How Gaps in Cloud System Configuration Could Expose Sensitive User Data
- According to a 2023 survey, across 18 countries, 35% of organisations in India note that their data was breached in a cloud environment last year.
- Moreover, 68% of businesses in India, and 75% globally, say that more than 40% of data stored in the cloud is classified as sensitive.
Cloud storage
- It is a method through which digital data, including files, business data, videos, or images, are stored on servers in off-site locations.
- These servers may be maintained by the companies themselves or by third-party providers responsible for hosting, managing, and securing stored data.
- These servers can be accessed either by the public or through private internet connections, depending on the nature of the data.
- Companies use cloud storage to store, access and maintain data so that they do not need to invest in operating and maintaining data centres.
- An added advantage of cloud storage is its scalability — organisations can expand or reduce their data footprint depending on their needs.
- Most cloud providers offer security features like physical security at data centres, in addition to zero-trust architecture, identity and access management, and encryption to ensure the security of data on their servers.
Risks of cloud storage
- The risks arise from the deployment of incompatible legacy IT systems and third-party data storage architecture.
- Additionally, the use of weak authentication practices and easily guessable passwords can allow unauthorised individuals to access sensitive data.
- Data stored in the cloud also faces the risk of exposure due to insecure APIs, poorly designed or inadequate security controls, internal threats due to human error and inadequate encryption during transfer or storage.
Legacy systems and their efficacy
- Though cloud security may appear similar to legacy IT security, the difference in their architecture necessitates different strategies.
- Due to the lack of support or upgrades, legacy IT security may have known vulnerabilities that are yet to be fixed.
- Such vulnerabilities make them an appealing target for hackers who may use the gaps to gain unauthorised access to cloud resources connected with these legacy systems.
- Additionally, legacy systems may not be capable of supporting more advanced encryption techniques such as secure boot methods or hardware-based encryption, which increases the risks to cloud infrastructure.
- Therefore, updating and auditing legacy systems when used in tandem with cloud infrastructure is important.
System misconfigurations
- A system misconfiguration arises when there is a lack of thorough security configurations on the devices accessing the cloud data and the servers, or a weakness in the software used.
- Misconfigurations can expose user data, making it accessible to unauthorised individuals, and compromising security.
- Companies using cloud storage often leave security configuration to the cloud vendor, but the vendor only supplies the platform, and the plans companies opt for may not include access encryption or firewall rules on the cloud.
Data protection
- The onus of ensuring data security lies with the companies even though they grant access to data to vendors and partners.
- If the data is sensitive in nature, it is the company’s responsibility to make sure that a selected vendor has all the right checks in place and has conducted due diligence.
- This includes checking cloud compliance measures such as ensuring accounts are protected by two-factor authentication, monitoring access to the database, ensuring it is encrypted, and ensuring all firewall rules are set so that access is allowed only from certain places and certain departments.
- Data encryption is seen as one of the most effective approaches for securing sensitive information in the cloud.
- However, it comes with its own set of challenges which include encryption before data is stored, ensuring the security of encryption keys, and changing the encryption keys periodically to ensure continued safety.
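As an added example, not from the article, the checks listed above (two-factor authentication, access monitoring, encryption, restrictive firewall rules, periodic key rotation) are expressed as a provider-agnostic audit run over a constructed bucket configuration, with a weak setting beside the corrected one; the field names and the 90-day rotation limit are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_network
from typing import List

@dataclass
class StorageConfig:
    """Constructed, provider-agnostic view of one cloud storage bucket (assumed fields)."""
    name: str
    public_read: bool            # anyone on the internet can read objects
    encrypted_at_rest: bool
    key_rotated_on: date         # last rotation of the encryption key
    mfa_required: bool           # two-factor authentication enforced for access
    access_logging: bool         # access to the data store is monitored
    allowed_cidrs: List[str] = field(default_factory=list)  # firewall rule sources

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy

def audit(cfg: StorageConfig, today: date) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if cfg.public_read:
        findings.append("bucket is readable by anyone on the internet")
    if not cfg.encrypted_at_rest:
        findings.append("data is not encrypted at rest")
    elif (today - cfg.key_rotated_on).days > MAX_KEY_AGE_DAYS:
        findings.append("encryption key older than %d days" % MAX_KEY_AGE_DAYS)
    if not cfg.mfa_required:
        findings.append("two-factor authentication not enforced")
    if not cfg.access_logging:
        findings.append("access to the data store is not logged")
    if not cfg.allowed_cidrs:
        findings.append("no firewall rule restricts source networks")
    for cidr in cfg.allowed_cidrs:
        if ip_network(cidr).prefixlen == 0:  # 0.0.0.0/0 or ::/0 admits every address
            findings.append("firewall rule %s allows every source address" % cidr)
    return findings

# Constructed configurations: the weak setting and its corrected form.
WEAK = StorageConfig("customer-records", public_read=True, encrypted_at_rest=True,
                     key_rotated_on=date(2022, 1, 1), mfa_required=False,
                     access_logging=False, allowed_cidrs=["0.0.0.0/0"])
HARDENED = StorageConfig("customer-records", public_read=False, encrypted_at_rest=True,
                         key_rotated_on=date(2024, 5, 1), mfa_required=True,
                         access_logging=True, allowed_cidrs=["203.0.113.0/24"])

if __name__ == "__main__":
    for cfg in (WEAK, HARDENED):
        print(cfg.name, audit(cfg, date(2024, 6, 1)) or ["all checks pass"])
```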
Risks of data migration in cloud
- There is risk involved when switching between vendors for cloud storage or when systems are upgraded.
- Without a proper migration plan and process based on thorough assessment of the cloud provider, data could get exposed.
- Additionally, ensuring that data is encrypted whenever in transit, and making relevant backups, are also key aspects of ensuring data security.
User safety
- When users learn of possible data breaches, they are advised to change passwords and the two-factor authentication setup, reset security question answers, and monitor accounts for unauthorised transactions and SMSs for suspicious activity.
- The lifespan of financial data exposed in a breach is short. It is used by threat actors within weeks.
- However, for personally identifiable data, the lifespan can be longer, with data sold on the dark web to target users for phishing scams and other illicit activities.
Way forward
- Data breaches and data exposure incidents in the cloud should be treated identically.
- While in a data breach confidential or protected information is exposed to unauthorised individuals, data exposure is usually described as the unintentional or accidental disclosure of data resulting from misconfiguration or human error.
- Both data breaches and data exposure incidents require close monitoring to ensure the confidentiality and availability of sensitive information housed in the cloud.