Cloud Security - Threats and Risk Management

            
 

            

        

          

     
          

         

             
          
 







    
Cloud Security Threats 

    
As cloud computing scales, the threat landscape has evolved into a mix of automated exploits and sophisticated AI-driven attacks. Below are the 12 critical threats organizations face today.









    

        
1. Data Breaches

        
Unauthorized access or theft of sensitive information. This is often the ultimate goal of cybercriminals.

        
Case Study: In 2024, National Public Data suffered a breach exposing 2.9 billion records, including Social Security Numbers.The National Public Data (NPD) breach occurred primarily due to egregious credential mismanagement, where a sister website accidentally hosted a public-facing ZIP archive containing the site's source code and plaintext administrator passwords. This lapse allowed the threat actor, known as "USDoD," to bypass the perimeter and gain high-level administrative access to internal systems that lacked critical secondary defenses like Multi-Factor Authentication (MFA). Once inside, the attackers exploited unpatched vulnerabilities in outdated Apache web servers to maintain persistence, quietly exfiltrating nearly 2.9 billion records over a four-month period—a massive "single point of failure" breach that eventually led to the company’s insolvency and total shutdown by late 2024

    


    

        
2. Data Loss

        
The permanent disappearance of data due to accidental deletion, malicious intent, or provider failure.

        
Case Study: UniSuper (2024) lost its entire cloud account and backups due to a Google Cloud software bug, affecting 620,000 members.The UniSuper crisis in May 2024 was caused by a "one-of-a-kind" software misconfiguration within Google Cloud’s internal provisioning system, which erroneously triggered the total deletion of UniSuper’s private cloud subscription. Because the deletion occurred at the account level, it cascaded across all of UniSuper’s geographically redundant sites, simultaneously wiping out their primary infrastructure and all cloud-native backups. The fund was only able to recover because they had maintained an "offsite" backup with a completely independent third-party provider, which remained untouched by the Google Cloud environment’s failure. This incident serves as a primary example of a "Shared Technology Vulnerability," where a flaw in the provider's management layer can bypass a customer's redundancy measure

    


    

        
3. Insider Threats

        
Threats from individuals with legitimate access, such as disgruntled employees or contractors.

        
Case Study: Tesla (2024) faced a leak of 75,000 personal records by two former employees.The 2023-2024 Tesla data breach was a classic example of an "Insider Threat," where two former employees misappropriated over 100 gigabytes of confidential information in violation of company IT and data protection policies. This massive leak, which became public after the German media outlet Handelsblatt obtained the files, exposed the personal identifiable information (PII) of 75,735 current and former employees, including names, addresses, phone numbers, and Social Security numbers—including that of CEO Elon Musk. Beyond employee records, the "Tesla Files" contained sensitive production secrets, customer bank details, and thousands of internal reports regarding safety complaints related to Tesla's Full Self-Driving (FSD) features. Tesla responded by filing lawsuits against the former employees, resulting in the seizure of their electronic devices and court orders prohibiting further dissemination of the data, underscoring that even high-tech firms are vulnerable to internal "whistleblower" or malicious actor incidents that bypass traditional external cybersecurity perimeters

    


    

        
4. Insecure APIs and Interfaces

        
Poorly secured "entry points" that allow attackers to bypass standard security screens.

        
Case Study: Optus (Australia) suffered a breach where 10 million customer records were scraped via an unauthenticated API.The 2022 Optus data breach was the result of a significant security oversight involving a dormant, "shadow" API that was inadvertently left exposed to the public internet without any authentication requirements. Originally intended for internal testing, the API endpoint remained active on a publicly accessible subdomain and lacked basic security controls like OAuth2 tokens or rate limiting. This allowed an attacker to perform a "Broken Object Level Authorization" (BOLA) attack—essentially using a simple script to cycle through sequential customer ID numbers (e.g., 1001, 1002, 1003) and receive the full personal records for each corresponding customer in return. Because there was no "lock" on the door, the hacker was able to scrape the sensitive data of nearly 10 million Australians by simply mimicking legitimate queries at scale, proving that even a low-complexity attack can be devastating if basic API security hygiene is ignored

    


    

        
5. Misconfigured Cloud Services

        
The most common threat, where complexity leads to security "doors" being left open (e.g., public storage buckets).

