Cloud computing has made companies more flexible when it comes to their infrastructure, especially since cloud computing offers things like flexibility, scalability and cost saving plans. With saving and flexibility usually comes risks. Many companies have merged to a cloud based service, while some have not due to the various security risks and financial factors. Some security risk with cloud computing include misconfiguration and lack of visibility.
Misconfiguration:
While many companies rely on security controls by their cloud service provider to configure and secure their deployments that is not their complete responsibility. Companies have to take ownership of their configurations in order to reduce their risk with utilizing cloud services. There are also some companies that use multiple cloud service providers from various vendors, which can put them at an even greater risk. Configuration management is vital when it comes to infrastructure and systems and one must pay close attention to it or they may run into the risk of exposing information. Studies have shown that misconfigurations account for 70% of breaches in cloud servers.
Misconfiguration can include insecure default settings, incomplete configurations, open cloud storage, too many permissions given to a single user, error messages with too much information, missing patches and much more. If a cloud server is using default setting, companies will run into the risk of someone gaining access to their system(s) and possibly taking control of it and/or gaining access to the information within it. If a cloud server isn’t completely configured correctly, companies run into the risk of being exposed due to not having strong configurations or the lack of security controls on their systems/infrastructure. If a cloud server is using an open cloud storage, companies run into the risk of having their data shared or exposed. If a cloud server is configured to having someone with permissions that are not needed, companies run into the risk of user access issues or the potential for their credentials being stolen and gained access where the user didn’t need access to. If a cloud server is given error messages with too much information, companies will run into the risk of giving out information that wasn’t needed and now the malicious attacker knows more information than before such as the system the company is using, the version type of the system being used and much more. If the cloud server is using an older patch with known vulnerabilities that will also be a risk companies can run into. Overall, there are many different types of risk with configuration mismanagement that can occur but if companies ensure they have their system configured correctly themselves that will help reduce their risk. Companies can not solely rely on their cloud provider to make these changes they have to take charge of these changes as well.
Lack of visibility:
With cloud based services being outside of company networks and because cloud services are ran on a totally different infrastructure, the company can run into risks. Having a lack of visibility can cause one to limit how much access they have on their cloud based systems. The ability to monitor, control and protect cloud based system is virtually impossible to do when the services is not on premises. Companies need to be able to see if their system is performing well, spot lapses, managing cost and much more.
Companies should be able to see if their system is performing up to their expectations (and for their end-users) and if not, they need to be able to address that issue. Companies need to be able to see laps in their cloud services to address those issues as well as make sure they are managing their money correctly, by having the visibility to see how much of the cloud resources they are actually using from the cloud service(s) and what they are not using so they can make the call on which plan is more beneficial to them. Overall, cloud companies are a benefit for many but without the visibility they can be a hindrance to some. Companies need to be able to see these types of things in their face verses having to call customer service for the information. Being able to see these features may help companies become more comfortable with utilizing the cloud based services.
Overall, there are many issues that come to play when using cloud based services but companies have to take full responsibility over those potential risks to help reduce threats involved in the process. Taking control includes ensuring systems are configured correctly based on current standards and seeing where the system lacks in visibility to ensure the system isn’t lagging with the potential to cause harm from a malicious attacker.
References:
https://www.cloudbolt.io/blog/does-your-organization-need-cloud-visibility/
MillerOnCyber 