Top 11 cloud security challenges and how to combat them

1. Data breaches

Data breaches are a top cloud security concern -- and for good reason. Many data breaches have been attributed to the cloud over the past years, one of the most notable being Capital One's cloud misconfigurations in 2019 that led to exposed customer data.

A data breach can bring a company to its knees, causing irreversible damage to its reputation, financial woes due to regulatory implications, legal liabilities, incident response cost and decreased market value.

Steps to prevent a data breach in the cloud include the following:

• Conduct data risk assessments.
• Protect data with cloud encryption.
• Maintain an incident response plan.
• Follow the principle of least privilege.
• Establish policies for secure data removal and disposal.

2. Misconfigurations

Cloud assets are vulnerable to attack if set up incorrectly. For example, the Capital One breach was traced back to a web application firewall misconfiguration that exposed Amazon Simple Storage Service buckets. In addition to insecure storage, excessive permissions and the use of default credentials are two other major sources of cloud vulnerabilities. Ineffective change control can also cause cloud misconfigurations.

Strategies to counter cloud misconfigurations include the following:

• Conduct data risk assessments.
• Maintain an incident response plan.
• Monitor which data is accessible via the internet.
• Ensure external partners adhere to change management, release and testing procedures used by internal developers.
• Use automated change control to support rapid changes.
• Hold regular security awareness trainings with employees, contractors and third-party users.

3. Insecure APIs

CSP UIs and APIs that customers use to interact with cloud services are some of the most exposed components of a cloud environment. The security of any cloud service starts with how well UIs and APIs are safeguarded -- a responsibility of both customers and their CSPs. CSPs must ensure security is integrated, and customers must be diligent in managing, monitoring and securely using cloud services.

Practices to manage and fix insecure APIs include the following:

• Practice good API hygiene.
• Avoid API key reuse.
• Use standard and open API frameworks.
• Vet all CSPs and cloud applications before use.

4. Limited visibility

Cloud visibility has long been a concern of enterprise admins. Limited visibility of cloud infrastructure and applications across various IaaS, PaaS and SaaS offerings can lead to cloud sprawl, shadow IT, misconfigurations and improper security coverage, which could result in cyberattacks, data loss and data breaches.

Multi-cloud environments have exacerbated visibility challenges as security teams have difficulty finding tools that effectively maintain visibility across two or more CSPs.

Steps to improve visibility and mitigate the effects of poor visibility include the following:

• Mandate and enforce a cloud security policy.
• Hold regular security awareness trainings.
• Conduct regular cloud security assessments.
• Perform continuous, real-time monitoring.

5. Identity, credential, access and key management

The majority of cloud security threats -- and cybersecurity threats in general -- are linked to identity and access management (IAM) issues. These threats include the following:

• Improper credential protection.
• Lack of automated cryptographic key, password and certificate rotation.
• IAM scalability challenges.
• Lack of MFA.
• Poor password hygiene.

Standard IAM challenges are exacerbated by cloud use. Taking inventory, as well as tracking, monitoring and managing the sheer number of cloud accounts in use, is compounded by provisioning and deprovisioning issues, zombie accounts, excessive admin accounts and users bypassing IAM controls, in addition to challenges with defining roles and privileges.

Strategies to counter identity security issues in the cloud include the following:

• Use MFA.
• Extend key management best practices to the cloud.
• Monitor user accounts regularly.
• Remove unused and unnecessary credentials and access privileges.
• Follow password best practices.

6. Account hijacking attacks

Cloud account hijacking is when an employee's cloud account is taken over by an attacker. The attacker then uses the employee's cloud account to gain unauthorized access to an organization's sensitive data and systems.

Cloud account compromise can result from phishing attacks, credential stuffing attacks, attackers guessing weak passwords or using stolen credentials, improper coding, accidental exposure and cloud misconfigurations. If successful, cloud account hijacking attacks can lead to service disruptions and data breaches.

Steps to prevent cloud account hijacking attacks include the following:

• Use MFA.
• Follow the principle of least privilege.
• Disallow as much access as the CSP supports.
• Segregate cloud environments whenever possible.
• Perform regular user access reviews.

7. Insider threats

Insiders, including current and former employees, contractors and partners, can cause data loss, system downtime, reduced customer confidence and data breaches.

