Organisations continue to develop new applications in or migrate existing applications to cloud-based services. The federal government recently made cloud adoption a central tenet of its IT modernisation strategy. An organisation that adopts cloud technologies and chooses cloud service providers (CSPs) and services or applications without becoming fully informed of the risks involved exposes itself to a myriad of commercial, financial, technical, legal, and compliance risks.
The threats and vulnerabilities involved in migrating to the cloud are ever-evolving, and the ones listed are by no means exhaustive. Organisations must also consider other challenges and risks of cloud adoption that are specific to their missions, systems, and data.
There are a few characteristics and models for cloud computing:
At a high level, cloud environments experience the same threats as traditional data centre environments; the threat picture is the same. Cloud computing runs software, the software has vulnerabilities, and adversaries try to exploit those vulnerabilities. However, unlike information technology systems in a traditional data centre, in cloud computing, responsibility for mitigating the risks that result from these software vulnerabilities is shared between the CSP and the cloud consumer.
As a result, consumers must understand the division of responsibilities and trust that the CSP meets its obligations. Based on our literature searches and analysis efforts, the following cloud-unique and shared cloud/on-premise vulnerabilities and threats were identified.
When transitioning assets/operations to the cloud, organisations lose some visibility and control over those assets/operations. When using external cloud services, some of the policies and infrastructure move to the CSP.
The actual shift of responsibility depends on the cloud service model(s) used, leading to a paradigm shift for agencies in security monitoring and logging. Organisations need to monitor and analyse information about applications, services, data, and users without using the network-based tracking and logging that is available for on-premises IT.
CSPs make it very easy to provision new services. The on-demand self-service provisioning features of the cloud enable an organisation's personnel to provide additional benefits from the agency's CSP without IT consent. Using software in an organisation that the organisation's IT department does not support is commonly referred to as shadow IT.
Due to the lower costs and ease of implementing PaaS and SaaS products, the probability of unauthorised cloud services increases. However, services provisioned or used without IT's knowledge present risks to an organisation. Unauthorised cloud services could increase malware infections or data exfiltration since the organisation is unable to protect resources it does not know about. Unauthorised cloud services also decrease an organisation's visibility and control of its network and data.
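One way to surface services provisioned without IT's knowledge is to review management-plane audit events rather than network logs. The following is an added example, not part of the original article; the event fields, principal names, and approved list are constructed assumptions and do not follow any real CSP's log schema.

```python
import json
from collections import defaultdict

# Constructed sample events (JSON lines). Field names are hypothetical,
# not any real CSP's audit-log schema.
SAMPLE_LOG = """\
{"time": "2024-05-01T09:12:00Z", "principal": "it-deploy", "action": "CreateInstance", "resource": "vm-web-01"}
{"time": "2024-05-01T10:40:00Z", "principal": "j.doe", "action": "CreateBucket", "resource": "marketing-share"}
{"time": "2024-05-01T10:41:00Z", "principal": "j.doe", "action": "ListBuckets", "resource": "*"}
not-json debris line
{"time": "2024-05-02T02:03:00Z", "principal": "svc-report", "action": "CreateInstance", "resource": "vm-x9"}
{"time": "2024-05-02T02:05:00Z", "principal": "svc-report", "action": "CreateAccessKey", "resource": "svc-report"}
"""

# Assumption: IT maintains the list of identities allowed to provision.
APPROVED_PROVISIONERS = {"it-deploy"}
# Assumption: provisioning calls are recognisable by these verb prefixes.
PROVISIONING_PREFIXES = ("Create", "Run", "Launch")


def parse_events(text):
    """Return (events, skipped): parsed events and the count of unusable lines."""
    events, skipped = [], 0
    for line in text.splitlines():
        try:
            event = json.loads(line)
            # Touch the required fields so incomplete records are rejected.
            event["principal"], event["action"], event["resource"]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # Dropped lines are a visibility gap; report them.
            continue
        events.append(event)
    return events, skipped


def unapproved_provisioning(events, approved=APPROVED_PROVISIONERS):
    """Map each unapproved principal to the (time, action, resource) it provisioned."""
    findings = defaultdict(list)
    for e in events:
        is_provisioning = str(e["action"]).startswith(PROVISIONING_PREFIXES)
        if is_provisioning and e["principal"] not in approved:
            findings[e["principal"]].append((e.get("time"), e["action"], e["resource"]))
    return dict(findings)


if __name__ == "__main__":
    events, skipped = parse_events(SAMPLE_LOG)
    for principal, items in unapproved_provisioning(events).items():
        for when, action, resource in items:
            print(f"{when} {principal} {action} {resource}")
    print(f"{skipped} unparseable line(s) skipped")
```

The same report also helps with the stolen-credential risk, since an identity that suddenly starts provisioning resources appears here even when its network traffic never crosses the organisation's own perimeter.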
CSPs expose a set of application programming interfaces (APIs) that customers use to manage and interact with cloud services (also known as the management plane). Organisations use these APIs to provision, manage, orchestrate, and monitor their assets and users. These APIs can contain the same software vulnerabilities as an API for an operating system, library, etc. Unlike management APIs for on-premises computing, CSP APIs are accessible via the Internet, exposing them more broadly to potential exploitation.
Threat actors look for vulnerabilities in management APIs. If discovered, these vulnerabilities can be turned into successful attacks, and organisation cloud assets can be compromised. From there, attackers can use organisation assets to perpetrate further attacks against other CSP customers.
The exploitation of system and software vulnerabilities within a CSP's infrastructure, platforms, or applications that support multi-tenancy can lead to a failure to maintain separation among tenants. An attacker can use this failure to gain access from one organisation's resource to another user's or organisation's assets or data. Multi-tenancy increases the attack surface, leading to increased data leakage if the separation controls fail.
This attack can be accomplished by exploiting vulnerabilities in the CSP's applications, hypervisor, or hardware, subverting logical isolation controls, or attacks on the CSP's management API. To date, there has not been a documented security failure of a CSP's SaaS platform that resulted in an external attacker gaining access to tenants' data.
No reports of an attack based on logical separation failure were identified; however, proof-of-concept exploits have been demonstrated.
Threats associated with data deletion exist because the consumer has reduced visibility into where their data is physically stored in the cloud and a reduced ability to verify the secure deletion of their data.
This risk is concerning because the data is spread over several different storage devices within the CSP's infrastructure in a multi-tenancy environment. In addition, deletion procedures may differ from provider to provider. Organisations may not be able to verify that their data was securely deleted and that remnants of the data are not available to attackers. This threat increases as an agency uses more CSP services.
The following are risks applicable to both cloud and on-premise IT data centres that organisations need to address.
If an attacker gains access to a user's cloud credentials, the attacker can have access to the CSP's services to provide additional resources (if certificates allow access to provisioning) and target the organisation's assets. The attacker could leverage cloud computing resources to target the organisation's administrative users, other organisations using the same CSP, or the CSP's administrators. An attacker who gains access to a CSP administrator's cloud credentials may use those credentials to access the agency's systems and data.
Administrator roles vary between a CSP and an organisation. The CSP administrator has access to the CSP network, systems, and applications (depending on the service) of the CSP's infrastructure. The consumer's administrators have access only to the organisation's cloud implementations. In essence, the CSP administrator has administrative rights over more than one customer and supports multiple services.
Vendor lock-in becomes an issue when an organisation considers moving its assets/operations from one CSP to another. The organisation discovers the cost/effort/schedule time necessary for the move is much higher than initially considered due to non-standard data formats, non-standard APIs, and reliance on one CSP's proprietary tools and unique APIs.
This issue increases in service models where the CSP takes more responsibility. As an agency uses more features, services, or APIs, the exposure to a CSP's unique implementations increases. These individual implementations require changes when a capability is moved to a different CSP. If a selected CSP goes out of business, it becomes a significant problem since data can be lost or cannot be transferred to another CSP promptly.
Migrating to the cloud can introduce complexity into IT operations. Managing, integrating, and operating in the cloud may require that the agency's existing IT staff learn a new model. IT staff must have the capacity and skill level to manage, integrate, and maintain the migration of assets and data to the cloud in addition to their current responsibilities for on-premises IT.
Key management and encryption services become more complex in the cloud. The benefits, techniques, and tools available to log and monitor cloud services typically vary across CSPs, further increasing complexity. There may also be emergent threats/risks in hybrid cloud implementations due to technology, policies, and implementation methods, which add complexity. This added complexity leads to an increased potential for security gaps in an agency's cloud and on-premises implementations.
Insiders, such as staff and administrators for both organisations and CSPs, who abuse their authorised access to the organisation's or CSP's networks, systems, and data are uniquely positioned to cause damage or exfiltrate information.
The impact is most likely worse when using IaaS due to an insider's ability to provision resources or perform nefarious activities that require forensics for detection. These forensic capabilities may not be available with cloud resources.
Data stored in the cloud can be lost for reasons other than malicious attacks. Accidental deletion of data by the cloud service provider or a physical catastrophe, such as a fire or earthquake, can lead to the permanent loss of customer data. The burden of avoiding data loss does not fall solely on the provider's shoulders.
If a customer encrypts its data before uploading it to the cloud but loses the encryption key, the data will be lost. In addition, an inadequate understanding of a CSP's storage model may result in data loss. Agencies must consider data recovery and be prepared for the possibility of their CSP being acquired, changing service offerings, or going bankrupt.
This threat increases as an agency uses more CSP services. Recovering data on a CSP may be easier than recovering it at an agency because an SLA designates availability/uptime percentages. These percentages should be investigated when the agency selects a CSP.
If the CSP outsources parts of its infrastructure, operations, or maintenance, these third parties may not satisfy/support the requirements that the CSP is contracted to provide to an organisation. An organisation needs to evaluate how the CSP enforces compliance and check to see if the CSP flows its requirements down to third parties. If the conditions are not being levied on the supply chain, then the threat to the agency increases.
This threat increases as an organisation uses more CSP services and is dependent on individual CSPs and their supply chain policies.
Organisations migrating to the cloud often perform insufficient due diligence. They move data to the cloud without understanding the full scope of doing so, the security measures used by the CSP, and their responsibility to provide security measures. They make decisions to use cloud services without fully understanding how those services must be secured.
Before cloud computing, companies had to budget for buying hardware (servers and network just to mention some) and software (operating systems, security suites, productivity programs). With the advent of cloud computing, they now can tap into shared resources without even needing to sacrifice office space!
Cloud computing is the right choice for many SMBs that are okay with outsourcing and comfortable using another party's facilities to store their data, software, and devices. Providers are paid a subscription cost and offer a pool of services, including updates, IT assistance, and training if needed. If so wished, companies are freed from the need to have their own IT department, IT server rooms, etc. Of course, cloud computing cannot be for everyone.
Companies that have specific privacy concerns, however, still have the option to subscribe for hybrid systems. They can maintain control over their data, for example, while still using shared resources to cut costs. Cloud computing is also essential when a business has employees who are in satellite offices or who work remotely through laptops or tablets while on the road or visiting a client. The cloud makes it much easier for them to access needed information and resources.
So why isn't cloud computing the choice for all companies? The answer is obvious: the inevitable risks of cloud computing. Switching to this new way of defining IT requires an in-depth evaluation of the business' needs and an analysis of how much trouble can be tolerated.
Migration to the cloud might sound like the most cost-effective option. Still, businesses should carefully compare the costs of owning software and equipment with the price of "leasing" IT technologies. Parameters like speed, security, usage, quality of service, scalability, and support must be considered.
Migration to the cloud might pose problems of compatibility with an existing IT infrastructure or with a company's security requirements and organisational policies. Pre-planning is once again crucial in considering all these aspects before committing to the change.
Not all providers are equal. Services through cloud computing may be interrupted by unforeseen events. Outages from a service provider, for example, can happen. Since providers are unable to guarantee no service disruptions will occur, data may not be available 24/7.
In a disaster situation, communications may be slow or shut down for some time. Once again, a careful assessment of the cloud service provider is paramount. Businesses need to consider the risks associated with trusting all their operations to an external party and what would happen in case of default and interruption of service. A business needs to consider what guarantees the cloud service provider offers if disaster strikes.
Probably the main concern, confidentiality is often mentioned as the reason for not embracing cloud computing. If a company's operations require the handling of sensitive data, the protection of these data becomes a priority and a concern. A business might not feel confident in sharing its vital information with an external party. Responsibility for a data leak could be hard to assign when data are handled and transmitted between two parties.
There are risks involving non-compliance with existing policies and contractual obligations related to the handled data or the business operations. The legal implication of using an external IT provider should be carefully reviewed.
Not just confidentiality, but the entire structure should be evaluated. Where's your data going to be stored? Who will have access to the information? What security measures and protection does the cloud provider offer? Is all information (even when non-sensitive) transmitted in unsecured plaintext or is it encrypted at all times?
There is always the risk that the system quality may be inadequate or that a cloud service provider is unable to provide quality services at all times. It should be clear what guarantees the provider can offer in terms of systems performance and, especially, how prompt its corrective action is in case of a disruption of service. Not having direct access to the infrastructure means that a business must rely on the prompt action of the provider when something goes wrong.
A business needs to trust the quality standards that a provider can offer over time. How easy would it be to switch providers in case of an obvious degradation of quality?
Many of these risks can be mitigated by careful planning and attention to detail when drafting service contracts with cloud providers. For example, risks related to privacy and data confidentiality can be reduced by using hybrid cloud computing: sharing only some resources but not relinquishing data control.
Cloud computing is most certainly revolutionizing the way small-medium businesses (SMBs), and companies in general, use IT. Cloud computing has allowed businesses to access high-end technology and information at an affordable cost. In most cases, SMBs can access new technology and more resources without the premium price it would have cost in the past.
Regardless of the risks and adverse opinions, however, it seems cloud computing will continue its growth. Only time will tell if the benefits of this IT revolution will outweigh for good the risks involved.