As one of the most significant inventions of the recent era, cloud computing, or the delivery of on-demand computing services hosted on remote servers, has benefitted millions of businesses worldwide. The fact that servers, storage, databases, networking, software, analytics and intelligence can now all be run over the internet has meant that people and organisations worldwide have been able to be more innovative, more flexible with their resources and better able to achieve economies of scale than ever before. Cloud computing has grown rapidly in popularity: in 2020, according to the Australian Bureau of Statistics, 55 per cent of all businesses used paid-for cloud services.
However, cloud computing comes with many potential risks and vulnerabilities. Cyber security professionals and the companies they serve must understand the risks of cloud computing and how they can impact an organisation.
It is crucial that cyber security experts have the knowledge they need to respond to emerging threats. ECU’s 100% online Master of Cyber Security will give you skills that you can apply to attacks in cloud computing and other areas of cyber security.
What is cloud computing?
Cloud computing is the use of systems to help computers store, manage or communicate information. These systems are hosted remotely in the cloud (the internet) on virtual servers that connect through a secure network, instead of locally on a computer. Cloud systems, which can encompass anything from email servers to complex software programs, enable a computer to run, build, deploy or interact with information.
Cloud computing is often delivered by major IT providers like Microsoft in the form of a private service implemented for a specific organisation. However, there are also public cloud services like Dropbox or Gmail, which deliver services from a shared platform to users around the globe.
Cloud computing has three main types.
1. Software as a service
The term ‘software as a service’ (SaaS) refers to any software or services that users can access online. Popular examples of SaaS platforms are Salesforce (an online customer relationship management system), Google apps (including the Google Drive mobile app) and Slack (a professional online chat platform).
2. Infrastructure as a service
Infrastructure as a service (IaaS) systems include infrastructure components such as services, storage, networking and security. Examples of IaaS platforms are Amazon Web Services, Microsoft Azure and Rackspace.
3. Platform as a service
Platform as a service (PaaS) provides computing systems, including operating systems, programming language environments, databases and web servers. PaaS services are better known to developers and those in the IT sphere, but well-known ones include Google App Engine and Heroku (platforms that give web developers access to hosting and other services).
Benefits of cloud computing
There is no doubt that cloud computing risks exist. However, cloud computing also provides significant benefits to businesses everywhere, hence its rapid adoption. Here are five of the most significant benefits of cloud computing.
1. Cost savings
Many organisations worry about the cost of moving to the cloud. However, once organisations invest in moving to the cloud, there are considerable savings.
Using cloud infrastructure means that businesses don’t have to spend large amounts of money on purchasing, maintaining and upgrading equipment, including hardware, facilities, utilities or data centres. Cloud systems also enable companies to save money as they don’t have to employ internal IT staff to manage onsite systems. Instead, the cloud provider’s staff handles technical issues.
Switching to cloud services also reduces lost productivity due to server problems. Cloud services rarely go down, so organisations don’t have the traditional losses associated with downtime.
2. Flexible payment options
Unlike traditional hardware, which organisations had to pay for and own forever, the cloud is usually offered on a pay-as-you-go basis, which offers further flexibility.
Companies can then pay only for the services they need, when they need them, and can pay for specific features only when they need to use them.
3. Better collaboration
Traditionally, a lot of work in organisations was siloed, creating inefficiencies. The cloud helps by enabling better collaboration across organisations, especially among the developer, operations, security and product teams.
The cloud creates better collaboration as it exposes all of these teams to the same architecture, and each team can operate simultaneously. Further, permissions and roles within cloud systems enable better visibility, so businesses can easily track who does what and when.
Cloud systems are also often extremely flexible and can be built for specific purposes, e.g. staging, quality testing or pre-production. This ensures that every step is transparent.
4. Increased mobility
Cloud systems truly can take anyone anywhere. Cloud computing allows mobile access to corporate information via devices and smartphones, enabling employees to access whatever they need, wherever they are.