        
Case Study: Microsoft AI researchers accidentally leaked 38TB of data via an over-privileged SAS token in 2024. The 2023 disclosure of the Microsoft AI data leak revealed that researchers accidentally exposed 38 terabytes of sensitive internal data by including an overly permissive Shared Access Signature (SAS) token in a public GitHub repository. While the researchers intended only to share open-source image recognition models, the SAS token was misconfigured to grant "full control" over the entire storage account rather than read-only access to specific files. This allowed anyone with the link to access a massive cache of private information, including disk backups of two employees' workstations, over 30,000 internal Microsoft Teams messages, private cryptographic keys, and passwords. The threat was exacerbated by the fact that the token was set to expire in the year 2051, and because SAS tokens are difficult for administrators to track or revoke centrally, the data remained quietly accessible for three years until it was discovered by security researchers at Wiz

    


    

        
6. Account Hijacking

        
Gaining full control of a cloud account through stolen credentials or session cookies.

        
Case Study: The 2024 Snowflake campaign compromised over 100 organizations that lacked Multi-Factor Authentication (MFA).The 2024 Snowflake campaign was a massive credential-stuffing operation that targeted over 100 high-profile organizations by exploiting the lack of Multi-Factor Authentication (MFA) on their cloud-hosted data warehouses. The attackers, linked to the threat actor group UNC5537, did not breach Snowflake’s infrastructure directly; instead, they used passwords stolen from previous malware infections on employees' personal and unmanaged devices. Because the targeted accounts relied solely on single-factor authentication, the hackers were able to use these "infostealer" credentials to log in as legitimate administrators and exfiltrate massive volumes of sensitive data. This campaign highlighted a critical "Shared Responsibility" failure where customers assumed the provider's security was sufficient, while the provider assumed the customers would implement basic hygiene like MFA to secure their own entry points

    


    

        
7. Distributed Denial of Service (DDoS)

        
Overwhelming a service with a massive flood of internet traffic to make it unavailable.

        
Example: The "HTTP/2 Rapid Reset" attack in 2023-2024 peaked at 398 million requests per second.The "HTTP/2 Rapid Reset" attack exploited a fundamental zero-day vulnerability in the HTTP/2 protocol's "stream multiplexing" feature, which allows multiple requests to be sent over a single connection. By leveraging a new technique where the attacker sends a request and immediately cancels it (a "RST_STREAM" frame), they could force the server to do the heavy work of processing and then cleaning up the request without the attacker needing to wait for a response. This allowed a relatively small botnet to generate an unprecedented volume of traffic—peaking at 398 million requests per second—overwhelming the target's server resources while keeping the attacker's own bandwidth usage low. Major cloud providers like Google, Cloudflare, and Amazon had to coordinate a massive infrastructure-level patch to mitigate this threat, as it effectively bypassed standard rate-limiting tools by never technically "completing" the malicious requests

    


    

        
8. Lack of Visibility and Control

        
Difficulty in monitoring "Shadow IT" or tracking activities within infrastructure owned by a third party. The threat of Lack of Visibility and Control in 2026 is often driven by "Shadow IT"—the use of unsanctioned cloud applications, personal storage, or AI tools by employees without the knowledge or approval of the central IT department. Because these assets exist outside the organization’s "security perimeter," they bypass critical defensive layers like automated patching, multi-factor authentication, and data loss prevention (DLP) tools. This creates significant "blind spots" where sensitive company data can be leaked, or unpatched vulnerabilities can serve as hidden backdoors for attackers. Furthermore, when dealing with infrastructure owned by a third-party provider, organizations are limited to the telemetry and logs provided by that vendor; if the provider’s logging is insufficient or the "Shared Responsibility" boundaries are unclear, a breach can occur and persist for months before the organization even realizes its data has been compromised

    


    

        
9. Shared Technology Vulnerabilities

        
Flaws in the underlying hardware (CPUs) that could allow one customer to access another's data on the same physical server. 

        
Example: Spectre and Meltdown vulnerabilities. Spectre and Meltdown are critical hardware vulnerabilities that exploit a performance-optimization technique in modern processors called speculative execution. To speed up processing, a CPU "guesses" which path a program will take and executes those instructions in advance. While the CPU eventually discards the results of a wrong guess, these temporary computations leave "breadcrumbs" in the processor's cache (fast temporary memory). Attackers use side-channel attacks to time how fast the CPU accesses certain data; if the data is accessed quickly, it means it was cached during a speculative guess, allowing the attacker to "read" secrets—like passwords or encryption keys—that should have been protected by security boundaries. In cloud environments, these flaws are particularly dangerous because they could theoretically allow a malicious program in one virtual machine to "peek" at the memory of another customer sharing the same physical hardware, effectively "melting" the security walls between them

    


    

        
10. Compliance Violations

        
Failing to meet legal standards (GDPR, HIPAA), resulting in massive fines and legal action.

        
Example: Storing EU citizen data on non-compliant servers leading to GDPR penalties.

