Cloud Security Alliance Calls For Standards, Outlines Threats


As cloud computing takes hold, security concerns are still a top worry for potential cloud customers. And a pair of studies released Monday by the Cloud Security Alliance (CSA) has not only confirmed the need for cloud security standards but also identified the top security threats in the cloud.

According to one study conducted by the CSA and the IEEE, the evolution of cloud computing has increased the need for cloud-specific security standards. The CSA-IEEE survey of hundreds of IT professionals found that 93 percent of respondents said the need for cloud computing security standards is important, while 82 percent said that need is urgent. Meanwhile, 44 percent of those who responded said they are already involved in developing cloud computing standards and 81 percent said they are somewhat or very likely to participate in cloud security standard development over the next year.

And while cloud security standards are top of mind, survey respondents agreed that data privacy, security and encryption comprise the most urgent area of need for standards development, and that standards like the ISO 27001/27002 Information Security Management Standard, Data Breach Notification, PCI/DSS, EU Data Privacy Legislation, SOX and HIPAA are key regulatory drivers for cloud standards compliance.

Additionally, the CSA-IEEE survey found cloud deployments will continue to grow, further fueling the need for security standards. The survey revealed that public, private and hybrid cloud use will increase over the next 12 months, with private and hybrid implementations gaining traction despite public cloud dominance. The survey also found that platform as a service and infrastructure as a service offerings will grow sharply over the next year, while software as a service achieves consistent growth.

"It's clear from the survey's findings that enterprises across sectors are eager to adopt cloud computing - but that security standards are needed both to accelerate cloud adoption on a wide scale and to respond to regulatory drivers," said Jim Reavis, founder and executive director of the Cloud Security Alliance, in a statement. "Cloud computing is shaping the future of IT, but, as this study shows in a variety of ways, the absence of a compliance environment is having dramatic impact on cloud computing's growth."

The CSA, a non-profit that promotes the use of best practices around security for cloud computing, released the list of threats to educate the industry. The CSA will continue to monitor cloud security issues and offer mitigation suggestions as it works toward security standards in the cloud. Currently, the CSA comprises industry stakeholders, end users, and cloud service, SaaS and technology providers such as Cisco, Dell, HP, Intel, McAfee, Microsoft, Novell, Rackspace and Symantec, along with individual corporate and governmental representatives.

The recent survey results come on the heels of another CSA report in which the CSA and Hewlett-Packard (HP) detail the six "immediate" security threats to cloud computing services and environments that solution providers should be aware of as they move customers to cloud computing and help them decide whether to move access data, files, applications and compute infrastructure into the cloud.

"To realize the full business value of cloud services, companies must understand the risks involved," HP and the CSA said Monday. "By realizing the latest cloud security threats and ways to address them, companies can implement a security strategy that encompasses assessment, monitoring and management."

According to the report, which asked a cross section of industry experts to identify threats, the top cloud security threats are:

  • Abuse and nefarious use, which can occur when hosted services are accessed by unauthorized users for malicious purposes, like password cracking and other exploits
  • Insecure APIs, which can let ill-intentioned users exploit services to hijack accounts
  • Malicious insider risks, which can increase in the cloud, giving an adversary the ability to take complete control of the infrastructure, which can lead to data leakage, abuse and hijacking of information
  • Shared technology vulnerabilities, like attacks on virtual machines, which can impact clients by exploiting the local infrastructure for criminal use
  • Data loss and leakage, which can increase due to the open, operational characteristics of cloud environments, leading to financial loss and legal ramifications

HP and the CSA said the threats can be amplified in cloud environments and hamper business growth.

"Cloud services are clearly the next generation of information technology that enterprises must master. We have a shared responsibility to understand the security threats that accompany the cloud and apply the necessary best practices to mitigate them," Reavis added.