Common cloud computing vulnerabilities

In a cloud environment, cybersecurity responsibilities are divided between a cloud service provider (CSP) and clients. This division complicates data protection because it creates more entry points for malicious actors and room for human error. The responsibilities of both sides also differ depending on the chosen cloud computing model.

Let’s take a look at some common vulnerabilities that can become cloud attack vectors:

Security misconfigurations. Major CSPs like AWS, Google Cloud, and Azure provide their clients with numerous ways to configure the security of their environments. Developers can set additional protection measures for storage, infrastructure elements, virtual machines, etc. But developers can also misconfigure an environment due to:

  • Human error
  • Incomplete documentation from the CSP
  • Hidden or unobvious settings

Malicious actors can abuse a misconfigured cloud environment to gain access to sensitive data or take control of a cloud application or environment.

Weak access management. Access to cloud resources should be protected with multi-factor authentication (MFA), password management, configurable access rights, etc. Ideally, users should be able to access only the resources they need after the system verifies their identity, credentials, and access rights.

When a CSP doesn’t provide enough access protection capabilities or cloud administrators neglect to use them, hackers can acquire access to sensitive resources.

Unprotected APIs. APIs allow users to interact with cloud-based services. Vulnerabilities in APIs may significantly impact the security of a cloud-based application. For example, an API can overshare access information, grant unwanted visibility into the internals of an application, or ignore a service’s traffic limitations.

That’s why hackers often use cloud APIs to gain unauthorized access to data or perform a denial-of-service (DoS) attack.

Susceptibility to DoS attacks. One of the key benefits of cloud computing is 24/7 availability of a cloud application. If an organization and CSP fail to implement DoS protection mechanisms, malicious actors can spam their instances with requests and make them unavailable to legitimate users.

In this way, an organization can lose access to its sensitive data and internal cloud-hosted applications, or fail to provide services to its users. In some instances, hackers also demand a ransom from organizations to stop DoS attacks.

Account hijacking and compromise. Privileged access to cloud infrastructure and applications is often the target of hacking attacks. Using an admin’s credentials, hackers can infiltrate an organization without anyone noticing.

Account compromise can happen because of social engineering, failing to secure admin credentials, cross-site scripting and buffer overflow attacks, or failing to detect keyloggers and similar malware.

Weak or absent cryptography. Though cloud providers use cryptographic algorithms to protect data in storage, they usually rely on limited sources of entropy to automatically generate random numbers for data encryption. For instance, Linux-based virtual machines generate random keys from the exact millisecond. This may not be enough to ensure strong data encryption, as attackers also use sophisticated decoding mechanisms to hack information.

Thus, your team should think about how to secure data before moving it to the cloud.
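To make the limited-entropy point concrete, the following added example (not code from the original article or from any cloud provider) compares a 256-bit key derived from a millisecond clock reading with one drawn from the operating system CSPRNG. Python's `random` module stands in for any time-seeded generator, and the function names and timestamps are assumptions constructed for illustration.

```python
import math
import random
import secrets

KEY_BYTES = 32                    # 256-bit key
START_MS = 1_700_000_000_000      # constructed sample: start of the suspected window


def time_seeded_key(ms: int) -> bytes:
    """Weak: every key byte is a pure function of one millisecond clock reading."""
    return random.Random(ms).getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def csprng_key() -> bytes:
    """Hardened: key bytes come from the operating system CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def effective_bits(window_ms: int) -> float:
    """Upper bound on entropy when the only unknown is the creation millisecond."""
    return math.log2(window_ms)


def reproducible_from_clock(key: bytes, start_ms: int, window_ms: int) -> bool:
    """Audit check: does any clock value in the window regenerate this key?"""
    return any(time_seeded_key(t) == key for t in range(start_ms, start_ms + window_ms))


if __name__ == "__main__":
    day_ms = 24 * 60 * 60 * 1000
    print(f"nominal key size: {KEY_BYTES * 8} bits")
    print(f"effective size, creation day known: {effective_bits(day_ms):.1f} bits")
    weak = time_seeded_key(START_MS + 7_321)   # constructed creation time
    print("time-seeded key reproducible:", reproducible_from_clock(weak, START_MS, 10_000))
    print("CSPRNG key reproducible:", reproducible_from_clock(csprng_key(), START_MS, 10_000))
```

A key that is nominally 256 bits long carries fewer than 27 bits of uncertainty when its creation day is known, which is why keys for data headed to the cloud should come from a CSPRNG or a managed key service.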

Shared technology vulnerabilities. Cloud computing involves the use of shared technologies such as virtualization and cloud orchestration. By exploiting vulnerabilities in any part of these technologies, attackers can cause significant damage to many cloud users.

Weaknesses in a hypervisor can allow hackers to gain control over virtual machines or even the host itself. If a hacker escapes a virtual machine, they can gain unrestricted access to the host through shared resources. It’s necessary to pay attention to the security of the cloud provider that you entrust with your cloud solution.

To learn more, read the full article at the Apriorit blog, where we offer practical advice on how to ensure the security of your cloud-based solution considering industry best practices and our own experience.

Apriorit