Top 7 Cloud Security Challenges (2024 Edition)

What is Cloud Computing?

Cloud computing mainly refers to the practice of utilizing on-demand services, including computing, storage, databases, etc., via subscription to a Cloud Service Provider like Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and more. Cloud users can provision the cloud providers’ resources and access them online. Consumers only pay for what they use and are spared the hassle of maintaining their own infrastructure on-premises.  

According to Forbes, the global cloud computing expenditure has been forecasted to surpass 1 trillion USD this year. Organizations have been migrating their workloads to the cloud in increasing numbers. This move is fueled by the benefits provided by cloud computing as opposed to traditional computing, like better cost efficiency, scalability, and speed.

Varied types of cloud computing services offer different features to the user:

1. Infrastructure-as-a-service (IaaS) – Provides only hardware, user handles all software
2. Platform-as-a-service (PaaS) – Provides a platform for users to develop their applications
3. Software-as-a-service (SaaS) – Cloud-hosted software that customers can use

Security in the cloud

With the increasing rate of adoption of cloud services across the global spectrum, it is imperative that cloud computing workloads be managed securely. Ensuring that the data and workloads within the cloud are secured is a responsibility that falls to both the consumer and the service provider. This is known as the Shared Responsibility Model.

This model depicts that the security of resources within a cloud environment is shared by the customer and the provider, depending on the type of service used. This is in contrast to hosting infrastructure on-premises, where the customer is responsible for everything. This serves as a helpful representation for anyone wishing to move to the cloud.

Current state of Cloud Security

As more organizations migrate to the cloud, adversaries are targeting cloud assets more. Orca Security recently reported that a whopping 81% of organizations using cloud resources have public-facing cloud assets that could become valuable targets for adversaries. Sysdig’s 2024 report on Cloud Native Security and Usage revealed that Identity and Access Management is an area that is continually being overlooked when it comes to security.

On the other hand, regardless of the global economic situation, organizations are increasing expenditure for their cloud security spending. Cloud service providers have also been learning from past incidents and making constant endeavours to improve the security of their infrastructure. AI-based detection models have also been making waves and their usage is only going to increase this year. Organizations are shifting their focus to vulnerability management programs within the cloud to secure their workloads.

Future projections

Experts predict cloud security expenditure to grow from 40.7 billion USD to 62.9 billion USD by 2028. By the end of next year, a whopping 100 ZB of data is predicted to be stored within the cloud, which further increases security concerns. According to Trend Micro, attacks on cloud environments are expected to become even more complex this year, with edge computing becoming a new target for attackers. Attacks against cloud identity management and hybrid multi-cloud environments are projected to be on the rise as well. As per CrowdStrike’s Global Threat Report 2024 , attacks against cloud environments also continue to increase.

Cloud security challenges in 2024

As the global IT industry records an ever-increasing shift towards cloud service adoption, it becomes important to address the issue of cloud security. While the presence of cloud computing has made it very beneficial for organizations to run their workloads, it has also brought about a plethora of challenges that need to be addressed with regard to security within the cloud:

