The cloud provides unique data sharing opportunities through a myriad of apps, but with more freedom comes greater security risks.

Recently, the cloud has become an integral part of business operations. Organizations are using more and more cloud services to support remote users and devices and to streamline business functions. But with multiple data centers, networks, devices, and users with different access rights, cloud security can be complex.

As cloud usage increases, so do cyber attacks in the virtual environment. In the past few years, there were several high-profile breaches in the cloud, most notably the Mirai botnet distributed denial of service (DDoS) attack on Dyn.

The cloud presents unique security challenges—such as multiple entry points into networks and devices—that traditional security measures aren’t equipped to handle. So what are the primary security challenges facing the cloud? And what are the best practices for preventing a security breach? Let’s take a look at a few.

Risky App Usage

The widespread use of cloud applications often makes life easier for users, but it also puts organizations at risk due to the amount of data exchanged across apps and the security loopholes within each app.

According to a Symantec report, the average enterprise uses 928 cloud apps. But if you ask CIOs, they think their organization is only using about 40 apps. When the top IT officer is unaware of hundreds of apps being used, chances are they are not very secure.

In fact, 25 percent of data is shared externally, or with the public. Of that data, 3% contains sensitive information.

To protect your organization’s apps from threats like SQL Injection, DDoS, and other attacks, use application-level security solutions, such as server firewalls, to define what applications can be used to access data and how that data can be viewed. You can also embed controlled file sync and document editors that tie back into a secure environment so data never sits on the endpoint.

Other security solutions like app scanners, vulnerability assessment scanners, and patch management mitigate the risk of app usage.

Vulnerabilities in APP Code and APIs

Sometimes the security issues with cloud apps aren’t in how they’re used or in the data being exchanged through them, but rather the problem lies in how they’re designed. An app’s code and it’s APIs often define it’s security.

Most cloud-based apps are designed for usability, not security. So while an app may be functional, it can have innate vulnerabilities. Additionally, risks increase when third parties rely on and build upon APIs and interfaces, both of which are easily accessible. All apps from vendors should be tested and reviewed for security. You can ask vendors for the results of a security analysis or request to test it yourself.

Securing Sensitive Data

recent survey found that 62% of companies store sensitive customer data in the public cloud and 40% of organizations commission cloud services without input from IT departments.

Not only does this make organizations vulnerable to data breaches, but it also makes them susceptible to fines, lawsuits and damaged public reputation if (and when) the data is breached.

While cloud providers deploy security controls to protect their environments, organizations are ultimately responsible for protecting their data. The best way to secure this data is through multifactor authentication and encryption. Data should be encrypted both in transit and at rest.

The Cloud Security Alliance provides the following recommendations for sensitive data:

  • Encrypt for data privacy with approved algorithms and long, random keys
  • Encrypt data before it passes from the enterprise to the cloud provider
  • Keep data encrypted in transit, at rest, and in use
  • The cloud provider and its staff should never have access to decryption keys
  • For unstructured files that must be protected when stored or shared in the cloud, use data-centric encryption, or encryption embedded into the file format, to apply protection directly to files
  • Protect overlooked files such as log files and metadata

System Vulnerabilities

While system vulnerabilities and bugs are not unique to the cloud, they can still be an issue, especially in shared cloud environments.

For example, thousands of MongoDB open source databases were involved in a ransomware incident after older databases were left open by users in a default configuration setting.

System vulnerabilities can be fixed with basic IT processes such as scanning, patching, and swift follow-up on reported system threats. It is also important to regularly monitor system activity and logs to assess risk.

Advanced Persistent Threats

An advanced persistent threat (APT) is when someone gains access to your system and stays there undetected. APTs move laterally through the network and blend in with normal traffic. What makes APTs advanced is the combination of techniques used to penetrate the network.

Common entry points include spear phishing, direct attacks, USB drives preloaded with malware, and third-party networks. The best practices against APTs are maintaining a vulnerability management system, regular patches, an incident response plan, and security hygiene training for users. In other words, implementing multiple layers of security.

Other recommendations include monitoring user behavior and capabilities and then comparing those with normal patterns to spot any anomalies in traffic and usage.

The nature of cloud computing will always present unique challenges for IT departments. However, by following the best practices in monitoring and analyzing your network, as well as securing sensitive data, your organization can mitigate these potential risks.

About the Author

Kevin Howell is freelance writer and content strategist based in New Jersey. He writes about technology, cybersecurity, and HR tech. He has more than 15 years of journalism experience and has written for the New York Daily News, The Star-Ledger, The Baltimore Sun, Dice Insights, UrbanGeekz, as well as startups and established businesses.

 


This article was originally published on the Ipswitch blog.