The cloud, like every other technology, was developed to help us do more things faster and more efficiently. It’s a business tool that provides the self-service flexibility of on-demand technological services decoupled from the need to physically deliver hardware and software. Organizations are flocking to leverage this power, but there are nagging questions: Is cloud security getting better or worse? Why does it seem that there are more cloud breaches happening now than before? If an organization moves to the cloud, is it more likely to get hacked?
These questions are understandable. Although many organizations are rushing to the cloud or being driven there by their leadership, no one wants to end up in a headline because of a security fiasco. IT decision makers need to know how to avoid the most likely ways to fail. In part 1 of this article series, we unpack these questions about the prevalence and danger of cloud breaches.
Cloud Services and Deployment Models
First off, there isn’t one definitive type of cloud. The National Institute of Standards and Technology's (NIST) definition of cloud computing lists three cloud service models—infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS)—and four deployment models: private, community, public, and hybrid.1
In F5’s 2019 State of Application Services survey, 87 percent of respondents indicated they operate in a multi-cloud environment, meaning any combination of the above. So far, we don’t have enough detail on many reported breaches to know if the affected assets were stored in the cloud, on premises, or in hybrid environments, nor do we know the kinds of services that were in use. As we unfold this story, we’ll be as specific as possible. That way you can map our individual datapoints back to the kinds of cloud services and deployment models you’re using.
What is a Breach?
When we talk about breaches, we’re specifically talking about the exposure of protected data to unauthorized persons, for example, cybercriminals getting our payment card data. However, in our 2018 Application Protection Report survey, we saw that some industry sectors care as much about availability as other sectors do about the confidentiality of their data. Is an outage—that is, the unexpected failure of availability of service—considered a breach? For some, it could be.
In some cases, major cloud platform outages have not just caused businesses to lose money, but also have had negative effects on cryptocurrency markets.2 In one case, a cloud outage caused electronic door locks to remain shut, even for the authenticated owners.3 Looking through the major cloud services, we see all the major players have had outages, including Amazon Web Services (AWS), Microsoft Azure, Rackspace, Alibaba, Salesforce, and Google. The table below is a brief snapshot of major cloud outages since 2017:
|Cloud Outages Since 2017|
|Feb 2017||AWS||Regional outage4|
|Mar 2017||Azure||Storage systems outage5|
|June 2017||Rackspace||Networking outage6|
|Sep 2017||Services outage7|
|Mar 2018||AWS||Regional outage8|
|May 2018||AWS||Regional outage9|
|Jun 2018||Azure||Regional storage and network outage10|
|Jul 2018||IBM||Global slowdown and outage11|
|Mar 2019||Alibaba||Regional container outage12|
|May 2019||Azure||Services outage13|
|May 2019||Salesforce||Database access failure14|
|June 2019||Services outage15|
|Aug 2019||AWS||Regional outage16|
|Nov 2019||Services outage17|
Outages do occasionally happen, and this is probably a contributing reason why many organizations adopt a hybrid cloud approach.
The Broad Spectrum of Cloud Breaches
If you don’t consider a cloud outage a breach, let’s talk about the diverse types of cloud data breaches. It’s best to focus on the operational components of the cloud that either strengthen or weaken the security of a deployed solution.
Not a Cloud Breach but a Cloud-Assisted Breach
A case to be aware of involved a malicious insider at the Oregon Department of Revenue who uploaded stolen files to a private cloud account.18 The cloud is yet another exfiltration path and since cloud resources are encrypted in transit, leakages are hard to spot.
A case to be aware of involved a malicious insider at the Oregon Department of Revenue who uploaded stolen files to a private cloud account. The cloud is yet another exfiltration path and since cloud resources are encrypted in transit, leakages are hard to spot.
For many, a breach of a large database is the same as a cloud breach. Consider the Indian government’s 2018 breach of 1.1 billion registered citizens through a vulnerability in its Aadhaar national identity database.19 There aren’t enough details available on this breach to indicate how much the cloud contributed or blunted the breach. The breach seemed to stem from an application vulnerability, which we’ve always had in and out of the cloud.
Software Vulnerabilities Hosted in the Cloud
Is the cloud to blame for exploiting software vulnerabilities in cloud-hosted web applications? Consider Stein Mart's breach from May 2018,20 in which its vendor, Annex Cloud, fell victim to an ongoing rash of formjacking attacks against payment card shopping carts. This was clearly a software vulnerability problem and not necessarily a cloud problem. Would an attack against an unpatched Apache vulnerability count as a cloud breach if it were hosted in the cloud as opposed to sitting in a rack in a colocation facility? It may depend on how the visibility and operational control varies in a cloud environment. This particular aspect is worth investigating. Given that many large databases now dwell in the cloud, the same question of visibility and control arises.
A Cloud in the Supply Chain
The Stein Mart case also raises questions about cloud use within an organization’s supply chain. Another supply chain case occurred in February 2018 in which Capital Digestive Care’s patient data was exposed on a vendor’s cloud server.21 So, even organizations that don’t formally adopt the cloud may still contend with cloud security issues through their third parties.
Cloud APIs Everywhere
Lastly, we should consider cloud breaches that involve APIs. In our 2019 Application Protection Report, we examined breaches stemming from API attacks and found a significant number occurring on large platforms running in the cloud. Cloud systems make heavy use of APIs for administrative control, and these APIs are easily accidentally exposed. We see this as a problem that the cloud exacerbates in terms of observability, but not necessarily one that’s unique to the cloud.
In part 2, we’ll dive into traditional cloud breaches. This includes confidential data falling into the hands of unauthorized individuals, either on purpose, from hacking, or by accident from leaking.