Rapidly changing environments, increasing demand, evolving technologies and major worldwide events make 2016 a challenging era for cloud data security. While many security concerns have not changed since last year, 2016 will provide several unique situations motivating attackers to intensify malicious activities – business organizations should be prepared for the assault.
1. Intensifying Cloud Attacks
As more organizations move to SaaS and other cloud-based services, traditional security measures are phasing out. No longer can organizations lock down their sensitive data or monitor access to data center servers, because they are no longer behind the organization’s firewall. The hardware and software is in the hands of third party providers and organizations must ‘trust’ their data is protected.
Though cloud services enable overall cost benefits and allow users to access data and applications from any location, concerns for data security have increased. The available surface for attacks has increased with cloud services as hackers attack applications from any device from any location. Encryption of data between cloud providers and customer organizations increases data security but causes uneven monitoring and auditing of the data, making it difficult for organizations to detect and stop suspicious activity to sensitive data and impeding forensic investigations. While SaaS providers rigorously seek SAS 70 or ISO 27001 compliance, they are pressured to integrate with third-parties through API support which increases the surface vulnerabilities to attack. As more cloud services are adopted by organizations, the traffic surrounding the network perimeter will increase and the demand will place additional burden on internal security devices.
2. Themed Attacks
Major events in the world attract attention to spectators and participants, but also hackers and hacktivists. Large sporting events, political campaigns and demonstrations provide ready-made platforms for an attack. With an estimated 74% of adults active on social networking, the surface area for potential attacks is primed and available. Many attacks will likely focus on promoting propaganda or providing misinformation, but some will use these events as Trojan horses to spread malware and other malicious programs.
Elections and large events are temporary states and, as such, rapid deployment of technology without a clear plan for data security will create exploitable vulnerabilities. Candidate, constituent and donator information are more attractive to hackers. Lack of data security knowledge by organizers and volunteers will lead to lax attempts in protecting sensitive campaign data.
3. Data Privacy vs Law Enforcement
Governments have enacted a number of regulations to safeguard the privacy of individuals while law enforcement agencies have increased the number of requests to access data. Individual rights to data privacy and access to data by law enforcement and intelligence agencies seem in dire opposition to each other in light of potential terrorist attacks. Organizations are caught between maintaining obligations to data security and providing reasonable access to data to law enforcement.
4. Mobile Wallet Attacks Prevail
The financial landscape is changing rapidly as more consumers are relying on electronic payments methods to complete one-time and regular transactions. To support the evolving landscape, financial institutions and retail companies are building a new infrastructure and adopting new payment methodologies; however, the landscape is still relatively new to determine the security impact of these changes.
Money is always a motivator for hackers and mobile wallets are a new attraction for potential attacks. Efforts to access consumer’s wallets will increase as malware authors exploit vulnerabilities in the expanding infrastructure and new methodologies for transactions. Cell phones have become the preferred source for two-factor authentication, increasing the value of exploiting security flaws in physical devices and mobile applications. Ransomware will become more prominent on mobile devices. Additionally, allowances by corporate organizations regarding employees and customers bringing personal devices into ‘secure’ environments increase the security vulnerabilities as these devices become a bridge into corporate networks to syphon monies, gain intellectual property and obtain confidential and insider information.
5. Internet of Things – Connecting Cybercrime
Internet-connected and mobiles devices benefit productivity but put organizations at risk as employees are accessing data in ways unknown to security personnel. These devices are being used as authentication measures without traditional security controls in place: i.e. an employee accesses email through a personal phone rather than a VPN-protected laptop. Healthcare is a major proponent of IoT with increased need for connected medical devices within and outside hospital networks. However, 75% of hospital network traffic is unmonitored and a 340% increase in security incidents demonstrating the vulnerabilities to IoT-based data security according to a recent research study.
The number and breadth of security vulnerabilities in 2016 are increasing and will be more attractive to potential hackers and hacktivists. The growing separation between organizations and cloud service providers regarding data security requirements will test the ‘trust’ and reliance of cloud-based services in the coming year. The demand for control over data security may overshadow the cost benefits of using third party providers. The cloud industry is expected to amp up security measures to address the rising data security challenges facing the enterprise cloud segment in 2016, which will be far from an Armageddon for cloud as long as users follow industry-proven best practices.
Planning your cloud security measures? HOSTING can help. Contact our certified information and compliance teams anytime to review your specific needs. And view this on-demand webinar, How to Spend Your Cloud Security Dollar, for help in creating a comprehensive cost-effective cloud security plan.