Your company has moved its most critical data to the cloud. You have a well-established security infrastructure, firewalls, multi-factor authentication, and you're keeping an eye on the security metrics that matter. However, there's a gap in your defense that most IT departments tend to ignore.
Clearly, these aren't the cloud providers' doing. High-quality cloud providers and storage solutions spend a fortune in developing cutting-edge security solutions and controls around their systems, which is why it often falls to organisations to manage and maintain how the cloud is used and protected.
Let's see what threats cloud storage security brings and how to handle them.
Permission Creep
All organizations start with the best intentions: they grant access to their cloud accounts to new employees who need it. So far, so good. But after 6 months, when the person switches departments, his access to the cloud storage remains unchanged.
That pattern continues throughout the average company for over 18 to 24 months. At some point, people have access to the data that they no longer need:
- A marketing person can download documentation related to engineering.
- The finance department is still holding credentials for budgets.
It may not be a malicious practice, but it poses significant risks in case of any security incident.
In case of a compromised cloud account, an attacker gets all these permissions and visibility to customer data, proprietary algorithms, budget details, and other sensitive information.
The biggest oversight is that many IT departments treat their cloud storage infrastructure differently from the on-premises infrastructure.
If you would allow file server access to someone that no longer needs it, you would take appropriate measures. But in the case of cloud storage, many organizations tend to overlook such permission problems.
Lack of Audit Logging
There's another aspect that is often overlooked by the teams in charge of cloud storage security – the audit logging.
Let's imagine a scenario where somebody starts downloading 50,000 files in the middle of the night.
It does get logged, right? But if you're not tracking these logs and setting alerts for suspicious activities, you will discover the breach only after several months.
That's not because of inability – it's a problem of scale.
Every busy company gets tons of logs daily: millions of logs per week. Detecting real threats here requires an automated system or special employees.
Moreover, the default logging settings offered by most cloud service providers are not enough.
Cloud platforms log all actions, but they don't track any strange patterns or keep logs for longer to conduct a thorough investigation.
Encryption of Data at Rest and in Transit
There are cases when IT departments understand what should be done regarding encryption, but they assume that everything is already being taken care of by the cloud provider.
Major cloud storage services provide a lot of encryption services, but the responsibility is divided here.
They provide you with encryption for the data that is stored on their infrastructure. But the keys that allow you to decrypt that information are still in your hands.
While it means that even the provider can't access your data, losing these keys or mismanaging them leads to another kind of disaster.
More often, many organizations neglect the step of encrypting the data before uploading it to the cloud.
Employees upload the files via convenient file sync services or a web interface. Thus, while these files get encrypted by the cloud provider later, there's a period when they get unprotected.
Moreover, the copy of your encryption keys in possession of the cloud provider can be accessed by many kinds of cyberattacks.
And it concerns the regulatory requirements.
For example, HIPAA, PCI-DSS, and other data protection regulation frameworks have their own encryption requirements that are interpreted differently by companies in the cloud environment.
The specific actions that many IT departments oversee:
- End-to-end encryption of sensitive data categories
- Encryption key rotation
- Encryption key backups
- Key recovery test procedure
Shadow Cloud Services
There's been a threat of shadow IT for many years, and cloud storage services made it much worse.
Employees want to collaborate effectively.
When the solution chosen by the company is inefficient or incompatible with their workflow, they start looking for alternatives:
- Personal file synchronization services
- Different collaboration software that includes file sync service
- Separate customer portals where salespeople exchange documents
All these services look innocent, but the thing is that they are not covered by your:
- Backup procedures
- Retention policies
- Compliance frameworks
- Security controls
Moreover, in many cases, shadow cloud storage services provide users with a better experience than official ones.
Limiting access to these services doesn't help: they will still choose the shadow service.
The major mistake that many IT departments make is that they treat shadow services as a problem itself, not as a symptom of a greater issue.
Perhaps, your cloud storage solution doesn't meet all the needs of your organization.
It's essential to investigate this matter.
Lack of Disaster Recovery and Backup
The company probably has backup procedures in place.
But it's not enough for cloud storage – there are some situations when standard backup procedures aren't effective anymore.
First of all, many organizations assume that the redundancy provided by the cloud provider is enough.
Indeed, major cloud platforms make backups of their infrastructure in multiple data centers. It helps to survive infrastructure failures.
But how about:
- A ransomware attack that encrypts all your data on the cloud?
- Accidental data deletion?
- The need to restore your data due to a compliance hold?
All these situations require backup procedures that are independent of your cloud storage accounts.
Your company needs separate and offline backup solutions.
But many IT departments think that the redundancy provided by the cloud platform is enough.
Secondly, there's an issue with the retention period of deleted data.
Typically, cloud storage keeps backups of deleted data for a certain period of time before deleting them permanently.
But this retention period is too short in many cases or is not configured at all.
Finally, organizations tend to forget about testing disaster recovery procedures.
You have backups in place, but if you haven't tested them yet, you wouldn't know whether they work in real-life situations or not.
Testing takes lots of time; it doesn't produce results immediately, and so many organizations put it off forever.
Then, when the company actually needs to restore the lost data, it finds out that it's impossible.
Compliance Failures in Cloud Environment
Regulatory frameworks, such as GDPR, CCPA, and HIPAA, get complicated in cloud environments.
But many IT departments still think that cloud storage is just a neutral infrastructure, and compliance procedures will work the same way.
One of the problems with compliance is data residency.
Many regulations require specific data to be stored in certain geographic regions.
Using cloud storage makes global synchronization of files easy, but it doesn't comply with regulations.
For example, your backup solution can sync data automatically with the wrong geographic region, making you a violator of the regulations.
Also, many regulations require providing data subjects with particular rights regarding their personal data, including the right to deletion.
In a cloud environment, where data replication and versioning occur, it becomes much more difficult to implement the process.
There are other compliance problems, for example, the need for data governance.
Organizations should know:
- All their data
- Where it is stored
- Who can access it
- The retention period
But in the cloud environment, there's usually a lack of:
- Data classification
- Retention policies
- Strict access control measures
Your Way Ahead
Cloud storage can bring significant benefits to modern companies.
The security threats described above are not reasons to avoid using this technology.
Instead, they should make you take the right approach to the cloud infrastructure.
Start with an audit of the current state of your cloud storage.
Then, based on the risks assessment, you should fix the problems.
First of all, you should pay attention to permissions management: it is the key for cloud storage security.
You should also:
- Implement audit logging and monitoring
- Enforce encryption standards
- Eliminate shadow services
- Build disaster recovery and backup solutions
- Solve problems with compliance requirements
Most of these measures can be implemented without special, expensive tools and large budgets.
The thing is that you should treat cloud storage as a solution that requires ongoing management, and not as a "set it and forget it" technology.
Your team has plenty of experience with the security of IT infrastructure, permissions management, backup and compliance procedures.
Cloud storage is not a new technology that requires a completely new approach to security.
Organizations that succeed in using cloud storage infrastructure treat it this way.
Take action now and identify the first threat from this article that is relevant to your organization.
Make a plan to fix it and proceed to the next one.
In several months, you will transform your cloud storage security from liability into asset.

