Cloud Computing Risks Writeup

Policy and Organizational Risks

A mid-sized healthcare company migrates its patient records system to a proprietary cloud platform, deeply integrating with the vendor's custom APIs and data formats. Two years later, the vendor announces a 40% price increase, and the company discovers that migrating away would require a full system rebuild, effectively locking them in. This is a provider lock-in scenario further affected by compliance pressure, since HIPAA obligations mean they also cannot afford gaps in service during any transition.

General Risks

A regional bank moves its core transaction processing to a major cloud provider, moving all of it's infrastructure that was previously distributed across three on-premises data centers. When the cloud provider experiences a widespread regional outage, the bank's entire customer-facing system goes down simultaneously, a failure mode that would have been isolated to one location before consolidation. The bank now has less direct control over the technical risk that caused the outage and must wait on the provider to remediate.

Virtualization Risks

A DevOps team at a SaaS company routinely takes VM snapshots before major deployments, storing them indefinitely in an internal image repository without access controls. An attacker who gains read access to the image store finds that several old snapshots contain hardcoded database credentials and unencrypted customer PII eg. sensitive data that was never considered after the snapshots were "archived." This is a direct consequence of snapshot security neglect and VM sprawl.

Cloud-Specific Risks

A company's cloud administrator account is compromised through a phishing attack, giving the attacker full access to the cloud management console. From there, the attacker spins up hundreds of compute instances for cryptomining, deletes production databases, and modifies security group rules all before the breach is detected. Because the management plane controls the entire infrastructure, a single credential compromise cascades into a company-wide incident.

Legal Risks

An e-commerce startup stores customer payment and personal data with a global cloud provider whose storage nodes span the US, EU, and Southeast Asia. When the company attempts to achieve PCI-DSS and GDPR compliance, they discover they cannot guarantee that EU customer data remains within EU borders, nor can they obtain sufficient audit evidence from the provider. The lack of jurisdictional control puts them at risk of regulatory fines and potential legal liability.

Non-Cloud-Specific Risks

A cloud-hosted application is breached not through any cloud-specific vulnerability, but because an administrator reused a default password on a management portal that was exposed to the internet. A threat actor discovers the portal through routine scanning, logs in with the default credentials, and exfiltrates weeks of application logs. This is a fundamental security hygiene failure that would have been just as dangerous in an on-premises environment.