CLOUD VULNERABILITY

CLOUD VULNERABILITY

Sabrina Toubbeh

CSOL 500 Foundations of Cyber Security

University of San Diego

CLOUD VULNERABILITY
1
Abstract

The “cloud” is a term that has been coined to describe data that is being remotely stored

on servers and delivered to users over the internet. Cloud computing has become the default

option for many organizations and users. Cloud infrastructure is designed to be user friendly and

a way for people to access their data anywhere and anytime. However, there are many

disadvantages to cloud computing. So much of our data is being transmitted and stored on the

cloud that it is highly vulnerable to attacks. Fortunately, there are ways to mitigate and address

each risk to data being stored on the cloud.

Keywords: cloud computing, threat, risk, mitigation strategies, data, security

Introduction

Cloud computing has become a basic necessity in our everyday life and you may not

even realize it. There is a common misconception that cloud computing is only used to store and

backup documents and photos. If you own a phone, laptop, video game console or have an email

account or even an account to Netflix, it is utilizing some sort of cloud computing. Some of the

biggest tech companies have even created their own cloud services. A good example is Apple’s

iCloud storage. iCloud allows you to access your data, from photos to important contacts,

anywhere as long you are connected to the internet. Another feature of iCloud is being able to

stream music and videos without having to download them (Crawford, 2011). Both of these

features free up storage on your devices because the data is being stored remotely on the cloud.

All you need is a monthly subscription to essentially “rent” out the cloud space. The utilization

of cloud computing is growing so quickly that Analyst Gartner predicts half of global enterprises

will be utilizing cloud computing by 2021 (Ranger, 2018).

CLOUD VULNERABILITY
2
While cloud computing is extremely convenient and useful, there are many security risks

that come with having our data stored on the cloud. It is important that organizations and users

are aware of the potential risks cloud computing has. Because data is flowing through cloud

systems 24/7, 365 days of the year, it has become a huge target for cybercriminals to attack.

There are many different types of security threats and risks to cloud computing. This paper will

go over the different threats to cloud computing and how organizations can mitigate these data

breaches.

Cloud Computing Models

Simply put, cloud computing uses pay as you go pricing and delivers IT resources over

the internet on demand. It allows access to computer resources such as servers, storage,

databases, networking, software, analytics, and intelligence. Rather than purchasing, possessing,

and keeping up actual data centers and servers, you typically only pay for the cloud services you

use. This can help lower your operating costs, run your infrastructure smoother, and scale as

your personal or business needs change. With the explosion of the Internet Of Things (IoT)

devices, more and more data is being stored on the cloud. Some examples of cloud-storage

services that are very popular are Amazon Cloud Drive, Apple iCloud, Box, DropBox, Google

Drive, and Microsoft OneDrive (Mehra, 2018). These cloud services can be used for personal or

business needs. There are three unique kinds of cloud computing with each providing various

levels of control, flexibility, and management.

Infrastructure as a Service (IaaS) provides access to networking features, computers, and

data storage space (“What is Cloud Computing?”, n.d). IaaS gives organizations a cloud-based

alternative to owning and maintaining a physical data center. IaaS computing is also very

flexible and exceptionally versatile, and can be replaced a lot easier without losing an initial
CLOUD VULNERABILITY
3
investment. IaaS is beneficial for businesses of every type, size and industry because it permits

unlimited oversight over infrastructure and organizations only pay for what they need (Hou).

While there are many benefits of IaaS, there are also some disadvantages. One disadvantage that

organizations should be aware of are the security risks. IaaS providers may secure the

infrastructure, but organizations are responsible for anything they host.

Platform as a Service (PaaS) vendors provide users a computing platform for software

creation which is delivered over the internet (Watts & Raza, 2019). This platform consists of a

framework that developers can build on and use to create unique applications. By not having to

worry about underlying infrastructure (hardware and operating systems), PaaS assists developers

focus on deployment and management of their applications. This permits businesses to be more

productive as PaaS removes the need to think about asset acquisition, capacity planning,

software maintenance, and patching (“What is Cloud Computing?”, n.d). As many companies

switch over to the cloud, they are using PaaS to develop their own SaaS.

Software as a Service (SaaS) is the most commonly utilized option for businesses and

users. SaaS provides users access to a complete application that is delivered over the internet

(“What is Cloud Computing?”, n.d). The entire application is managed by a third-party vendor.

