Successful attacks against cloud platforms and infrastructure can be prohibitively expensive. In the Dyn cyber attack that took place in October, for example, multiple denial-of-service (DoS) attacks targeting systems operated by DNS provider Dyn rendered major Internet platforms and services unavailable to masses of users across Europe and the US.
“The attack took down Amazon, Reddit, Tumblr, Twitter and others, and was carried out via compromised Internet of Things (IoT) devices, such as digital video recorders,” says Lutz Blaeser, MD of Intact Security, a provider of Bitdefender security solutions.
He says research indicates that around 70% of the world’s organisations now operate, at least on some level, in the cloud. “The benefits of cloud are numerous. Lowered and fixed expenses, greater flexibility, automatic software updates, improved collaboration, as well as the flexibility to work from anywhere at any time. It’s no surprise then that the adoption of cloud services is only set to increase in the future. However, alongside these benefits come a slew of security issues.”
At the same time, the increased use of cloud services goes hand in hand with an increased risk of business disruption from widespread outages when a dependency in the cloud is affected. “For example, a disruption in Google Maps would have a roll-on effect on many other services. Similarly, an attack on Facebook’s authentication services could affect numerous other applications and Web sites that rely on Facebook authentication for users’ access. This is exactly what happened to the sites and services that were dependent on Dyn’s DNS services.”
However, it isn’t only DDoS attacks that could compromise cloud services, he says. “Take a look at the data breach at Target, which resulted in the loss of personal and credit card information of many millions of people. This breach was only one of many that affected businesses during the daily processing and storage of information. Whichever way you look at it, cloud computing has brought with it significant new vectors for attacks.”
As with all platforms and technologies, there is no silver bullet for cloud security. “While many of the past attacks on cloud systems haven’t been ‘new’ attacks per se, rather old ones that are aimed at cloud systems, Web application attacks constituted the majority of breaches this year. These attacks have included cross-site scripting, SQL injection, broken authentication and suchlike,” Blaeser says.
According to him, many other types of attacks and weaknesses worry organisations: application weaknesses, targeted attacks and advanced persistent threats (APTs), new and sophisticated malware, access management and many others.
“Take APTs for example. Once they have gained a foothold into a company’s systems, irrespective of whether that system is a cloud system, an on-premise or Web application, they will exploit any vulnerabilities that exist to entrench themselves on the network, or use the compromised system as a stepping stone to attack other systems.”
And these attacks are costly. “The full financial impact of an attack is hard to determine. There are quantifiable costs such as loss of money, data and intellectual property; there are other costs, such as damage to reputation, loss of customer confidence and similar, that are near impossible to measure.”
At the end of the day, the more businesses rely on cloud services, and the more the interdependence between these services escalates, the more the security posture of all these services matters, Blaeser concludes.