Cloud computing: biggest risks and best practices

Kieran Roberts Headshot
Kieran Roberts
Penetration Tester
01st February 2022

Cloud computing is a highly convenient and cost-effective way of storing data, but it also comes with risks. Businesses often use this technology without understanding how vulnerable they are to security breaches. With the rise in cybercrimes, businesses need to be more vigilant about their data security than ever before.

This article will discuss some of the most common cyber security risks associated with cloud computing and provide information on how they can be managed.

What is cloud computing?

It makes sense to begin by discussing what cloud computing is; many people working in the IT industry would understand it as a way of storing data online. However, when we look closer we realise that cloud computing is far from being just a storage system.

The National Institute of Standards and Technology (NIST), an agency that works under the United States Department of Commerce, defines cloud computing as;

"A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

In other words, cloud computing refers to hosting your files on someone else's servers instead of your own computer. This provides users with ease of access across multiple devices and cost savings since businesses do not have to invest in their own servers.

Having your files in an online space is not necessarily dangerous, but the convenience of cloud computing has led to weakness among businesses when it comes to security. As more companies rely on cloud based technology for their work, especially with remote working practices in place, they need to ensure that everything is secure so that confidential data remains protected.

Cloud computing security risks

Cloud computing has made information available to businesses and individuals from anywhere that has an internet connection. While this sounds beneficial, there are substantial risks associated with storing important data on external servers. Let us take a look at some of the most common security pitfalls associated with cloud storage:

  • Data breaches

    One of the biggest cloud security risks is unauthorised access due to poor security measures resulting in a data breach. Businesses have to ask themselves whether their online storage provider guarantees complete protection against leakage or unauthorised access to personal or sensitive data. If organisations need high levels of security as per industry standards, they should only sign up with a cloud service provider who meets all criteria related to cloud security. Weve outlined what to look for here, or you can get in touch with us to find out how to strengthen your security infrastructure.

  • Data loss

    Cloud services have the potential to back up massive amounts of data. While this may be convenient, it is important to note that not all cloud service providers are equipped to deal with producing backups when needed. As such, data loss is a risk if businesses do not store their files with an organisation that offers reliable backups. Regularly backed up files and folders will help keep your business protected against data loss, so make sure your chosen cloud service provider offers this feature.

  • Data leakage

    Cloud services often come with publicly accessible links or URLs for uploading and downloading files. This is convenient but may result in data leakage if you do not take care of your security controls. It is crucial that businesses mitigate the risk by using strong link encryption and restricting access to links in line with best practice.

  • Data deletion

    Even though you're probably used to deleting files from your own computer when they're no longer needed, it's important to learn that simply hitting the delete button when using most online storage solutions is not enough to get rid of all traces of your backed up data. For example, Microsoft OneDrive keeps files in a cloud based recycle bin even after they have been deleted locally, so they need to be removed directly in the cloud. It’s best to find out before signing up for a new service exactly how they permanently remove old files from their servers, so there aren't any unexpected surprises down the line.

  • Account hijacking

    Cybercriminals can obtain login information to remotely access sensitive data stored in the cloud. This means that when you or your employees use cloud services, it is best practice to use strong passwords that are changed frequently. If you choose to implement additional security layers on top of the login information, hackers have been known to exploit vulnerabilities in network infrastructure, so having a short expiry date for any necessary access credentials is recommended.

  • Regulatory compliance

    Data protection rules and regulations may vary from one country to another. Before signing up for a cloud-based service provider or migrating your operations to an offshore location, consult with an expert who can advise you on compliance and data sovereignty issues as per industry standards.

    Read another related blog post on Data Protection and GDPR
  • Insider threats

    It isn't necessarily security threats from outside your workplace that you need to worry about when it comes to cloud security risks. IT administrators, system developers, and other trusted employees with access to sensitive data might cause damage by accident, or use the cloud for non-work related purposes. So business owners need a way of recording and monitoring all actions taken on their accounts.

    It's clear that cloud computing provides many benefits, but it is also important to be aware of the associated security risks to ensure your business isn't adversely affected in the event of a breach.

  • Insecure API

    Application Programming Interface (API) is a set of routines, protocols, and tools for building software applications. It is best practice to ensure that cloud services have secure APIs that guarantee the confidentiality and integrity of information. If you're using a cloud computing environment that does not have secure APIs, you run the risk of exposing your data and systems to unnecessary risks. Typically, there are three types of attacks that hackers will use to try to compromise APIs: brute force, denial of service (DoS) and man in the middle (MITM) attacks.

