BitSight

What Companies Using Cloud Services Need To Know About Their Risk Responsibilities

Kaitlyn Graham | August 4, 2020

Cloud computing is not new to the cyber world; it’s here to stay. Web services are common in our everyday lives and workplaces, with things like Facebook, Salesforce, JIRA, Adobe, and GSuite all falling into the cloud-based category. But who is responsible for breaches in the cloud data, the service provider or the organization using their services?

When organizations integrate cloud services to help make their business more efficient, they are also incorporating the risks of extending their network into new environments which require security methods they may not fully understand. The shared responsibility model created by Amazon, which runs cloud computing platform Amazon Web Services (AWS), is one example and offers guidelines for which areas the user of the cloud service should be responsible for, and which the provider needs to control in order to mitigate cloud computing vulnerabilities for both sides. Different cloud providers have offered varying versions of a user responsibility framework with the goal of nailing down which areas of security the user and the provider are responsible for.

One Cloud Provider’s Solution: The Shared Responsibility Model

AWS is used by over 1,000,000 organizations to aid in processes like content delivery, analytics, AR & VR, computing, storage, and much more. Following their shared responsibility model, Amazon agrees to take responsibility for the security “of” the cloud, including the software behind Amazon’s services, as well as the physical infrastructure where the data from the products lives. 

Amazon gives the users of their cloud computing services the responsibility of the security “in” the cloud, which is determined by the level of services they use AWS for. This includes responsibility for who has entry to their cloud platforms, the operating system and integration into a company’s system, as well as the client-side data, including a company’s customer and employee information. As long as Amazon is providing the network and protection of the physical locations where the network servers are stored, their users are responsible for configuring their systems to successfully integrate with Amazon. 

So what types of errors and security breaches resulted in the need for a responsibility model? Data shows that 90% of data breaches related to cloud computing vulnerabilities are due to human error. Below are the human error hotspots businesses should prepare for, and how they can use the Amazon-provided model as a framework for where they should take responsibility.

The Biggest Cloud Vulnerabilities: Three Types of Human Errors 

Misconfiguration and Integration

One cloud computing vulnerability  that has caused companies major headaches is the misconfiguration and integration of a cloud service into their internal platform, a product of a human error. Engineers that have worked with cloud computing systems have frequently noted that system integrations are not always straightforward, and specifically “are not like IKEA”. The Capital One data breach in 2019 is a real-world example of the devastating impacts associated with a misconfiguration by an employee. When Capital One engineers integrated cloud solutions from AWS, human error left a firewall “poorly configured”, allowing hackers to sneak into the system and remain undetected for months. By the tie engineers realized the breach, information from over 106 million credit card customers was already in the hands of hackers.

The shared responsibility model designates a company’s internal employees are responsible for the correct integration of cloud service platforms, which is why Capital One was held accountable for the monetary loss and time spent fixing the error. Needless to say, the Capital One engineers’ pain has warned integration teams everywhere of the need to monitor their cloud service platforms long after the initial introduction into the internal company software.

Errors or Threats Within A Physical Storage Center

Real, human employees are responsible for maintaining the physical warehouse/storage centers where the data in the cloud is physically stored. Many people might not consider this when thinking about the security dangers behind cloud storage, but it is one risk area that cloud providers, according to models like the Shared Responsibility Model, need to consider when establishing security protocols. Your vendors or contractors are physically managing the data storage centers, which means that the building maintenance, upkeep, as well as security needs to be managed to not prevent data loss or breach.

A prime example of this cloud computing vulnerability was when a large percentage of Amazon’s networks shut down randomly in 2017. An Amazon employee in one of the cloud provider's data centers went to manually enter a shutdown code to help fix a slowdown issue in their systems. The code was entered incorrectly, which caused a significantly larger amount of the cloud platform to shut down than was originally intended. 

The shutdown lasted approximately four hours until the employees on-site could restore the system’s power as well as fix the original slowdown issue that occurred. Companies with programs that relied on the affected systems experienced a data pile-up that resulted in storage delays, further impacting program efficiency for many cloud users. Amazon took full responsibility for the human-caused error in their services, but their error exemplifies the risks behind cloud computing that companies take on.

Lagging Behind On Updates

A cloud computing vulnerability that might not be on the top of security professionals’ minds but provides a prime environment for hackers is when updates or tasks are not done on time. It is believed that part of the reason hackers were able to infiltrate the Equifax data cloud in 2017 was because IT employees responsible for dealing with the system issues prioritized other projects before dealing with the threatened security measures. Whether they underestimated the severity of the flaw in the system, or they just had too much else on their plate that week, waiting to focus on the issue further extended the damage of the hack, exploiting information from 145 million Americans, and hurting company efficiency and reputation.

Misprioritization can affect both the cloud provider and the user of the cloud services, making it a cloud computing vulnerability that all those related to cloud security should consider.

Other Cloud Computing Vulnerabilities 

Besides the three human-caused cloud computing vulnerabilities described above, there are other common threats to cloud systems that companies and providers should consider. 

  • Account Access: There are risks associated with who has access to different account levels within cloud service accounts. Depending on your service provider, there might be lower level access for those only using limited parts of the cloud service, as well as administrator access for the most-trusted account managers. Limiting credentialed access, rotating who manages the administrative accounts, and using two-factor authentication are all ways companies can manage the account-level cloud computing vulnerabilities on their end.
  • System Updates: There are also risks associated with ignoring system updates both for the cloud provider and the user. Maintaining the most up-to-date software on all fronts (hard drives, web browsers, cloud providers, third-party softwares) will also include updates to your security patches to best protect your system from new threats. 
  • Third-Party Threats: It is important to note that while managing your own cloud computing vulnerabilities is critical to operational efficiency, the security measures your third-party organizations have in place also directly impact your cyber footprint. Cloud services might extend far beyond what your organization is familiar with, and with each vendor onboarded to your company’s cyberspace, the more cloud computing vulnerabilities your organization is subject to. 

 

Are You Comfortable With Your Organization's Cloud Risks?

Does your organization have measures in place to protect from cloud computing vulnerabilities? Have you taken into account the human-caused security breaches that have already left huge impacts on industry leaders? 

Learn more about how to manage your cloud risk and regulation with BitSight.

New call-to-action

Suggested Posts

What Companies Using Cloud Services Need To Know About Their Risk Responsibilities

Cloud computing is not new to the cyber world; it’s here to stay. Web services are common in our everyday lives and workplaces, with things like Facebook, Salesforce, JIRA, Adobe, and GSuite all falling into the cloud-based category. But...

READ MORE »

Joint Effort with Microsoft to Disrupt Massive Criminal Botnet Necurs

Since 2017 BitSight has been working together with Microsoft’s Digital Crimes Unit (DCU) to understand the inner workings of the Necurs malware, its botnets and command and control infrastructure in order to take disruptive action against...

READ MORE »

Forecasting and Advanced Analytics: Building a Solid Security Strategy For 2020

2020 is not only the beginning of a new year, but the start of a new decade, and with it comes the dawn of a new era for the digital world. We’re now in the midst of the once far-off, “futuristic” time periods old books and movies used to...

READ MORE »

Subscribe to get security news and updates in your inbox.