Most SaaS solutions are end-user applications. SaaS allows clients to not have to consider any

of the technical aspects such as infrastructure or how it is maintained. This allows users to focus

only on how to utilize the software. A popular example of SaaS is Office 365, which is an

integrated suite of apps and services that include Word, Excel, PowerPoint and more; Monthly

updates include the latest features and security updates (“What is SaaS?”).
CLOUD VULNERABILITY
4

Service Model Characteristics Responsibility for Level of IT skills

Security

Infrastructure as a Organizations are Organization has full High level IT skills

Service (IaaS) provided access to control over services for management of
networking features, and is responsible for OS, networks,
computers, and data system security such firewalls, etc.
storage space. These as operating system
services are highly and application
scalable and flexible.
Pay by usage.

Platform as a Service Builds on a pre- Limited control over Advanced IT skills

(PaaS) configured computer system security. needed since PaaS is
platform. Provides Consumers have used by developers
services to assist with control over
development, testing, applications. No
and deployment of control over
applications underlying
infrastructure
(hardware and OS)

Software as a Service Accessible over the No control over Basic IT skills needed
(SaaS) web. Hosted on system security.
remote server Users not responsible
for hardware or
software updates
Table 1: Cloud Computing Service Models

Cybersecurity Risks to Data in the Cloud

All different kinds of organizations -- regardless of size and industry -- are utilizing the cloud to

satisfy their unique business needs. Some examples include disaster recovery, data backup,

virtual desktops, email, software development and testing big data analytics, and customer-facing

web applications. There are many advantages to cloud computing such as cost saving, mobility,

back-up and restore data, high speed, and reliability, but there come many risks to data that is

processed on, stored on, and/or transmitted through the cloud. The biggest concern with utilizing
CLOUD VULNERABILITY
5
the cloud is data breaches where hackers will steal, sell, copy, or delete information. In order to

mitigate these different risks, companies must practice proper risk management.

A big threat to cloud storage systems is Access Management. While the threat is not

directly a feature of the cloud system, it is a result of the way companies are using the system.

Access management is essential to IT security because it oversees digital identities and user

access (“What Is IAM Security?”, n.d). There are two mitigation strategies to address this risk;

access policy and a set of authentication and identity verification tools (Stevens, 2020). When it

comes to policy, a company should assess and remove any unnecessary privileges if an employee

does not need access to a certain file or system to do their job. This is also important because a

high number of data breaches have been carried out by disgruntled employees who still had

access to their corporate accounts. A survey conducted in 2018 found that the second biggest

threat to cloud security is the unauthorized access through misuse of employee credentials

(“Crowd Security Report”, n.d). To avoid this, the IT department needs to work closely with

HR. To ensure extra security, companies should use authentication and identity verification

tools that work with their cloud environment. A good number of cloud service providers (CSP)

offer multi-factor authentication (MFA) frameworks as a feature of their standard bundles. Users

require access to a second device in order to log in (Stevens, 2020).

Account hijacking is another major threat to cloud computing. Many people have

extremely weak passwords and reuse them so it allows an attacker to use a single stolen

password on multiple accounts (“Top 15 Cloud Security Issues”, n.d). An attacker can use stolen

employee credentials to access sensitive information and an organization's functionality.

Hijacking of accounts can be especially dangerous because it is difficult for organizations to

identify and address these threats compared to physical data centers. Mitigation strategies
CLOUD VULNERABILITY
6
include practicing good “hygiene,” meaning employees should create strong passwords and not

reuse them for other accounts. Ideally, people should have a different password for all their

accounts. Proper access management is also a great mitigation strategy to prevent unauthorized

access into accounts.

Another emerging cloud computing threat are data breaches and data leaks. This is to a

greater extent a danger in cloud systems than systems managed on-site. The motivation behind

why it forces a lot greater danger is because of the way that a lot of information is streaming

between employees/users and cloud frameworks. Hackers can intercept the flow of data to look

for weaknesses in the system. One way to mitigate this threat is to secure data that is in-transit

and at-rest. Through the use of encryption for email servers and messages, you are providing an

extra layer of security (Stevens, 2020). Another mitigation strategy is to use a trusted reputable

VPN (Virtual Private Network) service to encrypt data between Wi-Fi access points. It is

advisable that companies research beforehand as some VPN services are not secure and will sell

the information they log.

Data Loss is also considered another huge risk in cloud computing. Cloud computing has

allowed an unimaginable size of data to be stored remotely making it difficult and costly for

organizations to complete backups. Due to the rise of ransomware attacks, not performing

regular backups can leave your cloud storage vulnerable to hackers who can encrypt the cloud

storage and demand payment to release the information (Stevens, 2020). In order to mitigate or

prevent this threat, companies must design and implement a stable backup system. An ideal

backup system is a distributed framework where information is backed up in multiple systems

and locations. Another remedy would be to use strong API access control.
CLOUD VULNERABILITY
7
Application User Interfaces (APIs) are tools that many organizations rely on to allow

users to interact with cloud systems. The increase in use of cloud APIs has made them a big

target to cybercriminals. More than two-thirds of organizations expose APIs to the public so

business partners and developers can access software platforms making them insecure and

vulnerable to attacks (Davis, 2020). Cybercriminals have found techniques to use APIs to their

advantage for malicious attacks. Due to the lack of authentication when developers create APIs,

a lot of the interfaces are completely open to the web where anybody can utilize them to access

enterprise applications and information (Davis, 2020). Many developers will also incorporate

open source software into their code which can leave many applications open to supply chain

attacks (Davis, 2020). Supply chain attacks occur when a hacker infiltrates your system through

a third party. There are many mitigation strategies to defend against insecure cloud APIs threats.

