top of page
Search

Cloud Migration Security Risks for NZ SMEs

  • Writer: Joseph Rapley
    Joseph Rapley
  • 3 days ago
  • 8 min read

New Zealand's small and medium-sized enterprises (SMEs) are rapidly adopting cloud infrastructure for its flexibility and scalability. However, this shift brings significant security challenges that many businesses underestimate.

Cloud platforms have become a fruitful hunting ground for threat actors, with nearly one in five cyber incidents at larger NZ businesses now involving cloud platforms. The primary culprit? Human error. A recent study found that 39% of cloud-related incidents were traced to misconfigurations or software vulnerabilities.

Even smaller Kiwi firms have suffered breaches due to simple mistakes. A Wellington property management company inadvertently left an Amazon S3 storage bucket open to the internet, exposing over 31,000 images of passports, driver licenses, and other personal documents. Such cases highlight a crucial point: moving to AWS, Azure, or other cloud providers isn't automatically safer than on-premises IT. While the underlying infrastructure may be secure, it's up to each customer to configure and use it correctly.

Fast Secure Cloud
Fast Secure Cloud

Understanding Cloud Services: Infrastructure vs Software

Not all "cloud" services carry the same security responsibilities. It's essential to distinguish between different service models:

Software as a Service (SaaS) like Microsoft 365 or Google Workspace are delivered as ready-to-use applications. The provider handles most security responsibilities, while customers manage user access and data protection.

Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings such as AWS, Azure, and other offerings give you building blocks to run your own systems. Here, you have more control and significantly more security responsibility.

This article focuses on IaaS/PaaS scenarios, where NZ SMEs rent computing resources from AWS, Azure, or similar providers and must secure their usage of those resources.


The Shared Responsibility Model

Both AWS and Azure emphasise that cloud security is a partnership between provider and customer, each accountable for different layers.

The provider secures the cloud infrastructure itself: physical data centres, servers, networking, and core cloud services.

The customer secures everything they deploy in the cloud: operating systems, applications, configurations, and data.

For example, if you run an EC2 virtual server in AWS, Amazon ensures the physical servers and hypervisor are secure, but you're responsible for patching and configuring your instance's operating system, networking, and user accounts. Similarly, if you use Amazon S3 storage, AWS maintains the underlying hardware and software, but you must manage your data permissions and enable encryption.

Moving to the cloud doesn't eliminate IT security duties, it shifts them and adds more. You no longer worry about physical server hardware, but you must diligently secure your cloud configurations, identity settings, and data exposure.


Key Security Risks for SMEs

1. Resource Misconfiguration

Incorrectly configured cloud services cause most cloud breaches. Simple setup errors like leaving a storage bucket public or a server port open can provide direct access to attackers. Studies show misconfigurations account for 65-70% of cloud security challenges.

The cloud's numerous settings and options can overwhelm teams new to platforms like AWS or Azure. A single oversight, such as failing to disable a default public access setting, can lead to major data leaks. Cloud misconfiguration breaches have cost companies trillions globally in recent years.

2. Weak Identity and Access Management

Cloud providers offer powerful IAM systems, but mismanagement can be catastrophic. Common issues include:

  • Weak passwords or single-factor authentication

  • Not enabling multi-factor authentication

  • Granting overly broad permissions

  • Using root accounts for daily tasks

Microsoft observed that 99.9% of hacked enterprise accounts had no MFA enabled. Stolen cloud credentials provide direct entry to attackers, essentially handing them the "keys to the kingdom."

3. Data Exposure and Unsecured Storage

Cloud storage services hold vast amounts of sensitive business data. A major risk is accidentally exposing data through misconfigured permissions or file-sharing links. In just one case in 2021 researchers found over 1.6 million sensitive files exposed via 86 misconfigured S3 buckets across various organisations.

Unencrypted data compounds the problem. If an attacker gains access to unencrypted customer data, the impact is far worse than if that data were protected.

4. Insufficient Monitoring and Logging

Many SMEs focus on getting cloud services operational but forget to enable audit logs or set up alerts for unusual activity. Without proper logging, security incidents can go undetected for extended periods.

