The rapid global shift to cloud computing continues to gather momentum, and with it comes a sharp increase in both the sophistication and frequency of attacks against cloud infrastructure.
Cloud Adoption in the UK
The UK now boasts over 5.5 million businesses that rely on cloud computing, with British data centers responsible for storing over $135 billion worth of data annually. Both of these numbers are increasing year on year, and with cloud infrastructure so widely adopted, ensuring the correct level of cloud security is in place is important.
Understanding Cloud Security Concerns
Cloud-hosted infrastructure presents new and emerging security concerns, and without forming a deeper understanding of those concerns, how are we going to address them?
Gartner's Security Incident Report
In 2019, US IT giant Gartner reported that up to 95% of security incidents and breaches were the fault of the customer. Fast forward to their 2023 estimates and they predict that 99% of cloud security failures will have occurred on the customer's side of the shared responsibility model.
Legal and Regulatory Considerations Before Cloud Implementation
Before a business starts to implement cloud solutions, it should carefully consider its aims and objectives in line with law and regulations. Failure to adhere to these could cost the business large fines and significant reputational damage.
Premature Cloud Operations
Too many organisations are becoming operational in the cloud before they have implemented a sufficient cloud strategy or appropriate security measures.
Common Cloud Misconfigurations
Common cloud misconfigurations can include any of the following:
- Publicly exposed cloud resources
- Insecure APIs and interfaces
- Lack of visibility of security events
- Vulnerabilities in cloud compute resources (out-of-date operating system or software)
Case Study: Capital One Breach
One prominent recent cloud security breach that springs to mind is the now infamous 2019 breach of credit giant Capital One. Remarkably, it is one of the largest data breaches in US history.
Notable Cloud Security Incidents
Incident 1 - Online Retail Giant
In 2021, Turkish beauty giant Cosmolog Kozmetik had a 20GB trove of customer data leaked from a misconfigured AWS S3 bucket, including over 9500 files with customer names, addresses, emails, and mobile numbers.
Incident 2 - Online SaaS provider
In the middle of 2021, the online SaaS communication provider Twilio accidentally misconfigured an access policy on one of their AWS S3 buckets, allowing unauthenticated users to both read from and write to the bucket.
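One way to audit for the kind of policy described in this incident, as an added example that is not code from the original article or from any company named in it: a short Python check that reads an S3 bucket policy document and reports Allow statements open to anonymous callers. The sample policy, bucket name, account ID and function names are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Representative S3 actions per access type (not an exhaustive list).
ACCESS = (
    ("read", ("s3:GetObject", "s3:ListBucket")),
    ("write", ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy")),
)

# Constructed sample policy; bucket, account ID and endpoint ID are placeholders.
SAMPLE_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRW", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "AppRole", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} matches every caller, including unauthenticated ones.
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def public_grants(policy_json):
    """Return (sid, access, has_condition) for each Allow statement open to anyone.

    NotPrincipal and NotAction statements are not evaluated by this check.
    """
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        for access, actions in ACCESS:
            # IAM action names are case-insensitive and may use * and ? wildcards.
            if any(fnmatchcase(a.lower(), p) for a in actions for p in patterns):
                # A Condition may narrow the grant, so flag it for manual review.
                sid = stmt.get("Sid", f"statement[{index}]")
                findings.append((sid, access, "Condition" in stmt))
    return findings

if __name__ == "__main__":
    for sid, access, conditioned in public_grants(SAMPLE_POLICY):
        print(sid, access, "conditional" if conditioned else "UNCONDITIONAL")
```

An unconditional finding with both read and write access corresponds to the policy state described above; conditional findings still need a human to confirm the condition really restricts who can reach the bucket.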
Incident 3 - Large Manufacturer
Towards the close of 2021, audio equipment manufacturer Sennheiser had a Christmas to forget as they became the latest victim of a poorly configured S3 bucket that was made public.
Incident 4 - InfoSec company
In 2019, cyber security company Imperva was left red-faced after accidentally leaving an internal AWS EC2 instance that contained an administrative AWS key exposed to the public.
The Ongoing Challenge of Cloud Security
The scale of this problem is mind-blowing, and with the complexity of the environment constantly intensifying, it doesn’t feel like it is an issue that is going to slow down anytime soon.
Addressing Cloud Misconfigurations
So what are the risks to the business? Potentially millions for each instance of misconfiguration and severe reputational damage! This is why the best approach is to try and mitigate the risk right from the start, instead of in the middle or towards the end of any implementation.
Strategies for Enhancing Cloud Security
We need to know our cloud attack surface and understand where we could potentially be breached. Sensitive data requires sophisticated access controls: allowing the right users to see the right data while preventing all others from accessing it is key. Businesses must continuously monitor their services, decommission unused and non-critical instances, and frequently audit access controls to snapshots.
And remember, it is vitally important to ensure our services are running the latest version or update provided by the vendor/service. Patch. Patch. Patch, then test and frequently retest.