Top 3 Cloud Migration Security Risks

Originally published by Synack.

Written by Charlie Waterhouse and Justine Desmond.

The benefits of cloud computing are hard to ignore – the speed, flexibility and cost savings make it a worthwhile investment for many enterprises. What’s written in fine print is that while cloud providers do maintain many security certifications (i.e. Microsoft Azure), a large number of security roles and responsibilities will continue to fall on your team. Additionally, if you have a database or application that was previously secure on premise, it may not be in the cloud.

The cloud is simply distributed servers that are accessed over the internet. A key thing to keep in mind is that the server exists in a physical location somewhere but not one that the asset owner controls. During a cloud migration, a company’s digital assets, services, databases and applications either wholly or partially move into the cloud. This is also true of cloud-to-cloud migrations between cloud providers.

As your organization ramps up its efforts for digital transformation, there should be a security testing plan in place with security and risk management leaders. This may lead to additional questions like which assets should be tested and what the organization’s responsibility for security is. While you usually can’t test assets you don’t own (i.e. the cloud’s on-premise physical data centers), you are able to test things that you fully control such as your websites, databases and other items. If your company wrote the code or maintains it, you can probably test it.

A strategic security testing plan for the cloud could look like testing continuously on assets that are critical to the business and less important assets tested quarterly or annually. Continuous security testing would mean regular automated scans and sending in fresh eyes regularly to spot potential vulnerabilities.

What risks should you be looking for when testing? Typically, there are a few risks that are top of mind for security practitioners:

1. Sensitive data exposure

Data loss or leaks can, and often do, occur. By the nature of the cloud, everything can be reached from the internet or remotely. That means anyone, anywhere, with the right information can access it. A common risk vector is storage buckets, which are frequently exposed due to misconfiguration challenges. Recently, an Amazon S3 bucket containing 3TB of data, including airport employee records across Columbia and Peru, was left unprotected and exposed over one million files online.

The transfer of data that occurs during a cloud migration increases risk by its nature. Your data is “exposed” during the migration process and security controls in the cloud may not match the previous environment. Role-based authorization controls (RBAC) are normally quite detailed to work within your organization. RBAC designed by the cloud provider may be significantly different and lead to a violation of best practices where someone can get access to files that they shouldn’t. Testing the infrastructure for data leakage and access control issues is critical.

2. Application program interface (API) security

APIs are “a critical part of modern mobile, SaaS, and web applications and can be found in customer-facing, partner-facing, and internal applications,” as stated in the recently published OWASP API Top 10. It is important to test APIs for common vulnerabilities like broken authentication mechanisms or excessive data exposure.

An API breach can be near devastating with the right conditions. For example, in September 2022 the Australian network service provider Optus had a breach that exposed the data of 10 million customers due to an exposed API endpoint.

With digital transformation, there are more applications to manage than ever and that includes APIs. Hackers are increasingly targeting APIs hosted in the cloud as they are exposed to the internet and provide potential points of ingress into applications. An API that doesn’t require proper authentication can put your business and customers at risk. It would be the equivalent of leaving your computer open and unattended at DefCON.

3. Increased compliance fines

In 2017, Equifax failed to patch a vulnerability in an open source Apache Struts framework in one of its databases. The vulnerability was exploited and the information of 150,000 individuals was exposed. They were fined $575 million by the Federal Trade Commission.

The UK, China, the US and the EU, are increasingly passing laws that impose significant fines for security breaches. With the nature of the cloud, some security incidents are more likely to occur, and it is vital to be familiar with GDPR, CCPA, COPPA, PCI-DSS, HIPPA and other compliance frameworks.

How to Secure Your Cloud Migration

The examples given above are some of the most egregious breaches and fines, but the reality is most companies will experience some kind of attack and should be prepared with their best defenses. You can only understand potential weaknesses by conducting security testing to get the adversarial perspective.

The cloud may be what your team and customers need for operational efficiency. A migration to the cloud also means you have to change your security suite to align with today’s threats. Traditional pentesting worked for testing a small number of on-premise solutions once a year, but companies now have to evolve to continuous testing to keep up with cloud assets.

You should look for cloud security testing that includes benefits like:

• Continuous testing to identify weaknesses and potential data exposure in critical assets before adversaries
• Test Web, Host, Mobile and API endpoints for vulnerabilities or exposures
• Reports to document pentesting in compliance with frameworks like GDPR, PCI, FISMA and ISO27001
• Re-testing to make sure critical vulnerabilities are successfully patched
• Ability to test API endpoints and provides proof-of-coverage reports
• Can test assets hosted in major cloud providers including Azure, GCP, and AWS.
• Audit-ready reporting to prove that assets have been thoroughly tested