9 top cloud storage security issues and how to contain them

Despite advances in cybersecurity technology by cloud service providers, security of cloud storage resources continues to be a challenge.
Cloud storage security issues, such as inadequate management and monitoring, can lead to exposure of enterprise data to unauthorized parties. Get out in front of those problems before they lead to disgruntled customers, unhappy business partners and stakeholders, costly lawsuits and other headaches.

1. Misconfiguration
Misconfiguration typically results from a lack of experienced storage security technicians or engineers, complex resource policies or ever-changing UIs. For example, a cloud service provider’s (CSP) storage engineer may examine a security issue but fail to complete the process due to a change in priorities.
Take these actions to mitigate misconfiguration issues:

Create or update a cloud storage security plan.
Have more stringent storage security policies and standards that the CSP must address.
Update controls for storage configuration activities.
Train and educate CSP storage teams to ensure they know the most current storage security configuration methods.
Update configuration monitoring activities using the appropriate tools and logs.

2. Lack of access control and identity management
Insufficient controls that don’t detect security violations can lead to unauthorized access.
Assuming the CSP is using the most current access and authentication tools, periodically review those controls, analyze data access to detect possible anomalies and examine data access outside of the CSP’s domain.
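
One way to run the access review described above, as an added example that is not part of the original article. The log layout, the principal names, the approved-domain list and the thresholds are all constructed assumptions, and "outside the domain" is read here as access by principals whose identity domain is not on an approved list.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample export: timestamp, principal, action, object key, bytes transferred.
SAMPLE_LOG = """\
ts,principal,action,object,bytes
2024-05-01T09:02:11Z,alice@corp.example,GET,finance/q1.xlsx,120000
2024-05-02T09:10:45Z,alice@corp.example,GET,finance/q1.xlsx,118000
2024-05-03T09:05:02Z,alice@corp.example,GET,finance/q2.xlsx,125000
2024-05-04T02:41:30Z,alice@corp.example,GET,finance/archive.zip,9800000
2024-05-02T14:20:00Z,bob@corp.example,PUT,hr/roster.csv,40000
2024-05-03T14:22:00Z,bob@corp.example,PUT,hr/roster.csv,41000
2024-05-03T23:15:09Z,svc-sync@partner.example,GET,hr/roster.csv,41000
"""

APPROVED_DOMAINS = {"corp.example"}  # assumption: identity domains the organization trusts
VOLUME_FACTOR = 10                   # assumption: flag a day at 10x the principal's median day

def load_events(text):
    """Parse the CSV export into dicts with an integer byte count."""
    return [dict(row, bytes=int(row["bytes"])) for row in csv.DictReader(io.StringIO(text))]

def outside_domain(events, approved=APPROVED_DOMAINS):
    """Return events whose principal is not in an approved identity domain (no domain = flagged)."""
    return [e for e in events if e["principal"].rpartition("@")[2].lower() not in approved]

def volume_anomalies(events, factor=VOLUME_FACTOR, min_days=3):
    """Flag (principal, day, bytes) where a day exceeds factor x the median of that principal's other days."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        daily[e["principal"]][e["ts"][:10]] += e["bytes"]
    flagged = []
    for principal, days in daily.items():
        if len(days) < min_days:          # too little history to form a baseline
            continue
        for day, total in days.items():
            baseline = median(v for d, v in days.items() if d != day)
            if baseline and total > factor * baseline:
                flagged.append((principal, day, total))
    return sorted(flagged)

if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    print("outside approved domains:", [e["principal"] for e in outside_domain(events)])
    print("volume anomalies:", volume_anomalies(events))
```

Principals with fewer than `min_days` of history are skipped by the volume check, so new or rarely used accounts still need the domain check or a manual review.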

3. Inadequate data management
Data management addresses data from creation to disposal. Improper data management can lead to data corruption or data leakage — two critical cloud storage security issues.
Ensure a data management policy is in place and the CSP understands it. Encrypt data at rest and in motion to enhance protection in all phases of the lifecycle. Consider using third-party data protection tools to supplement the CSP’s services, educate users on data protection activities and control access to data with role-based authentication.

4. Insufficient security controls
Cloud storage security issues can develop from conflicting and overly complex security controls that may require an engineer to resolve.
Users must decide whether they prefer to set their own security rules or leave it to the CSP. An updated cloud security policy can specify the controls. Regularly test security controls as well.

5. Lack of real-time monitoring of security activities
While the CSP probably performs some level of monitoring, users must remember that CSPs are managing hundreds of customers and their storage security activities.
Take a proactive approach to monitoring and log analysis to increase the likelihood of identifying potential breaches before they occur.

6. Lack of a process to back up and recover data from a CSP
Many organizations depend exclusively on a CSP to protect their data from potential attacks. Major CSPs have developed and deployed world-class security for storage requirements. It is also a good strategy, though, to have a way to back up, recover and retrieve mission-critical data if the CSP has a failure or access disruption.
Use HDDs, NAS, other on-site storage arrangements or off-site backup through another CSP.

7. Human error
Something as simple as typing “O” (letter) instead of “0” (number) can affect how a system executes a command. In addition, a fully qualified rogue employee can use that expertise to destroy customer data by introducing malicious code into a customer system.
While the CSP will likely address the above situations, users can help themselves by ensuring service-level agreements (SLAs), for example, have provisions for dealing with CSP error or malicious intent.

8. Inadequate management of data breaches and ransomware attacks
CSPs likely have specific protocols to respond to data breaches or other cyberattacks affecting customer data storage. Users must accept the risk that CSPs may fail to adequately manage and resolve cyberattacks.
An SLA can address the possibility of such events. The SLA must be specific about the circumstances associated with a successful cyberattack and the remedies for the user.

9. Regulatory compliance in question
Considering the current regulatory landscape for data protection, cloud storage security activities must comply with increasingly strict regulations.
The EU’s GDPR, for example, provides specific rules for compliance. Failure to comply with GDPR can result in significant penalties, such as heavy fines.
Editor’s note: This article was updated in 2024 with additional information, including more issues to consider. Technology writer John Edwards wrote the original article.
Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.