The Cost of Cloud
A Civo white paper looking into the complexity of cloud costs
for businesses and alternatives beyond the hyperscalers.
Time and again, we see businesses using hyperscalers face damaging security breaches, with hyperscaler complexity a big factor. This complexity routinely contributes to end users misconfiguring their cloud infrastructure, exposing weaknesses in their security.
Yet our research showed that 51% of enterprises still believe that alternative cloud providers outside the Big Three are less secure.
Let's explore a few of the recent data breaches that have impacted users of hyperscalers:
Pfizer Google Cloud breach - October 2020
One of the foundational principles of modern healthcare is that patients give their data to providers on the understanding that they will keep it safe. In 2020, however, pharmaceutical giant Pfizer faced a nightmare. Researchers revealed that Pfizer had exposed the personal records of hundreds of prescription drug takers for over two months. The information (recorded in transcripts between users and the firm's interactive voice response software) included personal details like full names and home and email addresses, along with partial details on an individual's health status.
The cause of the breach? A misconfiguration in a Google Cloud Storage bucket had left the data exposed and potentially accessible to bad actors.
Cosmolog Kozmetik AWS breach - June 2021
The rise of eCommerce, particularly during the pandemic, has driven a huge acceleration in firms rolling out digital shopping experiences for customers. Many of them rely on cloud infrastructure provided by hyperscalers. This new world poses significant security challenges. In 2021, it was revealed that Turkish beauty products firm Cosmolog Kozmetik had exposed data on 567,000 unique users through a misconfigured Amazon S3 bucket. The 20GB file included a raft of personal information, ranging from customer full names to physical addresses.
Microsoft Azure 'ChaosDB' vulnerability - October 2020
In 2021, Microsoft Azure faced “the worst cloud vulnerability you can imagine”. Researchers discovered a flaw in Microsoft Azure's Cosmos DB database. With the flaw, dubbed the 'ChaosDB' vulnerability, researchers found that they were able to access keys that were intended to control access to databases used by thousands of companies on Azure. In effect, this meant a hostile actor could view, edit and even delete a database. After being warned by the research team, Microsoft fixed the problem.
Fundamentally, the lesson here is that bigger is rarely better when it comes to choosing a cloud provider. The additional complexity involved in securing public cloud endpoints using the hyperscalers is an ongoing security risk for businesses. We see the cost of this time and again with the recurrent data breaches caused by simple misconfigurations of services like Amazon S3 or Microsoft's Azure Container Instances.
Hyperscalers have lots of unnecessary complexity and more moving parts in their offerings, increasing the chance of issues or bugs for users. In addition, the footprint of hyperscalers across an unwieldy number of products and regions creates a far greater attack surface for bad actors to exploit.
Dashboard and tooling complexity is also a persistent concern when using hyperscaler services. Users often become bogged down coordinating the complex array of services offered, leaving easily solved security vulnerabilities or misconfigurations lingering unaddressed.