The media regularly report on data breaches in which personal data is exposed online as a result of incorrectly configured databases or user data or cloud environments with poor security. For instance, there was Facebook in 2019 and then Microsoft a year later, with both breaches unintentionally making millions of user records publicly accessible.
In recent years, there has been a significant shift to the cloud, both for private users and at work. The cloud offers many benefits, such as flexibility, speed, scalability, ease of use – etc. – all of which we now take for granted. But security in the cloud is not so clear-cut. Unless they have a well-thought-out policy and proper measures in place, businesses may be vulnerable to data leaks, configuration errors and compliance risks.
Adoption of the cloud in Belgium and the EU
It would be fair to say that Belgian companies are pioneers when it comes to adopting the cloud. According to the European Commission’s Digital Decade report from 2024, Belgian businesses are at the forefront of digitalisation. In fact the Commission’s research shows that 47.7% of companies use cloud computing. That’s well in excess of the European average of 38.9%.
Cloud computing means that you purchase computing power, storage or even software from a supplier via the internet, so that you don’t need your own servers or computers to store data or run software, etc. Essentially, you lease IT capacity from a cloud provider (such as Microsoft Azure, Amazon Web Services, Google Cloud, etc.) and you only pay for what you use.
‘As an organisation, you need to ask yourself the extent to which you can and want to protect yourself against downtime at your cloud providers.’
In the Benelux, around 42% of organisations use cloud services in which both front-end and back-end applications are migrated. In layman’s terms, this means that both the apps that customers log into to use certain services and the database and computing power required to run those apps are located in the cloud.
Challenges with shared responsibility
This rapid move to the cloud is not without its challenges. Providers of cloud solutions tend to use the ‘shared responsibility model’. This means that companies such as Amazon Web Services, Microsoft Azure, Google, etc. are responsible for making sure their own cloud infrastructure is secure. But, as a customer, you are responsible for what you do in the cloud – that might include configurations, access management, data encryption and so on.
In other words, cybersecurity in the cloud is a shared responsibility and that’s often where the problem lies in organisations. These issues include:
- Shadow IT. Company employees use their own tools and programs without the IT department being aware that they are doing so. Unless there is a strict policy in place, organisations run the risk of allowing “gaps” to open up in their security.
- Poor configuration of access rights. Access Control Lists (ACL) are lists that set out who has access to which files or systems – as well as what they are allowed to do with them (read, write, delete). If the parameters for the ACL are set too broadly, anyone can access sensitive files via the internet.
- Open storage buckets. These are storage containers in the cloud (such as a digital folder). They have no password or access restriction and this makes them accessible to anyone who has the link. So, if someone accessing them has malicious intentions, they can download, modify or delete the contents of the brochure.
However, there is a legal framework in place that requires Belgian companies to comply with rules such as GDPR and the new NIS2 directive. The launch date for the new directive is 17th April 2026, which means we will only be able to see the effect of the new legislation in a few years’ time.
An additional challenge is what is known in the jargon as multi-cloud complexity. As the term implies, we use various systems and platforms from different providers, so keeping everything secure and up to date requires a fair amount of expertise and a clear, consistent strategy.
‘As an organisation, you need to ask yourself the extent to which you can and want to protect yourself against downtime at your cloud providers,’ says Kristof Tuyteleers, security officer at DNS Belgium. ‘The major cloud providers have datacentres in multiple countries, which minimises the impact of any downtime at any specific location. However, a multi-cloud strategy doesn’t necessarily mean that it’s the best solution. Yes, it might reduce the risk of failure or dropouts, but it also increases the complexity – and hence the chance of errors – of your infrastructure. This can sometimes result in the lower net availability of ICT services. Which in turn means that every organisation needs to assess whether it has the necessary resources and expertise to manage and maintain their systems in a sustainable manner.’
Data breach caused by incorrect AWS S3 bucket configuration
Back in the spring, it was discovered that WorkComposer, a tool for monitoring employees’ screens, had accidentally left 21 million screenshots of its users online. This oversight was caused by an incorrect bucket configuration.
Read the article on the Datanews website (Dutch)
Google the terms AWS and S3 bucket configuration data breach and you will find dozens of cases in which data has been leaked from millions of users of all kinds of tools worldwide.
Best practices: what can you do yourself?
Cybersecurity in the cloud starts with having a strong foundation. Fortunately, there are a number of practical steps that your organisation can take to give your digital environment better protection:
- Zero Trust Architecture. Trust is good; verification is better. With a Zero Trust approach, no one is automatically granted access – every user, every device and every request is verified first. This limits the risks of internal and external threats.
- Security of APIs. An API (Application Programming Interface) is a set of rules that enables software applications to communicate with each other. APIs are often the gateway to sensitive data. Ensure strict access control, continuous monitoring and rate limiting to prevent misuse. Also consider authentication via tokens and limiting public endpoints.
- Encryption & key management. Encrypt your data – both when it is being sent and when it is being stored. Combine this with robust key management, preferably centralised, so that you always retain control over who has access to what information.
Cybersecurity Coalition bridges the gap between theory and practice
The Cybersecurity Coalition in Belgium is a public-private collaboration of government bodies, companies and educational institutions. Among other things, DNS Belgium is part of the Coalition’s cloud security focus group. ‘We develop best practices and promote knowledge-sharing,’ says Kristof Tuyteleers, who as security officer at DNS Belgium, is a member of the focus group.
‘In practical terms, we compare the big tech cloud providers, discuss sovereignty in the cloud and look at the real possibility that President Trump will interrupt the services of AWS, Azure, etc.,’ continues Kristof. ‘When you see that recent European fines imposed on Microsoft have been waived and the ones imposed on Google have been reduced, you have to ask yourself how much control you still have.’
- In the next article of Cybersecurity Month, you will discover how children can stay safe online.
With this article, we support the United Nations Sustainable Development Goals.