    • Brute force attacks are against any part of the system that presents an interface. Even though this may be a username and password login, it may also be trying to access other parts of the application or system through insecure APIs. Since these types of attacks take advantage of weak passwords, admins need to ensure all passwords used in connection with cloud services are strong and updated regularly.

    • Denial-of-Service attacks on APIs work by flooding systems with requests until they overload and become unresponsive – rendering them useless. When choosing a cloud service provider, you should look for one with DoS protection as well as threat detecting capabilities so that if your applications start getting hit by such an attack, the provider will either stop the attack or remove the system from the network until it is fixed.

    • Man-in-the-middle attacks occur when hackers create an alternative route between your servers and cloud providers by connecting their own equipment in between, accepting all traffic before passing it along to its original destination. Depending on how much data is being transferred over this pathway, hackers could potentially intercept all the information sent back and forth without either party knowing until the damage has been done. In order to prevent these types of attacks, make sure that any connections made with your provider are secure, encrypted and authenticated. Look for end-to-end security solutions that protect every connection.

  • No control over repositories

    When it comes to cloud security threats, you have little control over where your data is being stored. This means that if a data breach occurs, you may not even be aware or be able to find out where it happened.

    Unfortunately, that means that your data could potentially be hosted on cloud servers all over the world. This is why it's crucial for organisations to know where their data is being held and the security measures in place at each location.

    To mitigate this security risk, it is best practice for admins to encrypt their data before it leaves their own network to ensure that even if hackers manage to intercept it, they cannot decrypt and use the information.

Best practices for risk management

  • Cloud penetration testing

    Cloud penetration testing should be conducted regularly as part of your businesses risk management strategy as cloud networks are an attractive source for hackers to exploit. Cloud pen testing is an effective and proactive way to assess the cyber security posture within a cloud infrastructure. With the digital transformation and many organisations migrating to cloud technology, it leaves hackers with new opportunities to conduct cyber attacks. The remote nature of the cloud means there are greater vulnerabilities to exploit, including weak credentials, insecure APIs, and outdated software. Cloud penetration testing addresses these vulnerabilities by assessing weaknesses within the cloud, as a real-world hacker would, to evaluate the cloud’s security posture.

  • Contingency planning

    Ensure that your online storage provider has a business continuity plan (BCP) that outlines their strategy for protecting information stored within their servers in the case of any serious emergencies, such as natural disasters or terrorist attacks. You should also ask how often they test this plan to make sure everything works properly when needed.

  • Data security audit

    Ask your service provider whether they perform routine audits of security controls to protect end-user's personal data and sensitive files stored throughout their networks; if not, then you might want to look for another cloud computing partner who can provide complete transparency regarding the security measures implemented by their system’s administrators.

  • Security training

    You should also ask your cloud storage provider if they offer any training or workshops to help educate staff about potential cyber threats and security risks involved with cloud computing services. Employees working for a business must understand the inner workings of their company's data management system, especially when it comes to avoiding social engineering attacks on end-user's personal information, documents, and files stored within remote servers.

  • Customer service

    Be aware that many service providers fail to provide 24/7 support for clients, which can be very frustrating whenever problems occur outside office hours. Ask your online storage provider if they offer 24/7 technical support for their customers, or at least ensure that you know the average response time to resolve any service-related issues whenever possible.

In conclusion

There is no doubt that cloud computing provides businesses with access to their important data virtually anywhere around the world without needing to maintain a server. However, with remote accessibility to sensitive and business-critical data there is a need for sufficient risk management to prevent hackers from breaching cloud applications.

Understanding the risks and vulnerabilities of cloud services is crucial to safeguarding your business from cyber criminals. Cyber security solutions which include cloud penetration testing services will go a long way to providing greater peace of mind for businesses concerned about their cloud security. Cloud pen testing can identify and manage threat monitoring for most cloud service providers and deliver detailed threat assessments to businesses.

Just remember, before jumping on board and signing up for one of these cloud providers, it is ultimately up to you to conduct your own research to find out whether they are worth doing business with. The more research you conduct while looking into the different cloud services available, the easier it will be to determine which companies offer the best features and security systems along with a proven track record for maintaining customer confidentiality.

Kieran Roberts Headshot

Meet the author

Kieran Roberts Penetration Tester

Kieran is a security tester who’s contributed to articles on a range of pen testing topics, including industry insights and best practices.

Resolve your security weaknesses

Contact our team of experts to find out more about how penetration testing can help protect your business

Learn more

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.