{"id":1313,"date":"2021-04-05T14:31:13","date_gmt":"2021-04-05T14:31:13","guid":{"rendered":"https:\/\/www.pcidssguide.com\/?p=1313"},"modified":"2023-10-09T16:33:48","modified_gmt":"2023-10-09T16:33:48","slug":"what-are-the-security-risks-of-cloud-computing","status":"publish","type":"post","link":"https:\/\/pcidssguide.com\/what-are-the-security-risks-of-cloud-computing\/","title":{"rendered":"What are the Security Risks of Cloud Computing?"},"content":{"rendered":"\n\n\n\n\n
Today, organizations continue developing new applications or moving their existing applications to cloud-based services without slowing down. The most significant risk and security issue in the transition to the cloud is that an organization that chooses cloud service providers (CSPs) and services without being fully aware of the risks involved is exposed to numerous business, financial, technical, regulatory, and compliance risks.<\/p>\n\n\n\n
See Also: Cloud Storage Security: How to Keep Data Safe in the Cloud?<\/a><\/strong><\/p>\n\n\n\n Our article will summarize the risks, threats, and vulnerabilities organizations face when moving applications or data to the cloud.<\/p>\n\n\n\n See Also: Cloud Application Security Guide with Best Practices<\/a><\/strong><\/p>\n\n\n\n We want to point out that the threats, vulnerabilities, and cloud computing security problems related to migration to the cloud are constantly evolving. The ones listed in our article are by no means comprehensive. Organizations should also consider other challenges and risks of cloud adoption that are specific to their mission, systems, and data.<\/p>\n\n\n\n See Also: Best Practices for Cloud Security<\/a><\/strong><\/p>\n\n\n\n The cloud model developed by the National Institute of Standards and Technology (NIST) describes cloud computing as well as how it can be used and implemented. NIST defines the following features and models for cloud computing:<\/p>\n\n\n\n Cloud environments face almost the same threats as traditional data center environments. To put it another way, cloud computing runs software with security bugs that attackers attempt to exploit.<\/p>\n\n\n\n See Also: What is Security as a Service (SECaaS)<\/a><\/strong><\/p>\n\n\n\n Unlike information management systems in a conventional data center, however, in cloud computing, the responsibility for mitigating the risks posed by these software vulnerabilities is shared by the cloud provider and the cloud user.<\/p>\n\n\n\n As a result, customers must be mindful of the division of duties and have confidence in the CSP’s ability to meet its obligations.<\/p>\n\n\n\n The following vulnerabilities, threats, and risks are a result of a CSP’s implementation of cloud computing. These vulnerabilities do not exist in traditional IT data centers.<\/p>\n\n\n\n When migrating assets to the cloud, organizations lose some visibility and control over these assets. 
When using third-party cloud providers, the CSP assumes responsibility for specific policies and infrastructure.<\/p>\n\n\n\n One of the most significant advantages of using cloud-based technologies is that the customer does not have to manage the resources required to keep them running. However, delegating the day-to-day maintenance of a software, platform, or computing asset may leave you with less visibility and control over that asset.<\/p>\n\n\n\n See Also: Cloud Security Checklist<\/strong><\/a><\/p>\n\n\n\n Cloud-based services are situated outside of a company’s network and operate on software that is not operated by the company. As a result, many traditional tools for providing network visibility are not practical for cloud environments, and some organizations lack cloud-focused security tools. Reduced visibility can limit an organization’s ability to monitor cloud-based resources and protect them from attacks.<\/p>\n\n\n\n The change of responsibility depends on the cloud service models used and leads to a paradigm shift in security monitoring and logging for organizations. Organizations need to monitor and analyze information about applications, services, data, and users without relying on the network-based monitoring and logging used for on-premises IT.<\/p>\n\n\n\n The reduced visibility affects the organization’s ability to:<\/p>\n\n\n\n When adding a cloud-based service to your organization’s workflows, it is essential to define what data your organization can access, how it can be monitored, and what security controls the cloud provider uses to prevent data breaches. This way, you can verify how much visibility and control the cloud solution will offer.<\/p>\n\n\n\n Cloud data breaches are often caused by incorrect configuration of cloud protection settings. 
