Migrating applications, systems and workloads to the cloud offers flexible scaling, lower storage and compute costs through a pay-as-you-use model, and many other advantages. As with other ecosystems, there are some common security concerns when operating in the cloud. Below I have listed the major ones.
- Data theft and modification - If your cloud provider has not enforced all the security controls and measures for restricting unauthorized access, or unauthorized users have exploited some loophole or vulnerability in the process, sensitive data may fall into someone else's hands. The data properties in the cloud may be modified, making certain data elements inaccessible to users, or the data may be corrupted, making it unusable.
Some statistics that illustrate the data theft concern:
- On 22nd Jan, 2020, a customer database carrying 280 million+ Microsoft customer records was found unprotected online (IdentityForce).
- On 20th August, 2020, Comparitech researchers found 235 million+ Instagram, TikTok and YouTube user profiles in an unsecured database (IdentityForce).
These are just some of the instances out of hundreds occurring every day, and the majority of them are the result of cloud-based security loopholes.
- Malware and DoS attacks - An enormously high volume of traffic to the system may increase the chances of malware and DoS attacks. Hackers can send a high volume of traffic to web-based applications, causing the server to crash.
- Incomplete SLA-based risk analysis - If the SLA-based risk analysis is not comprehensive and does not take into account every element of operating in the cloud, vulnerabilities may remain in the cloud infrastructure that other parties can use for data breaches and unauthorized access. Reviewing the terms of SLAs to include all possible security measures is of utmost importance.
- Vendor lock-in - Vendor lock-in creates some of the biggest risks in cloud services. When transferring from one vendor to another or from one cloud to another, the systems and components may become vulnerable to breaches and attacks.
- Contractual breaches - Every business contract is defined by a set of rules agreed upon by the parties involved. If the clauses on maintaining the security of sensitive data and on authorizing usage of the data have not been clearly elaborated, the result may be a contract violation. For example, if a user is not authorized to change the data location and does so anyway by transferring it to the cloud, it may result in conflicts and litigation. This generally happens in enterprises or companies where the business entities do not have a clear goal for the cloud services they are planning to have.
- Non-maintenance of API hygiene - APIs must be designed for complete authentication, must maintain the access hierarchy, and should be adequately encrypted. API keys must be secured and should not be reused. In the case of insecure APIs, where any one of these measures is lacking, unauthorized access to data and systems can take place.
According to Imperva, “An API security survey revealed that on average companies manage 363 different APIs, and that two-thirds (69 percent) of organizations are exposing APIs to the public and their partners. As noted, public-facing APIs are a key security concern because they are a direct vector to the sensitive data behind applications. Asked about their main API security concern, respondents stated they are most worried about DDoS attacks and bots while 24 percent said they are most concerned about authentication enforcement.”
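The API hygiene points above (authenticate every call, keep the access hierarchy, secure keys and never reuse them) can be enforced in code; the sketch below is an added example, not code from the original article or from Imperva. The class `ApiKeyRegistry`, its method names and the scope strings are hypothetical, and transport encryption is assumed to be handled separately by TLS.

```python
import hashlib
import hmac
import secrets


class ApiKeyRegistry:
    """Hypothetical key store: one key per client, only digests kept at rest."""

    def __init__(self):
        self._owner = {}   # SHA-256 digest of key -> client id
        self._scopes = {}  # client id -> scopes that client may use

    @staticmethod
    def _digest(raw_key):
        # Keys are long random tokens, so a plain hash is enough here
        # (unlike passwords, which need a slow KDF).
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def issue(self, client_id, scopes):
        """Create a fresh random key; the raw value is returned only once."""
        raw_key = secrets.token_urlsafe(32)
        self._owner[self._digest(raw_key)] = client_id
        self._scopes[client_id] = set(scopes)
        return raw_key

    def register_existing(self, client_id, raw_key, scopes):
        """Import a legacy key, refusing one already bound to another client."""
        digest = self._digest(raw_key)
        owner = self._owner.get(digest)
        if owner is not None and owner != client_id:
            raise ValueError("key reuse: key is already assigned to another client")
        self._owner[digest] = client_id
        self._scopes[client_id] = set(scopes)

    def authorize(self, raw_key, scope):
        """Return the client id if the key is known and the scope is allowed."""
        presented = self._digest(raw_key)
        client = None
        for stored, owner in self._owner.items():
            if hmac.compare_digest(stored, presented):  # constant-time compare
                client = owner
        if client is None or scope not in self._scopes[client]:
            return None
        return client
```

Because only digests are stored, a leaked copy of the registry does not expose usable keys, and the reuse check stops one key from being shared between two clients.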