Cloud Security Challenges for Businesses

Cloud Security Challenges in Business Environments

Exploring Cloud Security: Risks, Regulations & Remedies. Learn from incidents & strategies for robust cloud protection in an evolving digital landscape.

Felix Habgood
Felix Habgood
Head of Marketing
April 26, 2024

The rapid global shift to cloud computing continues to gather momentum, and with it, a sharp increase in both the sophistication and frequency of attacks against cloud infrastructure.

Cloud Adoption in the UK

The UK now boasts over 5.5 Million businesses that rely on cloud computing, with British data centers responsible for storing over $135 Billion worth of data annually. Both of these numbers are increasing year on year, and with cloud infrastructure becoming so widely adopted - ensuring the correct level of cloud security is in place is important.

Understanding Cloud Security Concerns

Cloud-hosted infrastructure provides us with new and emerging security concerns, and without forming a deeper understanding of those concerns, how are we going to address them?

Gartner's Security Incident Report

In 2019, US IT giant, Gartner, reported that up to 95% of security incidents and breaches were the fault of the customer. Fast forward to their 2023 estimates and they predict that 99% of cloud security failures will have occurred on the customer's side of the shared responsibility model.

Before a business starts to implement cloud solutions, it should carefully consider its aims and objectives in line with law and regulations. Failure to adhere to both could cost the business large fines and significant reputational damage.

Premature Cloud Operations

Too many organisations are becoming operational in the cloud before they have implemented a sufficient cloud strategy or appropriate security measures.

Common Cloud Misconfigurations

Common cloud misconfigurations can include any of the following:

  • Public exposed cloud resource
  • Insecure APIs and interfaces
  • Lack of Visibility of Security Events
  • Vulnerabilities in cloud compute resources (Out of date operating system or software)

Case Study: Capital One Breach

One prominent example that springs to mind of recent cloud security breaches is the now infamous credit giant Capital One breach in 2019. Remarkably, this example is one of the largest data breaches in US history.

Notable Cloud Security Incidents

Incident 1 - Online Retail Giant

In 2021 Turkish beauty giant Cosmolog Kozmetik’ had a 20GB trove of customer data leaked from a misconfigured AWS S3 Bucket, including over 9500 files with customer names, addresses, emails, and mobile numbers.

Incident 2 - Online SaaS provider

In the middle of 2021 the Online SaaS communication provider Twilio, accidentally misconfigured an access policy on one of their AWS S3 buckets to allow unauthenticated users permissions to both read and write to the bucket.

Incident 3 - Large Manufacturer

Towards the close of 2021, audio equipment manufacturer Sennheiser had a Christmas to forget as they became the latest victim of a poorly configured S3 bucket that was made public.

Incident 4 - InfoSec company

In 2019, Cyber security company Imperva was left red-faced after accidentally leaving an internal AWS EC2 instance exposed to the public that contained an administrative AWS key.

The Ongoing Challenge of Cloud Security

The scale of this problem is mind-blowing, and with the complexity of the environment constantly intensifying, it doesn’t feel like it is an issue that is going to slow down anytime soon.

Addressing Cloud Misconfigurations

So what are the risks to the business? Potentially millions for each instance of misconfiguration and severe reputational damage! This is why the best approach is to try and mitigate the risk right from the start, instead of in the middle or towards the end of any implementation.

Strategies for Enhancing Cloud Security

We need to know our cloud attack surface and understand where we could potentially be breached. Sensitive data require sophisticated access controls - allowing the right users to see the right data while preventing all others from accessing it is key. Businesses must continuously monitor our services, with unused and non-critical instances decommissioned and frequently audit access controls to snapshots.

And remember, it is vitally important to ensure our services are running the latest version or update provided by the vendor/service. Patch. Patch. Patch, then test and frequently retest.

More recommended articles

© 2024 ONSECURITY TECHNOLOGY LIMITED (company registered in England and Wales. Registered number: 14184026 Registered office: Runway East, 101 Victoria Street, Bristol, England, BS1 6PU). All rights reserved.