InfoGuard Cyber Security and Cyber Defence Blog

Secure Cloud Computing: How to Avoid Compliance Violations

Written by Michael Fossati | 10 Feb 2025

But what happens if data ends up being stored outside Switzerland or the European Union due to a configuration error? What steps can be taken to prevent such unintentional violations of Swiss or European data protection law (nDSG, GDPR)? We’ve analysed the causes of known compliance violations and investigated why cloud providers alone cannot guarantee full compliance.

A closer look at the most common stumbling blocks

Compliance violations in the cloud can have various causes: incorrect configurations, inadequate access controls and human error (all areas that, under the shared responsibility model, fall to the customer organisation rather than the provider), to name but a few.

An overview of notable examples, including an analysis of the cause, is provided below:

Cause: Misconfiguration of security systems
Problem: A misconfiguration of the security systems allowed unauthorised access to phone numbers and personal data of millions of users due to incorrectly configured access rights in the database (Facebook 2019).
Analysis: The main cause was the incorrect configuration of access rights – i.e. human error.

Cause: Data scraping*
Problem: A software developer extracted information about millions of users from the Alibaba website due to inadequately protected API access (Alibaba 2019).
Analysis: Inadequate implementation of rate limits and access controls made this scraping possible.
Problem: Data of millions of LinkedIn users was extracted from publicly accessible profiles (LinkedIn 2021).
Analysis: This was due to insufficient monitoring of API access and a lack of mechanisms to detect and defend against automated queries.

Cause: Inadequate access controls
Problem: Several data leaks have occurred at Amazon Web Services (AWS).
Analysis: This happened because publicly accessible S3 buckets remained unprotected due to a lack of standard security settings and incorrectly implemented access controls.
Problem: A data leak occurred at the provider FlexBooker.
Analysis: The data leak affected the data of over three million users. This was due to weak access controls and inadequate encryption, which allowed unauthorised access to the database.

Cause: Unauthorised publication of data
Problem: Data from 538 million users (Sina Weibo 2020) was published on the darknet.
Analysis: This incident is due to inadequate internal controls and a lack of monitoring of data access. Internal security vulnerabilities and human error were identified as the main causes.

Cause: Incorrect configuration of data storage locations
Problem: Incorrect geographical configurations of data storage locations have resulted in violations of data protection laws such as nDSG and GDPR.
Analysis: This is due to data being stored in a geographic location that is not permitted under the applicable data protection law.

Cause: Misconfigured, public cloud storage buckets
Problem: A misconfigured cloud storage bucket resulted in sensitive data being publicly accessible.
Analysis: This is due to the incorrect configuration of cloud resources; strict access controls and regular security checks were missing.


* Data scraping refers to the use of automated programs or scripts to extract information from websites.

The lessons learnt for secure cloud computing

Analysing past breaches provides valuable insights for improving security measures and preventing future incidents. It emphasises the need for a proactive and comprehensive security strategy to prevent cyber security incidents:

  • Reliable configuration management and regular audits to detect misconfiguration.
  • Robust data protection mechanisms and monitoring of unusual patterns of access to company data.
  • Internal controls and monitoring of publicly available information.
  • Mindful geolocation management is required when selecting countries for storing data.
  • Public and private resources must be configured correctly and securely.

Although cloud providers guarantee robust security measures, the final responsibility for compliance lies with the company.

To ensure secure cloud computing, it is crucial that companies develop their own security strategies and measures and implement them carefully.

We recommend considering the following aspects to ensure compliance:

  • Shared responsibility model: Cloud security is based on a shared responsibility model. The provider secures the infrastructure, while the company (customer) is responsible for securing its data, applications and configurations.
  • Adaptation and control: Organisations adapt cloud environments to their specific needs, making it difficult for providers to enforce uniform security and compliance measures for all customers.
  • Knowledge of regulatory requirements: Compliance requirements vary depending on the industry and region. Cloud providers may not be able to fulfil all the specific regulatory requirements of every customer. The company needs to obtain the necessary overview of the sector-specific regulations.
  • Human error: Many breaches are caused by user misconfigurations or errors that cloud providers cannot always prevent. Organisations should implement control mechanisms to prevent human error.

Seven recommendations for successfully avoiding compliance violations

Preventing compliance violations requires a proactive approach that includes robust security measures, continuous monitoring and adherence to best practices:

  1. Careful configuration of security systems: Ensuring that security systems are configured correctly, in particular access rights and authorisations. Regularly checking and adjusting the configurations can prevent unauthorised access.
  2. Robust API security measures: Implementing strict access controls and monitoring mechanisms for APIs. Volume limits and security protocols can reduce the risk of data scraping.
  3. Strong access controls and IAM policies: Using strong access controls and identity and access management (IAM) policies to ensure that only authorised users have access to sensitive data. Regular monitoring and audits are essential.
  4. Internal controls and monitoring measures: Establishing comprehensive internal controls and monitoring measures to prevent unauthorised posting or leaking of data. This includes regularly reviewing employee access.
  5. Compliance with data protection laws: Ensuring that the storage and processing of data complies with legal requirements, in particular with regard to geographical location. Avoiding misconfigurations through clear guidelines and training.
  6. Security checks of cloud resources: Regular security checks and audits of cloud resources to avoid misconfigurations. Implementing clear separation between public and private data areas and using encryption to protect sensitive information.
  7. Automated configuration check: Monitoring the settings and alerting those responsible of deviations from the defined status (baseline). The configuration is usually monitored either via direct interfaces to the cloud provider (API) or, with a slight time delay, by analysing log files (audit logs including configured changes). This enables inadvertent misconfigurations to be quickly identified and rectified.
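As an added example (not code from the original article or from InfoGuard), the following script shows both monitoring paths described in recommendation 7 for the storage-location and public-bucket cases from the table above: a snapshot-versus-baseline check, as fed by a provider API, and a delayed scan of audit-log events. The region names, bucket names, baseline and log lines are all constructed for the example.

```python
import json

# Hypothetical allow-list of storage regions permitted by the organisation's
# data residency policy (Switzerland / EU); the region names are constructed.
ALLOWED_REGIONS = {"ch-north-1", "eu-central-1", "eu-west-1"}

# Constructed baseline: the approved state of each bucket (not real infrastructure).
# "web-assets" is deliberately approved as public, so public alone is not drift.
BASELINE = {
    "hr-records": {"region": "ch-north-1", "public_access": False, "encryption_at_rest": True},
    "web-assets": {"region": "eu-central-1", "public_access": True, "encryption_at_rest": True},
}

# Constructed snapshot as a provider configuration API would return it: one bucket
# moved outside CH/EU and made public, one unchanged, one created outside the baseline.
SNAPSHOT = [
    {"name": "hr-records", "region": "us-east-1", "public_access": True, "encryption_at_rest": True},
    {"name": "web-assets", "region": "eu-central-1", "public_access": True, "encryption_at_rest": True},
    {"name": "tmp-export", "region": "eu-west-1", "public_access": False, "encryption_at_rest": False},
]

def check_snapshot(snapshot, baseline=BASELINE, allowed=ALLOWED_REGIONS):
    """Return (resource, rule, detail) tuples for every deviation found."""
    findings = []
    for res in snapshot:
        name = res["name"]
        if res["region"] not in allowed:                       # data residency rule
            findings.append((name, "residency", f"stored in {res['region']}"))
        if not res.get("encryption_at_rest"):                  # encryption rule
            findings.append((name, "encryption", "no encryption at rest"))
        expected = baseline.get(name)
        if expected is None:                                   # resource nobody approved
            findings.append((name, "unknown", "resource absent from baseline"))
            continue
        for key, want in expected.items():                     # drift from approved state
            if res.get(key) != want:
                findings.append((name, "drift", f"{key} expected {want!r}, found {res.get(key)!r}"))
    return findings

# Constructed audit-log lines (one JSON event per line) for the log-based path.
AUDIT_LOG = """\
{"event": "PutBucketPolicy", "bucket": "hr-records", "principal": "alice"}
{"event": "GetObject", "bucket": "web-assets", "principal": "ci-bot"}
{"event": "CreateBucket", "bucket": "tmp-export", "principal": "bob"}
"""
CHANGE_EVENTS = {"PutBucketPolicy", "CreateBucket", "DeleteBucketEncryption"}

def changes_from_log(log_text):
    """Return (bucket, event, principal) for configuration changes, skipping data access."""
    events = (json.loads(line) for line in log_text.splitlines() if line.strip())
    return [(e["bucket"], e["event"], e["principal"]) for e in events if e["event"] in CHANGE_EVENTS]
```

In practice the snapshot comes from the provider's configuration API and the log from its audit trail; the rules and the baseline are what the organisation maintains itself.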

Top eleven dangers in cloud computing in 2025: Report by the Cloud Security Alliance (CSA)

The Cloud Security Alliance (CSA) lists its top eleven threats in the area of cloud computing for 2024. This list is consistent with our experience with our customers and is thus also worth mentioning here:

  1. Misconfiguration and inadequate change control
  2. Identity and access management
  3. Insecure interfaces and APIs
  4. Insufficient selection/implementation of a cloud security strategy
  5. Insecure third-party resources
  6. Insecure software development
  7. Inadvertent cloud data disclosure
  8. System vulnerabilities
  9. Limited visibility of cloud resources
  10. Unauthenticated resource sharing
  11. Advanced persistent threats

Our lessons learnt for your compliance strategy

Compliance breaches in cloud environments can often be prevented through careful configuration management, strong access controls, regular security checks and continuous monitoring.

Lessons learnt from past breaches can contribute to the development of more robust security practices. While cloud providers offer basic security measures, the ultimate responsibility for compliance lies with the organisation.

A proactive and informed approach to cloud security is therefore important to minimise the risk of compliance breaches, protect sensitive data and maintain the trust of customers and regulators.

By integrating these practices into your cloud strategy, you can minimise the risk of compliance breaches, protect sensitive data and secure the trust of customers and regulators.

Securely compliant: Recommendations for action to eliminate compliance risks

Ultimately, your goal is to use cloud-based services in your company with a clear conscience because compliance violations can be reliably ruled out. Do you want to be sure that you’ve taken all the necessary steps? Let our team of experts run a cloud security assessment to identify any risks in your security setup despite all the security measures.

And there’s more: our specialists will also provide you with specific technical, organisational and personnel recommendations for action and suggestions for implementing quick wins.

Support implementing specific measures

Are you planning to migrate your company’s IT to the cloud? A team of over 350 InfoGuard experts will support you. Whether with our Risk Management & Compliance Services or 24/7 Cyber Defence & Incident Response Services from our ISO 27001-certified Cyber Defence Center (CDC), we’ll support you with the implementation.
