The cloud, like every other technology, was developed to help us do more things faster and more efficiently. It’s a business tool that provides the self-service flexibility of on-demand technological services decoupled from the need to physically deliver hardware and software. Organizations are flocking to leverage this power, but there are nagging questions: Is cloud security getting better or worse? Why does it seem that there are more cloud breaches happening now than before? If an organization moves to the cloud, is it more likely to get hacked?

These questions are understandable. Although many organizations are rushing to the cloud or being driven there by their leadership, no one wants to end up in a headline because of a security fiasco. IT decision makers need to know how to avoid the most likely ways to fail. In part 1 of this article series, we unpack these questions about the prevalence and danger of cloud breaches.

Cloud Services and Deployment Models

First off, there isn’t one definitive type of cloud. The National Institute of Standards and Technology's (NIST) definition of cloud computing lists three cloud service models—infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS)—and four deployment models: private, community, public, and hybrid.¹

In F5’s 2019 State of Application Services survey, 87 percent of respondents indicated they operate in a multi-cloud environment, meaning any combination of the above. So far, we don’t have enough detail on many reported breaches to know if the affected assets were stored in the cloud, on premises, or in hybrid environments, nor do we know the kinds of services that were in use. As we unfold this story, we’ll be as specific as possible. That way you can map our individual datapoints back to the kinds of cloud services and deployment models you’re using.

What is a Breach?

When we talk about breaches, we’re specifically talking about the exposure of protected data to unauthorized persons, for example, cybercriminals getting our payment card data. However, in our 2018 Application Protection Report survey, we saw that some industry sectors care as much about availability as other sectors do about the confidentiality of their data. Is an outage—that is, the unexpected failure of availability of service—considered a breach? For some, it could be.

In some cases, major cloud platform outages have not just caused businesses to lose money, but also have had negative effects on cryptocurrency markets.² In one case, a cloud outage caused electronic door locks to remain shut, even for the authenticated owners.³ Looking through the major cloud services, we see all the major players have had outages, including Amazon Web Services (AWS), Microsoft Azure, Rackspace, Alibaba, Salesforce, and Google. The table below is a brief snapshot of major cloud outages since 2017:

Cloud Outages Since 2017
When	Who	What
Feb 2017	AWS	Regional outage⁴
Mar 2017	Azure	Storage systems outage⁵
June 2017	Rackspace	Networking outage⁶
Sep 2017	Google	Services outage⁷
Mar 2018	AWS	Regional outage⁸
May 2018	AWS	Regional outage⁹
Jun 2018	Azure	Regional storage and network outage¹⁰
Jul 2018	IBM	Global slowdown and outage¹¹
Mar 2019	Alibaba	Regional container outage¹²
May 2019	Azure	Services outage¹³
May 2019	Salesforce	Database access failure¹⁴
June 2019	Google	Services outage¹⁵
Aug 2019	AWS	Regional outage¹⁶
Nov 2019	Google	Services outage¹⁷

Outages do occasionally happen, and this is probably a contributing reason why many organizations adopt a hybrid cloud approach.

The Broad Spectrum of Cloud Breaches

If you don’t consider a cloud outage a breach, let’s talk about the diverse types of cloud data breaches. It’s best to focus on the operational components of the cloud that either strengthen or weaken the security of a deployed solution.

Not a Cloud Breach but a Cloud-Assisted Breach

A case to be aware of involved a malicious insider at the Oregon Department of Revenue who uploaded stolen files to a private cloud account.¹⁸ The cloud is yet another exfiltration path and since cloud resources are encrypted in transit, leakages are hard to spot.

A case to be aware of involved a malicious insider at the Oregon Department of Revenue who uploaded stolen files to a private cloud account. The cloud is yet another exfiltration path and since cloud resources are encrypted in transit, leakages are hard to spot.

For many, a breach of a large database is the same as a cloud breach. Consider the Indian government’s 2018 breach of 1.1 billion registered citizens through a vulnerability in its Aadhaar national identity database.¹⁹ There aren’t enough details available on this breach to indicate how much the cloud contributed or blunted the breach. The breach seemed to stem from an application vulnerability, which we’ve always had in and out of the cloud.

