Cloud storage and cloud computing are booming. Worldwide public cloud service revenues are expected to grow by 18.5 percent in 2017 to a whopping $260 billion — and there's no reason to think that pace will slow down any time soon.
It's not hard to see why business is booming. The cloud offers families a convenient way to store everything from pictures to documents, and provides individuals and businesses efficient new ways to work together, handle services such as payroll or online software, and share what they're doing via remote networks of servers.
But there's a catch. All that data collected in a shared space makes a prime target for hackers. And despite the clear risk, RedLock found in its recent Cloud Security Trends report that 81 percent of organizations are not doing enough to protect their cloud environments.
Here's a quick look at how data in the cloud is vulnerable, what's at stake, and how to reduce the risks.
What are some of the main threats?
A big risk is the dreaded data breach. Hackers can get access to personal information and credit card data that lives in the cloud, but, as Fahmida Y. Rashid notes in a rundown of cloud security threats at InfoWorld, "breaches involving health information, trade secrets, and intellectual property can be more devastating." Bottom line, Rashid says: "The severity of the damage tends to depend on the sensitivity of the data exposed."
Another danger is that hackers will flat out hijack accounts once they gain access. "Attackers can eavesdrop on activities, manipulate transactions, and modify data," or even delete it, Rashid says. Hackers also can use the cloud application they've commandeered to launch more attacks, or use advanced persistent threats (APTs), a sort of cyber-parasite, to establish a presence in a system and "stealthily exfiltrate data and intellectual property over an extended period of time," Rashid says.
This can lead to extensive damage to a company's brand, lost data, or identity theft. Many companies use cloud-based payroll services, for example. If breached, this can be a "trove for cybercriminals," says Michael Baer at the Bloomberg BNA Payroll Blog, citing representatives of several payroll-service providers.
How do the bad guys do it?
There are plenty of ways cloud services can be vulnerable. If an authorized user's credentials fall into the wrong hands, or there's a flaw in the authentication system, look out. The RedLock researchers found that administrative accounts for 38 percent of public cloud computing environments could have been compromised. If a cybercriminal gets hold of an authorized user or administrator, he or she can do a lot of damage before they're found out.
System bugs can also give hackers an opening. When we access services in the cloud instead of on our own server, Rashid points out, we "share memory, databases, and other resources in close proximity to one another, creating new attack surfaces." A flaw in the lines of code running an application can create a vulnerability a hacker can exploit. The RedLock report found that 53 percent of organizations using cloud storage services such as Amazon Simple Storage Service (Amazon S3) had goofed and left a service (or several of them) somehow exposed.
Another danger is mobile computing. "Almost 70 percent of the employee population accesses their corporate accounts with the help of their own mobile devices," says Priya Viswanathan at Lifewire. "This could create a mobile security hazard for the enterprise concerned." The security of any such interaction is only as secure as the device, the connection, and the user's handling of his or her credentials allow.
What can be done to reduce these risks?
Employers can't just shift their systems over to any third-party that provides cloud-computing services and assume everything is secure. They need to take into account a host of factors, such as how that third-party authenticates the identities of people given access to the data, how the information is encrypted, how breaches are handled, and where, meaning in what country, the servers storing the data are located. Companies have to do their homework, and make sure they put in place the best security measures possible. Companies should know exactly what they have in the cloud (and do an audit if they don't), back everything up in case of trouble, use the latest security measures, such as multifactor authentication and default encryption, and train employees to spot threats and deal with them right away. The same goes for personal users. Know what you're putting into the cloud, and know what your service provider does to keep it secure.
Mobile computing risks can be kept to a minimum by drawing up clear rules for employees to minimize vulnerability, says Viswanathan at Lifewire. These rules might include limiting devices employees can use to the latest models, which tend to have the best security, and only letting workers access what they absolutely need, with a firewall to limit access to the most sensitive stuff. RedLock CTO Gaurav Kumar said in a press release that recent breaches at big firms show that "the threats are real and cybercriminals are actively targeting information left unsecured in the public cloud," so every organization that uses these services needs a "holistic strategy" to be safe.
"While cloud computing is not without its risks, the truth remains that these risks are definitely manageable with some effort taken on the part of the company involved," says Viswanathan at Lifewire. "Once the above issues are resolved, the rest of the process should go on smoothly, thereby providing immense benefits" for the company.