Data security and risk management top the list of concerns for many organizations today. Often, those companies choose cloud computing services at least in part due to the improved security the cloud often promises.
Yet the cloud presents risks of its own, and not all companies have a clear plan for monitoring and addressing risk.
Understanding the biggest cloud security pitfalls can help an organization create and execute an ongoing risk management plan.
Top Considerations for Cloud Security
All companies have data they want to protect — financial records and information about client and customer relationships, for example. Some organizations also handle sensitive information, like Social Security numbers, that is protected by state or federal law or regulations. These organizations face an even higher need for computer security, necessitated both by the sensitivity of the data itself and by the need for compliance with applicable regulations.
The cloud environment offers a number of benefits for growing companies, such as the ability to streamline processes, share data effectively and scale for growth. However, the data risks can also be significant.
For example, Capital One suffered a cloud breach that “compromised over 80,000 bank account numbers, 1 million government identification numbers, and tens of millions of credit card applications,” write Antonina K. McAvoy and Ryan Davis, members of the cybersecurity and control risk services team at PBMares. Capital One faced up to $150 million in costs associated with the breach, which resulted from an improper cloud migration.
“Organizations that plan to embark on the journey of cloud migration should first gain a clear understanding of the process involved in cloud migration,” advises Narendra Sahoo, director of VISTA InfoSec. Soo recommends that companies think broadly about security. That means implementing a core security strategy, but it also means considering the lifecycle of those security protocols.
This means an organization and its teams will need to understand the types of security threats that its data and applications could face in the cloud.
Address Key Security Issues
Many of the most common threats to cloud security, including hacking, viruses and ransomware, are familiar from news headlines. Understanding how these threats might affect a specific cloud app or project, however, is essential to protecting that project and the entire organization.
Organizations embarking on a cloud build project may wish to start by examining how their cloud provider secures its own offerings, Daniel Hein writes in Solutions Review. An organization that has not yet selected a provider could start by comparing security offerings from several prospective vendors.
Examining how cloud providers address security provides insight into the most common cloud security risks, as well as the means available to address them. Every cloud security plan should at least address the most common security issues, including:
Hacking often depends on intruders finding a weak point in computer architecture, such as an unsecured smart device or an application with inadequate security. And while many cloud services do incorporate security measures, these measures don’t address every weak point.
Further, because public cloud providers host so many businesses and applications, they become appealing targets for hackers. Access through one unguarded app or device can compromise data for many other businesses in the same cloud.
Thus, security against hacking is an essential part of building a cloud application.
Like their biological counterparts, what makes computer viruses so pernicious is their ability to self-replicate, spreading to new systems and even using connections between computers to infect new systems, writes Aaron Walker, analyst at G2.
Because viruses can spread between computers that are communicating with one another, they can be particularly pestilent in a cloud environment, where devices are logging onto and off the cloud system regularly.
A strong cloud security and risk management plan will include robust antivirus protection for all of the business’s devices, as well as means to monitor the cloud systems for evidence of viruses or malware.
Rather than simply stealing data, ransomware prevents the data’s owners from accessing it until they meet a hacker’s demands.
This is a growing problem. The number of organizations with files compromised by a ransomware attack in 2019 increased 41 percent over 2018, according to data from Emsisoft.
“The threat of attacks like this will continue to increase as hackers become increasingly savvy, and the cost to recover from ransomware is also growing at an alarming rate,” writes Emil Sayegh, president and CEO of Ntirety.
One way to protect data against ransomware attacks is through regular, thorough backups. When video game studio CD Projekt found itself the victim of ransomware in February 2021, for example, the company turned to its backups to restore its functioning, Jon Porter at The Verge writes.
While backups won’t address every issue that might arise from ransomware, they can allow a company to keep running its business despite setbacks from ransomware, as well as from viruses or natural disasters.
Hackers don’t pose the most likely threat to cloud security. Rather, that threat comes from unforeseen disasters.
“Cloud services can be disrupted by many unforeseen events including lightning strikes or flooding at data centers or even human error,” Tim Maurer and Garrett Hinck at the Carnegie Endowment for International Peace write.
One disaster can have ongoing effects for cloud security. In 2017, an Amazon engineer’s typo, for example, ended up making Amazon’s cloud storage service inaccessible for four hours, which in turn disrupted other businesses, Casey Newton reported at the time.
A power outage, a flood in a data center, wildfires near data centers inaccessible and similar events can threaten the security of cloud-based applications and data.
To address these issues, organizations will need a clear disaster plan. Address the most likely causes of a power failure or other issues within the plan.
Many organizations provide useful overviews of the main issues in cloud security. Each organization, however, will need to tailor this information to its own situation when creating a cloud security and risk management plan.
“The specific security problems you need to address will depend on your cloud solutions and the security problems you’re trying to solve,” Hein notes.
Build Security Into Your Project Plan
It’s important at this stage to understand that a cloud migration begs a different security paradigm.
Companies that are migrating from purely on-premise architecture to some kind of cloud architecture must update their security models from a perimeter-based security model to an in-depth, “trust nothing” model. The underlying assumption in this latter model is that any component can be hacked and used to perform malicious actions.
Approach security from this perspective during the planning stages. That will inform how security and risk management practices get executed during and after the project’s completion.
The National Institute of Standards and Technology (NIST) recommends that risk management be treated as a repeating process that focuses on identifying risks and addressing them. This risk management process consists of three steps:
- Performing a risk assessment.
- Implementing a risk mitigation strategy.
- Employing risk control techniques and procedures.
Executed effectively, this three-step process offers a way for organizations to continuously monitor their cloud security. The process can also be used to incorporate regulatory requirements for cloud security to ensure compliance.
Build Accountability Into Your Plan, Too
Having the right process for monitoring cloud security and risk management is important. So is delegating the authority to execute those processes effectively among team members.
Organizations with sound practices for managing data security and regulatory compliance “have mature data protection and regulatory compliance programs staffed with talented individuals who have sufficient authority and clear responsibilities,” writes Sai Gadia, a leader in KPMG’s Emerging Technology Risk Services practice. “Such organizations also leverage leading third-party or homegrown automated tools and continuously improve their capabilities.”
As part of a sound security and risk management practice, an organization may benefit from classifying the data handled by its cloud applications and addressing the specific needs of each classification, according to a January 2018 research article by Jing Li and Qinyuan Li. Such a classification process can fine-tune security efforts, which in turn may help an organization build trust with its customers.
Third-party risk management can also help an organization address cloud security issues, writes Michael Reiter, director of the cyber risk advisory at Coalfire. A third party can take a more objective view of an organization’s security and risk management. The third party can also provide vetting and background of potential partners or vendors.
While contracting with a third party solely for cloud security and risk management may be difficult for a startup or a small business, a similar outside perspective can be gained by bringing security questions and concerns to the attention of an external development team.
An external team can help internal team members better understand top cloud security risks as they relate to the project under development. Their added perspective can help the organization think about cloud security and risk management in new ways.
Images by: Juthamat Yamuangmorn/©123RF.com, dotshock/©123RF.com, Audtakorn Sutarmjam/©123RF.com