Without logs, you won't know if an S3 bucket was made public or an admin account was created until it's too late.

5. Inadequate Incident Response

Many SMEs lack clear plans for cloud security incidents. Traditional IT response plans may not cover cloud-specific scenarios. Contributing factors include:

  • No backups of cloud-hosted data

  • Undefined roles or communication plans

  • Lack of practice with cloud recovery procedures

In New Zealand, nearly half of businesses hit by cyber attacks said resolution took over a month, indicating that response processes often lag behind the threat landscape.

6. Compliance and Data Residency Challenges

Cloud migration doesn't exempt businesses from regulatory obligations. NZ's Privacy Act and industry regulations still apply, regardless of where data is stored. Key considerations include:

  • Understanding data jurisdiction and residency requirements

  • Ensuring cloud configurations meet compliance standards

  • Managing customer expectations about data location

  • Implementing proper controls for regulated industries


AWS Security: Common Services and Pitfalls

Amazon S3 (Simple Storage Service)

S3's ease of use can be a double-edged sword. While new buckets are private by default, users can inadvertently make them public or share links that expose data. Key risks include:

  • Not enabling AWS's "Block Public Access" settings

  • Misunderstanding S3's complex permission model

  • Failing to enable encryption at rest

Best practices: Always enable block-public-access unless specifically needed, turn on default encryption for all buckets, limit IAM access, and configure alerts for public bucket changes.

Amazon EC2 (Elastic Compute Cloud)

EC2 virtual servers require the same security diligence as physical servers, plus cloud-specific considerations:

  • Security Group rules that are too permissive (allowing SSH or RDP from anywhere)

  • Failing to patch operating systems and software

  • Not using IAM roles for service access

  • Leaving EBS volumes unencrypted

A critical but often overlooked risk is the Instance Metadata Service (IMDS). AWS EC2 instances can access metadata about themselves via a local HTTP endpoint. The older IMDSv1 is vulnerable to Server-Side Request Forgery (SSRF) attacks and so if your web application has an SSRF vulnerability, attackers can potentially retrieve IAM credentials from the metadata service. This was exploited in the Capital One breach, where attackers used an SSRF flaw to access IAM credentials and then pivot to S3 buckets.


Best practices: Lock down security groups to necessary IPs and ports only, maintain OS updates, use IAM roles instead of hardcoded credentials, enable volume encryption, deploy monitoring agents, and configure EC2 instances to require IMDSv2 (which includes additional security protections against SSRF attacks).


AWS Identity and Access Management (IAM)

IAM controls all permissions but can overwhelm newcomers:

  • Using the root account for daily operations

  • Not enabling MFA on administrative accounts

  • Over-provisioning permissions

  • Setting overly permissive policies

Best practices: Secure root credentials with MFA and use only for initial setup, require MFA for all console access, implement least-privilege policies, and regularly review permissions using AWS tools.


Azure Security: Common Services and Pitfalls

Azure Blob Storage & Azure Files

Similar to S3, Azure storage can be misconfigured to allow unintended access:

  • Enabling public read access and forgetting to disable it

  • Misconfiguring SAS (Shared Access Signature) tokens

  • Not utilising network restrictions

Best practices: Keep containers private unless necessary, use SAS tokens with tight time and IP restrictions, enable soft delete and versioning, and monitor Azure Security Center recommendations.

Azure Virtual Machines

Azure VMs face similar risks to AWS EC2:

  • Misconfigured Network Security Groups (NSGs)

  • Unpatched operating systems and Azure agents

  • Weak authentication methods

Best practices: Use Just-In-Time VM access, keep all software updated, enforce strong authentication with Azure AD integration, and segment VMs across subnets.

Entra ID (Formerly Azure AD)

Entra centralises identity management but becomes a high-value target:

  • Insufficient MFA implementation

  • Overly broad administrative permissions

  • Misconfigured external app integrations

Best practices: Enable MFA for all users (especially admins), use conditional access policies, minimise privileged roles, and regularly review audit logs.


