Is Your Data Safe In The Cloud?

According to the Harvard Business Review and the National Security Agency (NSA), cloud misconfiguration is one of three major causes of a 20% spike in data breaches last year. At Black Breach, we consistently hear from potential clients how "bulletproof" their security is just because they are in the cloud. The cloud is the backbone of countless businesses, offering flexibility and scalability, with 60% of the world's corporate data now in the cloud.

However, the major growth toward moving to the cloud makes it a major target for cybercriminals. In 2023, over 80% of all data breaches involved data stored in the cloud.

Consider Cloud Components

Cloud architectures are not standardized, and each Cloud Service Provider, or CSP, implements foundational cloud services differently. Understanding a CSP's cloud implementation should be part of a customer's risk decision ("nothing is bulletproof") during cloud service procurement.

Identity and Access Management (IdAM): IdAM refers to controls in place for customers to protect access to their resources and controls the CSP uses to protect access to back-end cloud resources. Secure customer and cloud back-end IdAM, both enforcement and auditing, is critical to safeguarding cloud customer resources.

Compute: Clouds generally rely on virtualization and containerization to manage and isolate customer computation workloads. Serverless computing, the dynamic allocation of cloud compute resources to run customer code, is built upon either virtualization or containerization, depending on the cloud service.

  • Virtualization is a cloud backbone technology, not only for customer workloads but also for the cloud architecture itself. Virtualization is an enabling technology that provides isolation in the cloud for both storage and networking. Virtualization typically implements and secures internal cloud nodes.

  • Containerization is a more lightweight cloud technology commonly used to manage and isolate customer workloads. Containerization is less secure than virtualization as an isolation technology because of its shared kernel characteristics, but CSPs offer technologies that help address containerization security drawbacks.

Networking: The isolation of customer networks is a critical security function of the cloud. In addition, cloud networking must implement controls throughout the cloud architecture to protect customer cloud resources from insider threats. Software Defined Networking is commonly used in the cloud to both logically separate customer networks and implement backbone networking for the cloud.

Storage (Objects, Blocks, and Database Records): Logically separate customer data from each other on cloud nodes. Security mechanisms are crucial to protect customer data from other customers and protect all data from insider threats.

Cloud Encryption and Key Management

Encryption and key management (KM) are critical for protecting information in the cloud. While CSPs offer encryption to protect customer data, customers should understand their options for additional protection based on data sensitivity requirements. CSP-provided encryption and KM services, including Hardware Security Module (HSM) offerings, are available and accredited for sensitive information protection. Alternatively, customers can perform encryption and KM outside the cloud to avoid exposing data to cloud administrators. However, this approach requires building encryption into applications or data management layers and may limit integration with other CSP services.

Sharing Cloud Security Responsibilities

CSPs and cloud customers are both responsible for providing security to services and sensitive data stored in public cloud environments. CSPs are accountable for securing the cloud infrastructure and implementing logical controls for separating customer data, while organizational administrators typically handle application-level security configurations. While CSPs may provide security tools and monitoring systems, customers are responsible for configuring services to meet organizational security requirements. This shared responsibility extends to routine operations like patch management and exceptional events such as security incident response, with specific responsibilities varying based on CSP, cloud service type, and product offering.

Figure 1: National Security Agency (NSA) Cloud Shared Responsibility Model

Shared responsibility considerations include:

  • Threat Detection: While CSPs are generally responsible for detecting threats to the underlying cloud platform, customers are responsible for detecting threats to their own cloud resources. CSPs and third parties may offer cloud-based tools that can assist customers in threat detection.

  • Incident Response: CSPs are positioned to respond to internal incidents in the cloud infrastructure and are responsible for doing so. Incidents internal to customer cloud environments are generally the customer’s responsibility, but CSPs may support incident response teams.

  • Patching & Updating: CSPs are responsible for ensuring their cloud offerings are secure and rapidly patch software within their purview. However, they usually do not patch software the customer manages (e.g., operating systems in IaaS offerings). Because of this, customers should vigilantly deploy patches to mitigate software vulnerabilities in the cloud. In some cases, CSPs offer managed solutions in which they perform operating system patching as well.

Cloud Threat Actors

The cloud is quickly becoming the primary target for threat actors. In 2023, over 80% of all data breaches involved data stored in the cloud. Threat actors may target the same types of weaknesses in both cloud and traditional system architectures. Administrators should know that traditional tactics still apply. For example, an unpatched web application in the cloud has a similar risk of compromise as one from an on-premises network.

Cloud Vulnerabilities and Mitigations

Cloud vulnerabilities are similar to those in traditional architectures, but the cloud characteristics of shared tenancy and potentially universal access can increase the risk of exploitation.

Figure 2: NSA Cloud Vulnerabilities – Prevalence versus Sophistication of Exploitation

Mitigating cloud vulnerabilities is a shared responsibility between the CSP and the customer organization. Cloud technology moves rapidly, making oversight a complex task. Organizations need dedicated resources proportional to the organization's size to ensure adequate protection in the cloud. If the customer organization cannot fulfill its responsibilities for mitigating cloud vulnerabilities due to workload or skill set, consider hiring a managed security service provider (MSSP) to support this role. Critical to an organization's success in both transitioning to the cloud and maintaining cloud resources is support from informed leadership, which ensures the proper governance, budget, and oversight. With this support, administrators can enable effective mitigations for cloud resources.

Final Thoughts

Organizations often take shortcuts, don't hire expert third-party consultation or management, and don't spend enough time confirming that the cloud configuration is correct and secure. As a result, users might not realize all the settings and if their data storage is openly exposed to the public internet.

As an MSSP with unprecedented expertise in cybersecurity, Black Breach is positioned to provide our clients with a variety of consulting services focused on cloud security.

Works Cited:

Madnick, S. (2024). Why Data Breaches Spiked in 2023. https://doi.org/February 19, 2024

(2020). Mitigating Cloud Vulnerabilities. National Security Agency | Cybersecurity Information. https://www.cisa.gov/news-events/alerts/2020/01/24/nsa-releases-guidance-mitigating-cloud-vulnerabilities January 2020

Disclaimer of Endorsement: The information and opinions contained in this blog are provided "as is" and without any warranties or guarantees. The National Security Agency has not and cannot endourse private organizations to include Black Breach, LLC.  
Previous
Previous

Urgent Action Required to Counter Cybercriminals Exploiting Auto Dealers from CrowdStrike Outage