Blog

The 8 Biggest Cloud Security Risks

Marie ProkopetsMarie Prokopets,Co-founder of Nira

Making the decision to switch your company’s data and processes to the cloud seems like an easy choice these days. Using the cloud just makes a lot of sense, and it continues to grow in popularity.

Many companies choose to make the switch because they’re looking to reduce the risk to their systems and data when they’re on-premises. Using the cloud certainly can accomplish this, but cloud computing is not without its risks.

As you move to the cloud, it’s important to understand the biggest cloud security risks. There are multiple ways you can counteract these risks, catching problems with your cloud security before someone takes advantage of any vulnerabilities.

Here are the eight biggest cloud security risks and solutions for avoiding them.

Data Breaches

If you have vulnerabilities in your system, and a hacker is able to exploit these issues, the hacker may be able to steal your data. Without question, data breaches rank among the biggest cloud security risks, as well as the most publicized.

Data breaches present a whole host of problems for your business. Not only do hackers now have access to your data, potentially stealing your company’s intellectual property, but you could lose the confidence of customers or be subject to multiple fines. If a hacker is able to hijack HIPAA protected information, for example, the company could be subject to penalties.

The company’s brand will take a hit from the negative press related to the data breach, and it could affect the value of a publicly traded company.

How to Protect Against Data Breaches

Encryption of data is a good way to defend against data breaches. Certainly, adding a layer of encryption to the data could make the overall system a little less user friendly, but this is the best option to protect against this cloud security risk.

As we’ll discuss later, catching system vulnerabilities as early as possible helps to ward off data breaches too.

Denial of Service Attacks

Denial of service (DoS) attacks have been around for decades, and they still pose a risk to businesses. The DoS attack occurs when hackers flood a website with tons of traffic and requests, designed to overwhelm the system, slowing it to a crawl, leaving customers in the dark.

When your systems are in the cloud, DoS becomes a clear cloud security risk because the system will be too busy to respond to legitimate requests from your employees looking to access the information so they can work. When both customers and employees are stuck with no recourse because of DoS attacks, your business is in trouble.

How to Protect Against DoS

For starters, the IT team should have an active intrusion detection system, which can provide a clue as to when a DoS attack is beginning. Another key defense mechanism is to deploy source rate limiting, which prevents the DoS from consuming all of your bandwidth.

Finally, to eliminate this cloud security risk, set up the firewall to check the source of traffic that’s coming into your system. If the system is detecting traffic that indicates a DoS attack, it should have the ability to alert you or to cut off the malicious traffic automatically.

Incomplete Data Deletion

When your data in the cloud is spread across multiple servers, it is possible that the system may find all data for deletion when requested. Perhaps a backup copy doesn’t go through deletion for 24 hours after you issue the delete command. Some cloud service providers have different procedures regarding the deletion of data, which means you may believe you deleted the data, but random copies still exist.

This incomplete deletion is more common than you may think, and it can be a huge security risk for a company, as that sensitive data could be vulnerable to hackers.

Another issue that fits in this category and that plagues some cloud service providers occurs when the data becomes corrupted during deletion. A hacker could piece together this left-behind corrupted data, meaning the cloud service provider needs to have an ability to track down any data that becomes corrupted during deletion.

How to Protect Against Incomplete Data Deletion

Check with the cloud service provider regarding its protocols for deleting your data. The provider should be able to provide verification that it took care of your data deletion, including all copies.

Lack of a Security Strategy

One of the most efficient ways the IT team can guard against cloud security risks is through the process of setting up a detailed and clear strategy, through creation of a security plan. Without a well-considered strategy in place, your security measures will end up being haphazardly deployed. This increases the chances that you’ll miss something, creating a security hole that some hacker is sure to find at some point.

How to Develop a Security Strategy

There are a number of items to consider when developing a security strategy, including:

  • Limiting the number of administrator level accounts.
  • Creating two-factor authentication for as many accounts as is practical.
  • Requiring strong passwords with a mixture of types of characters.
  • Requiring frequent changing of passwords.
  • Removing access for employees immediately upon leaving the company.
  • Practicing the strongest identity controls.
  • Determining which users truly need access to the most sensitive data and avoid giving this access to others.
  • Developing a system to monitor unusual activity.
  • Deciding on the frequency with which the IT team will run audits on its cloud servers.
  • Determining the proper protection of security keys.
  • Setting up teams to handle the oversight, testing, and monitoring of all systems.
  • Looking at your system through the eyes of a hacker during stress tests, seeking out vulnerabilities in the structure

One other item to consider relates to the extra complexity that an organization can encounter as it moves to the cloud. If your IT team becomes overworked, it could begin to make sloppy errors or to cut corners, leaving huge vulnerabilities.