Insider threats fall into three categories:

1. Compromised insiders -- for example, an employee who clicks a phishing link and has their credentials stolen or downloads malware onto the company network.
2. Negligent insiders -- for example, an employee who loses a device containing company data or from which an attacker can steal their credentials.
3. Malicious insiders -- for example, an employee who steals data to commit fraud.

Insider threats in the cloud pose the same risks and fall into the same categories, although the issue expands due to the inherent remote access security risks of the cloud and ease of sharing or accidentally exposing data stored in the cloud.

Strategies to counter insider threats in the cloud include the following:

• Hold regular security awareness trainings.
• Address cloud misconfigurations.
• Follow the principle of least privilege.
• Segregate cloud environments whenever possible.
• Perform regular access reviews.
• Authorize and revalidate user access controls regularly.

8. Cyberattacks

Cloud environments and cloud accounts are subject to the same attacks that target on-premises environments. These include DoS, DDoS, account hijacking, phishing, ransomware and other malware attacks, as well as cloud vulnerabilities and insider threats.

Some cyberattacks are specific to the cloud, such as the nefarious use of clouds services. Attackers use legitimate SaaS, PaaS and IaaS offerings, disguising themselves as CSPs to attack cloud customers who assume the attacker is a legitimate source.

Cloud-specific malware is also an issue -- namely malware that uses the cloud for command and control, as well as malware that targets cloud assets and accounts. For example, malicious cryptomining, known as cryptojacking, is an attack in which threat actors steal a victim device's resources, including energy and computing power, to verify transactions within a blockchain.

Cloud cyberattacks can lead to performance degradation, downtime, customers unknowingly hosting malware, data loss and more.

Steps to mitigate cloud cyberattacks include the following:

• Use MFA.
• Encrypt all data stored in the cloud.
• Monitor employee cloud use.
• Back up cloud workloads and data.
• Segment cloud networks.
• Use data loss prevention technologies.
• Follow the principle of least privilege.
• Implement allowlists and blocklists.

9. Shadow IT

Shadow IT is hardware or software used by employees that isn't allowed or supported by their organization's IT team. Shadow IT use can result in network bandwidth issues, compliance risks and security threats, such as data loss and data breaches.

Cloud shadow IT, specifically, is the use of unsupported cloud software, such as Google Workspace, Slack or Netflix.

Steps to reduce the threat of cloud shadow IT include the following:

• Hold regular security awareness trainings that highlight shadow IT and its effects.
• Use tools to detect cloud shadow IT apps.
• Create and implement a shadow IT policy.
• Use a cloud access security broker to detect, monitor and manage cloud shadow IT.
• Implement allowlists and blocklists.

10. Skills shortage and staffing issues

The IT industry has faced a skills gap and staffing shortages for years, especially in security personnel. This well-known issue is prevalent when it comes to cloud expertise and even more so when it comes to cloud security, which requires specific skills and tool sets.

The cybersecurity skills gap can be attributed to the following five main causes:

1. The demand for cybersecurity talent keeps increasing.
2. The pool of cybersecurity talent lacks diversity.
3. Employers have unrealistic expectations.
4. Employees aren't keeping their skills up to date.
5. Burnout is increasing, and cybersecurity experts are leaving the profession.

Staffing shortages and lack of skilled cloud security professionals can lead to cloud vulnerabilities, data exposures and data breaches.

Steps to address the skills gap and staffing shortages include the following:

• Upskill existing workers.
• Sponsor cloud security certifications and trainings for employees.
• Support existing security teams to ease stress and mitigate burnout.
• Recruit and hire from a diverse pool of employees.
• Automate tasks where possible.

11. Compliance

Achieving compliance with internal, government and industry regulations and specifications was challenging before cloud use was ubiquitous. It has only become more challenging since its widespread adoption.

Maintaining cloud compliance with regulations such as HIPAA, PCI DSS and GDPR is a shared responsibility between customers and CSPs. Customers must do their part to comply and also vet their CSPs to ensure they're meeting requirements. Noncompliance can result in legal action, fines, business disruptions, data loss and data breaches.

Steps to help ensure compliance include the following:

• Follow the principle of least privilege.
• Use MFA.
• Define and implement strong access controls.
• Perform a compliance audit.
• Follow cloud frameworks.
• Mandate and enforce a cloud security policy.
• Regularly update and patch systems.

Sharon Shea is executive editor of TechTarget Security.