Many enterprises’ cloud protection posture management initiatives fall short of securing their cloud-based infrastructures.<\/p>\n\n\n\n Several factors contribute to misconfiguration. Because cloud infrastructure is designed to be easy to use and to make data sharing easy, it is difficult for organizations to ensure that only authorized parties can access data.<\/p>\n\n\n\n See Also: What are the Security Impacts of Public Cloud?<\/a><\/strong><\/p>\n\n\n\n See Also: What are the Security Impacts of Private Cloud?<\/a><\/strong><\/p>\n\n\n\n Also, organizations using cloud-based infrastructure do not have complete visibility and control over their infrastructure; this means they must rely on security controls provided by cloud service providers (CSPs) to configure and secure their cloud deployments.<\/p>\n\n\n\n Because many organizations are not familiar with securing cloud infrastructure and often have multi-cloud deployments, each with different security controls provided by the vendor, it is easy for misconfiguration or security oversight to expose an organization’s cloud-based resources to attackers.<\/p>\n\n\n\n Cloud service providers make it very easy to provision new services. The on-demand self-service provisioning capabilities of the cloud allow an organization’s staff to provision additional services from the agency’s CSP without IT permission. Using software in an organization that the organization’s IT department does not support is often referred to as shadow IT.<\/p>\n\n\n\n Because of the lower costs and ease of deploying PaaS and SaaS products, the likelihood of unauthorized use of cloud services grows. However, services provisioned or used without IT’s knowledge pose a risk to an organization.<\/p>\n\n\n\n The use of unauthorized cloud services can lead to an increase in malware infections or data theft, because an organization cannot protect resources it does not know about. 
The use of unauthorized cloud services also reduces the visibility and control of an organization’s network and data.<\/p>\n\n\n\n Cloud service providers offer a set of application programming interfaces (APIs) that customers use to manage and interact with cloud services. These APIs are the primary tool used to run the cloud infrastructure system. Organizations use these APIs to provision, manage, organize and monitor their assets and users.<\/p>\n\n\n\n APIs are vulnerable to the same software bugs as operating systems. CSP APIs, unlike management APIs for on-premises computing, can be accessed over the Internet, making them vulnerable to widespread abuse.<\/p>\n\n\n\n Attackers look for vulnerabilities in management APIs. Once discovered, these vulnerabilities can be translated into successful attacks, and the organization’s cloud assets can be compromised. Attackers can then use the organization’s assets to perform further attacks against other CSP clients.<\/p>\n\n\n\n System and software vulnerabilities in a CSP’s infrastructure, platforms, or applications that support multi-tenancy can lead to failure to maintain segregation between its tenants. An attacker can exploit this failure to gain access from one organization’s resource to another user’s or organization’s assets or data. Multi-tenancy increases the attack surface, and the likelihood of data leaks increases if segregation controls fail.<\/p>\n\n\n\n This attack can be carried out by exploiting vulnerabilities in the cloud service provider’s applications, hypervisor, or hardware, by bypassing logical segregation controls, or by targeting the CSP’s management API.<\/p>\n\n\n\n Threats related to data deletion exist because the consumer has reduced visibility into where their data is physically stored in the cloud and a reduced ability to verify that their data has been securely erased. 
The risk of data not being completely deleted is related to the spreading of data across various storage devices within the CSP’s infrastructure in a multi-tenant environment. Additionally, deletion procedures may differ from provider to provider. Organizations may not be able to verify that their data has been securely erased and that attackers cannot use any data remnants. This threat increases as an organization uses more CSP services.<\/p>\n\n\n\n The following are security concerns that apply to both cloud and on-premises IT data centers that organizations should address:<\/p>\n\n\n\n If an attacker gets their hands on a user’s cloud credentials, they can use the CSP’s services to get more money and target the organization’s assets. The attacker can leverage cloud computing resources to target the organization’s administrative users, other organizations using the same CSP, or the CSP administrators.<\/p>\n\n\n\n An intruder who obtains a CSP administrator’s cloud credentials may use them to gain access to the organization’s systems and data.<\/p>\n\n\n\n A CSP’s and an organization’s administrator roles differ. While the CSP administrator has access to the network, systems, and applications of the CSP’s infrastructure, the consumer’s administrators can only access the organization’s cloud applications. The CSP admin has administrative rights over multiple clients and supports various services.<\/p>\n\n\n\n Vendor dependency becomes a problem when an organization considers moving assets from one cloud provider to another. The organization discovers that due to non-standard data formats, non-standard APIs, and reliance on a CSP’s proprietary tools and unique APIs, the cost, effort, and time required for migration are much higher than initially thought.<\/p>\n\n\n\n This dependency problem grows in service models where the CSP has more responsibility. 
