Cloud services have reformatted how organizations deliver IT, pushing the on-premises model out of favor for many. With no more server farms to provision nor data centers to build, organizations of all sizes and types can rapidly acquire and deploy software capabilities to all employees wherever they work from. And they all lived happily ever after.
Not so fast.
While cloud services have made a significant impact on the breadth of capabilities available to organizations of all sizes and types, they have imposed a range of security vulnerabilities on their buyers. Research repeatedly shows a range of security vulnerabilities in the age of cloud services. Here are five of those.
Insufficient Access Control
Cloud services adopted without strong integration with the organization’s identity system raise the risk of access by unauthorized people or by ex-employees who are no longer authorized. For example, a business unit signs up for a cloud service to support internal file sharing, and everyone creates an account using their organizational identity but without tying the service to their organizational identity system. Now there are two separate and disconnected instances of the same identity. When an employee leaves the organization, their identity in the official organizational identity system is revoked, but they retain control over the other one and can continue to access the data in the file sharing service. Imagine the devastating impact if the employee joins a competing firm and yet retains surreptitious access to all files at their previous firm. At stake? Data breaches, violation of data privacy regulations, loss of intellectual property, weakened competitive positioning, and more. Current stats say that about half of employees who leave their employer retain confidential information, and more than 40% say they intend to use such confidential information in their new job.
With the average enterprise using more than 1,000 cloud services, the scope for systematic and unidentified unauthorized access to corporate data is staggering.
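The check below reconciles a cloud service's user export against the organizational identity system to surface the disconnected accounts described above. It is an added example, not part of the original article; the CSV column names, the `example.com` domain and the sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample exports (not real data); column names are assumptions.
IDP_EXPORT = """email,status
alice@example.com,active
bob@example.com,disabled
carol@example.com,active
"""

SAAS_EXPORT = """login,sso_linked,last_login
Alice@Example.com,true,2024-05-01
bob@example.com,false,2024-05-20
dave@example.com,false,2024-04-11
carol@example.com,false,2024-05-18
erin@personal.example,false,2024-05-02
"""

ORG_DOMAIN = "example.com"  # assumed corporate e-mail domain


def load_idp(text):
    """Map normalized e-mail -> status from the identity system export."""
    return {r["email"].strip().lower(): r["status"].strip().lower()
            for r in csv.DictReader(io.StringIO(text))}


def find_orphans(idp_text, saas_text, org_domain=ORG_DOMAIN):
    """Return (login, reason) for accounts the identity system does not control."""
    idp = load_idp(idp_text)
    findings = []
    for row in csv.DictReader(io.StringIO(saas_text)):
        login = row["login"].strip().lower()
        linked = row["sso_linked"].strip().lower() == "true"
        status = idp.get(login)
        if not login.endswith("@" + org_domain):
            findings.append((login, "external address"))
        elif status is None:
            findings.append((login, "no matching corporate identity"))
        elif status != "active":
            findings.append((login, "corporate identity revoked"))
        elif not linked:
            findings.append((login, "active but not tied to SSO"))
    return findings


if __name__ == "__main__":
    for login, reason in find_orphans(IDP_EXPORT, SAAS_EXPORT):
        print(f"{login}: {reason}")
```

Accounts flagged as "corporate identity revoked" are the leaver case from the example above and warrant removal first; "active but not tied to SSO" accounts will become that case when the employee departs.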
Weak Authentication Credentials
Cloud services can also create security vulnerabilities when access controls aren’t put in place at all, or when default passwords on services are not changed. One of the horror statistics we came across last year while working on our Cybersecurity in Healthcare report was that more than 60% of the available 305 medical imaging systems in India can be accessed without any kind of password or restriction, and for various other web interfaces, the default admin:admin username/password combination works just fine. Medical data is highly personal and is protected in many jurisdictions, and such a systemic lapse of basic access control is unacceptable.
We saw similar weaknesses during the initial days of the health pandemic in early 2020, where cloud services such as Zoom had weak access controls by default that allowed uninvited people to join online classroom sessions (and business and government meetings, too). People who would never be able to gain access to our children’s classrooms in person were suddenly able to join from anywhere in the world. Lewd acts were performed, and inappropriate images were shown to the young and vulnerable before Zoom implemented new security controls.
In recent years, Amazon Web Services (AWS) has been in the news frequently due to cloud storage folders with insufficient access controls. Customers who have failed to properly secure their storage folders have had data stolen or left accessible to anyone; one research study found that just over one in 20 instances were insufficiently secured.
Supply Chain Attacks
Recent months have witnessed the flow-on effects of the SolarWinds compromise, another example of supply chain attacks, with more than 18,000 organizations including government agencies and security vendors compromised due to weaknesses in their supply chain.
Tighter integration and automated processes across supply chain partners can quickly transform into a net-negative when what isn’t under your control, influence, or decision-making remit goes horribly wrong. Microsoft estimated that the well-orchestrated attack group behind the SolarWinds compromise had more than 1,000 engineers working to undermine SolarWinds and its customers.
Security vulnerabilities in the cloud can also be the consequence of just one person at a critical partner failing to do their job properly. A retailer in Canada suffered an extended data breach on e-commerce transactions when threat actors were able to compromise their e-commerce system because the hosting provider had failed to activate the required security settings on their account. The shared responsibility model with cloud services means that what isn’t your responsibility can still put you at fault.
Leveraging the Cloud for Malicious Actions
Cloud services such as Office 365 and Google GSuite Workspace aggregate huge numbers of organizations and people on a shared platform, and access to accounts on these services has often only been secured by a username and password. If a threat actor can compromise login credentials through a phishing attack, they can leverage the stolen account for several types of misdeeds, often without the valid user even knowing.
For example, the stolen account can be used to launch new phishing attacks to compromise additional accounts, which results in people receiving email messages from a trusted and known account but with content carrying nefarious intent.
Another potential misdeed is data theft. In the case of Office 365, a user’s login provides access to much more than email, with Teams, SharePoint, OneDrive, and Yammer (among others) available for a threat actor to stealthily review for intellectual property, data of value, and intelligence to inform business email compromise (BEC) attacks (e.g., fake invoices or payroll theft). BEC attacks are a significant threat in the modern economy, with enterprises, government agencies, and school districts sometimes paying millions into the wrong bank account (e.g., see Osterman Research’s recent Cybersecurity in Education report for examples in the education sector).
Compliance Violations and Regulatory Actions
New data protection regulations – e.g., Europe’s GDPR and the CCPA in California, among others – recognize the dangers of cloud services for exposing massive volumes of personal data. There’s a regulatory cost to pay when organizations ignore their responsibilities to secure whatever services they use to store and process personal, sensitive, and confidential data. British Airways was fined £20 million last year for a data breach involving personal data on 400,000 customers, and the breach of personal data on 100 million customers at Capital One due to a misconfigured web application firewall resulted in an $80 million settlement by the bank. While cloud services hold significant promise for fast time-to-market, their usage does not exempt organizations from ensuring strong security protections are in place.
Call to Action
Strong security protections—deployed, tested, and regularly assured—are essential if you want to live happily ever after with the cloud services used by your organization. Check to ensure strong access controls are used with cloud services, default credentials are changed and strengthened, and that you have ways of checking that responsibilities held by cloud providers are actually being met, among other needed protections. Cloud services offer tremendous value, and it’s essential that the security reality keeps up with the marketing promise.