Software Vulnerabilities Hosted in the Cloud

Is the cloud to blame for exploiting software vulnerabilities in cloud-hosted web applications? Consider Stein Mart's breach from May 2018,²⁰ in which its vendor, Annex Cloud, fell victim to an ongoing rash of formjacking attacks against payment card shopping carts. This was clearly a software vulnerability problem and not necessarily a cloud problem. Would an attack against an unpatched Apache vulnerability count as a cloud breach if it were hosted in the cloud as opposed to sitting in a rack in a colocation facility? It may depend on how the visibility and operational control varies in a cloud environment. This particular aspect is worth investigating. Given that many large databases now dwell in the cloud, the same question of visibility and control arises.

A Cloud in the Supply Chain

The Stein Mart case also raises questions about cloud use within an organization’s supply chain. Another supply chain case occurred in February 2018 in which Capital Digestive Care’s patient data was exposed on a vendor’s cloud server.²¹ So, even organizations that don’t formally adopt the cloud may still contend with cloud security issues through their third parties.

Cloud APIs Everywhere

Lastly, we should consider cloud breaches that involve APIs. In our 2019 Application Protection Report, we examined breaches stemming from API attacks and found a significant number occurring on large platforms running in the cloud. Cloud systems make heavy use of APIs for administrative control, and these APIs are easily accidentally exposed. We see this as a problem that the cloud exacerbates in terms of observability, but not necessarily one that’s unique to the cloud.

What’s Next?

In part 2, we’ll dive into traditional cloud breaches. This includes confidential data falling into the hands of unauthorized individuals, either on purpose, from hacking, or by accident from leaking.

Next article in this series

Authors & Contributors

Raymond Pompon (Author)

All Articles

Footnotes

¹ https://csrc.nist.gov/publications/detail/sp/800-145/final

² https://www.coindesk.com/amazon-cloud-outage-causing-major-issues-at-some-crypto-exchanges

³ https://www.fastcompany.com/90358396/that-major-google-outage-meant-some-nest-users-couldnt-unlock-doors-or-use-the-ac

⁴ https://www.vox.com/2017/3/2/14792636/amazon-aws-internet-outage-cause-human-error-incorrect-command

⁵ https://venturebeat.com/2017/03/15/microsoft-confirms-azure-storage-issues-around-the-world/

⁶ https://www.theregister.co.uk/2017/06/29/rackspace_hit_with_global_outage/

⁷ https://thenextweb.com/google/2017/09/12/google-down-gmail-youtube-maps/

⁸ https://blog.thousandeyes.com/amazon-aws-outage-lesson-managing-cloud-first-risks/

⁹ https://www.datacenterdynamics.com/news/power-event-at-aws-data-center-disrupts-us-east-1/

¹⁰ https://www.geekwire.com/2018/microsoft-releases-details-last-weeks-big-azure-outage-servers-damaged-no-data-lost/

¹¹ https://www.itnews.com.au/news/ibm-reveals-how-its-broke-its-own-cloud-500727

¹² https://technode.com/2019/03/04/alibaba-cloud-outrage/

¹³ https://www.geekwire.com/2019/microsoft-azure-recovering-major-networking-related-outage-took-office-365-xbox-live-services/

¹⁴ https://www.cnbc.com/2019/05/17/salesforce-says-a-major-issue-with-cloud-service-results-in-downtime.html

¹⁵ https://www.engadget.com/2019/06/02/google-cloud-outage/

¹⁶ https://www.bleepingcomputer.com/news/technology/amazon-aws-outage-shows-data-in-the-cloud-is-not-always-safe/

¹⁷ https://www.cbronline.com/news/google-cloud-down

¹⁸ https://www.oregon.gov/newsroom/Pages/NewsDetail.aspx?newsid=2639

¹⁹ https://www.zdnet.com/article/another-data-leak-hits-india-aadhaar-biometric-database/

²⁰ https://www.spglobal.com/marketintelligence/en/news-insights/trending/paqtxwzt5zhuqx9hjatjgq2

²¹ https://www.beckersasc.com/gastroenterology-and-endoscopy/data-breach-at-capital-digestive-care-4-insights.html

TAGS: cloud security cloud Exfiltration breach trends Threats Outage Credential stuffing cryptocurrency third-party security Injection API Attacks Access Tier Credential Theft NIST Services Tier