Be cloud conscious

The top seven security threats to cloud computing identified.

By Clive Brindley, solution architect and pre-sales manager within the BTO business unit at HP Software + Solutions SA.
Johannesburg, 08 Jul 2010

Before getting too excited about the flexibility and cost savings offered by cloud computing, companies should consider its not-so-silver lining: data security risk. Cloud service providers host multiple tenants who access a single instance of an application, which passes economies of scale to the customer.

However, this type of computing architecture moves data outside the safety of a company's own firewall and puts it within close proximity to other tenants' data, introducing some key risks.

The Cloud Security Alliance (CSA) recently issued a report, underwritten by HP, that identifies the top seven security threats of cloud computing and how to address them. The cloud is rapidly evolving, so these threats will probably expand or change going forward:

1. Cyber crooks never sleep
Cyber criminals are always one step ahead of the latest Internet innovation - and cloud computing is no exception. The threat lies in a cyber criminal's ability to infiltrate cloud providers' networks and run botnets that can wreak havoc within a cloud service. The risk is that users do not know who their neighbour might be, and how those attack vectors might be changing.

Recommended solutions:
* Stricter registration and validation processes for cloud tenants.
* Enhanced credit card fraud monitoring.
* Monitoring public blacklists for one's own network blocks.
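The blacklist-monitoring item above can be automated. This is an added example, not part of the original article or the CSA report: it builds the conventional DNS blacklist query name for each IPv4 address in a block and reports the addresses that are listed. The zone `dnsbl.example`, the function names and the sample data are assumptions made for illustration.

```python
import ipaddress
import socket

# Assumption: placeholder zone; substitute the DNS blacklist your team monitors.
DNSBL_ZONE = "dnsbl.example"
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the lookup name: IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(str(ip))).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Resolve an A record; return None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def listed_addresses(cidr, zone=DNSBL_ZONE, resolver=system_resolver, max_hosts=1024):
    """Return {ip: answer} for every address in cidr that the zone lists."""
    network = ipaddress.ip_network(cidr, strict=True)
    if network.version != 4:
        raise ValueError("this example handles IPv4 blocks only")
    if network.num_addresses > max_hosts:
        raise ValueError("block too large; split it or raise max_hosts")
    hits = {}
    for ip in network:
        answer = resolver(dnsbl_query_name(ip, zone))
        # DNS blacklists conventionally answer in 127.0.0.0/8 for a listed address.
        if answer and ipaddress.ip_address(answer) in LISTED_RANGE:
            hits[str(ip)] = answer
    return hits


# Constructed sample data: a fake resolver standing in for DNS, so this runs offline.
SAMPLE_ZONE_DATA = {"5.2.0.192.dnsbl.example": "127.0.0.2"}


def sample_resolver(name):
    return SAMPLE_ZONE_DATA.get(name)


if __name__ == "__main__":
    # 192.0.2.0/29 is documentation address space (RFC 5737).
    for ip, code in listed_addresses("192.0.2.0/29", resolver=sample_resolver).items():
        print(f"{ip} is listed (answer {code})")
```

Run on a schedule against each owned block, a non-empty result is the signal to investigate which tenant or host caused the listing.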

2. It is 3am - do you know where your APIs are?
Cloud providers will make a set of application programming interfaces (APIs) available to companies, which they will use to manage and interact with cloud services. If that service, that API, is not secured, the company may be sending data in the clear, meaning that the data is ripe for the picking by those who know how.

Recommended solutions:
* Analyse the security model of cloud provider interfaces.
* Ensure that strong authentication and access controls are implemented along with encrypted transmission.
* Understand the dependency chain associated with the API.

3. Don't always trust the cloud provider's employees
There is no uniform level of assurance or background checks among cloud providers, nor is there often much visibility into hiring standards or practices. Until that changes, companies can protect themselves by:
* Enforcing strict supply-chain management and conducting a comprehensive supplier assessment.
* Specifying human resource requirements as part of legal contracts.
* Requiring transparency into overall information security and management practices, as well as compliance reporting.
* Defining security-breach notification processes.

4. Shared technologies mean shared risk
The most common and best example of shared technologies used in cloud computing is virtualisation. Virtualisation allows multiple companies, such as a cloud provider's customers, to share assets and applications across a single piece of hardware - a system that mirrors the concept of cloud computing itself.

Unfortunately, it is yet another way data can get into the wrong hands.

Companies can mitigate this threat by:
* Implementing security best practices for installation/configuration.
* Monitoring the environment for unauthorised changes/activity.
* Promoting strong authentication and access control.
* Enforcing service level agreements (SLAs) for patching and vulnerability remediation.
* Conducting vulnerability scanning and configuration audits.

5. Not backing up is not an option
When data is not backed up, it gets lost, plain and simple. Sending data to the cloud makes it harder to guarantee that it is being backed up. A related risk is data leakage, whereby data that is not secured gets into the wrong hands.

To help mitigate the threat of data loss and/or leakage, companies can:
* Implement strong API access control.
* Encrypt and protect integrity of data in transit.
* Analyse data protection at both design and run time.
* Implement strong key generation, storage, management and destruction practices.
* Contractually demand providers wipe persistent media before it is released into the pool.
* Contractually specify provider backup and retention strategies.

6. Identity theft - it's not just a consumer problem
The CSA calls this threat “account or service hijacking”. It is better known as phishing, in which someone poses as a company's account with a cloud provider and, in so doing, steals information and shares it with a malicious party.

To lessen this risk, companies can:
* Prohibit the sharing of account credentials between users and services.
* Use strong two-factor authentication techniques.
* Employ proactive monitoring to detect unauthorised activity.
* Understand cloud provider security policies and SLAs.

7. You do not know what you do not know
The seventh threat is the vast, unknowable risk of threats that may not become crystal-clear until cloud computing goes mainstream, if ever.

Some companies internally tout the business benefits of moving to the cloud without clarifying the risks.

These unknown risks lessen with:
* Disclosure of applicable logs and data.
* Disclosure of infrastructure details (eg, patch levels, firewalls, etc).
* Beefed-up monitoring and alerting.