As a company uses more features, services, or APIs, its exposure to and dependency on a CSP’s unique implementations also increases.<\/p>\n\n\n\n The cloud service provider’s unique applications require changes when you move your company to a different CSP. If a selected CSP goes out of service, it becomes a big problem as data can be lost or not transferred to another CSP promptly.<\/p>\n\n\n\n Being limited to a single cohesive security solution option for a cloud service is highly limiting and can lead to a low return on security investment. This is because the supplier you depend on does not have to compete with other suppliers.<\/p>\n\n\n\n When choosing cloud-based services, it is essential to check how easy it will be to switch from one service to another. Is your data, for example, in a format that can be easily transferred to another system? Does the CSP provide export tools to help with this? Does the cloud service have many different integrations and interfaces for other services and security features?<\/p>\n\n\n\n It’s important to check this before deciding on a cloud storage solution to prevent vendor lock-in.<\/p>\n\n\n\n Migration to the cloud can cause complexity in IT operations. For the company’s current IT staff, managing, integrating, and operating in the cloud may necessitate a new model. IT personnel must have the ability and skill set to handle, integrate, and sustain the migration of assets and data to the cloud, in addition to their existing on-premises IT responsibilities.<\/p>\n\n\n\n Finding qualified security professionals for all types of production environments is a constant challenge. This problem can be exacerbated by the cloud, as not everyone will be immediately familiar with the cloud solution’s security measures.<\/p>\n\n\n\n It is tough to find qualified personnel to manage cloud computing security solutions. Managed security service providers (MSSPs), on the other hand, are well-versed in a wide range of security tools. 
If you do not have a qualified staff of in-house security experts, they can quickly bring you a team of experts for a fraction of the cost.<\/p>\n\n\n\n Key management and encryption services in the cloud become more complex. The benefits, techniques, and tools available for logging and monitoring cloud services typically differ between cloud service providers, further increasing the complexity.<\/p>\n\n\n\n Besides, there may be threats and security concerns in hybrid cloud applications due to technology, policies, and implementation methods that increase complexity. This additional complexity leads to an increased potential for vulnerabilities in an organization’s cloud and on-premises applications.<\/p>\n\n\n\n Insider threats are a serious security concern for every business. A malicious insider has already been given access to a company’s network and some of its most sensitive assets. Attempts to gain this level of access are what reveal most attackers to their targets, which makes a malicious insider difficult for an unprepared organization to spot.<\/p>\n\n\n\n It’s much more difficult to track malicious insiders in the cloud. Due to the lack of control over core infrastructure with cloud implementations, many conventional security solutions are rendered ineffective.<\/p>\n\n\n\n This, together with the fact that the cloud-based infrastructure is directly accessible from the public Internet and often suffers from incorrect security configurations, makes it even more difficult to detect malicious insiders.<\/p>\n\n\n\n Insiders, such as staff and administrators who abuse their authorized access, can carry out attacks that cause damage or information leakage to the networks, systems, and data of the organization or the cloud service provider.<\/p>\n\n\n\n This impact is likely to be worse when using IaaS, because an insider can fund or conduct dangerous activities that require forensics to identify. 
