The Cloud Security Alliance released a report on the top security threats to cloud computing. In Part 1 of this blog we review the top 7 threats. In Part 2 we’ll review the remedial steps you can take to reduce your risk profile.
Threat #1: Abuse and Nefarious Use of Cloud Computing
IaaS (Infrastructure as a Service) providers offer their customers immediate access to cloud services. The anonymity afforded in registration has attracted spammers, malicious code authors, and other criminals. PaaS (Platform as a Service) providers have traditionally suffered most from this kind of attack; however, recent evidence shows that hackers have begun to target IaaS vendors as well.
Threat #2: Insecure Interfaces and APIs
Cloud computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration, and monitoring are all performed using these interfaces. The security and availability of general cloud services depend on the security of these basic APIs. Risk increases because organizations may be required to relinquish their credentials to third parties in order to enable certain functionality.
Threat #3: Malicious Insiders
The threat of a malicious insider is well-known to most organizations. This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure. For example, a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance. The level of access granted could enable workers with malicious intent to operate with little or no risk of detection.
Threat #4: Shared Technology Issues
IaaS vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure (e.g., CPU caches, GPUs) were not designed to offer strong isolation properties for a multi-tenant architecture. To address this gap, a virtualization hypervisor mediates access between guest operating systems and the physical compute resources. Still, even hypervisors have exhibited flaws that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform.
Threat #5: Data Loss or Leakage
The threat of data compromise increases in the cloud due to the number of interactions that are either unique to the cloud or more dangerous because of the architectural or operational characteristics of the cloud environment.
Threat #6: Account or Service Hijacking
Account or service hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites.
Threat #7: Unknown Risk Profile
One of the tenets of cloud computing is the reduction of hardware and software ownership and maintenance to allow companies to focus on their core business strengths. This has clear financial and operational benefits, which must be weighed carefully against the hidden security posture of the provider. Security by obscurity may be low effort, but it can result in unknown exposures.