informa
6 min read
article

Why Cloud Service Providers Are a Single Point of Failure

In a matter of days, a large-scale outage of cloud and other online services could cause $15 billion in losses.

Cloud computing has been a global megatrend for the past decade and enjoyed skyrocketing adoption, and there is no end in sight. As this transition continues, cloud services will assume a dominant position as IT innovators produce more efficient, flexible, and faster products. A forecast by analyst firm IDC estimates that total worldwide spending on cloud services will reach $1.3 trillion by 2025.

Digital transformation is happening more quickly than it otherwise might have because the COVID-19 pandemic has forced organizations everywhere to speed up their efforts and make remote working and collaboration a routine part of doing business. IT analyst firm Gartner notes that "simply put, the pandemic served as a multiplier for CIOs' interest in the cloud."

Consequently, the remote-work paradigm demands that global IP networks are constantly available and that companies safeguard their IT infrastructure and data assets from unauthorized access. However, a study conducted by insurance company Munich Re reveals that although almost everyone in the corporate world claims to be a fan of digitization, 81% of C-level respondents doubt their organization is adequately protected against cyber threats.

Systemic Risk
The use of cloud computing services is expanding, so it's no surprise that the number and complexity of cyberattacks are also on the rise. Making matters worse is the fact that the global cloud market is essentially an oligopoly with a handful of providers dominating the space, creating systemic risk.

As organizations around the world turn to the cloud, the impact of a massive cloud failure is keeping IT managers awake at night. If a major cloud service provider suffers sustained downtime, the damage inflicted on its clients and partners could generate catastrophic financial losses. To cite an example of a non-digital disaster, the fire that crippled OVH's data center in Strasbourg, France, caused more than $120 million in damages, affected more than 65,000 customers, and knocked off some 3.6 million websites worldwide. Another area of concern sits within the content delivery network space, where the centralization of Internet traffic in the hands of a few large providers can result in wide-ranging outages.

Denial of Service
There are multiple ways to attack a cloud service provider (CSP), and some of them combine multiple attack techniques (e.g., a distributed denial-of-service, or DDoS, attack, with malware and a ransom demand thrown in for good measure). As the name suggests, DDoS attacks are breaches designed to render resources or systems unavailable to users, often by bombarding them with excess traffic via botnets. Such attacks can result in crashes or error messages that leave servers inoperable. The reasons for launching these attacks vary. High-profile DDoS attackers like Armada Collective have employed this technique to extort banks and other institutions, but even a garden-variety hacker wannabe can purchase an attack for as little as $1 a minute and wreak online havoc.

DDoS attacks aren't new, but they have evolved in complexity and grown in size. The website of the US Department of Homeland Security (DHS) states that "over the past five years the scale of attacks has increased tenfold. It is not clear if current network infrastructure could withstand future attacks if they continue to increase in scale."

Usually, before a major attack, the adversaries unleash a small-scale demonstration attack against the target entity's services. Recently, attackers have started to claim they're affiliated with state-sponsored advanced persistent threat groups such as Fancy Bear and Lazarus to reinforce their ransom demands. Refusing to pay is a gamble. Sometimes, the promised big attack doesn't happen, but the threat actors might follow through. As reported by the BBC, a DDoS attack on the New Zealand Stock Exchange caused an outage that lasted for several days.

Up to $15 Billion in Losses Within Days
The downside of a huge cloud uptake is that the providers turn into a single point of failure. While the losses associated with the disruption of a CSP vary and depend on how long downtime lasts, the consequences can be significant. In 2018, Lloyd's of London estimated that a cyber incident that takes out a top-three cloud provider in the US for three to six days would result in financial damages between $6.9 billion and $14.7 billion and between $1.5 billion and $2.8 billion in industry-insured losses. Fortune 1000 companies will bear 37% of the ground-up losses and 43% of the insured losses arising from a three- to six-day downtime event. And remember, these are 2018 numbers. Adoption of loud computing has skyrocketed since then, so the numbers probably have risen, too.

FBI: Cyber Threats up 300%
Because of the pandemic, an unprecedented volume of Internet traffic has led to as much as a 300% rise in cyberattacks, as reported by the FBI. Meanwhile, Europol's IOCTA 2021 report, law enforcement, and the private sector are seeing a resurgence of DDoS attacks combined with ransom demands, and more high-volume attacks compared with the previous year. Cybercriminals have been hitting Internet service providers, financial institutions, and small and midsize businesses, public institutions, and critical infrastructure.

Going Forward
With increased reliance on IT services and real-time connectivity comes vulnerability to cyber threats. The interdependence of IT infrastructures spans sectors and industries, involves virtual and physical spaces, and crosses national boundaries.

Despite all the benefits that come along when utilizing the cloud, there's a downside too. With the providers growing in size and dominating the market, they become a single point of failure and turn into prime targets for cyber actors, including hostile nation-states. A successful attack on a single vulnerable entity could disrupt or destroy multiple vital systems in the host country and cause ripple effects around the world. Such a supply chain attack can cause heavy spillover effects toward downstream clients, as seen in the recent Kaseya attack.

Organizations must be aware that the cloud remains a shared responsibility model. There are gray areas and limitations of the shared responsibility model, especially when it comes to infrastructure-as-a-service deployments. Moreover, the end user's risk exposure can be minimized by leveraging multiple availability zones of any given CSP, and by embracing a multivendor strategy across multiple CSPs. Additional independent security layers should be used where appropriate to ensure that no single point of failure is present. Cloud computing is here to stay, but so is cybercrime.