As enterprises continue to invest heavily in public cloud technology, experts now agree that the market is entering a second wave.
Cloud uptake will accelerate faster in 2017, according to a report by Forrester. ‘Enterprises with big budgets, data centres, and complex applications are now looking at cloud as a viable place to run core business applications’ says Dave Bartoletti, analyst at Forrester.
An average of 1031 cloud services is now in use per enterprise — up from 977 in the previous quarter — according to Netskope’s January Cloud Report.
But the threat of cyber crime in 2017 is massive and data breaches are becoming more commonplace. With the average cost of a breach now a massive $4 million, enterprises cannot afford to consider public cloud cyber security an afterthought.
But there are numerous cyber security threats out there for enterprises migrating to, or already running critical infrastructure in the cloud.
- Enterprise cloud services are not enterprise-ready
Large companies are already using public cloud providers to host critical enterprise applications. And as CIOs become increasingly comfortable hosting critical software in the public cloud, we can expect this trend to continue.
Worryingly, 95% of cloud services used in the average enterprise are not enterprise-ready from a security standpoint.
And by using unsecured applications, your sensitive corporate data could be exposed without your organisation even realising it.
The burden of creating secure applications — using secure approaches, models, and technology –belongs to developers. The movement to DevOps and CloudOps now places the responsibility of writing and testing secure cloud applications squarely on the developer’s shoulders.
Software defects and bugs coded into program logic are a common cause of application vulnerabilities. These flaws can be accidentally built into any application, whether it’s hosted through a provider’s public cloud or on your local network.
Most cloud services now offer APIs for developers to manage and interact with their service. The security and availability of cloud services — from authentication and access control to encryption and activity monitoring — depend on the security of the API.
Risk increases with third parties that rely on such APIs, as enterprises may be required to expose more services and credentials. Weak APIs expose enterprises to security vulnerabilities.
To help secure cloud APIs and the enterprise applications they’re used to build, the Cloud Security Alliance recommends security-focused code reviews and rigorous penetration testing
- Data breaches
Due to the huge amount of data stored on cloud servers, providers are an increasingly attractive target to cyber criminals.
The severity of damage depends on the sensitivity of the data exposed. Breaches involving health information, trade secrets and intellectual property are typically the most devastating.
Breaches can incur fines, lawsuits or even criminal charges leveraged against an organisation. Damage to reputation can also have long-term effects potentially outweighing the initial financial cost.
Whilst public cloud providers are actively investing in improved security controls to protect their environment, it’s ultimately the responsibility of the enterprise to protect their data in the cloud.
And with the introduction of new data protection laws in Europe, organisations wanting to do business with EU firms must comply to the EU General Data Protection Regulation (GDPR). When the GDPR is introduced in 2018 new accountability and restrictions on internal data flows will be introduced. Organisations risk a $4 million fine for breaching the regulation.
Europe’s upcoming GDPR regulations set a global precedent in data security. But with just 2% of enterprise cloud applications GDPR-ready, there’s a lot of work ahead for developers on every public cloud platform.
- Lack of encryption
The Cloud Security Alliance (CSA) recommend organisations use encryption to protect their sensitive cloud data.
Encryption is one of the most basic methods for securing data, but many enterprises make the mistake of failing to encrypt sensitive data.
UK Base TalkTAlk Telecom Group were recently fined a record $500,000 for security failings which led to the theft of personal data from 157,000 customers. If TalkTalk had encrypted their data, only authorised users with a matching key would able to access private records.
Whilst some public cloud providers are starting to provide customers with more control over their data, information stored in the cloud is often not within an organisation’s control.
Instead, the integrity of your data may rely entirely on the security practices of third parties. Unfortunately, this is out of your control and impossible to guarantee. Your organisation’s security best practices may not always be applied.
With the rise of bring your own device (BYOD) in the workplace, employees may be tempted to use their own cloud-based applications to store or share sensitive data with their colleagues.
