Cloud computing and cloud-based storage solutions have grown in popularity among businesses, and many have already migrated their critical data to the cloud. Unfortunately, cloud computing organizations are frequently targeted by various dangers, Security Threats and new risks emerge on a regular basis.
While any threat present in traditional environments should also be a concern in cloud computing, there are some security threats that tend to be more prevalent.
A data breach is an incident in which data is viewed, copied, or transmitted by an individual not authorized to do so. While all information systems face this type of threat, the ubiquitous “always available from anywhere” nature of cloud computing enhances the possibility for attack. Click on the following tabs to learn more about two famous data breaches involving cloud computing.
In July 2019, a hacker was arrested for stealing over 106 million customer records from Capital One Financial. The hacker was able to exploit misconfigurations that ultimately were the responsibility of Capital One and not the cloud provider, Amazon.
In 2012, the professional networking site, LinkedIn, suffered the loss of 167 million passwords as a result of not using a salt with passwords in the database.
Data loss is the accidental or deliberate deletion or overwriting of data. In cloud computing, data loss is one of several issues to be addressed in delineating the responsibilities of the customer vs. the cloud service provider. Further, it is important to consider the role of encryption in protecting cloud-based backups. Lastly, given the heightened role of cryptography in cloud computing, one of the most devastating forms of data loss can be the deletion of decryption keys.
Account hijacking occurs when an attacker uses someone else’s credentials to access a system or service they would normally not be authorized to. While this is not a threat specific to cloud computing, again, the high availability nature of the cloud can increase the challenge of mitigating such attacks. Whereas with a conventional network, someone might have to be on the same physical network to login to resources, with cloud computing, attacks can be launched from anywhere.
Cloud computing makes use of complex application programming interfaces (APIs) that permit various components of a cloud platform to communicate with each other, third-party resources, and the cloud consumer trying to manage its resources. While these APIs provide functionality, they also provide additional attack vectors.
Denial of Service
A major feature of cloud computing is its ability to scale with demand. However, when that demand is in fact a flood of malicious requests, intended to create a denial of service (DoS) attack, the consequence can be devastating. Whereas in a traditional environment, a DoS attack might target a specific service, such as email or web, when all of an organization’s resources are housed with the same cloud provider, a DoS attack targeting one resource will render all the organization’s resources unavailable. Also, a DoS directed at some other organization may render your organization’s resources unavailable if they happen to share the same cloud resources. Related to DoS is the distributed denial of service (DDoS) attack. Click on the following tab to learn more about one famous DDoS attack that targeted GitHub.
In February 2018, an attack on the popular software development platform GitHub sent over one trillion bits a second to the platform, making it the attack the largest DDoS attack ever. However, the company was able to reroute traffic as it had expected to be a target of this kind of attack. However, it was not expecting this type of amplification attack to occur. Surprisingly, GitHub was able to recover within minutes of rerouting traffic.
As is the case when using any third party, care must be taken to ensure its employees and contractors do not intentionally undermine your organization’s security.
Abuse of Service
Many of the features that make cloud computing valuable for ethical business make it also attractive for unethical activities. For example, the strength of encryption typically is based upon the length of time it would take a standard computer to test all possible combinations of a key. However, cloud computing can make the resources of many computers available all at once, thus greatly shortening the length of time it might take to crack a password. Similar scenarios exist when talking about launching denial of service attacks or spam. While cloud computing did not create these attacks, it does make them much more feasible.
Control of Data
Another concern organizations have regarding cloud computing deals with the perceived loss of control over data assets when those assets are now housed in the cloud. Organizations may also fear that their data will comingle with data from other organizations that share cloud resources. Tracking down where data resides and whether it has been properly disposed of according to pertinent laws and regulations can also become problematic when those processes are not clearly defined between a cloud provider and its client(s). Lastly, organizations need to be reassured that their data will not comingle to the point that misconfiguration issues arise.
PaaS and IaaS implementations are targets for malware injections as vulnerabilities can be introduced when customers install their own applications. Once in the cloud, an attacker can access and alter the data that is housed there.
Inadequate Due Diligence
Many non-technical issues can arise from the contracts between vendors and cloud service providers. An organization needs to perform sufficient due diligence while evaluating a potential cloud provider. Not doing so can open up the organization to vulnerabilities as security does not fall only on the provider. In addition, the language of contracts can be vague in some areas. Ultimately, it is the responsibility of the customer to ensure that a cloud provider is complying with contractual obligations in every way. This may require monitoring of the service provider and performing regular security assessments to ensure compliance.
Recommended for you Types of Cybersecurity Attacks