The number of cloud migrations is growing every year, and security issues remain a serious topic. The first step to minimize the risks in the cloud is the timely identification of key security concerns. These issues also disturb the bookkeeping of the company. At a conference, CSA (Cloud Security Alliance) presented a list of ten threats to cloud security that organizations face, which are as follows.
The cloud is subject to the same concerns as traditional infrastructures. Because of the large amount of data that is now often transferred to the clouds, the cloud hosting provider sites become an attractive target for intruders. Simultaneously, the severity of potential threats directly depends on the importance of the stored data. Disclosure of personal user information, as a rule, receives less publicity than disclosure of medical reports, commercial secrets, intellectual property, which causes significant damage to the reputation of a company.
Compromising Accounts and Bypassing Authentication
Data leakage is often the result of a negligent attitude to authentication mechanisms when weak passwords are used. The management of encryption keys and certificates is inadequate. Also, organizations face managing rights and permissions when end users are assigned much higher power than needed. The issue also occurs when the user is transferred to another position or gets fired. As a result, the account contains many more features than required, which is a bottleneck in security.
Hacking Interfaces and API
Today, cloud-based services and applications are inconceivable without a user-friendly interface. The security and availability of cloud services depend on how well the mechanisms of access control, encryption in the API are developed. When interacting with a third party using their APIs, the risks increase because companies need to provide additional information, up to the user’s login and password. Weak security interfaces are becoming a bottleneck in issues of accessibility, confidentiality, integrity, and security.
The vulnerability of the systems used
The vulnerability of the systems used is a problem that occurs in multi-tenant cloud environments. According to CSA reports, the costs spent on reducing system vulnerabilities are lower than other IT costs. A common mistake when using cloud solutions in the IaaS model, companies pay insufficient attention to the security of their applications, which are located in the security infrastructure of the cloud provider.
Phishing and other fraud are often present in the cloud environment. This fraud adds concerns in the form of attempts to manipulate transactions and modify data. Attackers consider cloud platforms as a field for committing attacks. And even compliance with the strategy of “protection in depth” may not be sufficient. It is necessary to prohibit the “sharing” of user accounts and services and pay attention to multifactor authentication mechanisms.
Insiders and Intruders
Insider threats can come from current or former employees, system administrators, contractors, or business partners. Insider-attackers pursue different goals, ranging from data theft to the desire to revenge. In the case of a cloud, the goal may be to destroy the infrastructure, gain access wholly or partially to data, and so on.
A developed sustainable threat, or targeted cyber attack, is, at this time, not uncommon. Having sufficient knowledge and a set of relevant tools, an individual can achieve results. The malefactor, who set out to establish and consolidate his presence in the target infrastructure, is not easy to detect.
Permanent Data Loss
Since the clouds have matured enough, cases with loss of data without recovery due to the service provider are sporadic. At the same time, intruders, knowing about the consequences of permanent data deletion, aim to commit such destructive actions. Cloud hosting providers to comply with security measures recommend separating user data from these applications, saving them in different locations.
Organizations that move into the cloud without understanding cloud capabilities face risks. If, for example, the client-side development team is not familiar with the cloud technology features and the principles of deploying cloud applications, operational and architectural problems arise.
Abuse of Cloud Services
Legitimate and illegitimate organizations can use clouds. The latter’s goal is to use cloud resources to commit malicious acts: launching DDoS attacks, sending spam, distributing malicious content, etc. Service providers need to be able to recognize such participants. Study traffic in detail and use cloud monitoring tools.About Complete Controller® – America’s Bookkeeping Experts Complete Controller is the Nation’s Leader in virtual bookkeeping, providing service to businesses and households alike. Utilizing Complete Controller’s technology, clients gain access to a cloud-hosted desktop where their entire team and tax accountant may access the QuickBooks™️ file, critical financial documents, and back-office tools in an efficient and secure environment. Complete Controller’s team of certified US-based accounting professionals provide bookkeeping, record storage, performance reporting, and controller services including training, cash-flow management, budgeting and forecasting, process and controls advisement, and bill-pay. With flat-rate service plans, Complete Controller is the most cost-effective expert accounting solution for business, family-office, trusts, and households of any size or complexity.