To gain a competitive edge in the market and meet ever-growing customer needs, organizations are now switching to a virtual infrastructure, referred to as “Cloud Computing”, that offers more distributed, agile and flexible services than traditional computing.
NIST defines cloud computing as: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Given all the convenience that the cloud offers, organizations have shifted to cloud infrastructure over the last several years. However, the factor that still keeps many IT organizations from fully moving to the cloud is the security challenges that come with it. Some of the major security risks associated with cloud include:
- Data Breach
A company's sensitive data, which is not intended for public release, can be stored on the cloud. This can include highly sensitive data such as intellectual property and personally identifiable information (PII). If breached, the data can be lost or abused, which is why data breach tops the list as the most severe security risk associated with cloud.
- Malware Infection
Cloud-based malware infection is similar to the traditional kind, but it can spread at a much faster pace. The attacker can upload malicious or infected files to cloud-based applications like Dropbox, OneDrive, Box, etc., and those files can then be unknowingly shared by legitimate users of the service.
Scripts and code can also be injected and run on cloud services, which can let the attacker eavesdrop on sensitive information and can even lead to data theft.
- Insider Threat
Malicious insiders are a real thing and can prove to be a major threat to internal network security. An employee with authorized access to the cloud data center can misuse his rights and access confidential data. Likewise, a person such as a system admin with a higher level of access to critical systems can access information like financial records, health information, etc.
- Limited visibility and Control
To prevent attacks, the organization should have full visibility and control of all internal and external traffic flows, including those to the cloud. Limited visibility prevents the organization from knowing who is accessing the cloud, what level of access they have and what data is being downloaded from and uploaded to the cloud. For example, an employee who is about to leave the organization can access the cloud using his authorized credentials, download sensitive data and use it to gain future projects. Thus, having visibility is a major step toward minimizing cloud-based security risk.
- Compliance and Audit Risk
Organizations usually operate under regulations such as HIPAA for private health information, PCI-DSS, SOX, etc., and they should know how their data is being accessed and protected.
If regulated data in the cloud is breached, the regulatory bodies can impose fines on the organization. But cloud service providers are usually reluctant to have their systems audited by third-party auditors and restrict them to examining only their policies, not the efficacy of their implementation, thus bringing greater risk to cloud service consumers.
Securely Adopting Cloud
Moving to the public cloud comes with its own set of risks. However, following a proactive approach and strategy in choosing the Cloud Service Provider and in implementing measures for their applications can help organizations manage their services and bring down the security risks.
The following are practices that organizations can consider for securely transitioning to the cloud:
- Conduct Internal Research
Have a complete understanding of the types of data that will be uploaded to the cloud and determine the level of protection needed for it. Decide which applications will be better off on the cloud and which will remain on-premises. Also, analyze the business impact to understand how the migration will affect business processes.
- Choosing your Cloud Service Provider(CSP)
Different cloud providers have different services to offer. Look at the security measures the provider offers: they should offer multi-factor authentication, be compliant with HIPAA, SOX, PCI-DSS, etc., and provide encryption for data both at rest and in transit. Also, evaluate the Service Level Agreements (SLAs) to know the level of service, such as uptime, that will be provided, and choose accordingly.
- Gaining visibility to cloud data and services
Gaining visibility into what's happening in the cloud lets the organization know exactly who is accessing the services and what is being uploaded and downloaded. It can help minimize the risk of attacks because the security team can detect and track any unusual behavior in the cloud environment. Also, having transparency reduces operational and financial risk to the organization.
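An added example, not part of the original article: one way a security team could act on this visibility is to flag a user whose daily download volume far exceeds their own history, as in the departing-employee scenario described earlier. The log format, user names, file paths and the 10x threshold are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample of cloud storage access-log lines (not real data).
# Columns: ISO date, user, action, object path, bytes transferred.
SAMPLE_LOG = """\
2024-03-01,asha,download,/projects/plan.docx,2000000
2024-03-01,ben,download,/hr/handbook.pdf,1500000
2024-03-02,asha,download,/projects/budget.xlsx,3000000
2024-03-02,ben,upload,/hr/notes.txt,40000
2024-03-03,asha,download,/projects/plan.docx,2500000
2024-03-03,ben,download,/hr/handbook.pdf,1000000
2024-03-04,asha,download,/projects/roadmap.pptx,2200000
2024-03-04,ben,download,/finance/ledger-2023.zip,450000000
2024-03-04,ben,download,/clients/contracts.zip,380000000
"""


def daily_download_bytes(log_text):
    """Return {user: {date: total bytes downloaded that day}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, user, action, _path, size in csv.reader(io.StringIO(log_text)):
        if action == "download":
            totals[user][date] += int(size)
    return totals


def flag_unusual_downloads(log_text, factor=10, min_history=2):
    """Flag (user, date, bytes, baseline) where a day's download volume
    exceeds `factor` times the median of that user's earlier days."""
    alerts = []
    for user, per_day in daily_download_bytes(log_text).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough history to form a baseline
            baseline = median(history)
            if per_day[day] > factor * baseline:
                alerts.append((user, day, per_day[day], baseline))
    return alerts


if __name__ == "__main__":
    for user, day, total, baseline in flag_unusual_downloads(SAMPLE_LOG):
        print(f"{day} {user}: {total} bytes downloaded (baseline {baseline})")
```

Comparing each user against their own median keeps heavy but consistent users from being flagged, while a sudden bulk download stands out.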
- Securing cloud applications
Securing applications running on the cloud is a primary concern for all organizations. It is not the sole responsibility of the cloud service provider; it is a shared responsibility in which application owners also help ensure a higher level of security. The application security layer is out of sight for the cloud provider, so it falls to application owners to scan their cloud applications for common vulnerabilities or to use Web Application Firewalls (WAFs) that can handle those vulnerabilities.
- Securing endpoints that will access Cloud Applications
When organizations move their data and applications to the cloud, the endpoint devices become the weakest link. So before using cloud services, it is important to secure the endpoints that will be accessing the cloud. This can be done by using multi-factor authentication and end-to-end encryption, which prevents third parties from accessing the data when it is transferred from one end system to another.
By addressing all these risks and security measures, organizations can securely embrace Cloud Computing and take advantage of all the opportunities that cloud has to offer.
Authored By - Sakshi Saini
TCS Cyber Security Practice