Developers need to practice good “hygiene” which means APIs need to be designed with

authentication, access control, and encryption. Another good practice is for organizations to

choose their cloud service provider carefully that will follow all the proper security guidelines.

Even with secure APIs, there is still a risk to security. Organizations should implement network

detection and response so security teams can address identified risks (Davis, 2020).

Misconfigurations of cloud settings is another common threat that I want to highlight.

Many organizations do not have “complete visibility and control over their infrastructure” so

they depend on default security settings “provided by their cloud service provider (CSP) to

configure their cloud deployments” (“Top 15 Cloud Security Issues”, n.d). Most organizations

utilize the cloud for all their business requirements and operational processes, making it easy for

a misconfiguration oversight to leave their resources exposed to attackers. A good preventive

method to this threat is to make sure all security controls are configured correctly. An
CLOUD VULNERABILITY
8
organization may also want to seek legal assurances as well. It is advised that an organization

take the time to gain an understanding of their cloud storage system and all the other systems

used alongside it.

External sharing of data is yet another threat to cloud computing that organizations and

users need to consider. Many cloud systems allow users to invite other collaborators via email

or through a shared link to access shared resources. Although file sharing has many advantages

such as easy collaboration worldwide, it also imposes many security risks. Anyone with access

to the URL can forward it to other users making it easy to fall into the hands of a cybercriminal

providing unauthorized access to the shared resource (“Top 15 Cloud Security Issues”, n.d). File

sharing also creates a higher risk of getting a virus from the remote file. The best mitigation

strategy to prevent unauthorized access to a file is to double check permission settings. Rather

than allowing public sharing, organizations should only allow file sharing with permission

requests. Another mitigation strategy is to remove any files from the cloud system that are no

longer needed.
CLOUD VULNERABILITY
9

References

Crawford, S. (2011, August 08). How the Apple iCloud Works. Retrieved January 20, 2021,

from https://computer.howstuffworks.com/cloud-computing/icloud.htm

Ranger, S. (2018, December 13). What is cloud computing? Everything you need to know about

the cloud explained. Retrieved January 21, 2021, from

https://www.zdnet.com/article/what-is-cloud-computing-everything-you-need-to-know-

about-the-cloud/

Mehra, G. (2018, October 24). 22 Cloud Storage Sites. Retrieved January 20, 2021, from

https://www.practicalecommerce.com/15-Cloud-Storage-Sites

What is Cloud Computing? (n.d.). Retrieved January 20, 2021, from

https://aws.amazon.com/what-is-cloud-computing/

Hou, T. IaaS vs PaaS vs SaaS: What You Need to Know + Examples (2018). (2021, January

14). Retrieved January 20, 2021, from https://www.bigcommerce.com/blog/saas-vs-paas-

vs-iaas/#examples-of-saas-paas-and-iaas

15, J., Watts, S., & Raza, M. (2019, June 15). SaaS vs PaaS vs IaaS: What's The Difference &

How To Choose. Retrieved January 22, 2021, from https://www.bmc.com/blogs/saas-vs-

paas-vs-iaas-whats-the-difference-and-how-to-choose/#ref2

What Is IAM Security? (n.d.). Retrieved January 22, 2021, from

https://www.coresecurity.com/blog/what-iam-security
CLOUD VULNERABILITY
10
Cloud Security Report. (2018, March 26). Retrieved January 22, 2021, from

https://crowdresearchpartners.com/portfolio/cloud-security-report/

Davis, R. Insecure API Cloud Computing: The Causes & Solutions. (n.d.). Retrieved January 22,

2021, from https://www.extrahop.com/company/blog/2020/insecure-apis-cloud-

computing-cause-solutions/

What Is SaaS - Advantages and Disadvantages: Cloud Computing: CompTIA. (n.d.). Retrieved

January 23, 2021, from https://www.comptia.org/content/articles/what-is-saas

Check Point Software. (2020, December 14). Top Cloud Security Issues, Threats and Concerns.

Retrieved January 22, 2021, from

https://www.checkpoint.com/cyber-hub/cloud-security/what-is-cloud-security/top-cloud-

security-issues-threats-and-concerns/