Cloud Leaks: The basics you need to know

In today’s data-driven economy enterprises are increasingly concerned about protecting their data assets. To this end, they are investing in Cloud Security’ href=’https://www.itexchangeweb.com/blog/seven-cloud-security-challenges-and-their-solutions/’ target=’_blank’>advanced security and data protection processes, which comprise both technical and organizational solutions. Nevertheless, most organizations remain vulnerable as evident in the proliferating number of security incidents such as data breaches, hacks, and attacks against IT systems. For example, in the scope of data breaches, adversarial parties break into IT systems and gain access to sensitive information. On the other hand, hacks enable unauthorized access to systems and databases based on mechanisms like ransomware and the establishment of botnets.  As a prominent example, three years ago, the WannaCry large-scale, ransomware attack, affected thousands of enterprises worldwide.
One of the most prominent types of security incidents is the so-called “leaks”.  The latter involves accidental physical exposure of sensitive data on the Internet. A main characteristic of leaks is that they are not caused by an external adversary. Rather they are due to some action or inaction on the data. Most people are familiar with major data leaks that have happened during the last decade, such as the Cambridge Analytica data leak that provided access to the personal data of millions of Facebook users.

In recent years, several notorious data leaks are associated with the expanded use of cloud computing. They are considered as special cases of large-scale data leaks and are conveniently called cloud leaks.

Understanding Cloud Leaks

During the last decade, the cloud is the computer. Companies are increasingly abandoning on-premise deployments towards moving to the cloud. In this way, they leverage the flexibility, cost-effectiveness, resilience, and scalability of cloud computing. However, cloud adoption comes with a downside: enterprises relinquish control of the security of their data asset to the cloud providers.
In several cases, cloud computing infrastructures are misconfigured, which provides opportunities for adversarial parties to gain access to precious data. On the other hand, the way cloud infrastructures are configured is beyond the control of the cloud customers. Moreover, the latter has very poor visibility on how their cloud infrastructures are configured and very limited opportunities for scrutinizing the respective security measures. This makes it very challenging to identify poor cloud configurations and to prevent cloud data breaches.
Cloud leaks are quite different from other types of security incidents, as they are not the result of an adversary’s actions. Rather they are due to poor security implementations, including mistakes or negligence of IT employees. In several cases, misconfigured cloud instances go unnoticed by the cloud customers, especially when they are not exploited by some adversarial parties. The speed of cloud adoption is usually to blame for this issue. As cloud deployments proliferate at an unprecedented pace, enterprises lack the resources needed to audit and safeguard the security of their cloud deployments.
During the last decade, many organizations have suffered from cloud leaks, including organizations of different sizes and industries. For instance, back in April 2016, the National Electoral Institute of Mexico become the victim of a cloud leak that compromised nearly 93 million voter registration records. Likewise, most IT giants have reported some sort of cloud security incident that led to data exposure.

Commonly Leaked Information and Business Impact

The cloud leaks that receive attention are the ones that entail high-value data assets. This is the case with customer datasets such as credit card numbers, bank account numbers, medical records, and other forms of personally identifiable information (PII) like addresses, phone numbers, and social security numbers. The leak of such data can have significant consequences, including:

• Economic Loss: The leak of sensitive data such as credit cards and bank account numbers lead to considerable economic damage for the stakeholders involved. Likewise, companies in charge of the cloud leak are faced with significant regulatory penalties. For example, the General Data Protection Regulation (GDPR) in Europe foresees penalties of 2% of the liable company’s entire global turnover or 10 million Euros, whichever is higher. This is a significant amount of money that can have a catastrophic impact on the finances of a business enterprise.
• Loss of Customer Trust: One of the short and medium effects of cloud data leaks can be a significant loss of customer trust in the services of the cloud provider. Customers that have their data leaked will automatically become reluctant to continue to use the services of the cloud enterprise. Likewise, customers that will not be affected will have doubts about the security processes of the cloud provider. One cloud leak is enough to weaken customer trust. It can take several months or years for this trust to be restored.
• Brand Damage: Cloud leaks damage the brand image of the enterprises that are to blame for the cloud misconfiguration. This was particularly evident in the case of the Cambridge Analytica breach when Facebook was severely questioned about its platform’s security and data protection processes. The same holds for cloud data providers that are affected by cloud leaks. Their names will play in the news in a very negative context.

Overall, cloud data leaks can have a severe business impact on the enterprises that will be held liable for the leak. Enterprises must put in place mechanisms that diminish the probability of a catastrophic cloud leak.

Best Practices and Solution Guidelines

To minimize the probability of cloud leaks and to mitigate their impacts, enterprises should adhere to the following best practices:

• Standards and Regulatory Compliance: The chances of a cloud leak are usually minimized in the case of infrastructures that serve regulated industries. In such cases, cloud infrastructures must comply with standards-based processes as specified in regulations like the Health Insurance Portability and Accountability Act (HIPAA) in healthcare and the PCI DSS (Payment Card Industry Data Security Standard) in finance.
• Frequent and In-Depth Auditing: To ensure that crucial cloud configuration issues are not overlooked, enterprises must perform frequent and in-depth auditing of their infrastructures. The security audit may include well designed pen-testing procedures towards identifying vulnerabilities stemming from cloud misconfigurations.
• Security Auditing Automation: Cloud providers are currently confronted with the challenge of scrutinizing many cloud deployments. To alleviate this challenge, organizations can exploit automation. Security automation may, for example, be employed as part of DevOps processes. Likewise, DevSecOps workflows that integrate security practices in the development pipelines can be considered. Moreover, Artificial Intelligence can be employed in order to identify abnormal behaviors due to misconfigurations.
• Organizational Factors and Data Policies: Much as Cloud leaks are technology-related, they are also associated with poor security policies as well. Hence, there is a need for designing and deploying effective security policies that mandate continuous checks on cloud configurations. Furthermore, the establishment of proper data policies that safeguard access to sensitive data can play a salient role when a leak happens.
• Consideration of Third-Party Risks: Nowadays organizations tend to combine and orchestrate multiple cloud services. The latter are often provided by different providers. Therefore, it is important to watch out for third-party cloud security risks that could lead to cloud data breaches and leaks. Enterprises must consider the full range of cloud services that comprise an IT service. Such considerations are key to performing a proper risk assessment that could prevent cloud leaks.

Overall, there is no silver bullet for preventing cloud leaks. Organizations should combine the above-listed best practices towards creating a well-structured, responsible, automated, and regulatory compliant environment for cloud security. The latter will minimize the chances of a cloud leak and of the subsequent risks of brand damage and regulatory penalties.