Understanding & Overcoming Cloud Security Threats
The idea that data isn’t safe in the cloud seems to be a fairly common misconception, but it’s not consistent with fact. There are many benefits and efficiencies to be gained in moving to the cloud, so long as your migration strategy is sound. Cloud computing does not mean degraded security. Cloud is an adequate means for data storage when you work with the right partner and stay aware of threats.
Achieving sound information security and satisfactorily meeting compliance requirements in a cloud environment are perfectly feasible endeavors with the right strategy. A worthwhile starting point is in understanding the persistent threats that IT security professionals face in securing their systems, and in particular, how cloud technology can be a part of the solution to these challenges—not to mention how compliance and information security programs can also serve to mitigate potential threats.
Common Security Threats Today
• Data breaches
• Data loss
• Account/service hijacking
• Insufficient due diligence
Compliance can be an effective tool for shoring up security efforts.
Data Breaches
Origins of a Data Breach
A data breach can originate from numerous sources:
• Malevolent hackers
• Negligent, disgruntled or malicious insiders (employees, vendors, or contractors)
• Competitors
Fundamentally, a data breach is a failure in access control over data which exposes information to persons or organizations that should not have access. A breach can involve regulated data, such as protected healthcare information and financial data, or unregulated data, such as an internal company document that is not intended for public disclosure.
Data can be exposed in a number of ways. First, there’s the stereotypical Hollywood version of a data breach: criminal activity from an outsider that is unrelated to your organization—this is the malicious actor that most people think of when they hear the words “data breach” or “hack.” While there are professional and amateur hackers out there who are intent on breaching security of information systems and accessing confidential data, they’re actually not the most common threat, and it’s a common mistake among enterprises to design an information security program that is overly focused on hacking.
Another way data can be exposed is through an insider, either deliberately or unintentionally. This is either an employee or former employee, vendor, contractor, or business partner, and this type of breach or threat is often the most difficult to mitigate, since the individual is granted legitimate access to the data in question. A very public example of a malicious insider is the case of Edward Snowden, who deliberately exposed information from the National Security Agency. As most people know, Snowden was a contract employee of the federal government who was granted access to classified information as a part of his job. When he publicly released the information, the data breach never involved hacking or an outsider gaining access to the secure information system.
Lastly, industrial espionage, or attempts by competitors to obtain confidential information, is one more avenue of a data breach. While this does happen, it is not common.
Security implications as a result of a data breach:
• Litigation, fines, damage to reputation, investigation, recovery and mitigation costs.
• Many compliance policies require organizations to retain audit records or other documentation. However, whether stored in the cloud or not, loss of that data could jeopardize the organization's compliance status.
Regardless of the source of a data breach, it can be extremely costly to an organization, particularly where fines as a result of compliance or regulatory failure are concerned. Direct costs include fines and contractual penalties. However, if you take a broader information security perspective rather than focusing solely on compliance, the cost can be much higher when accounting for some of the indirect costs of a breach.
Indirect costs can include the lost time and productivity of members of your workforce, as well as time spent investigating a data breach, responding to concerned customers, lost revenue, damage to organizational reputation, and the cost of correcting a breach and mitigating future breaches.
Always remember: an information security program is always less expensive than a data breach.
The typical approach for responding to such threats tends to be the basics of information security, which include maintaining a current anti-virus program, maintaining properly configured firewalls to secure the system and network environment, maintaining strong information security policies and procedures for employees and other members of the workforce, maintaining and reviewing systems security logs, and training the entire workforce in information security. Keep in mind: an often overlooked portion of the workforce consists of the people who are not employees, but contractors, vendors and other service providers who are involved in the operation and maintenance of an information system.
No information security program is perfect, and even with these controls in place, a breach can still occur. However, there are some worthwhile extra steps that can go a long way in securing your data.
Best Practices
Encrypt data at rest—if a breach occurs, data is not readable.
Adhere to best practices like AES-256 and SHA-2.
SSL/TLS must always be enabled.
IPsec communications should be allowed.
Take into account offline data backups, which also expose data to possible breaches.
One of the most powerful, underused security tools is encryption. Encrypt your most sensitive data, as well as any data that can expose your organization to risk. Encryption is an extremely powerful security control that can protect data when all other measures fail. If a solid encryption solution is in place, it can make a stolen or lost storage device completely useless, and prevent a data breach.
Encryption techniques are reliable technologies that are widely available to encrypt data at rest and while in transit. Use these tools to improve your company’s information security posture, and your efforts will go a long way in augmenting the other security controls that you have in place to protect your systems.
The Extra Encryption Measure
Encryption is rendered useless if keys are accessible to attackers. Therefore, when implementing an encryption solution, think carefully about the management of your encryption keys. Key management needs to be both a technological and procedural consideration before you implement data encryption. Two types of key management include:
Split key management
• One part handled by cloud security application; one part handled by your security team
• Requires both for decryption, so if only one part is obtained, data remains safe
Homomorphic key encryption
• Key is encrypted, even when in use
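The split key arrangement described above can be illustrated with a 2-of-2 XOR split of a 256-bit key, where one share stays with the cloud security application and the other with your security team. This is an added example, not code from the original article or from any vendor; the XOR scheme, the key check value and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit data-encryption key, e.g. for AES-256


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != KEY_LEN or len(b) != KEY_LEN:
        raise ValueError("keys and shares must be exactly 32 bytes")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Return (provider_share, team_share); both are needed to rebuild key."""
    provider_share = secrets.token_bytes(KEY_LEN)  # uniformly random
    return provider_share, xor(key, provider_share)


def key_check_value(key: bytes) -> str:
    """Non-secret fingerprint (HMAC-SHA-256) stored next to the ciphertext."""
    return hmac.new(key, b"kcv-v1", hashlib.sha256).hexdigest()[:16]


def combine(provider_share: bytes, team_share: bytes, expected_kcv: str) -> bytes:
    """Rebuild the key and refuse to return it if the shares do not match."""
    key = xor(provider_share, team_share)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("shares do not reconstruct the expected key")
    return key


def complementary_share(stolen_share: bytes, candidate_key: bytes) -> bytes:
    """For ANY candidate key there is a second share that fits the stolen one,
    so a single share rules out no key at all."""
    return xor(stolen_share, candidate_key)


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_LEN)           # constructed sample key
    kcv = key_check_value(key)
    provider, team = split_key(key)
    assert combine(provider, team, kcv) == key   # both parts: key recovered
    guess = secrets.token_bytes(KEY_LEN)
    fits = complementary_share(provider, guess)  # one part fits every guess
    assert xor(provider, fits) == guess
    try:
        combine(provider, fits, kcv)             # wrong second part is rejected
    except ValueError as err:
        print("rejected:", err)
```

The key check value lets the decrypting side detect a wrong or corrupted share before any data is processed with a bad key.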
Other Considerations
There are a number of additional considerations to evaluate when it comes to designing an information security program that will fit the needs of your organization, particularly in the cases of data governance laws to which you are subject, and the construct of your unique security architecture. Keep the following in mind:
• Data governance
Retention policy
Secure disposal
Non-production data
Information leakage
Risk assessments
• Security architecture
User ID credentials
Data security/integrity
Production/non-production environments
Remote user multi-factor authentication
Data Loss
Origins of Data Loss
In addition to data breaches, another information security threat is the loss of data. Similar to a data breach, there are several threats that can cause a loss of critical data. These include direct attack from a hacker or malicious insider, virus, accidental deletion or corruption of a file from an insider, equipment failure, or even a physical disaster.
Security implications as a result of data loss:
• Downtime, loss of revenue, litigation, fines, damage to reputation.
• Under EU data protection rules, data destruction and corruption of personal data are data breaches and require appropriate public notification.
• Compliance policies may require organizations to retain audit records or other documentation.
From a regulatory standpoint, the loss of data can be just as painful as a data breach, and the cost can be just as high. In some situations, data loss can trigger fines, contractual penalties, litigation, and damage to reputation—which are very similar consequences to a data breach.
Often, data loss can have an even more significant impact on normal operations than a data breach would because the operations of an organization depend on data, and critical information systems that are compromised because of damaged, corrupt, or lost data can cripple a business. If key information is lost, business operations may be difficult or even impossible to recover.
Data Loss Prevention: the Traditional Approach vs. Best Practices
Some of the controls that companies have in place to protect against data loss are the typical practices that most IT organizations implement: measures such as tape backup, disaster recovery plans and backup systems. The problem with this standard approach is that backup media can be impacted by the same threat that caused the data loss in the first place; it also provides an avenue for attack that could trigger a data breach. A lost tape can be a significantly difficult challenge, especially if data isn’t encrypted.
Best Practices
Supplement backup
Data encryption
Specify provider backup and retention strategies
Other Considerations
There are some additional controls that can be put into place to prevent data loss, and this is where a cloud solution can help considerably. Working with a cloud service provider gives your business a number of powerful DR options in a secure environment that is physically separated from normal business premises and operations. When working with a cloud service provider, it’s important to work together to develop a disaster recovery strategy, data backup and retention plan, and a plan for data destruction when a system or device reaches the end of its life.
Finally, be mindful of the regulatory compliance implications that pertain to your business. Consider data jurisdiction to the furthest boundary where data may reside; when international boundaries are crossed, various regulations can be compromised, depending on the type of data or business that you’re operating with. Consider data retention policies that apply to your business, and perform a risk assessment of your system and internal operations as a part of the implementation plan of the new information system.
Data governance
• Retention policy
• Risk assessments
Resiliency
• Environmental risks
• Equipment location
Account or Service Traffic Hijacking
The Forces Behind Hacking
Another major threat to data security is access granted through stolen credentials or by way of individuals with legitimate access to a system. These attacks can involve social engineering, phishing, the use of stolen credentials, or the interception of information through a software vulnerability.
Security events that precipitate a successful hack:
• Phishing
• Fraud
• Exploitation of software vulnerabilities
• Stolen credentials
Security implications as a result of a successful hacking event:
• Hackers can use your information and reputation to manipulate clients
• Destroy integrity and reputation
• Litigation or fines
Hacking Prevention: The Traditional Approach vs. Best Practices
Again, the response to the threat of a hack is to keep data encrypted while managing encryption keys carefully. Enforce good policies and procedures to prevent sharing credentials, and explore other technological solutions, such as system activity monitoring, to proactively identify any loss of data, as well as two-factor authentication to limit vulnerabilities of lost or stolen credentials.
These steps can go a long way in helping to secure information access through your workforce. Finally, understand and review the security controls of your cloud service provider, and understand what controls they have in place and how they complement the controls within your organization.
An additional threat to information security is a failure of the organization to understand the role of the cloud service provider, and which aspects of the system are managed by the service provider and which by the organization itself.
Best Practices
Supplement backup
Data encryption
Specify provider backup and retention strategies
This is another area in which a cloud solution can potentially be very helpful.
Lack of Due Diligence
Human Error and Information Security
An additional potential threat to information security is the failure of an organization to understand the role of their cloud service provider (CSP), which aspects of the system are being managed by the service provider, and which are self-managed. Particularly important considerations include system risk assessment, incident response planning, data encryption, DR planning, and system monitoring. If either party fails to understand their part in the shared responsibility model, data can be exposed or lost.
Human Errors That Can Lead to Security Threats:
• Incomplete understanding of CSP environment
• Operational responsibilities (i.e., incident response, encryption and security monitoring) take on unknown levels of risk
Security Implications as a Result of Human Error(s):
• Contractual issues
• Unknown operational and architectural issues
A lack of due diligence can expose an organization to contractual and regulatory sanctions, or even cause operational breakdowns and system failures.
To prevent human error, interview the service provider, review marketing materials, and discuss the security of your system and how it relates to the security offering of the service provider. While this is a good place to start, it does not constitute good due diligence.
Best Practices
Compare vendors
Request audit reports (and evaluate them)
References
Conduct risk assessment
To properly review a CSP, request audit reports, review them carefully and make sure they meet the requirements that are unique to your organization. Speak to other organizations who can offer a reference, and complete your own risk assessment for your system as it’s implemented with the cloud provider. The risk assessment should look at the entire system from a shared responsibility perspective. Take into account your organization’s responsibilities, and the responsibilities of the service provider.
Other Considerations
Data governance
• Risk assessments
Information security
• Industry knowledge/benchmarking
Operations management
• Capacity/resource planning
Risk management
• Program assessments
Resiliency
• Management program
• Impact analysis
• Business continuity planning
Security architecture
• Data security/integrity
• Application security
• Network security
• Segmentation
When developing an information systems compliance or information security program, there are a number of considerations. As you plan your system deployment, it’s important that at each stage in the process you consider how a technology or business process will impact compliance and information security.
Compliance Requirements Strengthen Overall Security Posture
There’s no doubt that the world of information technology professionals is increasingly the focus of a growing number of industry standards and government regulations. This has made compliance a key element of information systems development and operations. Compliance standards like the PCI DSS, HIPAA, FISMA and ISO are a major concern of IT departments in most industries, whether they’re directly or indirectly regulated.
Compliance Requirements Strengthen Security
Compliance standards can be helpful security tools
Establish consistency
Communicate maturity of the security model
Validate applicability of security controls
Compliance standards are useful tools to establish a baseline for a security program; they promote consistency within organizations and throughout entire industries.
How a Cloud Service Provider Can Help
Outsourcing to a CSP is more secure, eliminates or greatly reduces the need to expand IT staff, and is usually more cost-effective.
Seasoned CSPs typically also offer data security services, which means they know how to secure your environment, and that doesn’t include the multi-layered physical security controls that are already in place.
Discovernet.ca is always here for you every step of the way when it comes to assessing the security of your cloud. If your IT team has questions, we’ve got answers. Reach out to one of our solution engineers today by calling 905-814-8383 or visiting http://discovernet.ca/contact-us
Thanks to Jason Carolan, Chief Cloud Officer, at Peak10, for contributing to this article.
<https://www.linkedin.com/in/jtcarolan>