Security risks for cloud computing have grown over the last decade. Because information technology (IT) is typically deployed to serve the interests of the organization, the goals and management practices of that organization are an important source of guidance for cloud risk management.
From the perspective of the enterprise, cloud computing represents outsourcing, and it becomes part of the IT supply chain.
Cloud risk management should therefore be linked to corporate governance and enterprise risk management.
Top principles for Security Risks For Cloud Computing
Corporate governance is a broad area describing the relationship between the shareholders and other stakeholders in the organization versus the senior management of the corporation.
These stakeholders need to see that their interests are taken care of and that the management has a structure and a process to ensure that they execute the goals of the organization.
This requires, among other things, transparency on costs and risks. In the end, risks relating to cloud computing should be judged against corporate goals.
It makes sense to develop any IT governance processes in alignment with existing corporate governance processes.
For example, corporate governance pays attention to supply chains, management structure, compliance, financial transparency, and ownership.
All of these are relevant to any cloud consumer-provider relationship that is significant to the corporation.
Enterprise risk management is the set of processes and structures to systematically manage all risks to the enterprise.
This explicitly covers supply chain risks and third-party risks, the biggest of which is typically the failure of an external provider to deliver the services that are contracted.
Risk Assessment and Analysis
There are several lists of risks maintained and published by industry organizations.
These lists can be a source of valuable insight and information, but in the end, every cloud-consuming or cloud-providing organization remains responsible for its risk assessment.
Policy and Organization Risks
Policy and organization risks are related to the choices that the cloud service consumer makes about the CSP.
To some extent, they are the natural consequence of outsourcing IT services. Outside the IT industry, these are often called third-party risks.
A few of the most noteworthy are provider lock-in, loss of governance, compliance challenges, and provider exit.
Provider lock-in: This refers to the situation in which the consumer has made significant vendor-specific investments.
These can include adaptation to data formats, procedures, and feature sets.
These investments can lead to high costs of switching between providers.
Loss of governance: This refers to the consumer not being able to implement all required controls.
This can lead to the consumer not achieving its required level of security, and to potential compliance risks.
Compliance risks: Consumers often have significant compliance obligations, such as when handling payment card information, health data, or other PII.
A specific cloud vendor and solution may not be able to fulfill all those obligations, for example, when the location of stored data is insufficiently under control.
Provider exit: In this situation, the provider is no longer willing or capable of providing the required service.
This could be triggered by bankruptcy or a need to restructure the business.
General Security Risks For Cloud Computing
A risk exists if there is a potential failure to meet any requirement that can be expressed in technical terms, such as performance, operability, integration, and protection.
Generally speaking, CSPs have a larger technology scale than cloud customers and traditional IT departments.
This has three effects on risk, the net result of which depends on the actual situation:
- The consolidation of IT infrastructure leads to consolidation risks, where a single point of failure can have a bigger impact.
- A larger-scale platform requires the CSP to bring to bear more technical skills to manage and maintain the infrastructure.
- Control over technical risks shifts toward the provider.
Virtualization Security Risks For Cloud Computing
Virtualization risks include but are not limited to the following:
- Guest breakout: This occurs when there is a breakout of a guest OS so that it can access the hypervisor or other guests.
This is presumably facilitated by a hypervisor flaw.
- Snapshot and image security: The portability of images and snapshots makes people forget that images and snapshots can contain sensitive information and need protecting.
- Sprawl: This occurs when you lose control of the amount of content in your image store.
Cloud Specific Security Risks For Cloud Computing
Cloud-specific risks include but are not limited to the following:
- Management plane breach: Arguably, the most important risk is a management plane (management interface) breach.
Malicious users, whether internal or external, can affect the entire infrastructure that the management interface controls.
- Resource exhaustion: Because cloud resources are shared by definition, resource exhaustion represents a risk to customers.
This can play out as being denied access to resources already provisioned or as the inability to increase resource consumption.
Examples include sudden lack of CPU or network bandwidth, which can be the result of overprovisioning to tenants by the CSP.
Related to resource exhaustion are the following:
- Denial-of-service (DoS) attacks, where a common network or other resource is saturated, leading to starvation of users
- Traffic analysis
- Manipulation or interception of data in transit
- Isolation control failure: Resource sharing across tenants typically requires the CSP to realize isolation controls.
Isolation failure refers to the failure or nonexistence of these controls.
Examples include one tenant’s VM instance accessing or affecting instances of another tenant, failure to limit one user’s access to the data of another user (in a software as a service [SaaS] solution), and entire IP address blocks being blacklisted as the result of one tenant’s activity.
- Insecure or incomplete data deletion: Data erasure in most OSs is implemented by just removing directory entries rather than by reformatting the storage used.
This places sensitive data at risk when that storage is reused, due to the potential for recovery and exposure of that data.
- Control conflict risk: In a shared environment, controls that lead to more security for one stakeholder (blocking traffic) may make it less secure for another (loss of visibility).
- Software-related risks: Every CSP runs software, not just the SaaS providers. All software has potential vulnerabilities.
From the customer’s perspective, control is transferred to the CSP, which can mean enhanced security and risk awareness, but the ultimate accountability for compliance still falls to the customer.
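To make the data deletion point above concrete, here is an added example (not from the original article): a toy block store in which "delete" only removes the directory entry, so the bytes stay readable in the released blocks, contrasted with overwriting the blocks before releasing them. The ToyStore class, its block size and the sample record are all constructed for this illustration.

```python
# Added illustration: why "unlink = drop the directory entry" leaves tenant data
# on storage that is later reused, and how overwrite-before-release closes the gap.
import os
from typing import Dict, List, Tuple

BLOCK = 16  # constructed toy block size in bytes


class ToyStore:
    """Flat byte array standing in for shared storage, plus a directory."""

    def __init__(self, nblocks: int) -> None:
        self.disk = bytearray(BLOCK * nblocks)
        self.free: List[int] = list(range(nblocks))
        self.dir: Dict[str, List[int]] = {}  # file name -> block numbers

    def write(self, name: str, data: bytes) -> None:
        blocks = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            self.disk[b * BLOCK:(b + 1) * BLOCK] = chunk
            blocks.append(b)
        self.dir[name] = blocks

    def unlink(self, name: str) -> None:
        # Naive erase, as in most OSs: drop the entry, return the blocks to the
        # free list, touch none of the bytes.
        self.free.extend(self.dir.pop(name))

    def secure_unlink(self, name: str) -> None:
        # Overwrite the blocks with random bytes before releasing them.
        for b in self.dir[name]:
            self.disk[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
        self.unlink(name)

    def raw_scan(self, needle: bytes) -> bool:
        # What the next tenant of these blocks (or a recovery tool) can see.
        return needle in bytes(self.disk)


def demo() -> Tuple[bool, bool]:
    """Returns (record recoverable after unlink, recoverable after secure_unlink)."""
    record = b"tenant-A: patient record 0042"  # constructed sample data
    naive = ToyStore(4); naive.write("rec.txt", record); naive.unlink("rec.txt")
    safe = ToyStore(4); safe.write("rec.txt", record); safe.secure_unlink("rec.txt")
    return naive.raw_scan(record), safe.raw_scan(record)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In a real cloud the equivalent control is the CSP's storage sanitization (overwrite or crypto-shredding) on block release, which the customer should require contractually and verify rather than assume.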
Cloud computing brings several new risks from a legal perspective.
These risks can be grouped broadly into data protection, jurisdiction, law enforcement, and licensing.
- Data protection: Cloud customers may have legal requirements about the way that they protect data—in particular, PII. The controls and actions of the CSP may not be sufficient for the customer.
- Jurisdiction: CSPs may have data storage locations in multiple jurisdictions, which can affect other risks and their controls.
- Law enforcement: As a result of law enforcement or civil legal activity, it may be required to hand over data to authorities. The essential cloud characteristic of shared resources may make this process hard to do and may result in exposure risks to other tenants.
- Licensing: Finally, when customers want to move existing software into a cloud environment, any licensing agreements on that software might make this legally impossible or prohibitively expensive. An example could be licensing fees that are tied to the deployment of software based on a per-CPU licensing model.
Of course, most IT risks still play out in the cloud environment as well: natural disasters, unauthorized facility access, social engineering, network attacks on the consumer and on the provider side, default passwords, and other malicious or nonmalicious actions.
Cloud Attack Vectors
Beyond the new technology and governance risks, cloud computing brings additional attack vectors that need to be considered.
Cloud computing uses new technology such as virtualization, federated identity management, and automation through a management interface, and it introduces external service providers.
New attack vectors in Cloud Computing
- Guest breakout
- Identity compromise, either technical or social (for example, through employees of the provider)
- API compromise, such as by leaking API credentials
- Attacks on the provider’s infrastructure and facilities (for example, from a third-party administrator that may be hosting with the provider)
- Attacks on the connecting infrastructure (cloud carrier)