With cloud services, these forensic capabilities may not be usable.<\/p>\n\n\n\n Other than malicious attacks, data stored in the cloud may be lost. Customer data may be permanently lost if the cloud service provider deletes data by accident or if a physical catastrophe occurs, such as a fire or an earthquake.<\/p>\n\n\n\n The burden of data loss prevention is not solely the responsibility of the provider. If a customer encrypts their data before uploading it to the cloud but loses the encryption key, the data will be lost. Poor understanding of a cloud service provider’s storage model can also result in data loss. Companies should consider data recovery and be prepared for the possibility of cloud service providers changing their service offerings or going bankrupt.<\/p>\n\n\n\n This threat increases as an organization uses more CSP services. Recovering data in a CSP can be easier than recovering data in a company because an SLA dictates availability\/uptime percentages. When you choose a CSP, you should research these percentages thoroughly.<\/p>\n\n\n\n The following are the three most common causes of data loss:<\/p>\n\n\n\n Suppose the cloud service provider outsources some of its infrastructure, operations, or maintenance. In that case, these third parties may not meet or support the requirements that the CSP has contracted with an organization to provide.<\/p>\n\n\n\n An enterprise should assess how the CSP implements enforcement and if the CSP passes on the specifications to third parties. If the requirements are not extended to the supply chain, the risks to the business grow.<\/p>\n\n\n\n Contracts restrict the way business partners or customers use data, as well as those who have access to them. 
When employees move restricted data to their cloud accounts without permission from the relevant authorities, they expose both the company and themselves to the risk of legal action.<\/p>\n\n\n\n Breaches of the confidentiality agreements in employment contracts are common. This is mainly the case when the cloud service retains its right to share all uploaded data with third parties.<\/p>\n\n\n\n Many organizations have strategies to respond to internal cybersecurity incidents. It is possible to resolve the incident, as the organization owns the entire internal network infrastructure and has its own security personnel. Also, this ownership of their infrastructure means that the company has the necessary visibility to determine the event’s scope and take appropriate remedial action.<\/p>\n\n\n\n With cloud-based infrastructure, having only partial visibility and ownership of a company’s infrastructure renders traditional processes and security tools ineffective. As a result, 44% of businesses are worried about efficiently managing incident response in the cloud.<\/p>\n\n\n\n When it comes to cloud migration, many businesses don’t do their homework. They transfer data to the cloud without knowing the CSP’s security policies or their own security obligations. Deciding to use cloud services without fully understanding how to secure them raises many security concerns.<\/p>\n\n\n\n Organizations must show that they restrict access to protected information (credit card data, healthcare patient records, etc.) in order to comply with data security legislation such as PCI DSS and HIPAA. This may require creating a physically or logically isolated part of the enterprise network that can only be accessed by employees who legally need access to this data.<\/p>\n\n\n\n\n
What are Cloud Computing Threats, Risks, and Vulnerabilities?<\/strong><\/h2>\n\n\n\n
What Are Cloud Specific Threats and Risks?<\/strong><\/h2>\n\n\n\n
Reduced Visibility and Control is Obtained.<\/strong><\/h3>\n\n\n\n
\n
Incorrect Configuration May Cause Data Leaks.<\/strong><\/h3>\n\n\n\n
Optional Self-Service Simplifies Unauthorized Use.<\/strong><\/h3>\n\n\n\n
Internet Accessible Management APIs May Be Compromised.<\/strong><\/h3>\n\n\n\n
There may be Unsuccessful Separations Between Multiple Customers.<\/strong><\/h3>\n\n\n\n
Not Fully Deleted Data May Be Risky.<\/strong><\/h3>\n\n\n\n
What are the Cloud and Internal Threats and Risks?<\/strong><\/h2>\n\n\n\n
Theft of Identity Information Creates Unauthorized Access Risks.<\/strong><\/h3>\n\n\n\n
Dependence Complexities On Cloud Service Providers May Occur.<\/strong><\/h3>\n\n\n\n
Due To Increasing Complexity, IT Personnel May Be Inadequate.<\/strong><\/h3>\n\n\n\n
Insider Access Can Be Misused.<\/strong><\/h3>\n\n\n\n
Stored Data May Be Lost.<\/strong><\/h3>\n\n\n\n
\n
Endangerment of the Cloud Service Provider’s Supply Chain May Cause Problems.<\/strong><\/h3>\n\n\n\n
Inadequate Due Diligence Increases Cyber Security Risk.<\/strong><\/h3>\n\n\n\n
Compliance Violations May Occur.<\/strong><\/h3>\n\n\n\n