1. Lack of resources/documentation – Whenever we consider a new/emerging technology, the best way to familiarize ourselves with it is to look up online documentation in order to upskill. One of the major challenges with cloud security is that there is a lack of materials online with a focus on cloud security. While some providers offer extensive documentation regarding their offerings, it’s not enough when it comes to security. Community material is often a good resource, but apart from a couple of major cloud providers, even the community doesn’t have much to offer when it comes to such documentation.
2. Shadow IT – Shadow IT refers to IT resources that have been provisioned outside of the official channels and are, therefore, not tracked. This issue is amplified within the cloud since spinning up new resources is easier and quicker here. Organizations generally tend to segregate workloads across testing (or development) and production environments. Testing environments usually have relaxed security controls and reduced monitoring in place. Consequently, extraneous resources provisioned within such environments are not tracked properly and can become easy targets for potential adversaries.
3. Lack of control over physical security—One of the major benefits of cloud computing is that the customer does not need to maintain infrastructure on-premises. However, this can have a negative impact on the security of organizational assets. The customer does not have any insight into the security of the hardware storing their data and assets. The customer has little to no control over how this is managed, which can be a deterrent to some people when it comes to adopting a cloud-first mindset.
4. Shared responsibility confusion – While the shared responsibility model does a pretty good job of dividing the responsibilities for the security of the cloud and security in the cloud to the provider and the customer respectively, not all users are aware of this fact. For services that offer on-demand hardware to an end-user, the user is supposed to manage all the software, including keeping the operating system and applications up to date. End users often forget this and do not stay on top of the change management and update process needed to maintain the security of their cloud resources. The lines often become blurred, and users cannot uphold their end when securing their resources. For example, when you use a Virtual Machine within the cloud to host your application, the cloud provider is responsible for ensuring the physical security of the hardware your instance runs on, but you are responsible for ensuring the security of the hosted application along with the maintenance and updation of the libraries and frameworks you install for the same.
5. Supply chain security—Modern applications hosted within the cloud are quite sophisticated and consist of a large number of features. Various third-party libraries and frameworks are utilized to achieve that. However, these libraries often come from external sources that aren’t controlled by the end user. If undetected, any vulnerabilities present in such libraries may pose a security risk to the cloud environment where such an application is hosted.
6. Improper implementation of logging and monitoring services – Cloud providers offer a range of services which provide monitoring capabilities for users’ workloads. However, as the workloads grow, so do the costs associated with monitoring them. In a bid to reduce expenditure on such monitoring services, users often do not implement either the full range of monitoring services required to secure their environments or turn off important features when it comes to logging. As a result, security incidents and breaches within the account go undetected and without the proper logs, it becomes difficult to perform incident triage.
7. Keeping up with the constantly changing attack surface – Cloud service offerings receive regular updates since cloud providers add new features to their catalogue constantly. As a result, new attack vectors arise, and it becomes very difficult for security professionals to stay on top of constantly emerging threats. This is compounded for multi-cloud environments, where expertise with multiple cloud vendors is required.

Solving the problem

One of the major issues at hand here is the lack of end-user awareness. As a community, we need to band together and conduct more awareness sessions, get together for webinars and workshops in order to facilitate knowledge sharing. Organizational processes which involve the creation, usage, or maintenance of cloud resources must become more stringent and introduce better monitoring to ensure employees follow through. Organizations that wish to migrate to the cloud should also ensure that their employees who are responsible for handling cloud workloads are provided with the essential security training to ensure they’re protected from potential attacks against their infrastructure.

Another important step would be to maintain a multi-layered defence against attacks, more commonly known as Defence-in-Depth. Focusing on increasing the security of Identity and Access Management systems within the cloud will also tend to go a long way towards ensuring a secure cloud environment.

At Payatu, we regularly conduct webinars, publish e-books and contribute towards constantly creating content that the community can benefit from.

We at Payatu can help concerned customers improve their cloud security posture by conducting cloud security training sessions specifically tailored to the customer’s needs, performing regular cloud security audits, cloud configuration reviews and conducting penetration tests to assess the security of the clients’ cloud infrastructure.

Conclusion

The growth in the adoption of cloud computing services is rising, and so are the potential threat vectors for the same. However, by enabling efficient knowledge sharing as a community, we can make our cloud workloads more resilient to all kinds of adversaries.

References:

• https://orca.security/resources/press-releases/state-of-cloud-security-2024-report/
• https://www.forbes.com/sites/bernardmarr/2023/10/09/the-10-biggest-cloud-computing-trends-in-2024-everyone-must-be-ready-for-now/?sh=308a475b66d6
• https://www.trendmicro.com/vinfo/in/security/news/virtualization-and-cloud/building-resilience-2024-security-predictions-for-the-cloud
• https://www.cisecurity.org/insights/blog/shared-responsibility-cloud-security-what-you-need-to-know