IT Security & Network Security News & Reviews: Cloud Computing's 7 Deadliest Security Risks

 
 
By Brian Prince  |  Posted 2010-03-08
 
 
 

Cloud Computings 7 Deadliest Security Risks

by Brian Prince

Cloud Computings 7 Deadliest Security Risks

Abuse and Nefarious Use of the Cloud

IAAS (infrastructure-as-a-service) providers are open to abuse with lenient registration processes, "where anyone with a valid credit card can register and immediately begin using cloud services," said the CSA. By abusing the anonymity of the registrations, cyber-criminals can host exploits and malware. Cloud providers need a strict initial registration and validation process, and should monitor public blacklists and customer network traffic.

Abuse and Nefarious Use of the Cloud

Insecure APIs

The security and availability of general cloud services depend on the security of the APIs customers use to manage and interact with those services. These interfaces must be designed to protect against accidental and malicious attempts to circumvent policy, which means ensuring strong authentication, encryption and access controls are in place.

Insecure APIs

Malicious Insiders

The risk of a malicious insider is heightened when there's a lack of transparency into the cloud provider's processes and procedures. Enterprises should require transparency into the provider's information security and management practices, enforce strict supply chain management and closely assess the supplier. Also, specify job requirements as part of legal contracts to govern the hiring process of those who are handling your data.

Malicious Insiders

Shared Technology Issues

Often the underlying components used by IAAS vendors in their infrastructure were not designed to offer strong isolation capabilities in a multitenant architecture. Providers use virtualization to bridge this gap, but due to the possibility of vulnerabilities, businesses should monitor the environment for unauthorized changes or activity, and promote patch management and strong authentication.

Shared Technology Issues

Data Loss or Leakage

Lowering the risk of data leaks means implementing a strong API access control as well as encrypting data in transit. The CSA also recommends implementing strong key generation, storage, management and destruction practices.

Data Loss or Leakage

Account or Service Hijacking

If an attacker gets hold of your credentials, they can cause all sorts of trouble, from eavesdropping on your activities and transactions and manipulating data to returning falsified information and redirecting your clients to illegitimate sites. Businesses should block the sharing of account credentials between users and services, and use strong two-factor authentication techniques when possible.

Account or Service Hijacking

Unknown Risk Profile

Know your security profile, from versions of software, code updates, security practices, vulnerability profiles, intrusion attempts, and security design. Find out who is sharing your infrastructure, and get information on such aspects as network intrusion logs and redirection attempts. "Security by obscurity may be low effort, but it can result in unknown exposures," the CSA says.

Unknown Risk Profile

Rocket Fuel