Many businesses immediately put a cloud migration plan into motion after hearing about all the advantages of the cloud. After all, cloud services have skyrocketed in popularity over the last decade and failing to offer your software services in this fashion is often seen as being "behind the times."
However, in the race to cloud adoption, cloud security is often overlooked. Remember, cloud application development involves utilizing a "shared responsibility model" with the cloud service provider (CSP) your organization chooses. There are far more potentially vulnerable facets when dealing with cloud services. Unlike a traditional consumer desktop application, a cloud application has a larger "attack surface": the CSP, typically an API service, content moving to and from various sources, the core code of the application, and of course the end user's machine.
We’ve identified some risks and vulnerabilities involved when a business chooses cloud adoption and how to avoid them:
- Far less consumer control: The end-user does not have complete autonomy when running cloud applications. Much of the logic and processing is done on a separate server. An attack on this server could compromise the data of all your users, sinking a successful application overnight.
- Unauthorized instance spawning: As you know, it is very simple to spin up a new "instance" of a virtual machine or container through any major cloud provider. However, if the administrative credentials are compromised, a malicious user could spawn new instances that cost your company a great deal of money. These instances could also potentially connect to your other instances and steal data from them.
- Potential API vulnerabilities: Most cloud application development involves utilizing an API to make common calls easier and more intuitive. However, any user of the application can use one of a variety of tools to see both the URL of each API call and the parameters it expects. If credentials aren't checked with every API call, anyone who learns a URL and its parameters can call the API directly.
- Shared cloud services exploits: By nature, the servers that power the cloud are shared by multiple companies. Though companies try to logically segregate each company's data, it may be possible for an attacker who has access to the server to exploit it and steal your data.
- Secure deletion issues: From time to time, you will need to safely delete data. That can be very easily done on desktop applications, but it becomes more complex when you use multiple servers and providers (and, of course, cached data of the end-user).
- Improper user privileges: Any company's cloud credentials could get stolen, and if everyone shares an account, the likelihood is even higher. Every major cloud service offers an internal user management feature, where people are assigned roles that have privileges.
- Single-vendor monopoly: Cloud providers have attractive offers to begin with, but if you need to change providers, it can be very difficult and time-consuming. This can cost a huge amount of money and time.
- Overworked IT staff: Though largely overlooked, a cloud migration plan can put a large burden on your IT staff. If their days are already overflowing, it can make the job unbearable, and egregious mistakes can be made.
- The insider threat: As always, there is a risk of an insider threat. Unlike traditional software, an insider with administrative cloud access can completely ruin an application and a company's reputation in seconds.
- Data loss: When multiple providers are used, anything from an attacker to a power outage at a data center may cause sudden, unexpected data loss. Without a proper backup plan, this can instantly put an application out of commission.
- Too many suppliers: With so many suppliers of cloud programs, your data may go through several providers. If a single provider is compromised, the data may go out of your control.
- Too little research: Many organizations instantly want to switch after hearing of the advantages of the cloud. However, in their excitement, they fail to do the proper research. This can lead to fatal errors.
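The "Potential API vulnerabilities" item above, as an added example that is not from the original article: a handler that trusts its parameters next to one that checks credentials on every call and then checks who owns the requested object. The token format, signing key, invoice data and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"               # assumption: server-side signing key
INVOICES = {"inv-1": "alice", "inv-2": "bob"}  # constructed data: invoice -> owner

def issue_token(user, ttl=300, now=None):
    """Return 'user.expiry.signature' for a user who has already logged in."""
    expiry = int((now if now is not None else time.time()) + ttl)
    body = f"{user}.{expiry}"
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token, now=None):
    """Return the user name if the token is authentic and unexpired, else None."""
    try:
        user, expiry, sig = token.split(".")
        expiry = int(expiry)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SECRET, f"{user}.{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if (now if now is not None else time.time()) >= expiry:
        return None
    return user

def get_invoice_unchecked(params):
    """Weak: no credential check, so knowing the URL and parameters is enough."""
    return 200 if params.get("invoice_id") in INVOICES else 404

def get_invoice_checked(params, token):
    """Hardened: authenticate on every call, then authorize against the owner."""
    user = verify_token(token)
    if user is None:
        return 401
    owner = INVOICES.get(params.get("invoice_id"))
    if owner is None:
        return 404
    return 200 if owner == user else 403
```

The hardened handler returns 401 for a missing, altered or expired token and 403 when a valid user asks for an object that belongs to someone else.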
Mitigating cloud risks
Here are some cloud security mechanisms you can use to stay safe:
- Take your time setting up your cloud account and ensure that users have appropriate privileges. Never allow shared accounts and remember to give the least privilege practical to each user.
- Instead of manually performing processes, like database backups, automate them. Don't make any room for human error.
- Ensure that you can adequately log and see data going in and out. Invest in a tool suite that allows you to easily "drill down" into sessions to identify potentially malicious users.
- Make sure your team fully understands the chain of providers being used. Assign team members duties such as ensuring that every provider utilized is staying up to date with patches.
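One way to act on the logging and least-privilege advice above, as an added example that is not from the original article: a pass over audit events that flags accounts used from several sources at once (a sign of sharing) and instance creation that is either outside the expected role or arrives in a burst. The event schema, account names, thresholds and allow-list are constructed assumptions.

```python
from collections import defaultdict

# Constructed audit events (hypothetical schema): minute, account, source, action.
EVENTS = [
    (0,  "ops-shared", "10.0.0.5",  "login"),
    (3,  "ops-shared", "10.0.0.9",  "login"),
    (4,  "ops-shared", "192.0.2.7", "login"),
    (5,  "alice",      "10.0.0.5",  "create_instance"),
    (10, "build-bot",  "10.0.1.2",  "create_instance"),
    (11, "build-bot",  "10.0.1.2",  "create_instance"),
    (12, "build-bot",  "10.0.1.2",  "create_instance"),
    (13, "build-bot",  "10.0.1.2",  "create_instance"),
    (90, "alice",      "10.0.0.5",  "login"),
]
MAY_CREATE = {"build-bot"}  # assumption: accounts whose role should create instances

def shared_accounts(events, window=15, max_sources=2):
    """Accounts seen from more than max_sources sources within `window` minutes."""
    seen = defaultdict(list)
    for t, account, source, _ in events:
        seen[account].append((t, source))
    flagged = set()
    for account, hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            sources = {s for t, s in hits[i:] if t - start <= window}
            if len(sources) > max_sources:
                flagged.add(account)
                break
    return flagged

def instance_alerts(events, allowed=MAY_CREATE, window=10, burst=3):
    """Flag creations by accounts off the allow-list, and bursts by those on it."""
    alerts, recent = [], defaultdict(list)
    for t, account, _, action in sorted(events):
        if action != "create_instance":
            continue
        if account not in allowed:
            alerts.append((t, account, "not_allowlisted"))
            continue
        recent[account] = [x for x in recent[account] if t - x < window] + [t]
        if len(recent[account]) > burst:
            alerts.append((t, account, "burst"))
    return alerts
```

On the constructed events, `ops-shared` is flagged as shared, `alice` is flagged for holding a privilege her role should not need, and `build-bot` is flagged on its fourth launch in ten minutes.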
Despite some imperfections, cloud adoption is the future. Of course, it's important to be mindful of the risks involved with the practice. Rather than avoiding it completely, simply use best practices and ensure that you have vigilant staff and a strong chain of suppliers and tools.
Gaurav Sharma is a Director of Operations at Chetu Inc. based in Las Vegas, Nevada. For 11 years, he has overseen various technical projects including software development in the cloud.