Best Practices for SME Cloud Security

1. Enable Multi-Factor Authentication Everywhere

Turn on MFA for all cloud account logins. This single step blocks 99.9% of automated attacks. Use app-based authentication, hardware keys, or other secure methods, the slight inconvenience is negligible compared to the security benefit.

2. Implement Least-Privilege Access

Audit who has access to your cloud and restrict it to the minimum needed. Create separate roles for different functions rather than using super-admin accounts for everything. Regularly review and remove excessive permissions.

3. Secure Default Settings

Cloud services often ship with defaults that prioritise usability over security. Always review and harden these settings:

  • Enable block-public-access on storage accounts

  • Configure restrictive firewall rules on VMs

  • Turn on encryption for all data stores

  • Disable unnecessary features or sample accounts

4. Encrypt Data Everywhere

Enable encryption at rest for all storage services and databases. Use HTTPS/TLS for all communications. Both AWS and Azure provide easy-to-use encryption services—there's little reason not to use them.

5. Implement Network Segmentation

Don't place everything in one flat network. Use security groups, network ACLs, and subnets to create barriers. Database servers should sit in private subnets accessible only to application servers, not the entire internet.

6. Enable Comprehensive Logging and Monitoring

Turn on audit logging for all services (AWS CloudTrail, Azure Activity Logs) and use automated threat detection (AWS GuardDuty, Azure Defender). Set up alerts for suspicious activities like policy changes or unusual access patterns.

7. Conduct Regular Security Audits

Schedule quarterly reviews of your cloud security posture using provider tools like AWS Trusted Advisor or Azure Advisor. Consider external vulnerability scans, penetration tests and security configuration reviews to identify blind spots.

8. Prepare for Incidents

Create a cloud-specific incident response plan that covers credential revocation, resource isolation, and data recovery. Practice these procedures and ensure you have tested backups of critical data.

9. Address Compliance Requirements

Understand your data residency obligations and choose appropriate cloud regions. Microsoft's Azure New Zealand North region launched in December 2024, enabling local data storage. AWS has announced an Auckland region but construction delays have pushed the launch beyond their original 2024 timeline—the region remains under development as of early 2025. Implement necessary controls to meet regulatory standards like the Privacy Act.


Real-World Lessons

High-profile incidents provide valuable lessons:

  • Reserve Bank of New Zealand (2021): A breach involving recently migrated cloud systems highlighted the importance of proper configuration during migration.

  • Capital One (2019): A misconfigured web application firewall led to 100+ million compromised records and over $400 million in costs.

  • Various NZ businesses: Open S3 buckets have exposed thousands of personal documents, showing how simple oversights can have serious consequences.

The common thread in these incidents isn't sophisticated hacking—it's preventable configuration mistakes.


Looking Forward

The cloud offers tremendous opportunities for NZ SMEs to innovate and scale efficiently. The security challenges are real but manageable with the right approach. Most cloud incidents result from users not fully utilising available security controls rather than fundamental platform flaws.

Success requires treating cloud security as an ongoing journey rather than a one-time setup task. Build security into every cloud project from day one, continuously educate your team, and adapt as your usage evolves.

With proper planning and the practices outlined above, SMEs can achieve stronger security in the cloud than they had on-premises, taking advantage of enterprise-grade security tools and monitoring capabilities that were previously out of reach.

The cloud can be as secure as you make it. With diligence and pragmatic implementation of security best practices, you can confidently embrace the cloud's benefits while protecting your business and customers from unnecessary risk.


Getting Professional Help

For SMEs lacking internal cloud security expertise, working with specialised security firms can provide valuable assurance. Companies like Cyberoptic offer cloud security configuration reviews and penetration testing specifically for AWS, Azure, and other cloud deployments. These services can identify misconfigurations and vulnerabilities that internal teams might miss, providing an independent assessment of your cloud security posture.

Professional cloud security assessments typically include configuration reviews of IAM policies, storage permissions, network settings, and logging configurations, exactly the areas where SMEs commonly struggle. Penetration testing can simulate real-world attacks to test your defences and incident response procedures.

While not every SME needs external security services, they can be particularly valuable during initial cloud migrations or for businesses handling sensitive data where the cost of a breach would be significant.

 
 
bottom of page