If your security strategy for cloud services is based on defending a single location, you will need to handle the constantly changing borders of a cloud-based system. Your employees may access your cloud services and your sensitive data via any number of devices – desktops, laptops, notebooks, and smartphones – over everything from your internet provider to a 3G or 4G network in a café or airport. In effect, cloud services make traditional security controls much less manageable.
The scale of the threat landscape continues to grow. According to SANS, 19% of organizations experienced some type of unauthorised access to their cloud environment in 2017, but a whopping 31% in 2019. And in 2019, 28% of respondents reported an incident – or an actual breach – related to their cloud applications or data. The most common type of attack is account- or credential hijacking, reported by a staggering 48.9% of respondents in SANS’s study. Other common threats include misconfiguration of cloud services, DoS attacks, and exfiltration of sensitive data. 11.1% of respondents also reported incidents where the attacker used an organization’s cloud services as a vehicle of accessing internal systems.
Malware, as always, is a significant threat – especially in the cloud, as employees can use the same device to roam the Internet for other than work-related purposes and then sign into work-related cloud services. When one of your employees visits a malicious website, their device runs the risk of getting infected without the users even being aware of this. When the user later accesses your cloud services using the same device there is a risk that the attacker, unbeknownst to the user, is given access to your data. This type of threat is no longer limited to situations where an attacker simply tricks an employee into visiting an infected website with a phishing scam. Many cyber criminals have botnets waiting to infect any device that happens to come across these, allowing the hackers to opportunistically target many organisations simultaneously. While antivirus or endpoint protection software does offer protection, new malware is constantly being developed and existing malware is constantly evolving. Relying on antivirus alone can leave your organisation exposed to the latest versions of malware.
And then there is Ransomware. Cyber criminals using ransomware are targeting companies that are the most likely to pay ransoms to recover their data. Just imagine what would happen inside your company if all your cloud-hosted files, used by everyone in the company, were suddenly locked up and completely inaccessible? Ransomware embedded into documents and files and uploaded to your cloud services pose a serious risk unless scanned for threats. Links to websites containing malicious code and/or illicit content will not generally be picked up by traditional antivirus solutions. Cloud service providers are relying on their customers to protect their content in accordance with the concept of Shared Responsibility.
Insider threats are also a concern. A disgruntled employee with access to your content on the cloud can abuse it for their own personal benefit – such as exfiltrating it and selling it. The cloud provider’s own personnel may have privileged user access that can bypass whatever security controls you may have in place. In fact, privileged user abuse was the third most common type of attack in a recent SANS study.
Simple user errors can also open the door to a cloud-native breach. This type of breach uses the functions native to the cloud to successfully complete a breach without using malware. If a cloud service is incorrectly configured, an attacker can use this to gain access to your resources. Once they are inside, the attackers can then search for weaknesses that will allow them to expand their access, find your sensitive data, and exfiltrate it.
And then there is misconfiguration which can have very expensive consequences, as Capitol One discovered in mid-2019. A web-application firewall, or WAF, was misconfigured, allowing an attacker to get access to 80,000 bank account numbers and 140,000 social security numbers. The total cost for Capitol One still has not been realised yet but is expected to be as much as $150 million.