2Abuse and Nefarious Use of the Cloud
IAAS (infrastructure-as-a-service) providers are open to abuse with lenient registration processes, “where anyone with a valid credit card can register and immediately begin using cloud services,” said the CSA. By abusing the anonymity of the registrations, cyber-criminals can host exploits and malware. Cloud providers need a strict initial registration and validation process, and should monitor public blacklists and customer network traffic.
The security and availability of general cloud services depend on the security of the APIs customers use to manage and interact with those services. These interfaces must be designed to protect against accidental and malicious attempts to circumvent policy, which means ensuring strong authentication, encryption and access controls are in place.
The risk of a malicious insider is heightened when there’s a lack of transparency into the cloud provider’s processes and procedures. Enterprises should require transparency into the provider’s information security and management practices, enforce strict supply chain management and closely assess the supplier. Also, specify job requirements as part of legal contracts to govern the hiring process of those who are handling your data.
5Shared Technology Issues
Often the underlying components used by IAAS vendors in their infrastructure were not designed to offer strong isolation capabilities in a multitenant architecture. Providers use virtualization to bridge this gap, but due to the possibility of vulnerabilities, businesses should monitor the environment for unauthorized changes or activity, and promote patch management and strong authentication.
6Data Loss or Leakage
7Account or Service Hijacking
If an attacker gets hold of your credentials, they can cause all sorts of trouble, from eavesdropping on your activities and transactions and manipulating data to returning falsified information and redirecting your clients to illegitimate sites. Businesses should block the sharing of account credentials between users and services, and use strong two-factor authentication techniques when possible.
8Unknown Risk Profile
Know your security profile, from versions of software, code updates, security practices, vulnerability profiles, intrusion attempts, and security design. Find out who is sharing your infrastructure, and get information on such aspects as network intrusion logs and redirection attempts. “Security by obscurity may be low effort, but it can result in unknown exposures,” the CSA says.