Cloud Services and the Security Challenges For Your Company
Cloud computing and services have revolutionised the world, especially the world of business and cybersecurity. Organisations of all sizes and with varying resources have been able to reduce costs, save time, and scale easily by adopting cloud services like Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS).
With the fast pace of business and commerce, cloud computing can offer a deluge of benefits: companies can speedily get their products and applications to the marketplace without having to waste time building and setting up their own systems and software, save money on servers and equipment in general, and avoid loss of data via hardware failure by having readily available backups.
Software-as-a-Service (SaaS) allows end users to connect to a cloud service and use cloud-based apps and software over the Internet. Popular examples of SaaS are Salesforce, Dropbox and Google Workspace.
With SaaS, it’s up to the consumer to provide the actual working data and configurations needed for their end users’ application requirements while the cloud software provider provides everything else, including:
- Making sure all the software is up to date.
- Taking care of most security issues.
However, there are a few security issues that the cloud consumers have to address themselves and these issues are no less critical.
- Weak administrator credentials, where you must ensure a threat actor can’t spoof the admin credentials and become an administrator of a cloud consumer’s application.
- Incorrect data protection, where the consumer fails to save sensitive information in a place where it’s properly protected, such as putting a confidential list in a public area where anyone can see it.
- Plug-in vulnerabilities, where the consumer builds and installs a software plugin in the SaaS system and the plugin has vulnerabilities that allow back doors into resources and attacks from the internet.
And, as is typical of cybersecurity, the risks don’t stop there. Your cloud provider also has attack vectors and risks that can impact your organisation due to the fact that they’re connected to your network and systems and are storing your company’s sensitive and critical data.
Risks from a cloud provider-end can include:
- Cloud providers having access to certain, sensitive sets of data when it’s not necessary.
- Data being left as unencrypted plaintext when it's in storage and at rest.
It’s important for organisations to look at SOC 2 reports and follow cybersecurity best practices before choosing their cloud provider, as that will give them more insight into the type of access controls, strategies and techniques a cloud provider uses in order to maintain the security of consumer systems and applications.
With Platform-as-a-Service (PaaS), the cloud consumer provides an application and possibly a few layers of middleware while the cloud provider provides the rest of the software, including possibly some more middleware, the operating system, and the computer hardware.
If, for example, we were talking about platform-as-a-service and web hosting, the consumer would provide the upper layers like content and configuration, like they would with SaaS, but also possibly the content management system (CMS) too. Meanwhile, at the lower layers, the cloud provider provides software support and updates for the software they have provided themselves.
Some of the most prolific names for PaaS are:
- Amazon's Simple Storage System (S3).
- Google Object Storage.
- Microsoft Azure (although it also encompasses SaaS and IaaS).
With Platform-as-a-Service not only do you have all the same issues as SaaS, but cloud consumers also have the additional problems of:
- Updating software, where you have to update the software that is above the cloud provider’s level.
- Coordinating user contexts, where you have to map different classes of users and IDs onto a cloud application and its different cloud consumer IDs, as you run different applications and access permissions.
- Managing data access controls, where it’s critical to ensure all access controls have been set up properly on all levels and account for the different user contexts.
- Logging and monitoring, where the cloud consumer sets up logging and monitoring in the PaaS environment. Good vendors will provide tools to make this process easier, but you’re in charge of making sure it’s running and keeping track of your system.
Another thing handled in the upper layer by the Cloud consumer is user-level application controls, where the consumer has to implement controls so the data remains protected. Broken access controls are the biggest way web data gets leaked, ranking top in OWASP.
The clients of Reindeer, a defunct marketing company, learned that the hard way when their data was exposed by the company due to broken access controls on the cloud.
When it comes to data handling, new problems arise for the cloud consumer as well with PaaS, where we're accessing particular named objects, files, fields and databases. This can be broken down into:
- Block storage, which is similar to an old-style hard drive or the modern, solid-state drive in that everything is block addressable.
- Files-as-a-service, where you can use file sharing services like Dropbox or Google Drive to pull files.
- Database-management-as-a-service, which cloud providers often provide a version of.
- An object store, which is provided by the cloud service provider and where you get buckets, blobs, etc., that can be access-controlled, each containing a bunch of uniquely-designated objects.
Now, in regards to Cloud object storage, you’re able to control access and limit it to a particular cloud consumer or authorised process IDs within said cloud consumer. Moreover, within the storage, you have objects, each one a block of application data that has a set of attributes associated with it and access controls available.
Objects essentially act like files, although they are more flexible and don't have a hierarchical file system unless you deliberately choose that type of organisation.
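To illustrate limiting object-store access to authorised identities, the following added example (not part of the original article, and not any vendor's code) audits a bucket policy in the AWS S3 JSON policy layout and flags Allow statements that are public or that name a principal outside an allow-list. The sample policy, account IDs, role names, bucket name and the `AUTHORISED` set are constructed for the example.

```python
import json

# Constructed sample policy in the S3 bucket-policy JSON layout; the account
# IDs, role name and bucket name are made up for this example.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VendorWrite", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")
AUTHORISED = {"arn:aws:iam::111111111111:role/app-reader"}  # assumed allow-list


def principals(stmt):
    """Flatten a statement's Principal element into a list of strings."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):                # "Principal": "*"
        return [p]
    out = []
    for value in p.values():              # {"AWS": "..."} or {"AWS": [...]}
        out.extend([value] if isinstance(value, str) else value)
    return out


def audit_bucket_policy(policy, authorised):
    """Return (sid, finding) pairs for Allow statements that are too broad."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid, who = stmt.get("Sid", "<no Sid>"), principals(stmt)
        if "*" in who:                    # anyone; a Condition may still narrow it
            findings.append((sid, "public-conditional" if stmt.get("Condition") else "public"))
            continue
        findings.extend((sid, "unlisted-principal: " + arn) for arn in who if arn not in authorised)
    return findings
```

Calling `audit_bucket_policy(SAMPLE_POLICY, AUTHORISED)` reports the `PublicRead` and `VendorWrite` statements and passes `AppRead`, whose principal is on the allow-list.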
Infrastructure-as-a-service (IaaS) is essentially where the cloud service provider provides hardware or simulations of hardware. With the cloud provider providing physical and/or virtual infrastructure, they are in charge of making sure that the infrastructure is secure and reliable.
In contrast, the cloud consumer provides all the software from the operating system up, being responsible for said software as well as user and administrative controls. The consumer is in charge of a number of controls to help ensure the cloud systems are protected from threat actors, which involves configuring the storage areas being used by the cloud software.
Popular IaaS services offered include:
- Digital Ocean.
- Amazon AWS.
- IBM Cloud.
- Microsoft Azure.
IaaS security issues essentially include the same issues as PaaS and SaaS. We have to update the software and coordinate user contexts, although the latter is clearer because there are significantly fewer factors and different types of things to protect in IaaS compared to PaaS.
Moreover, cloud consumers still have to manage data access controls, which ties back to our user contexts, as well as logging and monitoring. The disadvantage here is that it can be more time-consuming, as you have to find the tools and make sure they are actually working properly yourself.
Securiwiser is a cybersecurity threat detection monitoring tool which evaluates your company’s cybersecurity posture, flagging up vulnerabilities and malicious activity in real-time, presenting the data you need to know in an easy-to-read, straightforward dashboard.
In order to help you keep track in cyberspace, Securiwiser checks and monitors the security of your network and cloud, checks if there are CMS vulnerabilities like dodgy CMS plugins, if there are misconfigurations with your Amazon S3 bucket, if your data is exposed, and much, much more.