A misconfigured system or network can provide an attacker with an entry point, allowing them to move laterally within the network and gain unauthorized access to sensitive resources. Misconfigurations can be the result of lack of security awareness during configuration of cloud systems, human error, or improperly defined automation templates.
Data Privacy and Confidentiality
Data privacy and confidentiality are major concerns for many organizations. Data protection regulations such as the EU General Data Protection Regulation (GDPR), the US Health Insurance Interoperability and Accessibility Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS), require organizations to protect customer data. Most organizations also have sensitive or confidential data that is not covered by compliance standards, but would be extremely damaging to the business if exposed.
Moving data to the cloud has many benefits, but also poses serious security concerns. Cloud-based storage services are often exposed to public networks by default, and if not properly secured, can make data easily accessible by attackers.
Many organizations migrating data and workloads to the cloud lack the expertise to ensure it is securely configured and deployed. This creates the risk that sensitive data moved to the cloud will be compromised, leading to expensive audits, compliance fines, and reputational damage.
Social Engineering and Credential Theft
Threat actors often use cloud applications and environments as part of social engineering attacks. With the growing use of cloud-based email and document sharing services (such as G-Suite, Google Drive, Office 365, and OneDrive), it is easy for attackers to trick employees into granting access to sensitive data. All is needed is to send a link requesting access to content, and provide a good excuse for the user to grant access.
There are many ways cybercriminals can compromise employee credentials to cloud services. Securing identities on the cloud is a major problem for organizations, because compromised identities can expose the privacy and security of critical cloud-based data and resources.
Specific Compliance Requirements
Most data protection standards require organizations to demonstrate that they properly restrict access to protected information (such as credit card data or medical patient records). This may require creating physical or logical isolation in an organization's network, ensuring that protected data can only be accessed by authorized employees.
Cloud deployments provide limited visibility and control over the infrastructure, and are also structured differently from traditional data centers. This can make it more difficult to achieve and demonstrate these types of compliance requirements in the cloud.
Related content: Read our guide to cloud security threats (coming soon)