By Madison Iler   /   Feb 18th, 2020

The 4 Most Common Cloud Storage Security Risks

Cloud storage security risks are constantly evolving. In our security assessments, we find that as more data is stored in and accessed from the cloud, organizations need help understanding and assessing their cloud storage security risks. Many of our clients have structured, consistent approaches to cloud security; others are not yet fully aware of the shared responsibility model of cloud security, or of their options for using and securing cloud services.

As we see in the news all too often, the use of cloud applications can present various security risks, and organizations often fail to identify and properly manage those risks. Here are four common examples of cloud storage security risks that our consultants run across regularly, along with tips for improving security.

1. Gaps in Access Control Processes

  • Risk: Most organizations have consistent processes in place for access control, such as authorization, role-based access, regular account review, and prompt disabling of accounts when an employee leaves the company or changes roles. But sometimes their existing processes are not extended to include access to all cloud services.
  • Why it matters: Access to company data in the cloud should be carefully managed to reduce the risk of unauthorized access and protect against data breaches. When standard access control procedures are not extended to cloud applications, it can result in accounts with overly broad permissions and failures to disable accounts when they are no longer needed.
  • Recommendations: Conduct an inventory of the cloud services in use and bring them into your organization’s access control processes: consistent authorization, and access restricted to what the specific job role needs. Maintain records of each employee’s access authorizations, cloud services included, so that the full scope of access is disabled or modified on termination or role change. Review accounts regularly to identify and disable inactive ones; a dormant account that nobody is watching is an easy target for compromise and a path to data exfiltration.

2. Authentication Weaknesses

  • Risk: Transitioning to the cloud can create gray areas about who is responsible for which security controls. This often comes up in relation to authentication. We’ve seen clients who think they are “stuck” with a cloud service’s weak password requirements or lack of multi-factor authentication (MFA). But in many cases, password configuration and MFA are under the client’s control!
  • Why it matters: Strong authentication requirements, including MFA, are among the most effective defenses against unauthorized access and account compromise. Cloud services are often configured for “anytime, anywhere” access, which makes them prime targets for attackers who know these accounts frequently have weak passwords and get overlooked. Tightening your password configuration and enabling MFA can significantly reduce cloud storage security risks.
  • Recommendations: Explore your cloud service’s documentation or FAQ, or contact your account manager or customer service representative, to learn about the available security options, especially the scope of configurations and controls that are the customer’s responsibility. In some cases you can make the configuration changes yourself; in others you need to ask the provider for the change. In addition to password requirements and MFA, ask about account lockout settings and session timeouts. And if the provider doesn’t offer what you need, such as MFA, tell your account manager it is important and ask that they make it available.
  • Office 365 resource: Ensure you are using best practices for your Office 365 configuration. Read this detailed blog on secure configuration of Office 365 for more information.
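The account review described under risk 1 and the MFA gap described under risk 2 can be checked together from a single account export. The following is an added example, not code from the original post or from any particular cloud provider: it takes a constructed, simplified account export (login, service, role, MFA enrollment, last login) and a constructed HR roster, and flags accounts that are orphaned, inactive, or privileged without MFA. The export format, roster, service-account list and 90-day inactivity limit are all assumptions; a real export from an identity provider or SaaS admin console will need a small adapter.

```python
"""Cloud account review: flag orphaned, inactive and MFA-less admin accounts.

Added example for illustration only. The account export below is a
constructed, simplified format (assumed); adapt parse_export() to the
real export of the service under review.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample account export (not real data).
ACCOUNT_EXPORT = """\
login,service,role,mfa_enrolled,last_login
alice@example.com,filestore,user,true,2020-02-10T14:22:00Z
bob@example.com,filestore,admin,false,2020-02-15T09:01:00Z
carol@example.com,filestore,user,true,2019-09-03T11:45:00Z
dave@example.com,filestore,admin,true,never
svc-backup@example.com,filestore,admin,false,2020-02-17T03:00:00Z
"""

# Constructed HR roster of current employees; carol has left the company.
ACTIVE_EMPLOYEES = {"alice@example.com", "bob@example.com", "dave@example.com"}
# Service accounts that are expected to exist without an HR record (assumed).
KNOWN_SERVICE_ACCOUNTS = {"svc-backup@example.com"}

NOW = datetime(2020, 2, 18, tzinfo=timezone.utc)  # date of this review
INACTIVITY_LIMIT = timedelta(days=90)              # assumed policy threshold


@dataclass
class Finding:
    login: str
    issue: str


def parse_export(text: str) -> List[dict]:
    """Parse the constructed CSV-like export into one dict per account."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def _last_login(value: str) -> Optional[datetime]:
    """'never' means the account has never been used."""
    if value == "never":
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_accounts(export: str, now: datetime = NOW) -> List[Finding]:
    """Apply the three review rules to every account in the export."""
    findings: List[Finding] = []
    for row in parse_export(export):
        login = row["login"]
        last = _last_login(row["last_login"])
        # Rule 1: orphaned account - no current employee and not a known service account.
        if login not in ACTIVE_EMPLOYEES and login not in KNOWN_SERVICE_ACCOUNTS:
            findings.append(Finding(login, "no matching active employee; disable"))
        # Rule 2: inactive account - never used, or unused beyond the limit.
        if last is None or now - last > INACTIVITY_LIMIT:
            findings.append(Finding(login, "inactive beyond %d days; disable" % INACTIVITY_LIMIT.days))
        # Rule 3: privileged role without MFA.
        if row["role"] == "admin" and row["mfa_enrolled"].lower() != "true":
            findings.append(Finding(login, "admin role without MFA; enforce MFA or reduce role"))
    return findings


if __name__ == "__main__":
    for f in review_accounts(ACCOUNT_EXPORT):
        print(f"{f.login}: {f.issue}")
```

Run against the sample export, the review reports carol’s account as both orphaned and inactive, dave’s admin account as never used, and bob’s and the backup service account as admin roles without MFA. The service-account allowlist is deliberate: exempting a service account from the HR check must not exempt it from the MFA or inactivity checks, which is why each rule is evaluated independently.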

3. Unauthorized Use of Cloud Services

  • Risk: We frequently learn through interviews that a client’s employees are using cloud solutions that have been neither vetted nor approved by the organization. This comes up most often in relation to file sharing with external parties through services such as Dropbox, Box, SharePoint, or Google Docs. The sharing is done for legitimate work reasons, but the employee may be unable to email the documents because of the organization’s data loss prevention controls or attachment size limits, or may simply be unaware that the company already has a secure file sharing solution in place. Typically we find that employees are not aware of the cloud storage security risks associated with using unauthorized services, and they view the use as harmless.
  • Why it matters: Step one for protecting sensitive information is to know where it is! If company data is being stored in locations unknown to IT and security, they don’t have the opportunity to make sure appropriate security protections are in place. This is one of the most common cloud storage security risks our team finds during a cloud security assessment.
  • Recommendations: Most organizations have restrictions on introducing new software into the environment, including security review and secure configuration. The same rules should apply to cloud services! Consider blocking access to unauthorized file sharing services at the web proxy or firewall, and make sure your Acceptable Use policy explicitly covers cloud services and your organization’s process for requesting approval of a new one. Include cloud security in your security awareness training so everyone understands third-party cloud storage security risks and their own responsibilities.
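Before blocking unapproved file sharing services, it helps to know who is already using them and how much data is leaving. The following is an added example, not code from the original post: it scans constructed, simplified web proxy log lines for hosts belonging to the file sharing services named above, ignores the one service assumed to be sanctioned (SharePoint, in this illustration), and totals the bytes uploaded per user and service. The log format, the domain list and the approved-service set are assumptions to adapt to your proxy and policy.

```python
"""Find unsanctioned cloud file-sharing uploads in web proxy logs.

Added example for illustration only. The log lines below are constructed
in a simplified format (timestamp user method host bytes_sent); a real
proxy export will need its own field parsing.
"""
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Registrable domains (and their subdomains) of file-sharing services
# mentioned in the post; extend this map for your environment (assumed).
FILE_SHARING_DOMAINS = {
    "dropbox.com": "Dropbox",
    "box.com": "Box",
    "docs.google.com": "Google Docs",
    "drive.google.com": "Google Drive",
    "sharepoint.com": "SharePoint",
}
# Assumed: the organization's approved file-sharing service.
APPROVED_SERVICES = {"SharePoint"}

# Constructed sample proxy lines: time user method host bytes_sent
PROXY_LOG = """\
2020-02-18T09:12:01Z alice POST www.dropbox.com 52428800
2020-02-18T09:13:40Z alice GET www.dropbox.com 512
2020-02-18T10:02:15Z bob POST contoso.sharepoint.com 10485760
2020-02-18T10:30:08Z carol GET drive.google.com 1200
2020-02-18T11:45:59Z carol POST drive.google.com 734003200
2020-02-18T12:00:00Z dave GET intranet.example.com 300
2020-02-18T12:05:00Z eve POST app.box.com 4194304
"""


def classify_host(host: str) -> Optional[str]:
    """Return the service name if host is a known file-sharing domain or a
    subdomain of one, otherwise None. Matching on '.' + domain avoids
    false positives such as 'notdropbox.com'."""
    host = host.lower().rstrip(".")
    for domain, name in FILE_SHARING_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def unsanctioned_uploads(log: str) -> Dict[Tuple[str, str], int]:
    """Sum bytes POSTed per (user, service) for services that are not approved.
    GET traffic is skipped: downloads are noise for the exfiltration question."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, user, method, host, sent = line.split()
        service = classify_host(host)
        if service is None or service in APPROVED_SERVICES:
            continue
        if method.upper() != "POST":
            continue
        totals[(user, service)] += int(sent)
    return dict(totals)


if __name__ == "__main__":
    for (user, service), nbytes in sorted(unsanctioned_uploads(PROXY_LOG).items()):
        print(f"{user} uploaded {nbytes / 1048576:.1f} MiB to {service}")
```

On the sample log this reports uploads to Dropbox, Google Drive and Box, while bob’s upload to the sanctioned SharePoint tenant and dave’s intranet traffic are ignored. The same host-classification logic is what a proxy or DNS block rule would key on, so running it as a report first shows which users will be affected and gives the awareness-training conversation a concrete starting point.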

4. Incident Response Preparedness

  • Risk: Have you considered how your organization will respond to a security incident that involves your use of cloud services? If not, you are not alone! Cloud services often present unique challenges in the incident handling process, and many organizations have not yet considered these challenges and incorporated them into their response plans and strategies.
  • Why it matters: Everyone knows that time is of the essence when dealing with an incident. That means it is important to consider possible incident scenarios before they happen to be sure your team is prepared to respond and has the information they need to do so. Lack of advance planning can lead to delays, inefficiencies, and other pain points that can negatively affect your response.
  • Recommendations: There are a lot of details to consider! Review your contract and work with your account manager to make sure you have the information you need. Topics include incident notification requirements, how to request access to logs, access to backups, and what support you can expect from the provider’s team. Review your cybersecurity insurance policy to understand how it may (or may not) apply to a third-party breach. And prepare your team by conducting tabletop exercises with cloud-based incident scenarios.

Moving to the cloud is a great way to achieve scalable, cost-effective IT solutions, but companies must be careful to identify and manage risk along the way.

Contact us if you need help assessing your company’s security posture, including your use of cloud services and your organization’s specific cloud storage security risks. We can also provide incident response if you suspect something has already gone wrong.

About the Author

Madison Iler

Madison is LMG’s Chief Strategy Officer. She assesses organizations’ compliance with regulatory requirements such as HIPAA, and assesses the strength of their security program and overall security posture using widely-accepted frameworks such as the NIST Cybersecurity Framework. She previously served as a Senior Network Security Engineer for Lockheed Martin in support of the National Science Foundation, Security Engineer for SecureInfo, and Security Compliance Analyst for Raytheon Technical Services. Prior to moving into IT security, Madison worked in IT operations. She has also worked as a management consultant with McKinsey & Company. Madison earned her BA in Economics from the University of Colorado and her MBA from MIT’s Sloan School of Management. She holds her CISSP and HCISPP security certifications.