit our directory that offers a long list of cloud security products. Be sure to compare products and read user reviews before making your final purchase decision.
Note: The information contained in this article has been obtained from sources believed to be reliable. The applications listed are to show a feature in context, and are not intended as endorsements or recommendations.