The 9 Most Dangerous Cloud Security Threats10:00 AM EST Mon. Feb. 25, 2013
The Cloud Security Alliance, a nonprofit industry group that promotes best practices for cloud security, recently updated its list of top threats to cloud computing in a report, "The Notorious Nine: Cloud Computing Top Threats in 2013." The report, according to the CSA, reflects expert consensus about the most significant threats to cloud security and focuses on threats that are specifically related to the shared, on-demand nature of cloud computing.
Released Monday, the study is intended to help both cloud users and providers with their risk mitigation strategies. Continue on to see the group's findings.
For more on cloud security, check out our special report available exclusively on the CRN Tech News App.
Theft of sensitive corporate data is always a fear for companies in any type of environment, but cloud computing introduces "significant new avenues of attack," according to the CSA. "If a multitenant cloud service database is not properly designed, a flaw in one client's application could allow an attacker access not only to that client's data but every other client's data as well," the group said in its report.
Data stored in the cloud can be stolen by malicious attackers or lost for other reasons, the CSA said. Unless a cloud provider implements adequate backup measures, data can be accidentally deleted by the provider or lost in a fire or earthquake. At the same time, a customer that encrypts data before uploading it to the cloud but loses the encryption key will suffer data loss, the group said.
In a cloud environment, an attacker can use stolen credentials to eavesdrop, manipulate data, return fake data, and redirect customers to illegitimate sites, according to the CSA report. Companies should ban the sharing of account credentials between users and services and use strong, two-factor authentication to mitigate the risk, the group advised.
A weak set of software interfaces or APIs, which cloud customers use to manage and interact with cloud services, exposes organizations to a range of security issues, according to the CSA report. These interfaces must be designed properly with authentication, access control and encryption to ensure security and availability of the services.
The CSA also noted that organizations and third parties often build upon cloud interfaces to provide additional services, which introduces complexity and increases risk because cloud customers may need to provide their credentials to third parties to facilitate the services.
Denial of Service attacks can overwhelm a cloud service by forcing it to consume tons of system resources and prevent legitimate users from being able to use the service. Distributed Denial of Service attacks tend to get a lot of media attention, but there are other types of DoS attacks that can affect cloud computing, the CSA said. For example, attackers can launch asymmetric application-level DoS attacks by exploiting vulnerabilities in Web servers, databases or other cloud resources to take down an application with an extremely small payload.
In an IaaS, PaaS or SaaS environment that isn't built with the proper security, a malicious insider such as a system administrator can gain access to sensitive information, according to the report.
Systems that depend solely on the cloud service provider for security are at great risk, the CSA said. "Even if encryption is implemented, if the keys are not kept with the customer, and only available at data-usage time, then the system is still vulnerable to malicious insider attack," the CSA said in its report.
Cloud computing allows organizations of all sizes to access vast amounts of computing power, but not everyone wants to use this power for good, the CSA warned. For example, an attacker could use an array of cloud servers to crack an encryption key in minutes.
Cloud providers need to consider how they can detect people abusing their service, how they define abuse and prevent it, the report advised.
Eager to reap the cost reductions and other benefits of the cloud, some organizations are rushing to adopt cloud technologies without fully understanding the implications, according to the report. Organizations need to perform extensive due diligence of their internal systems and the prospective cloud service provider to fully understand the risks they're adopting with the new cloud model.
The threat of shared vulnerabilities exists in all cloud delivery models, the CSA said. If a key piece of shared technology, such as the hypervisor or a shared platform component, is compromised, it exposes more than just the compromised customer -- it exposes the entire environment.