Top 7 Threats to Cloud Computing – Part 2

The Cloud Security Alliance released a report on the top security threats to cloud computing. In Part 1 of this blog we reviewed the top 7 threats. In this installment, Part 2, we review the remedial steps you can take to reduce your risk profile.

Threat #1: Abuse and Nefarious Use of Cloud Computing

Remediation

  • Stricter initial registration and validation processes
  • Enhanced credit card fraud monitoring and coordination
  • Comprehensive introspection of customer network traffic
  • Monitoring public blacklists for one’s own network blocks

Threat #2: Insecure Interfaces and APIs

Remediation

  • Analyze the security model of cloud provider interfaces
  • Ensure strong authentication and access controls are implemented in concert with encrypted transmission
  • Understand the dependency chain associated with the API (application program interface)

Threat #3: Malicious Insiders

Remediation

  • Enforce strict supply chain management and conduct a comprehensive supplier assessment
  • Specify human resource requirements as part of legal contracts
  • Require transparency into overall information security and management practices, as well as compliance reporting
  • Determine security breach notification processes

Threat #4: Shared Technology Issues

Remediation

  • Implement security best practices for installation/configuration
  • Monitor environment for unauthorized changes/activity
  • Promote strong authentication and access control for administrative access and operations
  • Enforce service level agreements for patching and vulnerability remediation
  • Conduct vulnerability scanning and configuration audits

Threat #5: Data Loss or Leakage

Remediation

  • Implement strong API access control
  • Encrypt and protect integrity of data in transit
  • Analyze data protection at both design and run time
  • Implement strong key generation, storage and management, and destruction practices
  • Contractually demand providers wipe persistent media before it is released into the pool
  • Contractually specify provider backup and retention strategies

Threat #6: Account or Service Hijacking

Remediation

  • Prohibit the sharing of account credentials between users and services
  • Leverage strong two-factor authentication techniques where possible
  • Employ proactive monitoring to detect unauthorized activity
  • Understand cloud provider security policies and SLAs

Threat #7: Unknown Risk Profile

Remediation

  • Disclosure of applicable logs and data
  • Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls)
  • Monitoring and alerting on necessary information