Risks in Cloud Computing – Security, Privacy & Compliance
Your photos on Google Drive, work files on Dropbox, money transactions via PhonePe - all in the cloud. But what if someone hacks the cloud? Let's explore the dark side!
Major Cloud Security Risks
Loading stats…
1. Data Breaches
Problem: Unauthorized access to cloud-stored data
Famous Breaches
Loading case study…
Other Major Breaches
1. Dropbox (2012): 68 million passwords leaked 2. iCloud Celebrity Hack (2014): Private photos of celebrities leaked 3. Microsoft Azure (2023): Exposed 38 million records due to misconfigured database
Cause: Weak passwords, misconfigurations, unpatched vulnerabilities
2. Data Loss
Scenarios:
A. Accidental Deletion
- Employee deletes critical files
- If no backup → permanent loss!
B. Provider Shutdown
- MegaUpload (2012): FBI shut down file-hosting service
- 50 million users lost all data overnight!
C. Natural Disasters
- OVH Data Center Fire (2021, France):
- Entire data center burned
- 3.6 million websites went offline
- Customers without backups lost EVERYTHING
D. Ransomware on Cloud
- Attackers encrypt cloud files
- Example: Code Spaces (2014) - ransomware destroyed AWS backups, company shut down permanently
Mitigation: 3-2-1 Backup Rule
- 3 copies of data
- 2 different storage types
- 1 off-site/offline
3. Account Hijacking
How it happens:
- Phishing → Steal cloud credentials
- Weak password (password123)
- Credential stuffing (using leaked passwords from other sites)
Example:
Hacker gets your Gmail password from LinkedIn breach
Uses same password on Google Drive
→ Access to ALL your docs!
Impact:
- Spy on emails, files
- Use account for illegal activities
- Sell access on dark web
Prevention:
- 2-Factor Authentication (2FA)
- Unique passwords for each service
- Password manager (LastPass, 1Password)
4. Insecure APIs
API (Application Programming Interface) = How apps talk to cloud
Problem: Many cloud services have weak APIs
Example:
- Facebook Graph API (2018): Allowed apps to access friend data without consent
- Cambridge Analytica exploited this → 87 million profiles scraped
Risk:
- Unauthorized data access
- DDoS attacks on cloud service
- Injection attacks
5. Insider Threats
Types:
A. Malicious Insider
- Employee steals customer data
- Example: Infosys employee leaked client code to competitor
B. Careless Insider
- Accidentally shares confidential file publicly
- Example: Tesla employee shared production secrets on personal email
C. Cloud Provider Insider
- AWS/Google employee accessing customer data
- Rare but possible
Loading comparison…
6. Lack of Visibility & Control
Problem: "I don't know where my data is!"
Shadow IT
- Employees using unapproved cloud services
- Example: Engineer uses personal Dropbox for work files → Company has no control
Multi-Cloud Chaos
- Company uses AWS + Google Cloud + Azure + private servers
- Challenge: Who's responsible for security?
No Audit Trails
- Can't track who accessed what, when
- Compliance issues for GDPR, HIPAA
Privacy Risks
1. Data Residency
Problem: Your data might be stored in another country
Example:
- Indian user's WhatsApp data on Irish servers
- Government wants data for investigation
- Jurisdiction conflict: Irish law vs Indian law
Solution: Data Localization Law
- India mandating companies store Indian users' data IN India
- Payment data (RBI mandate): MUST be stored in India
2. Government Surveillance
USA PRISM Program:
- NSA accessed data from Microsoft, Google, Facebook servers
- No warrant needed (under FISA)
India:
- IT Act Section 69: Government can demand data from any intermediary
- Pegasus spyware controversy (2021): Government allegedly used it to spy on citizens
3. Data Mining by Providers
Free services aren't free!
- Gmail: Scans emails for targeted ads
- Google Drive: Analyzes docs to improve AI
- Dropbox: Can access files (in terms of service)
You don't own your cloud data - Provider does!
Compliance Risks
Regulations Cloud Providers Must Follow
1. GDPR (Europe)
- Strict data protection
- Right to be forgotten
- Fines: Up to 4% of global revenue!
2. HIPAA (USA - Healthcare)
- Medical records protection
- AWS, Azure offer HIPAA-compliant services
3. PCI-DSS (Payment Card)
- Credit card data security
- Example: Stripe
uses AWS but MUST comply with PCI-DSS
4. India's Data Protection Act 2023
- Data localization
- Consent requirements
- Data Protection Board enforcement
Compliance Challenges
Multi-Tenancy Issue:
- Problem: Your data shares servers with others
- If neighbor's data breached, yours might be too
- Solution: Isolation, encryption
Audit Difficulties:
- How to audit cloud provider?
- Shared responsibility model: Provider secures infrastructure, YOU secure data
Risk Mitigation Strategies
1. Encryption
- Data at rest: Encrypt before uploading
- Data in transit: HTTPS/SSL
- End-to-end: Only you have decryption key (WhatsApp model)
Example: Even if Dropbox hacked, encrypted files are useless to hacker!
2. Access Control
- Least privilege: Give minimum necessary access
- Role-based: Employee sees only what they need
- Regular audits: Who has access to what?
3. Multi-Factor Authentication
- Password + OTP + Biometric
- 99.9% effective against account takeover
4. Regular Backups
- Automated daily backups
- Offline/air-gapped backups
- Test recovery process
5. Security Monitoring
- SIEM tools: Monitor all cloud activity
- Detect anomalies (login from unusual location)
- Incident response plan
6. Vendor Due Diligence
Before choosing cloud provider:
- Certifications: ISO 27001, SOC 2
- SLAs: Uptime guarantees (99.9%+)
- Data location: Where is data stored?
- Breach history: Has provider been hacked before?
Shared Responsibility Model
Loading diagram…
Summary
- Major risks: Data breaches (2,200+ in 2023), data loss, account hijacking, insider threats
- Famous breaches: Capital One ($80M fine), Dropbox (68M passwords), OVH fire (3.6M sites)
- Privacy concerns: Data in foreign country, government surveillance, provider mining data
- Compliance: GDPR, HIPAA, PCI-DSS, India Data Protection Act 2023
- Mitigation: Encryption, 2FA, backups, monitoring, vendor due diligence
- Key stat: 65% breaches from misconfiguration (human error!)
- Shared responsibility: Provider secures infrastructure, YOU secure data
Quiz Time! 🎯
Loading quiz…
🎉 Congratulations! You've completed the Cyber Law course!