Causes and Countermeasures for Information Leaks in Cloud Services
Date: 2022.11.28.
Cloud services are increasingly being used with the introduction of telework by companies. Being able to centrally manage data on the cloud and access it from anywhere has led to its adoption by many companies.
However, despite the convenience of cloud services, some people may be concerned about security and the risk of information leaks.
This article explains the causes of information leaks in cloud services, actual cases that have occurred, the division of responsibilities between users and cloud providers in cloud services, and measures to prevent information leaks.
Table of Contents
- What are the Causes of Information Leaks in Cloud Services?
- Cases of Information Leaks in Cloud Services
- Responsibility Branch Points in Cloud Services
- Measures to Prepare for Information Leaks in Cloud Service Implementations
- Summary
1. What are the Causes of Information Leaks in Cloud Services?
Information leaks in cloud services can be caused by cyber attacks, system failures, human configuration errors, unauthorized logins, and more. Understand the causes and collect information during pre-implementation planning and review the current situation.
1-1. Information Leaks Due to Malicious Cyber Attacks
There is a possibility of information leakage due to external cyber attacks on the servers of the cloud service provider being used. In this case, the cloud service provider needs to take the latest security measures.
Users cannot take direct measures, but they should take measures to prepare for information leaks, such as taking data backups, and carefully consider the level of information to be stored in the cloud.
1-2. Data Loss Due to Failures or Disasters in Servers and Data Centers
Data may be lost due to system failures or equipment failures due to natural disasters in servers and data centers. System failures may occur due to system modifications and maintenance by the cloud service provider, and data loss may occur due to equipment failures or damage due to natural disasters such as earthquakes and fires.
System failures and natural disasters cannot be said to never occur. Therefore, consider data backup methods and alternative cloud services in preparation for data loss.
1-3. Public Disclosure of Access Restriction Information Due to Cloud Configuration Errors
There is a possibility that confidential information may be made public due to human configuration errors in the cloud service being used. With cloud settings, it is possible to set authority management and access control to set the range that can be viewed by each person.
If someone without knowledge of cloud services or security makes a mistake in setting, there is a risk that anyone on the Internet can view confidential information. Provide training to cloud service administrators and personnel to increase their knowledge.
1-4. Unauthorized Login Due to Information Leaks of User Accounts
If the user account of the cloud service you are using is leaked, you will be logged in without permission, leading to information leakage. User account leaks include virus infection when opening links in suspicious emails, reusing user accounts, and peeping at logins outside the company.
Therefore, take measures such as setting up spam filters to prevent suspicious emails from arriving, introducing security software, and setting individual passwords for each service for user accounts.
2. Cases of Information Leaks in Cloud Services
Here are some examples of information leaks that have actually occurred in cloud services.
Let’s learn from actual examples what caused the incident and how far the impact range was.
| Company | JTB Corporation |
|---|---|
| Cause | Incorrect setting of individual access rights to data stored in the cloud service |
| Case Details | JTB used a cloud service with limited login privileges for the relevant parties for the purpose of sharing information with the Tourism Agency and businesses (indirectly subsidized businesses) that apply for and apply for this project, in order to carry out the “Creation of Profitable Signboard Products for Local Areas Utilizing Unique Tourism Resources” project implemented by JTB as a subsidized business of the Tourism Agency. During the operation of the cloud service, it was discovered that information leakage had occurred between indirectly subsidized businesses with login privileges due to incorrect setting of individual access rights to the stored data. The specifications should have been such that the indirectly subsidized businesses to be applied for could not access anything other than their own application forms, but due to incorrect setting of individual access rights to the data stored in the cloud service, application documents and grant applications for this project, including personal information of business operators, were accessible to each other by indirectly subsidized businesses with login privileges. |
| Impact | Information leakage of application forms from 1,698 businesses, and personal information of up to 11,483 people, including application businesses and their partners |
| Recurrence Prevention Measures | Thoroughly strengthen the access permission setting check system and business management system |
3. Responsibility Branch Points in Cloud Services
Cloud services have a “user side” and a “provider (cloud provider) side,” and it is important to note that the scope of responsibility differs depending on the service. Here, we will explain the scope of responsibility in cloud services.
3-1. What is a Responsibility Branch Point?
A responsibility branch point is a boundary line that defines the extent of responsibility for the user and the cloud provider.
There are three types of cloud services: “IaaS,” “PaaS,” and “SaaS.”
Users may be responsible depending on the type of cloud service, so be careful. It is too late to check the scope of responsibility after a problem occurs in the cloud service being used, so check the scope of responsibility in advance.
