Companies are increasingly moving to cloud storage for their cybersecurity and ever-expanding corporate data, and just as quickly the ever-attendant data thieves are hustling around, trying to figure out how to break in.
The growing use of cloud computingOpens a new window is creating a data bonanza for would-be hackers and cyber crime because of the sensitive customer information that companies may store, such as social security numbers, bank account details and passwords to other accounts.
And the amount of available information is growing: Cloud-computer services will grow an estimated 17% to $247 billion this year, according to research firm Gartner, benefiting from the intense scaling up of service-based companies built on customer data such as Expedia and Uber.
Attacks on cloud servers and cloud drives can have a wide range of end-games. A 2018 hack of Tesla’s Amazon Web Services cloud infrastructure appears to have installed cryptocurrency mining software to co-opt its computing power and electricity usage for a computing-intensive activity.
There is also a growing professionalization among criminals hackers, with more than half of all cyber-crimes involving organized criminal groups, according to Verizon’s 2017 Data Breach Investigations Report.
Password Violations on the Cloud
Computer security experts agree that the easiest way for hackers to get access to cloud data is through a compromised corporate-system password, as was illustrated by last year’s hack of Anthem, one of the largest US health insurers.
In this case, the hackers used a system administrator’s password information to run a database query, then uploaded that data to a cloud storage provider. The data breach impacted more than 80 million customers, whose data were extracted using a cloud-based file sharing service.
Some of the easiest ways to make access more difficult for hackers is by bulking up the protection that a password provides. Creating unique passwords for each account makes it more difficult for a potential hacker to guess or borrow a password from another account.
An additional form of protection, two-factor authentication, can feel like a hassle but makes the verification process much more stringent. This process involves a secondary passcode being sent via a text message, complicating hackers’ efforts to access cloud data even if they have obtained a user password.
Cloud Drive Configuration Errors
Another common way hackers can get into cloud data is because of a configuration mistake made when setting up cloud data storage, according to the Cloud Security Alliance. If not carried out properly, access permissions can be set up in a way that enables outsiders to see data.
IT security company Upguard recently stated that critical data from the Pentagon has been leakedOpens a new window on a publicly accessible data repository through the likes of Amazon Web Services cloud storage. Similarly, Dow Jones has acknowledged that it was such a mistake that led last year to the names and contact information of 2.2 million customers being made accessible inadvertently on the Amazon cloud.
As a result of an incorrectly configured Amazon Simple Storage Service account, data including names, email addresses, home addresses, internal account details and the last four digits of credit card numbers became accessible to anyone with an Amazon Web Services account. Problems with configuration typically stem from inadequate training or experience in setting security parameters for cloud access.
The misuse of automatic passwords can also provide an opportunity, as the case of Uber late last year illustrates, when hackers got into the company’s cloud computing system by stealing the log-in credentials used by in-house software engineers.
The credentials had been stored on a private GitHub software account used to enable programmers to gain automated access to confidential data, but this capability does not constrain how these privileges can be shared.
The GitHub credentials were used to access data stored on an Amazon Web Services account, enabling the hackers to access names, emails and phone numbers of millions of Uber customers, as well as the license numbers of 600,000 drivers.
API Open Doors
One of the benefits of cloud storage systems is that they offer tools and protocols that enable company software programmers to build application programming interfaces that can manage and interact with the cloud service.
However, because these programmers and others are managing specific portions of the cloud service, they leave a possible door open to a security breach. Snapchat, which enables users to share photos or short videos that disappear after a few seconds, was hacked in 2014 using an API-linked strategy, resulting in the publication of names and partial phone numbers of 4.6 million users.
Means of protection against API-related data breaches include ensuring that company software developers understand how to customize an API without increasing the risk of being hacked, and ensuring that the cloud infrastructure meets necessary security standards, including security-focused code reviews designed to identify problems before a hack occurs, and conducting frequent testing to ensure hackers cannot access the system.
Offering rewards to individuals that help detect potential weaknesses of an API system has also been a valuable means of exposing problems. Google, for example, offers $1,000 through its bounty program to developers who find problems with any of the Android apps it offers.
Public Cloud Strategies for Protecting Data
Cloud service providers themselves adopt a range of strategies to keep the information stored on their equipment safe. For major players, including Dropbox, Google and Amazon, there is an underlying emphasis on a security culture, with background checks on employees and extensive security training.
Cloud data centers themselves are extensively protected: physical security for Google data centers including safeguards such as access cards, alarms, fencing, metal detectors, biometrics, and even laser beam intrusion detection.
The larger cloud companies have extensive vulnerability management processes, to deter hacks from sneaking in electronically, such as actively scanning for security threats using both in-house and commercially available tools. Cloud storage companies also conduct manual and automated penetration efforts to test the durability of their security systems, as well as software security reviews and external audits.
Companies offer multi-factor authentication protection to users as well. Amazon Web Services customers can opt to use an additional single-use code, generated by a device kept in the user’s possession, in addition to the standard user name and password credentials to gain access to an account.
They also use sophisticated encryption techniques to protect stored information. Dropbox encrypts all data in transit using specialized software, via Secure Sockets Layer and its successor protocol, Transport Layer Security, to prevent information from being intercepted as it moves between the Dropbox server and a user’s computer. The data is encrypted with industry-recognized 250-bit AES software when it is stored on the Dropbox server.
While cloud storage companies promise that their cybersecurity systems offer almost impenetrable protection against hackers, security specialists say that for maximum protection, users should also encrypt information with their own software before putting it in the cloud. As a further step, authenticated encryption not only makes the file unreadable to anyone without the necessary passwords, but also notifies a user if the file is modified in any way on a cloud drive.