What to do if your public cloud is breached


It's tempting to think that public cloud services are immune to data breaches, but unfortunately this isn't the case. Whether it's a large-scale hack affecting multiple customers or a targeted attack on your business, attackers can get at your data no matter where it is.

Averting this sort of incident means having good security in place from the start. But if the worst should happen and a breach occurs, what should an organisation do in the immediate aftermath?

The initial breach

The first thing is to figure out what was actually compromised. Were the affected systems or applications the ones holding critical information, and is that information company critical (for example, intellectual property) or sensitive/regulated (personally identifiable information, payment card information and so on)?

"If it's PII or PCI information, then you need to work out who (which individuals) are impacted and which categories of individual, such as employees, customers or partners. Depending on the outcome of the initial investigation, this determines who should be notified," says Guy Bunker, senior vice president of products at Clearswift. He adds that companies should have a cyber breach plan in place which lays out the steps required to deal with a cyber breach, including the all-important communication plan.


If you believe your public cloud has been hacked, the first port of call should be the cloud provider; they may well have protective monitoring capabilities that will be invaluable moving forward.

The incoming General Data Protection Regulation (GDPR) makes it quite clear that "Data controllers are required to report a personal data breach to the competent Supervisory Authority (SA) without undue delay and, where feasible, not later than 72 hours after becoming aware of it."

"Depending on the nature of the hack/breach, the police should also be contacted," says Lawrence Munro, worldwide VP at Trustwave SpiderLabs.

As far as initial notification goes, senior leadership of the organisation should be notified immediately, as should legal counsel, says John Bambenek, manager of threat systems at Fidelis Cybersecurity. "They should have already established contacts with the cloud provider so they can begin working with them, as necessary, to help remediate the breach."


The strategy a firm has in place for a breach of its public cloud is broadly the same as for any other type of breach. However, there is one complicating factor: much of the infrastructure and evidence is in the hands of the provider, not the victim organisation.

"This makes the preparation phase crucial; the end-user organisation must understand what their limits are in responding to a breach and develop a plan to respond within those constraints," says Bambenek.

"If access needs to be negotiated during a breach, precious time is lost that could have been spent containing the damage. Having responders trained in the nuances of cloud forensics is also important as there are key differences in how those situations are handled."

Boundaries of responsibility are one common point of confusion. Typically, cloud providers manage the security of the infrastructure they provide to organisations, and it's the responsibility of each organisation to ensure the security of the applications and data they put into these cloud services, according to Greg Day, VP and chief security officer for EMEA at Palo Alto Networks.

"Some provide additional value-add security services, either as a cost or as a value-add. Be clear on where the boundaries of responsibility lie so you understand what and where security controls are being applied, otherwise you leave gaps in your security defences," he says.

The role of the public cloud provider

A public cloud provider should be accountable for the security of any data that is stored in its environments and provide a safeguard against a successful attack, says Terry Storrar, director of managed services at MCSA.

"It's important that providers are transparent and open about the risks of their public cloud offering so that an organisation can decide if it's viable for them," he says.

"Big providers will have much more exposure to multiple security threats and, therefore, they should be advising clients proactively of any process or systematic changes which might help prevent a breach."

Rich Campagna, CEO at cloud security company Bitglass, says that under the shared responsibility model of cloud security, public cloud vendors' role is to protect their infrastructure and applications so that customers can use them without worrying about fundamental security flaws.

"Responsibility for data stored in these applications and for access to that data, however, falls to the organisation; for example, preventing unauthorised data access resulting from credential compromise. Vendor involvement in a breach usually occurs when weaknesses in underlying infrastructure are exploited - Amazon would likely take remedial action if it were hacked in a way that exposed AWS customers," he adds.

The aftermath

Following the clean-up operation, what should an organisation do in the aftermath? David Boardman, senior product manager at Skybox Security, says that a complete top-down analysis of the breach will help to show how the breach occurred and whether it was an anomaly, a lack of security policy or a broken process. Additionally, post-mortems help to improve the overall integrity of the security programme.

"Tools should then be introduced to improve end-to-end visibility, segmentation, threat intelligence gathering and risk management. Tools that can help identify vulnerabilities throughout your hybrid infrastructure and current exploits in the threat landscape are a must," he says.

Boardman says that looking back at artefacts of the attack, such as indicators of compromise, only goes so far in a constantly changing threat landscape and an environment as dynamic as a public cloud.

"Organisations also need to be examining their indicators of exposure: early warning signs of where an attack is most likely to occur. These include exposed vulnerabilities or those with active or available exploits, as well as insecure device configurations and risky access rules. Having insight into these types of security issues will enable a more proactive, holistic approach to security management," he adds.

Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, says it's essential for businesses to grow and learn from the past.

"While they may survive the reputational damage of one data breach, two may be the final nail in the coffin," he says.

Hawthorn adds that organisations should define policies for users to improve security and reduce the impact of any breach, and should ensure users are aware of the trusted and recommended cloud services, which may help reduce the use of untrusted services. "They can deploy technologies such as SSO and MFA to reduce potential problems."


Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives.