
Assignment 2

This document discusses 10 top cybersecurity risks to data in the cloud: 1) Identity and access management issues like weak access controls can lead to data breaches. 2) Insecure APIs that are not properly secured can expose sensitive data. 3) Insufficient due diligence when migrating systems to the cloud can put an organization's data and reputation at risk. 4) Data loss can occur due to human error, lost encryption keys, or lack of proper backups. 5) Incident analysis and forensic support may be limited in some cloud environments. 6) Non-production environments that are not properly secured can expose sensitive data and vulnerabilities. 7) Disaster recovery plans and options are critical but not always utilized.

Uploaded by

api-593553237

ASSIGNMENT 2.2: CLOUD VULNERABILITY

Top 10 Cybersecurity Risks to Data in The Cloud

Russell A. Findley

Masters of Science in Cyber Security Operations and Leadership, University of San Diego

Professor Nikolas Behar

September 19, 2020



What is the Cloud?

Cloud computing is a broadly used term, but the name represents a data center that delivers services and infrastructure over the internet and on demand. Cloud Service Providers (CSPs) like Box.com store documents and offer collaborative services, while others like AWS Cloud Services provide infrastructure and platforms as a service. All CSPs process data, and inherent risks and benefits come with that.

Identity and Access Management

Digital identities are a critical part of securing cloud infrastructures. Businesses are adopting multi-cloud infrastructures, which increase the attack surface for hackers. A data breach can occur due to weak access controls and a failure to implement identity controls (Brooks et al., 2017). Developing and deploying preventative measures such as tools, policies, and protocols can reduce the risk of a data breach. Data breaches can incur tangible costs to the business, for example, hiring security experts, digital forensics, legal fees, and compliance fines. There are also non-tangible issues that take time to measure, like loss of reputation, customer abandonment, and building a new reputation (Brooks et al., 2017).

User passwords are the first line of defense in securing an account. Security practitioners recommend strong and unique passwords because they prevent someone from performing a brute force attack against your account. There are differences of opinion on the length and expiration, but standards like NIST and CIS20 support alphanumeric passwords that are greater than ten characters (Duffy, 2016).

Security standards like NIST agree that using Multifactor Authentication (MFA) as a secondary form of authentication is a best practice. MFA ensures the person logging in has a unique token that regularly changes to identify the user logging in.

Security Assertion Markup Language (SAML) is an identity protocol that enables users to log in securely with the same credentials across multiple clouds. SAML, often used with Single Sign-On technologies, allows users to consolidate their identity so it is the same for all logins. Consider the alternative, where you have multiple clouds but the account management for each is unique.

Insecure APIs

Public cloud infrastructures rely on Application Programming Interfaces (APIs), which allow more than one application to communicate with each other. The API is a roadmap to the internal application and enables functions such as passing login credentials or sharing information. A cloud offering that exposes an insecure API exposes its operators to the loss of data, business reputation, accountability, and availability (Brooks et al., 2017).

APIs are not only convenient and powerful; they also pose a significant risk to the Cloud. Preserving the security and integrity of an API is much like securing other digital assets: maintaining access lists, vulnerability management of the API codebase, authentication profiles, and continuous upgrades to keep pace with the quick releases that come with the lifecycle of such tools (Skowronski, 2019).

APIs are vulnerable to attacks like Man-in-the-Middle, CSRF, XSS, SQL Injection, and DDoS. Implementing detection capabilities to identify when an API is misused requires additional monitoring.

A properly secured and implemented API, or use of a cloud API, allows businesses to invest less in infrastructure and focus more on enabling applications to communicate.

Insufficient Due Diligence

Migrating to the Cloud requires planning and design. Deciding which Cloud to use or how to secure it deserves the same attention to detail that a company gives a new business plan. A common misconception about using a cloud service or infrastructure is that the implementation, design, and use will be straightforward. No matter which cloud services one chooses (e.g., storing files in Box or migrating your eCommerce platform to Azure), you put your company and reputation at risk without proper due diligence (Brooks et al., 2017).

Developing a roadmap of infrastructure requirements, data protection, access controls, and defensive and detective controls can mitigate risk. Additional recommendations are following guidelines like CIS20 or employing professionals who have experience building and securing cloud environments. A well-crafted, written implementation plan is a reference point for all future work.

Data Loss

Data loss is a common problem with Cloud Service Providers, but we rarely read about it unless it is related to a security breach. Data loss in a cloud environment can happen due to human error, losing an encryption key, or not understanding how to properly back up or create a high-availability environment (Morrow, 2018).



Data is the lifeblood of most organizations (Brooks et al., 2017). Information is the one item that sets most organizations apart and makes them unique. Losing data through any means, whether a breach, human error, or malfunction, can result in the loss of revenue or business.

An example of data loss by human error occurred on Christmas Eve, 2013, when an employee of Netflix performed maintenance and erased code on the Elastic Load Balancers. The change had propagated out to 6.8% of Netflix load balancers within the next few hours (Butler, 2013). This situation illustrates one way data loss can impact a business. In this case, a portion of Netflix customers could not access the service during the outage. Operators and users of cloud service providers share the responsibility of knowing how to back up data locally and geographically. There are options available for customers to distribute copies of data: multi-cloud options, backup, and high availability.

Incident Analysis and Forensic Support

Performing incident analysis and digital forensics in a cloud environment can differ from traditional data center environments. There are different types of cloud offerings. Some, like Dropbox or ServiceNow, provide an interface to serve all your work, but power users won't have access to backend services; we rely on these cloud operators to perform their own analysis and forensics. The second type of CSP is Infrastructure-as-a-Service (IaaS). In these environments, administrators can have direct access to a server. Still, cloud governance can limit the ability to perform digital forensics, which requires users to use the cloud tools first.

In addition, performing incident analysis and forensics can be complicated if the cloud environment crosses different jurisdictions. An example of this is when businesses store logs in other regions, states, or countries. Owing to the complex integrations and intricacy of cloud environments, detection and resolution take longer than usual.

Non-Production Environment Exposure

Deployment of cloud services is treated much like a traditional environment when creating lower (non-production) environments. The lower environments are used to deploy new builds, test patches, develop new features, and perform load tests. Some companies that use a non-production environment don't want the burden of production-like security controls because they feel constrained.

Here are some risks associated with non-production environments:

1. Data copied from production to non-production is sometimes not adequately sanitized and contains sensitive data;
2. The rapidly developed software is sometimes not scanned and contains flaws or vulnerabilities (Shankar et al., 2019).

Deploying non-production environments is a good practice if it is done securely and policies and procedures are established from the beginning. Risk can be reduced if security designs are identified during the planning phase of building a cloud environment.
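
One way to address the first risk in the list above is to sanitize rows before they leave production and then check the result for leftovers. This is an added example, not part of the original paper; the column names, policy table, patterns, key, and sample rows are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Hypothetical per-column policy; any column not listed is dropped (fail closed).
POLICY = {"id": "keep", "plan": "keep", "name": "pseudonymize",
          "email": "pseudonymize", "ssn": "drop", "bank_account": "drop"}

# Patterns used to double-check the output for values that slipped through.
LEAK_PATTERNS = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                 "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token: joins still work, originals are not exposed."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def sanitize_row(row: dict, key: bytes) -> dict:
    out = {}
    for column, value in row.items():
        action = POLICY.get(column, "drop")  # unknown columns never pass through
        if action == "keep":
            out[column] = value
        elif action == "pseudonymize":
            out[column] = pseudonym(str(value), key)
    return out


def find_leaks(rows: list) -> list:
    """Return (row index, column, pattern label) for every suspicious value."""
    return [(i, column, label)
            for i, row in enumerate(rows)
            for column, value in row.items()
            for label, pattern in LEAK_PATTERNS.items()
            if pattern.search(str(value))]


# Constructed rows standing in for a production export; "notes" is a free-text
# column the policy does not know about and that happens to contain an SSN.
PROD_ROWS = [
    {"id": 1, "name": "Ana Diaz", "email": "ana@example.com", "ssn": "123-45-6789",
     "bank_account": "000123456", "plan": "pro", "notes": "call re: 123-45-6789"},
    {"id": 2, "name": "Bo Chen", "email": "bo@example.com", "ssn": "987-65-4321",
     "bank_account": "000987654", "plan": "free", "notes": ""},
]
NONPROD_KEY = b"constructed-nonprod-key"  # placeholder; keep the real key out of non-prod
SANITIZED = [sanitize_row(r, NONPROD_KEY) for r in PROD_ROWS]
```

Running `find_leaks` on the sanitized copy as a gate before loading it into a lower environment catches columns the policy author forgot.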

Disaster Recovery

Cloud environments suffer outages, just like everyone else. Some outages are caused by the cloud provider and others by the customer. In either situation, a disaster recovery plan should be a critical part of the overall design of a cloud environment.



Most cloud providers offer disaster recovery options to customers in the form of an availability zone, backups, and high availability. The cost of these offerings can pose a challenge to customers, but when a disaster strikes, such as a hurricane, fire, or cyber-attack, the customers can restore or failover to a

According to the EC-Council, there are benefits to using a cloud provider for disaster recovery (EC-Council, 2020):

1. Accessibility of recovery resources – Cloud providers can offer options for disaster recovery that suit the size of the business and the accessibility of their clients.
2. Responsiveness from providers – Cloud providers offer distributed recovery services, which allow them to be responsive whether they or your business are experiencing an issue.
3. Reduced costs – The total cost of ownership (TCO) of building disaster recovery in the Cloud is usually less than doing it yourself because the tools and automation are built into the cloud infrastructure.

The EC-Council also states that companies and users can transfer risk by using cloud providers for disaster recovery. The following is a list of the risks that can be transferred to the cloud provider (EC-Council, 2020):

1. Compliance and Jurisdictional Risks – If a business is bound to regulatory requirements, this issue can be transferred to the cloud provider.
2. Lack of Data Security and Privacy / Unauthorized Access – If you don't have a security team, use the cloud provider's.
3. Availability Risks – Rely on the Service Level Agreements of the CSP.



Stolen Credentials

Credential theft is a rampant problem for users of cloud environments. Stolen identities can allow an attacker to infiltrate an application or the administrative components of a cloud environment. For example, if you were to log into Ceridian's Dayforce application with a user account, you could modify an employee's direct deposit. Or, stealing the credentials of an administrator in Microsoft Azure with "Owner privileges" allows an attacker to create machines, move laterally through the network, and even perform destructive activities like deleting data.

The number one defense against stolen credentials being used in a cloud application is MFA (Two-Factor Authentication). MFA prevents someone from using simple usernames and passwords to break in because of the second challenge. Other mitigating factors for stolen credentials are implementing Single Sign-On, using strong passwords, role-based access controls, or using a privileged access management solution to proxy access to the cloud service.

Increased Complexity for IT Staff


Deployment of cloud technologies requires a new skill that traditional IT companies may not possess. The skill needed to build a secure and available environment that doesn't allow attackers to expose vulnerabilities may require retooling the team. "IT staff must have the capacity and skill level to manage, integrate, and maintain the migration of assets and data to the cloud in addition to their current responsibilities for on-premises IT" (Morrow, 2018, para. 22). Cloud environments and the data they secure are not just about the cloud tools but also the system's design and daily care and feeding. Networks are not entirely in the control of network administrators anymore, databases need to be backed up and tuned differently depending on the configuration, and files are not stored the same as they would be on-premises.



On the bright side, clouds have made some of these tasks easy with the introduction of PaaS services that are self-secure and self-tuned.

Changes in Service

Cloud providers can change at any time through the acquisition or bankruptcy of the provider. When a company is acquired, customers may receive services from the new service provider but with different terms and conditions. Staffing and in-house expertise in the environment and data handling may also need time to transition. If the cloud provider files for bankruptcy or goes out of business, loss of service is possible. In these events, customers may experience data loss or unavailability.

There are a few ways to mitigate the risks due to service changes.

1. Use a market-leading service provider like Amazon, Microsoft, or Google. The likelihood of one of these services going out of business is very low.
2. Ensure contracts, NDAs, and Master Service Contracts are reviewed by legal experts and have penalties, lead times, and options for remediation.
3. Keep a backup of data stored in an offsite location.



References

Brooks, J. C., Field, S., Shackleford, D., Hargrave, V., Jameson, L., & Roza, M. (2017). CE The Treacherous 12 - Top Threats to Cloud Computing + Industry Insig. Retrieved September 17, 2020, from https://downloads.cloudsecurityalliance.org/assets/research/top-threats/treacherous-12-top-threats.pdf

Duffy, T. F. (2016, March). Why Strong, Unique Passwords Matter. Retrieved September 17, 2020, from https://www.cisecurity.org/newsletter/why-strong-unique-passwords-matter/

Skowronski, J. (2019, January). Common API Vulnerabilities and How to Secure Them. Retrieved September 18, 2020, from https://www.papertrail.com/blog/common-api-vulnerabilities-and-how-to-secure-them/

Morrow, T. (2018, March 05). 12 Risks, Threats, & Vulnerabilities in Moving to the Cloud. Retrieved September 19, 2020, from https://insights.sei.cmu.edu/sei_blog/2018/03/12-risks-threats-vulnerabilities-in-moving-to-the-cloud.html

Butler, B. (2013, January 03). How long will big-name customers like Netflix put up with Amazon cloud outages? Retrieved September 19, 2020, from https://www.networkworld.com/article/2162488/how-long-will-big-name-customers-like-netflix-put-up-with-amazon-cloud-outages-.html

Shankar Babu Chebrolu, Vinay Bansal, and Pankaj Telang. "Top 10 cloud risks that will keep you awake at night". In: CISCO, available at: https://www.owasp.org/images/4/47/Cloud-Top10-Security-Risks.pdf

EC-Council. (2020, July 09). How will the Cloud strengthen business continuity?: EC-Council Official Blog. Retrieved September 20, 2020, from https://blog.eccouncil.org/how-will-the-cloud-strengthen-business-continuity/
