In as little as three years cloud computing will be a $300-billion business, per a recent forecast by the global research and advisory firm Gartner covered by the Wall Street Journal’s CIO Journal. Along the way, Gartner analysts say, companies of all shapes and sizes will continue to struggle with cybersecurity as they cope with this cloud growth.
Despite record spending on information security during the last two years, Gartner reports organizations have lost an estimated $400 billion to cyber theft and fraud worldwide. And during the next several years, Gartner predicts at least 95% of cloud security failures will be the fault of the organization. Considering these recent findings, we felt reiterating one of our past posts was in order. Here’s a digest of the Cloud Security Alliance’s list of “The Treacherous 12” cloud computing issues, with links to articles providing deeper insight into related topics that we’ve posted since first sharing the content:
- Data Breaches - “Cloud providers are highly accessible and the vast amount of data they host makes them an attractive target.”
- Weak identity, credential, and access management - “Malicious actors masquerading as legitimate users, operators or developers can read/exfiltrate, modify and delete data.”
- Insecure interfaces & APIs - “APIs and UIs are generally the most exposed part of a system, perhaps the only asset with an IP address available outside the trusted organizational boundary.”
- System & application vulnerability - Multitenancy in cloud computing means systems from various organizations operate in close virtual proximity to each other and may share memory and other resources. This situation creates what’s called a broader “attack surface” for hackers and cyber crooks.
- Account hijacking - “If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information and redirect your clients to illegitimate sites.”
- Malicious insiders - “Systems that depend solely on the cloud service provider (CSP) for security are at greater risk here.”
- Advanced persistent threats (APTs) - Attackers with substantial means, organization and motivation can carry out a sustained assault against a high-value target like a business. “Advanced security controls, process management, incident response plans and IT staff training” are needed to thwart or, in the least, mitigate them.
- Data loss - “Cloud consumers should review the contracted data loss provisions, ask about the redundancy of a provider’s solution, and understand which entity is responsible for data loss and under what conditions.”
- Insufficient due diligence - Choosing CSPs without thorough due diligence exposes an SMB to a “myriad of commercial, financial, technical, legal and compliance risks that jeopardize its success.”
- Abuse and nefarious use of cloud services - “Poorly secured cloud service deployments, free cloud service trials and fraudulent account sign-ups via payment instrument fraud expose cloud computing models… to malicious attacks.”
- Denial of service (DoS) - “DoS attacks take advantage of vulnerabilities in web servers, databases or other cloud resources, allowing a malicious individual to take out an application with a single extremely small attack payload.”
- Shared technology issues - “The key is that a single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud.”
An IT Managed Service Provider (MSP) specializing in cloud services can support cybersecurity by assisting with secure authentication, data encryption, access control, auditing and validating how cloud apps you’re considering support existing security policies. MSPs also can help engage cloud services that open new markets, extend operational capabilities and raise business performance.