Though more businesses than ever are moving to the cloud, the space is still not completely devoid of risk. To address some of these threats, the Cloud Security Alliance (CSA) developed the “Treacherous Twelve” report. We dissected six of those threats last week—now it’s time to delve into the remaining six on the list. These can have negative effects on your business, but with the right preparation, you’ll mitigate your exposure to risk.
Advanced Persistent Threats (APTs)
APTs are “a parasitical form of cyberattack that infiltrates systems to establish a foothold in the computing infrastructure of target companies from which they smuggle data and intellectual property.” Spear phishing, delivering attack code through USB devices, direct hacking of systems, penetration through partner networks, and use of unsecured or third-party networks are among the common entry points for APTs.
APTs can be harder to detect, as they often adapt to the security measures intended to defend against them. Once they are in place, they move laterally through data center networks to blend in with the regular traffic of a network. IT departments need to stay up-to-date on the latest advanced cybersecurity attacks, and be educated on how to both recognize and handle social engineering techniques like spear phishing. Being aware is one of the best steps a user can take against APTs. And of course, always give pause before opening an attachment or clicking on a link, particularly if you don’t recognize the sender.
Data Loss
Malicious intent isn’t the only reason for data loss. Natural disasters, like fires and earthquakes, and accidental mistakes by users or a provider can also lead to the permanent deletion of data. It’s also possible for data to be lost thanks to encryption – a customer can encrypt data before uploading it to the cloud and then proceed to lose the encryption key. Information is the heart and soul of nearly every organization. In fact, under the new EU data protection rules, data destruction and corruption of personal data are considered forms of data breaches – so make sure you’re taking the steps to protect it.
Any good cloud provider should already be taking measures to back up data and follow best practices in business continuity and disaster recovery. They can also run daily data backup and possibly store some or all data off-site. An organization often must also retain audit records or similar documentation to prove compliance. It’s crucial that data doesn’t get lost, or the compliant status could be in danger.
Insufficient Due Diligence
Developing a strong roadmap and checklist for due diligence when evaluating technologies and cloud service providers (CSPs) is essential for the greatest chance of success. A company that rushes into adopting cloud – or any other technology – without first researching it thoroughly exposes itself to myriad risks.
Commercial risks, such as newly designed customer services that rely on the CSP to develop new systems and processes, may not be top of mind for a provider. Technical risks are also possible; a designer with limited cloud technology experience may be designing applications that are pushed to the cloud. And on the legal side of things, organizations must be aware of data in use, in motion, or at rest in foreign locations. What’s more, moving applications that depend on “internal” network-level data privacy and security controls to the cloud suddenly poses a compliance risk when those controls disappear. A business must perform extensive due diligence and thoroughly understand the potential risks it assumes.
Abuse and Nefarious Use of Cloud Services
We’ve spoken before about malicious actors, who leverage cloud computing resources to target users, organizations or other cloud providers. The CSA white paper lists a number of examples, including “launching (Distributed Denial of Service) DDoS attacks, email spam and phishing campaigns; ‘mining’ for digital currency; large-scale automated click fraud; brute-force compute attacks of stolen credential databases; and hosting of malicious or pirated content.” This nefarious use reduces available capacity for real customers and can sometimes lead to increased costs or business disruption.
To minimize this risk, a CSP should have an incident response framework in place to address any misuse of resources. That includes a way for customers to report abuse and monitor the status of their cloud workload. As always, it’s better to be proactive than reactive.
Denial of Service
Denial-of-service (DoS) attacks are “meant to prevent users of a service from being able to access their data or their applications. By forcing the targeted cloud service to consume inordinate amounts of finite system resources such as processor power, memory, disk space or network bandwidth, the attacker—or attackers, as is the case in Distributed DoS attacks—causes an intolerable system slowdown and leaves all legitimate service users confused and angry as to why the service is not responding.”
But before you throw your computer in the trash like Ron Swanson, you should understand the key to mitigating a DDoS attack is being prepared for one before it happens. System administrators must be able to immediately access resources that can be used to minimize risk. Cloud providers are often better equipped to mitigate these kinds of attacks, which you should discover during your due diligence. Once a DDoS attack happens, the CSA white paper equates it to being stuck in rush-hour traffic: “there is no way to get to your destination, and there is nothing you can do about it except sit and wait.”
Shared Technology Issues
CSPs are able to deliver their services to scale by sharing infrastructure, platforms, or apps. Underlying components, like CPU caches or GPUs, which make up the deployment infrastructure “may not have been designed to offer strong isolation properties for a multitenant architecture (IaaS), re-deployable platforms (PaaS) or multicustomer applications (SaaS). This can lead to shared technology vulnerabilities that can potentially be exploited in all delivery models,” says the CSA white paper. This vulnerability is exceptionally dangerous, as it has the potential to affect not just one customer, but also the entire cloud environment all at once.
Compute, storage, network, application and user security enforcement, and monitoring should be utilized, no matter if the service model is PaaS, IaaS, or SaaS. There are additional ways to reduce risk, such as multi-factor authentication across all hosts, Host-based Intrusion Detection Systems (HIDS) and Network-based Intrusion Detection Systems (NIDS) on internal networks, and keeping shared resources patched.
The first step towards combating cloud security risk is educating yourself. Once you’re aware of the potential damage these threats can cause, you can develop a proactive method for stopping them, or at least mitigating the damage. If you still have any questions, feel free to check out the Cloud Security Alliance site for more information and upcoming events. As a CSA member, we’re well positioned to report on these threats, and are happy to answer any additional questions as well.