Loss of Stored Data

Should the cloud service have a hardware failure without adequate backups available, you could end up with a loss of some of the data stored. This can create a situation almost as dire as if a hacker steals data.

Additionally, cloud service providers sometimes may inadvertently delete the wrong set of data, creating a significant problem for you.

Another way companies may experience a loss of data stored in the cloud happens when the company encrypts its data, but then loses the encryption key, leaving the data inaccessible.

How to Protect Against Loss of Stored Data

Companies need to make regular backups of their data to guard against inadvertent data loss. It is best to have data stored on servers in a variety of physical locations, so that a natural disaster in one location doesn’t affect your data. The cloud service provider should be able to help here.

Make sure that your IT team has a good grasp of how the cloud service provider stores your data and how it guards against an inadvertent deletion.

Stolen or Misused Credentials

Sometimes, the biggest threat to your cloud security is the one that’s physically closest to you. If employees fail to properly guard their credentials for using the cloud server, someone could steal those credentials and gain access to your cloud system without having to try to hack into it through inefficient means. Instead, the hacker can just jump into the system by posing as the employee.

Additionally, a disgruntled employee could cause problems for your cloud system. The employee who is leaving the company anyway could copy data or sabotage data through his or her normal log-in credentials. Without stringent oversight of the system, you may not notice these issues until the employee has done the damage and is no longer working for you.

This may be the biggest cloud security risk you’ll have, as insider threats often are the toughest to catch until it’s too late.

How to Protect Against Stolen Credentials

Your IT team needs to be on alert for any oddities in the system and with data access. Having monitoring apps and software up and running can help the team maintain the security of the overall system from insider threats. Monitor any attempts to access backup data too.

Hackers could target certain people in the organization in an effort to gain access to the system through a certain person’s credentials. The hacker may develop a relationship with the targeted employee through social media, gaining the target’s trust before making a play for the target’s credentials. Training is important here, helping make employees aware of this potential issue.

Finally, employees must be on alert to protect their mobile devices and laptops when they’re off campus. They must understand the importance of reporting any losses of devices immediately, so the IT team can take the appropriate steps to eliminate access for the device reported stolen.

System Vulnerabilities

System vulnerabilities may provide a crack in the armor for a hacker to upload malicious software or to gain access to data. IT teams need to be monitoring the system constantly, looking for vulnerabilities that a hacker could exploit.

Additionally, system vulnerabilities can include third-party apps that do not have the same level of security that you expect out of your system, which could create a vulnerability that a hacker could exploit.

How to Protect Against System Vulnerabilities

Because the application programming interfaces (APIs) are fully exposed, it is especially important to monitor potential security vulnerabilities with all of the system’s APIs. If you have security holes in APIs, it is possible that a hacker could gain easy access to the system.

Training is key here too, as employees should not click on random links in emails, nor should they download apps without checking with the IT team first. Additionally, those who have access to sensitive data in the company need to understand exactly which data needs to be in private access locations only, and which data is acceptable to place on public access locations.

Deploying data loss prevention (DLP) techniques can help the IT team determine when compromises are occurring.

Employees should have specific instructions to let the IT team know if they are able to access data and portions of the cloud that they know they should not be able to access. This self-reporting of issues could be vital to catching vulnerabilities before a significant data breach occurs.

Finally, make sure your IT team has a good handle on how the cloud service provider guards your data and what types of security measures it uses on its cloud servers. You as a company may have a need for a greater level of security than the cloud service provider employs, meaning you may need to look for another provider.

Weak Identity Verification Requirements

If you consider employees and how they access the cloud to be the weakest link in your cloud system, creating stricter account access requirements is a good place to start.

Earlier, we mentioned that someone could physically steal the employee’s credentials. Other times, the hacker can just gain access to the system through guessing or brute forcing a weak password in a system that doesn’t have strong enough identity verification requirements.

Employees may not like having stronger identity verification rules, but the more steps you make employees go through to access the cloud system, the tougher it will be for a hacker to take advantage of a weak system.

How to Strengthen Identity Verification

The best place to start is through two-factor authentication. If the employee has to go through two steps to gain access to the cloud system, your system will be significantly more protected from hackers than through a single authentication step.

Always make employees use the strongest possible passwords by requiring a variety of characters, which is a good way to protect the system from hackers. An automatic rotation of the system’s cryptographic keys can create a stronger system as well.

Sometimes, these problems could result from inadequate training for employees. If employees don’t fully realize the potential for others to steal passwords, they may create passwords that are easy to break. Discussing steps for protecting the system should occur in training throughout the organization, rather than only during training for the IT team.

Incredible companies use Nira

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
Former VP of IT at GitLab

Incredible companies use Nira