68% of businesses in India, and 75% globally, say that more than 40% of data stored in the cloud is classified as sensitive. And 35% of organisations in India note that their data was breached in a cloud environment last year, according to a 2023 survey by Thales Cloud Security, which included responses from nearly 3,000 IT and security professionals across 18 countries.
In June, a bot on messaging platform Telegram allegedly returned personal data of Indian citizens who registered with the CoWIN portal. The country’s Health Ministry denied reports of any data leak and said the Indian Computer Emergency Response Team (CERT-In) was reviewing the existing security infrastructure of the portal.
Earlier, in January, reports emerged that HR management portal myrocket.co allegedly exposed personal information of employees and job candidates. Later, in separate breaches, in April and May, ICICI Bank and university admission platform Leverage EDU’s data were allegedly leaked respectively. These incidents were reported by research-based online publication Cybernews. ICICI Bank has, however, denied the breach, calling the allegations “baseless and false“.
These breaches were fixed after the organisations and authorities were notified. However, even momentary exposure of personal user data can have far-reaching consequences. In particular, personally identifiable information can be used by threat actors to target individuals’ financial assets and online accounts.
(For top technology news of the day, subscribe to our tech newsletter Today’s Cache)
What is cloud storage and why do companies use it?
Cloud storage is a method in which digital data, including files, business data, videos, or images, are stored on servers in off-site locations. These servers may be maintained by the companies themselves or by third-party providers responsible for hosting, managing, and securing stored data. These servers can be accessed either by the public or through private internet connections, depending on the nature of the data.
Companies use cloud storage to store, access and maintain data so they do not need to invest in operating and maintaining data centres. An added advantage of cloud storage is its scalability; organisations can expand or reduce their data footprint depending on need. Most cloud providers offer security features like physical security at data centres, in addition to zero-trust architecture, identity and access management, and encryption to ensure the security of data on their servers.
What are the risks associated with cloud storage?
The risks arise from deployment of incompatible legacy IT systems and third-party data storage architecture. Additionally, the use of weak authentication practices and easily guessable passwords can allow unauthorised individuals to access sensitive data. Data stored in the cloud also face the risk of exposure due to insecure APIs, poorly designed or inadequate security controls, internal threats due to human error and inadequate encryption during transfer or storage, Jaydeep Singh, General Manager for India, Kaspersky told The Hindu.
How legacy systems weaken cloud storage setup?
Though cloud security may appear similar to legacy IT security, the difference in their architecture necessitates different strategies, Singh explained.
Due to the lack of support or upgrades, legacy IT security may have known vulnerabilities that are yet to be fixed. Such vulnerabilities make them an appealing target for hackers who may use the gaps to gain unauthorised access to cloud resources connected with these legacy systems. Additionally, legacy systems may not be capable of supporting more advanced encryption techniques such as secure boot methods or hardware-based encryption, which increases the risks to the cloud infrastructure.
Updating and auditing legacy systems when used in tandem cloud infrastructure is therefore important.
Should data breaches be treated on par with an incident of data exposure in the cloud?
Data breaches and data exposure incidents in the cloud should be treated identically. While in a data breach, confidential or protected information is exposed to unauthorised individuals, data exposure is often depicted as the unintentional disclosure or accidental disclosure of data, resulting from misconfiguration or human error.
“Both data breaches and data exposure incidents require close monitoring to ensure the confidentiality and availability of sensitive information housed in the cloud, ” Singh said.
What are system misconfigurations and how do they happen?
Cloud storage involves multiple systems, servers, and software working in tandem. The overall system is designed to ensure individuals within a company can access data stored on the cloud as and when required. A system misconfiguration arises when there is a lack of thorough security configurations on the devices accessing the cloud data, the servers, or a weakness in the software used. Misconfigurations can either expose user data, making it accessible to unauthorised individuals, compromising security.
“Many times, companies using cloud storage leave security configuration to the cloud vendor, but the cloud vendor is just a vendor and the plans companies opt for may not include access encryption or firewall rules on the cloud. These settings, though important, may be missed, leading to threat actors making use of the misconfigurations in the cloud to access stored data,” said Sanjay Katkar, joint MD, Quick Heal Technologies Ltd.
Who is liable for data protection in the cloud?
The onus of ensuring data security lies with them the companies even though they grant access to data to vendors and partners. If the data is sensitive in nature, it is the company’s responsibility to make sure that a selected vendor has all the right checks in place and has conducted due diligence. This includes checking cloud compliances like ensuring passwords have two-factor authentication, monitoring access to the database, ensuring it is encrypted, and ensuring all firewall rules are set so that only access through certain places and certain departments is allowed.
How effective is encryption in the cloud against fending off attacks from threat actors?
Data encryption is seen as one of the most effective approaches for securing sensitive information in the cloud. However, it comes with its own set of challenges which include encryption before data is stored, ensuring the security of encryption keys, and changing the encryption keys periodically to ensure continued safety.
What are the risks of data migration in the cloud?
There is risk involved when switching between vendors for cloud storage or when systems are upgraded, Katkar said.
Without a proper migration plan and process based on thorough assessment of the cloud provider, data could get exposed. Additionally, ensuring that data is encrypted whenever in transit, and making relevant backups are also key aspects of ensuring data security, he added.
How can users keep their data safe?
When users get to know of possible data breaches, they are recommended to change passwords, two-factor authentication setup, push security question answers, and monitor accounts for unauthorised transactions and SMSs for suspicious activity.
The lifespan of financial data exposed in a breach is short. It is used by threat actors within weeks. However, for personally identifiable data, the lifespan can be longer, with data sold on the dark web to target users for phishing scams and other illicit activities.
- Cloud storage is a method in which digital data, including files, business data, videos, or images, are stored on servers in off-site locations. These servers may be maintained by the companies themselves or by third-party providers responsible for hosting, managing, and securing stored data.
- The risks arise from deployment of incompatible legacy IT systems and third-party data storage architecture. Additionally, the use of weak authentication practices and easily guessable passwords can allow unauthorised individuals to access sensitive data.
- When users get to know of possible data breaches, they are recommended to change passwords, two-factor authentication setup, push security question answers, and monitor accounts for unauthorised transactions and SMSs for suspicious activity.
(The story has been updated with statement from the ICICI Bank)
Published - July 15, 2023 09:58 am IST