Helping Clients Avoid Cloud Security Breaches
There have been more cyber-attacks this year than at any other time in history, and 2018 will likely match, if not exceed, that record. Adnene Guabtni, Senior Research Scientist and Engineer at Data61, states, "We are producing more data than ever before, with more than 2.5 quintillion bytes produced every day", according to computer giant IBM. Because of increased demand, cloud solutions are evolving from simple online backup services to comprehensive storage services.
Let's take a closer look at how to approach the topic of cloud security with clients and provide the most current information and support they require to prevent attacks. (If you have yet to discuss the topic with your clients or need help starting a dialogue, read the Top 5 challenges when moving your business to the cloud, and how to overcome them.) To help you begin this discussion, here is a list of the top five cloud security threats and what our clients need to know.
1. Data Breaches Leading to Loss of Intellectual Property
All cloud environments employ security measures, but these platforms are still subject to threats much like traditional networks. Although each cloud service implements its own security protocol, these are not all created equal. Data breaches can expose sensitive customer information, intellectual property as well as trade secrets and can have substantial consequences such as lawsuits, large fines and loss of trust in the brand by the public. Analysis indicates more than 20 percent of the data stored on cloud platforms includes sensitive information. Any cloud security breach can compromise this confidential information. In recent years, Target and Home Depot have experienced significant data breaches including theft of customer credit card and personal information. In his article, Hybrid Cloud Security: Achieving Full Protection, Daniel Newman states, "While the cloud offers numerous financial and operational efficiencies, the hard truth is those gains can be wiped out almost instantly with just one data breach."
2. Poor User Credential Maintenance
Companies have a responsibility to encourage users of their online platforms to create and maintain strong passwords, which can go a long way toward preventing many security threats. Businesses also need to have proper procedures in place to identify critical changes made by other users that can adversely affect the security of their information. This is where multifactor authentication, which includes the use of smartcards, phone-based authentication and one-time passwords, is vital in helping to prevent unauthorized users from logging into customer accounts. Poor certificate and key management, weak passwords and inadequate authentication protocols are often causes of cloud-based data breaches. In addition, companies frequently fail to update or remove access privileges when a user changes roles or leaves the company. Disgruntled ex-employees and inattentive or incompetent users can cause a lot of damage unless you implement the proper security precautions and procedures.
3. Application Programming Interface (API) Threats and Hacking
APIs, sets of programming instructions and standards for accessing a web-based software application or web tools, are used by cloud services to communicate with other cloud services. Consequently, proper API security directly affects the quality of the overall security of the cloud platform. When a company allows a third party to have access to an API, it can leave the corresponding cloud platform open to attack. In How to mitigate your cloud computing risks, Jason Parms writes, "To provide services such as platform services, application programming interfaces are made available to integrators and developers…Malicious attackers can access the service using an API, essentially building their own application, and use it to manipulate a customer's data." The best methods to prevent API hacks are to incorporate threat modeling applications and systems into the cloud development process and to conduct comprehensive code reviews to help identify and correct security gaps. APIs are fairly accessible via the Internet, so focus on a proactive security approach. Enterprises must understand that they, not the cloud environment, are ultimately responsible for maintaining proper information security. As integrators, we should encourage clients to adopt layered security protocols that include encryption and multi-factor authentication. For more detailed encryption tips, check out Six Cloud Encryption Tips to Put in Place Now by Shelly Kramer.
4. Denial of Service (DoS) Attacks
DoS attacks, which monopolize server processing power and impede cloud availability and speed for users, are on the rise. While this type of attack has been around a long time, cloud services are frequently targeted due to the network of virtual machines and multiple points of entry common with these platforms. Prevention, including regular security audits to identify vulnerabilities, is crucial. Once an attack occurs, the only option that remains is to wait for it to end. Companies must pay for the additional server load caused by attacks, which in severe cases can result in substantial financial losses.
5. Regulation and Compliance Violations
There are many types of compliance requirements, including HIPAA guidelines for handling private health information and federal regulations governing student information. Enterprises need to make sure their cloud storage and application service providers adhere to regulatory directives. Business leaders risk loss of important data, loss of revenue and a hit to their reputation when they neglect compliance monitoring and maintenance of their cloud services. According to Dan Newman, a well-developed cloud security monitoring solution offers businesses more control over accessibility, improved regulatory support, better reputation management and faster threat response times.
Robust cloud security is essential in today's business world, and it is everyone's responsibility. Our clients need to be equipped with the most current knowledge and tools to prevent common security threats and attacks. A proactive approach, including regular monitoring and maintenance, is the best way to ensure the best possible protection against an unwanted breach.