top of page

What are the Risks of Cloud Computing

Writer's picture: Tyler WallTyler Wall

Updated: Dec 8, 2024


what are the risks of cloud computing

What are the Risks of Cloud Computing?

Like any disruptive technology which comes along and shakes things up; cloud computing brings its own unique challenges and risks. Understanding these risks is the first step to putting in a proper mitigation strategy to protect your data in the cloud. Despite the cloud’s obvious advantages, it is a seriously bad idea for companies to jump into cloud adoption without knowing the security risks. This is What are the Risks of Cloud Computing?


So, without further delay, let's look at some of the key risks in the cloud


Lack of Cloud Security Skills

Easily the number one challenge facing most companies is the lack of cloud security skills. The cloud has a learning curve and without investing in training and certifications; cybersecurity teams will not be able to meet the challenge that cloud security brings. Remember that the cloud removes several of the security perimeters which companies take for granted and replaces it with other (and in some cases better) controls. There is already a lack of cloud expertise in the market and an even bigger gap for cloud security.


The 2022 Cloud Security Report states that shortage of experienced staff is one of the biggest barriers that stops companies from going all in when it comes to the cloud.

This problem becomes even greater in a multi-cloud environment which puts a huge burden on your IT and cybersecurity teams. Securing one cloud is hard enough but imagine trying to secure multiple! Unless CIOs and CISOs think smart and put dedicated cloud training in their roadmaps they will find themselves saddled with a cloud environment that is just waiting for a data breach to happen. This relates also to the next risk.


Misconfigurations

Misconfigurations in the cloud are the primary reason for most data breaches and it grows exponentially with the size of your cloud footprint. This directly ties into the previous risks as staff without proper training are more prone to make these mistakes. The cloud makes it VERY easy to make changes and push them to production thus a simple mistake can lead to your database containing credit card numbers being exposed over the internet. Despite cloud providers putting in numerous controls to prevent these mistakes from happening, customers are frequently unaware of their security obligations. We will discuss this in detail when we go over the Shared Responsibility Model.


Most cybersecurity teams also do not take advantage of the cloud’s native security controls and automation resulting in delayed response times.


Increased attack surface

The public cloud by its nature is accessible outside an organization’s on-premises perimeter and thus becomes a very attractive target for attackers. Poorly configured cloud storage, ingress ports can become the steppingstone they need to access and take over workloads in the cloud. This problem also increases with the common mistake of companies accidentally hard coding and storing their credentials in cloud repos which are regularly scanned by attackers. Security in the cloud requires a mindset change and a focus on identity as the firewall which leads us to the next risk


Lack of Focus on Securing Cloud Identities

Managing identities on the cloud becomes a major problem if it is not given priority at the beginning. As a cloud environment increases, user management becomes increasingly complex as each cloud usually has its own identity store which is set up differently with different authorization policies and access privileges. AWS Identity and Access Management (IAM) and Azure Active Directory are different from each other and managing identities can become a major hassle unless you have a strategy setup for handling this from the start.


The best way to solve this issue is to federate to a Single Sign On solution so you have a single source of truth for your identities. This is much easier than handling each cloud identity differently and allows the centralization of user access policies. We will discuss this in detail when we go over cloud security tools in the coming lectures.


Lack of Standardization and Visibility

CISOs (pronounced see-so’s) or Chief Information Security Officers who have executive leadership of cybersecurity teams often have two main concerns in the cloud:


  • How do I enforce security controls consistently in all cloud environments?

  • How do I know what is happening where in the cloud?

Enforcing your cloud security policies can be a serious challenge in one environment but imagine doing that in several! Azure, AWS, and Google each have different security tooling, and enforcing a cloud security standard uniformly across the same can be a massive challenge if done manually. The lack of visibility and control is further extended in the Platform as a Service and Software as a Service cloud models. Cloud customers often cannot effectively identify and quantify their cloud assets or visualize their cloud environments. Additionally, you can potentially have hundreds to thousands of daily automated changes happening in your environment which are impossible for security teams to secure unless they invest in something like a Cloud Security Posture Management tool (CSPM). In short, a CSPM will automate the detection and remediation of cloud policy violations provided it is implemented properly and give you a centralized dashboard of your cloud security posture.


Data Leakage

We discussed Broad Network Access earlier as one of the defining characteristics of cloud computing. The cloud was designed to make IT services and systems available at any time and place without the restrictions of physical infrastructure which is amazing.


Unfortunately, as a side effect, it also increases the risk of data leakage and exfiltration as the traditional security perimeter went away. The ease at which data can be shared i.e., with a simple URL or button click can become a major cloud security issue if staff are not aware of what they are doing. For example, sharing collaboration links to third parties without putting in restrictions can lead to a cloud folder being accessible over the entire internet. This problem increases with the number of vendors and service providers that usually are provided access to a company’s cloud infrastructure.


Around 51% of teams cite accidental over sharing as a major concern for companies considering cloud migrations especially if their workloads contain customer data or PII.

One of the best ways to mitigate the risk of data leakage is via implementation of a Cloud Access Security Broker (CASB).


Data privacy and compliance

Data privacy and compliance is another area that can become a key cloud security risk for companies that rush into cloud adoption. Standards like PCI DSS, HIPAA (pronunced hippa), and GDPR require controls to be put in place or limit access to sensitive data such as card numbers, medical data, PII, etc. and this requires a good understanding of cloud security controls to be effectively done. The cloud operates on a shared responsibility model and compliance is shared between the customer and the cloud service provider. Most providers are usually compliant with standards like PCI DSS, NIST, HIPAA (hippa), GDPR, etc. however customers need to understand where their obligations begin and this changes depending on what model or service they are using.


Data Sovereignty, Residence and Control

One of the great features of the cloud is how easy it is to move data between geographical regions which makes disaster recovery and continuity much easier than on-prem. However, this same issue can also become a regulatory nightmare for companies who must comply with strict data residency laws. Data residency refers to where data can be stored and is usually governed by a country’s data laws with strict fines for non-compliance. In some cases, it is not allowed to transfer data out of a country’s borders which becomes a problem if a company does not even know where their data is being stored. Make sure you are aware of the fine print in your cloud service provider if you have data residency controls before you start putting customer data in the cloud.


Incident Response in the Cloud

Less of a risk and more of a mindset change but this is still important enough to be mentioned is incident response and how it changes. In the cloud, changes can happen rapidly and if your company is still relying on email tickets to be raised before the security team investigates anything then you might be putting your environment at serious risk. The cloud lends itself to automation and without using cloud-native controls, the security team will find themselves unable to respond effectively to potential security incidents.


Summary

We quickly covered cloud computing risks. The majority of these risks are a result of the skills required to effectively manage assets in the cloud. The cloud is fast emerging and even faster adopted and it has so much power to make data available at the click of a button that the majority of risks associated with the cloud are unintended misconfigurations by your own people. In security, our data is often our crown jewel and the cloud, by design, makes it so that data is easily accessed and shared. To complicate things more, formal incident response hasn’t been well ironed out in most cases. Knowing where your data is, and governing who has access to it is among the top concerns of security in the cloud.


Cyber NOW Education: How to start a career in cybersecurity

Tyler Wall is the founder of Cyber NOW Education. He holds bills for a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts.


You can connect with him on LinkedIn.


You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF" which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits.


Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on fun labs in Microsoft Azure, leaving you with the know-how to create a gig in Fiverr or Upwork to start your cybersecurity freelancing.


Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer.


Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, and winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, kindle, or PDF versions. The downloadable PDF version can be grabbed here

Tags:

27 views0 comments

Recent Posts

See All

Comments


bottom of page