5 Cloud Security Issues You Need to Know
Back in the day, because of cost, IT systems were used mainly by large and larger medium-sized organisations, which operated in-house IT support teams. Security was entirely in the hands of the in-house IT department. Today, however, the landscape has changed. Almost every organisation has in-house or hosted IT systems and operates an online presence.
Few medium-sized and small businesses have the resources to create and maintain an effective security environment, so they are vulnerable to attacks on their data that compromise its security, accuracy and availability.
Here are 5 areas of concern in Cloud Security:
External Communications Issues
A hacker mustn’t be able to extract login credentials or steal confidential data by hacking the link between the client and the cloud host. Man-in-the-middle attacks need to be prevented. At the very least, the connection needs to be encrypted, carried over a secure VPN and supported by a secure backup or alternate connection as part of the disaster recovery plan (DRP).
The Cloud host must also have network security that minimises the potential for DDoS attacks and other hacking exploits that reduce systems performance or make the cloud-based systems unavailable.
Shared Service Issues
The first area is that of the security environment at the outsourced host. This needs to be specified in the SLA between you and the host and regularly reviewed and updated. Your systems and data need to be protected and covered by properly implemented and operated data backup procedures.
One area that is often overlooked is the security between clients on a shared service host. There need to be adequate firewalls between clients so that no client can look at another client’s data, and so that hackers who have broken into one client cannot move on to another.
The second area is a matrix of responsibilities. Far too often, vulnerabilities have been found that existed because the client and the host each thought the other was covering them. Part of the definition of responsibilities must be a clear statement of responsibility for security matters.
Finally, regular reviews with the host are needed to review security performance and to discuss any remedial measures that might be needed.
They say charity begins at home, and this is as true of security as any other area of life. The FBI estimate that the majority of successful hacks are caused by bad user behaviour, either inadvertent or deliberate.
In the cloud environment, users can log in from a variety of devices and locations. These devices and their anti-malware software are usually out of the control of the IT department and can potentially act as attack vectors.
A second potential area of concern is that of comms devices like cellphone dongles or WiFi connectivity. Again, IT has little control over where a user connects when using these local devices for independent and sometimes concurrent connectivity.
Finally, portable data devices like flash drives or portable hard drives can be a source of malware or alternative unmanaged connections to the Cloud.
Inadequate Security Maintenance and Testing
The malware environment is continually evolving, as are countermeasures. This implies that hacks are made more likely by outdated or inappropriate network software and hardware.
Anti-malware applications and signature files must be kept fully up to date at all times.
In environments with many software applications, upgrades to one can have unexpected consequences. Previously functional interfaces stop working entirely or pass incorrect information. They may also expose previously secure interfaces to penetration attack.
In organisations that develop their own in-house applications, automated security testing (“AST”) is of increasing value. Applied to the security environment, it can find new vulnerabilities and create the appropriate alerts. AST is especially appropriate in the DevOps environment, where it can be used to detect potential security risks and suggest remedies before the app moves to production.
Studies suggest that new applications undergoing AST as part of the development process will be about five times more secure than those that don’t.
Data Loss and Backups
Strictly speaking, this is not a threat, but threats will happen. One eminent commentator says that the only secure network is one that hasn’t been hacked yet.
In these days of ransomware and other attack vectors, a complete and accessible clean backup is often the only way to recover easily and quickly. Loss of service, for example in an online retail environment, can be business-threatening.
An organisation needs to have a backup regime in place:
- Backups, full and incremental, must be taken regularly. In some fast-moving environments, immediate database replication may be needed. One point: test the backup. It wouldn’t be the first time that backups have been incomplete or corrupt. Also, if the backup process is manual, the backup might not have been taken at all.
- A recovery plan.
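The "test the backup" point above can be automated. The sketch below is an added example, not part of the original article: it checks a backup for the three failures the list names (never taken, incomplete, corrupt) plus staleness. The function names, the one-day age policy and the sample files are assumptions made for illustration.

```python
import hashlib
import io
import tarfile
import zlib

MAX_AGE_SECONDS = 24 * 3600  # assumed policy: newest backup must be under a day old

# Constructed sample data standing in for the systems being backed up.
SAMPLE_FILES = {"app/config.ini": b"[db]\nhost=10.0.0.5\n",
                "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget');\n"}


def make_manifest(files):
    """SHA-256 of every source file, recorded when the backup is taken."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def build_backup(files):
    """Pack files into an in-memory .tar.gz, as a backup job would."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_backup(archive, taken_at, manifest, now):
    """Return a list of problems; an empty list means the backup passed."""
    if archive is None or taken_at is None:
        return ["missing: no backup was taken"]
    problems = []
    if now - taken_at > MAX_AGE_SECONDS:
        problems.append("stale: last backup is older than policy allows")
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            members = {m.name: m for m in tar.getmembers() if m.isfile()}
            for name in sorted(manifest):
                if name not in members:
                    problems.append(f"incomplete: {name} missing")
                    continue
                data = tar.extractfile(members[name]).read()
                if hashlib.sha256(data).hexdigest() != manifest[name]:
                    problems.append(f"corrupt: {name} checksum mismatch")
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        problems.append(f"corrupt: archive unreadable ({type(exc).__name__})")
    return problems
```

Run on a schedule against the most recent archive, a non-empty result is the alert that the backup regime has silently failed.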
Moving to the Cloud can be beneficial, particularly for the smaller business. However, a proper security evaluation and implementation need to take place, supplemented by regular reviews.