
The cloud is one of the most important developments in modern computing. It gives organizations of all sizes the ability to quickly scale and streamline their storage, computing, and deployment operations. But these advantages come with their own set of vulnerabilities. In this article, we’ll look at a few major cloud security challenges, as well as what cloud service providers and their customers can do to mitigate risks.

Security Vulnerabilities and the Cloud

Many of the security challenges faced by organizations with operations in the cloud are also common to traditional data centers. All organizations need to proactively look for vulnerabilities in the design of their systems while ensuring that sufficient authentication procedures are in place to prevent unauthorized access. In the cloud, though, these concerns are multiplied. Your organization is likely to share storage and computing resources with many other companies, which can leave your data exposed in the event that their systems are compromised.

Security in the cloud falls on both providers and the organizations who use their services, though ultimately it’s the responsibility of each organization to ensure that its data is secure. The Cloud Security Alliance (CSA), a not-for-profit organization that promotes best practices in cloud security, recommends that organizations use multifactor authentication and encryption to protect their data whenever it’s being transmitted or stored outside the organization. This is, according to the CSA, especially critical for organizations in regulated industries like banking and healthcare, which have much stricter standards for how data can be stored and transmitted.

Now, we’ll take a look at some of the new security dimensions that storing data in the cloud introduces.

Physical security

One of the cloud’s biggest advantages is virtualization, which allows organizations to expand their data centers without having to worry about physical space. Instead, the responsibilities of maintaining a physical data center fall on the cloud service provider. At the same time, this means that organizations don’t have immediate physical access to their servers and routers.

At its physical data centers, the cloud service provider Rackspace uses two-factor authentication, biometric-controlled locks, video surveillance, and regular access reviews to ensure the physical integrity of their servers. But even those measures can’t protect against search warrants and raids by security services that result in the seizure of servers regardless of whether your organization is the target of the search.

Multitenancy

Related to virtualization is multitenancy. In the cloud, your data is likely to be stored alongside data from other companies, which could potentially include your competitors. One especially difficult part of cloud security is the potential for widespread collateral damage resulting from data breaches. Multitenancy, sharing storage and computing resources across clients, means that your organization’s data can be compromised as a result of another company’s security failure. For example, a poorly designed access policy in another tenant’s application code could result in your company’s data being exposed, especially in cases where multiple tenants’ data is stored in the same tables. That said, these risks can largely be mitigated with rigorous security procedures.

Some cloud service providers (Amazon Web Services and Rackspace, for example) offer dedicated servers (Amazon calls them “instances”), which are customizable, single-tenant solutions that put all of a client’s data on their own dedicated hardware.

API vulnerabilities

APIs are the ties that bind your systems to cloud services. Think of your data as being like a library, and an API as a library card that gives another company access to your data. You need to make sure that these cards only give them access to the sections of your library you want them to see, while keeping the rest roped off. Unfortunately, the convenience and wide availability of APIs also represent a potential security threat: the more third-party systems rely on your APIs, the more likely it is that a security flaw far removed from your own system will compromise your data as well. Especially in regulated industries (like finance and health care), using APIs at all entails some amount of risk, which makes the need for stringent security measures all the more pressing.

This makes securing APIs a paramount concern. Both public and private APIs should have some combination of identification, authentication, and authorization measures to control who is accessing what, and what they’re authorized to do with those assets. The more you’re able to control access to your assets, the less likely they are to be compromised by vulnerabilities in your cloud infrastructure.
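The two failure modes described above, a shared table that leaks across tenants and an API that authenticates callers without checking what they are authorized to do, are easy to see side by side in code. The following is an added example written for this article, not code from any cloud provider or from the CSA. The `ApiToken` shape, the `documents:read` scope name and the sample rows are all constructed for illustration; the point is that the tenant id and the scope come from the verified token, never from the request.

```python
import sqlite3
from dataclasses import dataclass, field

# Constructed sample data: one shared table holding documents for several tenants,
# the layout the article warns about (multiple tenants' data in the same table).
SAMPLE_ROWS = [
    (1, "tenant-a", "Q3 forecast", "confidential"),
    (2, "tenant-b", "Price list", "internal"),
    (3, "tenant-a", "Board minutes", "restricted"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
        "title TEXT NOT NULL, classification TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


@dataclass(frozen=True)
class ApiToken:
    """The 'library card' (hypothetical shape): who the caller is, which tenant
    they belong to, and which scopes (sections of the library) they may use.
    In a real system these fields come from a token the gateway has already verified."""
    subject: str
    tenant_id: str
    scopes: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the action."""


def fetch_document_unsafe(conn, token, doc_id):
    """The flawed access policy: the caller is identified (a token exists), but the
    row is looked up by id alone, so any tenant can read any other tenant's row."""
    return conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


def fetch_document(conn, token, doc_id):
    """Hardened policy: authorization (scope) is checked first, and the tenant id
    taken from the token is part of the query predicate."""
    if "documents:read" not in token.scopes:
        raise Forbidden(f"{token.subject} lacks documents:read")
    row = conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, token.tenant_id),
    ).fetchone()
    # Answer "not found" rather than "forbidden" for another tenant's id so the
    # API does not reveal which ids exist outside the caller's tenant.
    return row


def list_documents(conn, token):
    """Listing is tenant-scoped the same way; titles only, never other tenants' rows."""
    if "documents:read" not in token.scopes:
        raise Forbidden(f"{token.subject} lacks documents:read")
    return [
        r[0]
        for r in conn.execute(
            "SELECT title FROM documents WHERE tenant_id = ? ORDER BY id",
            (token.tenant_id,),
        )
    ]


if __name__ == "__main__":
    db = build_db()
    card_b = ApiToken("svc-b", "tenant-b", frozenset({"documents:read"}))
    print("unsafe lookup by tenant-b of id 1:", fetch_document_unsafe(db, card_b, 1))
    print("hardened lookup by tenant-b of id 1:", fetch_document(db, card_b, 1))
    print("tenant-b's own documents:", list_documents(db, card_b))
```

The unsafe function is what a "poorly designed access policy in another tenant's application code" looks like in practice: it never consults the token beyond its existence. The hardened version treats the token as the only source of the tenant id and checks the scope before touching data, which is the identification, authentication and authorization combination the paragraph above calls for.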

Insider Threats

Cloud service providers are responsible for the data of many different companies, making it imperative that the administrators and contractors who oversee those services can maintain the integrity of their customers’ data.

Insider threats don’t refer only to current or former workers who seek to intentionally compromise or misuse the organization’s network or system. Damage can also be done by inexpert or improperly trained workers who inadvertently cause data or security problems in the course of their work. For instance, a network administrator could inadvertently delete important data in the process of migrating from one database to another.

Whether the actions are malicious or inadvertent, the effects can be profound. For cloud service providers, this makes properly vetting and training workers extremely important. For their clients, it’s crucial that they encrypt their data and maintain their own logging and auditing systems.
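Maintaining your own logging and auditing, as the paragraph above recommends, only helps if something looks at the log. The following is an added example, not part of the original article or of any provider's tooling: it parses a handful of constructed JSON-lines audit events and flags any privileged account that performs a burst of destructive operations in a short window. The log format, the action names and the actors are all invented for the illustration; a malicious insider and an administrator botching a database migration produce the same signal here, which is the point the article makes about intent not mattering to the outcome.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (hypothetical format): one privileged account performs
# several destructive actions within minutes, while the others behave normally.
SAMPLE_LOG = """
{"ts": "2024-05-01T02:00:01Z", "actor": "admin@provider", "role": "admin", "action": "db.table.read", "target": "customers"}
{"ts": "2024-05-01T02:00:05Z", "actor": "admin@provider", "role": "admin", "action": "db.table.drop", "target": "customers_old"}
{"ts": "2024-05-01T02:01:10Z", "actor": "admin@provider", "role": "admin", "action": "db.row.delete", "target": "orders"}
{"ts": "2024-05-01T02:02:30Z", "actor": "admin@provider", "role": "admin", "action": "storage.object.delete", "target": "backups/2024-04"}
{"ts": "2024-05-01T02:03:00Z", "actor": "deploy-bot", "role": "service", "action": "storage.object.delete", "target": "tmp/build-123"}
{"ts": "2024-05-01T02:10:00Z", "actor": "ops@provider", "role": "admin", "action": "db.row.delete", "target": "sessions"}
{"ts": "2024-05-01T02:25:00Z", "actor": "ops@provider", "role": "admin", "action": "db.row.delete", "target": "sessions"}
"""

# Actions that remove data; constructed names, adapt to whatever your audit source emits.
DESTRUCTIVE = {"db.table.drop", "db.row.delete", "storage.object.delete", "backup.delete"}


def parse_events(text):
    """Parse JSON-lines audit records, converting the timestamp to a datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def flag_destructive_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Return {actor: peak_count} for actors who performed at least `threshold`
    destructive actions inside any sliding window of length `window`."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] in DESTRUCTIVE:
            by_actor[e["actor"]].append(e["ts"])

    flagged = {}
    for actor, times in by_actor.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), count)
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for actor, n in flag_destructive_bursts(evts).items():
        print(f"ALERT: {actor} performed {n} destructive actions within 5 minutes")
```

The sliding window keeps the check linear in the number of events per actor, and the thresholds are deliberately parameters: a nightly cleanup job will legitimately delete in bursts, so the tuning belongs to the client, who knows their own workload, rather than to the provider.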

Compliance and Due Diligence

Closely related to security is compliance. When choosing a cloud service provider, it’s critical for customers to make sure that the service level agreement (SLA) covers all their security and compliance requirements. The terms of the SLA will likely vary depending on the kind of services being offered: IaaS (Infrastructure as a Service) agreements typically assign more responsibility for the software and data on the customer, while SaaS (Software as a Service) agreements usually make software and data the responsibility of the provider. PaaS (Platform as a Service) agreements fall somewhere in the middle. As a result, it’s imperative that customers thoroughly evaluate their SLAs to make sure they understand exactly what their responsibilities and liabilities are.

For enterprises in regulated industries, working in the cloud introduces a whole new layer of complexity, as any cloud solution used must also comply with relevant mandates, whether HIPAA, Sarbanes-Oxley, PCI-DSS, or European privacy requirements. This places an additional burden on the providers to ensure their systems work in accordance with a number of regulatory schemes, but it’s also the clients’ responsibility to perform the due diligence to ensure that they choose compliant providers. Audit trails, continuity and recovery services, and record keeping are just some of the features that companies in regulated industries may need to look for.

It Takes a Village (to Secure Your Data)

The complexity of the cloud means that responsibility for keeping your data and your customers’ data secure may be spread not just across your own organization, but between your organization and your service provider. Therefore, it’s important to make sure that you have clearly defined and proactive security measures in place to preserve the integrity of your data in the event of a security incident and to quickly get your systems back up in case of a failure.

In addition to a cloud server architect to design and build a secure system, you’ll probably want a cloud security expert to continually evaluate your security practices and evolve them as necessary. Learn more about trends in cyber security or explore freelancers on Upwork today.