    


    

        
11. Zero-day Exploits

        
Attacks targeting previously unknown software flaws for which no patch currently exists.

        
Case Study: The MOVEit Transfer vulnerability (2023-2024) affected over 2,000 organizations globally.

    


    

        
12. Advanced Persistent Threats (APTs)

        
Organized, state-sponsored groups that stay hidden in a network for long-term espionage.

        
Case Study: "Midnight Blizzard" breached Microsoft's corporate cloud in 2024 to access senior leadership communications. The Midnight Blizzard (also known as APT29) breach of Microsoft’s corporate systems in early 2024 began with a successful password spray attack on a legacy, non-production test tenant account. Because this test account lacked Multi-Factor Authentication (MFA), the state-sponsored threat actors were able to gain an initial foothold and then exploit the account's over-privileged permissions to access a legacy "OAuth" application with high-level access to Microsoft’s corporate environment. By leveraging these broad permissions, the attackers were able to move laterally and target the email accounts of senior leadership and cybersecurity personnel, exfiltrating communications to gain intelligence on what Microsoft knew about their own hacking operations. This incident highlighted the extreme risk of "dormant" legacy systems and the dangers of "app-to-app" permission sets, which can allow an attacker to stay hidden and move through a cloud environment without ever needing to crack a second user password.

    






    
Risk Management in Cloud Computing: Comprehensive Overview

    
Risk management in cloud computing is an elaborate, multi-phased process designed to identify and neutralize threats stemming from shared infrastructure and third-party reliance.


    

        
1. Risk Identification

        
This initial stage involves cataloging all cloud assets and identifying potential vulnerabilities.

        
    
            
  • Asset Inventory: This includes listing and categorizing every piece of data, application, and service hosted in the cloud.
    • 
            
  • Vendor Risks: Organizations must assess risks unique to their Cloud Service Provider (CSP), such as vendor lock-in, specific CSP security practices, and limitations within the Service-Level Agreement (SLA).
    • 
            
  • Threat Identification: Recognizing common cloud-specific threats like data breaches, DDoS attacks, and misconfigurations is critical.
    • 
        

    


    

        
2. Risk Assessment

        
This phase quantifies the identified risks to prioritize mitigation efforts.

        
    
            
  • Vulnerability Analysis: This involves scanning for technical weaknesses, such as unpatched systems or insecure APIs.
    • 
            
  • Threat & Impact Evaluation: Experts evaluate the likelihood of threats (like cyberattacks or natural disasters) and the potential damage they could cause to business operations or data integrity.
    • 
            
  • Prioritization: Risks are ranked as high, medium, or low to ensure critical threats are addressed first.
    • 
        

    


    

        
3. Risk Mitigation

        
Mitigation involves implementing controls to reduce or manage the prioritized risks.

        
    
            
  • Technical Controls: This includes Data Encryption (both at rest and in transit) and robust Identity and Access Management (IAM) with multi-factor authentication (MFA).
    • 
            
  • Auditing and Testing: Periodic penetration tests and security audits are conducted to verify that security policies are being followed effectively.
    • 
            
  • Security Automation: Organizations use automated tools for real-time monitoring and incident response to reduce manual oversight and human error.
    • 
        

    


    

        
4. Risk Monitoring and Review

        
Risk management is not a one-time event; it requires continuous oversight.

        
    
            
  • Real-Time Monitoring: Solutions track cloud resources and traffic patterns to detect anomalies that might indicate a breach.
    • 
            
  • Cloud Security Posture Management (CSPM): These tools automatically detect and fix misconfigurations to ensure ongoing adherence to security policies.
    • 
            
  • Compliance Checks: Regular reviews ensure the organization remains aligned with external regulations like GDPR or HIPAA.
    • 
        

    


    

        
5. Risk Transfer and Acceptance

        
Not all risks can be technically eliminated; some must be managed legally or financially.

        
    
            
  • Risk Transfer: This involves shifting liability through Cloud SLAs that define the provider's responsibility for uptime or by purchasing Cyber Insurance to cover financial losses from breaches.
    • 
            
  • Risk Acceptance: If the cost of mitigating a risk outweighs its potential impact, an organization may choose to accept it. This decision must be formally documented with a clear cost-benefit analysis.
    • 
        

    


    

        
6. Incident Response Planning

        
Despite mitigation efforts, incidents can still occur, necessitating a prepared response.

        
    
            
  • CSIRT: Organizations establish a Computer Security Incident Response Team (CSIRT) to assess and manage cybersecurity emergencies.
    • 
            
  • Four-Phase Model: Incident response typically follows four stages: Preparation, Detection & Analysis, Containment/Recovery, and Post-incident Activity.
    •