Hey, You!  Get Off of My Cloud.


The cloud is a way of storing data on remote servers rather than on a local computer or on-premises device. While cloud storage offers some benefits such as outsourcing the liability of access and continuity, it also poses some major security risks.

As we've seen since the beginning of 2023, cloud hosting can expose you and your data to additional attack vectors, and your data can be housed in locations that garner greater attention from often higher-skilled attackers.

These attacks can have serious consequences, and once your data is outsourced to “the cloud,” you often have no say in how it is stored, managed, or protected. This loss of control complicates risk analysis, and often ends in more frequent data breaches, data loss, unauthorized access to sensitive information, and disruption of services.

Not to mention these attacks can take months (sometimes years) to detect. The risks here can greatly outweigh the benefits. There are incredibly few scenarios where full-cloud makes the most sense. And it often hinges on whether or not you have access to adequate talent.

--------------------------------------------------------------------------------------------------------

Last week CISA revealed that they have developed a new tool that helps detect signs of hacking activity in Microsoft cloud services. It's called "Untitled Goose Tool" and can dump telemetry information from Azure Active Directory, Microsoft Azure, and Microsoft 365 services. This obviously only pertains to outsider threats, whereas insider threats (launched from within the cloud host) would go completely unnoticed.

And for the record, over the past couple of years, the number of cloud breaches has surpassed on-premises breaches in number, vastness, and criticality.

As our friend Alexandre Blanc likes to say: "cloud = leak, abuse, lies, theft!" Remember, most of your favorite sites and tools (even ChatGPT) are cloud-based!

It is only to their demise that in 2023 many organizations are not even aware of the risks and vulnerabilities associated with cloud computing. Further, most institutions still lack sufficient talent, defenses, or even awareness to protect against these pernicious threats (is your CRO or Chief Risk Officer even involved in these discussions?).

What do you think is the leading cause of breaches in the cloud? Well, believe it or not, even in “the cloud,” it’s still phishing! CISOs push zero trust as a top priority, believing it mitigates the fact that identities are the #1 cloud target.

However, zero trust has its own problems - like the hidden dangers of excessive permissions. Excessive permissions can erode zero trust efforts and open your organization to further breaches, which can further complicate matters by being difficult to detect.

As more organizations and individuals rely on cloud computing for storing and processing data, there is a corresponding increase in the number of potential targets for attackers. Further, these cloud providers hold such tremendous value (your data, and the data of millions of other institutions) that they attract the most sophisticated attackers, whose favorite and often most fruitful attack vector is a placed insider threat. And they get more creative in their tactics every day.


Here are a few simple best practices for keeping your data safe and secure:

  1. Retain the best talent you can find and afford (and rate them strictly on RESULTS)
  2. Use strong and unique passwords: Use complex passwords that are difficult to guess (but not so difficult to remember that you write them down under your keyboard), and use a different password for each account. Consider using a [private] password manager to help you keep track of your passwords. I say private because even password managers these days are vulnerable cloud hosts.
  3. Enable multi-factor authentication: Two-factor authentication involves using an additional layer of security, such as a text message or authentication app, to verify your identity when logging into an account. Single-factor would be a password. Multi-factor would incorporate a second (or more) line of defense upon a correct password being entered.
  4. Keep software up to date: Ensure that your computer and devices are running the latest software and security updates. These updates often contain security patches that help protect against known vulnerabilities.
  5. Be cautious of phishing scams: Phishing scams involve tricking users into giving away their personal information. Be cautious of emails, texts, or phone calls from unknown senders asking for personal information. Also be cautious of requests from known senders and, when prudent, always follow up with a text or call to the sender to verify the validity of any electronic message or request before engaging with it, loading images, or clicking links.


By following these best practices, you can do your part to help ensure that your data remains relatively safe and secure. Again, there is no replacement for capable and willing talent. Capable talent is out there, as is willing talent. The real results ensue when you find both.

Jan B.

Beta-tester at Parrot Security* Polymath*

1 year

Stones are grateful ;-) TY Garett Moreau

Gragg Vaill

Hey (Hey), you (You), get off of my cloud...

1 year

No fair using my tag line...

Katalin Kish

★ I create value by turning complex info into actionable insights using technology & Maths. MBA, Global E-Commerce Champion

1 year

Many good, commonsense points. Given the size of the target pool for cyber-criminals, following these points will remove organisations from the low-hanging-fruit category. From the perspective of a devastated cyber-crime victim 2009-current, I need to add:

  - 2FA/MFA may backfire as text messages to your phone can be blocked, your Internet access DOS-ed
  - Avoid tech you can. Not even air-gaps or Faraday Cages protect systems any more*. No one has any idea about the actual range of tech capabilities in criminal hands. Australian #OrganisedCrime-types have had risk-free/on-demand access to agency-grade tech for more than a decade, remote-weapons-grade tech since 2019 at least.
  - Assume being hacked, anything you type on a non-purely-mechanical device being spied on, all your data in any database exposed: check your finances frequently for unusual activities. Financial institutions no longer blanket-cover cyber-related losses.
  - Privacy loss should be the least of your worries. See the 'about' section of my profile/my 'perfect crimes' article.
  - Have hammer/box-cutter equivalents in your car. Car electronics' hacking is traumatic enough for you to lose dexterity.

* Known by 2022: https://blog.avast.com/exploiting-air-gaps-avast

Eric Smythers

Looking for ways to gain education between semesters and between jobs to keep myself active and up to date with keeping our country safe. I am also into keeping oceans clean, and PADI open water trained diver,

1 year

From a project I did in my cybersecurity 101 class, I did Cloud leaks and hacks and I found it not just dangerous for the leaks but also how much is stored on the cloud and honestly I fully agree with you. The negatives greatly outweigh the positives, I learned of at least two companies (I know there has to be more) that lost millions if not billions of dollars in leaks.
