Cloud Computing is ubiquitous.
Organizations across the globe are increasingly relying on flexible, scalable cloud storage solutions to keep sensitive, confidential data. Google Drive, Dropbox, Microsoft OneDrive all exemplify how cloud has become integral to our day-to-day work.
Cloud storage is convenient for it eliminates the need for carrying hardware devices everywhere. Transferring data to the cloud is far more efficient than creating a physical backup on pen drives or hard discs. It is also more budget-friendly in the long run.
The concept of cloud storage was introduced back in 1969 by J.C.R. Lickliter, America’s leading computer scientist. Lickliter conceived the idea of an “intergalactic computer network,” a global connection that let users with an internet connection access a remote storage system.
Even after the inception of the World Wide Web in 1989 and first popular browser ‘Mosaic’ in 1993, the concept of the cloud was in infancy in the 1990s. Cloud storage gained ground in 2006 when Amazon released Elastic Compute Cloud (EC2). This was followed by the release of cloud application systems such as Google Docs and Google Sheets.
Over the last 10 years, cloud solutions have soared in popularity, so much so that robust cloud storage is a must-have for any organization, large or small. As more and more data gets stored remotely, the danger of a cyberattack lurks around.
So, what are the possible risks of cloud-based storage solutions? Is it possible to eliminate these risks? Let us dive deep and explore.
Cloud storage solutions are considered safer in comparison to hardware storage on account of several factors.
Cloud solutions offer a high level of redundancy. Popular cloud storage services by Google, Amazon, and Microsoft store minimum three copies of each piece of data and that too in different locations. To lose the data, you have to lose all three copies. That will happen only when three different hard drives in separate locations fail. The probability of such a mishap is understandably low. Even if the data gets lost from all the locations, it is still possible to recover the data. It will take a couple of days.
In cloud storage, your data is kept on drives placed in remote data centers with multiple, almost impenetrable layers of security. Besides, cloud applications have password-restricted access that makes difficult, if not impossible for malicious entities to access the data.
In addition to all this, cloud applications have a safe sharing policy. Those who use Google Drive for data storage might have a good idea of how cloud sharing works.
The administrator can restrict access to files in the shared location. He can share a file with another user without letting him edit it or share it with a third user. He can prevent users outside his enterprise from accessing files, viewers, and commentators from downloading, copying, and printing files. The varying levels of control make the cloud a much secure platform.
However, we should not forget that the cloud is a trove of valuable information and, therefore, susceptible to cyberattacks. This brings us to the next point, i.e. the possible risks of keeping data on the cloud.
Data stored on the cloud may be safer than that on physical devices, but it isn’t impenetrable by any standard.
Let us discuss the risks involved with storing data on the cloud.
Authentication: Cloud storage applications are password-protected. Users are recommended to keep strong passwords, but this does not always happen. Weak passwords put enterprise data at risk. Passwords stored in easily-accessible locations raise the risk of a data breach.
Insecure Application Programming Interfaces (APIs): Cloud service providers offer a set of APIs that customers use to interact with cloud services. These interfaces allow the cloud service provider to provision, manage, and monitor the cloud platform.
Tampering with the APIs can affect the availability and security of the cloud platform.
Account Hijacking: While account hijacking is not exclusive to the cloud, cloud applications are more vulnerable.
In account hijacking, the attackers gain access to user credentials and impersonate the account owners. They eavesdrop on activities and transactions in the cloud, manipulate data, return counterfeit information, and direct clients to illegitimate sites. Stolen account credentials allow malicious actors to access critical data and exploit it to their advantage.
Insider Threat: An organization’s worst nightmare can be a disgruntled employee leaking confidential information in public. Cloud applications have expanded the scope of insider threat. The vast number of cloud applications, along with their inadequate governance controls, have opened new avenues for data infiltration. The cloud providers also need to protect the data from unsolicited intrusion within their premises.
