The balancing act of cloud versus risk
Why companies should still consider using cloud services even when they bring such high risk with them.
The development and uptake of cloud services is one of the main driving forces behind digital transformation. They have changed the face of how businesses are run, bringing immense opportunities that can galvanise organisations to the next level via agile technologies, new powers of collaboration and more.
The question business people should be asking is: How do I take maximum advantage of these offerings without putting my company at risk?
Certainly, cloud services come with an increased risk price tag but fortunately the benefits continue to outweigh the threats; therefore, two words should be uppermost on every business owner’s mind: data protection.
If cloud offerings such as software-as-a-service, infrastructure-as-a-service or platform-as-a-service are to be used to the benefit of a business, they must be used responsibly and that means securing data and ensuring it is accessed appropriately.
A Forbes article notes that vulnerabilities within cloud technologies are bound to increase in tandem with the steep rise in adoption of these services, adding that attackers are actively seeking ways to exploit and expand their footprint in cloud hacks.
This is a disturbing trend that could lead to an exponential growth in the number of hacked systems.
The key findings of the 2019 McAfee cloud adoption and risk report may read like every business owner’s/CIO’s worst nightmare, but it should be read as a lesson in what to do and what not to do in terms of cyber security.
McAfee analysed cloud usage data for over 30 million MVISION Cloud users worldwide, at companies operating in all major industry sectors.
Findings included the fact that 80% of all organisations experience at least one compromised account threat – per month, and 92% have stolen cloud credentials for sale on the dark web.
One staggering piece of information is that 21% of all files in the cloud contain sensitive data – this represents a 17% increase over the previous two years. The number of files with sensitive data shared in the cloud are said to have increased by 53% year-on-year, with sharing of sensitive data on an open, publicly accessible link having increased by 23% over the past two years.
Beware the insider
Following the Capital One data breach, in July, that exposed the personal data of 106 million customers in the US and Canada who had applied for credit cards – at an estimated cost of $100 million to $150 million – Amazon Web Services (AWS) issued a 100% denial of culpability for the hack.
Amazon’s AWS cloud platform stored the stolen data, and AWS’s statement noted the perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure.
No cloud provider offers 100% security, access control, collaboration control or behavioural analytics, etc. That’s your job.
However, it appears the headache is only beginning, with the revelation that the woman charged with the hack is a former AWS employee who may have had an inside track on Capital One’s firewall weaknesses.
McAfee’s research also warns about the threat from within and indicates 94% of organisations surveyed experience one insider threat incident per month.
These threats apparently take different forms, ranging from administrators accessing data in executives’ accounts, to modifying security settings in a manner that weakens the security of the entire system. Also, privileged user threats – while less common – are often much more damaging due to the high level of application permissions required.
Sharing is caring, or is it?
The ability to collaborate is one of the greatest offerings of the cloud and, of course, also poses the greatest risk. McAfee flags two categories as sources of exposure: personal e-mail addresses and anyone with a link.
People using corporate cloud accounts to send data to personal e-mail addresses are essentially removing that data from the scrutiny of the information security team.
Moreover, the risk is cited to be even greater where data is shared via an open link – potentially leading to an uncontrollable spread of data to unknown destinations.
Perception versus deception
If your organisation is compromised due to your ill-informed perception of what cloud service providers (CSPs) are offering, the fault lies with you and is certainly no deception on the part of the CSP. No cloud provider offers 100% security, access control, collaboration control or behavioural analytics, etc. That’s your job.
Carnegie Mellon University School of Computer Science studies note that many companies migrating to the cloud often perform insufficient due diligence. They move data to the cloud without understanding the full repercussions of doing so, including not knowing what the security measures used by the CSP are, and where their own responsibility to provide these controls begins and ends.
It is important to understand CSPs use a shared responsibility model for security. The CSP accepts responsibility for some aspects of security; other aspects are shared between the CSP and their customer – you.
Most importantly, some aspects remain the sole responsibility of the user. If you are clear due to the results of an in-depth due diligence, only then can you put effective measures in place.
Failure to understand this has been cited as one of the leading causes of security breaches in cloud-based systems.
Strydom joined DRS in 2006 as part of the finance team and worked himself up through the company and was appointed managing director in 2017. He boasts a wealth of experience in finance and business, and oversees the smooth daily running of the company, which has over 85 employees and in excess of 130 clients. Strydom took a Bachelor of Social Sciences degree at Rhodes University, and upon graduation, went to London where he spent the next four years in financial management roles.