CS Notes Unit-3

Uploaded by preetikaler09

What are cloud security threats and vulnerabilities to infrastructure?

Cloud security threats and vulnerabilities are any potential dangers to the security of cloud
infrastructure, which includes the hardware, software, and network resources that support cloud
computing services.

Cloud security threats are malicious actions that can be taken against cloud infrastructure by
attackers to gain unauthorized access, steal data, disrupt operations, or cause other damage. Some
common cloud security threats include:

Misconfiguration

Misconfiguration of cloud resources is one of the most common causes of cloud data breaches.
Misconfigurations can occur accidentally, or they can be exploited by attackers to gain unauthorized
access. A recent study by IBM found that 95% of cloud security incidents are caused by human error,
and misconfiguration is the most common type of human error.

Cloud resources are often complex and can be easily misconfigured, either accidentally or
intentionally by attackers. Misconfigurations can expose cloud resources to the public internet, leave
sensitive data unencrypted, or grant excessive permissions to users.

Some common examples of cloud misconfigurations include:

• Exposing cloud resources to the public internet without proper authentication and
authorization controls.

• Leaving sensitive data unencrypted.

• Granting excessive permissions to users or roles.

• Failing to enable security features such as two-factor authentication and multi-region
replication.

Organizations can help to prevent misconfigurations by implementing a strong cloud security posture
management (CSPM) program. CSPM programs use automation to continuously monitor cloud
resources for misconfigurations and to notify organizations of any potential security issues.

Unauthorized access

Unauthorized access to cloud resources can occur when attackers steal or crack user credentials, or
when they exploit security vulnerabilities in cloud infrastructure. For example, an attacker might
exploit a vulnerability in a cloud API to gain access to sensitive data.

Organizations can help to protect against unauthorized access by implementing strong identity and
access management (IAM) controls and by regularly patching and updating software.

Some common methods for stealing or cracking user credentials include:

• Phishing attacks: Attackers send fraudulent emails or text messages that appear to be from a
legitimate source, such as a cloud provider. These messages often contain links to malicious
websites or attachments that install malware on the victim's device.

• Password brute-force attacks: Attackers use software to try to guess user passwords by trying
a large number of possible combinations.

• Password spraying attacks: Attackers try to guess common passwords or password patterns
against a large number of user accounts.
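The brute-force and password-spraying patterns above look different in authentication logs: one source hammering one account versus one source trying a few guesses against many accounts. The following detector, added here as an example and not part of the original notes, classifies sources from a constructed sample log; the log format, the thresholds and the RFC 5737 test addresses are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of sign-in events (not from the notes). Format:
# "<timestamp> <user> <source_ip> FAIL|OK". Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z alice 203.0.113.9 FAIL
2024-01-10T09:00:02Z alice 203.0.113.9 FAIL
2024-01-10T09:00:03Z alice 203.0.113.9 FAIL
2024-01-10T09:00:04Z alice 203.0.113.9 FAIL
2024-01-10T09:00:05Z alice 203.0.113.9 FAIL
2024-01-10T09:00:06Z alice 203.0.113.9 FAIL
2024-01-10T09:00:07Z alice 203.0.113.9 FAIL
2024-01-10T09:00:08Z alice 203.0.113.9 FAIL
2024-01-10T09:00:09Z alice 203.0.113.9 FAIL
2024-01-10T09:00:10Z alice 203.0.113.9 FAIL
2024-01-10T09:05:00Z bob 198.51.100.7 FAIL
2024-01-10T09:05:01Z carol 198.51.100.7 FAIL
2024-01-10T09:05:02Z dave 198.51.100.7 FAIL
2024-01-10T09:05:03Z erin 198.51.100.7 FAIL
2024-01-10T09:05:04Z frank 198.51.100.7 FAIL
2024-01-10T09:05:05Z grace 198.51.100.7 FAIL
2024-01-10T09:10:00Z heidi 192.0.2.5 FAIL
2024-01-10T09:10:30Z heidi 192.0.2.5 FAIL
2024-01-10T09:11:00Z heidi 192.0.2.5 OK
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<result>FAIL|OK)$"
)

# Assumed thresholds; tune them to the real login volume of the environment.
BRUTE_FORCE_MIN_FAILS = 8   # many failures against a single account
SPRAY_MIN_USERS = 5         # many distinct accounts from one source...
SPRAY_MAX_PER_USER = 2      # ...with only a few guesses per account


def parse_failures(log_text):
    """Yield (user, source_ip) for every failed sign-in; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("result") == "FAIL":
            yield m.group("user"), m.group("ip")


def classify_sources(log_text):
    """Return {source_ip: 'brute_force' | 'password_spray'} for suspicious sources.

    A source is brute-forcing if any single account exceeds the failure
    threshold; it is spraying if it touched many accounts with few guesses each.
    """
    failures_per_ip_user = defaultdict(lambda: defaultdict(int))
    for user, ip in parse_failures(log_text):
        failures_per_ip_user[ip][user] += 1

    findings = {}
    for ip, per_user in failures_per_ip_user.items():
        if any(n >= BRUTE_FORCE_MIN_FAILS for n in per_user.values()):
            findings[ip] = "brute_force"
        elif len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
            findings[ip] = "password_spray"
    return findings


if __name__ == "__main__":
    for ip, kind in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {kind}")
```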

Insecure interfaces and APIs

Cloud interfaces and APIs provide a way for users and applications to interact with cloud resources.
If these interfaces and APIs are not properly secured, they can be exploited by attackers to gain
unauthorized access to cloud resources or to launch attacks against cloud services.

Some common examples of insecure cloud interfaces and APIs include:

• APIs that do not properly validate input from users.

• APIs that do not use strong encryption to protect data.

• APIs that have known security vulnerabilities that have not been patched.

For example, an attacker might exploit an insecure API to steal data or to launch a denial-of-service
attack.

Organizations can help to protect against insecure interfaces and APIs by implementing strong API
security best practices, such as using strong authentication and authorization controls and by
regularly testing APIs for security vulnerabilities.

Malicious insiders

Malicious insiders are employees or contractors who have authorized access to cloud resources but
who abuse that access for malicious purposes. Some common examples of malicious insider activity
include:

• Stealing data and selling it to third parties.

• Planting malware on cloud resources.

• Disrupting cloud services.

• Deleting or corrupting data.

Malicious insiders can pose a significant threat to cloud security because they have trusted access to
cloud resources and may be able to bypass security controls.

Organizations can help to protect against malicious insiders by implementing strong security controls,
such as role-based access control (RBAC) and two-factor authentication (2FA). Organizations should
also conduct regular security audits and employee training programs to help identify and prevent
malicious insider activity.

Cyberattacks

Cyberattacks such as denial-of-service attacks, malware attacks, and phishing attacks can be launched
against cloud infrastructure to disrupt operations or steal data. Some common examples of
cyberattacks against cloud infrastructure include:

• Distributed denial-of-service (DDoS) attacks: Attackers overwhelm cloud resources with
traffic, making them unavailable to legitimate users.

• Malware attacks: Attackers install malware on cloud resources to steal data, disrupt
operations, or launch further attacks.

• Phishing attacks: Attackers send fraudulent emails or text messages that appear to be from a
legitimate source, such as a cloud provider. These messages often contain links to malicious
websites or attachments that install malware on the victim's device.

For example, an attacker might launch a DDoS attack against a cloud service to make it unavailable to
legitimate users. Or, an attacker might launch a malware attack against a cloud server to steal data or
to disrupt operations.

Organizations can help to protect against cyberattacks by implementing strong security controls, such
as firewalls, intrusion detection systems, and intrusion prevention systems. Organizations should also
regularly monitor their cloud environment for suspicious activity.

Cloud security vulnerabilities are weaknesses in cloud infrastructure or services that can be exploited
by attackers to carry out threats. Some common cloud security vulnerabilities include:

• Unpatched software: Outdated or unpatched software can contain known security
vulnerabilities that can be exploited by attackers.

• Insecure default configurations: Cloud resources often have default configurations that are
not secure. Attackers can exploit these default configurations to gain unauthorized access or
to launch attacks.

• Weak passwords and authentication: Weak passwords and authentication controls can make
it easy for attackers to steal user credentials and gain unauthorized access to cloud
resources.

• API vulnerabilities: Insecure APIs can contain vulnerabilities that can be exploited by
attackers to gain unauthorized access to cloud resources or to launch attacks against cloud
services.

• Data storage vulnerabilities: Cloud storage services can contain vulnerabilities that can allow
attackers to steal or corrupt data.

Protecting cloud infrastructure from threats and vulnerabilities

There are a number of steps that organizations can take to protect their cloud infrastructure from
threats and vulnerabilities, including:

• Implement strong identity and access management (IAM) controls. IAM controls ensure that
only authorized users have access to cloud resources. Organizations should implement IAM
controls such as role-based access control (RBAC) and two-factor authentication (2FA).

• Regularly patch and update software. Software vendors regularly release patches and
updates to address known security vulnerabilities. Organizations should regularly apply these
patches and updates to their cloud infrastructure and applications.

• Securely configure cloud resources. Cloud resources often have default configurations that
are not secure. Organizations should securely configure their cloud resources by following
best practices provided by their cloud provider.

• Implement strong authentication controls. Strong authentication controls make it more
difficult for attackers to steal user credentials and gain unauthorized access to cloud
resources. Organizations should implement authentication controls such as 2FA and multi-
factor authentication (MFA).

• Monitor cloud activity for suspicious activity. Organizations should monitor their cloud
activity for suspicious activity such as unusual login attempts, unauthorized access to
resources, and unusual data exfiltration.

• Have a plan for responding to cloud security incidents. Organizations should have a plan in
place for responding to cloud security incidents. This plan should include steps for
identifying, containing, eradicating, and recovering from incidents.

By taking these steps, organizations can help to protect their cloud infrastructure from threats and
vulnerabilities.

Cloud security threats, risks and vulnerabilities

How secure is the cloud?
Questions about cloud security threats are a valid concern, as all your sensitive data
is held outside of your company premises. However, in most cases, data will be
much safer when stored in the cloud than kept on the user's device.

Usually, cloud data is stored in an encrypted form, meaning that anyone needing
data access needs a digital key. Not to mention that the data itself is stored across a
large fleet of servers with multiple backups. This is done to protect the information in
case of a server malfunction or a cyberattack.

Cloud computing security risks and threats

All companies face security risks, threats, and challenges every day. Many think
these terms all mean the same thing, but they’re more nuanced. Understanding
the subtle differences between them will help you better protect your cloud
assets.

What is the difference between risks, threats, and challenges?

• A risk is a potential for loss of data or a weak spot.

• A threat is a type of attack or adversary.

• A challenge is an organization’s hurdles in implementing practical cloud security.

Let’s consider an example: An API endpoint hosted in the cloud and exposed to
the public Internet is a risk, the attacker who tries to access sensitive data using
that API is the threat (along with any specific techniques they could try), and
your organization’s challenge is effectively protecting public APIs while keeping
them available for legitimate users or customers who need them.

A complete cloud security strategy addresses all three aspects, so no
cracks exist within the foundation. You can think of each as a different lens or
angle with which to view cloud security. A solid strategy must mitigate risk
(security controls), defend against threats (secure coding and deployment), and
overcome challenges (implement cultural and technical solutions) for your
business to use the cloud to grow securely.

While the cloud is much safer than device storage, it's important to note that no
security system is uncrackable. A broad spectrum of cybersecurity risks applies to
cloud infrastructure that could compromise your data.

External data breaches

Most business owners view data loss as their biggest cloud security concern.
Leaking financial or customer data threatens customer trust, which can cause long-
lasting revenue loss. As the security responsibilities are shared between a cloud
service provider and a client, there's always a risk of failure to secure the network
properly. The servers should also be properly equipped to withstand DDoS attacks.

Misconfigurations

Cloud infrastructure is very complex, so there's a real risk of missing something
when setting it up. Organizations risk misconfiguring their access systems when
scaling up or scaling down their operations. Missing important updates or
overlooking existing infrastructure shortcomings may also contribute to critical
misconfigurations.

Poor authentication controls

Your data is only as secure as the weakest component in its chain. If the
only thing that your employees need is a username and a password, this is
something that could be easily exploited. Generally, the rule is to protect sensitive
assets with a corresponding level of authentication mechanisms. The more sensitive
the data, the more authentication layers it should have.

Account hijacking via phishing

Hackers don't need to penetrate your internal networks when the data is hosted in
the cloud. This means that hijacking your administrator's account and posing as one
could be enough to gain direct access to the cloud-hosted data. It requires less effort
to pull off than bypassing various cybersecurity defenses that could be deployed
internally.

API insecurities

Growing Application Programming Interface (API) usage creates an opportunity for
hackers looking for an opening into the network. This area must be thoroughly
checked for vulnerabilities, poor coding practices, lack of authentication, and
insufficient authorization. These and other similar oversights can help hackers gain
access to the system.

Cloud security vulnerabilities

Cloud vulnerabilities are a sensitive subject because cloud services are used for
development, analytics, machine learning, and other tasks. There are multiple weak
points that hackers will check first when attempting to penetrate a network. Here's
the list of the top cloud vulnerabilities.

Open S3 bucket

An Amazon S3 bucket is a public cloud storage resource used within Amazon Web
Services. Buckets are similar to folders as they consist of data and descriptive
metadata. According to various reports, poorly configured S3 buckets contribute to
a significant portion of cloud security data breaches. Some of the companies that
were recently affected by these misconfigurations that resulted in a data breach
were Netflix and Capital One. This allowed some of the private buckets to be
accessible to anyone interested. Therefore, when using cloud services, it's critical to
implement proper access rules.
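The two misconfigurations the notes return to most often are a bucket policy that grants access to everyone and a permission set with wildcard actions or resources (the "excessive permissions" item in the earlier misconfiguration list). The analyzer below, added here as an example and not taken from the notes or from any vendor tool, reviews policy documents in the AWS policy JSON format; the three policies are constructed, and the account ID and bucket name in them are placeholders. In practice it complements, rather than replaces, account-level controls such as S3 Block Public Access.

```python
import json

# Constructed example policies (not from the notes). Account ID and bucket name
# are placeholders.
OPEN_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                       # anyone, including anonymous
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
})

ADMIN_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

LOCKED_DOWN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppReaderOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True if the Principal grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _has_wildcard(values):
    """True for a bare "*" or a service-wide wildcard such as "s3:*"."""
    return any(isinstance(v, str) and (v == "*" or v.endswith(":*"))
               for v in _as_list(values))


def analyze_policy(policy_json):
    """Return (sid, finding) pairs for Allow statements that grant to a public
    principal or use wildcard actions/resources. Deny statements are skipped.
    A public principal under a Condition is still reported, marked for review,
    because whether the condition actually limits exposure needs a human."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement-{i}")
        if _is_public_principal(stmt.get("Principal")):
            note = "public principal (conditioned; review)" if "Condition" in stmt \
                else "public principal"
            findings.append((sid, note))
        if _has_wildcard(stmt.get("Action")):
            findings.append((sid, "wildcard action"))
        if _has_wildcard(stmt.get("Resource")):
            findings.append((sid, "wildcard resource"))
    return findings


if __name__ == "__main__":
    for name, doc in [("open bucket", OPEN_BUCKET_POLICY),
                      ("admin role", ADMIN_ROLE_POLICY),
                      ("locked down", LOCKED_DOWN_POLICY)]:
        print(name, "->", analyze_policy(doc) or "no findings")
```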

Incomplete data deletion

One of the trickiest parts of cloud data management is data deletion. On the one
hand, it's a process that should be done irreversibly. On the other hand, an
administrator must ensure that there are no backups left.

In cases when multiple tenants are sharing the infrastructure, data should be deleted
without the possibility of retrieving it. It's not enough to wipe the hard drive and hope
for the best. The data should be overwritten with blank tables and then deleted
again.

As for the data backups, this requires full visibility of where they are kept. There
shouldn't be any unsupervised copies lying in the cloud as, over time, this data could
find its way to hackers. That said, in most cases, data deletion must follow the cloud
provider's procedures, so it will likely be a joint effort, although some cloud service
providers may have different requirements.

Lambda command injection

AWS Lambda is a computing service that allows running code without
provisioning or managing servers. It can execute code when needed, ranging from a
few daily requests to thousands per second, and the service is billed only for the
compute time used. It's a convenient tool for testing any application or
backend service.

As the user function is serverless, this greatly increases the potential attack surface.
The function can be launched from various events like database changes, code
modifications, notifications, and other events. This means that a hacker can try to
inject an unexpected event into the vulnerable function, whose contents are then passed
down to an OS-level command. It's potentially devastating to the stored data as the
hacker could obtain direct access to the cloud using this vulnerability.
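The injection path described above is a function that pastes an event field into a shell command string. The pair below, added here as an example and not code from the notes, shows that pattern next to a hardened handler that allow-lists the field and passes an argument vector so no shell interprets it; the event field name, the `gzip` command and the `/tmp` working directory are assumptions. The vulnerable variant only builds the command string, so the effect of a metacharacter is visible without anything being executed.

```python
import re
import subprocess

# Assumed allow-list for the only event field the handler uses: plain file
# names, no path separators, no shell metacharacters.
FILENAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
WORK_DIR = "/tmp"   # Lambda's writable scratch space (assumed)


def build_command_vulnerable(event):
    """Vulnerable pattern: event data interpolated into a shell string.

    Returned rather than executed here so the test can show how a ';' in the
    field becomes a second command once a shell parses the string."""
    return f"gzip -k {WORK_DIR}/{event['filename']}"


def build_argv_hardened(event):
    """Hardened pattern: validate the field, then build an argv list.

    With an argument vector and shell=False the value is a single argument,
    never parsed by a shell, and anything outside the allow-list is rejected."""
    name = event.get("filename", "")
    if not isinstance(name, str) or not FILENAME_RE.match(name) or name in (".", ".."):
        raise ValueError("filename rejected by allow-list")
    return ["gzip", "-k", f"{WORK_DIR}/{name}"]


def handler(event, context=None):
    """Hardened Lambda entry point (hypothetical): argv list, no shell, timeout."""
    argv = build_argv_hardened(event)
    result = subprocess.run(argv, shell=False, capture_output=True, timeout=10)
    return {"ok": result.returncode == 0, "argv": argv}


if __name__ == "__main__":
    # Constructed events: one benign, one carrying a shell metacharacter.
    benign = {"filename": "report.csv"}
    hostile = {"filename": "report.csv; echo injected"}
    print("vulnerable builds:", build_command_vulnerable(hostile))
    print("hardened builds:  ", build_argv_hardened(benign))
    try:
        build_argv_hardened(hostile)
    except ValueError as exc:
        print("hardened rejects: ", exc)
```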

Failure of separation among multiple tenants

The multitenancy model helps keep costs low: multiple customers are using the
same software instance, which is installed on multiple servers. User data and
resources are located in the same computing cloud, controlled and distinguished by
various unique identifiers. Naturally, the risks associated with this model arise from
the shared model itself, as the used computer hardware is the same for multiple
clients.

Data isolation is paramount in such scenarios as multitenancy would, by definition,
be one of the best attack vectors at a hacker's disposal. Not to mention that
successfully breaching one of the tenants makes it easier to infiltrate co-residents
within the cloud. Since the only boundary between them is individual user IDs, this
gives plenty of leverage for malicious individuals.

Summary
While cloud computing is an incredible opportunity for most businesses to reorganize
their infrastructure flexibly, this doesn't come without a price. While, by default, cloud
security provides much more safety than locally hosted data, there's much that an
organization should keep in consideration when setting it up.

Like most systems, cloud computing isn't without its weak points. The majority of
data breaches result from misconfigurations and poor authentication controls. It's
important to emphasize that cloud security isn't a given. The high standard of security
has to be maintained.

There are also many vulnerabilities that a hacker could exploit when planning
an attack on your cloud. Network administrators should be in the loop about the
latest developments regarding S3 bucket exploits and be very cautious regarding the
deletion of backups and other data. Only by addressing the various cloud risks in a
timely manner is it possible to create a secure model that helps businesses achieve their
goals.

7 Cloud Computing Security Vulnerabilities and What to Do About Them

Companies are rapidly using the cloud to revolutionize their digital
transformations. According to Gartner, the global market for cloud
computing is estimated to grow to $266.4 billion by 2020, rising from
$227.4 billion in 2019.

There are several benefits of cloud computing including potential
lower cost (with more capabilities in the public cloud that could aid
productivity versus more limited capabilities in private clouds) and
faster time to market.

However, with the array of benefits that the cloud offers, data
security is amongst the key concerns holding back enterprises from
adopting cloud solutions. To back this up, a survey found that 93%
of companies are moderately to extremely concerned about cloud
computing security risks.

Cloud infrastructure can be complex, and we all know that
complexity is the enemy of security. While most cloud security
experts agree that companies can benefit from the security solutions
built into the cloud, organizations can also make grave errors and
expose critical data and systems.

Some of the most common cloud security risks include unauthorized
access through improper access controls and the misuse of employee
credentials. Unauthorized access and insecure APIs are tied for the
number one spot as the single biggest perceived security
vulnerability in the cloud (according to 42% of respondents). These
security risks are followed by misconfigurations in the cloud at 40%.

How can companies gain the benefits of cloud computing technology
while still maintaining data security?

There are several preventive measures that companies can adopt to
prevent cloud security vulnerabilities in their early stages. This
ranges from simple cloud security solutions such as implementing
multi-factor authentication to more complex security controls for
compliance with regulatory mandates.

5 Top Cloud Security Threats and Tips to Mitigate Them

Cloud computing has accompanied a new borderless work world, which boosts the free flow
of information and open collaborations. This has allowed companies to be more productive
and has made remote work possible, especially in this Covid pandemic, allowing enterprises
to ensure business continuity. While the cloud environment provides enormous benefits to
organizations, it has also opened a host of vulnerabilities for attackers to exploit.

In the 2020 cloud security report, there are mixed reviews of whether cloud adoption will
improve enterprises’ security.

45% of those surveyed said that both the security of cloud applications and on-premises
applications are the same. 28% of respondents said that cloud apps are more secure than on-
premises apps while 27% were concerned that cloud apps are less secure than on-premises
apps.

The same survey highlighted that 93% of respondents were extremely concerned about public
cloud security. These data show that enterprises recognize that cloud adoption is inherently
safe but are battling with their responsibility to use it securely.

Companies that leverage cloud technologies without being aware of the cloud security
risks open themselves up to myriad financial and technical risks. Let’s break down the top
security risks that come with adopting cloud technologies and tips to mitigate them.

1. Unauthorized Access to Data

It is the biggest risk to cloud security. According to a new cloud security spotlight report,
53% of respondents see unauthorized access via improper access controls and misuse of
employee credentials as their biggest cloud security threat.

Unauthorized access involves individuals accessing enterprise data, networks, endpoints,
devices, or applications, without having proper permissions. The good news is that poor
access control can be tackled through security solutions in combinations with access
management policies. Indusface’s Web Application Firewall allows blocking of access to
cloud applications based on IP, countries, GEO location, and many more. It provides
complete tracking, monitoring as well as reporting of app access, enabling enterprises to
comply with data security regulations.
Tips to prevent Poor Access Management

• Develop a data governance framework for all user accounts. All user accounts should be
connected directly to the central directory services like Active Directory that can monitor and
revoke access privileges.
• You can use third-party security tools to regularly pull lists of users, privileges, groups, and
roles from cloud service environments. Then your security team can sort and analyze it.
• You should also keep logging and event monitoring mechanisms in place to detect
unauthorized changes and unusual activity.

2. Distributed Denial of Service (DDoS) Attacks

Another very common form of attack on the cloud, which can be extremely
damaging. A DDoS (Distributed Denial of Service) attack involves denying
access to an online service for legitimate users by flooding it with malicious connection
requests.
Tips to tackle DDoS attacks in the cloud

• Have an excess of bandwidth on your enterprise’s internet connection. The more bandwidth
you have, the more work hackers must do to flood the connection.
• Discover vulnerabilities in your system – scan your network and system to determine
vulnerabilities with web application scanning tools to find vulnerabilities, which can be
exploited to execute DDoS attacks. Implement security controls to fix the detected security
issues.
• Keep a backup internet connection – a backup connection with a separate pool of IP
addresses provides an alternate path in case the primary circuit is flooded with requests.

• Configure WAF rules to filter out the malicious IPs – Configure your WAF firewall with custom
rules to monitor and filter out traffic based on your requirements.

3. Cloud Misconfiguration
Three-quarters of all enterprises on the cloud are suffering from some sort of cloud
misconfiguration, which affects security. Common weaknesses include default passwords,
inadequate access restrictions, mismanaged permission controls, inactive data encryption, and
many more. Many of these vulnerabilities result from insider threats and a lack of security
awareness.

Another way companies introduce vulnerabilities is by attempting to personalize their cloud
usage through setting changes or plug-ins. These ad-hoc changes can cause configuration drift,
which creates availability, management, and security problems.
Tips to Overcome Cloud Misconfiguration Error

• Get to know your Cloud – Learn all the services, settings, and permissions of your cloud
services, and never forget to leverage the benefits of integrated security features.
• Modify credentials and permissions – thoroughly check the default credentials and set up
multi-factor authentication to ensure an extra layer of security.
• Regularly audit your cloud assets – Don’t assume that properly configured cloud settings will
remain the same for a long time. Proper auditing and monitoring can help you to identify the
signs of misconfiguration.
• Choose the right security solutions – The best cloud security service providers like Indusface
can provide a complete package of features, which includes security management, threat
detection, and intrusion prevention.

4. Data Leaks and Data Breaches

The largest and most critical cloud computing threat for organizations today is the loss of personal
and sensitive information and data – both inadvertently and deliberately. The risk of data
breaches increases as more companies allow their employees to use personal devices for
work without implementing a robust security policy in place. Using personal devices to
access storage services like OneDrive or Dropbox increases security risks, especially when
older OS versions are used. Another way in which sensitive information can be leaked is due
to insider threats. Storing sensitive data and passwords in a plain text file can mean it is
susceptible if the attackers get their hands on it.

This risk is especially high in the cloud because it is a shared environment: a single
vulnerability in the cloud can open the whole environment to compromise, leading to data
breaches and loss.

Tips to avoid the risk of Data Leaks

• Encrypt Data – Sensitive data should not be in your cloud environment without being
encrypted.
• Change Passwords – Store all your passwords in a safer place. Be smarter when you choose a
password and increase the frequency with which passwords are changed.
• Set Permissions – Not all employees need the same level of access to your sensitive files.
Assign permissions based on a ‘need to know’ basis to prevent the wrong people from
accessing.
• Educate your staff – Train your staff to prevent them from inadvertently leaking sensitive
information.

5. Insecure API
The adoption of APIs is advantageous for businesses, but it is a nightmare for the security
team.

Though APIs are meant to streamline cloud computing processes, they are not always black
& white. There is a gray area where APIs if left unsecured can allow hackers to exploit
private details. Insufficient API security is one of the major causes of cloud data
breaches. Gartner predicts that by 2022, APIs will be the most common vector used
frequently in cyber-attacks.
Best Practices for API security

• Comprehensive authentication & authorization policies – APIs should be designed with
tokens, signatures, quotas, encryption, API gateways, etc., to ensure API security.
• Web Application Firewalls – apply web-based vulnerability exploit defense to APIs in the
cloud.
• Choose a standard API framework – rely only on APIs that are designed with security in
mind. Examine their security aspects and decide whether they are secure enough to integrate
third-party apps.

Wrapping up

The shift to a cloud environment provides companies much-needed scalability and flexibility to
remain competitive in an unstable business environment. At the same time, remember that cloud
migration exposes your firm to security vulnerabilities if you don’t leverage security best
practices. Don’t let this happen to you. Be proactive and prevent them at the first attempt!

Top 15 Cloud Security Issues,
Threats and Concerns
Nearly 94% of organizations state that they are "moderately to extremely concerned"
about cloud security. Here are the main reasons why there's so much worry
surrounding cloud security:

• Many organizations have a hard time figuring out where cloud provider's
security responsibilities end and their own responsibilities begin.
• There's a lack of visibility into exactly how providers house and protect cloud-
based data and assets.
• The expansiveness of the cloud significantly increases the attack surface.
• Many tried-and-tested security controls (e.g., traditional firewalls and IDSes)
are less effective when protecting cloud workloads and assets.

Let's dive into the top cloud security risks you must plan for to stay safe while
operating in the cloud.

According to Gartner, 99% of all cloud security failures will be due to human error by
2025. Stay safe by ensuring teams understand cloud-related risks and their role in
keeping threats at bay.

94% of organizations are moderately to extremely concerned about cloud
security. When asked about what are the biggest security threats facing
public clouds, organizations ranked misconfiguration (68%) highest,
followed by unauthorized access (58%), insecure interfaces (52%), and
hijacking of accounts (50%). Here we discuss the top cloud security threats
and concerns in the market today.

Main Cloud Security Issues and Threats in 2023

Almost every organization has adopted cloud computing to varying degrees
within their business. However, with this adoption of the cloud comes the
need to ensure that the organization’s cloud security strategy is capable of
protecting against the top threats to cloud security.

Misconfiguration
Misconfigurations of cloud security settings are a leading cause of cloud
data breaches. Many organizations’ cloud security posture
management strategies are inadequate for protecting their cloud-based
infrastructure.

Several factors contribute to this. Cloud infrastructure is designed to be
easily usable and to enable easy data sharing, making it difficult for
organizations to ensure that data is only accessible to authorized parties.
Also, organizations using cloud-based infrastructure do not have
complete visibility and control over their infrastructure, meaning that they
need to rely upon security controls provided by their cloud service provider
(CSP) to configure and secure their cloud deployments. Since many
organizations are unfamiliar with securing cloud infrastructure and often
have multi-cloud deployments – each with a different array of vendor-
provided security controls – it is easy for a misconfiguration or security
oversight to leave an organization’s cloud-based resources exposed to
attackers.

Unauthorized Access
Unlike an organization’s on-premises infrastructure, their cloud-based
deployments are outside the network perimeter and directly accessible
from the public Internet. While this is an asset for the accessibility of this
infrastructure to employees and customers, it also makes it easier for an
attacker to gain unauthorized access to an organization’s cloud-based
resources. Improperly configured security or compromised credentials can
enable an attacker to gain direct access, potentially without an
organization’s knowledge.
Insecure Interfaces/APIs
CSPs often provide a number of application programming interfaces (APIs)
and interfaces for their customers. In general, these interfaces are well-
documented in an attempt to make them easily usable for a CSP’s
customers.

However, this creates potential issues if a customer has not properly
secured the interfaces for their cloud-based infrastructure. The
documentation designed for the customer can also be used by a
cybercriminal to identify and exploit potential methods for accessing and
exfiltrating sensitive data from an organization’s cloud environment.

Hijacking of Accounts
Many people have extremely weak password security, including password
reuse and the use of weak passwords. This problem exacerbates the
impact of phishing attacks and data breaches since it enables a single
stolen password to be used on multiple different accounts.

Account hijacking is one of the more serious cloud security issues as
organizations are increasingly reliant on cloud-based infrastructure and
applications for core business functions. An attacker with an employee’s
credentials can access sensitive data or functionality, and compromised
customer credentials give full control over their online account. Additionally,
in the cloud, organizations often lack the ability to identify and respond to
these threats as effectively as for on-premises infrastructure.

Lack of Visibility
An organization’s cloud-based resources are located outside of the
corporate network and run on infrastructure that the company does not
own. As a result, many traditional tools for achieving network visibility are
not effective for cloud environments, and some organizations lack cloud-
focused security tools. This can limit an organization’s ability to monitor
their cloud-based resources and protect them against attack.

External Sharing of Data
The cloud is designed to make data sharing easy. Many clouds provide the
option to explicitly invite a collaborator via email or to share a link that
enables anyone with the URL to access the shared resource.

While this easy data sharing is an asset, it can also be a major cloud
security issue. The use of link-based sharing – a popular option since it is
easier than explicitly inviting each intended collaborator – makes it difficult
to control access to the shared resource. The shared link can be forwarded
to someone else, stolen as part of a cyberattack, or guessed by a
cybercriminal, providing unauthorized access to the shared resource.
Additionally, link-based sharing makes it impossible to revoke access to
only a single recipient of the shared link.

Malicious Insiders
Insider threats are a major security issue for any organization. A malicious
insider already has authorized access to an organization’s network and
some of the sensitive resources that it contains. Attempts to gain this level
of access are what reveal most attackers to their target, making it hard for
an unprepared organization to detect a malicious insider.

On the cloud, detection of a malicious insider is even more difficult. With
cloud deployments, companies lack control over their underlying
infrastructure, making many traditional security solutions less effective.
This, along with the fact that cloud-based infrastructure is directly
accessible from the public Internet and often suffers from security
misconfigurations, makes it even more difficult to detect malicious insiders.

Cyberattacks
Cybercrime is a business, and cybercriminals select their targets based
upon the expected profitability of their attacks. Cloud-based infrastructure is
directly accessible from the public Internet, is often improperly secured, and
contains a great deal of sensitive and valuable data. Additionally, the cloud
is used by many different companies, meaning that a successful attack can
likely be repeated many times with a high probability of success. As a
result, organizations’ cloud deployments are a common target of
cyberattacks.

Denial of Service Attacks
The cloud is essential to many organizations’ ability to do business. They
use the cloud to store business-critical data and to run important internal
and customer-facing applications.

This means that a successful Denial of Service (DoS) attack against cloud
infrastructure is likely to have a major impact on a number of different
companies. As a result, DoS attacks where the attacker demands a ransom
to stop the attack pose a significant threat to an organization’s cloud-based
resources.

Main Cloud Security Concerns in 2023
In the Cloud Security Report, organizations were asked about their major
security concerns regarding cloud environments. Despite the fact that many
organizations have decided to move sensitive data and important
applications to the cloud, concerns about how they can protect it there
abound.

Data Loss/Leakage
Cloud-based environments make it easy to share the data stored within
them. These environments are accessible directly from the public Internet
and include the ability to share data easily with other parties via direct email
invitations or by sharing a public link to the data.

The ease of data sharing in the cloud – while a major asset and key to
collaboration in the cloud – creates serious concerns regarding data loss or
leakage. In fact, 69% of organizations point to this as their greatest
cloud security concern. Data sharing using public links or setting a cloud-
based repository to public makes it accessible to anyone with knowledge of
the link, and tools exist specifically for searching the Internet for these
unsecured cloud deployments.

Data Privacy/Confidentiality
Data privacy and confidentiality are a major concern for many organizations.
Data protection regulations like the EU’s General Data Protection
Regulation (GDPR), the Health Insurance Portability and Accountability Act
(HIPAA), the Payment Card Industry Data Security Standard (PCI DSS)
and many more mandate the protection of customer data and impose strict
penalties for security failures. Additionally, organizations have a large
amount of internal data that is essential to maintaining competitive
advantage.

Placing this data on the cloud has its advantages but also has created
major security concerns for 66% of organizations. Many organizations have
adopted cloud computing but lack the knowledge to ensure that they and
their employees are using it securely. As a result, sensitive data is at risk of
exposure – as demonstrated by a massive number of cloud data breaches.

Accidental Exposure of Credentials
Phishers commonly use cloud applications and environments as a pretext
in their phishing attacks. With the growing use of cloud-based email (G
Suite, Microsoft 365, etc.) and document sharing services (Google Drive,
Dropbox, OneDrive), employees have become accustomed to receiving
emails with links that might ask them to confirm their account credentials
before gaining access to a particular document or website.

This makes it easy for cybercriminals to learn an employee’s credentials for
cloud services. As a result, accidental exposure of cloud credentials is a
major concern for 44% of organizations since it potentially compromises
the privacy and security of their cloud-based data and other resources.

Incident Response
Many organizations have strategies in place for responding to internal
cybersecurity incidents. Since the organization owns all of their internal
network infrastructure and security personnel are on-site, it is possible to
lock down the incident. Additionally, this ownership of their infrastructure
means that the company likely has the visibility necessary to identify the
scope of the incident and perform the appropriate remediation actions.

With cloud-based infrastructure, a company only has partial visibility and
ownership of their infrastructure, making traditional processes and security
tools ineffective. As a result, 44% of companies are concerned about their
ability to perform incident response effectively in the cloud.

Legal and Regulatory Compliance
Data protection regulations like PCI DSS and HIPAA require organizations
to demonstrate that they limit access to the protected information (credit
card data, healthcare patient records, etc.). This could require creating a
physically or logically isolated part of the organization’s network that is only
accessible to employees with a legitimate need to access this data.

When moving data protected by these and similar regulations to the cloud,
achieving and demonstrating regulatory compliance can be more difficult.
With a cloud deployment, organizations only have visibility and control into
some of the layers of their infrastructure. As a result, legal and regulatory
compliance is considered a major cloud security issue by 42% of
organizations and requires specialized cloud compliance solutions.

Data Sovereignty/Residence/Control
Most cloud providers have a number of geographically distributed data
centers. This helps to improve the accessibility and performance of cloud-
based resources and makes it easier for CSPs to ensure that they are
capable of maintaining service level agreements in the face of business-
disrupting events such as natural disasters, power outages, etc.

Organizations storing their data in the cloud often have no idea where their
data is actually stored within a CSP’s array of data centers. This creates
major concerns around data sovereignty, residence, and control for 37% of
organizations. With data protection regulations such as the GDPR limiting
where EU citizens’ data can be sent, the use of a cloud platform with data
centers outside of the approved areas could place an organization in a
state of regulatory non-compliance. Additionally, different jurisdictions have
different laws regarding access to data for law enforcement and national
security, which can impact the data privacy and security of an
organization’s customers.

Protecting the Cloud
The cloud provides a number of advantages to organizations; however, it
also comes with its own security threats and concerns. Cloud-based
infrastructure is very different from an on-premises data center, and
traditional security tools and strategies are not always able to secure it
effectively. For more information about leading cloud security issues and
threats, download the Cloud Security Report.

Some other cloud security challenges and risks are:

• Unmanaged attack surface: When organizations migrate to the cloud without
understanding how to secure their data, sensitive information and resources are left
vulnerable to exploitation by attackers, resulting in many issues.
• Human error: From using weak passwords to falling victim to phishing scams,
human error is a common issue that puts cloud security systems at risk. Statistics
show that 88% of cloud-based data breaches are attributed to human error.
• Inadequate change control: When change management and control protocols are
inadequate or neglected, unnoticed misconfigurations can occur, resulting in
unauthorized access, data breaches, and data leaks.

Types of Cloud Security Solutions

Today, organizations leverage multiple types of cloud security solutions to safeguard
their data. These solutions can be used together to establish a holistic and effective
cloud security strategy.

Identity and Access Management (IAM)

IAM manages user identities and access to cloud resources. It ensures proper
authentication, authorization, and user management to prevent unauthorized access
while providing granular control over who can access specific cloud resources and what
actions they can perform.

Network and Device Security

Network and device security reinforces cloud infrastructure and devices against
network-level attacks and ensures proper configuration. This cloud security solution –
which includes firewalls, IdPs, and VPNs – helps protect against DDoS attacks, malware,
and other external threats. Endpoint protection and mobile device management can
also help secure devices used to access cloud resources.

Security Monitoring and Alerting

Continuous monitoring, detection, and alerts use tools like IdPs and SIEM systems to
provide real-time monitoring of cloud resources and help organizations respond quickly
to security threats. Security monitoring solutions also collect and analyze data from
various sources to identify potential security incidents and generate alerts.

Cloud Access Security Broker (CASB)

CASBs are a type of cloud security system that acts as a gatekeeper between an
organization’s on-premises infrastructure and the cloud. They can effectively monitor
and enforce security policies across all cloud applications and services, enabling
organizations to gain visibility into cloud usage and enforce compliance with regulatory
requirements.

Data Security

Data Security protects data from unauthorized access, tampering, and loss, using
encryption, data masking, and access controls. It includes securing data at rest, in
transit, and in use. Data loss prevention (DLP) solutions, access control solutions, and
encryption solutions can be used to protect sensitive data in the cloud.

Disaster Recovery and Business Continuity Planning

This vital solution involves planning strategies to restore cloud services during a
disaster and minimize downtime. Disaster recovery involves identifying critical data
and applications and establishing recovery time objectives (RTOs) and recovery point
objectives (RPOs) to ensure that data and applications can be restored within
acceptable timeframes.

Legal Compliance

Legal compliance ensures that cloud services comply with legal and regulatory
requirements, including data privacy and protection. Compliance with regulations such
as HIPAA, GDPR, and CCPA is critical for organizations that handle sensitive data. Legal
compliance involves implementing appropriate controls to protect data privacy and
ensuring that cloud services meet regulatory requirements.

Governance

Governance establishes policies and procedures to govern cloud service usage and
ensure proper risk management and compliance reporting. It ensures that cloud
services comply with industry regulations and standards. Governance involves
identifying and managing risks associated with cloud services and establishing
appropriate controls to mitigate them. It also involves establishing policies and
procedures for data classification, access control, and incident response.

Cloud Security Safety Tips

Using cloud computing systems might seem inherently secure. But this misconception
couldn’t be further from the truth. Both individuals and organizations should employ
cloud security tips and best practices to protect their assets against attacks and data
breaches.

Some of the most reliable tips from cloud security resources include:
• Implement a strong password policy and multi-factor authentication.
• Encrypt data both in transit and at rest.
• Regularly back up data and test the recovery process.
• Implement security monitoring and logging to detect and respond to threats.
• Keep systems and software current with the latest patches and updates.
• Limit access to sensitive data and applications to only authorized personnel.
• Conduct regular security audits and risk assessments.
• Establish a clear security incident response plan.
• Train employees on security best practices and make them aware of potential threats.
• Choose a reliable cloud service provider with a good security track record.

In addition to the procedures that organizations implement internally, using the
support of a CASB can be an invaluable investment to reinforce cloud protection.

A CASB service provides four key types of cloud security system management:
• Visibility. This is a consolidated view of an organization’s cloud service landscape,
including details about users accessing data in cloud services from any device or
location.
• Data Security. Some CASBs provide the ability to enforce data security policies to
prevent unwanted activity. Policies are applied through data loss prevention (DLP)
controls such as audit, alert, block, quarantine, delete and view only.
• Threat Protection. CASBs provide adaptive access controls to prevent unwanted
devices, users, and certain versions of apps from accessing cloud services. Cloud app
access can be changed based on signals observed during and after login.
• Compliance. CASBs help organizations demonstrate that they are governing the use
of cloud services. CASBs assist efforts to conform to data residency and
regulatory compliance requirements.[2]

Cloud Security Threats & Vulnerabilities

Cyber criminals often exploit vulnerabilities and weaknesses in cloud security to gain
access to valuable data and assets. Once attackers get their hands on cloud account
credentials, they impersonate legitimate users. They can trick your people into wiring
money to them or releasing corporate data. They can also hijack email accounts to
distribute spam and phishing emails.

A study of more than 1,000 cloud service tenants with over 20 million user accounts
found over 15 million unauthorized login attempts in the first half of 2019 alone. More
than 400,000 of these attempts resulted in successful logins. About 85% of tenants were
targeted by cyber-attacks, and 45% had at least one compromised account in their
environment.[3]

Cyber criminals tend to target popular SaaS applications like Microsoft Office 365 and
Google G Suite. Just about everyone at your company uses these applications, which
hold the key to business communication and vital data. Attackers use a variety of
techniques and exploit several vulnerabilities to compromise cloud account credentials
and take advantage of vulnerable users, including:

• Intelligent Brute-Force Attacks: Brute-force attacks are a trial-and-error technique
in which the attacker submits many username and password combinations until
something works. What makes such attacks intelligent is the use of automated tools
to try the many username and password combinations found in large credential
dumps.
• Advanced Phishing Campaigns: Otherwise known as credential phishing, these
targeted and well-crafted campaigns come in various forms and deceive people into
revealing their authentication credentials. Attackers usually carry out phishing via
socially engineered emails.
• Password Recycling: This common cloud security threat is characterized by the
same password used across multiple accounts. If an attacker gets their hands on an
account’s credentials from an unrelated data breach, they can leverage password
recycling to breach other sensitive accounts and data.
• Data Loss and IP Theft: On any typical business day, people share information with
colleagues, partners, and others via cloud-based collaboration or messaging tools.
But lack of employee training on cloud security or worker malice could result in
sharing sensitive data with those who shouldn’t be able to see it.
• Malicious File Shares: Phishing links, credential stealers, and downloaders are
typically used in these types of attacks. Threat actors also distribute malware via
cloud services such as Dropbox.
• Data Breaches: One of the most significant risks associated with cloud security is the
potential for a data breach. Hackers can gain access to cloud-based systems and steal
sensitive information, such as financial data, personal information, or intellectual
property.
• Shadow IT: People and departments within an enterprise often deploy new cloud
apps and services without the approval, or even awareness, of IT security managers.
These services may result in data loss, data oversharing, compliance issues, and
more.
• Insider Threats: Employees or contractors with access to cloud-based systems can
intentionally or unintentionally cause data breaches, steal data, or leak sensitive
information.
• Distributed Denial of Service (DDoS) Attacks: Cloud-based systems can be
targeted by DDoS attacks that overload the system and prevent legitimate users from
accessing cloud resources.
• Insecure APIs: Application programming interfaces (APIs) used to access cloud-
based services can be vulnerable to attacks, such as injection attacks or man-in-the-
middle attacks.
• Shared Infrastructure Vulnerabilities: Cloud-based systems often use shared
infrastructure, which means a vulnerability in one customer’s system could
potentially expose data for all customers on the same infrastructure.

• Compliance Risks: Cloud-based systems must comply with various regulations and
standards, such as HIPAA, PCI-DSS, and GDPR. Failure to comply with these
regulations can result in legal and financial penalties.
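
The brute-force and password-recycling bullets above, like the Hijacking of Accounts section earlier, describe attacks whose common tell is a single source producing many failed logins across many accounts, sometimes followed by a success. The following is an added example, not code from the original notes or from any product: detection logic for that pattern, run over constructed authentication log lines. The log format, the 10-minute sliding window and the thresholds are assumptions for this example; the addresses come from the documentation ranges.

```python
"""Added example (not from the original notes): detection logic for the
credential attacks described above, run over constructed authentication log
lines.  The log format, the 10-minute window and the thresholds are assumptions
for this example, not any product's real schema or defaults."""
from __future__ import annotations
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


@dataclass(frozen=True)
class Alert:
    src: str
    kind: str            # "credential-stuffing" or "success-after-burst"
    user: Optional[str]  # account involved, where one applies
    failures: int


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines instead of crashing the detector
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"}


def detect(lines, window=timedelta(minutes=10), max_failures=10, min_users=5):
    """Per source address, track failures inside a sliding time window."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts: list[Alert] = []
    for src, evs in by_src.items():
        recent: deque = deque()   # failures from src that fall inside the window
        peak, peak_users = 0, set()
        for e in evs:
            while recent and e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if e["ok"]:
                # a success right after a burst of failures from the same source
                # is the signature of a guessed or stuffed credential
                if len(recent) >= max_failures:
                    alerts.append(Alert(src, "success-after-burst", e["user"], len(recent)))
                continue
            recent.append(e)
            if len(recent) > peak:
                peak, peak_users = len(recent), {f["user"] for f in recent}
        # many failures across many accounts from one source: stuffing or spraying,
        # which a per-account lockout threshold alone would never trip
        if peak >= max_failures and len(peak_users) >= min_users:
            alerts.append(Alert(src, "credential-stuffing", None, peak))
    return alerts


# Constructed sample log: one benign typo-and-retry, one normal login, then a
# burst of 12 failures over 6 accounts from a single address followed by a
# success on one of them.  Addresses are from the documentation ranges.
_BASE = datetime(2023, 5, 1, 9, 10, 0)
_USERS = ["alice", "carol", "dave", "erin", "frank", "grace"]
SAMPLE_LOG = [
    "2023-05-01T09:00:00Z src=198.51.100.7 user=bob result=FAIL",
    "2023-05-01T09:00:20Z src=198.51.100.7 user=bob result=OK",
    "2023-05-01T09:05:00Z src=192.0.2.44 user=alice result=OK",
] + [
    (_BASE + timedelta(seconds=15 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
    + f" src=203.0.113.5 user={_USERS[i % 6]} result=FAIL"
    for i in range(12)
] + ["2023-05-01T09:14:00Z src=203.0.113.5 user=dave result=OK"]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The two signals are deliberately separate: the stuffing alert fires on the source address regardless of outcome, while the success-after-burst alert names the account that needs a credential reset and session revocation. Keying on the source address is what makes password spraying (two failures per account, hundreds of accounts) visible, since the per-account lockout counters the notes' "weak password" discussion relies on never reach their threshold.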

Enterprises face growing cloud compliance risks in the face of ever-changing
cybersecurity regulations. Government and industry regulations require you to know
where your data is in the cloud and how it is being shared. The European Union General
Data Protection Regulation (GDPR) affects millions of organizations. That’s why
developing a plan to comply with the new rules is critical for all organizations.

Today’s attacks target people, not technology. This is just as true for the cloud as it is on-
premises. As businesses move their messaging and collaboration platforms from the
corporate network to the cloud, they become vulnerable to attack.

Tips for Cloud Security Protection

Fortunately, many security strategies are available for organizations and cybersecurity
teams to increase cloud security. From limiting access to cloud-based resources to
encrypting and backing-up data, here are several tips for cloud security protection:

Protect Against Cloud-Based Security Threats

It’s worth repeating: Cyber criminals tend to target people, not technology, with popular
cloud-delivered SaaS applications such as Microsoft Office 365 or Google G Suite. A
CASB with a broad complement of cloud security solutions offers the best defense
against today’s people-centric threats.

Use Strong Authentication Mechanisms

Multi-factor authentication (MFA) is a critical and easy-to-implement security control
that requires users to provide multiple forms of authentication to access cloud
resources. This can include a password, PIN, biometric information, or something the
user has, like a token or smart card. MFA significantly reduces the risk of unauthorized
access to cloud resources, even if a user’s password is compromised.
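
The "something the user has" factor is most often a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app. The following is an added example, not code from the original notes or from any vendor's MFA product: the TOTP algorithm and a server-side verifier that tolerates one step of clock drift but refuses to accept a code twice. The secret is the reference secret from RFC 6238 so the output can be compared with the RFC's published test vectors; the verifier class and its drift/replay policy are assumptions for this example.

```python
"""Added example (not from the original notes): a TOTP (RFC 6238) second
factor as the "something the user has" the section describes.  Illustrative
code, not any product's MFA implementation; the RFC 6238 reference secret is
used so results can be checked against the published test vectors."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC6238_SECRET = b"12345678901234567890"  # ASCII secret from RFC 6238 Appendix B


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of `step`-second periods."""
    return hotp(secret, at // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; pad and decode."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check: accept codes from adjacent steps (clock drift) but
    never accept a step at or before the last one that was consumed (replay)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_counter = -1  # per-user state; persist it in a real deployment

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        at = int(time.time()) if at is None else at
        counter = at // self.step
        for k in range(-self.drift, self.drift + 1):
            candidate = counter + k
            if candidate <= self.last_counter:
                continue  # already consumed: a captured code must not work twice
            # constant-time comparison so timing does not leak matching prefixes
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B, SHA-1, 8 digits: time 59 -> 94287082
    print(totp(RFC6238_SECRET, 59, digits=8))
    v = TotpVerifier(RFC6238_SECRET, digits=8)
    print(v.verify("94287082", 59), v.verify("94287082", 59))  # True, then False
```

The replay guard matters because a phished or shoulder-surfed code stays valid for the rest of its 30-second step plus the drift allowance; remembering the last accepted counter per user closes that window. TOTP is still phishable in real time, which is why the notes' later point about people-centric attacks applies even with MFA enabled.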

Limit Access to Cloud Resources

Another vital strategy hinges on access controls, particularly limiting access to cloud
resources to users who require it. This can include implementing role-based access
controls, where users are granted permissions based on their role within the
organization, or using network segmentation to restrict access to specific cloud
resources.

Back-Up Your Data

Data backups are a cloud security best practice for data recovery in case of a data leak
or security breach. Backups should be performed regularly and stored in a secure
location separate from your primary data storage. In addition to helping you recover
from a data loss, backups also help you comply with regulatory requirements and
ensure business continuity.

Keep Systems Up to Date

Keeping software and systems up to date is an essential security control that helps
mitigate the risk of known vulnerabilities. This includes applying security patches and
updates as soon as they become available, as well as regularly updating antivirus and
other security software.

Train Your Employees

Security awareness training is a powerful element of any security program. By
educating employees on cloud security best practices, you can help them understand
the importance of security and their role in protecting the organization’s data and
systems. This can include training on password management, phishing awareness, and
social engineering detection.

Regularly Monitor Your Cloud Resources

Monitoring is an essential security control that lets you quickly detect and respond to
security incidents. This can include monitoring network traffic, system logs, and user
activity to identify suspicious behavior and potential security threats.

Stay in Compliance

As your employees, contractors and partners share more data in the cloud, the risk of a
breach increases. You need risk-aware cloud security that connects the dots to detect
and prevent such breaches. In addition, compliance with government regulations and
industry mandates is essential. These include the following: personally identifiable
information (PII) such as Social Security numbers or date of birth; consumer payment
card information (PCI); and protected health information (PHI) such as medical records.
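
The data classes listed here (PII such as Social Security numbers, payment card data) are what the DLP controls described in the CASB section earlier act on, with their audit, alert, block and quarantine outcomes. The following is an added example, not code from the original notes or from any CASB vendor: a small DLP scanner that finds those data classes in constructed messages and maps the strictest match to a policy action. The patterns, the policy table and the sample messages are assumptions for this example; the card number is the widely used test number, not a real account.

```python
"""Added example (not from the original notes): a small DLP scanner that
detects the data classes the section names (PII such as SSNs, PCI card numbers)
in constructed messages and maps them to the CASB actions listed earlier
(audit, alert, block, quarantine).  Patterns, policy table and samples are
assumptions for this example, not any vendor's rule set."""
import re
from dataclasses import dataclass, field

# 13-19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN, excluding area 000/666/9xx, group 00 and serial 0000 (never issued)
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Actions ordered from least to most restrictive; the strictest match wins.
ACTIONS = ["allow", "audit", "alert", "quarantine", "block"]
POLICY = {"pci-card": "block", "ssn": "quarantine"}


def luhn_ok(number: str) -> bool:
    """Luhn checksum: keeps order and phone numbers out of the card matches."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    digits = "".join(c for c in value if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list:
    """Return (kind, masked_value) for every detected sensitive value."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append(("pci-card", mask(m.group())))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    return findings


@dataclass
class Decision:
    action: str
    findings: list = field(default_factory=list)


def decide(text: str, policy: dict = POLICY) -> Decision:
    """Escalate to the most restrictive action any finding's policy requires."""
    findings = scan(text)
    action = "allow"
    for kind, _ in findings:
        candidate = policy.get(kind, "audit")
        if ACTIONS.index(candidate) > ACTIONS.index(action):
            action = candidate
    return Decision(action, findings)


# Constructed sample messages (the card number is the common test number).
SAMPLE_MESSAGES = {
    "shipping": "Hi Sam, order 1234567890123 shipped this morning.",
    "billing": "Card on file: 4111 1111 1111 1111, exp 12/26, please update.",
    "hr": "Applicant SSN 123-45-6789, DOB 1990-01-02, attached for review.",
}

if __name__ == "__main__":
    for label, text in SAMPLE_MESSAGES.items():
        d = decide(text)
        print(f"{label:9s} -> {d.action:10s} {d.findings}")
```

The Luhn check is what keeps the 13-digit order number in the first message from being blocked as a card number; without it, a regex-only rule would generate the false positives that make users route around DLP. Masking in the findings means the DLP audit log itself does not become a new copy of the regulated data.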

Manage Cloud Apps in Your Environment

Given the proliferation of cloud-delivered apps, governance of the use of those apps is
essential. The average enterprise has an estimated 1,000 cloud apps, and some have
serious cloud security gaps. They can violate data residency regulations, such as GDPR.
In addition, attackers often use third-party add-ons and social engineering to trick
people into granting broad access to your approved SaaS apps.

Cloud-app governance capabilities provide critical visibility into cloud
security threats. They also provide important controls that alert and coach end users
and set up automated responses for cloud access, such as “allow,” “read-only,” or
“block.”

In addition to these tips, a CASB with a broad complement of cloud security solutions
with robust detection, remediation, and risk-based authentication capabilities offers the
best defense against today’s people-centric threats, including brute-force attacks,
phishing attacks, and malicious file shares.

What Does a Robust Cloud Security Strategy Include?
A robust cloud security strategy entails several key elements. These include:
• A robust user security system that involves multi-factor authentication (MFA) and
role-based access control to prevent unauthorized access.
• Clear policies and procedures on data handling, change management, and internal
communications within the cloud service provider’s organization.
• Highly secure cloud protection solutions that use dedicated encryption keys,
computational resources, network links, and storage infrastructure.
• Secure APIs, including the tracking, configuration, and monitoring of the attack
surface provided by APIs.
• Disaster recovery and redundancy procedures to ensure business continuity in the
event of a security breach or disaster.
• Risk assessment frameworks with recurring vulnerability analysis to improve static
and dynamic security policies.
• Cybersecurity solutions integrated into the cloud, including defined principles,
solutions, and architectures that prevent security vulnerabilities in their early stages.

These elements, along with maintaining confidentiality, integrity, and availability (CIA),
are fundamental to establishing a resilient cloud security architecture that prevents
cyber-attacks and employs targeted action when and where needed.

11 top cloud security threats

1. Insufficient identity, credential, access and key management

Concerns about identity and access are foremost in the minds of cybersecurity pros, according
to the CSA report. “Access is at the top of the list this year because protecting your data starts
and ends with access,” says Yeoh.

Forrester Vice President and Principal Analyst Andras Cser agreed. “Identity and access in a
CSP’s platforms are everything,” he says. “If you have the keys to the kingdom, you can’t just
enter it but reconfigure it—a major threat to operational stability and security of any
organization.”

“Attackers no longer try to brute-force their way into enterprise infrastructure,” adds Hank
Schless, a senior manager for security solutions at Lookout, a provider of mobile phishing
solutions. “With so many ways to compromise and steal corporate credentials, the preferred
tactic is to pose as a legitimate user in order to avoid detection.”

As more organizations migrate their applications to the cloud, identity management continues
to be a hot button issue, asserts Tushar Tambay, vice president of product development for data
protection solutions at Entrust, a digital security and credential issuance company. “With many
companies still working remotely as well, IT teams have to verify the identities of employees
working from anywhere at any time on any device,” he says. “Additionally, businesses are
engaging with customers and partners in the cloud.”

Tambay adds that key management needs to be prioritized, too. “Strong key management can
keep data secure and help ensure that trusted parties only have access to data that is absolutely
necessary,” he says. “Unfortunately, securing data through encryption can often cause a bit of a
key management headache due to the growing number of keys.”

Identity management is almost entirely on the user to manage properly, says Daniel Kennedy,
research director for information security and networking at 451 Research. “The cloud
providers provide help, but the flexibility of cloud platforms comes with a requirement to
effectively manage user and system access and privileges,” he says. “It’s one of the primary
responsibilities of the enterprise leveraging cloud in a shared responsibility model, and thus
figures prominently in their assessment of risk.”

Key takeaways about access and identity management identified in the report include:

• Hardened defenses at the core of enterprise architectures have shifted hacking to
endpoint user identity as low-hanging fruit.

• Discrete user and application-based isolation is required to achieve a robust zero trust-
layer beyond simple authentication.

• Advanced tools are only part of the story, such as cloud infrastructure entitlement
management (CIEM). Operational policies and structured risk models are also vital.

• Trust is more than giving keys and codes. It’s earned. User objects must be given risk
scores that dynamically adjust as the business requires.

2. Insecure interfaces and APIs
APIs and similar interfaces potentially include vulnerabilities due to misconfiguration, coding
vulnerabilities, or a lack of authentication and authorization among other things, the report
stated. These oversights can potentially leave them vulnerable to malicious activity.

It added that organizations face a challenging task in managing and securing APIs. For
example, the velocity of cloud development is greatly accelerated. Processes that took days or
weeks using traditional methods can be completed in seconds or minutes in the cloud. Using
multiple cloud providers also adds complexity, it continues, as each provider has unique
capabilities that are enhanced and expanded almost daily. This dynamic environment requires
an agile and proactive approach to change control and remediation that many companies have
not mastered.

Key takeaways about APIs include:

• The attack surface provided by APIs should be tracked, configured, and secured.

• Traditional controls and change management policies and approaches need to be
updated to keep pace with cloud-based API growth and change.

• Companies should embrace automation and employ technologies that monitor
continuously for anomalous API traffic and remediate problems in near real time.

3. Misconfiguration and inadequate change control

Misconfigurations are the incorrect or sub-optimal setup of computing assets that may leave
them vulnerable to unintended damage or external and internal malicious activity, the report
explained. Lack of system knowledge or understanding of security settings and nefarious
intentions can result in misconfigurations.

A serious problem with misconfiguration errors is they can be magnified by the cloud. “One of
the biggest advantages of the cloud is its scalability and the way it enables us to create
interconnected services for smoother workflows,” Schless says. “However, this also means that
one misconfiguration can have magnified ramifications across multiple systems.”

Due to an automated continuous integration/continuous delivery (CI/CD) pipeline,
misconfigurations and vulnerabilities not identified during build time are automatically
deployed to production, says Ratan Tipirneni, president and CEO of Tigera, a provider of
security and observability for containers, Kubernetes and the cloud. “Misconfigurations and
vulnerabilities in images are passed on to all containers created from those images.”

Key takeaways about misconfiguration and inadequate change control include:

1. Companies need to embrace available technologies that scan continuously for
misconfigured resources to allow remediation of vulnerabilities in real-time.

2. Change management approaches must reflect the unceasing and dynamic nature of
continuous business transformations and security challenges to ensure approved
changes are made properly using real-time automated verification.

4. Lack of cloud security architecture and strategy

The fast pace of change and the prevalent, decentralized, self-service approach to cloud
infrastructure administration hinder the ability to account for technical and business
considerations and conscious design, the report notes. However, it added, security
considerations and risks must not be ignored if cloud endeavors are to be successful and safe.

Those problems can be compounded when multiple cloud providers are involved. “Leveraging
cloud providers is certainly no longer novel, but the security product space continues to emerge
and evolve around the cloud,” Kennedy says. “As examples, early on we saw cloud workload
security emerge as an approach to provide common third-party security functions.”

“Most security folks looking after cloud security must consider what mix of default controls
from the cloud provider, premium controls from the same, and what third-party security
product offerings address their specific risk profile, and sometimes that profile is different at
the application level. It introduces a lot of complexity in the face of emerging threats,”
Kennedy adds.

Key takeaways about the lack of cloud security architecture and strategy include:

• Companies should consider business objectives, risk, security threats, and legal
compliance in cloud services and infrastructure design and decisions.

• Given the rapid pace of change and limited centralized control in cloud deployments,
it’s more important, not less, to develop and adhere to an infrastructure strategy and
design principles.

• Adopters are advised to consider due diligence and vendor security assessment
foundational practices. They should be complemented with secure design and
integration to avoid the kinds of systemic failures that occurred in the SolarWinds,
Kaseya and Bonobos breaches.

5. Insecure software development
While the cloud can be a powerful environment for developers, organizations need to make
sure developers understand how the shared responsibility model affects the security of their
software. For example, a vulnerability in Kubernetes could be the responsibility of a CSP,
while an error in a web application using cloud-native technologies could be the responsibility
of the developer to fix.

Key takeaways to keep in mind about insecure software development include:

• Using cloud technologies prevents reinventing existing solutions, allowing developers
to focus on issues unique to the business.

• By leveraging shared responsibility, items like patching can be owned by a CSP rather
than the business.

• CSPs place an importance on security and will provide guidance on how to implement
services in a secure fashion.

6. Unsecure third-party resources

According to the CSA report, third-party risks exist in every product and service we consume.
It noted that because a product or service is a sum of all the other products and services it’s
using, an exploit can start at any point in the supply chain for the product and proliferate from
there. Threat actors know they only need to compromise the weakest link in a supply chain to
spread their malicious software, oftentimes using the same vehicles developers use to scale
their software.

Key takeaways about unsecure third-party resources include:

• You can’t prevent vulnerabilities in code or products you didn’t create, but you can
make a good decision about which product to use. Look for the products that are
officially supported. Also, consider those with compliance certifications, that openly
speak about their security efforts, that have a bug bounty program, and that treat their
users responsibly by reporting security issues and delivering fixes quickly.

• Identify and track the third parties you are using. You don’t want to find out you’ve
been using a vulnerable product only when the list of victims is published. This
includes open source, SaaS products, cloud providers, and managed services, and
other integrations you may have added to your application.

• Perform a periodic review of the third-party resources. If you find products you don’t
need, remove them and revoke any access or permissions you may have granted them
into your code repository, infrastructure or application.

• Don’t be the weakest link. Penetration-test your application, teach your developers
about secure coding, and use static application security testing (SAST) and dynamic
application security testing (DAST) solutions.

7. System vulnerabilities
These are flaws in a CSP that can be used to compromise confidentiality, integrity and
availability of data, and disrupt service operations. Typical vulnerabilities include zero days,
missing patches, vulnerable misconfiguration or default settings, and weak or default
credentials that attackers can easily obtain or crack.

Key takeaways about system vulnerabilities include:

• System vulnerabilities are flaws within system components often introduced through
human error, making it easier for hackers to attack your company’s cloud services.

• Post-incident response is a costly proposition. Losing company data can negatively
impact your business’s bottom line in revenue and reputation.

• Security risks due to system vulnerabilities can be greatly minimized through routine
vulnerability detection and patch deployment combined with rigorous IAM practices.

8. Accidental cloud data disclosure

Data exposure remains a widespread problem among cloud users, the report noted, with 55% of
companies having at least one database that’s exposed to the public internet. Many of those
databases have weak passwords or don’t require any authentication at all, making them easy
targets for threat actors.

Key takeaways about accidental cloud data disclosure include:

• Which databases are in the clouds? Review your platform-as-a-service (PaaS)
databases, storage and compute workloads hosting databases, including virtual
machines (VMs), containers, and the database software installed on them.

• What is effectively exposed from the cloud environment? Choose exposure engines
that have full visibility of your cloud environment to identify any routing or network
services that allow traffic to be exposed externally. This includes load balancers,
application load balancers, content delivery networks (CDNs), network peering, and
cloud firewalls.

• Assess external exposure from a Kubernetes cluster. The exposure engine must factor
in many Kubernetes networking components, including cluster IPs, Kubernetes
services, and ingress rules.

• Reduce access exposure by ensuring that the database is configured to the least-
privileged IAM policy, and that assignments of this policy are controlled and
monitored.
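
The first two takeaways (which databases exist, and what is effectively exposed) can be answered by a small script over an inventory of database hosts, ingress rules and load balancers. The following is an added example for these notes, not code from the CSA report; the inventory, its field names and the severity rules are this example's own assumptions.

```python
"""Work out which cloud databases are effectively reachable from the internet.

Added example, not from the CSA report. The inventory below is constructed and
its field names are this example's own, not any cloud provider's API. The point
it makes: a database's own ingress rule is not the whole picture; an
internet-facing load balancer in front of it exposes it just the same.
"""
import ipaddress

DB_PORTS = {"postgres": 5432, "mysql": 3306, "mongodb": 27017, "redis": 6379}

# Constructed inventory of databases, their ingress rules and load balancers.
INVENTORY = {
    "databases": [
        {"name": "orders-pg", "engine": "postgres", "auth_required": True,
         "ingress": [{"cidr": "10.0.0.0/8", "port": 5432}]},
        {"name": "analytics-mongo", "engine": "mongodb", "auth_required": False,
         "ingress": [{"cidr": "0.0.0.0/0", "port": 27017}]},
        {"name": "cache-redis", "engine": "redis", "auth_required": False,
         "ingress": [{"cidr": "10.0.1.0/24", "port": 6379}]},
        {"name": "reports-mysql", "engine": "mysql", "auth_required": True,
         "ingress": [{"cidr": "10.0.2.0/24", "port": 3306}]},
    ],
    "load_balancers": [
        # Internet-facing listener forwarding straight to the MySQL port, so the
        # database's private ingress rule no longer tells the whole story.
        {"name": "legacy-lb", "internet_facing": True,
         "targets": [{"database": "reports-mysql", "port": 3306}]},
    ],
}


def rule_is_public(rule, port):
    """True if the rule opens `port` to the whole internet (0.0.0.0/0 or ::/0)."""
    network = ipaddress.ip_network(rule["cidr"], strict=False)
    return rule["port"] == port and network.prefixlen == 0


def exposure_paths(db, inventory):
    """List every way the database port can be reached from the internet."""
    port = DB_PORTS[db["engine"]]
    paths = []
    if any(rule_is_public(rule, port) for rule in db["ingress"]):
        paths.append("direct ingress from 0.0.0.0/0")
    for lb in inventory["load_balancers"]:
        forwards_here = any(t["database"] == db["name"] and t["port"] == port
                            for t in lb["targets"])
        if lb["internet_facing"] and forwards_here:
            paths.append(f"via internet-facing load balancer {lb['name']}")
    return paths


def assess(inventory):
    """Rate each database: exposed and unauthenticated is the worst case."""
    findings = []
    for db in inventory["databases"]:
        paths = exposure_paths(db, inventory)
        if paths and not db["auth_required"]:
            severity = "critical"
        elif paths:
            severity = "high"
        elif not db["auth_required"]:
            severity = "medium"  # private today, one routing change from critical
        else:
            continue
        findings.append({"database": db["name"], "severity": severity,
                         "auth_required": db["auth_required"], "paths": paths})
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY):
        reach = ", ".join(f["paths"]) or "not internet-reachable"
        print(f"{f['severity']:8} {f['database']}: {reach}")
```

Run against the constructed inventory, `reports-mysql` is rated high even though its own rule only admits a private subnet, because the load balancer in front of it is internet-facing; that is the "effectively exposed" question the takeaway asks, and a real exposure engine extends the same idea to CDNs, peering and firewall rules.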

9. Misconfiguration and exploitation of serverless and container workloads

Managing and scaling the infrastructure to run applications can still be challenging to
developers, the report pointed out. They must take on more responsibility for network and
security controls for their applications.

While some of that responsibility can be offloaded to a CSP through the use of serverless and
containerized workloads, for most organizations, lack of control of cloud infrastructure limits
mitigation options for application security issues and the visibility of traditional security
tooling. That’s why the report recommended building strong organizational practices around
cloud hygiene, application security, observability, access control, and secrets management to
reduce the blast radius of an attack. Key takeaways about misconfiguration and exploitation of
serverless and container workloads include:

• Companies should implement cloud security posture management (CSPM), CIEM,
and cloud workload protection platforms to increase security visibility, enforce
compliance, and achieve the least privilege in serverless and containerized workloads.

• Investments should be made into cloud security training, governance processes, and
reusable secure cloud architecture patterns to reduce the risk and frequency of
insecure cloud configurations.

• Development teams should put extra rigor around strong application security and
engineering best practices before migrating to serverless technologies that remove
traditional security controls.
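
One concrete form of the extra rigor above (and of the continuous scanning recommended under misconfiguration and inadequate change control) is a CI step that reads the workload manifest and refuses to deploy risky pod settings, so an image or manifest problem stops at build time instead of being carried into production. The following is an added example for these notes, not code from the CSA report or Tigera; the manifests are constructed, the image digest is a placeholder, and the checks reflect common Kubernetes pod-hardening settings.

```python
"""CI gate that rejects Kubernetes workloads with risky pod settings.

Added example, not code from the CSA report or Tigera. The manifests are
constructed and given as dicts with the same structure `kubectl get -o json`
emits; reading YAML files through a YAML loader is the only step left out.
The image digest in the hardened manifest is a placeholder, not a real image.
"""

# Constructed: a deployment that "just works" in dev and would be auto-deployed as-is.
RISKY_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "api",
            "image": "registry.example/api:latest",
            "securityContext": {"privileged": True},
        }],
    }}},
}

# Constructed: the same workload with the settings a CI gate should insist on.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "api",
            # Placeholder digest: pins the exact image the scanner approved.
            "image": "registry.example/api:1.4.2@sha256:" + "0" * 64,
            "securityContext": {
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    }}},
}

POD_TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}


def pod_spec(manifest):
    """Locate the pod spec for a bare Pod or a pod-template workload."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind in POD_TEMPLATE_KINDS:
        return manifest["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind}")


def check_manifest(manifest):
    """Return (container, finding) pairs; an empty list means the gate passes."""
    spec = pod_spec(manifest)
    findings = []
    for host_setting in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_setting):
            findings.append(("pod", host_setting))
    pod_ctx = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name = c["name"]
        ctx = {**pod_ctx, **c.get("securityContext", {})}  # container overrides pod
        if "@sha256:" not in c.get("image", ""):
            findings.append((name, "image_not_pinned_by_digest"))
        if ctx.get("privileged"):
            findings.append((name, "privileged"))
        if ctx.get("runAsNonRoot") is not True:
            findings.append((name, "may_run_as_root"))
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "privilege_escalation_allowed"))
        if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
            findings.append((name, "capabilities_not_dropped"))
    return findings


def gate(manifest):
    """True when the manifest may be deployed; the pipeline step exits non-zero otherwise."""
    return not check_manifest(manifest)


if __name__ == "__main__":
    for label, manifest in (("risky", RISKY_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(label, "PASS" if gate(manifest) else "FAIL", check_manifest(manifest))
```

The checks are deliberately "deny unless set": a container that says nothing about `runAsNonRoot` or `allowPrivilegeEscalation` fails, which is what turns a best-practice document into something the CI/CD pipeline actually enforces.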

10. Organized crime, hackers and APT groups

Advanced persistent threat (APT) groups typically focus their efforts on data acquisition.
Those groups are closely studied by threat intelligence outfits, who publish detailed reports on
the groups’ methods and tactics. The CSA report recommended organizations use those reports
to stage “red team” exercises to better protect themselves from APT attacks, as well as perform
threat-hunting exercises to identify the presence of any APTs on their networks.

Key takeaways from the report in the APT area include:

• Conduct a business impact analysis on your organization to understand your
information assets.

• Participate in cybersecurity information sharing groups.

• Understand any relevant APT groups and their tactics, techniques and procedures
(TTPs).

• Conduct offensive security exercises to simulate the TTPs of these APT groups.

• Ensure security monitoring tools are tuned to detect TTPs of any relevant APT
groups.

11. Cloud Storage Data Exfiltration

Cloud storage data exfiltration occurs when sensitive, protected or confidential information is
released, viewed, stolen or used by an individual outside of the organization’s operating
environment. The report noted that many times data exfiltration may occur without the
knowledge of the data’s owner. In some cases, the owner may be unaware of the data’s
theft until notified by the thief or until it appears for sale on the internet.

While the cloud can be a convenient place to store data, the report continued, it also offers
multiple ways to exfiltrate it. To protect against exfiltration, organizations have begun turning
to a zero-trust model where identity-based security controls are used to provide least privileged
access to data.

Key takeaways about cloud storage exfiltration in the report include:

• Cloud storage requires a well-configured environment (SaaS security posture
management [SSPM], CSPM), remediation of vulnerabilities in infrastructure as a
service (IaaS), which is still a major threat vector, and strong identity and access
control of both people and non-human personas.

• To detect and prevent attacks and data exfiltration, apply the CSP’s best practices
guides, monitoring and detection capabilities.

• Employee awareness training on cloud storage usage is required, as data is scattered
in various locations and controlled by various personas.

• Evaluate a cloud provider’s security resilience and, at minimum, security standards
adherence, legal agreement, and service level agreement (SLA).

• Where business constraints allow, client-side encryption can provide protection from
external attackers or CSP malicious insiders. Encryption is not always feasible, however,
due to implementation considerations. Classifying data can help in setting different
controls and, if exfiltration happens, in assessing the impact and recovery actions required.

Shifting focus of cloud security

The CSA report noted that its 2022 edition continued a nascent trend found in its previous
version: a shift away from the traditional focus on information security, such as vulnerabilities
and malware. Regardless, these security issues are a call to action for developing and enhancing
cloud security awareness and configuration, and identity management. The cloud itself is less
of a concern, so now the focus is more on the implementation of the cloud technology.

4 Cloud Security Risks

You cannot completely eliminate risk; you can only manage it. Knowing common
risks ahead of time will prepare you to deal with them within your
environment. What are four cloud security risks?

1. Unmanaged Attack Surface
2. Human Error
3. Misconfiguration
4. Data Breach

How to manage cloud security risks

Follow these tips to manage risk in the cloud:

• Perform regular risk assessments to find new risks.
• Prioritize and implement security controls to mitigate the risks you’ve identified (CrowdStrike
can help).
• Document and revisit any risks you choose to accept.

4 cloud security threats

A threat is an attack against your cloud assets that tries to exploit a risk. What
are four common threats faced by cloud security?

1. Zero-Day Exploits
2. Advanced Persistent Threats
3. Insider Threats
4. Cyberattacks

1. Zero-day exploits

Cloud is “someone else’s computer.” But as long as you’re using computers and
software, even those run in another organization’s data center, you’ll encounter
the threat of zero-day exploits.

Zero-day exploits target vulnerabilities in popular software and operating
systems that the vendor hasn’t patched. They’re dangerous because even if your
cloud configuration is top-notch, an attacker can exploit zero-day vulnerabilities
to gain a foothold within the environment.

2. Advanced persistent threats

An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in
which an intruder establishes an undetected presence in a network to steal
sensitive data over a prolonged time.

APTs aren’t a quick “drive-by” attack. The attacker stays within the environment,
moving from workload to workload, searching for sensitive information to steal
and sell to the highest bidder. These attacks are dangerous because they may
start using a zero-day exploit and then go undetected for months.

3. Insider threats

An insider threat is a cybersecurity threat that comes from within the
organization — usually by a current or former employee or other person who has
direct access to the company network, sensitive data and intellectual property
(IP), as well as knowledge of business processes, company policies or other
information that would help carry out such an attack.

4. Cyberattacks

A cyber attack is an attempt by cybercriminals, hackers or other digital
adversaries to access a computer network or system, usually for the purpose of
altering, stealing, destroying or exposing information.

Common cyberattacks performed on companies
include malware, phishing, DoS and DDoS, SQL Injections, and IoT based
attacks.

How to handle cloud security threats

There are so many specific attacks; it’s a challenge to protect against them all.
But here are three guidelines to use when protecting your cloud assets from
these threats and others.

• Follow secure coding standards when building microservices
• Double and triple check your cloud configuration to plug any holes
• With a secure foundation, go on the offensive with threat hunting. (CrowdStrike can help)

4 cloud security challenges

Challenges are the gap between theory and practice. It’s great to know you need
a cloud security strategy. But where do you start? How do you tackle cultural
change? What are the daily practical steps to make it happen?

What are four cloud security challenges every company faces when
embracing the cloud?

1. Lack of Cloud Security Strategy and Skills
2. Identity and Access Management
3. Shadow IT
4. Cloud Compliance

1. Lack of cloud security strategy and skills

Traditional data center security models are not suitable for the cloud.
Administrators must learn new strategies and skills specific to cloud computing.

Cloud may give organizations agility, but it can also open up vulnerabilities for
organizations that lack the internal knowledge and skills to understand security
challenges in the cloud effectively. Poor planning can manifest itself in
misunderstanding the implications of the shared responsibility model, which lays
out the security duties of the cloud provider and the user. This misunderstanding
could lead to the exploitation of unintentional security holes.

2. Identity and access management

Identity and Access Management (IAM) is essential. While this may seem
obvious, the challenge lies in the details.

It’s a daunting task to create the necessary roles and permissions for an
enterprise of thousands of employees. There are three steps to a holistic IAM
strategy: role design, privileged access management, and implementation.

Begin with a solid role design based on the needs of those using the cloud.
Design the roles outside of any specific IAM system. These roles describe the
work your employees do, which won’t change between cloud providers.

Next, a strategy for privileged access management (PAM) outlines which roles
require more protection due to their privileges. Tightly control who has access to
privileged credentials and rotate them regularly.

Finally, it’s time to implement the designed roles within the cloud provider’s IAM
service. This step will be much easier after developing these ahead of time.
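
Role design and implementation meet when a role's permissions are written down as a policy; a linter in the pipeline can then reject grants that ignore least privilege before they reach the IAM service. The following is an added example, not code from CrowdStrike or any provider: the policies use the AWS IAM JSON grammar because it is widely known, and the policies, bucket name and check rules are constructed for this illustration.

```python
"""Lint IAM policy documents for grants that violate least privilege.

Added example, not code from the CrowdStrike text. The policies follow the
AWS IAM JSON grammar (Version, Statement, Effect, Action, Resource, Condition)
because it is widely known; the policies themselves, the bucket name and the
linter are constructed for this example.
"""
import json

# Constructed: the kind of policy that gets attached "to make it work".
OVERBROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-invoices-bucket/*"}
  ]
}""")

# Constructed: the same job, scoped to the two actions and the one bucket the role needs.
LEAST_PRIVILEGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-invoices-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}}
  ]
}""")


def as_list(value):
    """IAM accepts either a single string or a list in Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement index, finding, explanation) for each over-broad grant."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append((idx, "not_action",
                             "Allow with NotAction grants everything except the listed actions"))
        for action in as_list(stmt.get("Action")):
            if action == "*":
                findings.append((idx, "action_wildcard",
                                 "grants every action in every service"))
            elif action.endswith(":*"):
                service = action.split(":", 1)[0]
                findings.append((idx, "service_wildcard",
                                 f"grants every {service} action"))
        if "*" in as_list(stmt.get("Resource")):
            findings.append((idx, "resource_wildcard", "applies to every resource"))
    return findings


def is_least_privilege(policy):
    """Gate for the pipeline: only policies with no findings are applied."""
    return not lint_policy(policy)


if __name__ == "__main__":
    for name, pol in (("overbroad", OVERBROAD_POLICY), ("scoped", LEAST_PRIVILEGE_POLICY)):
        print(name, "PASS" if is_least_privilege(pol) else "FAIL")
        for idx, kind, why in lint_policy(pol):
            print(f"  statement {idx}: {kind}: {why}")
```

Because the roles were designed from the work people do rather than from a particular provider's console, the scoped policy is short enough to read, and the linter's four rules (global wildcard, per-service wildcard, wildcard resource, `NotAction` with `Allow`) catch the usual ways a policy quietly grows back into "everything".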

3. Shadow IT

Shadow IT challenges security because it circumvents the standard IT approval
and management process.

Shadow IT is the result of employees adopting cloud services to do their jobs.
The ease with which cloud resources can be spun up and down makes
controlling its growth difficult. For example, developers can quickly spawn
workloads using their accounts. Unfortunately, assets created in this way may
not be adequately secured and may be accessible via default passwords and
misconfigurations.

The adoption of DevOps complicates matters. Cloud and DevOps teams like to
run fast and without friction. However, obtaining the visibility and management
levels that the security teams require is difficult without hampering DevOps
activities. DevOps needs a frictionless way to deploy secure applications and
directly integrate with their continuous integration/continuous delivery (CI/CD)
pipeline. There needs to be a unified approach for security teams to get the
information they need without slowing down DevOps. IT and security need to find
solutions that will work for the cloud — at DevOps’ velocity.

4. Cloud compliance

Organizations have to adhere to regulations that protect sensitive data like PCI
DSS and HIPAA. Sensitive data includes credit card information, healthcare
patient records, etc. To ensure compliance standards are met, many
organizations limit access and what users can do when granted access. If
access control measures are not set in place, it becomes a challenge to monitor
access to the network.

EXPERT TIP

Stay up to date with the most common cloud security frameworks meant to
protect your environments and all sensitive data that lives within.

Cloud Security Best Practices

Here's a list of best practices you should rely on to minimize cloud security risks:

• Keep all cloud services, VMs, and containers up to date with the latest
security patches.
• Use multi-factor authentication (MFA) for all user accounts.
• Use enterprise password management to centralize credential handling and
ensure everyone in the organization uses strong passwords.
• Define and enforce company-wide cloud security policies. Remember to
regularly review and update policies to adapt to evolving threats.
• Implement zero-trust security and the principle of least privilege (PoLP) to
restrict access to cloud-based data and assets.

• Regularly review and revoke unnecessary access.
• Encrypt data both at rest and in transit with strong encryption algorithms.
Also, ensure the team follows key management best practices.
• Set up robust logging and cloud monitoring to ensure teams detect security
incidents promptly.
• Regularly back up all your data and configurations, plus occasionally test
backups to ensure there's no file corruption.
• Regularly assess the security practices of your cloud service provider and
ensure the vendor meets your current security requirements.
• Protect APIs with advanced authentication and authorization mechanisms.
• Regularly review and update all API security policies.
• Maintain an up-to-date inventory of cloud assets and resources to ensure the
security team has a complete overview of what they are protecting.
• Remember to decommission and archive unused resources.
• Carefully assess and manage the security risks associated with third-party
tools, integrations, and services.
• Run regular vulnerability assessments to proactively find flaws and exploits in
cloud systems.
• Perform occasional penetration tests to see how your cloud environment and
security team respond to realistic attack simulations.

Remember that most cloud-related incidents result from human error.
Organize security awareness training to ensure employees understand their role in
preventing and dealing with cloud security risks.

While Alarming, Cloud Security Risks Are Not a Deterrent

Despite the cloud security risks discussed above, nearly 94% of companies rely on
cloud services to run servers, host apps, or store mission-critical data. That figure
indicates that most organizations are willing to take on the security risks of using the
cloud. You should follow the same logic—despite adding a few new security
concerns, the cloud is too beneficial of a tech to ignore.

Top 11 Strategies to Mitigate Cloud Security Threats

Understanding the Cyber Threat Landscape for Cloud Infrastructure

As we journey further into the 21st century, we are driven more and more by digitization and
interconnectedness. This digital transformation, while bringing unparalleled benefits, has also
spawned an alarming surge of cyber threats that continually challenge our collective security
measures.

When it comes to cloud infrastructure, these threats predominantly take two forms: assaults
targeting data and attacks aimed at the cloud services themselves. Within the sphere of data-
focused cyber threats, the dangers are primarily in the form of:

• Data breaches
• Data losses

Data breaches transpire when nefarious actors manage to penetrate the system and gain
unauthorized access to sensitive data. The fallout from such breaches can lead to the unwanted
disclosure of pivotal data, spanning from individual user details to proprietary business
intelligence, potentially causing significant reputational damage and financial fallout. On the
contrary, data loss refers to incidents where data is inadvertently deleted or permanently
misplaced due to unforeseen circumstances like natural disasters or system malfunctions.
Although not always a result of malicious actions, data loss can hinder business operations and
continuity, emphasizing the criticality of resilient data recovery mechanisms and comprehensive
backup strategies.

Threats targeting cloud-based services primarily aim to hamper the service’s operational
efficiency. For example, in the case of service traffic hijacking, a malevolent individual diverts the
cloud service traffic, misguiding users into deceptive websites. Such actions could pave the way
for additional data breaches or harm the credibility of the cloud service provider.
Additionally, distributed denial of service (DDoS) attacks emerge when malefactors inundate
the service with an overload of requests, restricting access for authentic users. Such aggressive
cyber attacks can incapacitate the service, hinder its regular functions, and might result in both
financial and reputational setbacks. Adding another layer of complexity to the cloud security
landscape are insider threats, insecure interfaces, and misconfigured cloud storage. Insider
threats refer to the potential for individuals within an organization, who have authorized system
access, to misuse this access either accidentally or with malicious intent. Insecure interfaces and
APIs, often the gateways to cloud services, present another potential vulnerability if they are
not adequately secured. Misconfigured cloud storage, an issue stemming from human error or
lack of understanding, can leave data unprotected and easily accessible to attackers. These
aspects further underscore the need for comprehensive and multi-faceted measures to guard
against cloud security threats.

Strategies for Mitigating Cybersecurity Threats to Cloud Infrastructure

As cloud infrastructure becomes an increasingly integral part of modern businesses, ensuring its
security is paramount. To effectively shield against potential cloud security threats and
vulnerabilities, organizations must adopt a multifaceted approach to cybersecurity. Here are
some key strategies that enterprises can employ to bolster the security of their cloud-based
assets and operations.

1. Encryption and key management: Encrypting data is fundamental to ensuring its
security. Both data-at-rest and data-in-transit should be encrypted. Data-at-rest refers
to inactive data stored physically in any digital form, while data-in-transit refers to data
actively moving from one location to another across the internet or through a private
network. Key management also plays a crucial role in maintaining encryption’s
effectiveness. Companies need to use strong encryption methods and properly manage
their encryption keys to ensure data remains secure.
2. Identity and access management (IAM): It is a framework for business processes that
facilitates the management of electronic identities. With IAM, businesses can control
who has access to which resources and under what conditions. Implementing multi-
factor authentication, using role-based access control, and conducting regular audits of
access rights can help prevent unauthorized access to cloud services.
3. Disaster recovery and business continuity planning: Even with rigorous precautions,
breaches can still occur. Therefore, it’s important for enterprises to establish a
comprehensive disaster recovery strategy to facilitate system restoration and data
retrieval in the wake of a breach.
4. Regular security audits: Regular audits help identify vulnerabilities in the system and
ensure compliance with security policies. These audits should include penetration
testing, where ethical hackers attempt to breach the system to find potential
vulnerabilities.
5. Security awareness and training: Human error is a significant contributor to
cybersecurity breaches. Regular security awareness and training programs can help
employees understand the role they play in maintaining cybersecurity, hence, reducing
the risk of insider threats and inadvertent breaches.
6. Vendor management: Since cloud infrastructure often involves third-party vendors, it’s
essential to ensure these vendors follow robust security practices. This involves
conducting regular audits of the vendor’s security policies and practices and including
security clauses in the vendor agreements.
7. Security as a culture: Viewing cybersecurity as not only a technical challenge but a
holistic business issue is vital. This perspective needs to be integrated into the
organizational culture. This approach necessitates everyone within the company to
comprehend the significance of cybersecurity and their individual roles in preserving it.
8. Threat intelligence: The use of threat intelligence tools can illuminate potential dangers
and nefarious activities that might pose a threat to an organization’s cloud
infrastructure. Such tools are designed to gather and scrutinize data from diverse
sources, enabling them to forecast and identify potential cyber threats. This proactive
approach enables businesses to bolster the security of their systems in advance.
9. Zero-trust architecture: Adopting a zero-trust security model is another effective
strategy. This approach operates on the principle of ‘‘never trust, always verify.’’ It
requires verification for every person and device trying to access resources on a
network, regardless of whether they are sitting within or outside of the network
perimeter.

10. Automated security management: The incorporation of automation can significantly
uplift cybersecurity provisions within the cloud infrastructure. Tools designed for
automated security management are beneficial in perpetually monitoring the network,
pinpointing and rectifying security gaps, managing software patches, and ensuring
system alignment with established security policies. Such automation aids in lessening
the burden of manual oversight and mitigates the likelihood of mistakes stemming from
human involvement.
11. Secure DevOps practices (DevSecOps): The amalgamation of security protocols within
the DevOps process (DevSecOps) is instrumental in the creation and deployment of
secure applications within a cloud environment. This strategy dictates that security
considerations take precedence at each phase of the software development lifecycle,
from initial design through to deployment, instead of being an afterthought. Practices
encompassed within DevSecOps could comprise code assessments, automated testing
procedures, and continuous monitoring and auditing, among other techniques.
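
Strategy 9 describes zero trust as "never trust, always verify"; in code, that means the access decision is made from verified identity, MFA, device state, entitlement and session risk, and never takes network location as a shortcut. The following is an added example, not code from the article above; the request fields, entitlement table, sensitivity levels and risk thresholds are constructed assumptions, and a real deployment would source them from the identity provider, the device-management system and the resource inventory.

```python
"""Zero-trust access decision: every request is verified, wherever it comes from.

Added example, not code from the article above. Request fields, entitlements,
sensitivity levels and thresholds are constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass
class Request:
    subject: str
    identity_verified: bool   # token validated against the identity provider
    mfa_passed: bool
    device_compliant: bool    # managed, patched, disk encrypted
    network: str              # "corporate" or "internet"; recorded but never trusted
    resource: str
    action: str
    risk_score: int = 0       # 0-100 from session signals (new device, odd location, ...)


# Constructed resource classification and role model, independent of network location.
RESOURCE_SENSITIVITY = {"wiki": "low", "crm": "medium", "payroll-db": "high"}
ENTITLEMENTS = {
    "alice": {"wiki": {"read", "write"}, "crm": {"read"}},
    "bob": {"wiki": {"read"}, "payroll-db": {"read"}},
}
# Highest session risk tolerated per sensitivity level (assumed thresholds).
MAX_RISK = {"low": 80, "medium": 50, "high": 20}


def decide(req):
    """Return (allowed, reason); the first failing check explains a denial.

    Note what is absent: req.network is never consulted. A request from the
    corporate LAN without MFA is denied exactly like one from the internet.
    """
    if not req.identity_verified:
        return False, "identity not verified"
    if not req.mfa_passed:
        return False, "MFA required"
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource)
    if sensitivity is None:
        return False, "unknown resource"
    if sensitivity != "low" and not req.device_compliant:
        return False, "device not compliant"
    allowed_actions = ENTITLEMENTS.get(req.subject, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        return False, "no entitlement for this action"
    if req.risk_score > MAX_RISK[sensitivity]:
        return False, f"session risk {req.risk_score} exceeds limit for {sensitivity} data"
    return True, "all checks passed"


if __name__ == "__main__":
    # Constructed requests: one from outside that passes, one from inside that fails.
    for req in (
        Request("alice", True, True, True, "internet", "crm", "read", risk_score=10),
        Request("bob", True, False, True, "corporate", "wiki", "read"),
        Request("bob", True, True, True, "corporate", "payroll-db", "read", risk_score=30),
    ):
        print(req.subject, req.resource, req.network, decide(req))
```

The ordering of the checks is part of the design: cheap identity and MFA checks come first, the entitlement lookup encodes least privilege, and the risk threshold tightens with data sensitivity, which is how the dynamically adjusted risk scores mentioned earlier in these notes feed into an actual decision.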

Conclusion
The surge in the adoption of cloud infrastructure by businesses worldwide is linked to
escalating demand for robust and efficient cybersecurity measures. These are required to
counteract the threats that loom over the cyber landscape. By taking a proactive stance and
deploying formidable security strategies such as data encryption, identity and access
management (IAM), the construction of a secure cloud architecture, effective disaster recovery
plans, routine security audits, and cultivating a pervasive culture of security consciousness,
organizations can drastically mitigate their risk exposure and protect the security of their data
and services. Encryption, for instance, serves as the first line of defense by scrambling data into
an unreadable format, thus preventing unauthorized access. On the other hand, IAM systems
control and monitor user access, reducing the risk of internal threats and data breaches.

A secure cloud architecture that involves implementing secure virtual networks, firewalls, and
intrusion detection systems can provide a robust security perimeter, protecting the cloud
environment from potential cloud security threats. Meanwhile, an effective disaster recovery
plan is vital to ensure business continuity and data recovery in the face of unforeseen incidents.
Regular security audits, inclusive of penetration testing, can help identify system vulnerabilities
and ensure adherence to security policies.

Finally, promoting a culture of security awareness among employees can mitigate the risk of
breaches caused by human error. It is crucial for businesses to recognize that cybersecurity
is not a set-and-forget effort but a persistent and iterative process that requires ongoing
vigilance, updates, and training. An organization's security posture is dynamic, reflecting a
changing threat landscape, and therefore requires constant monitoring and refinement to
stay ahead of potential threats. By adopting a proactive approach, armed with the right tools
and mindset, organizations can harness the benefits that cloud infrastructure offers while
minimizing their cybersecurity risks. By integrating cybersecurity into the core of their
business strategy, organizations can ensure they are well-equipped to navigate the digital
landscape safely and efficiently.

Cloud Computing Security Issues


Cloud computing presents many unique security issues and challenges. In the cloud, data is
stored with a third-party provider and accessed over the internet. This means visibility and
control over that data is limited. It also raises the question of how it can be properly secured.
It is imperative everyone understands their respective role and the security issues inherent in
cloud computing. Cloud service providers treat cloud security issues and risks as a shared
responsibility. In this model, the cloud service provider covers security of the cloud itself, and
the customer covers security of what they put in it. In every cloud service—from software-as-
a-service (SaaS) like Microsoft 365 to infrastructure-as-a-service (IaaS) like Amazon Web
Services (AWS)—the cloud computing customer is always responsible for protecting their
data from security threats and controlling access to it. Most cloud computing security risks
are related to cloud data security. Whether a lack of visibility to data, inability to control data,
or theft of data in the cloud, most issues come back to the data customers put in the cloud.
Read below for an analysis of the top cloud security issues in SaaS, IaaS, and private cloud,
placed in order by how often they are experienced by enterprise organizations around the
world.

Top 10 SaaS Cloud Security Issues

1. Lack of visibility into what data is within cloud applications

2. Theft of data from a cloud application by malicious actor

3. Incomplete control over who can access sensitive data

4. Inability to monitor data in transit to and from cloud applications

5. Cloud applications being provisioned outside of IT visibility (e.g., shadow IT)

6. Lack of staff with the skills to manage security for cloud applications

7. Inability to prevent malicious insider theft or misuse of data

8. Advanced threats and attacks against the cloud application provider

9. Inability to assess the security of the cloud application provider’s operations

10. Inability to maintain regulatory compliance

SaaS cloud security issues are naturally centered around data and access because
most shared security responsibility models leave those two as the sole responsibility
for SaaS customers. It is every organization’s responsibility to understand what data
they put in the cloud, who can access it, and what level of protection they (and the
cloud provider) have applied.

It is also important to consider the role of the SaaS provider as a potential access
point to the organization's data and processes. Incidents such as XcodeGhost (a
trojanized copy of Apple's Xcode that planted malware in iOS apps built with it) and the
GoldenEye/NotPetya ransomware outbreak (seeded through a compromised software
update) show that attackers recognize the value of software and cloud providers as a
vector for reaching a much larger set of victims, and they have been increasing their
focus on this route. To protect your organization and its data, scrutinize your cloud
provider's security program: expect regular third-party audits with shared reports (for
example a SOC 2 report or ISO 27001 certification), and insist on contractual
breach-notification terms to complement technical controls.

Top 10 IaaS Cloud Security Issues

1. Cloud workloads and accounts being created outside of IT visibility (e.g., shadow IT)

2. Incomplete control over who can access sensitive data


3. Theft of data hosted in cloud infrastructure by malicious actor

4. Lack of staff with the skills to secure cloud infrastructures

5. Lack of visibility into what data is in the cloud

6. Inability to prevent malicious insider theft or misuse of data


7. Lack of consistent security controls over multi-cloud and on-premises environments

8. Advanced threats and attacks against cloud infrastructure

9. Inability to monitor cloud workload systems and applications for vulnerabilities


10. Lateral spread of an attack from one cloud workload to another

Protecting data is critical in IaaS. As customer responsibility extends to applications,
network traffic, and operating systems, additional threats are introduced.
Organizations should consider the recent evolution in attacks that extend beyond
data as the center of IaaS risk. Malicious actors are conducting hostile takeovers of
compute resources to mine cryptocurrency, and they are reusing those resources as
an attack vector against other elements of the enterprise infrastructure and third
parties.

When building infrastructure in the cloud, it is important to assess your ability to
prevent theft and control access. Determining who can enter data into the cloud,
tracking resource modifications to identify abnormal behaviors, securing and
hardening orchestration tools, and adding network analysis of both north–south and
east–west traffic as a potential signal of compromise are all quickly becoming
standard measures in protecting cloud infrastructure deployments at scale.
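The two paragraphs above describe the signals worth watching in IaaS: compute being hijacked for cryptomining, and resource modifications that deviate from normal behaviour. The following Python is an added example (not code from the original notes or from any vendor) that runs a few such rules over constructed events shaped like AWS CloudTrail records. The field names (`eventName`, `userIdentity`, `requestParameters`, `awsRegion`) follow the CloudTrail format; the principals, regions, thresholds and the "allowed regions" baseline are assumptions made for the example.

```python
"""Rule-based detection over CloudTrail-shaped audit events (added example)."""
from collections import Counter

# Constructed sample events. The field names follow the CloudTrail record format;
# the principals, regions and values are invented for this example.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instanceType": "p3.16xlarge", "maxCount": 20}},
    {"eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"instanceType": "t3.small", "maxCount": 1}},
    {"eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"name": "org-trail"}},
    {"eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]

# Assumed organisational baseline (an assumption of this example, not a real policy).
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}
GPU_FAMILY_PREFIXES = ("p", "g")        # instance families attractive for mining
BULK_LAUNCH_THRESHOLD = 10
LOG_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def principal_of(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def detect(events):
    """Run every rule over every event; return one finding dict per rule hit."""
    findings = []
    for ev in events:
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        who = principal_of(ev)

        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append({"rule": "console_login_without_mfa", "severity": "medium",
                             "principal": who, "detail": "interactive login with no MFA"})

        if ev.get("userIdentity", {}).get("type") == "Root":
            findings.append({"rule": "root_account_activity", "severity": "high",
                             "principal": who, "detail": name})

        if name in LOG_TAMPER_EVENTS:   # blinding the audit trail precedes many intrusions
            findings.append({"rule": "audit_log_tampering", "severity": "critical",
                             "principal": who, "detail": f"{name} on {params.get('name')}"})

        if name == "RunInstances":
            itype = params.get("instanceType", "")
            count = int(params.get("maxCount", 1))
            in_unused_region = ev.get("awsRegion") not in ALLOWED_REGIONS
            bulk_gpu = itype.startswith(GPU_FAMILY_PREFIXES) and count >= BULK_LAUNCH_THRESHOLD
            if bulk_gpu or in_unused_region:   # classic cryptomining takeover pattern
                findings.append({"rule": "suspicious_compute_launch", "severity": "high",
                                 "principal": who,
                                 "detail": f"{count}x {itype} in {ev.get('awsRegion')}"})

        if name == "CreateAccessKey" and params.get("userName") == who:
            findings.append({"rule": "self_service_access_key", "severity": "low",
                             "principal": who, "detail": "user minted a key for themselves"})

        if name == "AttachUserPolicy" and params.get("policyArn", "").endswith("/AdministratorAccess"):
            findings.append({"rule": "admin_policy_attached", "severity": "critical",
                             "principal": who, "detail": f"to user {params.get('userName')}"})
    return findings


def findings_by_principal(findings):
    """Count findings per principal; a spike on one identity is the 'abnormal behaviour' signal."""
    return Counter(f["principal"] for f in findings)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['severity']:8}] {f['rule']:26} {f['principal']:6} {f['detail']}")
    print(findings_by_principal(found))
```

Running the file prints six findings: alice's login without MFA, her self-issued access key and her bulk GPU launch in an unapproved region (the cryptomining pattern), bob's attachment of AdministratorAccess, and two findings for the root user disabling the trail; bob's single small instance in an approved region produces nothing. In production the same rules would be fed from CloudTrail through an event bus or a SIEM, and the per-principal counts would be compared against each identity's own history rather than a fixed threshold.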

Top 5 Private Cloud Security Issues

1. Lack of consistent security controls spanning over traditional server and virtualized
private cloud infrastructures

2. Increasing complexity of infrastructure resulting in more time/effort for
implementation and maintenance

3. Lack of staff with skills to manage security for a software-defined data center (e.g.,
virtual compute, network, storage)

4. Incomplete visibility over security for a software-defined data center (e.g., virtual
compute, network, storage)

5. Advanced threats and attacks

An important factor in the decision-making process to allocate resources to a public
vs. private cloud is the fine-tuned control available in private cloud environments. In
private clouds, additional levels of control and supplemental protection can
compensate for other limitations of private cloud deployments and may contribute
to a practical transition from monolithic server-based data centers.

At the same time, organizations should consider that maintaining fine-tuned control
creates complexity, since in a public cloud the provider takes on much of the effort of
maintaining the underlying infrastructure, while in a private cloud that work stays in
house. Cloud users can simplify security management and reduce complexity by
abstracting controls, so that one set of policies applies across public and private cloud
platforms and across physical, virtual, and hybrid environments.

How to Mitigate Common Cloud Computing Security Issues


Your organization is using cloud services, even if those cloud services are not a
primary strategy for your information technology (IT). To mitigate cloud computing
security risks, there are three best practices that all organizations should work
toward:

• DevSecOps processes — DevOps and DevSecOps have repeatedly been
demonstrated to improve code quality, reduce exploitable vulnerabilities, and
increase the speed of application development and feature deployment. Integrating
development, QA, and security processes within the business unit or application
team—instead of relying on a stand-alone security verification team—is crucial to
operating at the speed today’s business environment demands.

• Automated application deployment and management tools — The shortage of
security skills, combined with the increasing volume and pace of security threats,
means that even the most experienced security professional cannot keep up.
Automation that removes mundane tasks and augments human advantages with
machine advantages is a fundamental component of modern IT operations.

• Unified security with centralized management across all services and
providers — No one product or vendor can deliver everything, but multiple
management tools make it too easy for something to slip through. A unified
management system with an open integration fabric reduces complexity by bringing
the parts together and streamlining workflows.

Finally, when trade-off decisions must be made, better visibility should be the No. 1
priority, not greater control. It is better to be able to see everything in the cloud, than
to attempt to control an incomplete portion of it.

Top 10 Cloud Attacks and What You Can Do About Them
Cloud attacks are various types of cyber attacks that target cloud computing
resources and infrastructure.

What Are Cloud Attacks?


A cloud attack is a cyber attack that targets cloud-based service platforms, such as
computing services, storage services, or hosted applications, in an infrastructure as a
service (IaaS), platform as a service (PaaS) or software as a service (SaaS) model.

Cloud attacks can have serious consequences, such as data breaches, data loss,
unauthorized access to sensitive information, and disruption of services.

As more organizations and individuals rely on cloud computing for storing and
processing data, there is a corresponding increase in the number of potential targets
for attackers. Many organizations may not be aware of the risks and vulnerabilities
associated with cloud computing, or may not have sufficient measures in place to
protect against these threats.

10 Types of Cloud Computing Attacks


1. Denial-of-Service Attacks
2. Account Hijacking
3. User Account Compromise
User account compromise typically involves an attacker gaining access to an
account through the actions of the account owner, such as by tricking the user into
revealing their login credentials or by exploiting a vulnerability in a system or
application used by the user.

This differs from account hijacking, which involves an attacker gaining unauthorized
access to an account through means such as password cracking or exploiting
vulnerabilities in the cloud infrastructure.

4. Cloud Malware Injection Attacks


Cloud malware injection attacks are a type of cyber attack that involves injecting
malicious software, such as viruses or ransomware, into cloud computing resources
or infrastructure. This can allow the attacker to compromise the affected resources
and steal or destroy data, or to use the resources for their own purposes.

There are several ways in which attackers can inject malware into cloud resources,
including:

• Exploiting vulnerabilities in the cloud infrastructure or in the systems and applications
running on the cloud.
• Adding a malicious service module to a SaaS or PaaS system, or an infected VM to
an IaaS system, and diverting user traffic to it.
• Using phishing attacks to trick users into downloading and installing malicious
software.
• Gaining unauthorized access to cloud accounts and injecting malware through the
use of malware-infected files or links.

5. Insider Threats
6. Side-Channel Attacks
A side-channel attack involves exploiting information that is leaked through the
physical implementation of a system, rather than through its logical interfaces. This
information can include details about how the system is implemented or about the
data being processed by the system.

In a cloud environment, an attacker can attempt a side-channel attack by placing a
malicious virtual machine on the same physical host as a victim's VM (co-residency).
This does not give the attacker direct access to the victim's memory; instead, the
attacker observes shared hardware, such as CPU cache timing, to infer what the
neighbouring VM is processing.

Side-channel attacks have been used to extract sensitive information from a system,
such as cryptographic keys and passwords, and in some forms to degrade a
neighbouring tenant's performance. Providers counter them with cache and scheduler
isolation, dedicated hosts, and constant-time cryptographic implementations.

7. Cookie Poisoning
Cookie poisoning in cloud applications refers to the unauthorized modification or
injection of malicious content into a cookie, which is a small piece of data that is
stored on a user’s computer by a website or web application.

Cookies are used to store information about a user’s preferences and browsing
history, and are often used to personalize the user’s experience or to track their
activity. In SaaS and other cloud applications, cookies often carry the session
identifier or authentication token. If the application trusts cookie contents without
integrity protection (a server-side session lookup or a signature it can verify), an
attacker can edit a cookie to escalate privileges or impersonate another user.
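The following Python is an added example, not code from the original notes, showing the vulnerable pattern the paragraph describes beside a hardened one. An application that reads `role=user` from an unsigned cookie can be escalated by editing the cookie; the hardened version appends an expiry and an HMAC-SHA256 tag computed with a server-held key, and verifies the tag in constant time before trusting any field. The cookie layout, the field names and the key handling are assumptions of the example.

```python
"""Cookie poisoning: an unsigned session cookie beside an HMAC-protected one (added example)."""
import hashlib
import hmac
import secrets
import time


def parse_cookie_fields(cookie):
    """Split 'k=v;k2=v2' into a dict. On its own this trusts whatever the client sent."""
    return dict(part.split("=", 1) for part in cookie.split(";") if "=" in part)


# --- Vulnerable pattern: authorization decided from an unsigned cookie -------------
def is_admin_vulnerable(cookie):
    # Anyone can rewrite role=user to role=admin in the browser.
    return parse_cookie_fields(cookie).get("role") == "admin"


# --- Hardened pattern: server-held key, HMAC tag, constant-time check, expiry --------
SERVER_KEY = secrets.token_bytes(32)   # in practice load from a secret store, never hard-code


def sign_cookie(payload, key=SERVER_KEY, now=None, ttl=3600):
    """Append an expiry and an HMAC-SHA256 tag over the whole body."""
    now = int(time.time()) if now is None else now
    body = f"{payload};exp={now + ttl}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def verify_cookie(cookie, key=SERVER_KEY, now=None):
    """Return the cookie's fields, or None if it is forged, tampered with or expired."""
    now = int(time.time()) if now is None else now
    body, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a byte-by-byte '==' would leak a timing side channel.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    fields = parse_cookie_fields(body)
    try:
        if int(fields.get("exp", 0)) < now:
            return None
    except ValueError:
        return None
    return fields


def is_admin_hardened(cookie, key=SERVER_KEY, now=None):
    fields = verify_cookie(cookie, key, now)
    return fields is not None and fields.get("role") == "admin"


if __name__ == "__main__":
    t0 = 1_700_000_000
    legit = sign_cookie("user=alice;role=user", now=t0)
    poisoned = legit.replace("role=user", "role=admin")   # what the attacker edits
    print("vulnerable app grants admin:", is_admin_vulnerable(poisoned))      # True
    print("hardened app grants admin:  ", is_admin_hardened(poisoned, now=t0))  # False
```

The HMAC stops tampering but does not hide the cookie's contents, so secrets still do not belong in it. In a real deployment the cookie would also be set with the `Secure`, `HttpOnly` and `SameSite` attributes, and an opaque session ID looked up server-side is usually simpler than a signed payload.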

8. Security Misconfiguration
9. Insecure APIs
Insecure APIs have vulnerabilities that can be exploited by attackers to gain
unauthorized access to systems or data, or to disrupt the operation of the API.

Examples include:

• Shadow APIs: APIs that are not properly documented or authorized, and may not be
known to the organization that owns the API. These APIs can be created by
developers or other users within the organization, and can expose sensitive data or
functionality to unauthorized parties.
• API parameters: The inputs and outputs of an API, which can be vulnerable to
injection attacks if they are not properly validated and sanitized.

10. Cloud Cryptomining


A cloud cryptomining attack is a type of cyber attack in which attackers use cloud
computing resources to perform cryptomining without the knowledge or consent of
the cloud provider or the owner of the resources. Cryptomining is the process of
using computing resources to solve complex mathematical problems in order to
verify and validate transactions on a blockchain network.

In a cloud cryptomining attack, the attackers use stolen or compromised credentials
to access and exploit cloud computing resources, such as virtual machines or
containers, for the purpose of performing cryptomining. They may also use malware
or other techniques to gain unauthorized access to cloud resources. The victim often
notices, if at all, only as an unexplained jump in the compute bill.

Real-World Cloud Attack Examples


Kaseya
In July 2021, IT management software vendor Kaseya suffered a supply chain
ransomware attack against its VSA (Virtual System Administrator) remote monitoring
and management product. The attackers exploited vulnerabilities in on-premises VSA
servers to push the REvil ransomware, through the trusted management channel, to
the managed service providers running VSA and onward to their customers; Kaseya
estimated that fewer than 1,500 downstream businesses were affected.

Kaseya shut down its VSA SaaS servers as a precaution and told on-premises customers
to keep their VSA servers offline until a patch was available. It later released a
detection tool so that customers could check VSA servers and managed endpoints for
indicators of compromise.

Facebook
In April 2019, researchers at UpGuard reported that hundreds of millions of Facebook
user records had been left exposed in publicly readable Amazon S3 buckets. The
buckets did not belong to Facebook itself but to two third-party app developers that
had collected the data through the Facebook platform; the exposed databases
contained account names, user IDs, comments and reactions and, in one case,
plaintext passwords, information usable for social engineering and targeted phishing.
Facebook worked with AWS to have the databases taken down once it was notified.

Cognyte
In May 2021, security analytics company Cognyte left a cloud-hosted Elasticsearch
database reachable from the internet without authentication. The exposed index held
about 5 billion records (records, not users) from Cognyte's threat intelligence
collection: data from historic breaches, including names, email addresses and
passwords, together with the breach each record came from. A data set like this is
directly reusable for credential stuffing, which is what makes it valuable to attackers.

Because the index was open, its contents were also crawled and indexed by search
engines. It took Cognyte four days to secure the data and remove it from public view.

Verizon
Verizon Communications has appeared in cloud-related security incidents both as a
victim and as a chronicler. In 2017, Verizon partner NICE Systems exposed the records
of millions of Verizon customers through a misconfigured Amazon S3 bucket that
allowed public read access. Separately, Verizon's 2021 Data Breach Investigations
Report (which analyzes incidents across many organizations, not Verizon's own)
reviewed 29,207 security incidents, of which about 5,200 were confirmed data
breaches.

The incidents included DDoS, social engineering, and web application attacks. The
report attributed the large majority of breaches to the “human element”, a trend
amplified by remote work during the COVID-19 crisis.

Raychat
In February 2021, the online chat app Raychat experienced a massive cyberattack.
A cloud database managed by Raychat was compromised, giving hackers free
access to 267 million usernames, emails, passwords, metadata, and encrypted
chats. Shortly thereafter, a targeted bot attack wiped out the company’s data.

An investigation showed that the data was exposed due to a MongoDB misconfiguration.
This attack highlights that cloud-hosted databases become easy targets when they are
reachable from the internet without authentication: automated scanners find such
instances quickly, and "wiper" bots that delete or ransom the contents follow soon after.

What You Can Do About Cloud Attacks: Prevention and Protection


Here are some best practices to help prevent and mitigate cloud attacks.

Encrypt All Data in the Cloud
Encrypting data is important in the cloud because it helps protect sensitive and
confidential information from unauthorized access, even if the data is stolen or
accessed by an unauthorized party. When data is encrypted, it is converted into a
format that is unreadable to anyone without the proper decryption key. This means
that an attacker who obtains the ciphertext but not the key cannot read or make sense
of it, which is why key management (who holds the keys, where they live, how access
to them is logged) matters as much as the cipher itself.

There are typically three states in which data needs to be encrypted:

• At-rest encryption: This refers to encrypting data when it is stored, such as on a
hard drive or in a cloud storage service. This ensures that data is protected when it is
not in use and cannot be read by anyone who obtains the storage medium or a copy of
it. Note that provider-managed keys protect against a lost disk but still let anyone with
access to the storage API read the data; customer-managed keys narrow that exposure.
• In-transit encryption: This refers to encrypting data when it is being transmitted
across networks, such as when it is sent to or from a cloud service provider (typically
with TLS). This ensures that data cannot be intercepted and read by unauthorized
parties while in transit.
• In-use encryption: This refers to protecting data while it is being processed. In
practice this is usually done with hardware-based trusted execution environments
(confidential computing), where data is decrypted only inside an isolated enclave that
the host and the provider cannot read. Homomorphic encryption, where the
computation is performed directly on the ciphertext, is the other approach, but it
remains too slow for most production workloads.

Control Access to Cloud Services


Restricting access to cloud services is necessary because it helps to limit the
potential attack surface. Organizations can reduce the likelihood of a successful
attack by limiting the number of people who have access to cloud resources and
data. Additionally, by granting access only to those who need it, organizations can
reduce the potential impact of a successful attack.

Here are a few examples of how restricting access can help prevent cloud attacks:

• Limiting access to cloud storage resources can prevent attackers from being able to
access and steal sensitive data.
• Restricting access to cloud-based applications shrinks the application-layer attack
surface that unauthenticated users can reach; note that volumetric denial-of-service
attacks need no account and still require separate network-level protection.
• By controlling access to cloud-based infrastructure, organizations can prevent
unauthorized users from compromising virtual machines, which could lead to data
breaches.
• By controlling access to cloud services and granting each identity only the
permissions it needs (least privilege), organizations limit what a privileged insider, or
an attacker holding that insider's credentials, can steal or damage.

Enforce Secure API Access


Ensuring that clients only access cloud applications via secure APIs is important for
several reasons:

• Security: APIs are the main entry point for clients to access cloud applications and
data, so it is crucial to ensure that these APIs are secure and that only authorized
clients can access them. This helps to prevent unauthorized access to data and
resources, as well as to protect against various types of attacks, such as injection
attacks, cross-site scripting, and other malicious activities.
• Authentication and authorization: Secure APIs can use mechanisms such as
token-based authentication, multi-factor authentication, and role-based access
controls to ensure that only authorized clients can access the cloud application and
its resources.
• Data validation: By using secure APIs, organizations can validate the data received
from clients before processing it. This ensures that the data is in the correct format
and does not contain malicious payloads.
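As an added example (not code from the original notes) covering both the "Insecure APIs" item earlier and this section, the following Python gate performs the three checks in order: bearer-token authentication with a constant-time comparison, role-based authorization against an explicit permission table, and allow-list validation of the request parameter so that an injection payload is rejected before it reaches any backend. The token table, the roles, the route names and the `INV-` identifier format are assumptions made for the example.

```python
"""Bearer-token authentication, role checks and parameter validation at an API gate (added example)."""
import hmac
import re
from dataclasses import dataclass, field

# Constructed token table. Real services get principals from an identity provider or
# verify signed tokens (e.g. JWTs); the values below are invented for the example.
TOKENS = {
    "tok_reader_9f3c": {"subject": "svc-reports", "role": "reader"},
    "tok_admin_71aa": {"subject": "alice", "role": "admin"},
}
ROLE_PERMISSIONS = {
    "reader": {"GET /invoices"},
    "admin": {"GET /invoices", "DELETE /invoices"},
}
INVOICE_ID = re.compile(r"^INV-\d{6}$")   # allow-list pattern, not a deny-list of bad characters


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


class Denied(Exception):
    """Carries the HTTP status and reason the gate would return."""


def authenticate(req):
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Denied("401 missing bearer token")
    presented = auth[len("Bearer "):].encode()
    for token, principal in TOKENS.items():
        if hmac.compare_digest(token.encode(), presented):   # constant-time compare
            return principal
    raise Denied("401 invalid token")


def authorize(principal, req):
    allowed = ROLE_PERMISSIONS.get(principal["role"], set())
    if f"{req.method} {req.path}" not in allowed:
        raise Denied(f"403 role {principal['role']} may not {req.method} {req.path}")


def validate(req):
    invoice = req.params.get("id", "")
    if not INVOICE_ID.fullmatch(invoice):
        raise Denied("400 invalid invoice id")
    return invoice


def handle(req):
    """Authenticate, then authorize, then validate; return a result or an error dict."""
    try:
        who = authenticate(req)
        authorize(who, req)
        invoice = validate(req)
    except Denied as e:
        return {"error": str(e)}
    return {"ok": True, "subject": who["subject"], "action": f"{req.method} {invoice}"}


if __name__ == "__main__":
    reader = {"Authorization": "Bearer tok_reader_9f3c"}
    admin = {"Authorization": "Bearer tok_admin_71aa"}
    print(handle(Request("GET", "/invoices", reader, {"id": "INV-000123"})))
    print(handle(Request("DELETE", "/invoices", reader, {"id": "INV-000123"})))
    print(handle(Request("DELETE", "/invoices", admin, {"id": "INV-000123' OR 1=1--"})))
    print(handle(Request("GET", "/invoices", {}, {"id": "INV-000123"})))
```

The order matters: authenticate first so unauthenticated callers learn nothing about which routes exist, authorize second, validate last. A real service would verify signed tokens from an identity provider instead of comparing against a static table, and would log every `Denied` together with the caller's identity to feed the API-traffic monitoring the section recommends.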

Leverage a CSPM Solution


A cloud security posture management (CSPM) solution is a tool that helps
organizations manage and secure their cloud assets. It can help protect against
cloud attacks in several ways:

• Asset management: A CSPM solution can help organizations identify and inventory
their cloud assets, including the systems and applications running on the cloud, the
data stored in the cloud, and the users and groups that have access to the cloud.
This can help organizations better understand their cloud environment and identify
potential vulnerabilities that could be exploited by attackers.
• Compliance: By providing visibility into the security posture of cloud assets, a CSPM
solution can help organizations identify and remediate any compliance issues that
could expose them to risk.
• Threat detection: By monitoring cloud assets for unusual activity or potential
vulnerabilities, a CSPM solution can help organizations identify and mitigate threats
before they can cause damage.

Research shows cloud security vulnerabilities grow

Recent research shows the number of cloud security incidents is growing. Here are the
biggest contributors to the complicated cloud threat landscape facing modern
enterprises.

The risk involved with enterprise cloud deployments is expanding, with several recent
reports indicating a rise in cloud security incidents and threats.

The 2019 SANS State of Cloud Security survey reported "a significant increase in
unauthorized access by outsiders into cloud environments or to cloud assets."
Nineteen percent of the surveyed organizations reported experiencing such incidents,
compared to 12% in 2017.

Meanwhile, Skybox Security's midyear update on threat trends found that
vulnerabilities in container software increased 46% in the first half of 2019 when
compared to the same period in 2018. They also calculated a 240% increase in
container vulnerabilities over the past two years.

The consequences of a cloud security incident can be significant. A case in point is the
2019 theft of more than 100 million records from Capital One, carried out by a former
AWS employee who used a server-side request forgery (SSRF) flaw in a misconfigured
web application firewall to retrieve temporary IAM credentials from the EC2 instance
metadata service, then used those credentials to list and download data from Capital
One's S3 buckets. The technique was well known at the time, which is why the case is
usually cited as a preventable misconfiguration rather than a novel exploit.

Cybersecurity experts said neither the statistics nor the fallout from breaches is
surprising, as cloud brings both business benefits and new risks in equal measure.

"With all of the positive aspects that come with the digital economy, it can
also be a double-edged sword bringing about significant security threats to
CIOs, CISOs and enterprises if they are not adequately armed to protect
their data," said Satish Thiagarajan, vice president and global head of
cybersecurity at Tata Consultancy Services Ltd.

Modern cloud security threats

The 2019 SANS report looked at what issues were most commonly involved in successful attacks.

These include the following:

▪ credential hijacking, with 49% of survey respondents experiencing this type of attack;

▪ misconfiguration of cloud services or resources, with 42% reporting this as an issue;

▪ privileged user abuse (38%);

▪ unauthorized (rogue) application components or compute instances (31%);

▪ insecure API or interface compromise (29%);

▪ shadow IT (29%);

▪ denial-of-service attacks (29%); and

▪ several other issues, including cloud provider vulnerabilities, each cited by less than
25% of respondents.

The "2019 Cloud Security Report," supported by Netskope and produced by
Cybersecurity Insiders, a 400,000-member information security community,
identified similar trends. It listed the following as top cloud security vulnerabilities:

• insecure interfaces and APIs (cited as the most severe cloud security vulnerability
by 57%);

• misconfiguration of the cloud platform (48%);

• unauthorized access through misuse of employee credentials and
improper access controls (46%);

• external sharing of data (34%);

• hijacking of accounts, services or traffic (32%);

• malicious insiders (31%); and

• denial-of-service attacks (28%).


The root causes of cloud risk
Cybersecurity experts pointed to several factors that contribute to the
modern threat landscape during enterprise cloud deployments.

The lack of governance and oversight is one of the biggest contributors, according to
Dave Shackleford, founder of Voodoo Security and a SANS analyst who authored the
2019 cloud report.

"People go to the cloud without a plan. They lack governance or even conversations
within the organizations," he said.

He noted that business units can -- and often do -- deploy SaaS options
without consulting IT or security, potentially exposing the organization to
risk as a result.

But the business side isn't the only group unwittingly exposing the
organization to risk, he said. IT, with its focus on agility and speed, also
inadvertently introduces vulnerabilities in its use of cloud by exposing
encryption keys, passwords or other sensitive data.

Tony Buffomante, cybersecurity global co-leader for KPMG, offered a similar take.

"Some of the core tech spend has moved out of IT and into business units, so that
means business leaders are making decisions about the technology sourcing and
cloud solutions," Buffomante said. "There's a risk of confusion over who is
responsible [for which security pieces] if the IT organization isn't aware of some of
these cloud usages or isn't involved in negotiating contracts with the cloud
providers."

Buffomante also pointed to the increasing complexity of cloud environments. Most
companies use a mix of on-premises, public cloud and private cloud (including SaaS
offerings). This further increases the cloud security threats that organizations face.

"The multi-cloud environment increases the complexity of monitoring and managing
security," he added, noting that each platform provider has its own security
configurations and monitoring tools that enterprise security teams must track and
learn to use.

Although cloud has created new security challenges for organizations, cybersecurity
leaders said CISOs should rely on the conventional mix of people, processes and
technologies to build adequate defenses. They also suggested layering in new
elements such as cloud access security brokers and updated governance policies to
appropriately address the new realities of cloud security.

"The security team can't just use one process, one tool or one technology
to lock down the critical data and to manage and monitor that going
forward," Buffomante added. "That makes it harder to see individual
security gaps and more difficult to see vulnerabilities."

6 cloud computing security best
practices to follow

1. Use a cloud service that encrypts

One of the best weapons in your defense arsenal is a cloud service that encrypts your
files both in the cloud and on your computer. The distinction that matters here is who
holds the keys: provider-managed encryption at rest protects against a stolen disk but
still lets the provider (and anyone who compromises your account) decrypt your files,
whereas client-side or end-to-end encryption with keys that only you hold ensures that
service providers, their administrators, and third parties cannot read your private
information.
2. Read user agreements

Never sign up for a cloud service without reading the user agreement completely. It
includes vital information that details how the service protects your data and whether,
by signing up, you give permission for the provider to use or sell your information.

Avoid signing anything without a complete understanding of what every clause in the
agreement means. When your service provider updates its privacy policies, it will
usually notify you via email, text, or an alert when you log in. Always read these
notifications to ensure the changes do not negatively affect your data.

3. Enable two-factor authentication

When provided with the option, always use two-factor authentication to avoid cloud
security issues. This means anyone who signs into your account will need something
in addition to your password. Common methods include:

• Authenticator apps (time-based one-time codes)
• Hardware security keys
• Temporary codes sent by SMS or email
• Biometric logins
• Security questions
• Personal PINs

These are not equally strong. Security questions and PINs are, like a password,
something you know, so they do not add a genuinely separate factor, and SMS codes
can be intercepted through SIM swapping; prefer an authenticator app or a hardware
key where the service supports one.

Not all accounts will automatically ask you to set up a secondary identifier, so check
your settings to see if the option is available.

4. Don’t share personal information

Some of your personal information may seem unimportant, but if it falls into the
wrong hands, it could compromise your identity. Always avoid publicly providing
information that may be used to answer security questions, like:

• Your birthdate
• Your mother's maiden name
• The name of the street you grew up on
• The name of your first pet
• The city where you met your significant other

Some providers allow you to choose your own questions to answer for
verification. If you have the option, use questions and answers that
you can remember but that most people wouldn't easily be able to
learn about you, such as an embarrassing childhood nickname or
where you went on your first date.

5. Don’t store sensitive data

Avoid storing sensitive information in the cloud unless it is encrypted with keys you
control, to prevent blackmail or embarrassment if it falls into the wrong hands. In
addition to the obvious, such as your Social Security number, copies of your IDs, or
financial statements (even old ones), consider what other information someone could
get their hands on. Never keep intimate pictures or private interactions with partners in
the cloud, and if you are sensitive about items such as diet progress pictures, avoid
storing those as well.

6. Do your research
Before deciding to move your personal or professional data to the
cloud, it’s important to do your research. You need to understand the
ins and outs of the CSP you've chosen to help mitigate the chances of
you becoming a victim of today’s cloud security risks. You should
know who has access to your information, who’s in charge of
data security, and the current cloud network
security protocols in place.

Use the cloud safely


Despite cloud computing allowing you the convenience of accessing
your data at your fingertips from almost anywhere in the world, there
are still cloud security risks to keep in mind that could threaten your
Cyber Safety. Take note of these cloud security issues and best
practices for peace of mind when managing your most precious
documents, photos, and files.


what are cloud security threats and vulnerabilities to cloud data. Elaborate each and how to
mitigate them?

Cloud security threats and vulnerabilities are a growing concern for businesses that
rely on cloud-based services. These threats can exploit weaknesses in cloud
environments to access, steal, or modify sensitive data. It is crucial for organizations
to understand these risks and take steps to mitigate them.

1. Misconfigurations:

Misconfigurations occur when cloud resources are not properly configured or secured,
leaving them vulnerable to exploitation by attackers. These misconfigurations can
range from simple mistakes, such as leaving default passwords in place or a storage
bucket readable by anyone, to more complex issues, such as over-permissive security
groups or IAM policies.

Mitigation:

• Use Infrastructure as Code (IaC) tools to automate cloud resource configuration and
ensure consistency, and scan the IaC templates for insecure settings before they are
deployed.

• Implement cloud security best practices and guidelines, such as the Cloud Security
Alliance (CSA) Cloud Controls Matrix (CCM) or the CIS Benchmarks for your provider.

• Regularly review and audit cloud resource configurations to identify and remediate
misconfigurations.

2. Data breaches:

Data breaches involve the unauthorized access and theft of sensitive data,
such as customer information, financial data, or intellectual property.
Cloud-based data is particularly exposed because it is reachable over the
internet and is often concentrated in large volumes in a single storage
service, so one misconfiguration or one stolen credential can expose all of it.

Mitigation:

• Encrypt sensitive data both at rest and in transit to protect it from
unauthorized access. Use strong, standard encryption algorithms and sound
key management practices: keep keys in a managed key management service
or HSM, separate from the data they protect, and rotate them.

• Implement data loss prevention (DLP) solutions to prevent sensitive
data from being accidentally or intentionally shared or exported
outside authorized channels.

• Regularly monitor cloud storage for unauthorized access and data
exfiltration attempts, using the provider's access logs and alerts.

3. Insecure APIs:

APIs are used to connect applications and services. Insecure APIs can be
exploited to gain unauthorized access to cloud resources, steal sensitive
data, or manipulate system behavior.

Mitigation:

• Implement API security best practices, such as using strong
authentication mechanisms, validating input data, and protecting
against common API weaknesses (broken object-level authorization,
excessive data exposure in responses, and missing rate limiting).

• Monitor API traffic for suspicious activity, such as unusual access
patterns or attempts to access unauthorized resources.

• Regularly scan APIs for vulnerabilities using automated tools and
manual penetration testing.

4. Unauthorized access:

Unauthorized access occurs when an individual gains access to a cloud
account without proper authorization. This can happen through stolen
credentials, phishing attacks, or other means.

Mitigation:

• Implement strong identity and access management (IAM) controls to
manage user access to cloud resources. Use strong passwords,
multi-factor authentication (MFA), and least privilege principles.

• Educate employees about phishing attacks and social engineering
scams, and provide them with tools to identify and avoid these
threats.

• Monitor cloud access logs for suspicious activity, such as login
attempts from unusual locations or unauthorized access to sensitive
resources.

5. Distributed denial-of-service (DDoS) attacks:

DDoS attacks aim to overwhelm cloud resources with traffic from many
sources at once, making them unavailable to legitimate users. These attacks
can disrupt business operations and cause significant financial losses.

Mitigation:

• Implement DDoS mitigation solutions that can detect and filter
malicious traffic before it reaches cloud resources.

• Choose a CSP with a strong DDoS protection infrastructure and
service level agreements (SLAs) for DDoS mitigation.

• Regularly test DDoS mitigation plans and procedures to ensure they
are effective in protecting against large-scale attacks.

6. Malicious insiders:

Malicious insiders are employees or contractors who have authorized
access to a cloud environment but use it to harm the organization. They
may steal data, sabotage systems, or install malware.

Mitigation:

• Implement strong access controls and role-based access controls
(RBAC) to restrict access to sensitive data and resources.

• Monitor insider activity for suspicious behavior, such as unauthorized
access to sensitive data or unusual data transfers.

• Conduct regular background checks and security awareness training
for employees and contractors.

By implementing these mitigation strategies, organizations can significantly
reduce the risk of cloud security breaches and protect their valuable data
and systems. It is important to remember that cloud security is an ongoing
process that requires continuous vigilance and adaptation to evolving
threats.

What are cloud security threats and vulnerabilities to access control?
Elaborate each and how to mitigate them.

Cloud security threats and vulnerabilities to access control are a major
concern for organizations that rely on cloud-based services. Access control
is a critical component of cloud security, as it ensures that only authorized
users can access and modify cloud resources. However, weaknesses in
access control can expose sensitive data and systems to exploitation.

1. Unauthorized Access

Unauthorized access occurs when an individual gains access to a cloud
account or resource without proper authorization. This can happen through
various means, such as:

• Stolen credentials: Attackers steal credentials through phishing
attacks, social engineering scams, or by exploiting vulnerabilities in
authentication mechanisms. Once they have credentials, they can
impersonate legitimate users and gain access to cloud resources.

• Misconfigured access policies: Access policies that are too
permissive or contain errors can grant unauthorized access to
sensitive data or resources. For example, a policy that grants all
users access to a data storage bucket instead of limiting access to
specific users or groups would allow unauthorized individuals to
access the data.

• Misconfigured security groups: Security groups are used to control
network traffic to and from cloud resources. Misconfigured security
groups can allow unauthorized access to resources by exposing
them to the public internet or granting access to unauthorized users.

Mitigation Strategies:

• Implement multi-factor authentication (MFA): MFA requires users to
provide additional verification beyond just a username and password,
such as a code from a mobile app or a fingerprint scan. This makes it
much harder for attackers to gain unauthorized access even if they
have stolen credentials.

• Implement least privilege: The principle of least privilege states that
users should only be granted the minimum level of access necessary
to perform their job duties. This helps to limit the potential damage if
a user's account is compromised.

• Regularly review access policies: Access policies should be reviewed
regularly to ensure that they are up to date and aligned with the
organization's security requirements. Revoke access for inactive or
terminated users and remove unnecessary permissions.
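A concrete way to catch the two misconfigurations described above (a resource policy open to any principal, and a security group exposing an administrative port to the internet) is to lint the policy documents before they are applied and again on a schedule afterwards, which is what the "regularly review access policies" bullet amounts to in practice. The Python below is an added example, not code from these notes or from any cloud provider. The policy document shape follows the AWS IAM JSON conventions (Statement, Effect, Principal, Action, Resource); the security-group rule shape, the account number (the placeholder AWS uses in its own documentation) and all sample documents are constructed for illustration. The same checker also flags wildcard-action policies, which are the usual starting point for the privilege escalation discussed in the next section.

```python
"""Added example: lint cloud access policies and security-group rules for the
over-permissive settings described above. Not from the notes; the policy
layout follows AWS IAM JSON conventions, the rule layout and all sample
documents below are constructed (assumptions) for illustration."""
import ipaddress
import json

# Ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379, 27017}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means 'anyone', including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def check_policy(policy):
    """Return findings (strings) for an IAM-style policy document.

    Flags unconditional Allow statements open to any principal, and Allow
    statements whose actions include "*" or "iam:*" (enough to grant
    oneself more privileges).
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if _principal_is_public(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"statement {i}: any principal may {actions} on {resources}")
        if "*" in actions or "iam:*" in actions:
            findings.append(f"statement {i}: wildcard action {actions} on {resources}")
    return findings


def check_security_group(rules):
    """Return findings for ingress rules shaped like
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}.

    A rule is world-reachable when its CIDR has a zero-length prefix
    (0.0.0.0/0 or ::/0). Such a rule is flagged if it covers all ports
    (protocol "-1", the 'all traffic' convention) or any administrative port.
    """
    findings = []
    for rule in rules:
        if ipaddress.ip_network(rule["cidr"], strict=False).prefixlen != 0:
            continue  # restricted to a specific network: fine for this check
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        if rule.get("protocol") == "-1" or (lo, hi) == (0, 65535):
            findings.append(f"all ports open to {rule['cidr']}")
            continue
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(f"ports {exposed} open to {rule['cidr']}")
    return findings


# --- constructed sample documents (not from the notes) -----------------------
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-customer-data/*"]}],
}
ADMIN_ROLE_POLICY = {  # "Action": "*" on "Resource": "*" is full administrator
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
}
SAFE_BUCKET_POLICY = {  # one named role, one action, one prefix
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-customer-data/*"}],
}
WEAK_SG = [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
           {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]
FIXED_SG = [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
            {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]


def audit():
    """Run every check and return {name: findings}; empty lists mean clean."""
    return {
        "public bucket policy": check_policy(PUBLIC_BUCKET_POLICY),
        "admin role policy": check_policy(ADMIN_ROLE_POLICY),
        "safe bucket policy": check_policy(SAFE_BUCKET_POLICY),
        "weak security group": check_security_group(WEAK_SG),
        "fixed security group": check_security_group(FIXED_SG),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

Port 443 open to the world is deliberately not a finding: a public web endpoint is a design decision, while SSH or a database port reachable from any address is almost always a mistake. The public-principal check skips statements that carry a Condition block because some of those are legitimately scoped (for example to one VPC endpoint); a stricter reviewer would inspect the condition keys rather than trust them.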

2. Privilege Escalation

Privilege escalation occurs when an authorized user gains access to
unauthorized privileges beyond their assigned level of access. This can
happen through various means, such as:

• Exploiting vulnerabilities in software: Attackers may exploit
vulnerabilities in software to gain elevated privileges. For example, a
vulnerability in a web application could allow an attacker to execute
arbitrary code on the server, which could then be used to gain access
to sensitive data or systems.

• Misconfigured access controls: Misconfigured access controls, such
as overly permissive access policies or poorly configured security
groups, can allow authorized users to gain access to unauthorized
resources or privileges. In cloud IAM this typically means an identity
that is allowed to attach policies to itself, create access keys for other
users, or pass a more privileged role to a service it controls.

Mitigation Strategies:

• Implement regular vulnerability scanning: Regularly scan cloud
environments for vulnerabilities in software and infrastructure. Apply
security patches and updates promptly to address known
vulnerabilities.

• Implement role-based access control (RBAC): RBAC assigns access
permissions based on user roles and job functions. This helps to
prevent unauthorized access by ensuring that users only have the
permissions they need to perform their job duties.

• Monitor user activity: Monitor user activity to detect suspicious
behavior, such as unauthorized access attempts or unusual privilege
changes. Investigate any anomalies promptly to identify and
remediate potential threats.
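The monitoring bullets in this section and the previous one (login attempts from unusual locations, failed logins followed by success, unusual privilege changes) are easiest to understand as detection rules run over the provider's audit trail. The Python below is an added example, not code from the notes: it runs three such rules over a handful of constructed events whose field names follow the CloudTrail event layout (eventTime, eventName, userIdentity.userName, sourceIPAddress, responseElements, requestParameters). The IP-to-country table and the per-user baseline countries are constructed stand-ins for a GeoIP lookup and a learned baseline; the IAM call names in PRIV_EVENTS are real API names, but which of them count as "unusual" for a given user is an assumption of the example.

```python
"""Added example: three detection rules over cloud audit-log events, for the
'monitor access logs' and 'monitor privilege changes' mitigations above.
Not from the notes. Field names follow the CloudTrail event layout; the
events, the GEO table and the baselines are constructed (assumptions)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP lookup and for each user's normal countries.
GEO = {"203.0.113.7": "IN", "198.51.100.23": "IN", "192.0.2.44": "RU"}
BASELINE_COUNTRIES = {"alice": {"IN"}, "bob": {"IN"}}

# IAM calls that change who can do what (real API names).
PRIV_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
               "AddUserToGroup", "CreateAccessKey", "UpdateAssumeRolePolicy"}
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Return (rule, subject, detail) alerts in event order.

    Rules: brute-force (N failed console logins from one IP in a window),
    failed-then-success (a success from an IP that just brute-forced),
    new-location (login from a country outside the user's baseline),
    privilege-change (admin policy attached, or a principal touching
    another user's credentials).
    """
    alerts = []
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    for e in sorted(events, key=_when):
        t, name = _when(e), e["eventName"]
        user, ip = e["userIdentity"].get("userName", "?"), e["sourceIPAddress"]
        if name == "ConsoleLogin":
            recent = failures[ip]
            while recent and t - recent[0] > FAIL_WINDOW:
                recent.popleft()  # forget failures outside the window
            if e.get("responseElements", {}).get("ConsoleLogin") != "Success":
                recent.append(t)
                if len(recent) == FAIL_THRESHOLD:
                    alerts.append(("brute-force", ip,
                                   f"{FAIL_THRESHOLD} failed logins in {FAIL_WINDOW}"))
                continue
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("failed-then-success", ip,
                               f"{user} logged in after {len(recent)} failures"))
            country = GEO.get(ip, "unknown")
            if country not in BASELINE_COUNTRIES.get(user, set()):
                alerts.append(("new-location", user, f"login from {ip} ({country})"))
        elif name in PRIV_EVENTS:
            params = e.get("requestParameters", {})
            target = params.get("userName", user)
            if "AdministratorAccess" in params.get("policyArn", "") or target != user:
                alerts.append(("privilege-change", user, f"{name} {params}"))
    return alerts


def _event(time, name, user, ip, **extra):
    """Build a constructed event in CloudTrail shape."""
    e = {"eventTime": time, "eventName": name,
         "userIdentity": {"userName": user}, "sourceIPAddress": ip}
    e.update(extra)
    return e


# Constructed sample: five failures then a success from an unfamiliar country,
# a self-granted admin policy, and ordinary activity by another user.
SAMPLE_EVENTS = [
    _event(f"2024-05-01T09:0{i}:00Z", "ConsoleLogin", "alice", "192.0.2.44",
           responseElements={"ConsoleLogin": "Failure"},
           errorMessage="Failed authentication")
    for i in range(5)
] + [
    _event("2024-05-01T09:05:00Z", "ConsoleLogin", "alice", "192.0.2.44",
           responseElements={"ConsoleLogin": "Success"}),
    _event("2024-05-01T09:10:00Z", "AttachUserPolicy", "alice", "192.0.2.44",
           requestParameters={"userName": "alice",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _event("2024-05-01T09:30:00Z", "ConsoleLogin", "bob", "203.0.113.7",
           responseElements={"ConsoleLogin": "Success"}),
    _event("2024-05-01T09:31:00Z", "CreateAccessKey", "bob", "203.0.113.7",
           requestParameters={"userName": "bob"}),
]

if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:20} {subject:15} {detail}")
```

The sample produces four alerts in order: the fifth failure from 192.0.2.44 trips brute-force, the success a minute later trips failed-then-success and new-location (Russia is not in alice's baseline), and the AdministratorAccess attachment trips privilege-change; bob's login from a baseline country and his own access-key creation stay quiet. In production the GEO table becomes a GeoIP lookup, the baseline is learned from a few weeks of history, and the thresholds are tuned per tenant.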

3. Data Exfiltration

Data exfiltration involves the unauthorized transfer of sensitive data from a
cloud environment to an unauthorized location. This can happen through
various means, such as:

• Uploading data to unauthorized cloud storage: Users may upload
sensitive data to unauthorized cloud storage services, such as
personal cloud storage accounts or file sharing services.

• Embedding data in emails or documents: Attackers may embed
sensitive data in emails or documents and then send them to external
parties.

• Using compromised accounts to extract data: Attackers may
compromise user accounts and then use those accounts to extract
sensitive data from cloud storage or other cloud resources.

Mitigation Strategies:

• Implement data loss prevention (DLP): DLP solutions prevent
sensitive data from being accidentally or intentionally shared or
exported outside authorized channels. DLP tools can block data
transfers that violate data protection policies.

• Encrypt sensitive data: Encrypt sensitive data both at rest and in
transit to protect it from unauthorized access. Use strong encryption
algorithms and key management practices. Note that encryption at rest
does not stop a compromised account that is authorized to read the
data; it has to be paired with the access controls above.

• Educate employees: Train employees on proper data handling
practices, such as not sharing sensitive data with unauthorized
individuals or uploading it to unauthorized locations.
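The DLP bullet above says the tool should block transfers that violate a data protection policy; the core of such a tool is a content classifier that recognises sensitive data reliably enough not to block every string of digits. The Python below is an added example, not code from the notes or from any DLP product. It matches payment card numbers (confirmed with the Luhn check digit, so order numbers and timestamps are not flagged), cloud access key IDs (the AKIA/ASIA prefix format that AWS documents, using the example key AWS itself publishes as sample input, not a real credential) and a document marker, then decides allow, quarantine or block and redacts the matches for the audit log. The sample messages are constructed.

```python
"""Added example: a small DLP content classifier for the 'implement data
loss prevention' mitigation above. Not from the notes or any product; the
sample messages are constructed. The access-key pattern is the documented
AWS access key ID format; the example key is the one AWS publishes in its
documentation, not a real credential."""
import re

# A card number is 13-19 digits, possibly separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AWS access key IDs: 'AKIA' (long-term) or 'ASIA' (temporary) + 16 chars.
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b")


def luhn_ok(digits):
    """Luhn check digit test: true for well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return (kind, severity, matched_text) for every sensitive item found.

    Digit runs that fail the Luhn check (order numbers, timestamps) are
    ignored, which is what keeps the false-positive rate tolerable.
    """
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card-number", "high", m.group()))
    for m in AWS_KEY_RE.finditer(text):
        findings.append(("aws-access-key", "high", m.group()))
    for m in MARKER_RE.finditer(text):
        findings.append(("confidential-marker", "medium", m.group()))
    return findings


def decide(text):
    """Policy: any high-severity item blocks; medium-only quarantines."""
    findings = classify(text)
    severities = {sev for _, sev, _ in findings}
    if "high" in severities:
        return "block", findings
    if findings:
        return "quarantine", findings
    return "allow", findings


def redact(text):
    """Mask high-severity matches for logging: keep only the last 4 chars."""
    for _, sev, match in classify(text):
        if sev == "high":
            text = text.replace(match, "*" * (len(match) - 4) + match[-4:])
    return text


# Constructed sample messages (not real data).
OUTBOUND_EMAIL = ("Hi, card 4111 1111 1111 1111 was charged twice, order 4111111111111112. "
                  "Deploy key AKIAIOSFODNN7EXAMPLE is in the attached CONFIDENTIAL doc.")
STATUS_REPORT = "CONFIDENTIAL: migration finishes 2024-05-01, 1234 tickets closed."
NEWSLETTER = "Call +91 98765 43210 for support. Order 1234567890123 shipped."

if __name__ == "__main__":
    for msg in (OUTBOUND_EMAIL, STATUS_REPORT, NEWSLETTER):
        action, found = decide(msg)
        print(action, [(k, s) for k, s, _ in found])
        print("  ", redact(msg))
```

The first message is blocked (a Luhn-valid card number and an access key), the second is quarantined on the marker alone, and the newsletter is allowed even though it contains a 13-digit order number, because that number fails the Luhn check. Real products add many more detectors, contextual rules (who is sending to whom) and exact-match fingerprints of known documents, but the allow/quarantine/block decision and the redaction for logging look the same.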

4. Denial-of-Service (DoS) Attacks

DoS attacks aim to disrupt or overwhelm cloud resources, making them
unavailable to legitimate users. This can happen through various means,
such as:

• Flooding the cloud environment with excessive traffic: Attackers flood
the cloud environment with a large number of requests, causing it to
slow down or become unavailable.

• Exploiting vulnerabilities in cloud infrastructure: Attackers exploit
vulnerabilities in cloud infrastructure to disrupt or disable cloud
services.

Mitigation Strategies:

• Implement DDoS mitigation solutions: DDoS mitigation solutions can
detect and filter malicious traffic before it reaches cloud resources.
These solutions can also help to absorb the impact of an attack and
keep cloud services available to legitimate users.

• Choose a cloud service provider (CSP) with a strong

5. Misconfigured Access Policies: Misconfigured access policies can
grant unauthorized access to sensitive data or resources. This can
happen through errors in granting permissions, leaving default
configurations unchanged, or failing to follow proper access control
principles.

Mitigation strategies:

• Implement strong identity and access management (IAM): IAM provides a
framework for managing user identities, access permissions, and
authentication mechanisms. Use strong passwords, multi-factor authentication
(MFA), and least privilege principles.

• Enforce role-based access control (RBAC): RBAC restricts access to
resources based on user roles and job functions. Assign access permissions
based on the minimum level of access required for each role.

• Regularly review access permissions: Periodically review access permissions
to ensure they remain aligned with users' roles and responsibilities. Remove
unnecessary permissions and revoke access for inactive or terminated users.

• Monitor access activity: Continuously monitor cloud access logs to detect
suspicious activity. Identify and investigate unauthorized access attempts,
data exfiltration attempts, or unusual permission changes.

• Implement data loss prevention (DLP): DLP solutions prevent sensitive data
from being accidentally or intentionally shared or exported outside authorized
channels. Utilize DLP tools to define data protection policies and monitor data
transfers.

• Educate employees: Provide cybersecurity awareness training to employees
to help them identify and avoid phishing attacks, social engineering scams,
and other common threats. Train employees on proper password
management, secure data handling practices, and reporting suspicious
activity.

• Regularly update software and patch vulnerabilities: Promptly apply security
patches and updates to cloud software and infrastructure to address known
vulnerabilities that could be exploited for unauthorized access or privilege
escalation.

• Implement access control lists (ACLs): ACLs define specific permissions for
users or groups to access and modify cloud resources. Use ACLs to restrict
access to sensitive data and resources based on the principle of least
privilege.

• Utilize cloud security monitoring tools: Employ cloud security monitoring tools
to gain visibility into cloud activity and identify potential threats. Use these
tools to detect anomalous behavior, unauthorized access attempts, and
misconfigured access policies.

• Conduct regular security audits: Regularly conduct security audits of cloud
environments to identify and remediate vulnerabilities in access control
policies, configurations, and software. Engage external security professionals
to perform independent assessments.

What is Risk Management in Cloud Computing?

Process of Risk Management

Risk management is a cyclically executed process comprising a set of activities for
overseeing and controlling risks. It follows a series of five steps, which drive an
organisation to formulate a better strategy for tackling upcoming risks. These steps are
referred to as the Risk Management Process and are as follows:

• Identify the risk
• Analyze the risk
• Evaluate the risk
• Treat the risk
• Monitor or Review the risk

Now, let us briefly understand each step of the risk management process in cloud computing.

1. Identify the risk - The risk management process starts with the
identification of the risks that may negatively influence an organisation's strategy or
compromise cloud system security. Operational, performance, security, and privacy
requirements are identified. The organisation should uncover, recognise and describe
risks that might affect the working environment. Some risks in cloud computing
include cloud vendor risks, operational risks, legal risks, and attacker risks.
2. Analyze the risk - After the identification of the risk, the scope of the risk is
analyzed. The likelihood and the consequences of the risks are determined. In cloud
computing, the likelihood is determined as a function of the threats to the system,
the vulnerabilities, and the consequences of these vulnerabilities being exploited. In the
analysis phase, the organisation develops an understanding of the nature of the risk and its
potential to affect organisation goals and objectives.
3. Evaluate the risk - The risks are then ranked based on the severity of the impact
they would have on information security and the probability of their occurring. The
organisation then decides whether each risk is acceptable or serious enough to call
for treatment.
4. Treat the risk - In this step, the highest-ranked risks are treated to eliminate them or
reduce them to an acceptable level. Risk mitigation strategies and preventive
plans are set out to minimise the probability of negative risks and enhance
opportunities. Security controls are implemented in the cloud system and are
assessed by proper assessment procedures to determine whether the controls are
effective in producing the desired outcome.
5. Monitor or Review the risk - Monitor the security controls in the cloud
infrastructure on a regular basis, including assessing control effectiveness and
documenting changes to the system and the working environment. Part of the
mitigation plan includes following up on risks to continuously monitor and track new
and existing risks.

The steps of the risk management process should be executed concurrently, by individuals or
teams in well-defined organisational roles, as part of the System Development Life
Cycle (SDLC) process. Treating security as an add-on to the system, and running the risk
management process in cloud computing independently of the SDLC, is more difficult
and can incur higher cost with a lower potential to mitigate risks.

Types of Risks in Cloud Computing

This section covers the primary risks associated with cloud computing.

1. Data Breach - A data breach is unauthorized access to the confidential data of
the organisation by a third party such as an attacker. In cloud computing, the data of the
organisation is stored off-premises, on the cloud service provider's (CSP's)
infrastructure. Thus an attack that targets data stored on the CSP's servers may
affect all of its customers.
2. Cloud Vendor Security Risk - Every organisation takes services offered by different
cloud vendors. The inability of these cloud vendors to provide data security and
risk mitigation directly affects the organisation's business plan and growth. Also,
migrating from one vendor to another is difficult due to the different interfaces and
services provided by these cloud vendors.
3. Availability - Any loss of internet connectivity disrupts the cloud provider's services,
making them inoperative. It can happen at both the user's and the cloud service
provider's end. An effective risk management plan should focus on availability of
services by creating redundancy in servers on the cloud, such that other servers can
provide those services if one fails.
4. Compliance - The service provider might not follow the external audit process,
exposing the end user to security risks. If a data breach at the cloud service provider's
end exposes personal data, the organisation may be held accountable due to improper
protection and agreements.

Apart from these risks, cloud computing carries various security risks that fall under two main
categories:

• Internal Security Risks
• External Security Risks

Internal Security Risks

Internal security risks in cloud computing include the challenges that arise due to
mismanagement by the organisation or the cloud service provider. Some internal security risks
are:

1. Misconfiguration of settings - Misconfiguration of cloud security settings, either by
the organisation's workforce or by the cloud service provider, creates the risk of a data
breach. Most small businesses' cloud security and risk management are inadequate for
protecting their cloud infrastructure.
2. Malicious Insiders - A malicious insider is a person working in the organisation who
therefore already has authorized access to the confidential data and resources of the
organisation. With cloud deployments, organisations lack control over the underlying
infrastructure, making it very hard to detect malicious insiders.

External Security Risks

External security risks are threats to an organisation arising from the improper handling of
resources by its users and from targeted attacks by hackers. Some of the external security risks
are:

1. Unauthorized Access - The cloud-based deployment of the organisation's
infrastructure is outside the network perimeter and directly accessible from the public
internet. Therefore, it is easier for an attacker with compromised credentials to gain
unauthorized access to the server.
2. Account Hijacking - The use of a weak or reused password allows attackers to
gain control over multiple accounts using a single stolen password. Moreover,
organisations using cloud infrastructure often cannot identify and respond to such
threats.
3. Insecure APIs - The Application Programming Interfaces (APIs) provided by the
cloud service provider to the user are well documented for ease of use. That same
documentation tells a potential attacker exactly how to reach the organisation's data
and resources, so any API exposed without strong authentication, input validation and
rate limiting becomes a direct path to them.

Need for Risk Management

The risks discussed above are the primary security concern for individuals, businesses, and
organisations. If actualized, some risks may cause a business to close. These risks need to be
treated proactively by implementing risk management strategies. By implementing a risk
management plan and considering the various potential risks or events before they occur, an
organisation may save money and time and protect its future. This is because a robust risk
management plan will help an organisation establish procedures to prevent potential threats
and minimise their impact if they occur. This ability to understand and control risks allows
organisations to be more confident in their business decisions. Moreover, effective risk
management helps organisations to understand the processes deeply and provide information
that can be used to make informed decisions to provide increased levels of security and
ensure that the business remains profitable. In cloud computing, the organisation sets risk
management plans which help them to identify appropriate cloud vendors and service
providers, make proper service-level agreements and set up better budgeting plans.

Benefits of Risk Management

Risk management enables organisations to ensure that any potential threats to cloud deployments'
security, assets, and business plans are identified and treated before they derail the
organisation's goals. It has far-reaching benefits that can fundamentally change the
decision-making process of the organisation. Here are some benefits of robust risk management:

1. Forecast Probable Issues - The risk management process in cloud computing
identifies all the possible risks or threats associated with the cloud service provider,
the cloud vendor, the organisation, and the users. It helps an organisation to mitigate
risks by implementing appropriate control strategies and create a better business plan.
2. Increases the scope of growth - Risk management in cloud computing forces
organisations to study the risk factors in detail. Thus, the workforce is aware of all the
possible catastrophic events, and the organisation creates a framework that can be
deployed to avoid risks that are detrimental to both the organisation and the
environment. Hence, risk management enables organisations to take calculated risks
and accelerate their growth.
3. Business Process Improvement - Risk management requires organisations to collect
information about their processes and operations. As a result, organisations can find
inefficient processes or the scope for improvement in a process.
4. Better Budgeting - Organisations implementing risk management strategies often
have clear insights into their finances. Thus, they can create more efficient budgets to
implement risk management plans and achieve the organisational goals.

Data Protection Risk: Cloud's Impact on IT Operations

With IT companies switching infrastructure to cloud deployments, managing data protection
risk becomes essential. Region-specific data protection laws make it hard for companies to
comply with the regulations. Moreover, with personal data stored in the cloud, determining
the geographical location of the data can be challenging, so it becomes difficult to
establish which law applies. This creates a hurdle for the IT operations of the company. Let
us consider an example: an enterprise uses cloud infrastructure to provide services to its
users. The personal data of its users could be stored anywhere in the world, such as the EU or
India, and each geographical region has its own data protection rules and regulations. To comply
with these regulations, the enterprise must provide different solutions, which increases the
workload and redundancy for IT operations.

Best Practices for Risk Management in Cloud Computing

An effective risk management process is a mix of coordinated governance and internal
controls. It coordinates the engagement of managers, employees, and stakeholders at each
step to embrace risk-taking as an avenue for growth and opportunity. The following are the
best practices for managing the risks in cloud computing:

1. Choose the cloud service provider wisely - Perform a cloud vendor risk assessment
for contract clarity, availability, security, ethics, compliance, and legal liabilities.
Make sure the cloud service provider (CSP) and its own sub-providers can deliver the
services accordingly.
2. Deploy Technical Safeguards such as a Cloud Access Security Broker - A Cloud
Access Security Broker (CASB) is on-premises or cloud-based software that acts
as an intermediary between cloud service providers and consumers, to monitor
activity and enforce the organisation's security policy for accessing cloud applications.
3. Establish controls based on risk treatment - After identification, analysis, and
evaluation of the risk, dedicated measures need to be taken to mitigate risks and drive
the business processes to improve. Organisations should delete unwanted data from
the hosted cloud.
4. Optimized cloud service model - Adopt a cloud service model that promotes
achieving a business solution, minimizes risks, and optimizes cloud investment cost.
5. Strategize Availability of Services - Create redundancy of servers across regions and
zones. In this way, if one connection fails, it will not stop the operation of the
services.

Conclusion
• With the boost in cloud deployments by organisations, risk management in cloud
computing helps to identify and mitigate the risks and protect organisation assets.
• Risk management in cloud computing follows a process that involves identification,
analysis, evaluation, treatment, and monitoring of the risks.
• Cloud computing involves a high risk of data breaches, loss of availability and cyberattacks.
• Risk management in cloud computing helps organisations to derive a better business
solution while forecasting and minimising as many risk factors as possible.
• Good practices such as better availability, CSP selection, and technical safeguards
deployment should be followed to minimize cloud-based risks.

Risk assessment and management in cloud.

1 Answer, written by teamques10:
Cloud computing is recognized as the most promising computing paradigm of the
last several years. Actually, a lot of Cloud computing models have arisen, each one
offering different characteristics or services, at different degrees of flexibility and
involving distinct risks.
Given the fact that Cloud computing encompasses new technologies such as
virtualization, there are both new risks to be determined and old risks to be
re-evaluated. According to the risk management standard of the Institute of Risk
Management (IRM), a risk can be defined as "the combination of the probability of an
event and its consequences". In general, in all types of businesses there are events
which represent opportunities for benefit or threats to success, i.e. positive and
negative aspects of risks, respectively.
Thus, and in contrast to traditional risk avoidance strategies, accepting some risks
leads to obtaining remarkable benefits.
Risk Management is the process whereby organizations treat, in a methodical
way, risks related to their activities. The main goal is to obtain benefits and
sustainable value within each activity and across all of them.
Actually, it is a fundamental part of any organization's strategic management.
Entering into detail on its core sub-process, i.e. risk assessment, there are three primary
methods: qualitative, which uses simple calculations and thus does not need
to determine the numerical value of all assets at risk and threat frequencies;
quantitative, which assigns numerical values to both impact and likelihood of risks;
and semi-quantitative (or hybrid), which is less numerically intensive than quantitative
methods and classifies (prioritizes) risks according to consequences and foreseen
probabilities.
Risk management in cloud involves the following tasks:
• risk identification
• risk analysis and evaluation
• selection of counter measures
• deployment of suitable counter measures
• continuous monitoring to assess effectiveness of the solution
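Both the Evaluate step in the process description above (rank risks by severity of impact and probability, then decide whether each is acceptable or needs treatment) and the answer's distinction between quantitative and semi-quantitative assessment come down to a small amount of arithmetic over a risk register. The Python below is an added example, not from the notes or from the answer: it scores each risk semi-quantitatively on a 5x5 likelihood-by-impact matrix, computes the quantitative annualised loss expectancy (ALE = single loss expectancy x annualised rate of occurrence, the standard quantitative formula), ranks the register against a risk appetite, and shows the Treat step by valuing a control as the ALE it removes minus what it costs per year. The register entries, the band cut-offs and every figure are constructed.

```python
"""Added example: semi-quantitative scoring, quantitative ALE and a treat/
accept decision over a risk register, for the Evaluate and Treat steps and
the assessment methods discussed above. Not from the notes; the register
and every figure in it are constructed (assumptions)."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int         # 1 (rare) .. 5 (almost certain), semi-quantitative
    impact: int             # 1 (negligible) .. 5 (severe), semi-quantitative
    asset_value: float      # value of the affected asset, in currency units
    exposure_factor: float  # fraction of the asset lost in one event (0..1)
    aro: float              # annualised rate of occurrence (events per year)

    def score(self):
        """Semi-quantitative 5x5 matrix score: likelihood x impact (1..25)."""
        return self.likelihood * self.impact

    def sle(self):
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualised loss expectancy: SLE x ARO, the quantitative figure."""
        return self.sle() * self.aro


def rating(score):
    """Qualitative band for a 5x5 score (cut-offs are a constructed choice)."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def evaluate(register, appetite=9):
    """Evaluate step: rank the register and decide treat vs accept.

    Returns (name, score, rating, ALE, decision) tuples, highest risk
    first. A risk whose matrix score exceeds the appetite must be treated;
    ALE breaks ties between equal scores.
    """
    ranked = sorted(register, key=lambda r: (r.score(), r.ale()), reverse=True)
    return [(r.name, r.score(), rating(r.score()), round(r.ale(), 2),
             "treat" if r.score() > appetite else "accept") for r in ranked]


def control_value(risk, annual_cost, new_aro=None, new_exposure=None):
    """Treat step: annual ALE reduction from a control minus its cost.

    A positive value means the control pays for itself; None keeps the
    existing ARO / exposure factor.
    """
    treated = Risk(risk.name, risk.likelihood, risk.impact, risk.asset_value,
                   risk.exposure_factor if new_exposure is None else new_exposure,
                   risk.aro if new_aro is None else new_aro)
    return round(risk.ale() - treated.ale() - annual_cost, 2)


# Constructed register; figures are illustrative, not measured.
REGISTER = [
    Risk("Public storage bucket exposes customer data", 4, 5, 2_000_000, 0.30, 0.5),
    Risk("Credential theft via phishing", 3, 4, 500_000, 0.40, 1.0),
    Risk("Provider outage", 2, 3, 1_000_000, 0.05, 2.0),
    Risk("Vendor lock-in on migration", 2, 2, 300_000, 0.10, 0.2),
]

if __name__ == "__main__":
    for row in evaluate(REGISTER):
        print(row)
    # Bucket-policy linting plus encryption at rest, assumed to cut ARO to 0.05.
    print("net value of bucket control:",
          control_value(REGISTER[0], annual_cost=40_000, new_aro=0.05))
```

With an appetite of 9 the first two entries are marked for treatment (scores 20 and 12) and the other two are accepted, which is the decision the Evaluate step exists to make. The quantitative figure then answers the Treat question the matrix cannot: a control that costs 40,000 a year and cuts the bucket-exposure ARO from 0.5 to 0.05 is worth 230,000 a year net, while spending 10,000 on the lock-in risk, whose ALE is only 6,000, loses money.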

8 Pillars of Risk Management in Cloud Computing

Over the last few years, cloud computing technology has grown at an
exponential rate. It has several advantages for both individuals and
businesses. At the same time, several difficulties have developed as a
result of the rapid expansion of cloud computing.

Organizations frequently express worries regarding cloud computing
migration and usage owing to the loss of control over their outsourced
resources, and cloud computing is subject to hazards.

As a result, a cloud provider must manage the risks associated with the
cloud computing environment in order to identify, assess, and prioritize
those risks in order to reduce those risks, improve security, boost
confidence in cloud services, and alleviate organizations' concerns about
using a cloud environment.

Need of Risk Management

The benefits of migrating from old in-house systems to the cloud are

apparent for financial organizations. A cloud environment allows financial

organizations to operate at a faster and more agile pace than their present

settings.

77 | P a g e
However, although mobile technologies provide us with tremendous power

and convenience, they also pose significant security and privacy problems.

Financial organizations confront a similar quandary: although going to the

cloud makes sense for a variety of reasons, it also introduces new

problems. Cybersecurity risk is at or near the top of any institution's list

of worries.

Simultaneously, new cybersecurity laws and recommendations are being

issued by regulators and auditors.

Institutions could consider adopting a centrally managed platform and

related services to build a uniform and scalable control structure to deter

hackers and satisfy regulatory requirements while also managing expenses.

(Also Read: How AI is used in Fraud Detection)

A cloud ecosystem has the following characteristics:

• Broad network connectivity
• Cloud consumers have less visibility and control.
• Changing system boundaries and overlapping roles/responsibilities between
cloud consumers and cloud providers.
• Multiple tenancies
• Data retention
• Measured service
• Significant expansion in size (on demand), dynamics (elasticity, cost
optimization), and complexity (automation, virtualization).

When recent trends and research on cloud computing are considered, it is
apparent that, after the Internet, it is the time of cloud computing to
determine the future of computing.

The debate is no longer "to cloud or not to cloud," but rather "when will
the transition occur" and "which operations will migrate to the cloud." In
this blog, we will attempt to complete a full cloud risk management
exercise.

Facets of Cloud Risk Management

Cloud-based Cyber Risk Management pillars

1. Comprehensive Risk Management

Comprehensive risk management would, of course, begin with a
comprehensive risk management framework, which would include
everything from detecting and assessing cyber risk to factoring cyber
risk into the institution's total risk appetite.

Furthermore, minimizing the risks associated with cloud migration
necessitates incorporating cyber risk management within the
institution's enterprise risk management operations.

When understanding the risks to the enterprise, it may give top
management better insight into hazards and essential data.

2. Cybersecurity

As the complexity and frequency of cyber threats rise, organizations
should create a comprehensive cybersecurity program.

They should concentrate on finding vulnerabilities, deploying solutions
to protect important business data, detecting potential threats that
have infiltrated the infrastructure, and assisting essential business
applications and systems in responding to and recovering from
incidents.

Given that executives at financial institutions are under enormous
pressure to maintain the integrity of their data, keep their customers'
sensitive information safe, be fully versed on evolving threats and
challenges, and prepare for threats they have not yet seen, it is
critical for an institution to establish an aggressive, analytics-driven
solution to identify, manage, and mitigate threats.

80 | P a g e
3. Regulatory compliance

In light of these problems, authorities all over the world are continuing to act by releasing and updating recommendations on cloud computing and how to avoid and respond to cyber-attacks. Without automation, the expenses of maintaining a risk staff to remain on top of these rules will skyrocket.


4. Backup and recovery

Almost every company does frequent backups. However, very few businesses actually undertake frequent restoration to ensure the functionality and sufficiency of backups, resulting in unpleasant shocks at the last minute.

Cloud providers tend to have this fallback path in place, since the consequences of a blunder would be devastating to their business. Again, this is a two-edged sword that depends on the cloud provider's rules, which may or may not be sufficient for your organization's needs.


5. Instituting an end-to-end cyber risk framework

While keeping your company's goals in mind at all times, there are a few key fundamental measures to take while creating a good cloud-security plan.

It all starts with creating a high-level strategic approach to risk assessment and management that is tailored to your company's needs – there is no one-size-fits-all solution.

This involves developing a budget that is reasonable, practical, and attainable, as well as a deployment plan.

6. Platform support

Many companies are unable to roll out patches on time, or even discover the appropriate patches, for a variety of reasons such as a lack of a suitable knowledge base, time, or testing infrastructure. Most cloud providers do not have these weaknesses, guaranteeing that the platforms and apps you use in such cloud settings are properly up to date.

This is a two-edged sword, because vulnerabilities are found in several cloud providers as well. Organizations with reasonably developed procedures ensure things such as timely internal system changes and sufficient testing. The same cannot be confirmed for cloud providers, owing to a lack of visibility and openness.


7. Vendor Management

The inclusion of third-party suppliers in cloud business models has raised security issues. Many cloud providers are undergoing official third-party security assessments, such as International Organization for Standardization (ISO) certification, Service Organization Control (SOC) 2, and the Federal Risk and Authorization Management Program (FedRAMP).

To prevent security problems, you should concentrate on establishing a corporate public cloud strategy that includes security guidelines on approved SaaS usage. You will need to understand how to incorporate procurement and sourcing solutions into this approach. You may also establish and enforce policies on use responsibility and risk acceptance processes in the cloud.

It is important to employ a life-cycle governance model that stresses ongoing operational management of your public cloud utilization.

8. Cloud Migration

The process of transferring apps, data, or even the whole corporate IT infrastructure to distant server facilities and a virtual environment is known as cloud migration.

The benefits of cloud migration are numerous. The cloud architecture allows for the acceptance of any workload, and the simplicity with which new services may be added allows for rapid response to changing business demands.

Several companies are still delaying cloud adoption because of dependability and security concerns; until those are addressed, they may not find the move worthwhile.

Organizations can save money by migrating to the cloud, especially in the long run. When compared to on-premise hardware, the cloud requires no initial expenditure.

When employing on-premise infrastructure, you may encounter capacity difficulties. However, by utilizing cloud technology, you may entirely eliminate capacity issues.

Many businesses discover that one of the primary hazards they encounter during cloud migration is the complexity of their current IT architecture. Added latency is one of the most underappreciated concerns of cloud migration. It can appear when you access cloud-based databases, apps, and services. If you have apps that require fast responses, even a delay of a few seconds can have a significant impact on your business.

To eliminate latency issues, you must first identify their root causes, which include incorrect QoS (Quality of Service) settings and geographical distance between servers and client devices.

How to Perform a Cloud Risk Assessment
A cloud security risk assessment is an analysis of an
organization’s cloud infrastructure to determine its security
posture. This is a critical process for any organization operating
out of the cloud to better understand present risks and
determine gaps in security coverage. The result is finding
potential points of entry, finding evidence of potential
compromise, and establishing future controls to better protect
critical assets.

We will explore what can be expected in a cloud security assessment, the benefits of conducting one, and process steps to follow.

Why You Need a Cloud Risk Assessment

The transition to enterprise cloud computing is growing rapidly, potentially outgrowing security processes and practices. With cloud estates spanning across multiple clouds, accounts, workloads, and applications, the sheer scale of the cloud makes proper security a challenge.

Malicious actors are not only able to enter environments via improper network configurations, workload vulnerabilities, and compromised identity credentials, but also execute recon once in an environment. Attackers exploit overprivileged identities to move laterally through an environment in search of an accumulation of power or the right high-value asset.

With breaches costing on average $4.45M, the stakes are high and proper assessment and improved security controls are critical to business continuity, revenue, and data privacy.

Cloud Security Risk Assessment Benefits


Prevent Misconfigurations
Cloud misconfigurations are a leading cause of attacker entry.
These misconfigurations are improper or insufficient usage of
controls within the cloud environment. Examples are not
enabling logging, leaving ports open to the internet, or leaving
default access settings open. These configurations are the
foundation to strong cloud security and are often low-hanging
fruit. An assessment of network controls, access controls,
datastores, and workloads can help reveal improper
configurations, allowing your teams to remediate before an
attacker can exploit them.

Reveal Risky Identities and Permissions


The cloud is largely run via microservices and a proliferation of machine identities like APIs, roles, service accounts, serverless functions, and more. It is very common for these entities to be overprivileged by developers for the sake of ease and flexibility. The danger is attackers will jump from one identity to the next to accumulate a toxic combination of permissions that can give them the power to disrupt applications, delete infrastructure, or wipe your cloud clean. A risk assessment should find identity risks like overprivileging, unused identities, insecure access keys, lateral movement opportunities and more.

Detect Compromise
Performing a cloud risk assessment is not the same as auditing
your cloud for signs of compromise, but it is an opportunity to
come across variances from what the normal baseline looks like.
This could be logging revealing that access controls were
changed on an object storage service or an identity accessing
an asset from a location they never have before. These are signs
of potential compromise and may help you catch onto an
attacker’s activity.
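As an added example (not from the original post), the two signs described above can be checked mechanically against a baseline of normal activity. The Python below runs over constructed audit events with simplified, assumed field names: it flags access-control changes on an object storage service and any identity reaching a resource from a location it never used during the baseline period.

```python
"""Baseline-based review of cloud audit events (added example, not from the original post).

Two signals from the text are checked: access-control changes on an object storage
service, and an identity accessing an asset from a location it has never used before.
Event field names are simplified and assumed; the events themselves are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (not real log data). "ts" is UTC ISO-8601.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "identity": "svc-billing", "action": "GetObject",
     "resource": "bucket/invoices", "location": "eu-west-1"},
    {"ts": "2024-03-02T09:05:00", "identity": "svc-billing", "action": "GetObject",
     "resource": "bucket/invoices", "location": "eu-west-1"},
    {"ts": "2024-03-03T10:00:00", "identity": "alice", "action": "ListBucket",
     "resource": "bucket/invoices", "location": "eu-west-1"},
    # Everything before REVIEW_CUTOFF forms the baseline; the rest is under review.
    {"ts": "2024-04-10T02:15:00", "identity": "svc-billing", "action": "GetObject",
     "resource": "bucket/invoices", "location": "ap-southeast-2"},
    {"ts": "2024-04-10T02:16:00", "identity": "svc-billing", "action": "PutBucketAcl",
     "resource": "bucket/invoices", "location": "ap-southeast-2"},
    {"ts": "2024-04-11T11:00:00", "identity": "alice", "action": "GetObject",
     "resource": "bucket/invoices", "location": "eu-west-1"},
    {"ts": "2024-04-12T03:00:00", "identity": "tmp-admin", "action": "ListBucket",
     "resource": "bucket/invoices", "location": "eu-west-1"},
]

# Assumed cutoff between the baseline window and the period being reviewed.
REVIEW_CUTOFF = datetime(2024, 4, 1)

# Actions that change who may read or write an object store (illustrative names).
ACCESS_CONTROL_CHANGES = {
    "PutBucketAcl", "PutBucketPolicy", "PutObjectAcl",
    "DeleteBucketPolicy", "PutBucketPublicAccessBlock",
}


def parse_ts(value):
    return datetime.fromisoformat(value)


def build_baseline(events, cutoff):
    """Map each identity to the set of locations it used before `cutoff`."""
    seen = defaultdict(set)
    for event in events:
        if parse_ts(event["ts"]) < cutoff:
            seen[event["identity"]].add(event["location"])
    return seen


def review(events, cutoff):
    """Return findings for events at or after `cutoff`, compared with the baseline.

    Finding types: access_control_change, new_location (identity known but location
    never seen in the baseline) and unknown_identity (no baseline activity at all).
    """
    baseline = build_baseline(events, cutoff)
    findings = []
    for event in events:
        if parse_ts(event["ts"]) < cutoff:
            continue
        if event["action"] in ACCESS_CONTROL_CHANGES:
            findings.append({"type": "access_control_change", "ts": event["ts"],
                             "identity": event["identity"],
                             "resource": event["resource"]})
        if event["identity"] not in baseline:
            findings.append({"type": "unknown_identity", "ts": event["ts"],
                             "identity": event["identity"]})
        elif event["location"] not in baseline[event["identity"]]:
            findings.append({"type": "new_location", "ts": event["ts"],
                             "identity": event["identity"],
                             "location": event["location"],
                             "previously_seen": sorted(baseline[event["identity"]])})
    return findings


if __name__ == "__main__":
    for finding in review(EVENTS, REVIEW_CUTOFF):
        print(finding)
```

A real deployment would rebuild the baseline on a rolling window and treat the findings as triage input, not as verdicts.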

Better Secure Assets


Protecting company assets like sensitive data or applications is a top priority. There are a lot of efforts that ultimately help better protect assets – a large one being identity and access controls. A risk assessment is an opportunity to start at the core of your business – the data itself – and work outwards to determine every entity that can access this information. It is common that there are routes to sensitive assets that your team never intended to make. This is the result of the complexity of permissions in the cloud. Organizational guidelines, permissions assigned at the identity level, and permissions assigned at the resource level can create a confusing web of privilege.

Remain Compliant
A lot of compliance standards require audits or assessments of cloud environments to ensure risks are accounted for. Cloud Service Providers follow requirements like ISO/IEC 27001, ISO/IEC 27002, and NIST SP 800-53, which all require risk assessments – not to mention an organization’s own internal standards or industry requirements.

Key Steps for a Cloud Security Risk Assessment
Identifying Cloud Security Risks

Asset Identification and Classification

This is a preliminary step in an assessment – gathering a proper inventory of all assets present in your estate. Data classification and tagging processes help by establishing what the asset is, where it is, and how valuable it is to the organization. Past this is a proper inventory of all workloads and applications as well.

Vulnerability Identification

When you’ve discovered all workloads and applications, the next step is performing vulnerability testing to reveal any potential points of entry an attacker could exploit.

Identity and Privilege Audits

One very common assessment of whether identities hold proper privileges or not is by following the Principle of Least Privilege. This states identities should hold only the permissions absolutely necessary to their job function. If your organization evaluates logging and sees X identity did not use an assigned permission in over 60 days, it is fair to assume it is an unnecessary risk and strip it. Further potential identity and access risks include: toxic combinations, privilege escalation capabilities, and insecure access keys.
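The 60-day rule described above, carried out over constructed data as an added example that is not part of the original post: the script compares each identity's granted permissions with the permissions actually exercised in a usage log, lists those to strip, and also flags access keys older than an assumed 90-day rotation age. Identity names, permission strings, key ids and the field layout are illustrative assumptions, not a particular provider's API.

```python
"""Least-privilege audit over constructed data (added example, not from the original post).

For each identity, any granted permission not exercised within UNUSED_DAYS is reported
as one to strip, and access keys older than KEY_MAX_AGE_DAYS are reported for rotation.
All identities, permissions, key ids and dates below are constructed.
"""
from datetime import datetime, timedelta

UNUSED_DAYS = 60        # threshold from the text: unused for over 60 days -> strip it
KEY_MAX_AGE_DAYS = 90   # assumed rotation policy for long-lived access keys
AUDIT_DATE = datetime(2024, 4, 1)   # assumed "now" for the audit

# Constructed identities: granted permissions and access-key creation dates.
IDENTITIES = {
    "svc-billing": {
        "granted": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:PassRole"},
        "keys": {"example-key-1": "2023-11-01"},
    },
    "alice": {
        "granted": {"s3:GetObject", "ec2:DescribeInstances"},
        "keys": {"example-key-2": "2024-03-15"},
    },
}

# Constructed usage log: (timestamp, identity, permission exercised).
USAGE = [
    ("2024-03-20T08:00:00", "svc-billing", "s3:GetObject"),
    ("2024-03-28T08:00:00", "svc-billing", "s3:PutObject"),
    ("2024-01-20T09:00:00", "svc-billing", "s3:DeleteBucket"),  # last used > 60 days ago
    ("2024-03-30T12:00:00", "alice", "s3:GetObject"),
    # iam:PassRole and ec2:DescribeInstances are granted but never used.
]


def last_used(usage):
    """Map (identity, permission) -> most recent time the permission was exercised."""
    latest = {}
    for ts, identity, permission in usage:
        when = datetime.fromisoformat(ts)
        key = (identity, permission)
        if key not in latest or when > latest[key]:
            latest[key] = when
    return latest


def audit(identities, usage, now):
    """Return, per identity, the permissions to strip, those to keep, and keys to rotate."""
    latest = last_used(usage)
    unused_cutoff = now - timedelta(days=UNUSED_DAYS)
    report = {}
    for identity, info in identities.items():
        strip = set()
        for permission in info["granted"]:
            seen = latest.get((identity, permission))
            # Never used, or not used since the cutoff: an unnecessary standing risk.
            if seen is None or seen < unused_cutoff:
                strip.add(permission)
        stale_keys = sorted(
            key_id for key_id, created in info["keys"].items()
            if (now - datetime.fromisoformat(created)).days > KEY_MAX_AGE_DAYS
        )
        report[identity] = {
            "strip": sorted(strip),
            "keep": sorted(info["granted"] - strip),
            "rotate_keys": stale_keys,
        }
    return report


if __name__ == "__main__":
    for identity, result in audit(IDENTITIES, USAGE, AUDIT_DATE).items():
        print(identity, result)
```

Permissions exercised only on a quarterly or annual schedule need a longer window or an explicit exception, otherwise the audit will recommend stripping them right before they are needed.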

Cloud Security Risk Analysis

Risk Likelihood and Impact

When you’ve evaluated the entire landscape including assets, identities, workloads, and platform controls, the next step is determining the likelihood of potential incidents. On top of that is determining a blast radius for said incidents. This refers to how far and wide the incident would affect your environment. It is a way to understand how severe a security incident is.

Risk Rating and Prioritization

Many assessments offer a clear risk score dependent on how many concerns were found or compared against an industry standard. A great way to better prioritize and understand risks is through asset classification. If your organization knows what all workloads, applications, and data stores are, what data they hold access to, and how serious that information is, it can help inform what top priorities should be.

Cloud Security Risk Mitigation Strategies

Preventative Controls

When your risks are identified the next step is implementing some controls to prevent future concerns. Some examples include Separation of Duties – a security principle that ensures any given identity does not have an accumulation of privilege that gives them excessive power; IP restricting; security groups within VPCs to protect instances; role-based access controls to help distribute privilege amongst roles for specific functions.

Detective Controls

Detective controls are practices put in place to ensure future detection of cloud risks. A great example is continuous monitoring features in security tools. This is a way to review logging and activity in the environment so you never miss an incident. Additionally, semi-frequent audits are a great way to do a larger overhaul of the cloud estate and ensure everything is up to par.

Corrective Controls

Corrective controls are practices like policy updates, patching vulnerabilities, rotating access keys, or cleaning up unused or orphaned identities; in short, anything your organization implements to fix concerns raised in cloud risk assessments.

Ongoing Cloud Security Assessments

Cloud security is an ongoing effort, not a one-off process. Ideally your organization implements policies and practices that offer continuous security. This will in turn make any audit or assessment far less of a burden when the time comes around.

Organizations can implement security policies to help offload manual work and ensure best practices are upkept. The best way to achieve this is by leveraging a cloud security tool with prebuilt or customizable frameworks and policies. Policies can be compliance related to ensure mandates like HIPAA or PCI-DSS are maintained or can be best practices like implementing Least Privilege or Least Access.

Cloud Security Assessment for Identity and Access

Conducting cloud security risk assessments is critical to revealing risks and gaps in your current security procedures, and to implementing new controls to fix issues. Aside from sufficient controls around platform configurations, workload security, and network access, a major priority in risk assessment should be identity and access.

Identities and their permissions are the new stepping stones attackers leverage to find unintended pathways to critical assets or accumulate dangerous privilege. Currently, about 1 in 10 identities in the typical enterprise cloud have access to enough privilege that they can entirely delete their organization’s cloud.

Proper permission and access control is a defense-in-depth strategy that considers what an attacker can do once the perimeter is breached. Organizations want to strip actors of any possible lateral movement.

Sonrai Security offers a free Cloud Identity Diagnostic to assess an enterprise’s cloud identity access and permission risks and output a security score, what and where the specific risks are, and what an organization can do to fix them – plus, two weeks in the Sonrai tenant to actually address the security findings.

Interested in benefiting from this opportunity? Anyone and everyone can request a Diagnostic today – no installations required.

FAQs

What’s a cloud security risk assessment?
A cloud security risk assessment is an analysis of an organization’s cloud infrastructure to determine its security posture or potential security risks.

Why do I need a cloud security risk assessment?
Cloud security risk assessments are a critical process that reveals present risks and identifies gaps in security coverage. The result is finding potential points of entry, finding evidence of potential compromise, and future controls to better protect critical assets.

What key components should be considered during one?
Cloud security risk assessments should consider access controls, misconfigurations, vulnerability management, identity and access permissions, and compliance standards.

How often should an assessment be conducted?
How often cloud risk assessments should be conducted depends on industry and internal standards or relevant compliance frameworks. It is recommended at least annually or every 2 years.

Cloud Risk—10 Principles and a Framework for Assessment
The Ten Principles of Cloud Computing Risk
The ten principles of cloud computing risk [8] help to give context to the frameworks for assessment previously discussed, and they can be used as an overall road map for migration to cloud computing. The road map is based on four guiding principles:

1. Vision—What is the business vision and who will own the initiative?
2. Visibility—What needs to be done and what are the risks?
3. Accountability—Who is accountable and to whom?
4. Sustainability—How will it be monitored and measured?

The ISACA Business Model for Information Security™ (BMIS™) [9] (figure 4) was used as an overarching framework for risk and security.

Based on BMIS, these 10 principles of cloud computing risk provide a
framework for cloud computing migration which is presented here in a
case study.

This case study considers moving a risk management business function (e.g., a home loan mortgage insurance calculation) to the cloud. The business function is part of the decision-making process within the end-to-end home loan business process shown in figure 5. In this process, an application is received and acknowledged, various calculations are performed, and a decision is made regarding whether to lend money.

The business benefit of placing this function in the cloud is that it will allow
branches, call centres, brokers and other channels to use the same code
base and avoid replicating the calculations in multiple places. The use of
the cloud will also reduce paper handling and host system access and the
associated security required. There is also a potential business driver for
allowing customers access to their own data if placed on the public cloud.

The first step in the framework is to formulate and communicate a vision for the cloud at an enterprise and business-unit level. The first two principles relate to this vision:

1. Executives must have oversight over the cloud—The business as a whole needs to recognise the value of the cloud-based technology and data. There must be constant vigilance and continuous monitoring of risk to these information assets, including ensuring compliance with appropriate laws, regulations, policies and frameworks. This is related to the governance dimension of BMIS. In the case study, the head of the retail banking department obtains briefings from internal and/or external business and technical experts to understand the technology and its alignment to the business objectives. The individual then sets a ‘tone from the top’, mandating policies and structures to ensure that this alignment is maintained within industry standards and regulatory constraints.

2. Management must own the risks in the cloud—The management of the relevant business unit must own the risk associated with its use of cloud services, and must establish, direct, monitor and evaluate commensurate risk management on an on-going basis. This is related to the organisation dimension of BMIS. In the case study, the business decides to assign ownership of the complete (business and IT) risk of the initiative to the retail bank operational risk manager, who works with the departmental IT risk manager to plan actions covering both the business and technical risk involved.

Once the vision is articulated and the risk management organisation is in
place, the next step in the road map is to ensure visibility of what needs to
be done and the risk of doing it. There are three principles related to
ensuring visibility:

3. All necessary staff must have knowledge of the cloud—All users of the cloud should have knowledge of the cloud and its risk (commensurate with their role in the organisation), understand their responsibilities and be accountable for their use of the cloud. This is related to the human factors dimension of BMIS. In the case study, the home lending line-of-business owner and the IT manager work together to ensure that the involved business and technology staff have the appropriate skills to embark on the cloud initiative or that the needed expertise is obtained externally.

4. Management must know who is using the cloud—Appropriate security controls must be in place for all uses of the cloud, including human resources practices (e.g., recruitment, transfers, terminations). This is related to the people dimension of BMIS. In the case study, the home lending line-of-business owner must ensure that the necessary background checks, segregation of duties, least privilege and user access review controls are in place in the business, IT and cloud service provider. This will require working with the IT manager and the possible engagement of external assessment organisations.

5. Management must authorise what is put in the cloud—All cloud-based technology and data must be formally classified for confidentiality, integrity and availability (CIA) and must be assessed for risk in business terms, and best practice business and technical controls must be incorporated and tested to mitigate the risk throughout the asset life cycle. This is related to the technology dimension of BMIS, and it is where the ISO 9126-based framework for assessment is used in this road map.

In the case study, the home loan mortgage insurance calculation process
uses sensitive data such as customer identity, date of birth and taxable
income. The CIA rating of the business data is an average of high, based on
the assessment provided in figure 6.

A more complete CIA analysis might also consider detailed business requirements, data retention requirements, and privacy and regulatory requirements.

Once this assessment is completed, the asset can be mapped to potential cloud deployment models. Based on the profile of high concern in the case study, management decided that the process should be considered for migration to a private cloud. In this type of deployment, the calculation can be made accessible to the various stakeholders with their heterogeneous client devices, but still provide an acceptable level of security over the data. A key consideration would be the limited scalability or agility that a private cloud would offer compared to a public cloud. In this case, the retail banking executive decides to deploy to a private cloud until customer access becomes a compelling requirement.

As the next step, the risk associated with a cloud implementation must be
assessed against the risk associated with the incumbent in-house system,
and also against the option of acquiring a new internally operated system.
The framework for assessment could be used for each of these options, to
assess risk areas such as deficient vendor or internal support, application
complexity, and application reliability. In the case study, an assessment of
the existing loan mortgage insurance application identified an aging
application with overreliance on a single vendor and limited disaster
recovery.

The current risk assessment may have identified a value-at-risk (VaR) of US $20 million per year and a need to spend approximately US $1 million–$2 million stabilising and securing the existing system. The as-is risk profile for the current in-house system (using the risk associated with deficient characteristics from the ISO 9126 framework) is shown in figure 7.

The risk profile for the business process after moving it to a private cloud
(using the combined ISO 9126 and COBIT assessment framework) is
shown in figure 8. A similar risk assessment (as well as an assessment of
relative business value) should be conducted on the other option—an
internally operated and hosted system.

Movement of the business function to a private cloud reduced the VaR to around US $2 million per annum by removing the exposure to aging, poor-performing technology, and removing the user and data security risk of having multiple copies of the system and data in circulation. At a more detailed level, an organisation may have an overall scorecard covering the combined ISO 9126 and COBIT frameworks; a detailed control assessment of applicable preventive, detective and impact controls; and a risk assessment for each risk showing inherent (prior to control) and residual (after control) impact and likelihood.

The third step in the cloud computing road map is accountability. In the
case study, the business owner works with the operational risk manager to
develop a matrix of roles and responsibilities, shown in figure 9.

This accountability extends to process, architecture and culture through the next three principles:

6. Mature IT processes must be followed in the cloud—All cloud-based systems development and technical infrastructure processes must align with policy, meet agreed business requirements, be well documented and communicated to all stakeholders, and be appropriately resourced. This is related to the process dimension of BMIS. In the case study, the retail bank operational risk manager ensures that relevant policies are in place and communicated, and that a mapping of policy clauses to the assessment framework is included. A gap analysis is then performed against IT development and support processes and included in the risk and control profile.

7. Management must buy or build management and security in the cloud—Information risk and security, as well as its monitoring and management, must be a consideration in all cloud investment decisions. This is related to the architecture dimension of BMIS. In the case study, the departmental IT risk manager is involved in all aspects of the initiative, including vendor evaluation and management, technology review, security assessment and design, and the final investment decision.

8. Management must ensure cloud use is compliant—All providers and users of the cloud must comply with regulatory, legal, contractual and policy obligations; uphold the values of integrity and client commitment; and ensure that all use is appropriate and authorised. This is related to the culture dimension of BMIS. In the case study, the retail banking operational risk manager works with the compliance manager to ensure that all policies, regulations and employee codes of conduct are in place; training is performed; and compliance is periodically reviewed. The operational risk manager works with the IT risk manager and vendor manager to ensure that processes are in place to similarly assess compliance within the cloud service provider.

The final phase in the cloud computing road map is sustainability, and
there are two related principles:

9. Management must monitor risk in the cloud—All cloud-based technology developed or acquired must enable transparent and timely reporting of information risk and be supported by well-documented and communicated monitoring and escalation processes. This is related to the enabling and support dimension of BMIS. In the case study, the retail banking operational risk manager and departmental IT risk manager work together to develop an ongoing cloud risk and security monitoring, reporting and escalation process. Ideally, this process includes regular information and escalations from the cloud service provider.

10. Best practices must be followed in the cloud—All cloud-based systems development and technical infrastructure related processes must consider contemporary technology and controls to address emerging information risk identified through internal and external monitoring. This is related to the emergence dimension of BMIS. In the case study, the departmental IT risk manager and IT resources involved in the cloud initiative undertake continuing education on cloud technology and related risk through formal education, industry contacts and associations such as ISACA.

Conclusion
This article has reviewed some of the existing guidance to keep in mind when considering cloud computing, suggested ISO 9126 as a valuable standard for a more structured and coherent assessment of cloud offerings, and proposed ten principles of cloud computing risk loosely based on BMIS, together with a cloud assessment road map consisting of four guiding principles: vision, visibility, accountability and sustainability.

The framework suggested is not a panacea, as variations occur in each of the different service models (SaaS, PaaS or IaaS) and deployment models (public, community, private, or hybrid). Variations also occur depending on whether the private/community clouds are onsite, outsourced or virtual (virtual private clouds). A cloud-consuming business needs to be aware of risk variations within each cloud model and remain accountable for risk and security regardless of the cloud model or the contractual obligations of the cloud service provider.

The proposed framework could be tailored to map to these various cloud models, and it could be expanded by mapping to detailed controls within ISO 27001, COBIT, NIST and other guidance and regulatory requirements in various industries. Another area of development is an expansion of the trade-offs between the various quality characteristics (in particular, functionality, reliability and efficiency) and the ways that various cloud offerings address the issue of consistency vs. availability vs. partitioning.

Understanding Cloud Information
Security Risk Assessment
Many firms are now shifting to cloud-based solutions. Statistics demonstrate a consistent
and striking increase in the use of cloud solutions, which is attributable to the advantages
that come with their adoption. On-demand self-service, extensive network access, resource
pooling, quick elasticity, and measured service are a few of these advantages. However,
cloud computing services have a cost, even if that cost is not always monetary. The
outsourcing aspect, in which a third party is trusted to manage the data, is what puts security
at more risk than it is with traditional on-premises systems. The multi-tenancy, wherein the
resources are shared, is another worry. This is where Cloud Information Risk Assessment
comes in.

What Is Cloud Information Security Risk Assessment?

The goal of the Cloud Information Security Risk Assessment model is to assist cloud users in
evaluating the risks involved in choosing a particular cloud service provider. To evaluate
various risk situations, it assesses background data gathered from cloud service providers
and clients. This makes it easier to decide which cloud service provider has the best risk
profile based on the total number of security, privacy, and service delivery threats. The
evaluation is intended to:

• Determine the weak points and entrance points of the company’s cloud infrastructure
• Examine the network to look for signs of exploitation
• Describe ways to stop upcoming attacks

The following areas are often the focus of a cloud security assessment:
• Conducting interviews and reviews of the documentation to assess the overall
security posture of the cloud infrastructure
• Access management and control: Reviewing identity and management, including
user access, roles, and management
• Network security: Reviewing the firewall policies and network segmentation for
typical misconfigurations
• Storage security: Evaluate the state of the cloud system storage, taking into
account associated snapshots, block-level storage, and object-level storage
• Incident management: Reviewing the cloud infrastructure incident response
strategy, including the responsibilities and processes connected to an issue
• Security for platform services: Examine the security settings for the advanced
service options offered by cloud system providers
• Security for workloads: Examine the security of server-hosted containers,
virtualized servers, functions, and server-less containerized workloads

What Advantages Does a Cloud Information Security Assessment Offer?
A cloud information security assessment assures businesses that their assets and network are
properly set up, safe, and not under constant attack. In addition to evaluating the
organization’s network workings, the audit will point out any access points or other
architectural vulnerabilities and provide comprehensive recommendations on how to bolster
security and enhance capabilities going forward. Benefits of a cloud information security
assessment in particular include:

• Reduced chance of inadvertent misconfiguration: The company can reduce its attack surface in the cloud environment by implementing the specific configuration adjustments advised
• Reduced chance of missing notifications: The recommendations made by the cloud security assessment team can help an organization be better equipped to spot compromises and take appropriate action before they turn into major breaches
• Enhanced flexibility: The team conducting the security assessment will offer suggestions to aid firms in recovering from a breach more quickly
• More effective account management: Companies that remedy subpar identity designs can spend less effort on user privilege management while lowering the likelihood of unintentionally granting users excessive privileges

What Distinguishes a Security Risk Assessment From Risk Management?


When people start reading through security or compliance regulations, this is one of the most frequently asked questions. A security risk assessment is a point-in-time analysis of your company's technology, personnel, and business procedures to spot issues. Risk management is a continuous procedure in which you track every risk that has been identified in your business and work to reduce or eliminate it.

Security risk assessments are in-depth analyses of your business, or perhaps of a particular IT project or business department. The objective is to identify issues and security gaps before third parties do. Reviewing and evaluating people and systems while looking for flaws is part of the process. As risks are discovered, they are ranked according to how much danger they pose to the company. The resulting report highlights both systems with problems and those that are operating efficiently and securely. The technical outcomes of a security risk assessment are often quite specific, such as network scan results or firewall configuration findings.

The goal of risk management is to continuously identify problems and develop solutions. Think of a risk management procedure as a weekly or monthly management meeting: risks and problems are identified, ranked, and then reviewed each cycle to make sure nothing falls through the gaps. A company's security should always be improving, and any threats that do arise should be eradicated as soon as possible.

What Steps Are Used During a Cloud Information Security Assessment?


Typically, the security assessment involves three fundamental parts:

Review
Documentation review and interviews help the assessment team understand the cloud architecture, business goals, and upcoming changes to the client's environment. The testing team then uses specialised tools to gather data about the cloud environment, spot misconfigurations and gaps relative to the intended design, and assess potential attack chains.

Generating Recommendations
The security assessment team formulates suggestions for every discovery based on the
review.

Presentation
The team consults with internal stakeholders of the client to present findings and respond to
inquiries about both specific technical advice and advanced recommendations.

The Cloud Risk Assessment Process


A cloud security risk assessment follows a similar process to other cybersecurity risk assessments. The main steps include the following:

• Assessment: The security service provider performs an in-depth assessment of the cloud environment, collecting data regarding security configurations, installed software, and other potential factors.

• Analysis: Based on the collected data, the provider can assess an organization's cloud security risk exposure and identify potential risks to the organization.

• Guidance: After identifying the main threats to an organization's cloud security, the provider offers recommendations for steps that the organization can take to fix these issues, which may include improving security configurations, performing updates, or deploying additional security solutions.

• Response: Based on the report and guidance provided, the organization can implement the recommended remediation steps to close security
gaps and improve the security posture of its cloud environment.
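The four steps above, and the focus areas listed earlier (access management, network security, storage security), are easiest to see on concrete data. What follows is an added example written for these notes, not code from the original page or from any vendor: a miniature assessment over a constructed inventory. The INVENTORY dict stands in for what an assessment team pulls from a provider's API (Assessment); one rule set per focus area produces findings (Analysis); every finding carries a recommendation (Guidance); and findings are ranked by severity so the worst are remediated first (Response). Resource names, CIDRs and policy contents are invented for illustration, and the same routine is what the later "audit your cloud environment for misconfigurations" measure refers to.

```python
"""Added example: a miniature cloud security assessment over constructed data.
Nothing here calls a real cloud; INVENTORY imitates provider API output."""
import ipaddress

# Constructed inventory; names and CIDRs are hypothetical.
INVENTORY = {
    "buckets": [
        {"name": "public-web-assets", "public_read": True, "encrypted": True},
        {"name": "customer-exports", "public_read": True, "encrypted": False},
    ],
    "volumes": [
        {"id": "vol-db-01", "encrypted": False},
        {"id": "vol-app-01", "encrypted": True},
    ],
    "security_groups": [
        {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-app", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                     {"port": 5432, "cidr": "10.0.0.0/8"}]},
    ],
    "iam_policies": [
        {"name": "admin-everything", "statements": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "read-logs", "statements": [
            {"Effect": "Allow", "Action": ["logs:GetLogEvents"], "Resource": "arn:aws:logs:*"}]},
    ],
}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM: never world-reachable


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source address on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_storage(inv):
    """Storage security: public buckets and unencrypted data at rest.
    A finding is (severity, area, description, recommendation)."""
    out = []
    for b in inv["buckets"]:
        if b["public_read"]:
            sev = "critical" if not b["encrypted"] else "medium"
            out.append((sev, "storage", f"bucket {b['name']} is publicly readable",
                        "restrict the bucket policy to authenticated principals"))
        if not b["encrypted"]:
            out.append(("high", "storage", f"bucket {b['name']} lacks default encryption",
                        "enable server-side encryption"))
    for v in inv["volumes"]:
        if not v["encrypted"]:
            out.append(("high", "storage", f"volume {v['id']} is unencrypted",
                        "enable encryption at rest (snapshots inherit it)"))
    return out


def check_network(inv):
    """Network security: management ports reachable from the whole internet."""
    out = []
    for sg in inv["security_groups"]:
        for rule in sg["ingress"]:
            if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"]):
                out.append(("critical", "network",
                            f"{sg['id']} exposes port {rule['port']} to {rule['cidr']}",
                            "limit the source to a bastion or VPN range"))
    return out


def check_iam(inv):
    """Access management: policies that allow every action on every resource."""
    out = []
    for pol in inv["iam_policies"]:
        for st in pol["statements"]:
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
            if st["Effect"] == "Allow" and "*" in actions and "*" in resources:
                out.append(("critical", "iam", f"policy {pol['name']} allows * on *",
                            "scope actions and resources to what the role needs"))
    return out


def assess(inv):
    """Run every check and rank findings so the report leads with the worst.
    sorted() is stable, so equal severities keep their discovery order."""
    findings = check_storage(inv) + check_network(inv) + check_iam(inv)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]], reverse=True)


if __name__ == "__main__":
    for sev, area, what, fix in assess(INVENTORY):
        print(f"[{sev:8}] {area:8} {what} -> {fix}")
```

On this inventory the report opens with three criticals (a public unencrypted bucket, SSH open to the world, a wildcard IAM policy), which is the ordering a remediation plan should follow. A real assessment would pull the inventory from the provider's API and add many more rules, but the shape (collect, evaluate per area, recommend, rank) stays the same.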

Cloud Security Risk Assessment Capabilities
Ideally, a cloud security risk assessment will identify which of the various
potential cloud security threats an organization is currently exposed to.
Some common risks that may be identified as part of a risk assessment
include the following:

• Malware Infections: Cloud-based infrastructure includes virtual machines and documents that may be infected with malware. A cloud security risk assessment can help identify whether cloud infrastructure is suffering from an active malware infection.

• High-Risk Websites and Apps: Companies are increasingly hosting websites and applications in cloud infrastructure because of the numerous benefits it provides. A cloud security risk assessment can help identify whether any of these sites contain high-risk vulnerabilities that expose them to exploitation.

• Zero-Day and Unpatched Vulnerabilities: An organization can deploy multi-layer infrastructure in the cloud, including VMs, applications, and data storage. All of these may contain vulnerabilities that an attacker could exploit if they are not patched promptly.

• Phishing Risks: Phishing attacks can be used to compromise the credentials used to manage and access cloud deployments, applications, and data. A cloud risk assessment can help determine an organization's exposure to these attacks.

• Data Loss: Cloud data breaches are a major threat because misconfigured and insecure cloud storage is often used to hold sensitive and valuable data. Identifying configuration errors that could lead to a data breach is a vital part of a cloud security risk assessment.

• Bandwidth Utilization: Cloud infrastructure may have limited network bandwidth within the provider's environment. Identifying vulnerabilities, threats, and errors that could consume this bandwidth is essential to the usability and cost-effectiveness of cloud infrastructure.

The desired outcome of a cloud security risk assessment is a report detailing the security risks and issues that exist in an organization's cloud environment. This includes detailed information about findings, their relative criticalities, and recommendations for steps that companies can take to remediate them and reduce their cloud security risk exposure.

Cloud Security Assessment With Check Point
Cloud security has become an increasingly important component of many
organizations’ cybersecurity strategy. As cloud adoption grows, the volume
of sensitive data and important applications hosted in these environments
increases, as does the complexity of effectively securing and monitoring
these cloud environments.

With complex, multi-cloud environments, it’s easy for security issues to slip
through the cracks. A cloud security risk assessment is a good way for an
organization to identify holes in its cloud security and get useful
recommendations for remediation.

Check Point offers cloud security assessments as part of its portfolio of cyber security risk assessment services. To get started on your journey to better cloud security, sign up for a no-cost Cloud Security CheckUp today.

How is a Cloud Security Assessment performed?


A Cloud Security Assessment usually consists of four basic components:
1. Documentation review & interviews – helps the assessment team understand the business purpose of the client’s
environment, the intended architecture, and planned changes to the environment.
2. Automated and manual testing – The assessment team runs specialized tools to collect information about the environment,
identify misconfigurations and gaps vs. ideal architecture and evaluates possible attack chains.
3. Recommendations generation – The assessment team builds recommendations for each finding and presents them to the
client’s security team.
4. Presentation – The assessment team works with the client’s internal stakeholders to discuss findings and answer questions
about both individual technical and high level recommendations.

Types of Enterprise Risks in Cloud Computing

Unauthorized Access to Business Data
Cloud computing services manage data from thousands of companies. Each
company using a cloud service, however, increases the value of that service as a
potential target for cyber attackers – and the risk is concentrated at a single point of
failure (the cloud service provider). As a result, a cyberattack at a cloud provider
could affect all of its customers.

No business is safe in this scenario. Attackers may target small businesses because
those companies typically have weaker controls and may be easier to breach.
Alternatively, some attackers prefer to target larger companies because of the lure
of hefty payouts.

Cloud Vendor Security Risks
Using cloud providers exposes you to additional third-party risks. Doing business
with any vendor that experiences business challenges such as bankruptcy, lawsuits,
regulatory investigations, or other threats could inadvertently harm your
organization’s reputation and goodwill.

Many small businesses know little about the technology behind the cloud services
they use. As a result, your reputation no longer depends only on the integrity of
your company: it now also relies on the integrity of the cloud provider’s company.
And that’s a risk of cloud computing.

Due to the ease of access to IaaS (infrastructure as a service), there has been a proliferation of innovative SaaS (software as a service) startups providing cloud services. Some offer unique features that fill needs traditional providers have left unmet.

Some of these providers, however, may lack the expertise required to meet stringent control requirements, and their products may not scale for large organizations that need to exchange increasing amounts of data.

Compliance Risks
Legal or compliance risks arise from non-compliance with various industry
regulations or regulatory requirements, such as the Health Insurance Portability
and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), Gramm-Leach-
Bliley Act (GLBA), or the European Union’s General Data Protection Regulation
(GDPR).

When a data breach at a cloud service provider exposes personal data, your company may be held accountable if it did not have proper protections in place. In other words, the cloud service provider suffers a breach of your data, and you still suffer the consequences. Contracts that place as much of that responsibility as possible back on the cloud provider are vital, as is understanding which controls remain yours under the provider's shared-responsibility model.

Operational Control
When an organization manages its own IT infrastructure such as enterprise tools,
documents, computing resources, and processes, it has direct control over these
elements (along with responsibility for their care). When outsourcing to a vendor
cloud environment, the control resides with the cloud provider – not you.

Availability Risks
If your Internet access is lost, you will be unable to access your provider’s cloud
service. You’ll have to wait until the Internet is back up and running if you need to
use the cloud service to process customer payments or access sensitive data. You
don’t have this problem when operating on a local server.

Another risk associated with the cloud is that the service provider may fail. The
service can become unresponsive due to various factors, including adverse
weather, distributed denial of service (DDoS) assaults, or some other system
breakdown.

Downtime of cloud environments, platforms, or infrastructure can significantly affect companies that rely primarily on cloud computing technologies for their day-to-day operations, as well as corporations that provide user services.
Best Practices for Cloud Computing Risk
Management
An effective enterprise risk management (ERM) process uses a mix of corporate governance, risk management processes, and internal controls. It coordinates managers, employees, third-party suppliers, and other stakeholders to embrace risk-taking as an avenue for growth and opportunity. Here are some best practices for cloud computing risk management.

• Carefully select your cloud service provider (CSP). Conduct supplier risk evaluations for contract clarity, ethics, legal liability, viability, security, compliance, availability, and business resilience, among other things. Determine whether the CSP itself relies on other service providers to deliver its solutions and adjust the scope accordingly.

• Establish adequate controls based on the risk treatment. After measuring the risks and determining the risk appetite, the resulting risk treatment solutions will drive the program in a reasonable, pragmatic and prioritized manner. An essential aspect of risk management is to build robust data classification and lifecycle management methods. It's also a good idea to incorporate processes in your service-level agreements (SLAs) for safeguarding, and even erasing, data hosted in the public cloud.

• Deploy technical safeguards. Technical safeguards such as a cloud access security broker (CASB) can be cloud-hosted or on-premises security policy enforcement points between cloud service users and providers. A CASB serves as an enforcement point for enterprise security policies when users access cloud-based resources.

• Vendor management. The presence of third-party suppliers in cloud business models has generated security concerns. Many cloud services are subject to third-party security audits, such as those specified by the International Organization for Standardization (ISO). Consider building a public cloud strategy that includes security criteria for suitable SaaS usage to avoid security risks.

• Implement a comprehensive ERM framework. The Committee of Sponsoring Organizations (COSO) offers a comprehensive ERM framework to help you succeed, as does the International Organization for Standardization (ISO). Governance, risk management, and compliance (GRC) software can help you track and automate many of your risk management tasks to ensure compliance with various frameworks.

ZenGRC Is Your Partner for Risk Mitigation

ZenGRC is a governance, risk, and compliance (GRC) platform that helps you assess and manage your organization's risks. Its SaaS solution offers seed content for industry standards, regulations, and frameworks, including COSO's ERM framework, ISO, HIPAA, GDPR, and more.

By combining all records, reports, policies, procedures, workflows, and checklists in one location, ZenGRC creates a single source of truth. Incorporate vendor management into your enterprise risk management processes more quickly with vendor questionnaire storage and analysis.

Its advanced reporting capabilities provide easy-to-understand reports and dashb

Using Cloud Security Assessment Tools to Prevent Threats
Security threats like the ones listed above are best handled with a consistent, expert-driven approach. The next step toward implementing a comprehensive cloud security assessment framework, or risk management informed by cloud risk assessment, is conducting a thorough inventory of all your digital assets.
By looking at your company’s most valuable digital assets first and foremost,
you can begin to think like the attacker and start patching holes before
they’re exploited. RSI Security implements ongoing tests and system scans to
develop a customized approach that meets your needs. Then, we help you
design and implement policies and controls to maximize your cloud security.
Beyond a comprehensive cloud risk assessment, our service utilizes many
other threat and vulnerability management tools to help bolster your
network’s overall security, including:
▪ General threat intelligence
▪ Comprehensive penetration testing
▪ Ongoing system patch management
▪ Continuous vulnerability scanning
▪ Root cause analysis
▪ Application security analysis
▪ Detailed reports
▪ Platform-specific security assessment (AWS, Azure, Google Cloud)
▪ Complete threat and vulnerability lifecycle management
▪ Dedicated asset management
▪ Internet of Things (IoT) security and efficiency

Responding to Active Incidents With Detection Management
The final step to implementing a robust cloud security assessment
framework is using your assessments’ results and insights to respond to and
recover from any attacks that do occur. In practice, this involves
integrating threat intelligence into your mitigation and business continuity
protocols. You should also continuously monitor your cloud, even during and
after an attack.
It’s always a good idea to perform your security assessments ahead of time,
when possible, but there might be some instances when you’re caught
unprepared. For situations like this, you will benefit from active threat
hunting capabilities, such as managed detection and response (MDR).
RSI Security offers a suite of MDR services, including but not limited to the
following:
▪ Active threat detection – Our continuous risk scanning systems work
around the clock to detect, identify, inventory, and respond to all
attacks and other incidents in real time.

▪ Timely incident response – Any potential or suspicious activities are
addressed immediately via our dedicated incident response and
incident management framework.
▪ Comprehensive root cause analysis – To prevent these same issues
from recurring in the future, we uncover the underlying problem and
put an end to it for good.
▪ Ongoing regulatory compliance – Maintaining compliance with
applicable regulations helps you avoid costly fines while also
preserving the integrity of your cloud ecosystem.
By combining our MDR services with our comprehensive cloud risk
assessment, you’ll ensure the security of your cloud, along with all personnel
and clientele for whom it is essential.

WHAT ARE CLOUD SERVICE PROVIDER RISKS?


Cloud service providers (CSPs) offer a wide range of benefits to businesses, including increased
flexibility, scalability, and cost savings. However, there are also a number of risks associated with
using CSPs, which organizations should be aware of and take steps to mitigate.

1. Data breaches: Data breaches are one of the most serious risks associated
with cloud computing. CSPs store large amounts of sensitive data on behalf of
their customers, and this data is a prime target for hackers. Data breaches
can result in financial losses, reputational damage, and legal liabilities.

Protection measures:

• Encrypt sensitive data at rest and in transit.
• Use strong access controls to restrict who can access sensitive data.
• Monitor cloud environments for suspicious activity.
• Implement a data loss prevention (DLP) solution to prevent sensitive data
from being accidentally or intentionally leaked.

2. Misconfigurations: Cloud misconfigurations are another common security risk. These misconfigurations occur when cloud resources are not properly provisioned or configured, or when security controls are not implemented or enforced correctly. Misconfigurations can leave cloud environments vulnerable to attack.

Protection measures:

• Use a cloud governance platform to help you provision and configure cloud resources securely.
• Implement a cloud security policy to outline the security controls that must be implemented in your cloud environment.
• Regularly audit your cloud environment for misconfigurations.

3. Insider threats: Insider threats are a risk in any organization, but they can be
particularly problematic in cloud environments. Cloud environments can make
it easier for insiders to access and steal sensitive data, and they can also
provide insiders with opportunities to disrupt or sabotage cloud services.

Protection measures:

• Implement a least privilege access control model to give users only the
access they need to do their jobs.
• Monitor user activity to identify suspicious behavior.
• Educate employees about the risks of insider threats.

4. Insecure APIs: APIs are used to connect applications and services in the
cloud. However, insecure APIs can be exploited by attackers to gain access
to sensitive data or systems.

Protection measures:

• Use a secure API gateway to manage and protect your APIs.
• Implement strong authentication and authorization controls for your APIs.
• Regularly scan your APIs for vulnerabilities.
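"Strong authentication" for an API is abstract until you see what the gateway actually checks. The following is an added example written for these notes, not code from the original page or from any API gateway product: a client signs each request with an HMAC over the method, path, body hash and timestamp under a shared secret, and the gateway recomputes the signature, compares it in constant time, and rejects requests that are stale or were altered in transit. The key id, secret, path and request body are made up for illustration.

```python
"""Added example: HMAC request signing with a freshness window, as one way of
authenticating API calls. Key material and the sample request are constructed."""
import hashlib
import hmac
import time

# Hypothetical key store the gateway consults: key id -> shared secret.
KEYS = {"client-42": b"constructed-shared-secret-do-not-reuse"}
MAX_SKEW_SECONDS = 300   # reject requests more than five minutes old or ahead


def canonical(method, path, body, timestamp):
    """The bytes both sides sign: binds verb, path, body and time together so
    none of them can be swapped without invalidating the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{body_hash}\n{timestamp}".encode()


def sign(key_id, method, path, body, timestamp=None):
    """Client side: returns the headers to attach to the request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    mac = hmac.new(KEYS[key_id], canonical(method, path, body, ts), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify(headers, method, path, body, now=None):
    """Gateway side: returns (accepted, reason). Every failure path rejects."""
    now = time.time() if now is None else now
    key_id = headers.get("X-Key-Id")
    if key_id not in KEYS:
        return False, "unknown key id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale request"        # blocks replay of old captures
    expected = hmac.new(KEYS[key_id], canonical(method, path, body, ts),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"   # body or path altered, or wrong secret
    return True, "ok"


if __name__ == "__main__":
    body = b'{"amount": 10}'
    headers = sign("client-42", "POST", "/v1/transfer", body)
    print(verify(headers, "POST", "/v1/transfer", body))                  # accepted
    print(verify(headers, "POST", "/v1/transfer", b'{"amount": 9999}'))   # tampered body
    print(verify(headers, "POST", "/v1/transfer", body, now=time.time() + 3600))  # stale
```

The timestamp window limits replay to a few minutes; a gateway that must reject replays inside that window also records a per-request nonce. Transport still needs TLS, since the signature proves origin and integrity but does not hide the body.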

5. Vendor lock-in: Vendor lock-in can occur when an organization becomes too
reliant on a particular CSP's services. This can make it difficult and expensive
to switch to another CSP in the future.

Protection measures:

• Choose a CSP that is committed to open standards and interoperability.
• Avoid using proprietary cloud services that are not supported by other CSPs.
• Use a cloud management platform (CMP) to manage your cloud infrastructure across multiple CSPs.

6. Compliance risks: Organizations must comply with a variety of laws and regulations, including data privacy laws and financial regulations. CSPs can help organizations to comply with these regulations, but organizations ultimately bear the responsibility for ensuring compliance.

Protection measures:

• Understand the compliance requirements that apply to your organization.
• Choose a CSP that can help you comply with these requirements.
• Implement a compliance program to monitor and manage your compliance
risks.

7. Outages: Outages can occur in any cloud environment, and they can have a
significant impact on businesses. Outages can result in lost
revenue, productivity losses, and reputational damage.

Protection measures:

• Choose a CSP that has a proven track record of reliability.
• Implement a disaster recovery plan to minimize the impact of outages.
• Use a cloud monitoring solution to monitor your cloud environment for outages.

8. Data sovereignty: Data sovereignty refers to the laws and regulations that
govern the storage and processing of data. Organizations need to be aware of
the data sovereignty laws in the jurisdictions in which they operate to ensure
that their data is handled in compliance with these laws.

Protection measures:

• Understand the data sovereignty laws that apply to your organization.
• Choose a CSP that can store and process your data in the jurisdictions you require.
• Implement a data residency policy to specify where your data can be stored and processed.

9. Third-party risks: CSPs often rely on third-party vendors to provide services, such as network connectivity and data storage. Organizations should evaluate the security practices of these third-party vendors to ensure that they are adequately protecting their data.

Protection measures:

• Assess the security risks of third-party vendors before using their services.
• Include security requirements in your contracts with third-party vendors.
• Monitor the security practices of third-party vendors on an ongoing basis.

10. Regulatory changes: The regulatory landscape for cloud computing is constantly evolving, and organizations need to be aware of these changes to ensure that they are complying with the latest requirements.

Protection measures:

• Stay up-to-date on the latest regulatory changes that affect cloud computing.
• Work with a compliance consultant.

Virtualization security in cloud computing
Keeping this information in mind, we can now look into the security issues that arise within a cloud-computing scenario. As more and more organizations follow the "Into the Cloud" concept, malicious hackers keep finding ways to get their hands on valuable information by manipulating safeguards and breaching the security layers (if any) of cloud environments. One issue is that the cloud-computing scenario is not as transparent as it claims to be. The service user has no clue how their information is processed and stored, and cannot directly control where data is stored or processed. The service provider, in turn, is usually not aware of the details of the service running on its environment. Possible attacks on the cloud-computing environment can therefore be classified into:

• Resource attacks: These attacks manipulate the available resources into mounting a large-scale botnet attack. They target either cloud providers or service providers.
• Data attacks: These attacks include unauthorized modification of sensitive data at nodes, or configuration changes that enable a sniffing attack via a specific device. They are aimed at cloud providers, service providers, and service users alike.
• Denial of Service attacks: Creating a new virtual machine is not difficult, so creating rogue VMs and allocating huge amounts of storage to them can exhaust capacity, denying service to legitimate service providers when they try to create a new VM on the cloud. The uncontrolled growth of VMs that makes this possible is generally called virtual machine sprawl.
• Backdoors: Another threat in a virtual environment is the use of backdoor VMs that leak sensitive information and destroy data privacy.
• Disk file copying: Anyone with access to the host disk files of a VM can take a snapshot or an illegal copy of the whole system. This can lead to corporate espionage and piracy of legitimate products.

With so many obvious security issues (and a lot more could be added to the list), we need to enumerate some steps that can be used to secure virtualization in cloud computing.

The most neglected aspect of any organization is its physical security. A skilled social engineer can take advantage of weak physical-security policies. It is therefore important to have a consistent, context-aware security policy for controlling access to a data center. Traffic between virtual machines also needs to be monitored closely, using at least a few standard monitoring tools.

After thoroughly enhancing physical security, it's time to check security on the inside. A well-configured gateway should enforce security whenever a virtual machine is reconfigured, migrated, or added. This helps prevent VM sprawl and rogue VMs. Another approach that can enhance internal security is the use of third-party validation checks, performed in accordance with security standards.

In the above figure, the service provider and cloud provider work together and are bound by a Service Level Agreement. The cloud runs the various instances, and service end users pay for each instance they use. The following section explains an approach that can be used to check the integrity of virtual systems running inside the cloud.

Checking virtual systems for integrity increases the ability to monitor and secure environments. One of the primary focuses of this integrity check should be seamless integration with existing virtualization platforms such as VMware and VirtualBox. This leads to file integrity checking and increased protection against data loss within VMs. Combining agentless anti-malware with intrusion detection and prevention in a single virtual appliance (rather than isolated point solutions) contributes greatly to VM integrity checks, reduces operational overhead, and leaves no footprint inside the guest.
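The file-integrity part of such a check is simple to demonstrate. What follows is an added example written for these notes, not code from the original page or from any virtualization product: an agentless check that runs on the host, records a SHA-256 baseline of a VM's disk image and snapshot files while they are known-good, and later reports files that were modified, added (an unauthorised snapshot copy) or removed. The directory tree, file names and contents are constructed in a temporary directory so the example runs offline; real use would point it at the host's VM storage path.

```python
"""Added example: host-side file-integrity baseline and check for VM disk files.
The VM directory below is constructed in a temp dir; no real VM is touched."""
import hashlib
import json
import tempfile
from pathlib import Path


def digest(path, chunk=1 << 20):
    """Stream the file so multi-GB disk images never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot_tree(root):
    """Map relative path (POSIX form) -> digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(root, baseline_file):
    """Record the known-good state. Keep this file outside the monitored tree
    and out of the guest's reach, otherwise an attacker can re-baseline."""
    state = snapshot_tree(root)
    Path(baseline_file).write_text(json.dumps(state, indent=1))
    return state


def verify(root, baseline_file):
    """Compare the current tree with the stored baseline."""
    baseline = json.loads(Path(baseline_file).read_text())
    current = snapshot_tree(root)
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: a VM folder with a disk image and one snapshot is
    baselined, then the image is altered, a snapshot is copied in and the
    original snapshot is deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        vm = Path(tmp) / "vm-01"
        (vm / "snapshots").mkdir(parents=True)
        (vm / "disk.vmdk").write_bytes(b"\x00" * 4096 + b"boot sector")
        (vm / "snapshots" / "snap-1.vmdk").write_bytes(b"delta blocks")
        baseline = Path(tmp) / "vm-01.baseline.json"     # outside the tree
        save_baseline(vm, baseline)

        (vm / "disk.vmdk").write_bytes(b"\x00" * 4096 + b"boot sector + implant")
        (vm / "snapshots" / "snap-2-unauthorised.vmdk").write_bytes(b"copied")
        (vm / "snapshots" / "snap-1.vmdk").unlink()
        return verify(vm, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Because the check reads the files from the host, nothing runs inside the guest and malware in the guest cannot tamper with the checker; the baseline itself is the sensitive artefact and should be stored on a separate, write-protected volume or signed. A practical deployment schedules the check on a timer and feeds the three lists into the alerting pipeline.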

A server in the cloud may be used to deploy web applications, and in this scenario a check against the OWASP Top Ten vulnerabilities will have to be performed. Data in the cloud should be encrypted with suitable encryption and data-protection algorithms. Using these mechanisms, we can check the integrity of the user profile or system profile trying to access disk files on the VMs; profiles lacking these protections should be treated as untrusted, since they may have been compromised by malware. Working with a ratio of one user to one machine would also greatly reduce risks on virtual computing platforms. To enhance security further, after a particular environment has been used it is best to sanitize the system (reload it) and destroy all residual data. Restricting access by source IP address (firewall scope rules on Windows machines, and address-based restrictions in the SSH configuration on Linux machines) helps maintain a secure one-to-one connection.

Lightweight Directory Access Protocol (LDAP) and cloud computing
LDAP is, as the name suggests, a lightweight version of the X.500 Directory Access Protocol (DAP), designed to run directly over TCP/IP with far less overhead. It is used to locate organizations, individuals, and other files or resources over the network. Automation of manual tasks in a cloud environment is done using a concept known as virtual system patterns, which enable fast and repeatable deployment of systems. Dedicated LDAP servers are not typically necessary, but LDAP services have to be considered when designing an efficient virtual system pattern. Extending LDAP servers to cloud management lets existing security policies carry over to the cloud infrastructure and allows users to remotely manage and operate within it.

Various security aspects to be considered:

• Granular access control
• Role-based access control

The directory synchronization client (DSC) is a client-resident application. Only one instance of the DSC can run at a time; multiple instances may lead to inconsistencies in the data being updated. If any user is added or removed, the DSC updates the information on its next scheduled update. Clients then have the option to merge data from multiple DSCs and synchronize. For web security, clients that are already on the network do not need to register separately, provided that the DSC in use is set up for NTLM authentication.

A host-side architecture for securing virtualization in a cloud environment:

The security model prescribed here is a purely host-side architecture that can be placed in a cloud system "as is" without changing any aspect of the cloud. The system assumes the attacker may be present in any form within the guest VM. It is also asynchronous in nature and therefore easier to hide from an attacker: asynchronicity prevents timing-analysis attacks from detecting the system. The model assumes that the host system is trustworthy. When a guest system is placed on the network it is susceptible to various kinds of attacks, such as viruses, code injection (in web applications), and buffer overflows. Other lesser-known attacks on clouds include DoS, keystroke analysis, and traffic-rate estimation. In addition, an exploitation framework like Metasploit can easily attack a buffer-overflow vulnerability and compromise the entire environment.

This approach basically monitors key components. It takes into account the fact that the key attacks would be on the kernel and middleware, so integrity checks are in place for these modules. Overall, the system checks for any malicious modifications to kernel components. The design considers attacks from outside the cloud and also from sibling virtual machines. In the above figure the dotted lines stand for monitoring data and the red lines symbolize malicious data. The system is totally transparent to the guest VMs, as it is entirely host-integrated.

The implementation of this system basically starts with attaching few modules
onto the hosts. The following are the modules along with their functions:

Interceptor: The first module that all host traffic encounters. The interceptor does not block any traffic, so the presence of a third-party security system should not be detectable by an attacker, and the attacker's activities can be logged in more detail. This also allows the system to be made more intelligent. The module is responsible for monitoring suspicious guest activity and plays a role in replacing or restoring affected modules in the case of an attack.

Warning Recorder: The result of the interceptor's analysis is directly sent to this
module. Here a warning pool is created for security checks. The warnings
generated are prioritized for future reference.

Evaluator and hasher: This module performs security checks based on the
priorities of the warning pool created by the warning recorder. Increased
warning will lead to a security alert.

Actuator: The actuator actually makes the final decision whether to issue a
security alert or not. This is done after receiving confirmation from Evaluator,
hasher, and warning recorder.

This system performs an analysis of memory footprints and checks for both
abnormal memory usage and abnormal connection attempts. This kind of detection
of malicious activity is called anomaly-based detection. Once any system is
compromised, the malware tries to infect other systems in the network until
the entire unit is owned by the attacker. Targets of this type of attack also
include command-and-control servers, as in the case of botnets. In either case,
there is an increase in memory activity and connection attempts originating
from a single point in the environment.

Another key strategy used by attackers is to hide processes so that they do not
appear in the process list. The attacker manipulates kernel data at runtime so
that the process is unlinked from the list the system displays, while the
scheduler continues to run it. The modules of this protection system perform
periodic checks of the kernel scheduler; on scanning the scheduler's task
structures they detect the hidden processes, thereby nullifying the attack.
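The pipeline just described (interceptor observations feeding a prioritized warning pool, an evaluator/hasher running integrity checks, an actuator deciding whether to alert), together with the memory/connection anomaly check and the hidden-process scan from the last two paragraphs, as one added Go example. This is not code from the article, from Eucalyptus or from OpenECP: the module images, PIDs and connection counts are constructed inline, the priority weights and the threshold of five connection attempts are assumptions, and a real evaluator would read the module bytes and the scheduler's task list from the host rather than take them as arguments.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Constructed known-good images of the monitored kernel/middleware modules; a
// real hasher would read the files from the (trusted) host. The baseline is
// simply the SHA-256 of these inline byte strings.
var goodModules = map[string][]byte{
	"sched.ko":      []byte("scheduler-image-v1"),
	"net_core.ko":   []byte("net-core-image-v1"),
	"middleware.so": []byte("middleware-image-v1"),
}

// Warning is one entry in the warning pool kept by the Warning Recorder;
// a higher Priority is more urgent (the weights used here are assumptions).
type Warning struct {
	Priority int
	Message  string
}
type Pool struct{ Warnings []Warning }
func (p *Pool) Record(prio int, msg string) { p.Warnings = append(p.Warnings, Warning{prio, msg}) }

// CheckIntegrity is the Evaluator and hasher: re-hash every monitored module
// and compare with the baseline; missing or altered modules are top priority.
func CheckIntegrity(current map[string][]byte, p *Pool) []string {
	tampered := []string{}
	for name, good := range goodModules {
		if img, ok := current[name]; !ok || sha256.Sum256(img) != sha256.Sum256(good) {
			p.Record(3, name+" missing or modified")
			tampered = append(tampered, name)
		}
	}
	return tampered
}

// HiddenProcesses returns PIDs the scheduler runs but the process list omits.
func HiddenProcesses(listing, schedulerTasks []int) []int {
	shown, hidden := map[int]bool{}, []int{}
	for _, pid := range listing {
		shown[pid] = true
	}
	for _, pid := range schedulerTasks {
		if !shown[pid] {
			hidden = append(hidden, pid)
		}
	}
	return hidden
}

// ConnectionAnomalies returns source VMs whose outbound connection attempts
// exceed the threshold (the anomaly-based check on connection activity).
func ConnectionAnomalies(sources []string, threshold int) map[string]int {
	counts, noisy := map[string]int{}, map[string]int{}
	for _, vm := range sources {
		counts[vm]++
	}
	for vm, n := range counts {
		if n > threshold {
			noisy[vm] = n
		}
	}
	return noisy
}

// Actuate is the Actuator: alert on any top-priority warning, or when the
// accumulated weight of lower-priority warnings reaches the same level.
func Actuate(p *Pool, alertAt int) bool {
	total := 0
	for _, w := range p.Warnings {
		if w.Priority >= alertAt {
			return true
		}
		total += w.Priority
	}
	return total >= alertAt
}

// RunMonitor wires the modules together: interceptor observations in,
// findings and the actuator's decision out.
func RunMonitor(modules map[string][]byte, listing, sched []int, conns []string) (tampered []string, hidden []int, noisy map[string]int, alert bool) {
	p := &Pool{}
	tampered, hidden = CheckIntegrity(modules, p), HiddenProcesses(listing, sched)
	for _, pid := range hidden {
		p.Record(2, fmt.Sprintf("hidden process pid=%d", pid))
	}
	noisy = ConnectionAnomalies(conns, 5) // threshold of five attempts is an assumption
	for vm, n := range noisy {
		p.Record(1, fmt.Sprintf("%s: %d connection attempts", vm, n))
	}
	return tampered, hidden, noisy, Actuate(p, 3)
}

// SampleScenario: constructed observations with a patched scheduler module, a
// PID the scheduler runs but the listing omits, and one VM fanning out.
func SampleScenario() ([]string, []int, map[string]int, bool) {
	modules := map[string][]byte{
		"sched.ko":      []byte("scheduler-image-v1-PATCHED"),
		"net_core.ko":   goodModules["net_core.ko"],
		"middleware.so": goodModules["middleware.so"],
	}
	conns := []string{"vm-a", "vm-a"}
	for i := 0; i < 7; i++ {
		conns = append(conns, "vm-b")
	}
	return RunMonitor(modules, []int{100, 101, 102}, []int{100, 101, 102, 4242}, conns)
}

func main() { fmt.Println(SampleScenario()) }
```

The hidden-process check is the last paragraph in miniature: whatever the process listing shows is compared against what the scheduler is actually running, and any PID present only in the scheduler is reported. CheckIntegrity hashes the whole module image, so a patched scheduler module is caught regardless of what was changed inside it, and the actuator alerts either on one high-priority finding or on an accumulation of low-priority ones.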

Current Implementation:

This approach has been followed by two of the main open-source cloud
distributions, namely Eucalyptus and OpenECP. In both implementations, the
system remains transparent to the guest VM and the modules are attached to the
key components of the architecture.

Performance Evaluation:

The system is claimed to impose little CPU overhead (as it is asynchronous)
but shows some overhead on I/O operations. This is attributed to the constant
file-integrity checks and the analysis done by the warning recorder.

In summary, this is a novel architecture designed to secure virtualization in
cloud environments. The architecture is purely host-integrated and remains
transparent to the guest VMs. The system assumes the host is trustworthy and
that attacks originate from the guests. As the security rule of thumb says,
anything and everything can be penetrated given time and patience; but a
careful security engineer can make things difficult for an attacker by
integrating transparent systems that remain invisible, so that under normal
circumstances it takes attackers time even to detect them.

What is Virtualization Security?

Virtualization security (also known as security virtualization) is a
software-based network security approach built to protect virtualized IT
environments. Deploying software-based security functions, such as
next-generation firewalls or antivirus protection, in place of dedicated
hardware appliances is quickly becoming the main way organizations build out
their network infrastructure.

The types of virtualizations include:

• Server virtualization.
• Desktop virtualization.
• Storage virtualization.
• Network virtualization.
• Application virtualization.

Deploying rigid hardware-based network security solutions doesn't provide
comprehensive protection in virtualized environments. Instead, you must
implement a flexible, dynamic virtual security solution to match your new
infrastructure needs.

How Does Virtualization Help With Security Risks?

Virtualization and security go hand in hand, as there are inherent security
advantages baked into virtualization. For example, virtualization allows data
to be stored in a centralized location rather than on unsanctioned or insecure
end-user devices.

Other positive effects of virtualization security include:

• Granular Access Control: IT teams and admins have much more control over
network access than with a legacy hardware-based infrastructure. Teams can
use micro-segmentation techniques to grant user access to specific applications
or resources at the workload level.
• Application Isolation: A key security benefit of virtualization is the ability to
isolate applications from one another on the network. Keeping apps isolated can
protect data from being shared across them, or from malware or viruses that
may have infected other parts of the system. Isolation is often accomplished via
containerization and sandboxing.
• Increased Control Over Desktop and Application Updates: Operating
systems (OSs) and applications constantly receive security patches, but your
employees might not be keeping up with these updates on their devices. By
virtualizing desktops, IT has full control to ensure OSs and applications are
updated.
• Virtual Machine (VM) Isolation: Running several virtual machines on a single
server allows for a high level of isolation. If security is compromised within
one virtual server, this separation protects the other virtual servers on the
host.
• Network Isolation and Segmentation: Independent workloads or apps on a
network can be divided across segmented virtual networks that are isolated
from each other. This ensures that information and access aren't shared
across the entire network.
• Hypervisor Maintenance: Hypervisors that create and run VMs typically have
a much smaller footprint than a general-purpose operating system, which gives
them a smaller attack surface, and vendors usually deliver hypervisor updates
automatically.

Does Virtualization Pose Any Security Risks?

While there are several security benefits to virtualization, there are also a few
inherent virtualization security issues that you should be aware of. These risks
include:

• Increased Complexity: Virtualized environments can be complex, especially as
several workloads and apps are migrated across different servers. This makes it
more difficult for IT teams to follow virtualization security best practices and
maintain consistent policies or configurations across the entire network.
• Virtual Local Area Network (VLAN) Vulnerabilities: When using VLANs,
network traffic is routed from the host to a firewall, which can add network
latency. Additionally, traffic between VMs on the same host and VLAN never
leaves the host, so the physical firewall never sees it and it goes
uninspected unless a virtual firewall or hypervisor-level inspection is in
place.
• VM Sprawl: VM sprawl occurs when there are unused and unaccounted-for VMs
present in your system. Because VMs are so easy to deploy, many IT teams spin
up too many of them, often deploying one for testing purposes and not deleting
it after it is no longer needed. Unused VMs are often ignored and don't receive
security updates, leaving them unpatched and vulnerable to attacks.
• Distributed Denial of Service (DDoS) Attacks: Regardless of their isolation,
VMs running on the same server share that server's resources (CPU, memory,
and I/O). If a DDoS attack is flooding one VM with malicious traffic to degrade
its performance, the other VMs on the server will feel the effects.
• Hypervisor Attacks: While hypervisors have relatively small attack surfaces,
they can still be compromised. If a hypervisor is successfully attacked, all VMs
running on the same server are at risk, which makes it a centralized target for
attackers. In addition, hypervisor admins hold the hypervisor's administrative
credentials, which means a malicious insider could share these credentials with
anyone.

Your organization's cloud infrastructure could also introduce inherent network
security risks, compounding the risks associated with virtualization.

10 Tips for Developing a Virtualization Security Policy
Security virtualization will help keep your organization’s systems secure, but
virtualization alone will not get the job done. It’s important that you set up a
clear and actionable virtualization security policy. These are some of the best
practices for virtualization security you should adopt:

1. Make sure your hosts are running the latest firmware and that all software is
updated regularly.
2. Ensure firmware for all active network elements is up to date.
3. Set up automatic updates for all OSs with installation and reboots scheduled for
off-hours.
4. Install virtualization antivirus and antimalware software and ensure it’s kept
updated.
5. Clearly divide administrator privileges to easily track who has changed what
across the system, and follow the principle of least privilege (PoLP) for each
admin.
6. Make sure that all network traffic is encrypted.
7. Have a clear user policy and train employees on best practices for password
security.
8. Ensure that all VMs have a clear purpose. Delete all unused VMs.
9. Schedule regular backups for your VMs and physical servers, as well as full
system backups.
10. Review and deploy VMware best practices for security.
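A small inventory audit for the VM sprawl risk described above and for tip 8 (every VM has a clear purpose; unused VMs are deleted), as an added Go example that is not part of the original article. The inventory records are constructed; the 30-day idle window, the 45-day patch window and the recommended actions are assumptions a real policy would set, and in practice the records would come from the hypervisor's or CMDB's API rather than an inline list.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// VM is one inventory record, as a CMDB or the hypervisor's API might return it.
type VM struct {
	Name         string
	Owner        string    // empty: unaccounted for
	Purpose      string    // empty: no documented purpose
	PoweredOn    bool
	LastActivity time.Time // last login or network activity observed
	LastPatched  time.Time // last OS update applied
}

// Finding records why a VM was flagged and the recommended action.
type Finding struct {
	Reasons []string
	Action  string
}

// AuditSprawl flags VMs with no owner or purpose, idle longer than idleDays,
// or unpatched longer than patchDays, and recommends an action for each.
func AuditSprawl(inv []VM, now time.Time, idleDays, patchDays int) map[string]Finding {
	out := map[string]Finding{}
	day := 24 * time.Hour
	for _, vm := range inv {
		var reasons []string
		idle := now.Sub(vm.LastActivity) > time.Duration(idleDays)*day
		stale := now.Sub(vm.LastPatched) > time.Duration(patchDays)*day
		if vm.Owner == "" {
			reasons = append(reasons, "no owner")
		}
		if vm.Purpose == "" {
			reasons = append(reasons, "no documented purpose")
		}
		if idle {
			reasons = append(reasons, fmt.Sprintf("idle > %d days", idleDays))
		}
		if stale {
			reasons = append(reasons, fmt.Sprintf("unpatched > %d days", patchDays))
		}
		if len(reasons) == 0 {
			continue
		}
		action := "tag owner and purpose"
		switch {
		case idle && vm.Owner == "":
			action = "delete candidate: confirm and remove"
		case stale && !vm.PoweredOn:
			action = "power on and patch, or delete if no longer needed"
		case idle:
			action = "ask owner to confirm the VM is still needed"
		case stale:
			action = "patch now"
		}
		out[vm.Name] = Finding{reasons, action}
	}
	return out
}

// SampleInventory is constructed test data expressed relative to now.
func SampleInventory(now time.Time) []VM {
	day := 24 * time.Hour
	return []VM{
		{"web-prod-01", "platform", "production web tier", true, now.Add(-1 * day), now.Add(-10 * day)},
		{"test-tmp-07", "", "", true, now.Add(-90 * day), now.Add(-120 * day)},
		{"db-staging", "data", "staging database", false, now.Add(-40 * day), now.Add(-60 * day)},
		{"ci-runner-02", "", "build agent", true, now.Add(-2 * day), now.Add(-5 * day)},
	}
}

func main() {
	now := time.Now()
	findings := AuditSprawl(SampleInventory(now), now, 30, 45)
	names := make([]string, 0, len(findings))
	for n := range findings {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("%-14s %-52s %v\n", n, findings[n].Action, findings[n].Reasons)
	}
}
```

The ownerless, idle and unpatched test VM is exactly the sprawl case from the risk list (spun up for testing and forgotten); the powered-off staging VM is flagged because it will come back unpatched if anyone powers it on, which a "last patched" report that only looks at running machines would miss.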

Explain virtualization security management.
Historically, the development and implementation of new technology has
preceded the full understanding of its inherent security risks, and virtualized
systems are no different. The global adoption of virtualization is a relatively
recent event, and so are the threats to the virtualized infrastructure.

A virtual machine (VM) is an operating system (OS) or application environment
that is installed on software which imitates dedicated hardware. The virtual
machine (VM), the virtual machine monitor (VMM), and the hypervisor or host OS
are the minimum set of components needed in a virtual environment.

Virtualization Types:

Based on the minimum set of components, we classify virtual environments in
the following distinct ways.

• Type 1 virtual environments are considered “full virtualization”
environments and have VMs running on a hypervisor that interacts directly
with the hardware.
• Type 2 virtual environments are also considered “full virtualization” but
the VMM runs on top of a host OS instead of directly on the hardware.
• Paravirtualized environments offer performance gains by eliminating
some of the emulation that occurs in full virtualization environments (the
guest OS is modified to cooperate with the VMM).
• Other type designations include hybrid virtual machines (HVMs) and
hardware-assisted techniques.
• These classifications are somewhat ambiguous in the IT community at
large. The most important thing to remember from a security
perspective is that there is a more significant impact when a host OS
with user applications and interfaces is running outside of a VM at a
level lower than the other VMs (i.e., a Type 2 architecture). Because of
its architecture, the Type 2 environment increases the potential risk of
attacks against the host OS. For example, a laptop running VMware with
a Linux VM on a Windows XP system inherits the attack surface of both
OSs, plus the virtualization code (VMM).

Virtualization Management Roles:

The roles assumed by administrators are the Virtual Server Administrator,
Virtual Machine Administrator, and Guest Administrator. These roles are
configured in VMS and define each role's responsibilities.

1. Virtual Server Administrator — This role is responsible for installing
and configuring the ESX Server hardware, storage, physical and virtual
networks, service console, and management applications.
2. Virtual Machine Administrator — This role is responsible for creating
and configuring virtual machines, virtual networks, virtual machine
resources, and security policies. The Virtual Machine Administrator
creates, maintains, and provisions virtual machines.
3. Guest Administrator — This role is responsible for managing a guest
virtual machine. Tasks typically performed by Guest Administrators
include connecting virtual devices, adding system updates, and
managing applications that may reside on the guest operating system.

Explain briefly about virtual threats.

Some threats to virtualized systems are general in nature, as they are inherent
threats to all computerized systems (such as denial-of-service, or DoS,
attacks). Other threats and vulnerabilities, however, are unique to virtual
machines. Many VM vulnerabilities stem from the fact that a vulnerability in
one VM system can be exploited to attack other VM systems or the host system,
as multiple virtual machines share the same physical hardware.

Some of the vulnerabilities exposed to any malicious-minded individual
regarding security in virtual environments:

Shared clipboard — Shared clipboard technology allows data to be transferred
between VMs and the host, providing a means of moving data between malicious
programs in VMs of different security realms.

Keystroke logging — Some VM technologies enable the logging of keystrokes and
screen updates to be passed across virtual terminals in the virtual machine,
writing to host files and permitting the monitoring of encrypted terminal
connections inside the VM.

VM monitoring from the host — Because all network packets coming from or
going to a VM pass through the host, the host may be able to affect the VM by:

1. Starting, stopping, pausing, and restarting VMs.
2. Monitoring and configuring the resources available to the VMs, including
CPU, memory, disk, and network usage.
3. Adjusting the number of CPUs, amount of memory, amount and number of
virtual disks, and number of virtual network interfaces available to a VM.
4. Monitoring the applications running inside the VM.
5. Viewing, copying, and modifying data stored on the VM's virtual disks.

Virtual machine monitoring from another VM — Usually, VMs should not be able
to directly access one another's virtual disks on the host; if that isolation
fails, one VM can monitor or tamper with another.

Virtual machine backdoors — A backdoor, i.e. a covert communications channel
between the guest and host, could allow intruders to perform potentially
dangerous operations.

Virtualization security management in the cloud is the process of planning, implementing, and
operating virtualization security controls in a cloud environment. This process is critical for
safeguarding virtual machines (VMs) and the sensitive data they contain from unauthorized access,
utilization, disclosure, disruption, modification, or destruction.

Cloud-based virtualized environments, while offering enhanced flexibility and scalability, present
unique security challenges compared to traditional physical environments. The increased complexity
of virtualized environments, the ease with which VMs can be copied and migrated, and the shared
nature of cloud resources make them more vulnerable to cyberattacks.

To effectively manage virtualization security in the cloud, organizations should adopt a
comprehensive approach that encompasses the following key elements:

1. Access Control:

Effective access control is paramount in protecting VMs from unauthorized access.
Implement role-based access control (RBAC) to assign specific permissions to users
based on their roles and responsibilities. Implement multi-factor authentication (MFA)
to add an extra layer of security beyond just passwords. Utilize access control lists
(ACLs) to restrict access to specific resources and services within the virtualized
environment.

2. Data Encryption:

Protect sensitive data stored within VMs by employing encryption both at rest
and in transit. Encryption at rest ensures that the data remains protected
even if the underlying storage, a disk image or a snapshot is copied or stolen
(a running VM that holds its own key is not protected by it). Encryption in
transit safeguards data during transmission across the network. Employ strong
encryption algorithms such as AES with 256-bit keys, in an authenticated mode
such as GCM so that tampering with the ciphertext is detected as well.

3. Vulnerability Management:

Regularly scan VMs for known vulnerabilities using vulnerability scanning tools.
Prioritize patching critical vulnerabilities promptly to minimize the window of
opportunity for attackers to exploit them. Implement automated patching
mechanisms to ensure timely remediation. Utilize vulnerability management
solutions that provide clear remediation guidance and track patch status.

4. Monitoring and Logging:

Establish continuous monitoring of VMs and the underlying networks to detect and
respond to suspicious activities promptly. Implement logging mechanisms to capture
events and activities within the virtualized environment. Utilize security analytics
tools to analyze logs and identify anomalies that may indicate potential attacks. Set
up alerts and notifications to trigger timely responses to suspicious events.

5. Incident Response:

Develop a well-defined incident response plan that clearly outlines procedures for
identifying, isolating, and remediating virtualization security breaches. Clearly define
roles and responsibilities for incident response teams. Conduct regular training and
simulations to ensure preparedness. Implement incident management tools to
facilitate efficient and organized response processes.

6. Cloud Access Security Broker (CASB):

Leverage a Cloud Access Security Broker (CASB) to centrally enforce security
policies and control access to cloud resources, including VMs. A CASB acts as an
intermediary between cloud applications and user devices, applying security policies
and monitoring access patterns. This centralized approach helps mitigate
unauthorized access and enhance overall security posture.

7. Cloud Security Posture Management (CSPM):

Utilize a Cloud Security Posture Management (CSPM) tool to continuously monitor
and assess the security posture of cloud resources, including VMs. A CSPM
provides visibility into the security configuration of cloud resources, identifies
misconfigurations, and assesses compliance with security policies. Proactive
remediation of misconfigurations can help prevent potential security breaches.

8. Cloud Workload Protection Platform (CWPP):

Employ a Cloud Workload Protection Platform (CWPP) to safeguard VMs from
malware and other cyberattacks. A CWPP provides real-time protection against
malware attacks, data breaches, and ransomware. It also helps prevent
unauthorized access and data exfiltration. CWPPs can integrate with other security
tools, such as antivirus, anti-malware, and intrusion detection systems, to provide
comprehensive protection.

By implementing these comprehensive virtualization security management practices,
organizations can significantly enhance the security of their cloud-based VMs and
the valuable data they contain, safeguarding their business operations and assets
from cyberattacks.

TRUSTED COMPUTING BASE (TCB)
What is a trusted computing base?

A trusted computing base (TCB) is everything in a computing system that
provides a secure environment for operations. This includes its hardware,
firmware, software, operating system, physical locations, built-in security
controls, and prescribed security and safety procedures.

The components of the TCB are the only components in the computing system
that operate at a very high level of trust. But "trusted" does not
necessarily mean "secure." It simply means that the components in the TCB
are critical to the system's security: a flaw in any of them undermines the
security of everything that depends on it.

That is why the TCB is charged with enforcing system-wide information
security policies. It is also responsible for maintaining the confidentiality
and integrity of the system's data. If the TCB is flawed or if its security is
hampered in any way, the overall system's security and security policies can
be compromised.

Trusted computing base explained

A TCB consists of multiple components. All these components work
together to secure the computing system in expected and desired ways. As
a result, if any one trusted component is compromised, the entire system
may be compromised and fail to behave as expected.

Before the TCB is used, systems administrators usually test it or validate its
qualities. By installing the TCB, system admins or IT managers can define
user access to the trusted communication path. Doing this ensures secure
communication between the TCB and its users. To enable the TCB's
features, it's important to first install the operating system.

The TCB achieves system security by means of:

• provisioning methods like controlling access

• giving privileges only to specific applications or processes

• enforcing authorization to access specific resources

• enforcing user authentication

• taking regular data backups

• installing antivirus and antimalware software

The various components that constitute the TCB should work well together
to maintain the system's security. Moreover, these components should only
be part of the TCB if they are specifically designed to be part of the
mechanisms governing the TCB's security, capabilities and performance.
These mechanisms should take into account the human security factor in
order to ensure that user weaknesses, mistakes or malicious behaviors
don't affect the TCB's security posture.

Trusted computing bases secure individual computers and the networks
they are connected to by addressing issues around provisioning, privileges,
authorization, authentication, backups and antivirus/antimalware.

Characteristics or guiding principles of a trusted computing base

An effective TCB has the following characteristics:

• Tamperproof. No external part of the computing system should be
able to modify or tamper with the TCB's code or state. This
ensures that the TCB's integrity is maintained.

• Not bypassable. There should be no way to bypass the TCB to
breach the system's security.

• Verifiable. Admins should be able to verify the TCB's correctness
to ensure that its features and subsystems are secure.

• Simple. A simple TCB is easier to verify and maintain than a
complex trusted computing implementation.

What does a trusted computing base monitor?

Among its several functions, the TCB is responsible for monitoring a variety
of system activities, including:

Input/output operations. Because I/O operations involve transactions
between components that may be less secure and components that are
more secure, they may end up compromising system security. The TCB
monitors such transactions to prevent security lapses.

Memory. The TCB also monitors any calls or references to the
system memory. This verifies the integrity and confidentiality of any
data that may be temporarily stored in memory.

Process activation. In a multitasking and multiprogramming environment,
the TCB monitors activities where file access lists, registers and process
status information are invoked. Such actions may lead to the compromise
or loss of sensitive data, so they must be monitored by the TCB.

Switching of the execution domain. The TCB monitors systems with
interconnected domains or rings of protection, where applications in one
domain call upon applications or services in other domains. The goal is to
regulate access to sensitive information or services, and prevent tampering,
compromise or loss.

Working of the trusted computing base. To enforce the security policy, the
TCB monitors the functioning of all system activities and aims to ensure that
the system adheres to the policy. To this end, it acts according to the
reference monitor, which is an abstract machine model. The TCB also has a
security kernel architecture to secure the system and resist attacks.

Reference monitor. The TCB acts as the reference monitor that works at the
boundary between the trusted and untrusted domains of a computing
system. It functions as a barrier between those domains and validates
every access to an object by a subject against the policy before allowing it.

The reference monitor has three distinct characteristics:

• It cannot be bypassed and it mediates all access.

• It is protected from all types of modification so that it remains
unaltered.

• It is tested and verified to maintain its validity.
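A reference monitor in miniature, as an added Go example that serves the three reference monitor properties just listed, the access-control element from the virtualization security management section (RBAC plus MFA) and the administrator roles described earlier (virtual server, virtual machine and guest administrator). It is not code from TechTarget, VMware or any product: the operation names, the role-to-operation table and the hash-chained audit log are assumptions chosen to illustrate "cannot be bypassed" (the privileged operations are only reachable through Request), "protected from modification" (the policy is a fixed table and the log is tamper-evident) and "verifiable" (VerifyLog recomputes the chain).

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

type Role string

const (
	VirtualServerAdmin  Role = "virtual-server-admin"
	VirtualMachineAdmin Role = "virtual-machine-admin"
	GuestAdmin          Role = "guest-admin"
)

// policy grants each role only the operations its description lists (least
// privilege). It is a fixed table: nothing in the program writes to it.
var policy = map[Role]map[string]bool{
	VirtualServerAdmin:  {"configure_host": true, "configure_storage": true, "configure_vnetwork": true},
	VirtualMachineAdmin: {"create_vm": true, "configure_vm": true, "set_vm_policy": true, "configure_vnetwork": true},
	GuestAdmin:          {"connect_device": true, "apply_guest_updates": true, "manage_guest_apps": true},
}

type Subject struct {
	User string
	Role Role
	MFA  bool // true once a second factor has been verified for this session
}

// Entry is one audit record; Prev chains it to the record before it.
type Entry struct{ User, Op, Object, Decision, Prev, Hash string }

// Monitor is the reference monitor. The privileged operations live in the
// unexported ops table and are reachable only through Request.
type Monitor struct {
	log []Entry
	ops map[string]func(object string) string
}

func NewMonitor() *Monitor {
	m := &Monitor{ops: map[string]func(string) string{}}
	for _, allowed := range policy {
		for op := range allowed {
			op := op // stand-in for the real privileged operation
			m.ops[op] = func(obj string) string { return op + " applied to " + obj }
		}
	}
	return m
}

func entryHash(prev, user, op, object, decision string) string {
	sum := sha256.Sum256([]byte(prev + "|" + user + "|" + op + "|" + object + "|" + decision))
	return hex.EncodeToString(sum[:])
}

func (m *Monitor) record(user, op, object, decision string) {
	prev := ""
	if n := len(m.log); n > 0 {
		prev = m.log[n-1].Hash
	}
	m.log = append(m.log, Entry{user, op, object, decision, prev, entryHash(prev, user, op, object, decision)})
}

// Request mediates one access: the subject must have passed MFA and its role
// must grant the operation. Every decision, allowed or denied, is logged.
func (m *Monitor) Request(s Subject, op, object string) (string, error) {
	switch {
	case !s.MFA:
		m.record(s.User, op, object, "deny:no-mfa")
		return "", fmt.Errorf("%s: second factor not verified", s.User)
	case !policy[s.Role][op]:
		m.record(s.User, op, object, "deny:role")
		return "", fmt.Errorf("%s (%s) may not %s", s.User, s.Role, op)
	}
	m.record(s.User, op, object, "allow")
	return m.ops[op](object), nil
}

// VerifyLog recomputes the hash chain; an edited or removed entry breaks it.
func (m *Monitor) VerifyLog() bool {
	prev := ""
	for _, e := range m.log {
		if e.Prev != prev || e.Hash != entryHash(prev, e.User, e.Op, e.Object, e.Decision) {
			return false
		}
		prev = e.Hash
	}
	return true
}

func (m *Monitor) Log() []Entry { return m.log }

func main() {
	m := NewMonitor()
	fmt.Println(m.Request(Subject{"alice", VirtualMachineAdmin, true}, "create_vm", "vm-42"))
	fmt.Println(m.Request(Subject{"bob", GuestAdmin, true}, "configure_host", "esx-host-1"))
	fmt.Println("audit log intact:", m.VerifyLog())
}
```

Denials are logged as well as grants, because the reference monitor's record of who tried what is as important for incident response as what it allowed; the hash chain makes a quietly rewritten denial detectable, which is the "verifiable" property applied to the monitor's own evidence.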

Security kernel. The security kernel also provides a boundary between
trusted and untrusted domains. It runs the necessary processes to enforce
security functions and resist attacks. These enforcement and control
mechanisms are themselves located inside the security perimeter.

Trusted computing base vs. trusted platform module

The TCB is not the same as a trusted platform module (TPM). A TPM
usually refers to a specific chip or specification, while TCB is a security
architecture term that refers to all components in a computing system that
are critical for establishing and maintaining its overall security.

Unlike a trusted computing base, which covers all components in a
computing system, a trusted platform module often refers to specific
components or specifications. The table in the original article lists
trusted platform module types used in internet of things devices.

The components included in the TCB can vary from one system to another.
But in general, every system with security properties has a TCB.

What is trusted cloud computing?

• Cloud computing infrastructures enable companies to cut costs by
outsourcing computations on demand. However, clients of cloud
computing services currently have no means of verifying the
confidentiality and integrity of their data and computation.
• To address this problem the design of a trusted cloud computing
platform (TCCP) was introduced.
• TCCP enables Infrastructure as a Service (IaaS) providers such as
Amazon EC2 to provide a closed-box execution environment that
guarantees confidential execution of guest virtual machines.
• Moreover, it allows users to attest the IaaS provider and determine
whether or not the service is secure before they launch their virtual
machines.
• The goal of trusted cloud computing is to keep the computation of the
virtual machines deployed on the service provider's infrastructure
confidential.
• Customers can verify that the computation is confidential and
prevent inspection of the computation state at the service provider site.
• It allows customers to verify that computation is secure, with the
cooperation of the cloud provider.
• Two components:
A trusted virtual machine monitor (TVMM), which runs on each node of the
backend.
A trusted coordinator (TC), which keeps track of the nodes that run a TVMM
and takes part in their attestation.
• This lets customers determine whether the service is secure before they
launch their VM.
• Hence, TCCP provides a closed-box execution environment by
extending the concept of a trusted platform to an entire IaaS backend.
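The attestation exchange behind the TCCP bullets above (trusted coordinator, trusted nodes, untrusted cloud manager), as an added Go example; it is not code from the TCCP paper or from any IaaS platform. An ed25519 key stands in for the TPM-held attestation key of each node, a SHA-256 over a constructed byte string stands in for the TPM's measurement of the TVMM image, and the node and VM names are made up. Real TCCP uses the TPM's quote protocol and encrypts the VM image for the chosen node; here the coordinator simply refuses to release the VM unless the node re-attests with a fresh nonce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Node stands in for a physical node: priv plays the role of a TPM-held
// attestation key, and tvmm is the VMM image the node booted (measured at boot).
type Node struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	tvmm []byte
}

func NewNode(name string, tvmm []byte) *Node {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Node{name, pub, priv, tvmm}
}

func (n *Node) PublicKey() ed25519.PublicKey { return n.pub }

// Quote is the node's attestation: measurement and verifier nonce, signed so
// it can be neither forged by the cloud manager nor replayed later.
type Quote struct {
	Measurement [32]byte
	Nonce, Sig  []byte
}

func (n *Node) Attest(nonce []byte) Quote {
	m := sha256.Sum256(n.tvmm)
	return Quote{m, nonce, ed25519.Sign(n.priv, append(m[:], nonce...))}
}

// Coordinator is the trusted coordinator: it knows the expected TVMM
// measurement and keeps the registry of nodes that proved they run it.
type Coordinator struct {
	expected [32]byte
	trusted  map[string]ed25519.PublicKey
}

func NewCoordinator(goodTVMM []byte) *Coordinator {
	return &Coordinator{sha256.Sum256(goodTVMM), map[string]ed25519.PublicKey{}}
}

func freshNonce() []byte { b := make([]byte, 16); rand.Read(b); return b }

// Verify checks freshness, the signature and the measurement, in that order.
func (c *Coordinator) Verify(q Quote, pub ed25519.PublicKey, nonce []byte) error {
	switch {
	case string(q.Nonce) != string(nonce):
		return errors.New("stale or replayed quote")
	case !ed25519.Verify(pub, append(q.Measurement[:], q.Nonce...), q.Sig):
		return errors.New("quote signature invalid")
	case q.Measurement != c.expected:
		return errors.New("node is not running the trusted VMM")
	}
	return nil
}

// Register admits a node to the trusted set only after a fresh attestation.
func (c *Coordinator) Register(n *Node) error {
	nonce := freshNonce()
	if err := c.Verify(n.Attest(nonce), n.pub, nonce); err != nil { return err }
	c.trusted[n.Name] = n.pub
	return nil
}

// LaunchVM is what the untrusted cloud manager asks for: the chosen node must
// be registered and must re-attest now, before the user's VM is released.
func (c *Coordinator) LaunchVM(user, vmImage string, chosen *Node) (string, error) {
	pub, ok := c.trusted[chosen.Name]
	if !ok { return "", fmt.Errorf("%s is not a trusted node", chosen.Name) }
	nonce := freshNonce()
	if err := c.Verify(chosen.Attest(nonce), pub, nonce); err != nil { return "", err }
	return fmt.Sprintf("%s: %s released to %s", user, vmImage, chosen.Name), nil
}

// Scenario: two nodes boot the trusted image and register, node-2 is then
// rebooted into a modified VMM, node-4 never ran the trusted VMM, and node-3
// never registered. Both VMM images are constructed byte strings.
func Scenario() map[string]error {
	good, bad := []byte("trusted-vmm-image-v1"), []byte("trusted-vmm-image-v1+backdoor")
	tc := NewCoordinator(good)
	n1, n2 := NewNode("node-1", good), NewNode("node-2", good)
	res := map[string]error{}
	res["register node-1"] = tc.Register(n1)
	res["register node-2"] = tc.Register(n2)
	res["register node-4 (bad VMM)"] = tc.Register(NewNode("node-4", bad))
	n2.tvmm = bad
	_, res["launch on node-1"] = tc.LaunchVM("alice", "vm-img-7", n1)
	_, res["launch on node-2"] = tc.LaunchVM("alice", "vm-img-7", n2)
	_, res["launch on node-3 (unregistered)"] = tc.LaunchVM("alice", "vm-img-7", NewNode("node-3", good))
	return res
}

func main() { fmt.Println(Scenario()) }
```

The point of re-attesting at launch time rather than trusting the registration alone is node-2: it joined the trusted set honestly, but the coordinator still catches the modified VMM because the measurement is taken again under a nonce it has just chosen, which also stops the cloud manager from replaying an old, good quote.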

Why do we need the trusted cloud?

As digitization has picked up speed over the last decades, the word “trust”
has become more and more important and has taken on a whole new meaning in
the era of cloud computing. Business needs drive companies to transfer as
many processes as possible to the digital space, inevitably creating millions
of petabytes of data. To handle data loads of such size, businesses rely on
the cloud. But handling such massive amounts of data, varying widely in
type and source, is a huge challenge for today's cloud environments. This
challenge, combined with security incidents making headlines every day,
makes companies rightfully skeptical about the cloud and how their customer
and enterprise data is managed. Most importantly they ask: how secure is my
data when stored in the cloud?

So, what is a “trusted cloud”?

To ensure the confidentiality and integrity of your company's data, cloud
providers must take appropriate measures to guarantee data security to
their customers. As a first step they should have processes in place that
guarantee proper monitoring and, when needed, immediate alerts in case of
any data policy violations. A trusted cloud gives customers all the privacy
and control choices and guarantees that only the customer retains control of
their data and of any access protocols and permissions that apply. Government
and legal regulations also affect how far data confidentiality can be
enforced, as providers might be compelled by federal and state agencies to
give access to company data. All a cloud provider can do then is to inform
the user that such access has taken place.

In summary, today's trusted cloud follows these key principles:

Data ownership
The data always belongs to the customer, even if they decide to move to any
other service.

Limited access to customer data
No employee should be able to gain access to the data, except in emergencies
such as support cases (ideally nobody but the owner would ever get access, but
this is the limit of today's trusted clouds).

No transfer to third parties
Cloud providers shall not use customer data for any other purpose, for
instance to improve their marketing processes.

Transparency
Customers shall be able to identify where their data is stored and who has
access to it at any time.

These guidelines are hard for the customer to check (and enforce), because
most of them are internal policies put in place by the providers and are
invisible to users. Although there are several certification standards such
as ISO 27001, and audit rights are in place, the customer still needs to trust
that the provider is executing everything as outlined in the user agreement.

Why should you think about going beyond the trusted cloud?

As described, trusted clouds rely in general on policies and standards that
cover technical and organizational procedures to protect your data. It really
comes down to the old concept of trusting your business partner, and,
considering what is at stake, that just might not be enough.

We believe that today's security breaches and the increasing awareness of
privacy demand more sophisticated measures to protect confidential data. For
instance, Intel introduced SGX (Software Guard Extensions). While processing
data, the CPU loads the data into memory and runs program instructions to
manipulate it. In traditional systems that memory could be read by other,
potentially malicious, processes, including a compromised operating system or
hypervisor. SGX introduced special memory areas, called enclaves, whose
contents are encrypted in RAM and accessible only to the code running inside
the enclave. In practice this means that even when you are running on the
cloud, the risk of another cloud user, or of the cloud operator's privileged
software, reading your data while it is being processed is greatly reduced.

Although advancements in this area are a step forward and help increase trust,
handling sensitive customer data such as health records requires thinking
outside the box.

The basic principles behind current encryption and security algorithms are
generally quite old and widely used by technical experts and security
engineers. Nevertheless, effectively applying those techniques to end-user
data and to the cloud often fails because of the inherent complexity of using
cryptography.

Only the use of mathematically secure algorithms can overcome the lack of
trust in public clouds. Let us call clouds that use end-to-end encryption
while transferring and storing data Crypto Clouds. Only a Crypto Cloud lets
you know that your data is as secure as if it had never left your device,
providing the ultimate assurance to the customer.

132 | P a g e
Crypto Clouds, ensuring security via advanced algorithms

Crypto Clouds by definition are not able to gain access to your data at any time!
From a technical perspective it is impossible to unpack your sealed customer
and enterprise data.

One example of such a Crypto Cloud is Bdrive, designed and built in partnership
by neXenio and the German federal mint. As Crypto Clouds and the used client
software can tend to lack in user acceptance, user friendliness is key and Bdrive
tackles this challenge by executing Security by Design in a tight collaboration
with UX experts and users themselves.

Using Crypto Clouds you can handle your data with the highest possible level of
security. Your data is encrypted with private keys (keys unique to your device),
and the confidentiality of these keys is as crucial as the data itself. Access
to your data is limited to those devices that hold the right private key.
However, encrypting data also has its limitations in terms of feasible
operations. As of today, Crypto Clouds cannot be used to outsource analytics or
other computations. This might change in the future: current research on
homomorphic encryption shows that simple operations can also be executed
directly on encrypted data.
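The client-side encryption a Crypto Cloud relies on, as an added example that is not Bdrive's or neXenio's code: a per-device key encrypts and authenticates the data with AES-256-GCM before upload, the provider only ever stores opaque blobs, and only a device holding the same key can open them. The `CloudStore` type, the `Seal`/`Open` names and the sample record are assumptions made for illustration; the choice of AES-256-GCM is also an assumption, not a statement about Bdrive's actual design.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keySize is 32 bytes for AES-256-GCM (assumed design). In a real client the
// key is generated on the device and kept in its key store; it never leaves.
const keySize = 32

// NewDeviceKey creates a fresh random per-device key.
func NewDeviceKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext under the device key. The returned
// blob is nonce || ciphertext || GCM tag and is the only thing ever uploaded.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// aead.Seal appends ciphertext+tag to the nonce, so the blob is self-contained.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a blob produced by Seal. The GCM tag check fails for a wrong
// key or for any modification of the stored blob, so tampering by the provider
// or by another tenant is detected instead of silently returning garbage.
func Open(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// CloudStore stands in for the provider's object storage (hypothetical). It
// only ever sees opaque blobs and has no access to any device key.
type CloudStore struct {
	objects map[string][]byte
}

func NewCloudStore() *CloudStore {
	return &CloudStore{objects: make(map[string][]byte)}
}

func (c *CloudStore) Put(name string, blob []byte) {
	c.objects[name] = append([]byte(nil), blob...)
}

// Get returns a copy of the stored blob, modelling a download.
func (c *CloudStore) Get(name string) ([]byte, bool) {
	blob, ok := c.objects[name]
	return append([]byte(nil), blob...), ok
}

// StoredPlaintextVisible reports whether the provider could find the given
// plaintext anywhere in its storage; for a Crypto Cloud this must be false.
func (c *CloudStore) StoredPlaintextVisible(plaintext []byte) bool {
	for _, blob := range c.objects {
		if bytes.Contains(blob, plaintext) {
			return true
		}
	}
	return false
}

func main() {
	key, _ := NewDeviceKey() // device A generates its key
	cloud := NewCloudStore()
	record := []byte("patient: Jane Doe; diagnosis: constructed sample") // constructed data

	blob, _ := Seal(key, record)
	cloud.Put("health/record-1", blob) // upload ciphertext only
	fmt.Println("provider can see plaintext:", cloud.StoredPlaintextVisible(record))

	stored, _ := cloud.Get("health/record-1") // device B, holding the same key, downloads
	back, err := Open(key, stored)
	fmt.Printf("device with key decrypts: %q (err=%v)\n", back, err)

	stored[len(stored)-1] ^= 0x01 // a corrupted or tampered blob is rejected
	_, err = Open(key, stored)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point the page makes about feasible operations is visible here too: the provider holds only `Seal` output and cannot run analytics over it, which is exactly why outsourcing computation to a Crypto Cloud is not possible without homomorphic schemes.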

Trusted clouds give you policies and procedures that secure your data from
external access. Crypto Clouds go several steps further and secure your data
using cryptography. In this way it becomes technically impossible to access your
data because the effort for an attacker goes far beyond simply gaining access to
data stored in the clouds.


Figure: The Trusted Cloud Computing Platform components, including the
untrusted cloud manager (CM), the trusted coordinator (TC) and a set of
trusted nodes (N).
What do we refer to as trusted cloud computing?

Trusted cloud computing refers to a cloud computing environment that
meets specific security and privacy requirements, ensuring that data stored
and processed in the cloud is protected from unauthorized access,
modification, or disclosure. It encompasses a range of security measures,
practices, and technologies that enable organizations to trust that their
cloud provider is taking adequate steps to protect their sensitive data and
systems.

Key characteristics of trusted cloud computing include:

1. Transparency: Cloud providers should be transparent about their
security practices, data handling procedures, and incident response plans.
This transparency allows customers to make informed decisions about
trusting their data to the cloud provider.

2. Data security: Cloud providers should implement robust data security
measures to protect customer data from unauthorized access,
modification, or disclosure. This includes encryption at rest and in transit,
access controls, and data loss prevention (DLP) mechanisms.

3. Compliance: Cloud providers should comply with relevant industry
regulations and data privacy laws. This ensures that customer data is
handled in accordance with legal requirements and protects customer
rights.

4. Continuous improvement: Cloud providers should continuously improve
their security posture and adapt to evolving threats. This involves regular
vulnerability scanning, patching, and implementing new security
technologies as they become available.

5. Third-party audits: Cloud providers should undergo independent
third-party audits to verify their compliance with security standards and
best practices. These audits provide assurance to customers that the cloud
provider is meeting industry benchmarks for security.

6. Customer control: Cloud providers should give customers control over
their data and security settings. This allows customers to customize their
cloud environment to meet their specific security requirements.

7. Incident response: Cloud providers should have a comprehensive
incident response plan to address security breaches promptly and
effectively. This plan should include procedures for identifying, isolating,
and remediating incidents, as well as communicating with affected
customers.

8. Data sovereignty: Cloud providers should respect data sovereignty
requirements, which dictate where customer data can be stored and
processed. This ensures that customer data is subject to the laws and
regulations of the jurisdictions in which it is stored.

By adhering to these principles, cloud providers can establish themselves as
trusted partners for organizations seeking to leverage the benefits of cloud
computing while maintaining a high level of security and privacy for their
sensitive data.

Benefits of Trusted Cloud Computing

There are several benefits to using a trusted cloud computing provider,
including:

• Enhanced security and compliance: Trusted cloud providers implement
robust security measures and comply with industry regulations and data
privacy laws, reducing the risk of data breaches and ensuring that data is
handled in accordance with legal requirements.

• Reduced IT costs: Organizations can offload IT infrastructure and
management tasks to the cloud provider, saving on the costs of
hardware, software, and personnel.

• Increased agility and scalability: Cloud computing provides on-demand
access to computing resources, enabling businesses to quickly scale up or
down their IT resources to meet changing demands.

• Improved collaboration and communication: Cloud-based applications
and services facilitate collaboration and communication among
employees, partners, and customers, regardless of their location.

• Access to innovation: Cloud providers continuously innovate and
introduce new technologies and services, allowing businesses to benefit
from the latest advancements without having to make significant
investments in their own IT infrastructure.

Choosing a Trusted Cloud Provider

When selecting a cloud provider, organizations should consider the
following factors:

• Security and compliance: Evaluate the cloud provider's security
practices, compliance with relevant regulations, and third-party audit
certifications.

• Data sovereignty: Ensure that the cloud provider can store and process
data in the jurisdictions required by the organization.

• Service offerings: Assess the cloud provider's range of services,
including Infrastructure as a Service (IaaS), Platform as a Service (PaaS),
and Software as a Service (SaaS), to match the organization's needs.

• Scalability and performance: Evaluate the cloud provider's ability to
scale up or down to meet changing demands and ensure that it can
provide the performance required for the organization's applications and
workloads.

• Pricing and cost-effectiveness: Compare pricing models and consider
factors such as per-hour or per-usage pricing, storage costs, and data
transfer fees.

• Customer support: Evaluate the cloud provider's customer support
offerings, including response times, availability, and expertise.

By carefully evaluating these factors, organizations can select a trusted
cloud provider that can meet their specific security, compliance,
performance, and cost requirements.

Examples of Trusted Cloud Providers

• Amazon Web Services (AWS)

• Microsoft Azure

• Google Cloud Platform (GCP)

• IBM Cloud

• Oracle Cloud Infrastructure (OCI)

• Alibaba Cloud

These providers have a proven track record of security, compliance, and
innovation, making them popular choices for businesses of all sizes.
