2018 is set to be a very exciting year for cloud computing. In the fourth financial quarter of 2017, Amazon, SAP, Microsoft, IBM, Salesforce, Oracle, and Google combined had over $22 billion in their revenue from cloud services. Cloud services will only get bigger in 2018. It’s easy to understand why businesses love the cloud. It’s easier and more affordable to use third-party cloud services than for every enterprise to have to maintain their own datacenters on their own premises.It’s certainly possible to keep your company’s data on cloud servers secure. But cyber threats are evolving, and cloud servers are a major target. Keep 2018’s top cloud security threats in mind, and you’ll have the right mindset for properly securing your business’ valuable data.Data Breaches2017 was a huge year for data breaches. Even laypeople to the cybersecurity world heard about September’s Equifax breach because it affected at least 143 million ordinary people.Breaches frequently happen to cloud data as well.In May 2017, a major data breach that hit OneLogin was discovered. OneLogin provides identity management and single sign-on capabilities for the cloud services of over 2,000 companies worldwide.“Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount,” OneLogin CISO Alvaro Hoyos wrote on May 31st.Over 1.4 billion records were lost to data breaches in March 2017 alone, many of which involved cloud servers.Data lossSometimes data lost from cloud servers is not due to cyber attack. Non-malicious causes of data loss include natural disasters like floods and earthquakes and simple human error, such as when a cloud administrator accidentally deletes files. Threats to your cloud data don’t always look like clever kids wearing hoodies. It’s easy to underestimate the risk of something bad happening to your data due to an innocent mistake.One of the keys to mitigating the non-malicious data loss threat is to maintain lots of backups at physical sites at different geographic locations.Insider threatsInsider threats to cloud security are also underestimated. Most employees are trustworthy, but a rogue cloud service employee has a lot of access that an outside cyber attacker would have to work much harder to acquire.From a whitepaper by security researchers William R Claycomb and Alex Nicoll:“Insider threats are a persistent and increasing problem. Cloud computing services provide a resource for organizations to improve business efficiency, but also expose new possibilities for insider attacks. Fortunately, it appears that few, if any, rogue administrator attacks have been successful within cloud service providers, but insiders continue to abuse organizational trust in other ways, such as using cloud services to carry out attacks. Organizations should be aware of vulnerabilities exposed by the use of cloud services and mindful of the availability of cloud services to employees within the organization. The good news is that existing data protection techniques can be effective, if diligently and carefully applied.”Denial of Service attacksDenial of service (DoS) attacks are pretty simple for cyber attackers to execute, especially if they have control of a botnet. Also, DDoS-as-a-service is growing in popularity on the Dark Web. Now attackers don’t need know-how and their own bots; all they have to do is transfer some of their cryptocurrency in order to buy a Dark Web service.Denis Makrushin wrote for Kaspersky Lab:“Ordering a DDoS attack is usually done using a full-fledged web service, eliminating the need for direct contact between the organizer and the customer. The majority of offers that we came across left links to these resources rather than contact details. Customers can use them to make payments, get reports on work done or utilize additional services. In fact, the functionality of these web services looks similar to that offered by legal services.”An effective DDoS attack on a cloud service gives a cyber attacker the time they need to execute other types of cyber attacks without getting caught.Spectre and MeltdownThis is a new addition to the list of known cloud security threats for 2018. The Meltdown and Spectre speculative execution vulnerabilities also affect CPUs that are used by cloud services. Spectre is especially difficult to patch.From CSO Online:“Both Spectre and Meltdown permit side-channel attacks because they break down the isolation between applications. An attacker that is able to access a system through unprivileged log in can read information from the kernel, or attackers can read the host kernel if they are a root user on a guest virtual machine (VM).This is a huge issue for cloud service providers. While patches are becoming available, they only make it harder to execute an attack. The patches might also degrade performance, so some businesses might choose to leave their systems unpatched. The CERT Advisory is recommending the replacement of all affected processors—tough to do when replacements don’t yet exist.”Insecure APIsApplication Programming Interfaces are important software components for cloud services. In many cloud systems, APIs are the only facets outside of the trusted organizational boundary with a public IP address. Exploiting a cloud API gives cyber attackers considerable access to your cloud applications. This is a huge problem!Cloud APIs represent a public front door to your applications. Secure them very carefully.To learn more about maintaining control in your cloud environment, click here.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.