Known as shadow IT, trends like this, put organisations at risk. Gartner predicts that one-third of security breaches will result from shadow IT services by 2020.
Because of this, shadow IT is in direct conflict with enterprise data security. And the result may leave sensitive enterprise data in the hands of an unknown third party applications.
Enterprises should consider using a VPN tunnel to protect their public cloud data. A VPN tunnel enables remote off-site employees to create an encrypted end-to-end connection with their company network and transfer data securely regardless of location or application.
- Weak authentication and identity management
A lack of proper authentication and identity management is responsible for data breaches within organisations. Businesses often struggle with identity management as they try to allocate permissions appropriate to every user’s job role.
The Anthem Inc data breach resulted in cyber criminals accessing 80 million records containing personal and medical information. This hack was the result of stolen user credentials; Anthem had failed to deploy multifactor authentication.
Two-factor/Multifactor authentication systems, like one-time passwords and phone-based authentication, protect cloud services by making it harder for attackers to log in using stolen passwords.
Enterprises that need to federate identity with a public cloud provider must understand the security measures which that provider uses.
- Insider threat
Poor identity management can leave gaping gaps in enterprise cyber security when IT professionals fail to remove user access when a job function changes or an employee leaves the organisation.
Insider threat can take many forms: a former employee, system administrator, contractor, or business partner. Often dependent on the industry, the criminal’s agenda can range from IP theft (common in manufacturing) to revenge.
Within enterprise public cloud, an insider could destroy infrastructure or permanently delete data. Systems that depend entirely on cloud service providers for security, like encryption, are at greatest risk of this type of threat.
Insider threat can be disastrous. A recent insider breach affecting Sage resulted in the company’s stock price dropping by 4.3% – causing $millions in losses.
However, quickly identifying insider threat can be tricky; it’s possible to misidentify a poorly carried out routine job as a malicious activity. For example, if an administrator accidentally copies sensitive customer information to a public server.
Proper training and management to help prevent these mistakes are becoming increasingly important in the cloud.
- Account Hijacking
Techniques like phishing and fraud are well known cyber threats, but cloud adds a new dimension to these threats as successful attackers are able to eavesdrop on activities and modify data.
Common defence-in-depth protection strategies can contain the damage caused by a hijacking attempt. But, as always with cyber security, prevention is the best-practice.
Enterprises should prohibit the sharing of account credentials between users and cloud services – and enable multifactor authentication where available.
The CSA recommend that accounts should be monitored so that every transaction can be traced back to a human owner. The key is to protect credentials from being stolen in the first place.
- Lacking due diligence
Due diligence is the process of evaluating cloud vendors to ensure that best practices are in place. Part of this process includes verifying whether the cloud provider can offer adequate cloud security controls and meet the level of service expected by an enterprise.
Enterprises should review accreditations and standards gained by cloud providers, including ISO 9001, DCS, PCI and HIPAA.
Enterprises must only embrace the cloud when fully understanding the environment, or risk getting entangled in a myriad of security issues. For example, organisations that fail to read-up on a contract may not be aware of where liability lays in case of data loss or breach.
Due diligence massively affects application security and any resulting breach. The rise of cloud technology means the responsibilities of shared security have changed. Public cloud providers may be responsible for your infrastructure, but it can be easy to forget that — as the customer — you are responsible for the security of your own application and infrastructure.
- DDoS attacks
DDoS attacks are nothing new but can be especially crippling when targeted at your organisation’s public cloud. DDoS attacks often affect availability and for enterprises that run critical infrastructure in the cloud. This can be debilitating and systems may slow or simply time out.
DDoS attacks also consume large amounts of processing power – a bill that the cloud customer (you) will have to pay.
On the upside, cloud providers are typically better positioned to handle DDoS attacks than their customers. However, as the Cloud Security Alliance state, organisations must still have a plan to mitigate attacks before they occur.