Advanced Persistent Threats (APTs): An advanced persistent threat is a sophisticated cyber attack program often orchestrated by a group of hackers. Designed with a specific motive, the attack targets carefully-chosen government networks or large enterprises.
An APT on the cloud can result in theft of intellectual property, website takeover, compromised sensitive information, and/or sabotaging of organizational infrastructure (through deletion of data, etc.).
Distinct from traditional attacks, APTs are manually executed against a specific mark. They often infiltrate an entire network and remain there for a long time to steal as much information as possible.
Accidental Loss of Data: In addition to malicious attacks, data stored on the cloud can also be lost through accidental deletion by administrator or cloud service provider or a physical catastrophe such as floods or earthquake.
Denial-of-Service (DoS) Attack: One of the most common cyberattacks, a denial-of-service attack is designed to prevent the legitimate users of a cloud storage service from accessing it. A DoS attack forces the cloud service to consume disproportionate amounts of finite resources such as memory, disc space, network bandwidth, and processing power, making it unavailable to the intended users.
While DoS may not result in significant loss of information or assets, the victim is often required to spend a lot of time and money fixing it.
Phishing: As per a report by Wombat Security, 76% of the organizations suffered phishing attacks in 2017.
The sheer number of cloud services have opened new routes for accessing critical enterprise data. Experts believe that phishing attacks involving cloud storage will soon outnumber the attacks on financial institutions.
Majority of phishing campaigns involving the cloud have lures saying an important document and/or picture has been shared with the user. This entices the user to log in on a fake webpage resembling Google Drive or Dropbox. Once the user enters his credentials, the cyber attacker gets this information and uses it to log in to the real cloud application account.
Inadequate Access and Identity Management: Organizations need to define and manage the roles and access privilege of individual network users and the conditions under which those users are granted or denied access.
There should be just one digital identity per user. Once this digital identity has been established, it needs to be monitored throughout the life cycle of the user.
Inadequate access or identity management can cause unauthorized users to access the data and cause irreversible damage. Malicious entities masquerading as legitimate users can access, modify, or steal valuable data, control management functions, and release malware that appears to be coming from a legitimate source.
While there is no denying that data stored on the cloud poses certain security risks, it is possible to avert the threat to a great deal by bringing in stringent cloud security measures, some of which are:
Strong Passwords: Strong passwords are an easy way to minimize the chances of unsolicited parties accessing your data.
Enterprises need to have unique, complex passwords that are tough to crack. A password should have a combination of uppercase and lowercase letters, numbers, and special characters. It should have at least 8 characters. Right to stay away from obvious passwords such as qwerty, 12345678, password to name a few.
Then, different applications should have different passwords. These should be changed at regular intervals, stored in secure locations, and shared sparingly.
You can choose a much safer two-step verification for logging in if your cloud vendor offers the option.
Regular Backup: Although most of the cloud services provide regular backups, it is good to create an additional local backup. You can either choose a local cloud or back up manually with an external storage device such as a hard disc.
Effective Anti-Virus: Systems not adequately shielded against bugs and viruses offer easy access points to intruders. Robust anti-virus software prevents such malicious actors from making way into your systems.
Data Encryption: While most cloud services offer local encryption, some provide encryption during the uploading and downloading of files as well. Such a cloud security feature benefits businesses with sensitive data.
Even if your cloud service encrypts the data automatically, it is a good practice to use third-party tools that apply encryption to your files once you are done with editing.
Test your Security Measures: Even when you have all the necessary cloud security measures in place, it is vital to assess how difficult or easy it is for bad actors to gain authorized access. Some organizations hire ethical hackers to gauge their security position. If these hackers can easily make their way into your data, so can unsolicited entities.
The Final Word
Cloud storage solutions are an incredibly convenient way of storing your critical files. However, being a repository of valuable data, the cloud remains vulnerable to unsolicited parties. Selection of an appropriate cloud vendor and the adoption of robust security measures can go a long way in ensuring the safety and security of your data.