Cloud resources can be easily stored, retrieved, recovered and processed with just a few clicks. Upgrades and updates are also automatic, creating an uninterrupted service that also saves IT teams the effort when it comes to maintenance.
5. Ease of data recovery
Data and data security are major issues for all organisations. While security issues in cloud computing exist, cloud computing can also assist with data recovery, as it ensures that data is available, even if onsite computers or devices are damaged.
Cloud computing helps with not only data recovery but also loss prevention. If data is stored on local servers, it can easily be lost if computers malfunction or are infected with viruses. However, information stored in the cloud remains accessible on any computer with an internet connection for as long as businesses need it to be stored.
What are the security risks of cloud computing?
Cyber security attacks of all types are on the rise in Australia. Security risks in cloud computing are just one of the many risks that organisations encounter when using cloud systems, and before a business moves to the cloud, it should compare the benefits with the risks that it may incur.
Here are 15 of the most common security threats that can accompany cloud computing.
1. Limited visibility into network operations
With cloud computing, organisations have limited visibility into their own network operations, because responsibility for managing systems shifts to the cloud service provider. When organisations aren’t able to effectively monitor their network infrastructure, they may be subject to security breaches without knowing it and may be exposed to vulnerabilities that they have no insight into.
2. Malware
Malware, intrusive software designed to damage and destroy systems, becomes a risk when a significant amount of private data is transferred over the internet, where it is vulnerable to cyber threats.
As cloud systems grow, so too does the sophistication of attack methods for online data. For this reason, many organisations that fail to manage their cloud security may inadvertently end up sharing confidential information.
3. Compatibility issues
While cloud systems are versatile and scalable, they may not necessarily be compatible with legacy non-cloud systems. They may be incompatible with existing infrastructure, or they may be incompatible with company security requirements or other access or data use policies.
4. Data loss
While data stored in the cloud is usually perceived as safer from a storage perspective, data loss is one of the risks of cloud computing.
In the cloud, data can be lost in many ways. It can be lost for malicious reasons, or it can be accidentally deleted, either by the cloud service provider or by a server-based accident, such as a fire or earthquake. Data can also be lost if an organisation encrypts its data before uploading it to the cloud and then loses the encryption key.
Often, data is easily recoverable in the cloud, but this isn’t always the case.
5. Insufficient due diligence
Due to the perceived safety of moving to the cloud, one of the surprising security threats is that companies often don’t perform the due diligence that they should.
Companies often move to the cloud without understanding the full scope of what they’re doing. They also often don’t understand what security measures the cloud service provider offers and what security measures they need to implement in parallel.
6. Creation of ‘Shadow IT’
‘Shadow IT’ refers to IT systems that departments other than the IT department deploy, often to work around or entirely outside of the bounds of current systems. Shadow IT creates both security and compliance issues.
Cloud computing may be particularly prone to becoming shadow IT, as most cloud systems are easy to purchase and use, so they don’t require heavy involvement from traditional IT departments.
7. Management application programming interfaces can be compromised
One important security issue is that internet-accessible management application programming interfaces (APIs) are vulnerable to being compromised.
When using cloud services, cloud service providers give organisations access to a set of APIs to manage and monitor their assets. The APIs, however, are particularly vulnerable, as they’re accessible via the internet, as opposed to being used on premises only.
Cyber criminals often look for vulnerabilities in management APIs as a way to orchestrate attacks, as they allow management access to most data.
8. Tenant separation can fail
Multitenancy, in which multiple users can independently use a system in a shared environment, can be a security issue. If attackers gain access via one tenant, they may be able to also access other tenant accounts, meaning that they can compromise a huge volume of data.
Multitenancy within cloud computing increases the attack surface, leading to an increased chance of a data breach if the separation function fails.
9. Incomplete data deletion
When companies want to delete data, it should be simple in the cloud. Unfortunately, that’s not always the case. Because organisations have reduced visibility of where their data is actually stored, they’re less able to verify that it’s actually been deleted.
