Blog

One fact is immutable: Humans are responsible for the vast majority of cloud storage security issues and risks. The human element can cover a wide range of possibilities and is, therefore, less specific than some of the other security issues on our list. To be clear, when we refer to the human element, we do not mean deliberate acts, as those reside in their own category.

In cloud storage, human error is most commonly related to login credentials on the end-user side. Examples include choosing weak passwords or not enabling two-factor authentication. On the company side, human error results in data leaks and exposure, which we will cover later in this article.

How to Mitigate This Issue:

• Training: Implementing a training program helps keep employees aware and informed of proper and safe online behavior.
• Awareness: Awareness helps keep employees and customers up to date on the latest threats and risks.
• Education: Similar to training and awareness, educating anyone who has access to a cloud storage system, whether employees or consumers, helps mitigate the potential for human error.

Security configurations manage how a cloud storage provider implements tools, measures and policies that protect its users’ data. Misconfigurations can lead to unintended vulnerabilities and exploits that risk exposing data stored on remote servers. A few examples of misconfiguration include improper access controls, systems or network configurations.

Users play a role in security configurations, namely by updating the applications that provide access to a cloud storage account. Security patches are pushed through application updates, and failing to install them can lead to unnecessary account data vulnerabilities.

How to Mitigate This Issue:

• Perform regular updates: Routinely check for and install updates to your cloud storage applications.
• Stay in the know: Educate yourself on the common security risks that threaten cloud storage providers, and research those that target your chosen service specifically.
• Compliance is key: Don’t violate the terms of service that govern how you use a cloud storage service. Doing so could put your account at risk.

Identity and access management refers to the technology, systems and policies that determine which resources users can or cannot access. This is particularly impactful for cloud storage business plans with many users and administrators, which makes managing access to specific data or team folders complex and prone to vulnerabilities.

Although the typical end user doesn’t see it, the backend of a cloud service technology is complicated and sophisticated — at least when it comes to user access. When you add in the complexity of business plans and an admin console that gives more control to the end user, it’s clear that identity and access management is a significant risk.

A good example of this is an administrator providing access to data from a team folder to the wrong user or group of users. This type of access management mistake could compromise the progress made on a project or even expose sensitive data to employees who should not have seen it.

How to Mitigate This Issue:

• Enable SSO: SSO, or single sign-on, is an authentication method that helps ensure only authorized users gain access to a given system.
• Enforce policy: Administrators and managers need to enforce authentication policies, such as password requirements or password change frequency.
• Track activity: Knowing what the end users are doing and the actions they are taking is a helpful way to mitigate unauthorized access.

Insider threats exist when someone who works for a company or who has privileged access to a system deliberately takes actions to compromise the system or data contained within the system. Those with the appropriate level of access can easily circumvent security systems and other protections.

Someone who deliberately compromises security and data integrity represents the highest level of potential negative impact from humans interacting with cloud-based technology. That’s the risk of an insider threat.

How to Mitigate This Issue:

• Compartmentalize: Compartmentalization entails employees only having access to the systems and tools they need to perform their jobs.
• Vetting: In essence, know your people. If there’s any doubt, consider steps to minimize a potential issue.
• Incident response: If the worst-case scenario happens and your company falls victim to an insider threat, ensure that an incident response plan is in place to mitigate the damage.

Malware is a computer virus containing malicious code that is often hidden in a program. It can replicate itself with the intent to destroy data and harm computers. It’s one of the most common types of cyberattacks that include ransomware, adware and spyware.

In 2023, there were over 6 billion malware attacks worldwide. This makes malware one of the most prevalent kinds of cyberattacks.

How to Mitigate This Issue:

• Perform data backups: Performing regular data backups protects your information and helps you recover faster from a malware attack.
• Filter content: You can filter content from either internal or external sources in several ways. One example is mail filtering, which can block questionable emails and remove potentially contaminated attachments. If an email or website looks fishy, avoid interacting with it.
• Use an antivirus: If your computer ends up with a virus, having strong antivirus software can help minimize the damage and remove the threat.

