Data Security Issues, Threats, CIA Triad

Cloud data security encompasses technologies, policies, and controls designed to protect data in the cloud from loss, leakage, or unauthorized access. It is built on the principles of confidentiality, integrity, and availability (CIA triad), which ensure data is kept private, trustworthy, and accessible. Key threats include data breaches, data loss, insider threats, and denial of service attacks, all of which necessitate robust security measures and employee training.

CLOUD DATA SECURITY

Cloud data security refers to the technologies, policies, services and
security controls that protect any type of data in the cloud from loss,
leakage or misuse through breaches, exfiltration and unauthorized access.
A robust cloud data security strategy should include:
- Ensuring the security and privacy of data across networks as well as
  within applications, containers, workloads and other cloud
  environments
- Controlling data access for all users, devices and software
- Providing complete visibility into all data on the network
Cloud data security is the combination of technology solutions, policies, and
procedures that the enterprise implements to protect cloud-based applications
and systems, along with the associated data and user access.
The core principles of information security and data governance—
data confidentiality, integrity, and availability (known as the CIA triad)—also
apply to the cloud:
- Confidentiality: protecting the data from unauthorized access and
  disclosure
- Integrity: safeguarding the data from unauthorized modification so it can
  be trusted
- Availability: ensuring the data is fully available and accessible when it’s
  needed

Confidentiality

Confidentiality involves the efforts of an organization to make sure data is kept
secret or private. To accomplish this, access to information must be controlled
to prevent the unauthorized sharing of data—whether intentional or
accidental. A key component of maintaining confidentiality is making sure that
people without proper authorization are prevented from accessing assets
important to your business. Conversely, an effective system also ensures that
those who need to have access have the necessary privileges.

For example, those who work with an organization’s finances should be able to
access the spreadsheets, bank accounts, and other information related to the
flow of money. However, the vast majority of other employees—and perhaps
even certain executives—may not be granted access. To ensure these policies
are followed, stringent restrictions have to be in place to limit who can see
what.

There are several ways confidentiality can be compromised. This may involve
direct attacks aimed at gaining access to systems the attacker does not have
the rights to see. It can also involve an attacker making a direct attempt to
infiltrate an application or database so they can take data or alter it.

These direct attacks may use techniques such as man-in-the-middle (MITM)
attacks, where an attacker positions themselves in the stream of information
to intercept data and then either steal or alter it. Some attackers engage in
other types of network spying to gain access to credentials. In some cases, the
attacker will try to gain more system privileges to obtain the next level of
clearance.

However, not all violations of confidentiality are intentional. Human error or
insufficient security controls may be to blame as well. For example, someone
may fail to protect their password—either to a workstation or to log in to a
restricted area. Users may share their credentials with someone else, or they
may allow someone to see their login while they enter it. In other situations, a
user may not properly encrypt a communication, allowing an attacker to
intercept their information. Also, a thief may steal hardware, whether an
entire computer or a device used in the login process and use it to access
confidential information.

To fight against confidentiality breaches, you can classify and label restricted
data, enable access control policies, encrypt data, and use multi-factor
authentication (MFA) systems. It is also advisable to ensure that all in the
organization have the training and knowledge they need to recognize the
dangers and avoid them.

Integrity

Integrity involves making sure your data is trustworthy and free from
tampering. The integrity of your data is maintained only if the data is
authentic, accurate, and reliable.

For example, if your company provides information about senior managers on
your website, this information needs to have integrity. If it is inaccurate, those
visiting the website for information may feel your organization is not
trustworthy. Someone with a vested interest in damaging the reputation of
your organization may try to hack your website and alter the descriptions,
photographs, or titles of the executives to hurt their reputation or that of the
company as a whole.

Compromising integrity is often done intentionally. An attacker may bypass an
intrusion detection system (IDS), change file configurations to allow
unauthorized access, or alter the logs kept by the system to hide the attack.
Integrity may also be violated by accident. Someone may accidentally enter the
wrong code or make another kind of careless mistake. Also, if the company’s
security policies, protections, and procedures are inadequate, integrity can be
violated without any one person in the organization accountable for the
blame.

To protect the integrity of your data, you can use hashing, encryption, digital
certificates, or digital signatures. For websites, you can employ trustworthy
certificate authorities (CAs) that verify the authenticity of your website so
visitors know they are getting the site they intended to visit.

A method for verifying integrity is non-repudiation, which refers to when
something cannot be repudiated or denied. For example, if employees in your
company use digital signatures when sending emails, the fact that the email
came from them cannot be denied. Also, the recipient cannot deny that they
received the email from the sender.
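
As an added illustration (not from the document), the hash-chained log below applies the hashing technique described above to the log-alteration scenario from the Integrity section: each entry's SHA-256 covers the previous entry's hash, so editing, deleting or reordering an entry breaks the chain. It assumes the head hash is kept somewhere the attacker cannot reach; a hash chain alone gives integrity, not non-repudiation, which would additionally require a digital signature over the head.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # fixed value that anchors the first entry of the chain

def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON encoding of the record."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append_entry(log: list, record: dict) -> str:
    """Append a record linked to the last entry; return the new chain head."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev_hash, "hash": entry_hash(prev_hash, record)})
    return log[-1]["hash"]

def verify_chain(log: list, head: Optional[str] = None) -> tuple:
    """Return (ok, index). On failure, index is the first entry whose link or hash is wrong,
    or len(log) when the chain is internally valid but its head differs from the stored one."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != expected_prev:
            return False, i  # an entry before i was removed or reordered
        if entry_hash(entry["prev"], entry["record"]) != entry["hash"]:
            return False, i  # the record or its hash was edited in place
        expected_prev = entry["hash"]
    if head is not None and expected_prev != head:
        return False, len(log)  # trailing entries were truncated
    return True, len(log)

def build_sample_log() -> tuple:
    """Constructed sample: three events an intruder would want to hide. Returns (log, head)."""
    log = []
    append_entry(log, {"ts": "2024-01-01T03:02:00Z", "user": "alice", "event": "login"})
    append_entry(log, {"ts": "2024-01-01T03:05:10Z", "user": "alice", "event": "read", "obj": "payroll.xlsx"})
    head = append_entry(log, {"ts": "2024-01-01T03:06:00Z", "user": "alice", "event": "export", "obj": "payroll.xlsx"})
    return log, head

def demo_tampering() -> dict:
    """Verify an intact log, one with an edited record, and one with its last entry deleted."""
    intact, head = build_sample_log()
    edited, _ = build_sample_log()
    edited[1]["record"]["obj"] = "lunch_menu.txt"  # rewrite what was read; hash no longer matches
    truncated, _ = build_sample_log()
    del truncated[-1]  # drop the export event; only the stored head reveals this
    return {
        "intact": verify_chain(intact, head),
        "edited": verify_chain(edited, head),
        "truncated": verify_chain(truncated, head),
    }

if __name__ == "__main__":
    print(demo_tampering())
```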

Availability

Even if data is kept confidential and its integrity maintained, it is often useless
unless it is available to those in the organization and the customers they serve.
This means that systems, networks, and applications must be functioning as
they should and when they should. Also, individuals with access to specific
information must be able to consume it when they need to, and getting to the
data should not take an inordinate amount of time.

If, for example, there is a power outage and there is no disaster recovery
system in place to help users regain access to critical systems, availability will
be compromised. Also, a natural disaster like a flood or even a severe
snowstorm may prevent users from getting to the office, which can interrupt
the availability of their workstations and other devices that provide business-
critical information or applications. Availability can also be compromised
through deliberate acts of sabotage, such as the use of denial-of-service (DoS)
attacks or ransomware.

To ensure availability, organizations can use redundant networks, servers, and
applications. These can be programmed to become available when the primary
system has been disrupted or broken. You can also enhance availability by
staying on top of upgrades to software packages and security systems. In this
way, you make it less likely for an application to malfunction or for a relatively
new threat to infiltrate your system. Backups and full disaster recovery plans
also help a company regain availability soon after a negative event.

Why Should You Use the CIA Triad?

The CIA triad provides a simple yet comprehensive high-level checklist for the
evaluation of your security procedures and tools. An effective system satisfies
all three components: confidentiality, integrity, and availability. An information
security system that is lacking in one of the three aspects of the CIA triad is
insufficient.

The CIA security triad is also valuable in assessing what went wrong—and what
worked—after a negative incident. For example, perhaps availability was
compromised after a malware attack such as ransomware, but the systems in
place were still able to maintain the confidentiality of important information.
This data can be used to address weak points and replicate successful policies
and implementations.

When Should You Use the CIA Triad?

You should use the CIA triad in the majority of security situations, particularly
because each component is critical. However, it is particularly helpful when
developing systems around data classification and managing permissions and
access privileges. You should also stringently employ the CIA triad when
addressing the cyber vulnerabilities of your organization. It can be a powerful
tool in disrupting the Cyber Kill Chain, which refers to the process of targeting
and executing a cyberattack. The CIA security triad can help you home in on
what attackers may be after and then implement policies and tools to
adequately protect those assets.

In addition, the CIA triad can be used when training employees regarding
cybersecurity. You can use hypothetical scenarios or real-life case studies to
help employees think in terms of the maintenance of confidentiality, integrity,
and availability of information and systems.

Data breaches

When data in the cloud is compromised, one consequence is leaked data. If the
cloud service – or a connected device – is breached, sensitive data has been
accessed, and a cyber criminal holding that information may choose to
distribute it. Data in storage becomes leaked when it is transferred out,
either electronically or physically. As cloud data does not rely on hardware
in the user's possession, cyber criminals can leak it online or by memorising
information and distributing it later. Also known as low and slow data theft,
data leakage is a common danger in cloud computing.

Personal health information (PHI), personally identifiable information (PII),
trade secrets and intellectual property are often the targets of data breaches
and require some of the highest levels of security in cloud computing.

Data Loss
Another common cloud storage security risk is data loss. As opposed to
information being stolen and distributed, it is erased entirely. This could either
be the result of hacking, a virus or a system failure – this poses an issue when
data is not backed up, highlighting the importance of securing cloud services.
However, if a cyber criminal is targeting specific data, they may target the
backup as well.

Data loss can be damaging for a business – the information can be difficult or
impossible to recover, and you may find recovery attempts use a lot of time,
money and resources. Some data may have to be recreated, and others may
be found in hard copy formats that need converting. Data loss can be very
disruptive to workflow.

Cryptojacking

Cryptojacking is a threat that hijacks computing resources to mine
cryptocurrencies. Attackers can take control of cloud networks, hijack web
browsers and compromise endpoints. This happens when weaknesses in security
leave the cloud infrastructure vulnerable, enabling devices to be hacked
without the user’s knowledge and used to mine cryptocurrencies.

While cryptomining is legal, it consumes a lot of resources, which is why cyber
criminals opt to mine on devices that aren’t theirs. You may find you have
higher electricity bills, lower battery life and slower processes. Cryptomining
can be a profitable business; however, in order to be successful, you will
likely have to spend a lot in advance on the resources you use.

What Is an Insider Threat?

An insider threat is a security risk that originates from within the targeted
organization. It typically involves a current or former employee or business
associate who has access to sensitive information or privileged accounts within
the network of an organization, and who misuses this access.

Traditional security measures tend to focus on external threats and are not
always capable of identifying an internal threat emanating from inside the
organization.

Types of insider threats include:

- Malicious insider—also known as a Turncloak, someone who maliciously and
  intentionally abuses legitimate credentials, typically to steal information for
  financial or personal incentives. For example, an individual who holds a grudge
  against a former employer, or an opportunistic employee who sells secret
  information to a competitor. Turncloaks have an advantage over other
  attackers because they are familiar with the security policies and procedures of
  an organization, as well as its vulnerabilities.
- Careless insider—an innocent pawn who unknowingly exposes the system to
  outside threats. This is the most common type of insider threat, resulting from
  mistakes, such as leaving a device exposed or falling victim to a scam. For
  example, an employee who intends no harm may click on an insecure link,
  infecting the system with malware.
- A mole—an imposter who is technically an outsider but has managed to gain
  insider access to a privileged network. This is someone from outside the
  organization who poses as an employee or partner.

Three types of risky behavior explained

Malicious Insider Threat Indicators

Anomalous activity at the network level could indicate an inside threat.
Likewise, if an employee appears to be dissatisfied or holds a grudge, or if an
employee starts to take on more tasks with excessive enthusiasm, this could be
an indication of foul play. Trackable insider threat indicators include:

- Activity at unusual times—signing in to the network at 3 am
- The volume of traffic—transferring too much data via the network
- The type of activity—accessing unusual resources
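
The three indicators in the list above, turned into detection logic as an added example (not from the document): it builds a per-user baseline from constructed historical access logs and flags new events whose hour, transfer size or resource falls outside that baseline. The log format and the thresholds (two hours of slack around the usual working hours, ten times the mean transfer size) are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample access logs (not real data); assumed format: "timestamp user resource bytes".
BASELINE_LOG = """\
2024-03-04T09:12:00 bob crm 120000
2024-03-04T14:30:00 bob crm 95000
2024-03-05T10:05:00 bob wiki 30000
2024-03-05T16:45:00 bob crm 115000
"""
NEW_LOG = """\
2024-03-07T10:00:00 bob crm 100000
2024-03-08T03:04:00 bob crm 98000
2024-03-08T03:10:00 bob hr-payroll 4000000
"""

def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        ts, user, resource, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "resource": resource, "bytes": int(size)})
    return events

def build_baseline(events: list) -> dict:
    """Per user: hours of day seen, resources seen, and mean bytes per access."""
    seen = defaultdict(lambda: {"hours": set(), "resources": set(), "sizes": []})
    for e in events:
        seen[e["user"]]["hours"].add(e["ts"].hour)
        seen[e["user"]]["resources"].add(e["resource"])
        seen[e["user"]]["sizes"].append(e["bytes"])
    return {u: {"hours": v["hours"], "resources": v["resources"],
                "mean_bytes": mean(v["sizes"])} for u, v in seen.items()}

def score_event(e: dict, baseline: dict, hour_slack: int = 2, volume_factor: int = 10) -> list:
    """Return which of the three indicators this event trips for its user."""
    base = baseline.get(e["user"])
    if base is None:
        return ["unknown user"]  # no history at all is itself worth a look
    hits = []
    lo, hi = min(base["hours"]) - hour_slack, max(base["hours"]) + hour_slack
    if not lo <= e["ts"].hour <= hi:
        hits.append("unusual time")          # e.g. signing in at 3 am
    if e["bytes"] > volume_factor * base["mean_bytes"]:
        hits.append("excessive volume")      # far more data than this user normally moves
    if e["resource"] not in base["resources"]:
        hits.append("unusual resource")      # something the user has never touched before
    return hits

def find_indicators(baseline_log: str = BASELINE_LOG, new_log: str = NEW_LOG) -> list:
    baseline = build_baseline(parse(baseline_log))
    flagged = []
    for e in parse(new_log):
        hits = score_event(e, baseline)
        if hits:
            flagged.append((e["ts"].isoformat(), e["resource"], hits))
    return flagged
```

A real deployment would keep a rolling baseline per user and weight the three indicators rather than treating any single hit as an alert.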
How To Protect Against an Insider Attack: Best Practices

You can take the following steps to help reduce the risk of insider threats:

- Protect critical assets—these can be physical or logical, including systems,
  technology, facilities, and people. Intellectual property, including customer
  data for vendors, proprietary software, schematics, and internal manufacturing
  processes, are also critical assets. Form a comprehensive understanding of
  your critical assets. Ask questions such as: What critical assets do we possess?
  Can we prioritize our assets? And, what do we understand about the current
  state of each asset?
- Enforce policies—clearly document organizational policies so you can enforce
  them and prevent misunderstandings. Everyone in the organization should be
  familiar with security procedures and should understand their rights in relation
  to intellectual property (IP) so they don’t share privileged content that they
  have created.
- Increase visibility—deploy solutions to keep track of employee actions and
  correlate information from multiple data sources. For example, you can use
  deception technology to lure a malicious insider or imposter and gain visibility
  into their actions.
- Promote culture changes—ensuring security is not only about know-how but
  also about attitudes and beliefs. To combat negligence and address the drivers
  of malicious behavior, you should educate your employees regarding security
  issues and work to improve employee satisfaction.

Insider Threat Detection Solutions

Insider threats can be harder to identify or prevent than outside attacks, and
they are invisible to traditional security solutions like firewalls and intrusion
detection systems, which focus on external threats. If an attacker exploits an
authorized login, the security mechanisms in place may not identify the
abnormal behavior. Moreover, malicious insiders can more easily avoid
detection if they are familiar with the security measures of an organization.

To protect all your assets, you should diversify your insider threat detection
strategy, instead of relying on a single solution. An effective insider threat
detection system combines several tools to not only monitor insider behavior,
but also filter through the large number of alerts and eliminate false positives.
Tools like Machine Learning (ML) applications can help analyze the data stream
and prioritize the most relevant alerts. You can use digital forensics and
analytics tools like User and Event Behavior Analytics (UEBA) to help detect,
analyze, and alert the security team to any potential insider threats.
User behavior analytics can establish a baseline for normal data access activity,
while database activity monitoring can help identify policy violations.

Denial of Service

Types of Denial of Service Attacks

There are three main types of DoS attacks:

1. Application-layer Flood

In this attack type, an attacker simply floods the service with requests from a
spoofed IP address in an attempt to slow or crash the service, illustrated in .
This could take the form of millions of requests per second or a few thousand
requests to a particularly resource-intensive service that eat up resources until
the service is unable to continue processing the requests.

2. Distributed Denial of Service Attacks (DDoS)

Distributed Denial of Service (DDoS) attacks occur in much the same way as
DoS attacks except that requests are sent from many clients as opposed to just
one, illustrated in . DDoS attacks often involve many "zombie" machines
(machines that have been previously compromised and are being controlled by
attackers). These "zombie" machines then send massive amounts of requests
to a service to disable it.

DDoS attacks are famously hard to mitigate, which is why outsourcing network
filtering to a third party is the recommended approach. We'll cover this later
on.

3. Unintended Denial of Service Attacks

Not all DoS attacks are nefarious. The third attack type is the "unintended"
Denial of Service attack. The canonical example of an unintended DDoS is
called "The Slashdot Effect". Slashdot is an internet news site where anyone
can post news stories and link to other sites. If a linked story becomes
popular, it can cause millions of users to visit the site, overloading the site
with requests. If the site isn't built to handle that kind of load, the
increased traffic can slow or even crash the linked site. Reddit and "The
Reddit Hug of Death" is another excellent example of an unintentional DoS.

The only way to prevent these types of unintended DoS attacks is to architect
your application for scale. Use patterns like edge-caching with CDNs, HTTP
caching headers, auto-scaling groups, and other methods to ensure that even
when you receive a large amount of burst-traffic, your site will not go down.

Another type of unintentional DoS attack can occur when servicing low
bandwidth areas. For instance, streaming content internationally means that
people in certain areas of the world with slow or bad internet connections
might cause problems. When your service attempts to send information to
these low-bandwidth areas, packets drop. In an attempt to get the information
to the destination, your service will attempt to resend all dropped packets. If
the connection drops the packets again, your service may make another
attempt. This cycle can cause your service's load to double or triple, causing
your service to be slow or unreachable for everyone.
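An added model (not from the document) of the retransmission cycle described above: it assumes every send is dropped independently with a fixed probability, computes the expected transmissions per packet, and compares retry-forever with two ways of bounding the extra load, a per-packet retry cap and a global retry budget.

```python
import random

def expected_sends(drop_prob: float, max_retries=None) -> float:
    """Expected transmissions per packet when each send is dropped with probability drop_prob.
    max_retries=None models the scenario above: keep resending until the packet gets through."""
    if not 0 <= drop_prob <= 1:
        raise ValueError("drop_prob must be in [0, 1]")
    if drop_prob == 1:
        if max_retries is None:
            raise ValueError("nothing is ever delivered; retrying forever never terminates")
        return float(max_retries + 1)
    if max_retries is None:
        return 1 / (1 - drop_prob)                    # geometric: 0.5 -> 2x, 2/3 -> 3x
    return (1 - drop_prob ** (max_retries + 1)) / (1 - drop_prob)

def simulate(packets: int, drop_prob: float, max_retries=None, retry_budget=None, seed=1) -> dict:
    """Send `packets` packets over a lossy link; report load multiplier and delivery rate.
    max_retries caps attempts per packet; retry_budget caps total retries as a fraction of packets."""
    if drop_prob >= 1 and max_retries is None and retry_budget is None:
        raise ValueError("unbounded retries on a link that drops everything never terminate")
    rng = random.Random(seed)  # seeded so runs are reproducible
    sends = retries = delivered = 0
    allowed_retries = packets * retry_budget if retry_budget is not None else float("inf")
    for _ in range(packets):
        attempt = 0
        while True:
            sends += 1
            if rng.random() >= drop_prob:
                delivered += 1
                break
            if max_retries is not None and attempt >= max_retries:
                break                                  # give up on this packet
            if retries >= allowed_retries:
                break                                  # global budget exhausted
            attempt += 1
            retries += 1
    return {"load_multiplier": sends / packets, "delivery_rate": delivered / packets}

def compare(drop_prob: float = 0.5, packets: int = 10000) -> dict:
    """Side by side: retry forever (the scenario above), capped retries, and a retry budget."""
    return {
        "retry_forever": simulate(packets, drop_prob),
        "max_3_retries": simulate(packets, drop_prob, max_retries=3),
        "budget_20pct": simulate(packets, drop_prob, retry_budget=0.2),
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:14s} load x{result['load_multiplier']:.2f}  delivered {result['delivery_rate']:.0%}")
```

With a 50% drop rate the retry-forever load is double, and at about 67% it is triple, matching the doubling and tripling described above; the cap and the budget trade some delivery for a load that stays bounded no matter how lossy the link is.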
