The Cloud Security Alliance and HP today presented new research findings that detail the potential threats linked to the use of cloud services.
The report, titled “Top Threats to Cloud Computing V1.0”, is aimed at helping customers and cloud providers alike form a good understanding of the current situation and weigh the risks and benefits when deciding whether or not, or to what extent, to embrace “the cloud”.
The threats are as follows (and are not listed in any order of severity):
1. Abuse and nefarious use of cloud computing
The ease of registering for IaaS solutions and the relative anonymity they offer attract many cyber criminals. IaaS offerings have been known to host botnets and/or their command and control centers, downloads for exploits, Trojans, etc. There is a myriad of ways in which in-the-cloud capabilities can be misused – possible future uses include launching dynamic attack points, CAPTCHA solving farms, password and key cracking and more. To remediate this, IaaS providers should toughen up the weakest links: the registration process and the monitoring of customer network traffic.
2. Insecure interfaces and APIs
As software interfaces or APIs are what customers use to interact with cloud services, they must have extremely secure authentication, access control, encryption and activity monitoring mechanisms – especially when third parties start to build on them. The keys to solving those problems are a thorough analysis of the interfaces and quality implementation of the security mechanisms.
3. Malicious insiders
The malicious insider threat is one that gains in importance as many providers still don’t reveal how they hire people, how they grant them access to assets or how they monitor them. Transparency is, in this case, vital to a secure cloud offering, along with compliance reporting and breach notification.
4. Shared technology issues
Sharing infrastructure is a way of life for IaaS providers. Unfortunately, the components on which this infrastructure is based were not designed for that. To ensure that customers don’t tread on each other’s “territory”, monitoring and strong compartmentalization are required, not to mention scanning for and patching of vulnerabilities that might jeopardize this coexistence.
5. Data loss or leakage
Be it by deletion without a backup, by loss of the encoding key or by unauthorized access, data is always in danger of being lost or stolen. This is one of the top concerns for businesses, because they not only stand to lose their reputation, but are also obligated by law to keep that data safe. There are a number of things that can be done to prevent such occurrences: from consistent use of encryption and quality disaster recovery to contractual specifications regarding backup and secure destruction practices.
6. Account or service hijacking
If you think that the hijacking of your email account is disastrous, wait until your “cloud” account is compromised! The attacker can gather information, change data, falsify transactions, and also redirect your clients to illegitimate sites. In this day and age, it only takes a credible phishing site or a good social engineering approach, and the keys to your castle have changed hands. Strong authentication techniques, security policies and monitoring should prevent this from happening.
7. Unknown risk profile
Security should always be in the upper portion of the priority list. Code updates, security practices, vulnerability profiles, intrusion attempts – these are all things that should always be kept in mind. Never do just the “bare minimum” to keep your boat afloat – be ready to go the extra (security) mile.
To read the report, go here.