Phishing is a common tactic that takes advantage of an unsuspecting user. It often appears as a link embedded in an email. Once the malicious link is clicked, it either takes you to a fake website or tries to install malware on your device. The ultimate goal is to steal credentials, gain access to your account or make you reveal personal information.

Phishing is sometimes mentioned in the same context as social engineering. With social engineering, the goal is to deceive or manipulate people into providing sensitive or confidential information. In the context of information security, phishing is most certainly a form of social engineering.

How to Mitigate This Issue:

• Don’t click links: Specific to emails, the best way to avoid malware and phishing is to never click a link in an email. Additionally, most companies have a way for you to report malicious links from phishing emails.
• Be wary: Similar to the previous mitigation tactic, if an email or website looks fishy, avoid interacting with it.
• Check your browser: Modern browsers have settings that help protect you from potentially harmful websites. However, you may need to activate or customize these settings.

Unauthorized access entails someone gaining access to your account without your consent. This can happen when companies have access to your login data, which is only possible if those companies don’t use zero-knowledge encryption. Unauthorized access can also occur when a hacker exploits security vulnerabilities.

How to Mitigate This Issue:

• Security configurations: Using a cloud service requires faith that the service has the necessary safeguards in place to protect your sensitive data. However, several providers also offer additional security options to users. If available, take advantage of them.
• Refresh credentials: It is wise to regularly change your login credentials and to choose a password that is hard to guess.
• Two-factor authentication: Enabling two-factor or multi-factor authentication, which nearly all cloud storage services offer, helps protect you from unauthorized access.

Data privacy and confidentiality, also known as information privacy, are driven by a combination of laws and regulations designed to protect user data stored on public cloud infrastructure. A company’s individual data privacy policies, in combination with laws and regulations, can have the greatest impact on a user’s data.

In addition to internal company policies, cloud storage providers are guided by laws and regulations that vary by location. Since most cloud storage has worldwide access, they are often required to comply with well-known regulations like the GDPR or HIPAA for health care data.

How to Mitigate This Issue:

• Understand the regulations: It’s important for cloud storage providers and their users to understand the laws and regulations that govern a given service.
• Stay updated: Laws and regulations that deal with personal data privacy are regularly changed and updated.
• Read the privacy policy: We highly recommend that you read and understand the privacy policy for the cloud storage provider that will store your data.

Network attacks are another subset of cyberattacks, with a special emphasis on disrupting or disabling the networks used to transmit data. A denial of service (DoS) or a distributed denial of service (DDoS) are two prime examples of a network-focused attack. However, this type of attack can be enacted on devices as well.

A man-in-the-middle attack is another network-focused attack. In this type of attack, a bad actor attempts to intercept a data transfer by impersonating the recipient’s digital credentials to steal the data. Another example is a brute force attack, which attempts to repeatedly guess elements of your credentials to gain access to your account or data.

When these attacks happen, the intent isn’t always to steal data or cause a data breach. Rather, the goal of a network attack can be to deny you access to your data. Attackers do so by flooding a network with requests to render it unavailable. Generally, they will then demand some kind of ransom to end the attack.

How to Mitigate This Issue:

• Early detection: The more quickly you can detect a network attack, which could be as simple as investigating a sustained slowdown in connectivity, the more likely you are to minimize the impact of a network attack.
• Rapid response: Companies that have a disaster response plan in place can help stop and mitigate a network attack.
• Traffic routing: For more advanced networks and users, monitoring network traffic to pinpoint usage anomalies could help identify a network attack early on.

An application program interface (API) is used when companies want to create integrations to cloud systems. APIs are how two or more computer programs can communicate with each other. Though not specific to cloud storage, we will focus on that perspective for the purposes of this article.

The infrastructure for the cloud can be complicated, as can the backend and configurations of the company looking to make the connections. These two factors can lead to configuration mistakes, which can introduce unintended weaknesses and vulnerabilities.

How to Mitigate This Issue:

• Error test: When connecting to an API, extensive error testing can reveal bugs and vulnerabilities.
• Data encryption: Encrypting data that connects with an API is one way to ensure it is not compromised in the event of an incident.
• OAuth: Open authorization, or OAuth, is a standardized method that allows websites and applications access to data. It does not use passwords but is an effective way to securely share information.