Businesses have a great deal of experience developing and implementing data protection strategies that allow them to recover from attacks on their on-premise IT environments. However, increasingly, enterprises need to begin considering a new threat to their IT environments. This threat is malicious actors using “zero-day” vulnerabilities—vulnerabilities that are so new, they cannot be patched before they are exploited—to attack and bring down the major cloud providers that organizations are increasingly relying on to host critical applications and data.
For years, U.S., U.K., and other government cybersecurity agencies and major cloud provider security teams have worked to discover and fix these zero-day vulnerabilities as quickly as possible, allowing them to fend off these types of zero-day attacks. Doing so has required them to invest large amounts of time and money. For example, governments have expanded the size of their cybersecurity departments, while major cloud providers have launched security rewards programs and hired ethical hackers. Cloud providers have also augmented traditional cybersecurity solutions with their own in-house developed security technologies. To date, this work has prevented a successful zero-day attack on any major cloud provider.
However, the threat of successful zero-day attack continues to grow. For example, if the current intense cyber “cold war” taking place between countries gets hotter, an effective zero-day attack could be launched by a rogue state or other nation. Moreover, it is common knowledge that some western security agencies find and exploit security flaws for their own means, and don’t necessarily notify technology vendors, based on their own value-to-risk index. In addition, as the number of major cloud providers and the amount of data stored by these providers continues to grow, so do the financial and reputation rewards that would accrue to cybercriminals who were able to takedown a major cloud provider.
Given this reality, enterprises need to ask themselves—are they prepared for a successful malicious zero-day attack on their cloud providers? Enterprises are increasingly using hybrid cloud, SaaS or cloud-only environments to run their applications and store their data, and a successful attack could disable or even destroy these applications and data. Despite this risk, the high-availability of the cloud has created a deep sense of security regarding the safety of cloud-based applications and data. In many cases, this feeling of security has led many companies to fail to account for the protection of their cloud data from a zero-day attack or other cloud outage or disaster. Yet, somewhere in the fine print, every cloud provider’s contract puts the ultimate responsibility for data protection on their customers. Whatever promises these providers make regarding their security, their customers need to remember that they are ultimately responsible for protecting their own data. And the evidence shows that, when it comes to implementing cloud data protection best practices, it is customers who have been the weakest link.
Enterprises can take steps to minimize the risk that a successful zero-day attack or other cloud outage will disrupt or damage their business. Specifically, they can ensure that their data protection strategy provides them with a comprehensive understanding of what data they have in the cloud and set appropriate recovery objectives for this cloud data that reflects its value. They also need to test the plan they have in place to recover cloud data if a zero-day attack or other outage were to occur.
The Hidden Risk: Zero-Day Attacks on Cloud Providers
Today, it is easy for enterprises to become complacent regarding protection of cloud data. AWS, Microsoft, Google and other major cloud services and SaaS providers have built cloud platforms that are extremely secure, leading many enterprises to assume that just because they haven’t been broken into yet, they can’t be. Yet, nothing ever made by a human is completely secure. Existing back-doors and security holes can be missed and software updates can introduce new vulnerabilities—vulnerabilities which malicious actors can find and exploit. Moreover, whether cloud data is available and whether it is backed up are two completely different things. If a zero-day attack or other outage ends up corrupting the primary copy of an enterprise’s cloud data, the cloud service provider’s replication tools might mean that availability copies are also corrupted. So, if an enterprise fails to plan for such an event, they could find themselves in similar circumstances to companies that were hit by malware attacks on their on-premises infrastructure in recent years, but without a secure and recoverable backup.
Know What Data Is In the Cloud
Companies in risk-averse sectors such as finance or healthcare have been at the forefront of integrating cloud recovery readiness into their data protection strategies. What they have found is, in order to be successful, they need to first make sure they fully understand exactly what data they have in the cloud. This means eliminating shadow IT practices that allow departments to spin-up cloud services without informing data protection staff. However, this needs to be done without forcing these departments to jump through so many hoops that they find themselves forced to resort to shadow IT in order to get anything done. It also means adopting automated data discovery technologies with indexing capabilities that can provide a view of an enterprise’s data—wherever it is located.