December 11, 2019

Is the Cloud Safe? Part 1: Models and Misadventures

The cloud, like every other technology, was developed to help us do more things faster and more efficiently. It’s a business tool that provides the self-service flexibility of on-demand technological services decoupled from the need to physically deliver hardware and software. Organizations are flocking to leverage this power, but there are nagging questions: Is cloud security getting better or worse? Why does it seem that there are more cloud breaches happening now than before? If an organization moves to the cloud, is it more likely to get hacked?

These questions are understandable. Although many organizations are rushing to the cloud or being driven there by their leadership, no one wants to end up in a headline because of a security fiasco. IT decision makers need to know how to avoid the most likely ways to fail. In part 1 of this article series, we unpack these questions about the prevalence and danger of cloud breaches.

Cloud Services and Deployment Models

First off, there isn’t one definitive type of cloud. The National Institute of Standards and Technology's (NIST) definition of cloud computing lists three cloud service models—infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS)—and four deployment models: private, community, public, and hybrid.[1]

In F5’s 2019 State of Application Services survey, 87 percent of respondents indicated they operate in a multi-cloud environment, meaning any combination of the above. So far, we don’t have enough detail on many reported breaches to know if the affected assets were stored in the cloud, on premises, or in hybrid environments, nor do we know the kinds of services that were in use. As we unfold this story, we’ll be as specific as possible. That way you can map our individual datapoints back to the kinds of cloud services and deployment models you’re using.

What is a Breach?

When we talk about breaches, we’re specifically talking about the exposure of protected data to unauthorized persons, for example, cybercriminals getting our payment card data. However, in our 2018 Application Protection Report survey, we saw that some industry sectors care as much about availability as other sectors do about the confidentiality of their data. Is an outage—that is, the unexpected failure of availability of service—considered a breach? For some, it could be.

In some cases, major cloud platform outages have not just caused businesses to lose money, but also have had negative effects on cryptocurrency markets.[2] In one case, a cloud outage caused electronic door locks to remain shut, even for the authenticated owners.[3] Looking through the major cloud services, we see all the major players have had outages, including Amazon Web Services (AWS), Microsoft Azure, Rackspace, Alibaba, Salesforce, and Google. The table below is a brief snapshot of major cloud outages since 2017:

Cloud Outages Since 2017

| When      | Who        | What                                     |
|-----------|------------|------------------------------------------|
| Feb 2017  | AWS        | Regional outage [4]                      |
| Mar 2017  | Azure      | Storage systems outage [5]               |
| June 2017 | Rackspace  | Networking outage [6]                    |
| Sep 2017  | Google     | Services outage [7]                      |
| Mar 2018  | AWS        | Regional outage [8]                      |
| May 2018  | AWS        | Regional outage [9]                      |
| Jun 2018  | Azure      | Regional storage and network outage [10] |
| Jul 2018  | IBM        | Global slowdown and outage [11]          |
| Mar 2019  | Alibaba    | Regional container outage [12]           |
| May 2019  | Azure      | Services outage [13]                     |
| May 2019  | Salesforce | Database access failure [14]             |
| June 2019 | Google     | Services outage [15]                     |
| Aug 2019  | AWS        | Regional outage [16]                     |
| Nov 2019  | Google     | Services outage [17]                     |

Outages do occasionally happen, and this is probably a contributing reason why many organizations adopt a hybrid cloud approach.

The Broad Spectrum of Cloud Breaches

If you don’t consider a cloud outage a breach, let’s talk about the diverse types of cloud data breaches. It’s best to focus on the operational components of the cloud that either strengthen or weaken the security of a deployed solution.

Not a Cloud Breach but a Cloud-Assisted Breach

A case to be aware of involved a malicious insider at the Oregon Department of Revenue who uploaded stolen files to a private cloud account.[18] The cloud is yet another exfiltration path, and since cloud resources are encrypted in transit, leakages are hard to spot.

For many, a breach of a large database is the same as a cloud breach. Consider the Indian government’s 2018 breach, which affected 1.1 billion registered citizens through a vulnerability in its Aadhaar national identity database.[19] There aren’t enough details available on this breach to indicate how much the cloud contributed to or blunted the breach. The breach seemed to stem from an application vulnerability, a class of problem we’ve always had in and out of the cloud.

Software Vulnerabilities Hosted in the Cloud

Is the cloud to blame when software vulnerabilities in cloud-hosted web applications are exploited? Consider Stein Mart's breach from May 2018,[20] in which its vendor, Annex Cloud, fell victim to an ongoing rash of formjacking attacks against payment card shopping carts. This was clearly a software vulnerability problem and not necessarily a cloud problem. Would an attack against an unpatched Apache vulnerability count as a cloud breach if it were hosted in the cloud as opposed to sitting in a rack in a colocation facility? It may depend on how visibility and operational control vary in a cloud environment. This particular aspect is worth investigating. Given that many large databases now dwell in the cloud, the same question of visibility and control arises.

A Cloud in the Supply Chain

The Stein Mart case also raises questions about cloud use within an organization’s supply chain. Another supply chain case occurred in February 2018 in which Capital Digestive Care’s patient data was exposed on a vendor’s cloud server.[21] So, even organizations that don’t formally adopt the cloud may still contend with cloud security issues through their third parties.

Cloud APIs Everywhere

Lastly, we should consider cloud breaches that involve APIs. In our 2019 Application Protection Report, we examined breaches stemming from API attacks and found a significant number occurring on large platforms running in the cloud. Cloud systems make heavy use of APIs for administrative control, and these APIs are easy to expose by accident. We see this as a problem that the cloud exacerbates in terms of observability, but not necessarily one that’s unique to the cloud.

What’s Next?

In part 2, we’ll dive into traditional cloud breaches. This includes confidential data falling into the hands of unauthorized individuals, either on purpose through hacking or by accident through leaking.
