Insight Code Top
Insight Code Bottom
Secure Digital Data Network. Cloud Computing Cyber Security Conc

What are main cloud security risks?

9th November 2020

4 min read

Cloud computing solutions are becoming increasingly popular within business technology ecosystems as they are resilient, scalable and agile. The nature of cloud computing is complex and there are several important security considerations before committing to a cloud solution. As your business moves to digitally transform your operations, cloud security controls should not be an afterthought to ensure risks can be assessed and managed effectively.

According to Sophos, 70% of organisations hosting data or workloads in the cloud experienced a security incident in the last year. Without effective cloud security controls in place, your organisation’s information may be exposed to an increased risk of compromise.

Accidental and unknown exposure can cause significant challenges for your organisation. Sophos found that security weaknesses caused by misconfigurations were exploited in 66% of attacks. As businesses start to bring new cloud services into operation, the opportunity for misconfiguration increases which in turn increases the organisation’s attack surface. Businesses must develop a comprehensive cloud security strategy that involves the integration of all business areas to ensure cloud security is a priority and shared responsibility is established.


What are the major cloud platforms and which should you choose?

Cloud platforms offer your organisation an alternative to building your IT infrastructure in-house. This saves your business the cost of investing in and maintaining systems, technology and applications. There are many companies that offer cloud platforms that support the development and management of your organisation’s IT needs.

1. Amazon Web Services

Amazon Web Services (AWS) is considered one of the most powerful and flexible cloud solutions. Its Identity Access Management (IAM) capabilities offer a large range of granular user permissions heavily centred on the principle of least privilege.

2. Microsoft Azure

Microsoft Azure is a great cloud solution for organisations that predominantly use Microsoft infrastructure and services. Azure is developed to provide flexible integration with Microsoft services such as O365 and Active Directory, enabling organisations to transform and scale existing services to a fast and reliable cloud-based solution.

3. Google Cloud

Google Cloud offers a multi-layered security infrastructure providing organisations with a wide range of services that they can use to build flexible and reliable cloud-based IT environments. Google Cloud focuses on ensuring consistent performance and management with services including Compute Engine, Cloud Storage and Big Query.

4. IBM Cloud

IBM Cloud offers PaaS, SaaS and IaaS solutions. Not all of IBM Cloud’s extensive range of services are cloud-based, some are both virtual and hardware services giving users complete control of their infrastructure. It is fully integrated and manageable within a single environment via the web portal, Application Programming Interface (API) or mobile application.

5. Oracle Cloud

Oracle Cloud Infrastructure offers two main service solutions including cloud infrastructure and data processing. Oracle’s cloud infrastructure services relate to databases, data management and applications, and data processing includes analytics and insights for big data. A clear difference between Oracle and the other cloud platform providers is that it is more suited to large enterprises rather than small businesses or individuals.

The key to developing effective security across your cloud infrastructure is to integrate it into the planning, design and implementation phases of your cloud transformation program. Regular testing can supplement the cloud security strategy to maintain a strong security posture as cloud resources are modified over time.

Think about issues including availability, connectivity, flexibility and scalability. Identify the risks that are unacceptable to your organisation and those that would not be. The NCSC has created 14 cloud security principles that can help you identify the risks you should be aware of. Your service provider should best protect the security risks that are a priority to your business.


What are the risks involved in using the cloud and how can these be managed?

Lack of cloud expertise

A significant risk of cloud computing is a lack of cloud expertise. Oracle found that 75% of IT professionals view the public cloud as more secure than their own on-site infrastructure, but 92% feel that their lack of expertise in cloud security programs is creating a readiness gap.

To properly secure your cloud environment, you must be able to leverage the platform tools, secure and configure the architecture and integrate them with third-party services. This requires experts either employed in-house or via a third-party to ensure you can gain complete visibility of your infrastructure. You must know who has access to your cloud services and be able to maintain a security management strategy across your cloud environment.

Cloud misconfigurations

Gaps in your understanding of cloud security can lead to misconfigurations. Correctly configuring your cloud infrastructure is the responsibility of your organisation, not the cloud provider. One of the main causes of misconfiguration is over-privileged accounts. A report conducted by Oracle found that 33% of organisations reported that cyber criminals gained access to their cloud environments by stealing cloud provider account credentials.

