Cloud Computing Security Issues and Solutions
McAfee, LLC
Cloud computing presents many unique security issues and challenges. In the cloud, data is stored with a third-party provider and accessed over the internet. This means visibility and control over that data is limited. It also raises the question of how it can be properly secured. It is imperative everyone understands their respective role and the security issues inherent in cloud computing.
Cloud service providers treat cloud security risks as a shared responsibility. In this model, the cloud service provider covers security of the cloud itself, and the customer covers security of what they put in it. In every cloud service—from software-as-a-service (SaaS) like Microsoft Office 365 to infrastructure-as-a-service (IaaS) like Amazon Web Services (AWS)—the cloud computing customer is always responsible for protecting their data from security threats and controlling access to it.
Figure 1. Shared responsibility for security between cloud providers and their customers.
Most cloud computing security risks are related to cloud data security. Whether a lack of visibility to data, inability to control data, or theft of data in the cloud, most issues come back to the data customers put in the cloud. Read below for an analysis of the top cloud security challenges in SaaS, IaaS, and private cloud, placed in order by how often they are experienced by enterprise organizations around the world.1
Top 10 cloud application security issues experienced with software-as-a-service (SaaS)
- Lack of visibility into what data is within cloud applications
- Theft of data from a cloud application by malicious actor
- Incomplete control over who can access sensitive data
- Inability to monitor data in transit to and from cloud applications
- Cloud applications being provisioned outside of IT visibility (e.g., shadow IT)
- Lack of staff with the skills to manage security for cloud applications
- Inability to prevent malicious insider theft or misuse of data
- Advanced threats and attacks against the cloud application provider
- Inability to assess the security of the cloud application provider’s operations
- Inability to maintain regulatory compliance
Issues experienced with SaaS cloud application security are naturally centered around data and access because most shared security responsibility models leave those two as the sole responsibility for SaaS customers. It is every organization’s responsibility to understand what data they put in the cloud, who can access it, and what level of protection they (and the cloud provider) have applied.
It is also important to consider the role of the SaaS provider as a potential access point to the organization’s data and processes. Developments such as the rise of XcodeGhost and GoldenEye ransomware emphasize that attackers recognize the value of software and cloud providers as a vector to attack larger assets. As a result, attackers have been increasing their focus on this potential vulnerability. To protect your organization and its data, make sure you scrutinize your cloud provider’s security programs. Set the expectation to have predictable third-party auditing with shared reports, and insist on breach reporting terms to complement technology solutions.
Top 10 cloud security issues experienced with infrastructure-as-a-service (IaaS)
- Cloud workloads and accounts being created outside of IT visibility (e.g., shadow IT)
- Incomplete control over who can access sensitive data
- Theft of data hosted in cloud infrastructure by malicious actor
- Lack of staff with the skills to secure cloud infrastructure
- Lack of visibility into what data is in the cloud
- Inability to prevent malicious insider theft or misuse of data
- Lack of consistent security controls over multi-cloud and on-premises environments
- Advanced threats and attacks against cloud infrastructure
- Inability to monitor cloud workload systems and applications for vulnerabilities
- Lateral spread of an attack from one cloud workload to another
Protecting data is critical in IaaS. As customer responsibility extends to applications, network traffic, and operating systems, additional threats are introduced. Organizations should consider the recent evolution in attacks that extend beyond data as the center of IaaS risk. Malicious actors are conducting hostile takeovers of compute resources to mine cryptocurrency, and they are reusing those resources as an attack vector against other elements of the enterprise infrastructure and third parties.
When building infrastructure in the cloud, it is important to assess your ability to prevent theft and control access. Determining who can enter data into the cloud, tracking resource modifications to identify abnormal behaviors, securing and hardening orchestration tools, and adding network analysis of both north–south and east–west traffic as a potential signal of compromise are all quickly becoming standard measures in protecting cloud infrastructure deployments at scale.
Top 5 cloud security issues experienced with private cloud
- Lack of consistent security controls spanning over traditional server and virtualized private cloud infrastructures
- Increasing complexity of infrastructure resulting in more time/effort for implementation and maintenance
- Lack of staff with skills to manage security for a software-defined data center (e.g., virtual compute, network, storage)
- Incomplete visibility over security for a software-defined data center (e.g., virtual compute, network, storage)
- Advanced threats and attacks
An important factor in the decision-making process to allocate resources to a public vs. private cloud is the fine-tuned control available in private cloud environments. In private clouds, additional levels of control and supplemental protection can compensate for other limitations of private cloud deployments and may contribute to a practical transition from monolithic server-based data centers.
At the same time, organizations should consider that maintaining fine-tuned control creates complexity, at least beyond what the public cloud has developed into. Currently, cloud providers take on much of the effort to maintain infrastructure themselves. Cloud users can simplify security management and reduce complexity through abstraction of controls. This unifies public and private cloud platforms above and across physical, virtual, and hybrid environments.
Recommendations for mitigating the top security issues in cloud computing
Your organization is using cloud services, even if those cloud services are not a primary strategy for your information technology (IT). To mitigate cloud computing security risks, there are three best practices that all organizations should work toward:
- DevSecOps processes — DevOps and DevSecOps have repeatedly been demonstrated to improve code quality and reduce exploits and vulnerabilities, and increase the speed of application development and feature deployment. Integrating development, QA, and security processes within the business unit or application team—instead of relying on a stand-alone security verification team—is crucial to operating at the speed today’s business environment demands.
- Automated application deployment and management tools — The shortage of security skills, combined with the increasing volume and pace of security threats, means that even the most experienced security professional cannot keep up. Automation that removes mundane tasks and augments human advantages with machine advantages is a fundamental component of modern IT operations.
- Unified security with centralized management across all services and providers — No one product or vendor can deliver everything, but multiple management tools make it too easy for something to slip through. A unified management system with an open integration fabric reduces complexity by bringing the parts together and streamlining workflows.
Finally, when trade-off decisions must be made, better visibility should be the No. 1 priority, not greater control. It is better to be able to see everything in the cloud, than to attempt to control an incomplete portion of it.
Copyright ©2020 McAfee, LLC