- What are the Top Cloud Computing Security Issues for Businesses
Alexey Semeney is an entrepreneur, founder, and CEO of DevTeam.Space. He is a product development expert and an occasional writer on different topics related to team management and product development. He is an avid traveler and sports enthusiast.
Interested in the top 7 cloud computing security issues and wondering whether you should be worried?
This is a great question which we will answer here.
Top Cloud Computing Security Issues
Below are seven of the top cloud computing security concerns, and how you can better protect yourself against them while still enjoying the cloud.
No. 1 Threat: Data Breaches
Just like traditional corporate security networks, data stored in a cloud service provider’s data centers is at the mercy of numerous major security risks which, if exploited, can be devastating if you’re a business with a large client base.
Cybercriminals constantly launch malicious attacks, such as denial of service, firewall, and phishing attacks, that often aim to steal private information such as customer data or intellectual property.
Your data needs to be secure, whether you use public cloud services or a private cloud, and that’s the bottom line, but we’ve seen horrible breaches happen in recent years that tarnished brands’ images and left customers’ sensitive information exposed.
One example of data loss occurred at the massive web-hosting service Weebly, which compromised millions of individuals and businesses who ran their websites through the service.
In October of 2016, over 43.5 million accounts were affected, and information such as user names, email addresses, passwords, and IP addresses was exposed.
Thankfully, Weebly found that no credit card information was taken, but had it been, it could have been disastrous. There’s a whole lot someone could do with email addresses and passwords, and you can’t allow your business to be exposed that way.
How Data Breaches Happen, and How You Can Protect Your Business
Perhaps one of the most famous examples of a recent data breach was when iCloud was hacked and a wealth of private photos from celebrities like Jennifer Lawrence and Kate Upton were leaked online. The reason this happened wasn’t just because some people are terrible (yes, I’m talking to you, hackers) but because of a lack of two-factor authentication.
Two-factor authentication requires a cloud user to provide two forms of identification. Without it, hackers could easily sign in, again and again, which could result in substantial data leakage.
To fix this issue, Apple created iCloud backup alerts and expanded its two-factor authentication to additional Apple services like iCloud. So, next time you find it difficult to log in because you have to type in so many passwords and confirm on different devices, at least smile in knowing a data breach is less likely to happen.
According to Yvonne Li, co-founder of SurMD, a leading provider of HIPAA compliant cloud services, not only is a data breach a huge risk, but many cloud services have issues protecting data while it’s ‘in flight’ (transferring/sharing). This is where you need to protect yourself the most.
“It is important to create several points of unique user identification, authentication, and automatic logoff timers. Cloud data must be encrypted during transferring and later decrypted once received,” she said. “Data ‘at rest’ on servers can still be stolen and should be encrypted as well, although this can prove to be costly. Data at rest refers to inactive data that is stored on the cloud, on mobile devices, thumb drives, and other inactive mediums. This provides control over the data as well as deters data breaches.”
So, protecting your business is simple. Make sure you use services that have several points of unique user identification and automatic logoff capabilities, just in case you forget. Make sure everything is encrypted, so even if it’s stolen, it will be useless.
Should I Be Worried?
Data breaches seem scary, but they only really matter if you have sensitive data on your devices, to begin with. If you’re a business, yes, you should be terrified. Make every effort to protect yourself and your customers because one breach of information can tarnish your entire brand and put you at risk for a financial meltdown.
For example, the massive retailer Target, which had a data breach that compromised 70 million customers’ credit card information, saw a 46 percent loss in profits shortly after.
To further protect yourself make sure you don’t save any financial information on your phone or devices that may be linked to your business’ accounts. Buying supplies with services like Amazon, which can automatically store credit card data? Don’t click that save button!
As long as your business chooses a cloud infrastructure with rigorous authentication, you should be totally fine.
No. 2 Threat: Compromised Credentials and Broken Authentication
The CSA listed compromised credentials and broken authentication as their number two threat to cloud computing security. This falls under the umbrella of data breaches because it’s basically the Achilles heel of a number of cloud-based services.
I already touched upon the idea of two-factor authentication, and how multifactor authentication is the best way to protect your information, but did you know your business and cloud user practices – not the company that runs the cloud-based service — may be putting your business at risk as well?
How Credentials Become Compromised and How to Protect Yourself
Data breaches are often the result of end-users and security management protocols of the individual businesses and not successful cyberattacks on the cloud environments they use. Some businesses may allow for lax authentication, weak passwords, and poor key or certificate management.
Permissions should be based on a person’s job – if someone in the company doesn’t need to see information to do their job, they should not have access to it.
You would think this is a no-brainer, but many businesses trust their employees when they should not. Most importantly, many businesses fail to use security controls to remove user access when someone’s job changes or they leave the company, thereby creating security threats.
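The access review described above can be automated by comparing what each cloud account can do against the HR roster and a per-role baseline. This is an added example, not part of the original article; the roles, permission names, users, and the `review_access` function are all constructed for illustration.

```python
from datetime import date

# Constructed baseline: role -> permissions that role needs to do the job.
ROLE_BASELINE = {
    "accountant": {"billing:read", "billing:write"},
    "developer": {"repo:read", "repo:write", "staging:deploy"},
    "support": {"tickets:read", "tickets:write"},
}

# Constructed HR roster: user -> (current role, last working day or None).
HR_ROSTER = {
    "alice": ("accountant", None),
    "bob": ("developer", None),
    "carol": ("support", date(2024, 3, 1)),  # left the company
    "dave": ("support", None),               # moved from developer to support
}

# Constructed export of what each cloud account is actually granted.
CLOUD_GRANTS = {
    "alice": {"billing:read", "billing:write"},
    "bob": {"repo:read", "repo:write", "staging:deploy", "billing:read"},
    "carol": {"tickets:read", "tickets:write"},
    "dave": {"tickets:read", "repo:write", "staging:deploy"},
    "eve": {"repo:read"},                    # account with no HR record
}


def review_access(roster, grants, baseline, today):
    """Return sorted (user, finding, detail) tuples for accounts that break policy."""
    findings = []
    for user, perms in grants.items():
        if user not in roster:
            findings.append((user, "no_hr_record", sorted(perms)))
            continue
        role, last_day = roster[user]
        if last_day is not None and last_day < today:
            # Access that was never removed after the person left.
            findings.append((user, "departed_still_active", sorted(perms)))
            continue
        # Anything beyond the role baseline is access the job does not need.
        excess = perms - baseline.get(role, set())
        if excess:
            findings.append((user, "excess_permissions", sorted(excess)))
    return sorted(findings)


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for user, finding, detail in review_access(HR_ROSTER, CLOUD_GRANTS, ROLE_BASELINE, today):
        print(f"{user:6} {finding:22} {', '.join(detail)}")
```

Running a review like this on a schedule catches both cases the article names: a job change that left old permissions behind and a departure that never triggered account removal.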
Because cloud-based services work from anywhere, users can access data without needing to physically be at work. This can be a problem.
Developers also frequently make a major mistake by embedding credentials and cryptographic keys in source code. This lets anyone view them if they know how to look.
“Keys need to be appropriately protected, and a well-secured public key infrastructure is necessary,” said the CSA. “They also need to be rotated periodically to make it harder for attackers to use keys they’ve obtained without authorization.”
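Both points above, credentials embedded in source code and keys that are never rotated, can be checked automatically before code is committed. The following is an added example, not part of the original article; the sample source, the key inventory, the function names, and the 90-day rotation limit are assumptions made for illustration.

```python
import re
from datetime import date

# Detection rules. The AWS access key ID prefix and the PEM header are well-known
# formats; the assignment rule is a heuristic and will not catch every case.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_secret": re.compile(
        r"(?i)(password|passwd|secret|api_key|token)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']"
    ),
}

# Constructed sample source file (the AWS value is the documentation placeholder).
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = "correct-horse-battery"
aws_key = "AKIAIOSFODNN7EXAMPLE"
api_token = os.environ["API_TOKEN"]
signing_key = "-----BEGIN PRIVATE KEY----- (constructed placeholder)"
'''

# Constructed key inventory: key id -> creation date.
KEY_INVENTORY = {
    "deploy-key": date(2024, 1, 10),
    "backup-key": date(2024, 5, 20),
    "ci-key": date(2023, 11, 2),
}


def find_embedded_secrets(source_text):
    """Return (line_number, rule_name) pairs; the secret value itself is never echoed."""
    hits = []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def keys_due_for_rotation(inventory, today, max_age_days=90):
    """Return ids of keys older than max_age_days (the default is an assumption)."""
    return sorted(
        key_id for key_id, created in inventory.items()
        if (today - created).days > max_age_days
    )


if __name__ == "__main__":
    for lineno, rule in find_embedded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}")
    print("rotate:", keys_due_for_rotation(KEY_INVENTORY, date(2024, 6, 1)))
```

Line 4 of the sample is not flagged because the value is read from the environment at run time, which is the pattern to prefer over a literal in the source.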
Should I Be Worried?
Yes. Using an IaaS, PaaS, or SaaS service with one-factor authentication always opens you up for a potential data breach. It can happen to anyone, and it has happened to me.
While I’m not running a million-dollar business on my laptop or working on a cloud infrastructure that needs to be deeply protected, I do casually make purchases on Amazon.
I remain logged in on my account at all times. Amazon requires no authentication beyond a password and maybe a security question or two if you get it wrong to log in. My credit card information (from an expired card only) is linked to my account. Just the other day, I discovered that someone tried to make a purchase with my expired credit card.
I only found out because Amazon alerted me when the payment failed. Needless to say, I deleted my credit cards and changed my passwords. This could have been a devastating breach if I was a large company. You’re only as open to data breaches as you allow yourself to be.
No. 3 Threat: Hacked Interfaces and APIs
An API is a set of routines, protocols, and tools that help build software applications – some of these are customizable, and some of these are simply used as they are. Almost every cloud service offers APIs which allow IT teams to manage and interact with the cloud service.
Alternatively, user interfaces help IT teams and regular employees manage, monitor, and orchestrate specific functions of the cloud service they use. If one of these gets hacked, it’s basically an open door to your most sensitive information. A cloud service is only as secure as its API.
How Interfaces and APIs Get Hacked, and How to Protect Yourself
APIs are one of the most exposed parts of a system because they’re usually accessible from any Internet connection. The CSA recommends you use a cloud service that has frequent security-focused code reviews to find problems before hackers find them.
This includes rigorous penetration testing to ensure that hackers can’t enter the system. Using threat modeling applications and systems helps detect where an API is the weakest, so you can fix it before some nasty hacker figures it out.
Should I Be Worried?
As a business owner, this is a concern. Make sure your developers know how to customize an API or UI without leaving you open to threats. Pick a cloud infrastructure that meets all the security checks I listed above.
I would recommend being wary about sending important financial documents through things like Google Drive and only using your office’s cloud to transfer sensitive documents. Never let an employee use a personal email for business purposes.
No. 4 Threat: Exploited System Vulnerabilities
Programs have bugs, and that’s nothing new. Patches are released every day that help fix problems in various apps. One of the best parts about using a cloud-based service is that you can get regular bug fixes as they’re created.
Just as in traditional software, bugs are a major cloud computing data security issue. Some bugs are exploitable, and as organizations use the cloud to share memory, databases, and other resources in close proximity to one another, the vulnerabilities become more enticing for hackers.
How to Protect Yourself From System Vulnerabilities
Your best defense against system vulnerabilities and exploitable bugs is by regularly updating your cloud software. According to the CSA, “basic IT processes” frequently knock out any chance of a threat.
Think about it: your cloud service is constantly evolving and getting better. If you refuse to update it because you don’t want to spend the time installing a patch, you don’t get any of the important bug fixes that may have fixed a newly-discovered vulnerability or bug.
The best part is that this kind of routine maintenance – the discovery and repair of vulnerabilities – is a small cost compared to how much it’d cost to fix the major damage it could cause if left alone.
Should I Be Worried?
Not really. Obviously, you shouldn’t choose a cloud provider that is renowned for being buggy and having system vulnerabilities, but the people behind your average cloud service are constantly working to make it better as soon as a bug or threat is brought to their attention.
If you install all updates and patches as soon as they are available, there’s not much you have to worry about. Now, I don’t blame you for kicking yourself over how many times you didn’t update your iTunes software when it asked. Get on it!
No. 5 Threat: Account Hijacking
Have you ever gotten an e-mail saying someone logged into your Google account from another country, but Google had blocked it? This is one of the cloud security solutions Google has in place to prevent your account from being hijacked without your knowledge.
Since the beginning of the Internet, phishing and fraud have been happening. If you move your business to the cloud, you are opening your business up to everything terrible the Internet has been doing for the last 30 years.
Yes, a hacker can hijack your account, watch your online activities, make or manipulate transactions, modify your data and even use your account to launch attacks on other unsuspecting individuals. The hacker can be a stranger, a disgruntled past employee, or a shady friend-of-a-friend.
How to Protect Yourself from Account Hijacking
To protect yourself from account hijacking, the first security measure is to ensure you have a secure password. This should be a mix of numbers, symbols, capital letters, and lower-case letters. You’re even safer if it’s not a dictionary word or a combination of dictionary words.
Basically, the less likely you are to remember a password, the stronger it is. Also, use a cloud service that has automatic log-out capabilities so you’re not logged in longer than you’re using the service. Some services, like Google, also alert you when you log in on a new device. Always enable this option when available.
If you’re a business, follow all of the above advice but also prohibit the sharing of credentials between users, services, and employees. Enable multifactor authentication and monitor every single transaction that occurs. If you catch a hacked account early, you can shut it down.
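The new-device alerts and sign-in monitoring recommended above come down to keeping a per-account baseline and flagging successful sign-ins that fall outside it. This is an added example, not part of the original article; the event format, account names, device ids, and the `sign_in_alerts` function are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample sign-in events, oldest first:
# (timestamp, account, device_id, country, success)
EVENTS = [
    ("2024-06-01T08:02", "alice", "laptop-a1", "US", True),
    ("2024-06-01T08:05", "bob", "desktop-b7", "US", True),
    ("2024-06-02T09:10", "alice", "laptop-a1", "US", True),
    ("2024-06-02T23:41", "alice", "phone-x9", "US", True),
    ("2024-06-03T03:15", "bob", "desktop-b7", "US", False),
    ("2024-06-03T03:16", "bob", "unknown-77", "FR", False),
    ("2024-06-03T03:17", "bob", "unknown-77", "FR", True),
]


def sign_in_alerts(events, failure_threshold=2):
    """Return (timestamp, account, reasons) for successful sign-ins worth reviewing."""
    known_devices = defaultdict(set)
    known_countries = defaultdict(set)
    recent_failures = defaultdict(int)
    alerts = []
    for ts, account, device, country, success in events:
        if not success:
            recent_failures[account] += 1  # failures never extend the baseline
            continue
        reasons = []
        # The first successful sign-in only establishes the baseline.
        if known_devices[account] and device not in known_devices[account]:
            reasons.append("new_device")
        if known_countries[account] and country not in known_countries[account]:
            reasons.append("new_country")
        if recent_failures[account] >= failure_threshold:
            reasons.append("after_failed_attempts")
        if reasons:
            alerts.append((ts, account, reasons))
        # Assumption: a device is trusted after one alert; a real system would
        # wait for the account owner to confirm it first.
        known_devices[account].add(device)
        known_countries[account].add(country)
        recent_failures[account] = 0
    return alerts


if __name__ == "__main__":
    for ts, account, reasons in sign_in_alerts(EVENTS):
        print(ts, account, ", ".join(reasons))
```

A sign-in that trips several reasons at once, as the last event does, is the kind worth acting on first, since catching a hijacked account early is what lets you shut it down.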
Should I Be Worried?
Yes, but being proactive limits your vulnerability. Phishing emails have been around since the beginning of time. Almost everyone has heard the story of some sort of Arabian or African Prince needing your bank account information to transfer you millions of dollars. Don’t fall for it.
Think before you share your information, and as long as you stay on your toes, an account hijack is unlikely. Even if your account gets hijacked, if you catch it right when it happens, it’s easy to change passwords and shut the hacker out.
No. 6 Threat: Malicious Insiders
Cloud computing services can’t prevent malicious insiders on their own. This falls mainly on your company policies but is still considered a vulnerability within cloud-based services.
It used to be that you fire an employee and make them immediately leave the office without touching their computer. This prevented them from accessing company servers and stealing confidential and sensitive information.
With the cloud, employees can access information remotely. This means they don’t have to be in your office to get the details they want.
How to Protect Yourself from Malicious Insiders
I’d hate to say that the best way to protect your business from a malicious insider is to be a good boss. If you have a happy work environment, foster a feeling of teamwork, and pay your employees fairly, they’re less likely to turn on you in the future. This is obvious, but it also doesn’t account for the fact that some people are just bad seeds.
To protect yourself from a malicious insider, the CSA recommends that you control the encryption process and keys within your cloud-based processes. Ensure access control by minimizing access given to users and segregating duties. Employees should have the minimum amount of access required to do their jobs.
You should also have a system in place that logs, monitors, and audits administrator activities. Proper training and management are key.
Should I Be Worried?
For most businesses that use the cloud, this is a low-level worry. I guess it would really depend on how many enemies you think you have. Proper management and training should help protect businesses from making these sorts of mistakes.
No. 7 Threat: The APT Parasite
APT Parasites, or advanced persistent threats, are the CSA’s seventh biggest threat. The difference between an APT and a virus is the fact that it’s so much more advanced. It’s bigger than a simple Trojan virus, some malware, or malicious code. In fact, oftentimes antivirus software does not detect an APT.
An APT is a set of stealthy and continuous computer hacking processes. These are often targeted toward private organizations, states, and even governments for business or political reasons. APTs move through the network undetected by blending in with normal traffic and reaping the information they need over a long period of time.
How to Protect Yourself Against APT Parasites
All major cloud providers have advanced techniques that they use to detect APTs and prevent them from happening. There’s always more you, as a user, can do to help prevent them on-premises.
The most common ways for an APT to get loaded onto your server are through phishing, direct attacks, third-party networks, and USB drives loaded with malware (see the above section about malicious insiders).
To protect yourself, keep your users alert and train them on how to avoid being tricked into letting an APT in. Avoid using third-party networks and be wary of those promotional USBs mailed to your company. You never know.
Should I Be Worried?
APTs can affect every user. Most companies are already wary of such things happening — but your employees may not be. If you love to stream movies without actually paying for them, be wary of pirating websites that are notorious for loading your computer with malware.
If your employees download a program for work, make sure they download it directly from the company that makes it and beware of scams that tell you to download programs because your computer has a virus. That’s the quickest way the Internet scares people into downloading malware.
If you train your team properly, you’ll be able to steer them clear of APT parasites.
Final Thoughts on Cloud Computing Security
The same reason the cloud makes it easy to run a business from anywhere is the same reason why cloud security is open to so many threats. Stay proactive, train your staff and keep up with all patches and bug fixes to better protect yourself.
If you’re worried about picking the safest cloud infrastructure for your business or about integrating secure cloud services into your business process, seek assistance from professional cloud engineers who are experts in cloud security solutions.
Frequently Asked Questions on Cloud Computing Security
It is the use of remote computing power and storage for the running of applications, developing software, cloud storage, etc. With the exception of an operating system, just about any computer function can be run through the cloud.
While direct attacks on any computer system are always a problem, most cloud service providers have extensive security systems in place to deter all but the most advanced attacks. The real issue is the cloud user’s computer and the link between it and the cloud. This is far more vulnerable to a security breach.
Almost every security issue since the cloud was present before the advent of the internet. While attacks grow ever more sophisticated, malware, spyware, ransomware, etc., were all around in some form or another even before the cloud.
Alexey Semeney
Founder of DevTeam.Space
Alexey is the founder of DevTeam.Space. He is an award nominee among the TOP 26 mentors of FI's 'Global Startup Mentor Awards'.
Alexey is an Expert Startup Review Panel member and advises the oldest angel investment group in Silicon Valley on product investment deals.