SH&NR Week 3 Posting - Vulnerabilities and Threats Associated With Cloud Computing
Vulnerabilities and Threats Associated With the Cloud
Cloud services allow users and organizations to grow and operate servers, storage, and other resources without the cost of physical infrastructure. There is no one-size-fits-all when it comes to cloud solutions. Users and organizations must recognize their unique needs in order to choose the proper cloud solution. After understanding the cloud solutions, users and organizations must be aware of the responsibilities, risks, and vulnerabilities associated with the cloud. From there, clients can take a more informed look at cloud security and the threats associated with it.
Cloud Models and Shared Responsibility
Cloud services are broken down into four models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and On-Premises. Each of these models comes with its own level of control, responsibility, and security for the client and provider. The shared responsibility model breaks down who is responsible for what.
Image source: "Shared responsibility in the cloud," Microsoft Learn, https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
On-Premises
On-Premises, or On-prem, is the cloud service model where the client handles the entire workload. On-prem allows users and organizations to have complete control of the infrastructure. This control comes at the cost of paying for the physical datacenter, hardware, and network. It also falls to the organization to monitor and maintain the network and all applications or services the infrastructure uses. While offering the most control, On-prem costs the most for users and organizations.
Infrastructure as a Service (IaaS)
IaaS is the next step up in the shared responsibility model. IaaS takes the physical responsibility of cloud computing from the client and moves it to the provider. In IaaS, the client is still responsible for monitoring and maintaining the network and all applications or services the infrastructure uses. IaaS frees the client of upfront physical costs and replaces them with a lower monthly cost for service.
Platform as a Service (PaaS)
The next step in the shared responsibility model is PaaS. PaaS transfers even more responsibility over to the cloud provider. The client will handle the devices, accounts, and information. Clients and cloud providers will split responsibility for network control, applications, and the directory. PaaS frees more client resources at a higher operational cost.
Software as a Service (SaaS)
SaaS is the cloud model for clients that only want the minimum responsibility. In SaaS, the cloud provider operates a majority of the cloud infrastructure, like the hardware, network, and applications. Clients will only manage the devices, accounts, and information used in those applications.
Security in the Cloud
While the responsibilities and workloads shift within the shared responsibility model, it is important to note that cloud security works slightly differently. Unfortunately, this notion of shared responsibility can be misunderstood, leading to the assumption that cloud workloads – as well as any applications, data or activity associated with them – are fully protected by the cloud provider (Alvarenga, 2022). Cloud security is one of the shared responsibilities. Cloud providers must monitor and mitigate any threats to the overall cloud infrastructure, and the client must protect any data, application, or other resources kept in the cloud. The security responsibility does not shift as easily as other responsibilities.
Threats to the Cloud
There are many threats that pose a risk to cloud security. Consistent monitoring and vulnerability scans are key to catching or preventing these threats. Data breaches are an extreme threat, as users and organizations store sensitive information in cloud systems. Since clouds are accessed through the Internet, they are a prime target for hackers seeking a variety of sensitive data, like personal health, personally identifiable, or financial information. Social engineering attacks are another threat, as they can allow unauthorized physical or digital access to an organization's cloud systems. If login credentials are obtained, threat actors can use them to access and steal any sensitive data the account might have access to. Data loss is another threat to cloud systems. Natural disasters, provider error, and human error are all ways that organizations can lose data temporarily or even permanently. Data backups are crucial to preventing data loss. Another threat to cloud systems is the Denial of Service (DoS) attack. These attacks flood systems with requests that can take up resources and cause a massive slowdown. While not normally responsible for data loss, DoS attacks can bring organizational operations to a standstill. These attacks can have long-term effects for the victim organization.
References:
Alvarenga, G. (2022, November 13). What is the Shared Responsibility Model?. CrowdStrike. https://www.crowdstrike.com/en-us/cybersecurity-101/cloud-security/shared-responsibility/
Chapman, B., & Maymí, F. (2021). CompTIA CySA+ Cybersecurity Analyst Certification Exam Guide (Exam CS0-002). McGraw-Hill Education.
Microsoft. (2024, September 29). Shared responsibility in the cloud - Microsoft Azure. Microsoft Azure | Microsoft Learn. https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
Verizon. (n.d.). Top cloud security risks. Verizon Enterprise. https://www.verizon.com/business/resources/learn-the-basics/top-cloud-security-risks-today/