Staying ahead of these data security issues in cloud computing is critical to every business’ daily operations
Today, most companies store the majority of their data and tools in the cloud. With staff, clients, and vendors spread across the globe, remote applications are better suited to the needs of an increasingly distributed working world. But to safely take advantage of these applications, security teams need to understand the unique threats that cloud services can be vulnerable to.
Cloud data security challenges mostly revolve around access control — a task made more difficult by the worldwide shift to remote work brought about by the COVID-19 pandemic. To help security teams handle these threats, this article explores the most common cloud data security challenges modern enterprises must be ready to face.
What are cloud data security challenges?
Cloud data security challenges are any issues related to the access and sharing of data that is stored in the cloud. Most of the time, this comes in the form of someone gaining access to a system that they were not authorized to access, and from there either accessing sensitive information, launching an exfiltration attack, or moving deeper into the infrastructure via lateral movement. To ensure they can create proper prevention and mitigation measures, security teams should be well versed in the most significant threats to their organization’s cloud data assets.
The most common cloud data security challenges
Enterprise data breaches
Companies big and small are suffering from leaked user credentials. In 2021, more than half a billion Facebook accounts were stolen, resulting in email addresses, phone numbers, job information, and location data being leaked. The standard infosec practice of hashing data has meant that it’s less common to encounter leaks of personally identifiable information (PII) like full credit cards, SSNs, or passwords. However, the data that does make its way out in these breaches is still valuable fodder for other attack avenues, notably credential stuffing, social engineering vectors, spear phishing, and password reset workarounds.
Good cloud data security practice is crucial to prevent breaches, and to mitigate the impact of any information that might leak. But for the IT security side of any company, enforcing an appropriate level of security is a balancing act. It’s important to stay on top of new ways bad actors are attempting to harvest data, but the more stringent your company policies are, and the more frequently they change, the less likely people are to embrace them. Requiring employees to change passwords every six months typically leads to simple passwords being reused or barely changed, whereas a properly generated secure password can remain essentially effective indefinitely.
Regional data access legislation
There’s an old saying among IT folk: “The cloud is just someone else’s computer.” Your company’s data may be accessible from anywhere in the world, but it still physically exists somewhere. Those server banks have physical locations, and those locations are governed by local laws. In 2018, Congress enacted the CLOUD (Clarifying Lawful Overseas Use of Data) Act, which could force companies to hand over data regardless of where the server is physically located, and also allows foreign entities to request data that is stored in the USA. Recent laws in China allow local authorities “unrestricted access to any data transmitted or stored within the country”, including data transmitted over VPN. If your company has a Beijing office, then current laws prevent “any company that manages and stores data in China from transferring data across borders without the prior, explicit approval of the authorities”.
The flip side of these geographical data concerns is that some places are improving data privacy, but in ways that make it difficult for companies that store or collect information on people from those locales. When GDPR went into effect in 2018, it catalyzed a huge push in the IT sphere to make sure data was compliant.
Different countries (and in some cases, different states) have different rules about how data privacy is dealt with, what information the local government can require from a local host, what content can be hosted there, and more. Infosec-minded teams may want to audit their company’s data and establish who they are pulling information from as well as how and where it’s been stored — and any associated liabilities.
Growth driven insider threats
“Insider threats” is a blanket term that can cover a number of potential risk vectors, but they all share one thing in common — an employee or contractor who leaked data, either intentionally or accidentally. A 2019 data risk report found that 17% of all sensitive files were accessible by all employees.
These threats can be malicious actors: people who are intentionally taking data outside the organization for financial reasons, or to hurt the company. These are the stories that often make it to the press: established employees engaging in industrial espionage, sometimes for a payout, and sometimes because they feel slighted by the organization.
But these threats can also be people who join your organization for the explicit purpose of infiltration. Even the most canny hiring manager can be taken in by a good set of credentials, or an excellent programming test. For companies in their growth phase, hiring en masse to meet the rapidly expanding needs of the organization can allow bad actors to slip through the cracks. Be certain to follow up on references (and make sure you’re talking to the people you think you’re talking to), and run background checks.
Insider threats can also come through unknowing participants in the leak, people who share a file in a way they shouldn’t, or lose a laptop, or just have an easy to guess password. The best way to prevent insider threats is through monitoring of user activities, and active control of who is allowed to access what files. Set up flags for individuals accessing large numbers of files, especially those outside of what they need for their job, and strictly control settings to make sure that files aren’t accidentally being shared beyond where they’re meant to be. Knowing who accessed what tools and when can be crucial to spotting an internal bad actor.
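The flagging rule described above, as an added example that is not part of the original article or of any vendor's product. The log format, the thresholds, and the convention that a file's top-level folder names its owning team are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(minute):
    # Helper for building constructed timestamps on one sample morning.
    return (datetime(2024, 3, 4, 9, 0) + timedelta(minutes=minute)).isoformat()


# Constructed sample access log: (timestamp, user, user's team, file path).
SAMPLE_LOG = (
    [(_ts(i * 30), "alice", "finance", f"/finance/report-{i}.xlsx") for i in range(4)]
    + [(_ts(i), "bob", "engineering", f"/hr/salary-{i}.csv") for i in range(12)]
    + [(_ts(i * 90), "carol", "hr", f"/hr/review-{i % 2}.docx") for i in range(6)]
    + [(_ts(5), "carol", "hr", "/finance/budget.xlsx")]
)


def flag_unusual_access(log, window=timedelta(hours=1), max_files=10, max_foreign=3):
    """Return {user: [reasons]} for users whose file access warrants review."""
    per_user = defaultdict(list)
    for ts, user, team, path in log:
        per_user[user].append((datetime.fromisoformat(ts), team, path))

    flagged = defaultdict(list)
    for user, events in per_user.items():
        events.sort()
        start, peak = 0, 0
        # Sliding window: the most distinct files touched within any one window.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({p for _, _, p in events[start:end + 1]}))
        if peak > max_files:
            flagged[user].append(f"{peak} distinct files within {window}")
        # Files whose owning team (top-level folder) differs from the user's team.
        foreign = {p for _, team, p in events if p.split("/")[1] != team}
        if len(foreign) > max_foreign:
            flagged[user].append(f"{len(foreign)} files outside own team")
    return dict(flagged)


if __name__ == "__main__":
    for user, reasons in flag_unusual_access(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

Carol's single cross-team read stays below the threshold, which keeps occasional legitimate sharing from generating alerts.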
Rising ransomware attacks
With their frequency newly compounded by the worldwide shift towards WFH practices, ransomware attacks are both one of the most high-profile and one of the most frequently hushed-up types of data attack. Cognyte found more than 1000 organizations were targeted by ransomware attacks in 2021, which is projected to have cost more than $20 billion globally this year. Large corporations regularly pay millions to unlock their data after a ransomware attack, successes that further feed into the growth of this cyberattack industry.
A robust ransomware defense includes ensuring secure, encrypted off-site backups that can be deployed quickly in the event of an attack. Roll out updates and patches frequently to prevent known vulnerabilities from being exploited — if you’ve ever emailed your staff to remind them about an OS update to fix a potential OS breach, follow your own advice and keep things up to date. The most useful tool for protection is employee education. Training people to spot and avoid potential attack vectors is not only an exercise in ongoing practice, but can also be an exercise in frustration. Tell people to overhaul their security protocols too often, and you run the risk of them completely tuning you out, and defaulting to an even worse level of personal security.
Account hijacking is one of the most prevalent attack vectors in modern cloud security. Noted as one of the biggest cloud security challenges of 2020 by the Cloud Security Alliance, account hijacking is on the rise as credential sharing between employees and vendors becomes increasingly difficult to prevent.
The Cloud Security Alliance’s white paper on these challenges flags account stuffing as one of the primary vectors of account hijacking — again pointing to the manner in which a data breach on one service leads to flow-on attacks on a huge number of others through automated login attempts using stolen credentials. Protecting against account stuffing is one of the most powerful ways to prevent account hijacking (outside of somehow managing to ensure your users actually have unique passwords, which is an uphill battle at the best of times). Multi-factor authentication is still the most common and useful tool in your toolkit for this, but biometrics can be a reliable alternative, assuming you trust how accurate the scanner is.
Many of the issues on this list can feel hard to proactively address, but misconfigurations are comparatively straightforward to prevent. The downside is that there’s no easy way to roll out prevention in one fell swoop; it takes time and effort. Misconfigured systems are simply those that are set up without the correct security controls, which can lead to breaches.
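A detection sketch for the automated login attempts described above, added here as an example and not taken from the article or the Cloud Security Alliance paper. The log format, thresholds and sample events are constructed, and the IP addresses come from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def _ts(second):
    # Helper for building constructed timestamps.
    return (datetime(2024, 3, 4, 2, 0) + timedelta(seconds=second)).isoformat()


# Constructed sample auth log: (timestamp, source IP, username, login succeeded).
SAMPLE_AUTH_LOG = (
    [(_ts(i * 2), "203.0.113.7", f"user{i:02d}", i == 17) for i in range(25)]
    + [(_ts(i * 40), "198.51.100.20", "dana", i == 3) for i in range(4)]
    + [(_ts(600), "203.0.113.7", "user17", True)]
)


def find_stuffing_sources(log, bucket_seconds=300, min_accounts=20, min_fail_ratio=0.8):
    """Return {ip: accounts it logged in to} for sources that try many distinct
    usernames inside one time bucket while most of those attempts fail."""
    buckets = defaultdict(list)
    successes_by_ip = defaultdict(set)
    for ts, ip, user, ok in log:
        seconds = int((datetime.fromisoformat(ts) - EPOCH).total_seconds())
        buckets[(ip, seconds // bucket_seconds)].append((user, ok))
        if ok:
            successes_by_ip[ip].add(user)

    findings = {}
    for (ip, _), attempts in buckets.items():
        accounts = {user for user, _ in attempts}
        failed = sum(1 for _, ok in attempts if not ok)
        if len(accounts) >= min_accounts and failed / len(attempts) >= min_fail_ratio:
            # Any account this source ever got into should be reset and
            # checked for multi-factor enrollment.
            findings[ip] = sorted(successes_by_ip[ip])
    return findings


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_AUTH_LOG).items():
        print(ip, "compromised accounts to reset:", accounts)
```

A user who mistypes one password several times, like dana in the sample, touches only one account and is not flagged.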
Misconfiguration prevention comes primarily from frequent auditing and testing of application configurations to make sure they are properly set up, as well as ongoing education of the teams responsible for using these tools to ensure they’re aware of best practices and following protocol.
Detailed access and edit logs are useful when paired with auditing to establish where and when misconfigurations occur, in order to make sure mistakes aren’t replicated.
Lack of a strategy
The biggest threat to data security is not having a plan to deal with threats to data security. Like every city should have a disaster plan and every household should have a fire plan, so too every company should have a data breach plan. Figure out the likely avenues that a breach might come through and how to handle it should it happen. Establishing what to do in the worst case scenario can mitigate damage if something goes wrong and get everything back up and running as soon as possible.
The vast majority of these problems can either be prevented or mitigated through intelligent use of access control. Being constantly on top of who has access to what, and granularly controlling it as the situation demands is key to preventing a breach. Having the right tools in place is crucial to maintaining the ongoing efforts necessary for optimal data security. Symmetry Systems’ DataGuard provides the ability to analyze and control who is accessing your information, ways to control that access, and automatic alerts if anything goes wrong. Reach out today for a demonstration.