
VINCENT T. PANALIGAN · Web viewCyber criminals are also jumping on board of the cloud hype and using these file sharing services as an attack vector. The impact of this risk can


Cloud Vulnerability

1. Loss or Theft of intellectual property

Each year more and more companies are moving their data to the cloud. An analysis by Skyhigh found that 21% of the data uploaded to cloud-based file sharing services contains sensitive data, including intellectual property. Intellectual property is a work or invention that is the result of creativity. Therefore, if that cloud service is breached, the data that was uploaded can end up in the hands of cyber criminals. Another risk is the loss of ownership of intellectual property. Some cloud services pose a risk through terms and conditions that claim ownership of any data uploaded to their services.

The impact of this risk can be devastating in many aspects. It can be devastating financially because the data or intellectual property that was compromised or stolen could have been worth a large amount, and its loss could even make a company go out of business, depending on the value of the data stolen. It can also be devastating in the public eye or media because of the loss of intellectual property. It can cause a company to drop in value, due to the lack of awareness of what services they are using.

The best way to mitigate this type of risk in cloud services is to not upload sensitive data to the cloud; then there is no chance a company will have to deal with this risk. Also, the company needs to fully understand the terms and conditions of the cloud service they are using and to ensure that the service cannot claim ownership of that data.

2. Compliance violations and regulatory actions

There are many government and industry regulations that cover how an organization must handle its information, such as HIPAA, FERPA, etc. Under certain mandates, organizations must know where their data is, who has access, and how it is protected. The growth of cloud services has brought in many new users, from organizations to individuals. Alongside the new users, a new policy called Bring Your Own Cloud (BYOC) has come into play. BYOC is when employees can use public or third-party cloud services to perform certain job roles. The issue at hand is that BYOC often violates these regulations and can cause organizations problems.

The impact of this risk can lead to a large financial burden. According to Erin Tolbert, from Health Care Communication News, individuals and entities such as hospitals and insurance companies face anywhere from a $100 to $50,000 government fine (maximum of $1.5 million per year) for negligence in handling private patient information. This is just for violating one of the government/industry regulations. Most of the time, if BYOC violates one of them, then it violates all of them.

In order to mitigate this risk, organizations must enforce policies that restrict employees from using BYOC, or inform employees which approved cloud services they can use for work documents.


3. Loss of control over end user actions

BYOC allows employees a lot of freedom, and most of the time an organization has no clue what its employees are doing with certain information. An example from Cameron Coles, from Sky High Networks: a salesperson who is about to resign from the company could download a report of all customer contacts, upload the data to a personal cloud storage service, and then access that information once she is employed by a competitor.

The impact of this risk can damage an organization financially and competitively. This type of activity is usually difficult to detect and therefore hard to mitigate. But as technology advances, solutions continue to develop to fight these insider threats. According to Kaushik Narayan, from Sky High Networks, today’s most advanced machine-learning algorithms address this age-old dilemma. Analysis of audit logs for activity in a service compares data traffic with normal usage. Therefore, when a sales representative downloads large files, the active monitoring will detect it and send a notification of high-risk behavior.

This graphic shows the complexity of cloud computing.


4. Malware infections that unleash a targeted attack

As the cloud-service industry grows, organizations are not the only users taking advantage of this new technology. Cyber criminals are also jumping on board of the cloud hype and using these file sharing services as an attack vector.

The impact of this risk can be detrimental to an organization. Cyber criminals can extract information ranging from customer credit card numbers and social security numbers to intellectual property. The attacker can sell this stolen data to the organization's competitors for large profits, leaving the organization in financial and competitive downfall.

To mitigate this risk, organizations need to continuously monitor their data logs and keep an eye out for anomalous activities, which indicate something is wrong. Organizations need scalable cloud analytics to analyze large volumes of transaction data to automatically find any anomalous activity.
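
The audit-log baselining described under risks 3 and 4, as an added Python example (not part of the original paper and not Skyhigh's algorithm): it flags a user's daily download volume when it is far above that user's own history, using a median/MAD score in place of the machine-learning models the paper mentions. The event format, user names, threshold and minimum-history values are assumptions made for illustration.

```python
import statistics
from collections import defaultdict

MB = 1_000_000
# Constructed sample audit events (day, user, action, bytes); not real log data.
SAMPLE_EVENTS = [
    ("2024-03-01", "alice", "download", 40 * MB), ("2024-03-01", "bob", "download", 5 * MB),
    ("2024-03-02", "alice", "download", 42 * MB), ("2024-03-02", "bob", "download", 6 * MB),
    ("2024-03-03", "alice", "download", 38 * MB), ("2024-03-03", "bob", "download", 4 * MB),
    ("2024-03-04", "alice", "download", 41 * MB), ("2024-03-04", "bob", "download", 5 * MB),
    ("2024-03-05", "alice", "download", 39 * MB), ("2024-03-05", "bob", "download", 5 * MB),
    ("2024-03-06", "alice", "download", 43 * MB), ("2024-03-06", "bob", "download", 5 * MB),
    ("2024-03-06", "bob", "download", 900 * MB),  # bulk export of a customer report
]

def daily_download_totals(events):
    """Sum downloaded bytes per user per day; other actions are ignored."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, action, size in events:
        if action == "download":
            totals[user][day] += size
    return totals

def flag_anomalies(events, threshold=6.0, min_history=5):
    """Return (user, day, bytes, score) for days far above the user's own baseline."""
    alerts = []
    for user, per_day in daily_download_totals(events).items():
        days = sorted(per_day)  # ISO dates sort chronologically
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # too little history to call anything "normal usage"
            med = statistics.median(history)
            mad = statistics.median(abs(v - med) for v in history)
            # Floor the scale so a perfectly regular user (MAD == 0) does not
            # divide by zero or alert on a trivial change.
            scale = max(1.4826 * mad, 0.05 * med, 1.0)
            score = (per_day[day] - med) / scale
            if score > threshold:
                alerts.append((user, day, per_day[day], round(score, 1)))
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(SAMPLE_EVENTS):
        print("high-risk download volume:", alert)
```

Because each user is scored against their own history, alice's routine 40 MB days stay quiet while bob's 905 MB day is flagged, which a single organization-wide byte limit would not separate cleanly.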

5. Contractual breaches with customers or business partners

According to Coles, from Sky High Networks, contracts among business parties often restrict how data is used and who is authorized to access it. When employees move restricted data into the cloud without authorization, the business contracts may be violated, which can lead to legal action. For example, some cloud services can maintain the right to share any data uploaded to their service with third parties.

This type of risk can have a financial impact on an organization because it can lead to the loss of a business partner. It can also have legal repercussions, due to the breach of the confidentiality agreement between a company and its business partner.

To mitigate this type of risk, organizations must enforce strict policies on what type of data can go in and out of a cloud service. Organizations also need to maintain constant observation on the activities of their employees, ensuring no restricted data is uploaded to the cloud.

6. Diminished customer trust

The 2013 Target data breach is a recent example of customers losing trust in a company. This data breach was one of the largest breaches of payment card data ever: over 40 million customer credit and debit card numbers were stolen. This resulted in diminished customer trust, and customers avoided Target stores for quite some time.

This type of risk had retail giant Target paying $18.5 million in multistate settlements, as stated by Kevin McCoy, from USA Today. This type of risk will not only impact an organization financially but also impact the reputation of that organization. Luckily, Target is a massive corporation and therefore was able to recover, but most companies would not be able to recover from an event like that.


To mitigate this type of risk, organizations need to enforce corporate data security, compliance, and governance policies to protect corporate data in the cloud. As stated by Coles, from Sky High Networks, the cloud is here to stay, and companies must balance the risks of cloud services with the clear benefits they bring.

Target Breach Statistics.

7. Data breach requiring disclosure and notification to victims

Following the 2013 Target breach, Target had to disclose the breach and send notification to all potential victims. According to McCoy, from USA Today, Target provided free credit monitoring services for consumers affected by the breach. Adding to that, Target paid $10 million in a class-action lawsuit and agreed to pay up to $10,000 to consumers with evidence they suffered losses from the data breach.

Obviously, this type of risk is a financial burden on organizations. Target officials came out and mentioned how embarrassing this incident was. For organizations to mitigate this type of risk and avoid Target’s embarrassing episode, organizations must put cyber security as their top priority and develop proper security policies, assessments, and programs.

According to McCoy, from USA Today, following that whole event, the court required Target to: “Develop, implement and maintain a comprehensive information security program, Employ an executive or officer responsible for executing the program, Hire an independent expert to conduct a security assessment, Maintain and support data security software on the company’s network, Segregate the cardholder data from the rest of the network, Take steps to control network access, including password rotation policies and two-factor authentication.” This event was a wake-up call for large corporations to put cyber security as a priority in the boardroom.


Anatomy of the Target Breach.

8. Increased customer churn

As the benefits of cloud technology become more widely known, the risks are also getting noticed. This leads customers to take their business to companies that they trust and to avoid cloud companies that do not emphasize the privacy of customer information.

We are seeing this today with many companies and brands. Consumers are becoming more aware of who to trust and who cares about their consumers’ personal data. For example, Facebook has been taking serious heat because they continue to have mishaps with their users’ data. Most of these mishaps led to Facebook’s stock dropping instantly.

From a consumer standpoint, the best way to mitigate the risk of consumer data being leaked or shared with third-party applications is to properly understand the terms and conditions that applications state. Consumers also must be aware of the permissions they allow applications to have. Consumers should familiarize themselves with proper cyber awareness and not put sensitive information on social media.


9. Human Error

“In fact, Gartner predicts that, through 2020, 95 percent of cloud security failures will be the customer’s fault,” said Jay Heiser, research vice president at Gartner. There is a common belief that cloud providers are fully responsible for their customers’ security. This can mean many of these enterprises are failing to enforce proper security policies and training for their employees, which can lead to employees transferring restricted data to a public cloud.

The impact of this risk affects cloud service providers and companies that are not on the cloud yet, due to security fears of the cloud. This risk affects cloud service providers financially because they are losing out on a consumer due to human error and not actual cloud technology error. It causes companies that are not on the cloud to miss out on the benefits of this technological service. To mitigate this risk, current enterprises on the cloud must enforce proper control over their employees and implement clear policies on usage of cloud services. This will get rid of the belief that the cloud is insecure and show others that it is mainly the organizations’ responsibility to implement proper security measures.

10. There’s always a risk

The biggest risk when it comes to cloud computing and technology is that you never know what is up ahead. As technology advances, so do the risks. This is where organizations need to carefully decide whether they want to implement new technology. As Neil Rerup, author of “Cyber Peril,” states, “The cloud is not for everyone. Like with all solutions, you have to weigh what level of risk you are comfortable dealing with.” He also states that “Using cloud solution is like kissing someone you don’t know – you don’t know what type of germs they have and whether you’ll catch something from them.”

The impact this risk can have on an organization can be positive or negative. Organizations must critically decide the level of risk they are willing to accept and decide if the benefits outweigh the risks. If an organization does not take the time to make the right decision, it can lose an edge to its competitors by not having cloud capabilities, or have poorly implemented security policies and be hit by detrimental security risks.


How CSPs stack up against each other.

Percentages of Cloud Challenges.


Citations

10 critical cloud security threats in 2018 and beyond | Synopsys. (2019, May 29). Retrieved from https://www.synopsys.com/blogs/software-security/10-cloud-security-threats-2018/

Angeles, S. (2013, October 01). 8 Reasons to Fear Cloud Computing. Retrieved from https://www.businessnewsdaily.com/5215-dangers-cloud-computing.html

Calyptix. (2017, June 22). Top 5 Risks of Cloud Computing. Retrieved from https://www.calyptix.com/research-2/top-5-risks-of-cloud-computing/

Coles, C. (2016, December 06). 100,000 Tweets in 1 Day. Retrieved from https://www.skyhighnetworks.com/cloud-security-blog/100000-tweets-in-1-day-how-company-discovered-security-breach-using-big-data-analytics/

Coles, C. (2018, October 31). 9 Cloud Security Risks Every Company Faces. Retrieved from https://www.skyhighnetworks.com/cloud-security-blog/9-cloud-computing-security-risks-every-company-faces/

Dignan, L. (2019, February 12). Top cloud providers 2018: How AWS, Microsoft, Google, IBM, Oracle, Alibaba stack up. Retrieved from https://www.zdnet.com/article/top-cloud-providers-2018-how-aws-microsoft-google-ibm-oracle-alibaba-stack-up/

McCoy, K. (2017, May 23). Target to pay $18.5M for 2013 data breach that affected 41 million consumers. Retrieved from https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/

Narayan, K. (2017, May 18). 5 Devious Instances of Insider Threat in the Cloud. Retrieved from https://www.skyhighnetworks.com/cloud-security-blog/5-devious-instances-insider-threat-cloud/


Narayan, K. (2017, January 17). In Plain Sight: How Hackers Exfiltrate Corporate Data Using Video. Retrieved from https://www.skyhighnetworks.com/cloud-security-blog/in-plain-sight-how-hackers-exfiltrate-corporate-data-using-video/

Saracsalinas. (2018, June 08). A Facebook bug changed suggested sharing settings to 'public' for up to 14 million users. Retrieved from https://www.cnbc.com/2018/06/07/facebook-bug-made-private-posts-of-up-to-14-million-users-public.html

Top 10 Cloud Computing Challenges. (n.d.). Retrieved from https://www.datamation.com/cloud-computing/top-10-cloud-computing-challenges.html

Top 20 Cloud Computing Issues and Challenges (Latest). (2019, March 04). Retrieved from https://www.educba.com/cloud-computing-issues-challenges/

What is Bring Your Own Cloud (BYOC)? - Definition from Techopedia. (n.d.). Retrieved from https://www.techopedia.com/definition/29069/bring-your-own-cloud-byoc

Why Cloud Security Is Everyone's Business. (n.d.). Retrieved from https://www.gartner.com/smarterwithgartner/why-cloud-security-is-everyones-business/