Is the Cloud Safe? Part 1: Models and Misadventures

The cloud, like every other technology, was developed to help us do more things faster and more efficiently. It’s a business tool that provides the self-service flexibility of on-demand technological services decoupled from the need to physically deliver hardware and software. Organizations are flocking to leverage this power, but there are nagging questions: Is cloud security getting better or worse? Why does it seem that there are more cloud breaches happening now than before? If an organization moves to the cloud, is it more likely to get hacked?

These questions are understandable. Although many organizations are rushing to the cloud or being driven there by their leadership, no one wants to end up in a headline because of a security fiasco. IT decision makers need to know how to avoid the most likely ways to fail. In part 1 of this article series, we unpack these questions about the prevalence and danger of cloud breaches.

Cloud Services and Deployment Models

First off, there isn’t one definitive type of cloud. The National Institute of Standards and Technology’s (NIST) definition of cloud computing lists three cloud service models—infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS)—and four deployment models: private, community, public, and hybrid.

In F5’s 2019 State of Application Services survey, 87 percent of respondents indicated they operate in a multi-cloud environment, meaning any combination of the above. So far, we don’t have enough detail on many reported breaches to know if the affected assets were stored in the cloud, on premises, or in hybrid environments, nor do we know the kinds of services that were in use. As we unfold this story, we’ll be as specific as possible. That way you can map our individual datapoints back to the kinds of cloud services and deployment models you’re using.

What is a Breach?

When we talk about breaches, we’re specifically talking about the exposure of protected data to unauthorized persons, for example, cybercriminals getting our payment card data. However, in our 2018 Application Protection Report survey, we saw that some industry sectors care as much about availability as other sectors do about the confidentiality of their data. Is an outage—that is, the unexpected failure of availability of service—considered a breach? For some, it could be.

In some cases, major cloud platform outages have not just caused businesses to lose money, but also have had negative effects on cryptocurrency markets. In one case, a cloud outage caused electronic door locks to remain shut, even for the authenticated owners. Looking through the major cloud services, we see all the major players have had outages, including Amazon Web Services (AWS), Microsoft Azure, Rackspace, Alibaba, Salesforce, and Google. The table below is a brief snapshot of major cloud outages since 2017:

Cloud Outages Since 2017

When        Who          What
Feb 2017    AWS          Regional outage
Mar 2017    Azure        Storage systems outage
June 2017   Rackspace    Networking outage
Sep 2017    Google       Services outage
Mar 2018    AWS          Regional outage
May 2018    AWS          Regional outage
Jun 2018    Azure        Regional storage and network outage
Jul 2018    IBM          Global slowdown and outage
Mar 2019    Alibaba      Regional container outage
May 2019    Azure        Services outage
May 2019    Salesforce   Database access failure
June 2019   Google       Services outage
Aug 2019    AWS          Regional outage
Nov 2019    Google       Services outage

Outages do occasionally happen, and this is probably a contributing reason why many organizations adopt a hybrid cloud approach.

The Broad Spectrum of Cloud Breaches

If you don’t consider a cloud outage a breach, let’s talk about the diverse types of cloud data breaches. It’s best to focus on the operational components of the cloud that either strengthen or weaken the security of a deployed solution.

Not a Cloud Breach but a Cloud-Assisted Breach

One case to be aware of involved a malicious insider at the Oregon Department of Revenue who uploaded stolen files to a private cloud account. The cloud is yet another exfiltration path, and since traffic to cloud resources is encrypted in transit, leaks are hard to spot.


