Cloud security is concerned with the protection of data stored in the cloud from leakage, theft, and deletion. It, therefore, can be described as a set of policies, control measures, and other software engineering infrastructure associated with cloud computing. The importance of the cloud and its security concerns are attracting consideration, attention, and interest from all industries. A study conducted in 2011 by Gartner, a market research firm, put Cloud computing amongst the top 10 technologies with a prospect of growth in successive years.
Source: (Ismail, 2018)
Cloud computing, however, brings with it a level of security risk because the essential services of the Cloud are outsourced to third parties making is difficult and challenging to maintain data security and privacy. The availability of service support is a challenge. It is, therefore, essential to understand how the cloud works and its vulnerabilities and come up with precise solutions that optimize cloud security.
How the Cloud Works
The cloud is based in third-party data centers that are available to a multitude of users online. The cloud enables companies to offload storage and server management to cloud provides and not have to keep and manage physical servers on premises. The cloud works by enabling users to access information from anywhere around the globe, from any device at any time. This accessibility is the reason that users of platforms like Facebook and Instagram can log into their accounts from any device and find all their information and conversations intact. The same applies to mail providers like Gmail or Office 365 and cloud storage providers like Google drive or Dropbox.
The cloud works by using technology that allows the creation of a ‘virtual’ computer that acts as a server. By using many of these ‘virtual’ machines, they give different servers the capability to serve a multitude of organizations at a minimal cost. Users are then able to access these cloud services (retrieval or storage of data) through applications or browsers that are linked to the cloud over the internet regardless of location or device they are using. There are various cloud deployments: private cloud, public cloud, hybrid cloud, and multi-cloud. A private cloud is a data center for a sole organization, while multiple users or companies use public cloud within the same data center or even servers. A hybrid cloud is one that combines both private and public clouds, while multi-cloud involves many public clouds and can also be hybrid cloud and vice versa.
Source: (Robots.net, 2019)
Emerging Issues on Cloud Security
Cloud security complexity
Cloud security is a complex paradigm with several new emerging issues every year. Cloud security experts have advanced the understanding of the cloud security complexity, and cloud infrastructures are being made secure, but cloud attackers and hackers are becoming more sophisticated. The 2019 Cloud Security Alliance (CSA) report, ‘the Egregious Eleven,’ brings out emergent issues on cloud security as those that are as a result of organization management decisions in the areas of their cloud security strategy, its management and implementation.
Internal weak access controls
The emerging issues from the report are breaches of data, inadequate internal or weak control configurations, internal threats (insider), insecure Application Programming Interfaces (APIs), vulnerable or lack of proper access management, among others. The report highlights the cloud security threats being the responsibility of the user with traditional issues like cloud vulnerability and data losses eradicated.
In July 2019, CapitalOne Bank faced a significant data breach. More than 100 million of its customers in the U.S. and 6 million in Canada had their data breached and compromised after the bank’s cloud misconfiguration. This breach is one of the most significant data breaches in the financial banking industry. Customers might be unable to use their own data that was compromised for fear that it might be further compromised. There is also the risk of phishing and identity theft for after the breach. In September 2017, another data breach from Equifax, a credit reporting agency, affected over 140 million people. Their data was exposed. This breach cost Equifax over $400 million in a global settlement. Cloud platforms and providers have had a share of cloud threats endangering their data. Yahoo, Myspace, and Marriot Starwood Hotels and Resorts have had their clouds compromised by hackers.
Cloud Security is Critical for Users and Organizations
Gartner statistics showed that cloud computing would turn into a multi-billion service industry and forecasted a remarkable growth of its infrastructure, with its services reaching over $46 billion by 2017. The cloud offers its users convenience and cost-effective and minimal management. Additional reports, “2016 spotlight report” by Cloud Passage, confirmed that at least 91% of organizations use cloud computing but are quite concerned by the security and privacy of their data. This data is a pointer to the acceptance and popularity of cloud by organizations around the world due to the importance it attaches to it.
Organizations have embraced cloud due to the cost-effectiveness, efficiency and productivity it offers. With many organizations’ operations spread across the globe, the cloud allows employees to access data anytime and anywhere. The cloud is useful for business but is not risk-free, and cloud security is critical to the organizations and their employees. Organizations and users must embrace and understand cloud security. Organizations stand to lose significant funds in settlements like the case of Equifax if cloud security is not optimized.
Cloud Security Failures and Pitfalls Organizations are Facing
Several prominent cloud security breaches in the past two years have attracted attention, and organizations are now focusing on assessing their failures in managing cloud security. These breaches have changed the landscape of the cloud. The emergent issues in cloud security have forced organizations to rethink their strategies in protecting their data. Organizations are reviewing and auditing their decisions on cloud security – retaking assessment of their failures and pitfalls they have become prey to.
Ignorance of Emerging cloud threats
Organizations have ignored or lack knowledge of the emerging cloud security threats. As the Cloud evolves and transforms into sophisticated infrastructure and technology, so is the cloud security threats. Hackers are becoming more aggressive with honed techniques to take advantage of any slight breach to steal data.
Weak Internal cloud access credentials
Organizations are paying keen attention to external attacks while often disregarding the internal threats employees pose to their data. Employees are trusted with information and data. They do not need to break through the architecture of the systems and other security walls like firewalls but some employees possess unhindered access to all sensitive data in the organizations’ computer systems. Organizations sometimes offer credentials for data access liberally with no way of ensuring data security. Employees widely do data deletion, make modifications, or leak data using access credentials granted by the organization.
