6 Common Cloud Security Mistakes and How To Avoid Them
Cloud computing has become an IT best practice for businesses of all sizes and industries, providing greater flexibility and reliability while cutting costs. However, cloud security remains a significant concern for many enterprise decision-makers.
In a 2022 survey of security professionals at large firms, 81 percent reported a cloud security incident in the past year. In addition, more than half of respondents said they believed that cloud security risks were higher than security issues for on-premise IT (Townsend, 2022).
Many cloud data breaches and attacks trace back to just a few of the most common cloud security mistakes. This article will discuss six of the biggest cloud security errors, from misconfigurations to poor security practices, and how to address each.
6 Top Common Mistakes That Can Result in Cloud Security Threats
In recent years, news headlines have carried cautionary tales of companies that failed to pay enough attention to cloud security and suffered severe financial, legal, and reputational damage. Even the most basic mistake can result in a devastating cloud data breach.
In October 2017, for example, the cybersecurity risk management company UpGuard discovered that the consulting and management firm Accenture had left at least four cloud storage buckets in Amazon Web Services unsecured, so that anyone with the address could download their contents (UpGuard, 2017). The contents included passwords, API access keys, and software configuration settings that were then leaked onto the Dark Web and used to extort the affected individuals.
The good news is that being aware of possible cloud security threats is the first step to bolstering your cyber defenses. Once you know the common cloud security mistakes businesses make, you can begin to protect against them.
1. Misconfigurations
Misconfigurations can occur when setting up, provisioning, and managing cloud resources, with drastic consequences for cloud security. According to the National Security Agency (NSA), cloud misconfigurations are “the most prevalent cloud vulnerability” (National Security Agency, 2020). They can lead to everything from compromised accounts to denial of service susceptibility.
Cloud environments potentially contain hundreds or thousands of software applications, hardware devices, and other IT assets. With such a large attack surface, it’s easy for users to misconfigure assets such as a storage bucket, security group, or firewall. Attackers can then exploit this vulnerability to enter or spread throughout the environment.
Your business must establish proper change management and monitoring processes to prevent misconfigurations from becoming cloud security threats. This includes regularly reviewing and updating access controls, amending security settings, and testing and auditing security configurations for correctness.
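The audit step described above can be automated. The following is an added example, not part of the original article: it checks a constructed inventory for two of the misconfigurations named in this section, a storage bucket readable by anyone and a security group exposing management ports to the internet. The resource names, the account number, and the simplified security-group layout are assumptions made for illustration.

```python
import ipaddress

# Constructed sample inventory (not real resources). Bucket policies follow the
# AWS policy JSON shape; the security-group rule layout is a simplified assumption.
INVENTORY = {
    "buckets": {
        "example-backups": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-backups/*"}]},
        "example-logs": {"Statement": [
            {"Effect": "Allow", "Action": "s3:PutObject",
             "Principal": {"AWS": "arn:aws:iam::111122223333:role/log-writer"},
             "Resource": "arn:aws:s3:::example-logs/*"}]},
    },
    "security_groups": {
        "sg-web": [{"port": 443, "cidr": "0.0.0.0/0"}],
        "sg-admin": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 3389, "cidr": "10.0.0.0/8"}],
    },
}
SENSITIVE_PORTS = {22, 3389, 3306, 5432}  # SSH, RDP, MySQL, PostgreSQL

def is_public_principal(principal):
    """True when a policy principal matches anyone (anonymous access)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    values = [principal] if isinstance(principal, str) else list(principal or [])
    return "*" in values

def audit(inventory):
    """Return a sorted list of (resource, finding) tuples."""
    findings = []
    for name, policy in inventory["buckets"].items():
        for stmt in policy.get("Statement", []):
            # A Condition may narrow access (for example to one source network),
            # so conditional statements are left for manual review, not flagged.
            if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                    and is_public_principal(stmt.get("Principal"))):
                findings.append((name, "bucket policy allows anonymous access"))
    for name, rules in inventory["security_groups"].items():
        for rule in rules:
            net = ipaddress.ip_network(rule["cidr"])
            if net.prefixlen == 0 and rule["port"] in SENSITIVE_PORTS:
                findings.append((name, f"port {rule['port']} open to {net}"))
    return sorted(findings)

if __name__ == "__main__":
    for resource, finding in audit(INVENTORY):
        print(f"{resource}: {finding}")
```

Running a check like this on every configuration change, rather than only during periodic reviews, ties it to the change management process the section recommends.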
2. Over-Permissioned Cloud Resources
Cloud resources can also have too many permissions. Sometimes, this happens accidentally, such as when default security configurations are used without fine-tuning them to a specific cloud environment or understanding the consequences. For example, a container running in the cloud might receive host permissions, giving it access to resources elsewhere on the machine that should be off-limits.
You can avoid over-permissioned cloud resources by following a cybersecurity principle known as “least privilege” (Gegick & Barnum, 2013). Under this principle, users and roles are granted only the access rights explicitly needed for their job. If attackers hack into a user account or steal its credentials, following the principle of least privilege will limit the damage they can do.
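One way to apply least privilege to an existing role is to compare what it has been granted with what it actually uses. The following is an added example, not part of the original article: it reviews a constructed grant list against constructed usage data, reporting unused grants and what each wildcard grant could be narrowed to. The role's actions and the observation data are assumptions, and action names are compared case-insensitively here.

```python
from fnmatch import fnmatchcase

# Constructed sample data: actions granted to a hypothetical role, and the API
# calls that role made during a review window (for example, from audit logs).
GRANTED = ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "ec2:*", "iam:PassRole"]
OBSERVED = ["s3:GetObject", "s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"]


def covers(pattern, action):
    """True when a grant pattern (possibly containing '*') covers an action."""
    return fnmatchcase(action.lower(), pattern.lower())


def review_grants(granted, observed):
    """Classify each grant against observed usage.

    unused    - exact grants never exercised (candidates for removal)
    wildcards - wildcard grant -> concrete actions actually used under it
    ungranted - observed actions that no grant covers
    """
    used = sorted(set(observed))
    report = {"unused": [], "wildcards": {}, "ungranted": []}
    for pattern in granted:
        hits = [action for action in used if covers(pattern, action)]
        if "*" in pattern:
            report["wildcards"][pattern] = hits
        elif not hits:
            report["unused"].append(pattern)
    report["ungranted"] = [a for a in used
                           if not any(covers(p, a) for p in granted)]
    return report


def least_privilege_set(granted, observed):
    """Proposed replacement grant list: only what was both granted and used."""
    report = review_grants(granted, observed)
    keep = [p for p in granted if "*" not in p and p not in report["unused"]]
    for hits in report["wildcards"].values():
        keep.extend(hits)
    return sorted(set(keep))


if __name__ == "__main__":
    print(review_grants(GRANTED, OBSERVED))
    print(least_privilege_set(GRANTED, OBSERVED))
```

The proposed set is only as good as the review window: an action used once a quarter will look unused in a one-week sample, so treat the output as a starting point for review.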
3. Insufficient Credential Management
Another major cause of cloud security threats is inadequate credential management. For example, passwords may be too weak, easily guessable, or shared between multiple users. Even more advanced methods that rely on digital credentials, such as tokens and secrets, can fail if unauthorized individuals gain access.
To prevent credential management issues, organizations should implement strong password policies that require passwords to be unique and hard to guess. The best approach is to store credentials in a secure password manager and protect secrets and security tokens with strong access controls. Use multi-factor authentication (MFA) whenever possible, which requires users to verify their login attempts through another medium, such as text, email, or a mobile app.
4. Insecure APIs
APIs (application programming interfaces) are tremendously useful for cloud computing, enabling different cloud systems and resources to exchange information. However, if an API is not secured correctly, it can become a cyberattack vector. For example, hackers could exploit weaknesses in an insecure API to gain unauthorized access to data and resources.
Securing an API requires implementing proper authentication and authorization controls. API best practices include using HTTPS and secure protocols such as OAuth and OpenID Connect. Monitoring APIs for unusual activity can also help detect API-based cloud security attacks.
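The monitoring recommendation above can be made concrete with a small detection rule. The following is an added example, not part of the original article: it scans a constructed API access log and flags clients with repeated authentication failures or with denials spread across many distinct resources. The log format, client names, paths, and threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample API access log (hypothetical format):
# timestamp client-id method path status
LOG = """\
2024-05-01T10:00:01Z client-a GET /v1/orders/17 200
2024-05-01T10:00:02Z client-b GET /v1/orders/1 403
2024-05-01T10:00:02Z client-b GET /v1/orders/2 403
2024-05-01T10:00:03Z client-c POST /v1/token 401
2024-05-01T10:00:03Z client-b GET /v1/orders/3 403
2024-05-01T10:00:04Z client-c POST /v1/token 401
2024-05-01T10:00:04Z client-b GET /v1/orders/4 403
2024-05-01T10:00:05Z client-a GET /v1/profile 200
2024-05-01T10:00:05Z client-c POST /v1/token 401
2024-05-01T10:00:06Z client-b GET /v1/orders/5 200
2024-05-01T10:00:06Z client-c POST /v1/token 401
2024-05-01T10:00:07Z client-a GET /v1/orders/18 403
"""

LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def detect_unusual_clients(log_text, threshold=4):
    """Flag clients whose failed calls in the window reach `threshold`.

    401 means the caller failed authentication (bad or expired credentials);
    403 means an authenticated caller requested something it may not access.
    Denials spread over many distinct paths are counted per path, not per call.
    """
    unauthenticated = defaultdict(int)
    forbidden_paths = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, _method, path, status = match.groups()
        if status == "401":
            unauthenticated[client] += 1
        elif status == "403":
            forbidden_paths[client].add(path)
    alerts = {}
    for client, count in unauthenticated.items():
        if count >= threshold:
            alerts.setdefault(client, []).append(f"{count} authentication failures")
    for client, paths in forbidden_paths.items():
        if len(paths) >= threshold:
            alerts.setdefault(client, []).append(f"denied on {len(paths)} distinct paths")
    return alerts
```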
5. Poor Security Practices
Beyond the issues mentioned, businesses can fall prey to several poor cloud security practices. For example, system administrators might neglect to keep software up-to-date or tweak security configurations as necessary. In addition, users might inadvertently expose data in cloud storage or work with sensitive and personal data in a way that violates regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).
Organizations should draft and enact a comprehensive cloud security plan to strengthen their cloud security practices, ensuring that all users adhere to it. Document contents may include education and training programs, security assessments, and strategies for responding to and mitigating security incidents.
6. Failing To Understand the Shared Responsibility Model
In cloud computing, the shared responsibility model defines the responsibilities of both the cloud service provider (CSP) and the customer for securing the cloud environment. The CSP is generally responsible for securing the cloud infrastructure, including handling physical and network security concerns. Meanwhile, the customer is responsible for securing the cloud environment; this includes configuring the operating system and applications and implementing access controls.
Failing to understand the shared responsibility model can lead to cloud security problems. For example, negligence and lax permissions could result if the customer believes that the CSP is responsible for access controls. To resolve this issue, businesses should understand their responsibilities under this model and tackle vulnerabilities that surface from a lack of comprehension.
How Can You Master Cloud Security Concepts with the C|CSE Program?
Master cloud security implementation and management with a first-of-its-kind certification that is both vendor-neutral and vendor-specific. EC-Council’s Certified Cloud Security Engineer (C|CSE) is a hands-on learning certification that offers practical learning of tools, security practices, and techniques used to configure popular cloud providers such as AWS, Azure, and GCP. Industry experts curated the C|CSE curriculum to address the challenges organizations face in ensuring cloud security and to enable candidates to become job-ready.
References
Gegick, M., & Barnum, S. (2013, May 10). Least Privilege. CISA. https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege
National Security Agency. (2020, January 22). Mitigating Cloud Vulnerabilities. https://media.defense.gov/2020/Jan/22/2002237484/-1/-1/0/CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121.PDF
Townsend, K. (2022, September 29). More Than Half of Security Pros Say Risks Higher in Cloud Than On Premise. SecurityWeek.com. https://www.securityweek.com/more-half-security-pros-say-risks-higher-cloud-premise
UpGuard. (2017, October 10). System Shock: How A Cloud Leak Exposed Accenture’s Business. https://www.upguard.com/breaches/cloud-leak-accenture
About the Author
David Tidmarsh is a programmer and writer. He has worked as a software developer at MIT, holds a BA in history from Yale, and is currently a graduate student in computer science at UT Austin.