This risk is particularly concerning, as data is often spread over multiple storage devices, and deletion methods and policies may vary depending on the provider.
10. Stolen credentials
Stolen credentials are a huge security issue with cloud computing, and one that organisations need to manage carefully.
If cyber criminals gain access to a user’s cloud credentials, they can do untold damage. They can access data in the cloud as well as provisioning services and, potentially, the organisation’s other assets. An attacker may also leverage cloud computing resources to gain access to other cloud services or the organisation’s administrative systems.
11. Vendor lock-ins complicate moves to other systems
Another risk of cloud computing is that it can be complex to move from one cloud system to another.
Migrating from one cloud system to another can take a significant amount of time to schedule, and it can be expensive. Differing data formats and APIs, reliance on one system’s tools and the need to train staff on new systems may all further complicate the move.
12. Complexity strains IT staff
A risk for any organisation is that introducing new cloud systems, or introducing too many cloud systems, can add complexity to IT operations that may overwhelm staff.
With any new system, IT staff needs to have the capacity and the skill to integrate, manage and maintain it. Cloud systems can be particularly complex to manage and encrypt, so they demand more of IT staff’s time than other systems.
13. Insiders abuse access
Insiders within an organisation, who do legitimately have access to cloud services, can abuse their authorised access and obtain information and data that they shouldn’t be privy to.
Insider access abuse can be particularly problematic with IaaS services, as it can be more difficult to detect such activity in this category of service.
14. Compromised cloud services provider supply chain
Outsourcing can create many problems in general in IT, and this is certainly true of cloud computing. If a cloud service provider outsources infrastructure, operations or maintenance, those third parties may not meet the standards of the organisation that the cloud service provider works with.
To mitigate this risk, organisations should perform their own evaluations to ensure that the provider and their suppliers meet their requirements.
15. Poor return on investment
Organisations invest in the cloud believing that it will create a significant return on investment (ROI). Unfortunately, one risk of cloud computing is that the time invested in setting up and managing cloud services can simply prove too expensive and not worthwhile, increasing the likelihood of errors and security risks.
This may be particularly true if an organisation subscribes to a payment model in which it has little flexibility, but doesn’t use all the services provided.
Organisations should do adequate research and projections ahead of time to find out if cloud services are productive assets to have, and if so, which services will work best within their parameters.
How to mitigate the risks of cloud computing
It is important for every business to understand cyber attacks and how to prevent them. There are many safeguards that help mitigate security issues in cloud computing. According to Intel, secure cloud computing architecture relies on three basic capabilities:
- Confidentiality ensures that information is private and only shared with authorised individuals. This includes internal data and information about customers and other external parties.
- Integrity means that programs and systems are what they say they are, and function as they are supposed to.
- Availability acknowledges and mitigates the threat of denial of service (DoS) attacks. Even if attackers can’t access confidential data, making systems unavailable hurts organisations.
Organisations can take steps to increase security and ensure cloud computing programs maintain these tenets. Some include:
- Implement multi-factor authentication.
- Conduct regular patching and security audits.
- Use anti-malware software from vetted sources.
- Maintain a physically separated backup.
Is cloud computing the future?
When it comes to the future of digital business, there’s no doubt that most, if not all, organisations will be using cloud systems in the next few years. Coupa, an international cloud service provider, goes as far as to say that by 2030, 100 per cent of all enterprise IT will be based in the cloud.
That means that skilled cyber security professionals will be in higher demand than ever, with many diverse roles on offer. If you’re thinking about pursuing an advanced degree, a Master of Cyber Security from ECU Online can ensure that you understand the risks of cloud computing and are equipped for a future in this exciting field. The program can provide you with readily-applicable skills for professional success, whether you are already working in cyber security or are new to the field. Explore how you can help maximise your cyber security career with ECU Online’s Master of Cyber Security.