Organizations using Cloud for the first time are struggling with access control management of their cloud data. Determination of credentials combined with the roles held by employees has become a real struggle as they ascertain certain access rights appropriate for those roles. They forget to change access rights with functional or purpose changes within. The Health Insurer Anthem Inc. data breach in 2015, affecting 80 million of its customers, was a result of mishandled user credentials. Anthem failed, like many organizations do today, to employ multiple authentications (two-factor) of user access controls.
Failure to understand cloud models
Failure by organizations to understand the cloud as a shared security model has been one of the biggest pitfalls. They leave the security management of their cloud data to the cloud provider. Whereas in this model, the service provider ensures the security of access, organizations are responsible for ensuring their data security while within the Cloud through their operating systems. Organizations get stuck and trapped with the cloud model as they fail to comply with compliance laws on data management for their clients. Additionally, some organizations are not researching which cloud model is best suited for their businesses. They fail to decipher how certain services are offered in the Cloud, thus compromising their data. Various models carry different levels of risk.
Optimizing Cloud Security for Users
Cloud security is one of the significant concerns in the IT industry today. Organizations and their users are embracing Cloud computing but are skeptical about the security and privacy of their information held on the Cloud. Organizations are working hard to maintain a competitive edge in the market by increasing the trust their users have on their privacy and security of the information they share with them. Proper cloud architecture, consistent systems monitoring, and employment of good governance can optimize cloud security for organizations and their users.
Proper configuration of Cloud storage
The emerging issues of data breaches are due to cloud storage. The causes for these breaches are often associated with the misconfiguration of services in the cloud. The CapitalOne Bank breach related the incident to ‘firewall misconfiguration.’ These configurations range from access control managements, user credential pitfalls, and insecure storage. According to the CSA report, Ëgregious 11, these misconfigurations result from incorrect setups of cloud assets creating vulnerability of attacks. Organization leadership should ensure the right decisions in exploring the right strategies for moving their data and applications in Cloud.
Proactive cloud Monitoring and audit
Consistent monitoring of any intrusion into the cloud system or environment can be set. Proactive monitoring of cybersecurity and protocols can optimize an organization’s position to foresee potential problems and resolve them before they happen. Intrusion detection methods can be employed to aid in misuse and anomaly detection in the cloud environment. Execution of unprecedented access into the cloud environment can be detected using techniques such as kernel debugging, or IDs. IDs approaches like signatures, behavior anomaly or a combination of both are recommended. Detection of these anomalies sends an alarm to the data administrator and can be timed to response mechanisms, thus preventing further damage.
Micro-Segmentation, the future of Cloud Security
Micro-segmentation is one of the emerging methods for optimizing cloud security. Micro-segmentation, also being known as security segmentation, makes use of virtual networks like VLAN or LAN to break networks into small components for easier management. These segments break into workloads, applications, operating systems, which are then configured independently and secured independently on the Cloud. Micro-segmentation is the future of cloud security. It makes it harder for malicious infections to affect the whole network, as each segment has its secure boundaries. If there is an infection in one part of the system, it is detected before it can compromise other sections of the network.
Cloud continues to be embraced by organizations across the globe as the most convenient and cost-effective way of managing extensive data. With Cloud growth, so does the cloud security concerns for privacy and security of its data storage. Organizations continue to embrace new practices to optimize cloud security to maintain trust and reputation from their users. To achieve that, organizations need to understand cloud security, how cloud works, the advantages or critical aspects it offers to the organizations, the vulnerabilities, and threats and develop solutions to optimize security measures.
Cloud Security 2016 Spotlight Report. (2016). [online] CloudPassage. Available at: https://pages.cloudpassage.com/rs/857-FXQ-213/images/cloud-security-survey-report-2016.pdf [Accessed 5 Mar. 2020].
CSA Releases New Research – Top Threats to | Cloud Security Alliance. (2019). Retrieved 5 March 2020, from https://cloudsecurityalliance.org/press-releases/2019/08/09/csa-releases-new-research-top-threats-to-cloud-computing-egregious-eleven/
Ismail, N. (2018). Cloud security – who should take ownership in the enterprise?. Retrieved 5 March 2020, from https://www.information-age.com/cloud-security-ownership-enterprise-123473398/
Jathanna, R., & Jagli, D. (2017). Cloud Computing and Security Issues. International Journal Of Engineering Research And Applications, 07(06), 31-38. doi: 10.9790/9622-0706053138
Luszcz, J. (2018). Apache Struts 2: how technical and development gaps caused the Equifax Breach. Network Security, 2018(1), 5-8. doi: 10.1016/s1353-4858(18)30005-9
Mathews, L. (2017). Equifax Data Breach Impacts 143 Million Americans. Retrieved 5 March 2020, from https://www.forbes.com/sites/leemathews/2017/09/07/equifax-data-breach-impacts-143-million-americans/
Mueller, P., Huang, C., Yu, S., Tari, Z. and Lin, Y. (2016). Cloud Security. IEEE Cloud Computing, 3(5), pp.22-24.
Top 10 Benefits Of Cloud Computing For Your Business | Robots.net. (2019). Retrieved 5 March 2020, from https://robots.net/it/top-10-benefits-of-cloud-computing-for-your-business/