1.1 Explain common threats against on-premises, hybrid, and cloud environments
📘 CCNP Security (350-701)
1. Data Breaches
What is a Data Breach?
A data breach occurs when unauthorized individuals gain access to sensitive cloud data such as customer records, intellectual property, backups, or logs.
How Data Breaches Happen in Cloud IT Environments
Common causes include:
1. Misconfigured Cloud Storage
- For example, an S3 bucket or Azure Blob Storage left open to “public access.”
- Attackers scan the internet for misconfigured cloud storage and download exposed data.
2. Weak Access Controls
- Lack of Identity and Access Management (IAM) policies.
- Overly permissive roles (e.g., “Storage Admin” granted to too many users).
3. Exposed Databases
- Cloud databases (e.g., MongoDB, PostgreSQL, MySQL) left without passwords or without restrictive firewall rules.
- Attackers connect to the database directly from the internet.
4. Poor Key/Secret Management
- API keys stored in code repositories.
- Cloud access tokens leaked in configuration files.
Impact of Cloud Data Breaches
- Loss of confidential information.
- Financial penalties (GDPR, HIPAA).
- Damage to organizational reputation.
- Possible takeover of cloud resources.
Mitigation Techniques
- Enforce least privilege IAM.
- Use Encryption at Rest and in Transit.
- Enable cloud security posture management (CSPM).
- Apply network access controls, such as VPC firewalls or NSGs.
- Rotate and secure API keys using Key Vaults / Key Management Services (KMS).
- Enable continuous configuration monitoring.
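The first two causes above (storage open to "public access" and overly permissive roles) are what a CSPM or configuration-monitoring check looks for. This added example, not part of the original notes, audits an AWS-style policy document for a public principal and for wildcard actions or resources; the account id in the corrected policy is a constructed placeholder.

```python
import json

# Constructed sample: a bucket policy that grants anonymous read to every object,
# the "public access" misconfiguration described above.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Corrected form: one role (placeholder account id), only the action and prefix it needs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/reports/*",
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    # Principal "*" and {"AWS": "*"} both mean "anyone", including anonymous callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and any("*" in _as_list(v) for v in principal.values())

def audit_policy(policy_json):
    """Return findings for Allow statements that are public or use wildcards."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_public(stmt.get("Principal")):
            note = "restricted by a Condition, review it" if "Condition" in stmt else "no Condition"
            findings.append(f"statement {i}: public principal, {note}")
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: wildcard resource")
    return findings
```

Run `audit_policy` over every bucket and role policy on a schedule and alert on any non-empty result; a public principal with a Condition still needs a human to confirm the condition is tight enough.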
2. Insecure APIs
Cloud environments heavily use APIs to manage services, automation, VM creation, security policies, networking, storage, etc.
If APIs are poorly designed or incorrectly secured, attackers can abuse them.
Why Are APIs Critical in the Cloud?
APIs are used for:
- Creating virtual machines
- Managing users and permissions
- Accessing storage
- Controlling firewall rules
This means that an API security failure can amount to a full environment compromise.
Common API Security Issues
1. Lack of Authentication/Authorization
- API endpoints accessible without proper OAuth tokens or credentials.
2. Exposed Management Interfaces
- Publicly exposed cloud management APIs.
- Attackers use automated tools to brute-force API access.
3. Excessive Permissions in API Keys
- API key created for automation but given admin-level access.
4. Unencrypted API Traffic
- If APIs are not using HTTPS/TLS, attackers can intercept credentials.
5. Vulnerable API Code
- Logic flaws that allow access to data belonging to different users (multi-tenant exposure).
Mitigation Techniques
- Require strong authentication, like OAuth 2.0, tokens, or certificates.
- Use API gateways for rate-limiting, validation, and monitoring.
- Limit exposure using private endpoints.
- Apply least privilege for API keys.
- Use WAF (Web Application Firewall) to protect against API abuse.
3. DoS/DDoS Attacks in Cloud
What is a DoS/DDoS Attack?
A Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack floods a cloud service with so much traffic that normal users cannot access it.
In cloud environments, DDoS attacks can target:
- Cloud-hosted websites
- Cloud APIs
- Load balancers
- Virtual machines
- Cloud gateways
How DDoS Attacks Occur in Cloud
1. Botnet-Generated Traffic
Attackers use thousands of infected devices to flood cloud applications.
2. Application-Layer Attacks (L7)
Example: sending large numbers of HTTP requests to a cloud web server.
3. Network-Layer Attacks (L3/L4)
Example: massive UDP floods targeting cloud IP addresses.
4. Resource Exhaustion
Attackers intentionally force the cloud service to autoscale, resulting in high costs for the organization.
Impact
- Service downtime
- Performance degradation
- Increased cloud billing due to scale-out
- Potential SLA violations
Mitigation Techniques
Cloud providers offer built-in DDoS protection such as:
- AWS Shield / Azure DDoS Protection
- Cloud-based WAF
- Auto-scaling with rate limits
- Load balancing
- Traffic scrubbing centers
- Blocking malicious IPs using security groups and firewall rules
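The application-layer (L7) flood described above is detected by counting requests per client over a sliding window, which is the same rule an API gateway or WAF rate limit enforces in real time. This added example, not part of the original notes, runs that check offline over constructed access-log lines (TEST-NET addresses, made-up timestamps).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common log format fields we need: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def _line(ip, second, path="/api/items"):
    # Build one constructed access-log line at 12:00:<second> UTC.
    return f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample: 203.0.113.7 sends 40 requests in 4 seconds, the shape of an
# HTTP flood; 198.51.100.9 sends one request every 10 seconds, normal use.
SAMPLE_LOG = ([_line("203.0.113.7", s // 10) for s in range(40)]
              + [_line("198.51.100.9", s) for s in range(0, 60, 10)])

def parse(line):
    """Return (ip, datetime, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), method, path, int(status)

def detect_floods(lines, window_seconds=10, threshold=20):
    """Sliding-window count per client; return {ip: peak requests in any window}
    for clients whose peak exceeds the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e[1])
    for ip, when, *_ in events:
        q = recent[ip]
        q.append(when)
        # Drop timestamps that have fallen out of the window ending at `when`.
        while (when - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}
```

The flagged addresses are candidates for the security-group or firewall blocks listed above; tune the window and threshold to the normal traffic of the service so legitimate bursts are not blocked.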
4. Compromised Credentials
In cloud environments, credential theft is one of the most dangerous threats.
Cloud credentials often include:
- IAM usernames/passwords
- API keys
- SSH keys
- Cloud admin access tokens
- Federated login credentials (Azure AD, Okta, SAML)
How Credentials Get Compromised
1. Phishing
Users are tricked into entering cloud login details into fake login pages.
2. Leaked API Keys in Repositories
- Uploaded accidentally to GitHub
- Attackers scan public repos for secrets
3. Weak Passwords or No MFA
- Password-only authentication is easily brute-forced.
4. Credential Reuse
- Same password used across multiple systems.
- If one system is breached, cloud accounts are also at risk.
5. Stolen Session Tokens
Attackers steal browser cookies or session tokens to access accounts without knowing the password.
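API keys committed to repositories appear both under Poor Key/Secret Management in the data-breach section and under Leaked API Keys in Repositories above; the defensive control is a secret scan before code is pushed. This added example, not part of the original notes, scans constructed file contents for the public AWS access key ID format and for high-entropy literals assigned to secret-looking names; the key values are AWS's published documentation examples, not live credentials.

```python
import math
import re

# Constructed file contents standing in for files about to be committed. The key
# values are AWS's published documentation examples, not live credentials.
CONSTRUCTED_FILES = {
    "deploy/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "app/settings.py": (
        'import os\n'
        'API_TOKEN = os.environ["API_TOKEN"]  # read from the environment, not hard-coded\n'
        'SESSION_COOKIE_NAME = "sessionid"\n'
    ),
}

# AWS access key IDs have a fixed public format: "AKIA" followed by 16 characters.
KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A quoted literal of 16+ characters assigned to a name that suggests a secret.
ASSIGN_RE = re.compile(
    r"(?i)\b(\w*(?:secret|token|password|api_key|access_key)\w*)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)

def shannon_entropy(s):
    """Bits per character; random key material scores well above words or placeholders."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(path, text, min_entropy=3.5):
    """Return (path, line, rule, value) for each suspected hard-coded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key_ids = KEY_ID_RE.findall(line)
        if key_ids:
            findings.extend((path, lineno, "aws_access_key_id", k) for k in key_ids)
            continue  # already reported; skip the generic check for this line
        for m in ASSIGN_RE.finditer(line):
            name, value = m.groups()
            if shannon_entropy(value) >= min_entropy:
                findings.append((path, lineno, f"high_entropy:{name}", value))
    return findings

def scan_files(files):
    """Scan a {path: contents} mapping, e.g. the staged files in a pre-commit hook."""
    return [f for path, text in files.items() for f in scan_text(path, text)]
```

A key that reaches a public repository should be treated as compromised and rotated, not just deleted from the history, which matches the key-rotation mitigation below.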
Impact
- Attackers can log in as legitimate cloud administrators.
- Unauthorized creation of VMs for crypto-mining.
- Modifying firewall rules to allow more attacks.
- Downloading or deleting cloud data.
- Disabling backups or security logs.
Mitigation Techniques
- Enforce MFA everywhere.
- Use conditional access (IP/device/location restrictions).
- Apply Zero Trust IAM principles.
- Rotate API keys frequently.
- Store secrets in Key Vault / Secrets Manager.
- Enable Identity Protection and anomaly detection.
- Use privileged identity management (PIM) for temporary admin rights.
Summary Table for CCNP Security Exam
| Threat | Description | How It Happens | Key Mitigation |
|---|---|---|---|
| Data Breaches | Unauthorized access to cloud data | Misconfigurations, exposed storage, weak IAM | Encryption, IAM, CSPM, secure storage |
| Insecure APIs | Vulnerable cloud API access | Weak auth, public exposure, excessive permissions | API gateways, strong auth, WAF |
| DoS/DDoS | Flooding cloud services to cause downtime | Botnets, L3/L4 floods, L7 HTTP floods | Cloud DDoS protection, load balancers |
| Compromised Credentials | Stolen login/API credentials | Phishing, leaked keys, weak passwords | MFA, key rotation, IAM least privilege |
Final Exam Tips
- Understand shared responsibility model → cloud provider secures the infrastructure, customer secures access, data, and configurations.
- Know how IAM, API security, and network controls apply differently in cloud than on-prem.
- Focus on how misconfiguration leads to data breaches and how stolen credentials often lead to full cloud takeover.
- Expect scenario-based questions such as:
  - “A cloud bucket becomes publicly readable — what threat is this?”
  - “API exposed without authentication — what attack can occur?”
  - “Huge spike in traffic causing autoscale — what threat is this?”
