Top 7 - Cloud Risks And Mitigations
Organisations continue to migrate to cloud computing at a rapid pace for the promise of increased efficiency, scalability, and improved agility. However, with this surge, cloud security concerns are increasing in scope and complexity and should be a top priority for all business leaders.
In my last blog, we discussed the Risk Assessment Framework for Cloud Security. In this blog, I'll focus my advice on the top security risks that will impede the adoption and implementation of cloud services.
Legal and Regulatory Non Compliance: Most companies need to abide by local, regional and international compliances including but not limited to data sovereignty and privacy. In the UAE, data sovereignty laws are still evolving, with no clear mandate or defined regulation but:
- Organisations must understand where the data resides, travels, auditing information (especially when using 3rd-party SaaS applications), access control, and how it is being protected.
Clearly map out the compliance and regulatory landscape for internal and external stakeholders such as, such as internal business stakeholders, vendors and clients such as HIPAA, GDPR, export regulations etc.
Identify cloud service provider (CSP) and application trust boundaries, data flow paths, input points, privileged operations and Details about security stance and approach early on.
Data also includes metadata, data used for data mining, or undisclosed machine language analysis.
Carefully review CSP contracts around export control, laws of the country which control the access to, and rules, regarding the processing of client data.
Ensure data is not shared with cloud service subcontractors/ technicians located in regions, which can impact the organisation if the information is leaked/breached.
Review the cloud data encryption and key management controls, which help with limiting data disclosures. I have elaborated the same, in point 5, below.
Loss or theft of intellectual property
Companies increasingly store sensitive data in the cloud. A Skyhigh analysis found that 21% of files uploaded to cloud-based file-sharing services contain sensitive data, including intellectual property. When a cloud service is breached, cybercriminals can gain access to this sensitive data. Certain cloud services can even pose a risk if their terms and conditions claim ownership of the data uploaded to them.
Business involvement is a must. Understand the business data that will be processed, stored, transmitted by the applications. Identify sensitive, confidential, IP data and classify the data accordingly.
CSP contracts need thorough reviews. The terms, conditions, and technical understanding regarding security controls must be reviewed and tailored for handling/ownership of such data. Standard CSP contracts will not accept liability of such data, rather add statements such as "prohibits the use of the solutions for processing sensitive personal data".
Loss of Control:
A significant and unplanned challenge cloud services create, is the loss of control over the management and monitoring across complex cloud architectures. Considerable planning is necessary to achieve effective end-to-end monitoring of software and hardware stacks deployed across on-premises infrastructures and private and public clouds. We've found that it is unlikely that an organisation's existing monitoring frameworks can effectively track both on-premises and cloud environments. To this point, relevant security and operations teams must be proactively involved to assist with monitoring requirements and processes during the cloud design stages. Not having them involved early on is highly risky, as it's nearly impossible to implement effective monitoring as an afterthought.
Data Breach Notifications:
Suppose sensitive or regulated data is placed in the cloud, and a breach occurs. In that case, your organisation may be required to disclose the breach and send notifications to potential customers, patients, etc. Following legally-mandated breach disclosures, regulators can levy fines against you, in addition to, potential consumer’s lawsuits.Ensure contracts are reviewed for breach notifications.
Research and evaluate how a CSP handles breaches. This will give you and your organisation insights into their process.
Upon go-live, ensure a channel of communication is established, documented and responsibilities are assigned for incident communications and notifications.
Cloud customers have little or no control towards data disclosure, whenever an MLAT, or similar Foreign Access, a request is invoked on any client data at CSP. Data encryption and key management controls can help with limiting data disclosures. However, key management is an area which has not yet matured even in the big cloud service providers. These security services have typically been added as a layer on top of their existing stacks; they're afterthoughts due to late recognition of their customers' increasing data security concerns, and are not enterprise-grade. For example, when CSPs offer the bring your own key (BYOK) option, it creates the perception of increased security and control. But digging deeper into the BYOK model reveals that it is applied only at varying tiers of the key hierarchy across CSPs, and customers are not necessarily in control of the keys that actually protect data.
Organisations must carefully review the encryption and key management architecture provided by the CSP. Cloud Security Alliance, in its Security Guidance for Critical Areas of Focus in Cloud Computing, recommends that sensitive data should be:
Encrypted for data privacy with approved algorithms and long, random keys;
Encrypted before it passes from the enterprise to the cloud provider;
Should remain encrypted in transit, at rest, and in use;
The cloud provider and its staff should never have access to decryption keys.
Loss of Governance: According to the Ponemon BYOC study, 64 % of companies can’t confirm if their employees are using their own cloud in the workplace. Trust us—they are.
In order to reduce the risks of unmanaged cloud usage, companies first need to define their cloud policy. Define the Organisations stance on cloud adoption, requirements, approvals etc.
Then they need visibility into the cloud services in use by their employees. They need to understand what data is being uploaded to which cloud services and by whom.
With the above two steps Organisations can establish compliance, and governance to protect corporate data in the cloud.
Weak Cloud Security Configuration Measures
As per IBM’s 2020 X-Force Threat Intelligence Index, threat actors took advantage of misconfigured cloud servers to siphon over 1 billion records from compromised cloud environments in 2019. Misconfiguration occurs when computing assets are set up incorrectly, leaving them vulnerable to malicious activity. Some examples of misconfiguration include: 1) Unsecured data storage elements or containers, 2) excessive permissions, 3) unchanged default credentials and configuration settings, 4) standard security controls left disabled, 5) unpatched systems and logging or monitoring left disabled, and 6) unrestricted access to ports and services.
As cloud-based resources can be complex and dynamic, they can prove challenging to configure.
Traditional controls and approaches for change management are not effective in the cloud. Organisations must:
Embrace automation and use technologies that continuously scan for misconfigured resources and remediate problems in real time.
Enable multi-factor authentication to access the service and administration
Ensure the Organisations staff undergoes adequate technical training of the cloud application and administration.
In conclusion, you can outsource cloud services and operations, but not security accountability. The ultimate accountability of data on cloud remains with your organisation.
For this, the critical success factor is to ensure all stakeholders, including Business, IT, Security and Cloud service provider, are part of the risk assessment and the eventual findings and remediations. Security must also be addressed from the beginning of the project and continue to be evaluated throughout the project, even after its completion. This will ensure the organisation proactively manages its network and cloud environments, rather than putting out fires as they arise after deploying new technologies.
The cloud is here to stay, and companies must balance, and plan accordingly, the risks of cloud services with the clear benefits they bring.