The principle of least privilege means it is important to only grant admin privileges to users that require this access to complete their job functions. Implementing multi-factor authentication on all accounts will make it harder for a malicious actor to gain access via the end-user. Stronger identity measures provide an additional challenge for criminals should your employees’ devices be stolen or lost and their accounts compromised.

Non-compliance with data regulations

Migrating to the cloud can lead to complex issues with data compliance. Organisations that process sensitive data including Personally Identifiable Information (PII) must comply with data regulations, such as the EU’s General Data Protection Regulations. It is important to identify which data regulations you are subject to depending on where your data is processed; as processing data internationally can have additional challenges for compliance.

Shared responsibility models determine that it is the responsibility of the customer to protect data stored in the cloud, while the cloud provider is responsible for the security of the cloud platform. When using a cloud provider it is important to understand exactly where the data is stored in the cloud, who has access to it and how it is protected in accordance with the relevant data regulations you are subject to.


Impact of security risks of cloud computing

Data loss is one of the biggest impacts caused by the security risks of cloud computing. Companies store sensitive data in the cloud including intellectual property and Personally Identifiable Information (PII) that can have serious implications if lost. Cloud platforms offer features to prevent data loss caused by loss of connectivity, outages and data corruption. However, these features must be configured correctly.  Having a backup and disaster recovery plan in place is critical to ensure your data can be recovered if a breach or loss is to occur.

Cloud computing resources are easy and fast to deploy but require knowledge and experience to manage risks effectively. Improving your organisation’s knowledge surrounding cloud services is crucial to fill gaps in the misunderstanding that can compromise your security posture. Cloud services must be configured correctly to secure your infrastructure and prevent data breach or loss from occurring whether it is via the end-user or a malicious actor.


  • Insights
  • Labs
White box penetration testing

Uncovering vulnerabilities with white box penetration testing

As a business owner or IT professional, you understand the importance of protecting your company’s sensitive data, systems and reputation from cyber threats. One of…

API penetration testing

Securing APIs through penetration testing

APIs (Application Programming Interfaces) have become the backbone of many modern applications, and indeed the foundation of some businesses services. APIs enable seamless communication between…

The importance of a post-penetration test action plan

The importance of a post-penetration test action plan

As cyber threats continue to evolve and become more sophisticated, businesses must stay one step ahead in protecting their sensitive data and network infrastructure. Penetration…

How to choose the right penetration testing partner

How to choose the right penetration testing partner for your business

In today’s digital landscape, cybersecurity threats are evolving at an alarming rate. With the growing number of cyber-attacks and data breaches, businesses must prioritise their…

IoT device security, penetration testing

Securing the Internet of Things: Penetration testing’s role in IoT device security

The world is witnessing a remarkable transformation as more devices become interconnected, forming what’s known as the Internet of Things (IoT). From smart refrigerators and…

Man working as a junior penetration tester

My first month working as a junior penetration tester

Entering the world of cyber security as a junior penetration tester has been an eye-opening experience for me. In my first month, I’ve encountered challenges,…

Password cracking: How to crack a password

An introduction to password security: How to crack a password

Online Password Cracking An online attack is performed in real-time, against live services or applications to compromise active user accounts. Such attacks typically occur when…

Application Security 101 – HTTP headers

Application Security 101 – HTTP Headers Information Disclosure

Server Header Information Disclosure The most common HTTP header that is enabled by default in most web servers is the ‘Server’ header, which can lead…

SPF, DKIM, DMARC and BIMI for Email Security

SPF, DKIM, DMARC and BIMI for Email Security

Sender Policy Framework Sender Policy Framework (SPF) is a DNS TXT record that is added to a domain that tells email recipients which IP addresses…

Terraform security best practices

Terraform security best practices (2022)

The following sections discuss our most important Terraform security best practices: The importance of Terraform State Terraform must keep track of the resources created. When…

Security vulnerability in Follina exploit

Preventing exploitation of the Follina vulnerability in MSDT

The Follina Exploit A zero-click Remote Code Execution (RCE) vulnerability has started making the rounds which is leveraging functionality within applications such as Microsoft Word.…

Application Security 101 – HTTP headers

Application Security 101 – HTTP headers

1. Strict-Transport-Security The HTTP Strict Transport Security (HSTS) header forces browsers and other agents to interact with web servers over the encrypted HTTPS protocol, which…

Get in touch with our experts to discuss your needs

Phone +44(0)1242 388634 or email [email protected]

Get in touch