Cloud security risks are a main concept. Whether run in the platform as a service (PaaS) or infrastructure as a service (IaaS) deployment model, applications running in a cloud environment may not enjoy the same security controls surrounding them as applications that run in a traditional data center environment.
This makes the need for an application risk management program more critical than ever.
Applications that run in a PaaS environment may need security controls baked into them.
For example, encryption may need to be programmed into applications, and logging may be difficult depending on what the cloud service provider can offer your organization.
Application isolation is another component that must be addressed in a cloud environment.
You must take steps to ensure that one application cannot access other applications on the platform unless it’s allowed access through a control.
The Cloud Security Alliance’s Top Threats Working Group has published The Notorious Nine: Cloud Computing Top Threats in 2013.
Top 9 Cloud security risks
Data breaches: If a multitenant cloud service database is not properly designed, a flaw in one client’s application can allow an attacker access not only to that client’s data but to every other client’s data as well.
Data loss: Any accidental deletion by the CSP, or worse, a physical catastrophe such as a fire or earthquake, can lead to the permanent loss of customers’ data unless the provider takes adequate measures to back it up.
Furthermore, the burden of avoiding data loss does not fall solely on the provider’s shoulders.
If a customer encrypts his data before uploading it to the cloud but loses the encryption key, the data is still lost.
Account hijacking: If attackers gain access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites.
Your account or service instances may become a new base for the attacker.
Insecure APIs: Cloud computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services.
Provisioning, management, orchestration, and monitoring are all performed using these interfaces.
The security and availability of general cloud services are dependent on the security of these basic APIs.
From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy.
Denial of service (DoS): By forcing the victim cloud service to consume inordinate amounts of finite system resources such as processor power, memory, disk space, and network bandwidth, the attacker causes an intolerable system slowdown.
Malicious insiders: The European Organization for Nuclear Research (CERN) defines an insider threat as a current or former employee, contractor, or another business partner who has or had authorized access to an organization’s network, system, and data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
Abuse of cloud services: It might take an attacker years to crack an encryption key using his limited hardware, but using an array of cloud servers, he might be able to crack it in minutes.
Alternatively, he might use that array of cloud servers to stage a distributed denial-of-service (DDoS) attack, serve malware, or distribute pirated software.
Insufficient due diligence: Too many enterprises jump into the cloud without understanding the full scope of the undertaking.
Without a complete understanding of the CSP environment, applications, or services being pushed to the cloud, and operational responsibilities such as incident response, encryption, and security monitoring, organizations are taking on unknown levels of risk in ways they may not even comprehend but that are a far departure from their current cloud security risks.
Shared technology issues: Whether it’s the underlying components that make up this infrastructure (central processing unit [CPU] caches, graphics processing units [GPUs], and so on) that were not designed to offer strong isolation properties for a multitenant architecture (IaaS), deployable platforms (PaaS), or multi-customer applications (SaaS), the threat of shared vulnerabilities exists in all delivery models.
A defense-in-depth strategy is recommended and should include computing, storage, network, application, and user security enforcement, and monitoring, whether the service model is IaaS, PaaS, or SaaS.
The key is that a single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud.
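The data breaches item above turns on how a shared, multitenant database is designed. The following is an added example, not code from the original page: it contrasts a lookup that filters only on a record id with one that binds every query to the authenticated tenant, and includes an isolation check that can run as a regression test. The `invoices` table, tenant names, and all function names are hypothetical, and the rows are constructed sample data.

```python
import sqlite3

def build_db():
    """Constructed sample data: two tenants sharing one table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices ("
               "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, "acme", "acme invoice"), (2, "globex", "globex invoice")])
    return db

def get_invoice_unscoped(db, invoice_id):
    """Weak design: the only predicate is the caller-supplied record id."""
    row = db.execute("SELECT body FROM invoices WHERE id = ?",
                     (invoice_id,)).fetchone()
    return row[0] if row else None

class TenantScope:
    """Hardened design: the tenant is bound once, from the authenticated
    session, and every query carries it as a predicate."""
    def __init__(self, db, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._db, self._tenant = db, tenant_id

    def get_invoice(self, invoice_id):
        row = self._db.execute(
            "SELECT body FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self._tenant)).fetchone()
        return row[0] if row else None

def cross_tenant_leaks(db, fetch):
    """Isolation check: call fetch(tenant, id) for every row the tenant does
    not own and return the (tenant, id) pairs that came back with data."""
    rows = db.execute("SELECT id, tenant_id FROM invoices").fetchall()
    tenants = {owner for _, owner in rows}
    return sorted((t, i) for t in tenants for i, owner in rows
                  if owner != t and fetch(t, i) is not None)

if __name__ == "__main__":
    db = build_db()
    print("unscoped:", cross_tenant_leaks(
        db, lambda t, i: get_invoice_unscoped(db, i)))
    print("scoped:  ", cross_tenant_leaks(
        db, lambda t, i: TenantScope(db, t).get_invoice(i)))
```

Running the same check against the real data-access layer in CI catches a query that loses its tenant predicate before it reaches production.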