
Moving to the cloud for an easier life? Cybercriminals are coming with you


The power of the cloud is now well established in the minds of businesses: over 90 per cent of companies use at least one variety of cloud service, and 77 per cent of enterprises have at least one application in the cloud. The benefits are multiple: greater storage capacity, streamlining of development processes and smooth deployment of digital transformation initiatives. But too often, decision makers get blinded by promises of business agility and demand quick implementation, long before security is ready. As a result, the door is wide open for attackers who, just like businesses, want to make the most of the cloud too.

A recent survey from Barracuda showed that 42 per cent of IT decision makers put security as their biggest concern when implementing cloud infrastructures in the business. And rightly so: the average enterprise is now subject to at least 20 breach attempts per month on its cloud infrastructure, and almost every organisation is attacked at least once every 30 days. These numbers act as a stark reminder for the C-suite that security can never be overlooked in favour of quicker business results. To counter this, it’s crucial that IT teams know what they’re up against, and how they can work to secure their cloud environments against today’s savvy hackers.

The biggest threats in the cloud

There are almost as many ways to breach a cloud environment as there are cloud environments. Whatever your cloud mix is, whether private, public or hybrid, hackers will find a way to get to what they need. Being one step ahead of them is always going to be difficult, but being aware of their most common techniques is a step in the right direction.

  • Man-in-the-cloud attacks

Man-in-the-cloud attacks are similar to man-in-the-middle attacks, except they take place in the cloud. In these attacks, hackers gain access to data and documents stored in file synchronisation services, such as Google Drive and Dropbox, and assume control of the user’s drive itself. These attacks do not require compromised credentials, malware, or malicious code to be executed: all that’s needed is access to the synchronisation token system. Once the token has been replaced with one that gives access to both the victim and attacker, it’s game over – and worst of all, you might not even know that you’ve been attacked.

  • Abuse of cloud services

This scenario involves outside actors gaining access to your cloud, then using your own resources to launch attacks against others. For example, hackers may infiltrate your cloud, assume control of your resources, then launch a DDoS attack against your own cloud or that of another.

Not only can this cause obvious financial and reputational damage to your business, but your cloud provider may be required to use their remaining resources to fight the attacker, further reducing your own.

  • Cloud malware injection attacks

During a cloud malware injection attack, hackers will attempt to ‘inject’ malicious or dangerous services and VMs into the cloud itself. Once done, any authorised user will be redirected to the malicious version of the service, as opposed to the legitimate one – and the hacker will gain complete control of this user’s data.

These attacks are not very challenging to deal with, but they are popular, because web applications are exposed to potentially billions of other internet users – meaning that anyone who wants to have a go, probably will. And that goes for both legitimate users and hackers.

Security requires agility

To overcome these challenges, businesses must deploy cloud architecture that is designed from the ground up to provide end-to-end security. Relying on the cloud vendor for your security needs is not enough: never assume your full security requirements will be met solely by the vendor as they are not familiar with your wider architecture. You must create your own strategy and do so while you’re deploying the cloud across your business. This ensures security is baked into your cloud architecture from the start. Doing so requires development and security teams to work closely together, a best practice which is sadly not in place in many businesses. It requires a rethink of how teams work together, but the benefits far outweigh the costs of redesigning your team’s operation.

Once these crucial principles are nailed down, a set of best practices must be implemented to ensure cloud environments remain secure over time:

  • Encryption is key: Local data encryption is a vital tool for any business looking to bolster privacy in the cloud. This ensures ‘double security,’ and helps to protect even the most sensitive information from system administrators and service providers.
  • Focus on your employees: Make sure you have the right procedures in place to educate your staff on cloud security. Multi-factor authentication, only connecting to secure Wi-Fi networks, monitoring privileges, and education around the most common hacking techniques will go a long way in ensuring the continuous security of your cloud. Weaving security into the business culture is key to avoiding a security gap that leaves a network vulnerable.
  • Test vulnerabilities and action the results: To meet compliance and regulation needs and defend themselves against growing security threats, businesses must take a rigorous approach to cloud security management. This demands regular testing for potential system weaknesses. It often helps to have an outside perspective, so make sure the tests are performed by external experts.

One thing is certain: the cloud is here to stay, and as cloud use grows and the tools become more powerful, so will attackers and their methods. Staying one step ahead of hackers is a difficult feat, but having the security basics baked into cloud infrastructure deployments will ensure that your business is as secure in the cloud as it is on premises.

Andy Simpson-Pirie, CTO, Cyberfort Group

Andy Simpson-Pirie is CTO at Cyberfort Group. Andy was previously Portfolio CTO of LDC, Lloyds Banking Group’s private equity arm, and prior to this, he was CTO at Zurich Insurance.