One of the most common talking points about cloud computing is the inherent security threats it holds. More often than not, whenever you read an article about cloud tech or whenever you hear two people talk about it, someone will recount how unsafe the cloud is to the data it shuffles about. While we, along with countless blogs, have discredited that myth, there are some true threats and vulnerabilities the cloud faces.
Here are a few.
1. Protecting From the Millions
The entire concept behind cloud tech is to reach as many users as possible with the most powerful and easy-to-use tech on the market. As the cloud has grown and applications have reached around the globe, one of the biggest threats to the overall cloud ecosystem is the people using it. The rise of cloud tech has meant working to make services available to billions while also protecting those very same applications and ecosystems against those untold millions.
The answer to this problem continues to be the API. The API, or the Application Programming Interface, effectively defines how a user connects to an application through security verification and how that application defines user permissions. For most people, the API shows up when allowing or denying an application permission to view contacts or post on their behalf.
Currently, the leading authorization service for applications is OAuth. Built as an open source authorization platform to define user-to-application and application-to-user interactions, and currently in its second version, OAuth offers security on both ends, yet it isn’t without possible compromise. For the sole reason that OAuth was built through an open source project, i.e. engineers working on the same problem, other engineers and developers have the ability to breach the service.
The simple truth is, as has been noted by many engineers and security experts, APIs can be compromised by pure accident or malevolent intent. If a group of engineers can build a security authorization tool, another group can infiltrate and expose its flaws. Like anything else, lapses in the technology might occur. Those missed spots will only aid someone, somewhere, in hacking the system.
As with most things security, you simply can’t tell where the next threat will come from.
2. The Ever Present DDoS Attack
The DDoS Attack, or the Distributed Denial of Service attack, has been with us from the start of the Internet. The DDoS attack is an attack wherein a group of hackers or a single user aims to shut down a server by overloading it with packets of malicious traffic. By continually sending malicious traffic to a server, a DDoS attack floods a single device, an overall network and/or a single server with the aim of shutting off connection to the Internet.
Even as network engineers and system admins have gotten better and better at fighting some of these attacks, as with all hacking, efforts to stay ahead of the protection curve are always mounting. In most cases, company engineers see an incoming DDoS attack by monitoring incoming traffic and can stave off the attack through various measures (monitoring the network, monitoring application-layers, relying on upstream support, monitoring lower Gbps connections), yet a determined attacker can still shut down a network.
This shutdown, for the consumer or business utilizing that cloud service, is a sure way to lose money. In turn, DDoS attacks sap consumer confidence in a provider, causing more turnover and less market stability.
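As an added illustration of spotting a flood by monitoring incoming traffic (example code written for this page, not taken from any provider's tooling), the sketch below buckets request-log lines into fixed windows and flags a window that far exceeds the quiet baseline. The log layout, the thresholds and the function names are assumptions, and the sample traffic is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

def detect_floods(lines, window_s=10, factor=5, floor=20):
    """Flag windows whose request count exceeds factor x the median of the
    earlier quiet windows (and an absolute floor). Thresholds are assumptions."""
    buckets = defaultdict(Counter)        # window start (epoch s) -> per-source counts
    for line in lines:
        stamp, src, _path = line.split()
        epoch = int(datetime.fromisoformat(stamp).timestamp())
        buckets[epoch // window_s * window_s][src] += 1
    alerts, quiet = [], []
    for start in sorted(buckets):
        per_src = buckets[start]
        total = sum(per_src.values())
        if quiet and total >= floor and total > factor * median(quiet):
            top_share = per_src.most_common(1)[0][1] / total
            alerts.append({
                "window_start": start,
                "requests": total,
                "baseline": median(quiet),
                "sources": len(per_src),
                # Many sources with no dominant sender suggests a distributed
                # flood; one dominant sender can be rate-limited or blocked alone.
                "distributed": top_share < 0.5,
            })
        else:
            quiet.append(total)           # flagged windows never feed the baseline
    return alerts

def constructed_log(flood_sources=200):
    """Constructed sample: three quiet 10 s windows, then 400 requests in 10 s."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(30):                 # 1 request/s from 3 regular clients
        t = base + timedelta(seconds=sec)
        lines.append(f"{t.isoformat()} 198.51.100.{sec % 3 + 1} /")
    for i in range(400):                  # flood spread across flood_sources senders
        t = base + timedelta(seconds=30 + i % 10)
        lines.append(f"{t.isoformat()} 203.0.113.{i % flood_sources + 1} /")
    return lines

if __name__ == "__main__":
    for alert in detect_floods(constructed_log()):
        print(alert)
```

Keeping flagged windows out of the baseline matters: otherwise a sustained flood gradually becomes the new "normal" and stops raising alerts.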
3. Sharing of Infrastructure and Technologies
One of the core concepts of the cloud is the sharing of technologies. Whether that sharing comes in the form of a single server handling traffic from Windows, Mac, Linux and Unix platforms, or whether that cloud tech handles the onboarding, security and off-boarding of multiple mobile devices (Android, iOS, Linux, Windows), the entire platform hinges on different technologies all talking to one another and getting along.
Moreover, the cloud hinges on multiple hardware devices sharing tasks to make larger computing efforts run with fluidity. Within a multi-tenant ecosystem, the downfall of a single piece of hardware can spell disaster for the entire network. With so many pieces of equipment all working together, the larger the chance of failure becomes.
This is where the problem comes in.
For engineers, fighting against the sharing problem is a matter of understanding how to build a network from the ground up, knowing that each component is where it should be, doing what it should be doing and communicating as it should be communicating. To make entirely sure a cloud network doesn’t go on the fritz, engineers need to monitor both the network as a whole and its individual hardware components.
Sharing of technologies is a big sticking point for intrusion and network failure possibilities.
4. Browser & App Security Faults
We don’t think about it too often because the working world has moved from PC-based operations to app-based operations on mobile devices, yet one of the largest threats to all cloud tech is browser and app hacking. Traditionally speaking, malevolent parties would attack the operating system of a machine through infection via a Trojan-like virus. Yet, as the world has moved from desktop operations to browser and app operations, those malevolent parties have been targeting their attacks differently. Case in point: at a recent hacking summit held in Vancouver, CA, competing hackers found and exploited all major web browsers. The results of the competition:
- 5 bugs in the Windows operating system
- 4 bugs in IE 11
- 3 bugs on Mozilla Firefox
- 3 bugs in Adobe Flash
- 2 bugs in Apple Safari
- 1 bug in Google Chrome
Match this with our first listed threat, security faults in OAuth and API configurations, and you have a recipe for disaster. When all of our work is now based on the fundamental structure of the browser and the app, any security gap in those structures can cause the entire system to fail.
5. Malicious Insiders
Another major risk to cloud computing applications and tech is malevolent actors from inside an organization. While we don’t think about it much, the possibility of an annoyed employee purposefully bringing down an app or a cloud tech is more common than we think.
Not only does this problem find footing in actual IT provider organizations, it also finds footing in companies utilizing those IT provider solutions. With the ability to fully know the infrastructure and security regulations of your organization, a malcontent has the power to bring down your entire network with ease.
For this reason, it is always important to:
- Hire trustworthy employees
- Install trust regulations for all employees with hardware, software and data center access
- Deploy stringent levels of security and clearance for all employees
A malicious insider isn’t something we think about normally. That said, it pays to guard against the possibility.
6. Faulty Data Transfer
The last threat we will mention is secure data transfer. While most cloud companies offer VPN technologies to secure data transfer, data security runs deeper than just using a VPN. Data security online means only using websites with valid SSL certificates, only using websites which begin with “https:” and setting your browser security settings on high to guard against even the smallest possibility of threat.
It should also be noted that secure data transfer means knowing where your traffic is being routed through and how many hops it takes to reach that destination. By running a simple traceroute on outgoing or incoming traffic, you can get a better idea of how many hops it takes your packets to reach their end point. By this logic, if you see too many stops in the pipeline, investing in a CDN service to bring that content closer to home will help secure your data even more.
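To make the traceroute check above concrete, here is an added example (not from the original article) that parses traceroute output, counts hops, lists hops that did not answer, and reports routers that are not on a previously recorded path. It assumes the Linux `traceroute -n` output layout; the function name, the `known_path` parameter and the sample output are hypothetical and constructed for illustration.

```python
import re

# Constructed sample in the Linux `traceroute -n` layout (documentation addresses).
SAMPLE = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  192.168.1.1  1.123 ms  1.045 ms  0.998 ms
 2  10.20.0.1  8.412 ms  8.377 ms  8.501 ms
 3  * * *
 4  198.51.100.7  22.910 ms  23.105 ms  22.774 ms
 5  192.0.2.10  24.012 ms  23.870 ms  24.331 ms
"""

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")              # "<ttl>  <rest of line>"
ADDR = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # dotted-quad IPv4 address
RTT = re.compile(r"([\d.]+) ms")

def summarize_route(output, known_path=()):
    """Summarize one traceroute run; known_path is an earlier, trusted path."""
    lines = output.strip().splitlines()
    header = ADDR.search(lines[0])
    dest = header.group(1) if header else None
    hops = []
    for line in lines:
        m = HOP.match(line)
        if not m:                                    # header or unrelated line
            continue
        addr = ADDR.search(m.group(2))
        rtts = [float(x) for x in RTT.findall(m.group(2))]
        hops.append({"ttl": int(m.group(1)),
                     "addr": addr.group(1) if addr else None,
                     "rtt_ms": min(rtts) if rtts else None})
    path = [h["addr"] for h in hops if h["addr"]]
    return {
        "hop_count": len(hops),
        "silent_hops": [h["ttl"] for h in hops if h["addr"] is None],
        "reached": bool(path) and path[-1] == dest,
        # Routers absent from the recorded path show the route has changed.
        "new_hops": [a for a in path if known_path and a not in known_path],
        "hops": hops,
    }

if __name__ == "__main__":
    recorded = ["192.168.1.1", "10.20.0.1", "192.0.2.10"]
    print(summarize_route(SAMPLE, known_path=recorded))
```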
In summary, while we haven’t touched on every possible threat to cloud computing, we have touched on those which loom large.
- APIs and authorization protocols need to become more secure to protect against anonymous threats
- DDoS attacks still need to be handled by proactive security protection and overall network monitoring – both whole networks and single devices
- Shared technology security protocols need to be hardened
- Web browsers and cloud-based applications need to be built with tighter secure structures
- The hiring of trustworthy employees needs to be matched with the implementation of stringent security regulations
- Secure data transfer through tunneling protocols, tight browser security regulations and limiting touch points for all packet transfer