Skip to main content

Is Cloud Computing a Security Concern | Optiv

November 16, 2010

Before cloud computing had even gotten off the ground, people were talking about the security implications of computing in the cloud. When you step down from the semantic sugar and look at the basics, cloud computing is not fundamentally different from any other technology. When a technology can be influenced to execute outside of its intended purpose, a vulnerability is present. The following elucidates some of my thoughts regarding cloud computing.

Let me start off with enterprise vulnerabilities. First off, enterprises face exactly the same vulnerabilities whether they’re using on-premise equipment, cloud computing, or some combination thereof. The standard enterprise vulnerabilities range from the Open Web Application Security Project (OWASP) Top 10 to the low level buffer overflow, all of which people have been fighting for the past 15 years or so. The big change with mobile rising from cloud adoption is that vulnerabilities move from something the enterprise owns and controls to something a third party owns and controls. It raises the question about who owns the vulnerabilities and who is able to find the vulnerabilities and remediate them.

There is also no difference in using social media as an avenue for attack (one of the biggest threats for most organizations) when comparing on-premise versus mobile computing. A computer accessing Facebook or Twitter is just as easily hacked as a mobile device accessing those same sites. That’s because the fundamental constructs of accessing a site over mobile or via a traditional method are identical. Despite the device the consumer is using, hackers can still get to sensitive data by exploiting the same vulnerabilities present in the various social media platforms.

In my opinion, the more real and immediate dangers of cloud computing impact individual consumers, but not enterprises. For example, consumers have traditionally been able to protect their data by using the latest patches and avoiding risky behavior while on the Internet. As consumers use more mobile technology tied to the cloud, attackers looking to compromise data are going to have an easier time finding specific consumer's data, and may do it at any time throughout the day.

This is a new paradigm because consumer data has historically been available to attackers only when consumers’ computers have been on or they’ve been browsing Web sites. Consumers have been able to unplug their computers from their network and turn them off in order to protect their data. With cloud computing, there is a server out there with available data 24 hours a day, seven days a week. It will no longer matter what steps consumers take to protect their data - the onus shifts to the third party MSP, and IT departments need to be constantly vigilant.

Another real consumer danger: if an attacker is able to compromise the credentials in a cloud-based environment, they can access all of the data. This is often not an issue with enterprises since passwords are generally just the first line of defense. But, with consumers, usernames and passwords are often the only lines of defense for cloud computing (consumers don’t need usernames and passwords if their data resides on their hard drives). Often times, password compromise is the easiest way to gain access to a system.

As cloud adoption continues to become more prevalent, vulnerabilities within Web browsers will matter less to attackers. The data that is valuable to attackers will soon be predominantly located on cloud-based computing servers, rather than on consumers’ systems. Although getting into cloud-based computing servers will be a more difficult task, the reward will be greater. Compromising a single entity will lead to the exfiltration of a large number of consumers’ personal information.

Related Blogs

April 13, 2018

Observations on Smoke Tests – Part 2

There are a variety of scanning tools in the market today, from commercial to open source. Some are intended only for identifying a particular vulnera...

See Details

March 15, 2018

Pass-the-Hash

Pass-the-hash (PtH) is an all too common form of credentials attack, especially since the advent of a tool called Mimikatz. Using PtH to extract from ...

See Details

January 31, 2018

Cloud Critical Controls

It’s no secret – organizations are moving to the cloud faster than their security teams can secure them. The daunting task of catching up to the secur...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

RELATED INSIGHTS

June 16, 2016

Cloud Security Services

Movement to the cloud is a necessity for organizations. Learn how Optiv’s comprehensive suite of cloud solutions can help you get there securely.

See Details

September 20, 2017

Cloud Security Architecture

Learn how our experts formulate an actionable strategy with key stakeholders and help implement your cloud security program across the enterprise.

See Details

February 04, 2014

Internet Security Questions for the Cloud Provider | Optiv

When considering a move to the cloud, there are a number of security questions that should be considered as you select a potential cloud provider. Alm...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.