The Cloud Security Alliance, a not-for-profit industry organization, has published a report identifying the top cloud security threats to help enterprises better understand and mitigate the risks associated with adopting cloud computing.

The report, which was sponsored by Hewlett-Packard and released at the RSA Conference in San Francisco this week, is careful to note that companies are excited about the benefits that can be delivered by cloud computing. However, it said there are very real vulnerabilities that threaten to hinder cloud offerings from reaching their full potential.

“Cloud services are clearly the next generation of information technology that enterprises must master,” Alliance founder Jim Reavis said in a statement. “The objective of this report was to not only identify the threats which are most germane to IT organizations, but also help organizations understand how to proactively protect themselves.”

The Alliance listed seven top threats, which it said represent existing vulnerabilities. The threats, listed below, are not in any order of severity.

Threat 1: Abuse and Nefarious Use of Cloud Computing

The Alliance noted some Infrastructure-as-a-Service (IaaS) providers do not have strong controls on who may sign up for their services and often offer free limited trials. As a result, spammers, malicious code authors, and other criminals have been able to take advantage of the services to conduct their activities. It noted IaaS providers have been found to be hosts of the Zeus botnet, InfoStealer Trojans, and downloads for Microsoft Office and Adobe exploits.

Threat 2: Insecure Interfaces and APIs

Cloud computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Reliance on a weak set of interfaces can expose an organization to a variety of security issues related to confidentiality, availability, and password integrity.

Threat 3: Malicious Insiders

The dangers posed by a malicious insider at any organization are well known, and the same level of risk has to be considered with cloud service providers. For example, a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors employees or how it analyzes and reports on policy compliance. The level of access granted could enable a malicious insider to harvest confidential data or gain control over the cloud services.

Threat 4: Shared Technology Issues

Cloud vendors deliver their services in a scalable way by sharing infrastructure. Virtualization hypervisors provide a means of creating virtual machines or operating systems, but hypervisors have exhibited flaws. The flaws have allowed, for example, a user to gain inappropriate levels of control over the underlying platform, thus impacting other customers on the shared platform.

Threat 5: Data Loss or Leakage

The threat of data compromise increases in the cloud due to a number of underlying risks and challenges. Examples include insufficient authentication, authorization or audit controls, operational failures, and data center reliability.

Threat 6: Account or Service Hijacking

Attack methods such as phishing, fraud, and exploitation of software vulnerabilities present a risk for account hijacking. With cloud services, if an attacker gains access to credentials, they can eavesdrop on activities and transactions, and manipulate and falsify data.

Threat 7: Unknown Risk Profile

One of the tenets of cloud computing is a reduction in hardware and software ownership and the associated maintenance. There is a danger, however, that in handing over ownership, responsibility for ensuring security procedures, policies and controls are followed may lapse - out of sight, out of mind. This can result in unknown exposures, particularly over time.

 

 

 
