CCDT Unit 5

The document outlines the top 11 cloud security challenges, including data breaches, misconfigurations, and insider threats, along with strategies to combat them. It emphasizes the importance of understanding the shared responsibility model between cloud service providers and customers, as well as the need for robust security architecture and compliance measures. Additionally, it highlights the skills shortage in cybersecurity as a significant barrier to effective cloud security management.

Top 11 cloud security challenges and how to combat them

Cloud security threats, challenges and vulnerabilities occur for several reasons. For one, many organizations can't delineate where cloud service provider (CSP) obligations end and their own begin under the shared responsibility model. This leaves gaps unsecured and vulnerabilities unaddressed. Plus, the expansiveness of cloud services increases an organization's attack surface. To further complicate the matter, traditional security controls and tools might not fulfill cloud security needs.

1. Data breaches

Data breaches are a top cloud security concern -- and for good reason. Many data breaches over the past years have involved cloud environments, one of the most notable being Capital One's 2019 breach, in which cloud misconfigurations led to exposed customer data. A data breach can bring a company to its knees, causing lasting damage to its reputation, financial losses from regulatory penalties, legal liabilities and incident response costs, and a decreased market value.

Steps to prevent a data breach in the cloud include the following:

 Conduct data risk assessments.

 Protect data with cloud encryption.

 Maintain an incident response plan.

 Follow the principle of least privilege.

 Establish policies for secure data removal and disposal.

2. Misconfigurations

Cloud assets are vulnerable to attack if set up incorrectly. For example, the Capital One breach was traced back to a misconfigured web application firewall running on a cloud compute instance: the misconfiguration let an attacker relay requests to the instance metadata service, retrieve the credentials of the IAM role attached to the firewall, and use that role's excessive permissions to list and read Amazon Simple Storage Service buckets. In addition to insecure storage, excessive permissions and the use of default credentials are two other major sources of cloud vulnerabilities. Ineffective change control can also cause cloud misconfigurations. Strategies to counter cloud misconfigurations include the following:

 Conduct data risk assessments.

 Maintain an incident response plan.

 Monitor which data is accessible via the internet.

 Ensure external partners adhere to the change management, release and testing procedures used by internal developers.

 Use automated change control to support rapid changes.


 Hold regular security awareness trainings with employees, contractors and third-party users.
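The item "monitor which data is accessible via the internet" is easier to act on when it is checked mechanically. The following Python checker is an added example, not part of the original notes or of any CSP's tooling: it walks an S3-style bucket policy document and flags every Allow statement whose principal is everyone. The policy, bucket names, account ID and VPC endpoint ID are constructed for the example.

```python
"""Flag statements in an S3-style bucket policy that grant access to anonymous callers.

Constructed example: the policy below is made up, and the checker is not an AWS tool.
"""
import json

# Actions that let an anonymous caller read or enumerate data.
READ_ACTIONS = {"s3:getobject", "s3:getobjectversion", "s3:listbucket", "s3:*", "*"}
# Actions that let an anonymous caller change data or the policy itself.
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putbucketpolicy", "s3:putbucketacl", "s3:*", "*"}

# Constructed policy: one scoped statement, one Deny, and three Allow statements open to everyone.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports-bucket/*"},
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::uploads-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::internal-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "TeamOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/data-team"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::internal-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::reports-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """'*' or {"AWS": "*"} matches every caller, including unauthenticated ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy_json):
    """Return one finding per Allow statement whose principal is everyone."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & WRITE_ACTIONS:
            severity = "critical"   # anyone can modify data or the policy
        elif actions & READ_ACTIONS:
            severity = "high"       # anyone can read or list data
        else:
            severity = "info"
        if stmt.get("Condition"):
            # A Condition (source VPC endpoint, source IP, ...) narrows who matches.
            # It may be fine, but a human must confirm the condition is actually restrictive.
            severity = "review"
        findings.append({
            "sid": stmt.get("Sid"),
            "severity": severity,
            "actions": sorted(actions),
            "resources": _as_list(stmt.get("Resource")),
        })
    return findings


if __name__ == "__main__":
    for finding in find_public_statements(SAMPLE_POLICY):
        print(f"{finding['severity']:8} {finding['sid']:12} {finding['actions']} -> {finding['resources']}")
```

A public statement with a Condition is reported for review rather than failed outright, because conditions such as a source VPC endpoint can make "everyone" mean "everyone inside our network". The checker reads only the policy document; account-level public-access blocks, where the CSP offers them, can override a permissive policy, so treat the output as the start of a review rather than a verdict.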

Organizations that use the cloud face traditional security risks and threats unique to cloud environments.
3. Insecure APIs

CSP UIs and APIs that customers use to interact with cloud services are some of the most exposed components of a cloud environment. The security of any cloud service starts with how well UIs and APIs are safeguarded -- a responsibility of both customers and their CSPs. CSPs must ensure security is integrated, and customers must be diligent in managing, monitoring and securely using cloud services.

Practices to manage and fix insecure APIs include the following:

 Practice good API hygiene.

 Avoid API key reuse.

 Use standard and open API frameworks.

 Vet all CSPs and cloud applications before use.

4. Limited visibility

Cloud visibility has long been a concern of enterprise admins. Limited visibility of cloud infrastructure and applications across various IaaS, PaaS and SaaS offerings can lead to cloud sprawl, shadow IT, misconfigurations and improper security coverage, which could result in cyberattacks, data loss and data breaches.

Multi-cloud environments have exacerbated visibility challenges, as security teams have difficulty finding tools that effectively maintain visibility across two or more CSPs.

Steps to improve visibility and mitigate the effects of poor visibility include the following:

 Mandate and enforce a cloud security policy.

 Hold regular security awareness trainings.

 Conduct regular cloud security assessments.

 Perform continuous, real-time monitoring.

5. Identity, credential, access and key management

The majority of cloud security threats -- and cybersecurity threats in general -- are linked to identity and access management (IAM) issues. These threats include the following:

 Improper credential protection.

 Lack of automated cryptographic key, password and certificate rotation.

 IAM scalability challenges.

 Lack of MFA.

 Poor password hygiene.

Standard IAM challenges are exacerbated by cloud use. Taking inventory, as well as tracking, monitoring and managing the sheer number of cloud accounts in use, is compounded by provisioning and deprovisioning issues, zombie accounts, excessive admin accounts and users bypassing IAM controls, in addition to challenges with defining roles and privileges.

Strategies to counter identity security issues in the cloud include the following:

 Use MFA.

 Extend key management best practices to the cloud.

 Monitor user accounts regularly.

 Remove unused and unnecessary credentials and access privileges.

 Follow password best practices.
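A worked illustration of the MFA, key rotation and unused-credential items above, added here and not taken from the original notes: a Python audit of a credential report in the style of the AWS IAM credential report. The rows, users and dates are constructed, the column set is a subset of the real report's columns, and the 90-day rotation and 45-day idle thresholds are policy choices assumed for the example.

```python
"""Audit an IAM credential report for stale, unused and MFA-less credentials.

Constructed example: SAMPLE_REPORT uses a subset of the column names found in an AWS IAM
credential report, with made-up users and dates. The thresholds are policy choices, not defaults.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # rotate access keys at least this often
MAX_IDLE = timedelta(days=45)      # keys unused this long are candidates for removal

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,true,true,true,2024-05-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,false,N/A,N/A
bob,true,false,true,2023-11-01T00:00:00+00:00,2024-05-31T00:00:00+00:00,false,N/A,N/A
carol,true,true,true,2024-04-01T00:00:00+00:00,2024-04-02T00:00:00+00:00,false,N/A,N/A
svc-backup,false,false,true,2024-01-15T00:00:00+00:00,N/A,true,2024-05-20T00:00:00+00:00,2024-05-31T00:00:00+00:00
"""


def _parse_ts(value):
    """Return an aware datetime, or None for the report's 'no value' markers."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv, now=NOW):
    """Map each user with at least one problem to the list of problems found."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        # A console password without MFA is the single most exploitable weakness.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password without MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if rotated and now - rotated > MAX_KEY_AGE:
                issues.append(f"access key {n} older than {MAX_KEY_AGE.days} days")
            # A key that was never used counts as idle since it was created.
            idle_since = last_used or rotated
            if idle_since and now - idle_since > MAX_IDLE:
                issues.append(f"access key {n} unused for more than {MAX_IDLE.days} days")
        if issues:
            findings[row["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run against a real report, the interesting rows are service accounts like svc-backup: no console password, so the MFA check does not apply, but a key that was created months ago and never used is exactly the zombie credential the text warns about, and removing it costs nothing.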


6. Account hijacking attacks

Cloud account hijacking is when an employee's cloud account is taken over by an attacker, who then uses it to gain unauthorized access to the organization's sensitive data and systems.

Cloud account compromise can result from phishing attacks, credential stuffing, attackers guessing weak passwords or using stolen credentials, insecure code, accidental exposure and cloud misconfigurations. If successful, cloud account hijacking attacks can lead to service disruptions and data breaches.

Steps to prevent cloud account hijacking attacks include the following:

 Use MFA.

 Follow the principle of least privilege.

 Restrict access as tightly as the CSP's controls allow.

 Segregate cloud environments whenever possible.

 Perform regular user access reviews.

7. Insider threats

Insiders, including current and former employees, contractors and partners, can cause data loss, system downtime, reduced customer confidence and data breaches.

Insider threats fall into three categories:

1. Compromised insiders -- for example, an employee who clicks a phishing link and has their credentials

stolen or downloads malware onto the company network.

2. Negligent insiders -- for example, an employee who loses a device containing company data or from which

an attacker can steal their credentials.

3. Malicious insiders -- for example, an employee who steals data to commit fraud.

Insider threats in the cloud pose the same risks and fall into the same categories, although the issue expands due to the inherent remote access security risks of the cloud and the ease of sharing or accidentally exposing data stored in the cloud.

Strategies to counter insider threats in the cloud include the following:


 Hold regular security awareness trainings.

 Address cloud misconfigurations.

 Follow the principle of least privilege.

 Segregate cloud environments whenever possible.

 Perform regular access reviews.

 Authorize and revalidate user access controls regularly.

8. Cyberattacks

Cloud environments and cloud accounts are subject to the same attacks that target on-premises environments. These include DoS, DDoS, account hijacking, phishing, ransomware and other malware attacks, as well as exploitation of cloud vulnerabilities and insider threats.

Some cyberattacks are specific to the cloud, such as the malicious use of cloud services: attackers host their operations on legitimate SaaS, PaaS and IaaS offerings and pose as CSPs to attack cloud customers, who assume the traffic comes from a legitimate source.

Cloud-specific malware is also an issue -- namely malware that uses the cloud for command and control, as well as malware that targets cloud assets and accounts. For example, malicious cryptomining, known as cryptojacking, is an attack in which threat actors steal a victim's computing power, and the energy that pays for it, to mine cryptocurrency for the attacker.

Cloud cyberattacks can lead to performance degradation, downtime, customers unknowingly hosting malware, data loss and more.

Steps to mitigate cloud cyberattacks include the following:

 Use MFA.

 Encrypt all data stored in the cloud.

 Monitor employee cloud use.

 Back up cloud workloads and data.

 Segment cloud networks.

 Use data loss prevention technologies.


 Follow the principle of least privilege.

 Implement allowlists and blocklists.

9. Shadow IT

Shadow IT is hardware or software used by employees that isn't approved or supported by their organization's IT team. Shadow IT use can result in network bandwidth issues, compliance risks and security threats, such as data loss and data breaches.

Cloud shadow IT, specifically, is the use of unsanctioned cloud software, such as Google Workspace, Slack or Netflix, without IT approval.

Steps to reduce the threat of cloud shadow IT include the following:

 Hold regular security awareness trainings that highlight shadow IT and its effects.

 Use tools to detect cloud shadow IT apps.

 Create and implement a shadow IT policy.

 Use a cloud access security broker to detect, monitor and manage cloud shadow IT.

 Implement allowlists and blocklists.
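As an added example, not from the original notes, the detection step above can start from the web proxy logs most organizations already collect: aggregate traffic to hosts outside the sanctioned-application list and flag the ones that several users share or into which large volumes are uploaded. The log lines, sanctioned domains, hostnames (all under the reserved .example TLD) and thresholds are constructed; a CASB does the same with a richer application catalog.

```python
"""Surface unsanctioned cloud services from web proxy logs.

Constructed example: SAMPLE_LOG lines and the sanctioned-domain list are made up; the log format
(timestamp, user, destination host, bytes received, bytes sent) is a simplified proxy access log.
"""
import re
from collections import defaultdict

# Domains IT has approved; subdomains of these are approved too.
SANCTIONED = {"corp.example", "github.com"}

SAMPLE_LOG = """\
2024-06-01T09:00:01Z alice mail.corp.example 10240 512
2024-06-01T09:01:10Z alice filedrop.example 2048 7340032
2024-06-01T09:02:33Z bob filedrop.example 1024 1048576
2024-06-01T09:03:05Z carol chat.example 51200 4096
2024-06-01T09:04:00Z dave chat.example 4096 2048
2024-06-01T09:05:40Z erin video.example 104857600 1024
2024-06-01T09:06:12Z bob api.github.com 8192 4096
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def is_sanctioned(host, sanctioned):
    """Exact match or subdomain of an approved domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def find_shadow_it(log_text, sanctioned, min_users=2, upload_threshold=5_000_000):
    """Aggregate traffic to unsanctioned hosts and flag the ones that look like shared tools
    (several users) or data egress (large uploads)."""
    stats = defaultdict(lambda: {"users": set(), "bytes_out": 0, "requests": 0})
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue   # malformed line: skip rather than abort the whole report
        _ts, user, host, _bytes_in, bytes_out = match.groups()
        host = host.lower()
        if is_sanctioned(host, sanctioned):
            continue
        entry = stats[host]
        entry["users"].add(user)
        entry["bytes_out"] += int(bytes_out)
        entry["requests"] += 1

    report = []
    for host, entry in stats.items():
        reasons = []
        if len(entry["users"]) >= min_users:
            reasons.append(f"used by {len(entry['users'])} users")
        if entry["bytes_out"] >= upload_threshold:
            reasons.append(f"{entry['bytes_out']} bytes uploaded")
        if reasons:
            report.append({"host": host, "users": sorted(entry["users"]),
                           "bytes_out": entry["bytes_out"], "requests": entry["requests"],
                           "reasons": reasons})
    # Largest uploads first: those are the data-loss risks worth looking at today.
    return sorted(report, key=lambda r: r["bytes_out"], reverse=True)


if __name__ == "__main__":
    for r in find_shadow_it(SAMPLE_LOG, SANCTIONED):
        print(f"{r['host']:20} {', '.join(r['reasons'])}")
```

The single-user streaming host is deliberately not flagged: it is a bandwidth and policy question, not a data-exposure one. The file-drop host, with two users and several megabytes uploaded, is the case an allowlist or CASB policy should block first.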

10. Skills shortage and staffing issues

The IT industry has faced a skills gap and staffing shortages for years, especially in security personnel. This well-known issue is prevalent when it comes to cloud expertise and even more so when it comes to cloud security, which requires specific skills and tool sets.

The cybersecurity skills gap can be attributed to the following five main causes:

1. The demand for cybersecurity talent keeps increasing.

2. The pool of cybersecurity talent lacks diversity.

3. Employers have unrealistic expectations.

4. Employees aren't keeping their skills up to date.

5. Burnout is increasing, and cybersecurity experts are leaving the profession.

Staffing shortages and a lack of skilled cloud security professionals can lead to cloud vulnerabilities, data exposures and data breaches.
Steps to address the skills gap and staffing shortages include the following:

 Upskill existing workers.

 Sponsor cloud security certifications and trainings for employees.

 Support existing security teams to ease stress and mitigate burnout.

 Recruit and hire from a diverse pool of employees.

 Automate tasks where possible.

11. Compliance

Achieving compliance with internal, government and industry regulations and specifications was challenging before cloud use was ubiquitous. It has only become more challenging since its widespread adoption.

Maintaining cloud compliance with regulations such as HIPAA, PCI DSS and GDPR is a shared responsibility between customers and CSPs. Customers must do their part to comply and also vet their CSPs to ensure they're meeting requirements.

Noncompliance can result in legal action, fines, business disruptions, data loss and data breaches.

Steps to help ensure compliance include the following:

 Follow the principle of least privilege.

 Use MFA.

 Define and implement strong access controls.

 Perform a compliance audit.

 Follow cloud frameworks.

 Mandate and enforce a cloud security policy.

 Regularly update and patch systems.

Cloud Computing Security Architecture

Security in cloud computing is a major concern. Proxy and brokerage services should be employed to prevent a client from accessing shared data directly, and data in the cloud should be stored in encrypted form.

Security Planning

Before deploying a particular resource to the cloud, one needs to analyze several aspects of the resource, such as:

o Select the resource that needs to move to the cloud and analyze its sensitivity to risk.

o Consider the cloud service models, IaaS, PaaS and SaaS. These models make the customer responsible for security at different service levels.

o Consider the cloud type, such as public, private, community or hybrid.

o Understand the cloud service provider's system regarding data storage and its transfer into and out of the cloud.

o The risk in cloud deployment mainly depends upon the service model and cloud type.

Understanding Security of Cloud

Security Boundaries

The Cloud Security Alliance (CSA) stack model defines the boundaries between each service model and shows how
different functional units relate. A particular service model defines the boundary between the service provider's
responsibilities and the customer. The following diagram shows the CSA stack model:

Key Points to CSA Model

o IaaS is the most basic level of service, with PaaS and SaaS the next two levels above it.

o Moving upwards, each service inherits the capabilities and security concerns of the model beneath.

o IaaS provides the infrastructure, PaaS provides the platform development environment, and SaaS provides the operating environment.

o IaaS has the lowest integrated functionality and security level, while SaaS has the highest.

o This model describes the security boundaries at which cloud service providers' responsibilities end and customers' responsibilities begin.

o Any protection mechanism above the security boundary must be built into the system and maintained by the customer; the lower down the stack the provider stops, the more security the customer must implement.

Although each service model has a security mechanism, security requirements also depend on where these services are
located, private, public, hybrid, or community cloud.

Understanding data security

Since all data is transferred over the Internet, data security in the cloud is a major concern. The key mechanisms for protecting data are:

o access control

o audit trail

o authentication

o authorization

The service model should include security mechanisms working in all of the above areas.

Separate access to data

Since the data stored in the cloud can be accessed from anywhere, we need a mechanism to isolate the data and protect it from the client's direct access.

Brokered cloud storage access is a way of separating storage from the clients that use it. In this approach, two services are created:

1. A broker that has full access to the storage but no access to the client.

2. A proxy that has no access to the storage but has access to both the client and the broker.

Working of a brokered cloud storage access system

When the client issues a request to access data:

1. The client's data request goes to the external service interface of the proxy.

2. The proxy forwards the request to the broker.

3. The broker requests the data from the cloud storage system.

4. The cloud storage system returns the data to the broker.

5. The broker returns the data to the proxy.

6. Finally, the proxy sends the data to the client.

All the above steps are shown in the following diagram:
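The following Python sketch is an added example of the brokered access pattern described above; it is not part of the original notes or of any product. The three classes stand in for three separately deployed services, and the object keys, ACL and session tokens are constructed. What it makes concrete is which component holds which reference: only the broker can reach storage, only the proxy can be reached by clients, and an unauthenticated request is refused before it ever reaches the broker.

```python
"""Brokered cloud storage access: the client reaches only the proxy, the proxy reaches only the
broker, and only the broker holds a handle to storage. Constructed example; the classes are
stand-ins for separately deployed services, not a real storage product.
"""


class AccessDenied(Exception):
    pass


class CloudStorage:
    """Stand-in for the object store. Nothing client-facing should ever hold a reference to it."""

    def __init__(self):
        self._objects = {}

    def put(self, key, data):
        self._objects[key] = data

    def get(self, key):
        return self._objects[key]


class Broker:
    """Full access to storage, no interface exposed to clients. Enforces per-object authorization
    and records every decision, so the audit trail lives where the access decision is made."""

    def __init__(self, storage, acl):
        self._storage = storage
        self._acl = acl          # object key -> set of principals allowed to read it
        self.audit_log = []

    def fetch(self, principal, key):
        allowed = principal in self._acl.get(key, set())
        self.audit_log.append((principal, key, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{principal} is not permitted to read {key}")
        return self._storage.get(key)


class Proxy:
    """Client-facing service. Authenticates the session and forwards to the broker; it has no
    storage reference, so a compromised proxy still cannot read objects directly."""

    def __init__(self, broker, sessions):
        self._broker = broker
        self._sessions = sessions  # session token -> authenticated principal

    def handle_request(self, session_token, key):
        principal = self._sessions.get(session_token)
        if principal is None:
            raise AccessDenied("invalid or expired session")   # never reaches the broker
        return self._broker.fetch(principal, key)


def build_demo():
    """Wire up storage, broker and proxy with constructed objects, ACLs and sessions."""
    storage = CloudStorage()
    storage.put("finance/q2.csv", b"revenue,cost\n100,80\n")
    storage.put("hr/salaries.csv", b"name,salary\n(redacted)\n")
    acl = {"finance/q2.csv": {"alice", "bob"}, "hr/salaries.csv": {"carol"}}
    broker = Broker(storage, acl)
    proxy = Proxy(broker, sessions={"tok-alice": "alice", "tok-carol": "carol"})
    return proxy, broker, storage


def request(proxy, token, key):
    """Client call path: returns ('ok', data) or ('denied', reason)."""
    try:
        return "ok", proxy.handle_request(token, key)
    except AccessDenied as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    proxy, broker, _ = build_demo()
    print(request(proxy, "tok-alice", "finance/q2.csv"))
    print(request(proxy, "tok-alice", "hr/salaries.csv"))
    print(request(proxy, "tok-mallory", "finance/q2.csv"))
    print(broker.audit_log)
```

In a real deployment the two services sit in different network segments with the storage endpoint reachable only from the broker's segment; the separation in this sketch is by object reference, which is the same idea at the code level.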

Encryption

Encryption helps protect the data from unauthorized access, both while it is being transferred and while it is stored in the cloud. Although encryption protects data from unauthorized access, it does not prevent data loss: an encrypted object that is deleted, or whose key is lost, is gone just the same, so backups and key management remain necessary.
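To make the encryption point concrete, and to illustrate the key rotation item from the identity section earlier, the following Python example (added here, not from the original notes) implements envelope encryption: each object is encrypted under its own data key, the data key is wrapped by a key service's master key, and rotation re-wraps data keys without re-encrypting any data. The key service, object record format and the HMAC-based cipher are constructed stand-ins; in production the cipher would be AES-GCM from a vetted library or the CSP's KMS, with the same key hierarchy.

```python
"""Envelope encryption for objects stored in the cloud.

Each object is encrypted under its own data encryption key (DEK). The DEK is stored next to the
ciphertext, wrapped by a key encryption key (KEK) that only the key service holds. Rotating the
KEK means re-wrapping DEKs; the object ciphertext is never rewritten.

Constructed example. The cipher below is a dependency-free stand-in (HMAC-SHA256 keystream plus an
encrypt-then-MAC tag); real deployments use AES-GCM from a vetted library or the CSP's KMS, with
the same key hierarchy.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """Counter-mode keystream derived from HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    """Separate encryption and MAC keys so one key is never used for two purposes."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag; aad is authenticated, not encrypted."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, aad + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob, aad=b""):
    """Verify the tag in constant time before decrypting; any modification raises ValueError."""
    enc, mac = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext, nonce or context was altered")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc, nonce, len(ciphertext))))


class KeyService:
    """Stand-in for a cloud KMS: keeps every KEK version, wraps and unwraps DEKs, never returns a KEK."""

    def __init__(self):
        self._keks = {1: os.urandom(32)}
        self.current_version = 1

    def wrap(self, dek):
        return self.current_version, seal(self._keks[self.current_version], dek, aad=b"dek")

    def unwrap(self, version, wrapped_dek):
        return unseal(self._keks[version], wrapped_dek, aad=b"dek")

    def rotate(self):
        """Create a new KEK version; old versions stay available to unwrap existing DEKs."""
        self.current_version += 1
        self._keks[self.current_version] = os.urandom(32)
        return self.current_version


def encrypt_object(kms, plaintext):
    dek = os.urandom(32)
    version, wrapped = kms.wrap(dek)
    return {"kek_version": version, "wrapped_dek": wrapped, "ciphertext": seal(dek, plaintext)}


def decrypt_object(kms, obj):
    dek = kms.unwrap(obj["kek_version"], obj["wrapped_dek"])
    return unseal(dek, obj["ciphertext"])


def rewrap_object(kms, obj):
    """KEK rotation for one object: new wrapped DEK, identical ciphertext."""
    dek = kms.unwrap(obj["kek_version"], obj["wrapped_dek"])
    version, wrapped = kms.wrap(dek)
    return {**obj, "kek_version": version, "wrapped_dek": wrapped}


if __name__ == "__main__":
    kms = KeyService()
    obj = encrypt_object(kms, b"customer record 42")
    kms.rotate()
    obj = rewrap_object(kms, obj)
    print(obj["kek_version"], decrypt_object(kms, obj))
```

Two consequences are worth noticing. A tampered ciphertext fails authentication instead of decrypting to garbage, which is what "protects the data" has to mean for data at rest. And deleting an object's wrapped DEK, or retiring the KEK version that wraps it, makes the object unrecoverable: that is how cryptographic erasure implements the secure-disposal policies mentioned under data breaches, and also why encryption is no substitute for backups.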

Why is cloud security architecture important?


The difference between "cloud security" and "cloud security architecture" is that the former is built from problem-specific measures while the latter is built from threats. A cloud security architecture can reduce or eliminate the holes in security that point-solution approaches are almost certain to leave.

It does this by building down: defining threats starting with the users, moving to the cloud environment and service provider, and then to the applications. Cloud security architectures can also reduce redundancy in security measures, which contributes to threat mitigation and reduces both capital and operating costs.

The cloud security architecture also organizes security measures, making them more consistent and easier to implement, particularly during cloud deployments and redeployments. Security is often undermined because it is illogical or complex, and such flaws can be identified with a proper cloud security architecture.

Elements of cloud security architecture

The best way to approach cloud security architecture is to start with a description of the goals. The architecture has to address three things: an attack surface represented by external access interfaces, a protected asset set that represents the information being protected, and the attack vectors designed to reach those assets indirectly, anywhere in the cloud or in the systems that access it.

The goal of the cloud security architecture is accomplished through a series of functional elements. These elements are often considered separately rather than as part of a coordinated architectural plan. They include access security or access control, network security, application security, contractual security, and monitoring, sometimes called service security. Finally, there is data protection, which comprises the measures implemented at the protected-asset level.

A complete cloud security architecture addresses the goals by unifying the functional elements.

Cloud security architecture and shared responsibility model

The security and security architectures for the cloud are not single-player processes. Most enterprises will keep a large
portion of their IT workflow within their data centers, local networks, and VPNs. The cloud adds additional players, so the
cloud security architecture should be part of a broader shared responsibility model.

A shared responsibility model is an architecture diagram and a contract form. It exists formally between a cloud user and
each cloud provider and network service provider if they are contracted separately.

Each will divide the components of a cloud application into layers, with the top layer being the responsibility of the customer
and the lower layer being the responsibility of the cloud provider. Each separate function or component of the application is
mapped to the appropriate layer depending on who provides it. The contract form then describes how each party responds.