3-2. IaaS
IaaS is a service that allows you to use only infrastructure functions such as storage, CPU, and memory. It is used when you want to develop your own applications but do not have a place to set up servers.
The responsibility branch points for IaaS are as follows:
<User Side>
Data, Applications, Middleware, OS
<Cloud Provider>
Virtualization Infrastructure, Hardware
Users are responsible for any failures caused by applications or middleware.
3-3. PaaS
PaaS is a service that allows you to use a platform for developing applications. Since the OS and middleware are provided by the cloud provider, users can focus on application development.
The responsibility branch points for PaaS are as follows:
<User Side>
Data, Applications
<Cloud Provider>
Virtualization Infrastructure, Hardware, Middleware, OS
Users are responsible for the applications they develop.
3-4. SaaS
SaaS is a service that allows you to use applications provided by a cloud provider. Users can use the service by preparing the application settings and their own data.
The responsibility branch points for SaaS are as follows:
<User Side>
Data
<Cloud Provider>
Virtualization Infrastructure, Hardware, Middleware, OS, Applications
Users are responsible for application configuration errors and data management.
4. Measures to Prepare for Information Leaks in Cloud Service Implementations
Measures to prevent information leaks when implementing cloud services include:
Formulating telework work rules, selecting backup methods, vulnerability countermeasures, developing processes to prepare for information leaks, training security personnel, and introducing security software.
Let’s check each measure to prevent information leaks.
4-1. Formulation of Telework Work Rules
With the introduction of cloud services, information can be accessed from outside the company, such as telework. While there are benefits to being able to use the service anywhere, the risk of information leaks increases due to being able to use it anywhere.
If you do not have telework work rules, there is a possibility that an employee working in a cafe may be peeped at and information leaked. Setting rules that restrict the location to home or co-working spaces when using it outside the company is one way to prevent information leaks.
4-2. Distribute Backups to Hard Disks and the Cloud
Let’s take regular backups of cloud data. By taking backups frequently, it is possible to minimize damage in the event of data loss.
If backups are only taken on the cloud service, there is a possibility of data loss due to cloud service failures or administrator errors. By taking backups on a hard disk as well, you can reduce the impact on business even if cloud data is lost.
Also, by setting a backup retention period, you can reduce the pressure on the capacity of cloud servers and hard disks.
4-3. Take Action When Vulnerabilities in OS and Apps are Discovered
Information leaks can also be caused by vulnerabilities in OS and applications. If there are vulnerabilities, there are various risks, such as infection with malware and other viruses, leakage of files and password information in the computer, and spam emails being sent in large quantities, which slows down the computer and makes it unusable.
To avoid risks, we recommend that you regularly perform vulnerability diagnostics and virus scans, and consider introducing security software.
4-4. Process Improvement in Case of Information Leakage
If information is leaked, companies are required to respond quickly. Under the revised Personal Information Protection Act, which came into effect in April 2022, businesses handling personal information are required to report when personal information is leaked.
Companies are required to improve not only information leak countermeasures but also processes up to the reporting deadline.
First, check the level of information leakage that requires reporting, and check the reporting deadlines for both the “preliminary report” and the “final report” that are subject to reporting obligations. Next, you need two axes: the internal reporting route and the route to the Personal Information Protection Commission. By establishing a reporting route, you can respond quickly.
4-5. Security Staff Training
The cause of information leaks was the configuration errors of cloud services by the person in charge. Information leaks can occur due to a single mistake in operation. The causes of configuration errors include a lack of understanding of cloud services and a lack of knowledge related to security.
Therefore, providing training to security personnel can prevent information leaks such as configuration errors. To understand cloud services, you can supplement your lack of knowledge by having the service provider you are using hold seminars or having the sales representative set up briefings, or by participating in security-related training.
4-6. Introduction of Security Software
We recommend introducing security software to prevent information leaks. By introducing security software, you can protect against malware infections and block access to suspicious sites.
People will inevitably open links in suspicious emails at times, so you can rest assured by introducing security software.
When introducing security software, it is important to check that it is easy to introduce and that the user interface is easy for anyone to operate. Introduce security software that can be used even by personnel without specialized IT knowledge.
Summary
This article explained the causes and countermeasures for information leaks in cloud services, and actual cases that have occurred.
If you are considering implementing cloud services, consider which operations and data to cloudify. If you have already implemented cloud services, please double-check whether there are any omissions or vulnerabilities in your current countermeasures.
If you do not have an information systems department in your company, why not introduce security software that protects your company’s information from the latest malware and other viruses? Among them, we recommend software that is easy to install and has a user interface that is easy for anyone to use.
For inquiries, please contact globalsupport@jiran.com
