A good definition of ‘Vulnerability’ where the cloud is concerned comes from Cloud Security Alliance (1). It defines vulnerability as a weakness in the system and not a software bug. For this reason, it can lie dormant till discovered and either remedied or exploited. It is essentially therefore a state waiting to be triggered by either or both the defender (system owner) and the attacker (hacker).
With more organizations shifting their operations to the cloud, the risks inherent in vulnerabilities are becoming a matter of concern. In 2018, the regulatory authorities made it mandatory for organizations having cloud operations to be fully seized of the risks involved in cloud computing, and imposed fines for non-compliance.
Cloud computing has some unique characteristics that contribute to the risks inherent in it. These characteristics are:
- on-demand self-service,
- broad network access,
- resource pooling,
- rapid elasticity, and
- measured service
In view of these characteristics, cloud computing comes with the following unique risks (2).
- Consumers have reduced visibility and control. Organizations using cloud computing lose some visibility and control over those assets/operations. Organizations therefore are called upon to monitor and analyze applications, services, data, and users. This is done, without using network-based monitoring and logging, which is generally available for on-premises IT. This reduced visibility also affects data deletion completeness as consumers cannot always ensure complete deletion of data that is stored in the cloud, and possibly over several storage devices of the Cloud Service Provider (CSP)
- Unrestricted and unauthorized use of service due to its on-demand nature allows organizations’ personnel to requisition new services from the CSP, thereby diluting the organization’s IT policies and creating what is termed ‘shadow IT’ situations. Unrestricted and unauthorized use of services increases the chances of malware infection and data exfiltration.
- CSP Application Programming Interfaces (API) are accessible via the Internet making them more vulnerable to exploitation and attack as opposed to on-premises computing APIs. APIs are used to provision, manage, orchestrate, and monitor assets and users. These APIs can contain the same software vulnerabilities as an API for an operating system.
- Cloud computing does not adequately separate tenants and this multi-tenancy creates a situation where attackers can gain access to multiple organizations’ data in the absence of separation controls.
In addition to these, cloud computing shares the risks that on-premise computing also faces – for eg. stolen credentials, complexity, vendor reliance, loss of data, lack of due diligence and monitoring etc.
Countering the breach
In its 17th annual 2021 Cost of a Data Breach report, IBM (3) put the costs of a public cloud breach at USD 4.80 million which is almost 32% more than the cost of a hybrid cloud-based breach, involving cloud and on-premise storage, which stood at USD 3.61 million. They also take much longer to identify than private cloud or hybrid cloud breaches – estimates put the period at an average of 341 days!
To counter the threats of a cloud breach, IBM suggests the following:
- Plan carefully as migration of on-premises data is risky. Attention must be paid to several users, processes and tools, and adherence to policies
- Automate security measures and make use of AI tools as these remain the best-known defense in the face of growing security endpoints and devices and data
- Behavioral Biometrics to identify users based on how they interact with the system
- CASB is an effective process, that provides continuous monitoring and user authentication
- Adopt and enforce a zero trust approach commensurate with industry standards. The Cost of a Data Breach Report makes the case for zero trust – on an average adoption of zero trust caused a drop of almost USD 1.76 million representing a reduction of 42.3% in the cost of a data breach, where no zero-trust existed
The future of Cloud Computing
Estimates put the cloud computing market (4) to reach USD 800 million by 2025, with some 6 out of 10 businesses being on the cloud in 2022. An equivalent number is committed to increasing their spending on cloud operations in the coming year. Yet equally alarming are the statistics for cloud breaches – the Thales Report (5) says almost 45% of all businesses experienced cloud breaches in 2022, up 5% from the previous year.
Alarming? Yes. Gartner sounds the warning, predicting that with the increase in the number of organizations adopting cloud computing, the next 3 years will see an exponential increase in the cloud security failures in the next 3 years.
Vulnerability Assessment and other measures
Key in the unfolding scenario surrounding Cloud security is perhaps to start with Vulnerability Assessment for organizations adopting cloud computing. Vulnerabilities in the cloud, or for that matter on-premise systems can be looked into by conducting a Vulnerability Assessment (VA). Aurora’s team of experts has the capabilities to identify, categorize and manage vulnerabilities. These include unsecure system configurations or missing patches, as well as other security-related updates in the systems connected to the enterprise network directly, remotely, or in the cloud.
Aurora with its suite of services like zero trust, SASE, and CASB can provide organizations with a strong cloud security solution that will serve to mitigate cyber threats they are faced with.
For more information, visit our website www.aurorait.com or call us at +1 888 282 0696
- Cloud Security Alliance : https://cloudsecurityalliance.org/research/topics/vulnerabilities/
- Carnegie Melon University : https://insights.sei.cmu.edu/blog/12-risks-threats-vulnerabilities-in-moving-to-the-cloud/
- IBM : https://www.ibm.com/cloud/blog/is-the-cloud-more-secure-or-less-secure
- Techjury : How Many Companies Use Cloud Computing in 2022? All You Need To Know (techjury.net)
- Thales Report : Cloud Data Breaches: 2022 Challenges and Trends | Thales Research (thalesgroup.com)