Private businesses and government organizations are moving large parts of their infrastructure and services to the cloud. However, many don’t address cyber risks properly.
Many organizations struggle to identify security risks when it comes to their infrastructure because they have no precise understanding of the model of the cloud services they are using or their cybersecurity implications. In order to maximize cloud security across an organization, it is essential to understand both.
To start, let’s discuss the three main models of cloud services: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).
In the IaaS model, businesses rent or lease servers for computing and storage in the cloud, which lets them run any applications and operating systems on the rented infrastructure. The IaaS model is remarkably useful for organizations because it allows them to reduce the upfront costs. When utilizing IaaS, businesses do not have to purchase the hardware or maintain it, and can scale their infrastructure according to their needs and workload.
However, IaaS can be a valuable target for threat actors that can abuse this infrastructure in multiple ways, such as running a botnet, mining cryptocurrencies, and carrying out attacks against third-party systems.
Organizations that use the IaaS model are responsible for securing their applications, data, and virtual network traffic, but they often fail to do so because they don’t address the security of the applications running on the rented infrastructure.
In the PaaS model, the service provider offers their customers access to a cloud-based environment where the clients can build and deliver applications. The overall infrastructure is provided by the cloud service provider, is scalable, and is usually offered through a subscription service.
PaaS provides all the components - programming languages, execution environment, web servers, and operating systems - that developers need to create and run cloud applications. The major security risks for PaaS environments are theft of, or unauthorized access to, customers’ data and applications.
In the SaaS model, businesses can access software and applications through the internet. Providers that offer their cloud services via SaaS manage the security for the cloud applications used by their customers.
The providers are responsible for securing the underlying infrastructure (applications, operating system, platform, physical infrastructure), excluding customer data and access management. The level of security offered varies considerably from one cloud provider to another, which is why it’s essential to evaluate providers carefully before choosing one.
The biggest cloud security risks faced by organizations
The main security risks for cloud environments are as follows:
- Misconfiguration of cloud infrastructure and services is probably one of the main causes of data leaks and data breaches. Regardless of the model they choose, businesses tend to lack the essential knowledge needed to secure cloud solutions. In many cases, organizations rely only upon the security controls provided by their cloud service provider to protect their cloud infrastructure, and those controls don’t match their requirements.
- Poorly protected corporate accounts can be hijacked by threat actors. The accounts of many organizations that use cloud services are protected by weak passwords or credentials that could be easily retrieved from third-party data breaches. Having obtained an employee’s credentials, attackers can access company infrastructure and data, and use them to carry out multiple malicious activities.
- Malware infections represent a serious threat for cloud infrastructure. Malicious code can be used by threat actors to steal sensitive data, abuse computational resources of the company (i.e. cryptojacking attacks), or for sabotage. Many IaaS offerings and SaaS applications lack anti-malware protection, and organizations using them have no idea of the security features they are paying for. The infection vectors within cloud infrastructure are many, including unmanaged file uploads and downloads of infected files.
- Insecure interfaces offered by service providers can be abused by threat actors to access the cloud infrastructure. Poorly protected application programming interfaces (APIs) and vulnerable data sharing systems can be exploited by attackers to access corporate cloud resources.
- Malicious insiders are a major security issue for most organizations, especially those that utilize cloud services. In cloud-based infrastructure, detecting a malicious insider is even more complex because the organization lacks visibility into the underlying infrastructure and lacks proper controls.
- The absence of data encryption can potentially expose data to theft and unauthorized access. Data encryption is essential for both data storage and data in transit. Even when data is encrypted, it is essential for organizations to master key management processes. An attacker can potentially steal encryption keys used to protect business data and access sensitive information.
- Legal/compliance issues related to regulation on data protection and security, such as the EU GDPR and HIPAA, require organizations to implement compliant systems for the management of cybersecurity. Being compliant means that organizations have to clearly define roles and responsibilities for their employees and external partners. In a cloud environment, it is more difficult to regulate and monitor access.
How to secure cloud infrastructure?
To better secure cloud infrastructure on their end, organizations should take the following steps:
- Keep every component within cloud infrastructure up to date, including operating systems, applications, monitoring tools, and security solutions.
- Enforce data protection policies. Organizations should define policies that establish what data can be stored in cloud infrastructure, how to manage it and who can access it.
- Monitor internal traffic. Many cloud providers allow their customers to deploy specific solutions to monitor internal traffic for cyber threats and anomalies. Hardware or software-based firewalls allow businesses to apply rules to all traffic coming into a network, filtering out anything potentially dangerous.
- Back up your data. Make sure that the cloud providers back up your data and periodically test it. Backups must be properly protected.
- Apply advanced malware protection. This is particularly important in IaaS environments, where organizations are responsible for the security of the infrastructure components (i.e. operating systems, applications, and network traffic). Anti-malware solutions can prevent malicious code from infecting systems in the cloud and spreading across the internal network.
- Implement redundancy. Reliable cloud providers have to implement redundancy to ensure the availability of data and infrastructure in case of major failures, such as natural disasters or unforeseen incidents. Redundancy is usually implemented by storing multiple synchronized copies of customer data across multiple data centers.
- Perform periodic vulnerability assessments and penetration tests. Cloud providers should periodically have security assessments conducted by third-party cybersecurity experts who can evaluate the level of infrastructure security and address any vulnerabilities they discover.
- Encrypt the data. All data stored in the cloud, as well as any data in transit, has to be encrypted.
- Enable two-factor authentication for any resources that are provided by the cloud infrastructure service.
- Monitor data access. Businesses have to take care over how their sensitive data is stored, accessed, and shared. Sensitive data has to be carefully protected, and cloud providers have to offer tools and solutions to monitor access. IT staff have to assess the permissions on each resource in the cloud environment.
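
Several of the steps above (patching, encryption at rest and in transit, tested backups, two-factor authentication, and per-resource permission review) can be checked mechanically against a resource inventory. The following is an added example, not part of the original article: the inventory schema, the resource names, and the 30-day and 90-day thresholds are all assumptions made for illustration.

```python
from datetime import date

# Constructed, provider-neutral inventory. The field names are a hypothetical
# schema for this example, not the export format of any real cloud provider.
INVENTORY = [
    {"id": "vm-web-01", "type": "vm", "last_patched": "2024-02-01",
     "encrypted_at_rest": True, "tls_only": True,
     "backup_tested": "2024-05-20", "grants": ["ops-team:admin"]},
    {"id": "bucket-hr", "type": "storage", "encrypted_at_rest": False,
     "tls_only": False, "backup_tested": None, "grants": ["*:read"]},
    {"id": "db-orders", "type": "database", "last_patched": "2024-05-28",
     "encrypted_at_rest": True, "tls_only": True,
     "backup_tested": "2023-11-02", "grants": ["app-orders:readwrite"]},
    {"id": "user-alice", "type": "account", "mfa": False},
    {"id": "user-bob", "type": "account", "mfa": True},
]
MAX_PATCH_AGE_DAYS = 30    # assumed policy threshold
MAX_BACKUP_TEST_DAYS = 90  # assumed policy threshold

def age_days(iso_day, today):
    """Days since an ISO date; a missing date counts as infinitely old."""
    return (today - date.fromisoformat(iso_day)).days if iso_day else float("inf")


def audit(inventory, today):
    """Return sorted (resource_id, finding) pairs for every failed check."""
    findings = []
    for res in inventory:
        rid = res["id"]
        if res["type"] == "account":
            if not res.get("mfa"):
                findings.append((rid, "two-factor authentication disabled"))
            continue
        if "last_patched" in res and age_days(res["last_patched"], today) > MAX_PATCH_AGE_DAYS:
            findings.append((rid, "patches out of date"))
        if not res.get("encrypted_at_rest"):
            findings.append((rid, "data at rest not encrypted"))
        if not res.get("tls_only"):
            findings.append((rid, "data in transit not encrypted"))
        if age_days(res.get("backup_tested"), today) > MAX_BACKUP_TEST_DAYS:
            findings.append((rid, "backup never or not recently tested"))
        # A wildcard principal means the grant applies to anyone.
        if any(g.split(":", 1)[0] == "*" for g in res.get("grants", [])):
            findings.append((rid, "permission granted to everyone"))
    return sorted(findings)

if __name__ == "__main__":
    for rid, finding in audit(INVENTORY, date(2024, 6, 1)):
        print(f"{rid}: {finding}")
```

In practice the inventory would be generated from the provider's own configuration export and the audit run on a schedule, so that drift from the policy shows up as new findings.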