Centralized cloud storage doesn’t seem as secure as it used to. That isn’t to say that cloud storage providers like Microsoft, Amazon, and Google haven’t improved their security measures and developed world-class security teams. Rather, more sophisticated cyberattacks have had success exposing vulnerabilities of cloud storage. Centralization of your data still leads to a "honey pot" problem where attackers have an outsized incentive to attack the few places where everyone's data is. The main security risks that developers now worry about in a centralized cloud storage environment are that it creates a single point of failure, it’s susceptible to tampering, ransomware and bitrot, and it creates a broader threat surface between multiple regions. And of course, there is always the worry of human error in misconfiguration or an insider threat.
‍
This paper provides details on the most significant security risks of centralized cloud storage and offers ways to mitigate those risks with zero trust cloud storage models as the way forward to fight against security threats, and how decentralization can help you have the security of the hyperscalers without the compromise of placing your data alongside all of the other targets.

Despite the world-class security measures that centralized cloud storage providers have in place to protect data, there’s still a long list of cloud storage security risks that have resulted in data breaches. According to research by global intelligence firm IDC, 79% of companies experienced a cloud data breach over the past 18 months, with 43% experiencing ten or more breaches. The top three concerns with cloud storage security listed by the 300 CISOs included in the study were:
‍

The 2021 Verizon Data Breach Investigations Report stated that “Compromised external cloud assets were more common than on-premises assets in both incidents and breaches.“ The attacker's focus on cloud storage is understandable as data encryption at rest is not a standard offering by cloud storage providers. Data in flight is encrypted, but at rest, encryption is often an upcharge companies often don’t know about or don’t pay for— this makes cloud storage a ripe target for cyber attackers to peruse looking for misconfigurations and under-secured buckets.

The commonality among these breaches is the nature of dependency between applications and data in the cloud. Many of these breaches involved connections between partners, suppliers, or cloud products that put a secondary company at risk. No matter how great the security of one company is, it’s very difficult for them to ensure that all of their business partners and applications they interact with share that same security model. While centralized cloud storage yields incredible business benefits, it’s not a zero trust environment. And that means that there is a serious threat of data breach when utilizing cloud storage.
‍
Another frequent occurrence in these breaches is misconfiguration. Securing the data in the cloud can be overly complex or might be ignored altogether if a developer prioritizes convenience over protection. With the way that companies develop offerings as they grow, it’s understandable that the priorities for security may not be the same over time. Yet, many won’t take the time to go back and add protection measures to early projects. 
‍
Bottom line, centralized cloud storage providers do not have a zero trust architecture and don’t provide inherent security measures by default, like at-rest encryption, to keep your data protected. This places a large burden on companies to add security measures in a complex environment. Large enterprises have the resources to do this yet still make mistakes. Smaller companies often don’t have these security resources so they are even more at risk when using cloud storage—particularly if they are seen as a gateway to a larger business partner. 

As powerful and innovative as the cloud is, it’s also complex and ever-changing. From a security standpoint, this creates lots of challenges and loopholes. There have been many surveys where CISO’s are asked what their biggest security concerns are, and often the results follow what gets the most attention in the media—large-scale ransomware attacks and data breaches. But the reality is that the biggest threat to security is human error. Particularly in cloud storage where misconfiguring a cloud-related system, tool, or asset endangers the system and exposes it to a potential attack or data leak.
‍
As companies embrace hybrid or fully cloud environments, it is important to consider the top security threats for cloud storage and how to protect your data best.
‍

Zero trust is a concept founded by Forrester analyst John Kindervag in 2009 that centers on the belief that trust is a vulnerability, and security must be designed with the strategy, “Never trust, always verify.”  Kindervag developed this concept after realizing that the traditional security models weren’t working. Security strategies before zero trust operated under the assumptions that everything inside an organization’s network could be trusted, that a user’s identity is not compromised, and that all users act responsibly and can be trusted. Clearly, this was a broken model that has been proven ineffective by the thousands of breaches and cyber attacks happening every year.
‍
Zero trust, as it’s defined today, is a security framework that assumes the user and their device can’t be trusted. Zero trust in application requires user authentication, authorization, and configuration validation for access to be granted to your data or infrastructure. Fundamentally, it is about eliminating the need to put trust in your people and systems.
‍
Organizations have been rapidly implementing zero-trust security measures that require strict identity verification for every user and device when attempting to access resources on a network, even if the user or device is already within the network perimeter. Multi-factor authentication has even gone from internal networks to end-users of cloud applications. Most end users have experienced a login that requires them to input a security code texted to their mobile device. 
‍
One area where security teams have yet to implement zero trust is cloud storage. The basic premise of centralized cloud storage does not fully support zero trust as the storage providers always have access. Specifically, cloud storage providers are “trusted” in this model. Additionally, measures such as data encryption at rest are not standard features of cloud storage offerings. Ultimately, centralized cloud storage still allows for the compromise of a single entity, such as a user device or a storage system. Certainly, cloud storage offers additional security measures, such as creating air-gapped immutable copies of data, useful for disaster recovery. But centralized cloud storage is not a fully zero trust architecture.

There is a fully zero trust option for cloud object storage, which is called decentralized cloud storage. Unlike centralized cloud storage, where data is stored in a data center, decentralized storage is a system where files are stored on many different computers on a decentralized network. Because there is no defined perimeter to protect and since it’s a network of many unaffiliated entities, decentralized systems had to be architected using end-to-end, zero trust strategies.
‍
Before data gets uploaded to a decentralized network, it’s encrypted and preferably encrypted with keys that are only held by the customer, not by anybody operating the network. The data is then broken up into lots of pieces in a redundant way, either using erasure coding or replication. Each of those pieces is distributed to a different Node operated by a different person on the network. 

The decentralized model does many great things for performance and durability. But from a security perspective, it has eliminated the biggest vulnerability of centralized cloud storage—there's no centralized treasure trove of data. If a hacker wanted to get at a file, they would have to find lots and lots of different drives worldwide, compromise each one of them, which are run by different people with different security protocols, just to recreate a portion of a single file. And then they'd only have an encrypted portion of a single file. And for the next file that they wanted to compromise, they'd have to do that all over again.

The combination of erasure coding, encryption, and access management techniques takes decentralized cloud storage beyond zero trust to zero knowledge. Zero knowledge security architecture is when none of the individual storage Nodes nor the company providing the network can view the actual data. Each data chunk is erasure coded, compressed, and encrypted with private keys at the client before being stored across different nodes (not disks) in decentralized cloud storage. This effectively protects the data from bad actors directly attacking individual nodes in this network and protects against insider threats from the storage provider. 

For organizations adopting a zero trust security framework, it makes sense to extend that architecture to cloud storage. Decentralized cloud storage offers the highest possible levels of security. It allows developers to truly own their data and control its use, integrity, and access. And it's much less expensive and quite easy to use.

The same attributes that keep data secure also make data highly private. Decentralized cloud storage isn’t just securing the data; it is also securing the metadata—the data about your data. That means no partners or external actors can access metadata unless you give them permission to. This is incredibly important to developers today who are questioning the motives of centralized cloud storage providers like Amazon, Google, and Microsoft, who also have business models that feed off metadata to learn about user behavior. 

The fact that decentralized cloud storage is highly secure and highly private is a winning combination for organizations looking to comply with data protection and privacy regulations. But there are also many other benefits to this new option for object storage.

We continue to evolve security tactics and strategies to attempt to stay ahead of attackers and have come a long way thanks to the shift to zero trust thinking. Digital-first organizations now need to consider cloud storage security risks and adopt strategies and technologies that better protect their data from current and future threats.