Cloud // Infrastructure as a Service
News
3/3/2014
10:25 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

9 Worst Cloud Security Threats

Leading cloud security group lists the "Notorious Nine" top threats to cloud computing in 2013; most are already known but defy 100% solution.

Shadow IT is a great thing until it runs into the security of cloud computing. All too often line-of-business users are establishing applications and moving data into the cloud without understanding all the security implications.

The Cloud Security Alliance has put together a list of the nine most prevalent and serious security threats in cloud computing. Many of them relate in one way or another to the weaknesses implicit in Shadow IT.

The alliance bills its list as the "Notorious Nine: Cloud Computing Threats in 2013." The CSA itself was formed in 2008 on the heels of the Information Systems Security Association CISO Forum in Las Vegas. Jim Reavis, a well-known security researcher and author, issued a call for action to secure the cloud at the event, leading to the founding of the organization.

The report was released in February and was composed by a group within the alliance, including co-chairs Rafal Los of HP, Dave Shackleford of Voodoo Security, and Bryan Sullivan of Microsoft. They were assisted by staff members Luciano Santos, research director; Evan Scoboria, webmaster; Kendall Scoboria, graphic designer; Alex Ginsburg, copywriter; and John Yeoh, research analyst.

Here are the CSA's biggest concerns.

1. Data Breaches
The data breach at Target, resulting in the loss of personal and credit card information of up to 110 million individuals, was one of a series of startling thefts that took place during the normal processing and storage of data. "Cloud computing introduces significant new avenues of attack," said the CSA report authors. The absolute security of hypervisor operation and virtual machine operations is still to be proved. Indeed, critics question whether such absolute security can exist. The report's writers said there's lab evidence -- though none known in the wild -- that breaches via hypervisors and virtual machines may occur eventually.

Researchers at the University of Wisconsin, security software firm RSA, and the University of North Carolina cited evidencein November 2012 that it's possible for a user on one virtual machine to listen for activity that signals the arrival of an encryption key on another VM on the same host. It's called the "side channel timing exposure," as was previously reported by InformationWeek.

"It's every CIO's worst nightmare: the organization's sensitive internal data falls into the hands of their competitors," the report said.

[Want to learn more about how cloud security needs to be structured? See Cloud Security Needs More Layers: HyTrust.]

So far, the largest breaches haven't involved any such advanced techniques, which remain for the most part lab experiments. But the possibility still acts as a brake on what is looking like broad enterprise adoption of cloud computing. Clouds represent concentrations of corporate applications and data, and if any intruder penetrated far enough, who knows how many sensitive pieces of information will be exposed. "If a multitenant cloud service database is not properly designed, a flaw in one client's application could allow an attacker access not only to that client's data, but every other client's data as well," the report concluded.

"Unfortunately, while data loss and data leakage are both serious threats to cloud computing, the measures you put in place to mitigate one of these threats can exacerbate the other," the report said. Encryption protects data at rest, but lose the encryption key and you've lost the data. The cloud routinely makes copies of data to prevent its loss due to an unexpected die off of a server. The more copies, the more exposure you have to breaches.

2. Data Loss
A data breach is the result of a malicious and probably intrusive action. Data loss may occur when a disk drive dies without its owner having created a backup. It occurs when the owner of encrypted data loses the key that unlocks it. Small amounts of data were lost for some Amazon Web Service customers as its EC2 cloud suffered "a remirroring storm" due to human operator error on Easter weekend in 2011. And a data loss could occur intentionally in the event of a malicious attack.

The alliance cited the case of Mat Honan, a writer for Wired magazine, who in the summer of 2012 found an intruder had broken into his Gmail, Twitter, and Apple accounts and deleted all the baby pictures of his 18-month old daughter.

"For both consumers and businesses, the prospect of permanently losing one's data is terrifying," the report acknowledged. There are many techniques to prevent data loss. They occur anyway.

3. Account Or Service Traffic Hijacking
Account hijacking sounds too elementary to be a concern in the cloud, but CSA says it is a problem. Phishing, exploitation of software vulnerabilities such as buffer overflow attacks, and loss of passwords and credentials can all lead to the loss of control over a user account. An intruder with control over a user account can eavesdrop on transactions, manipulate data, provide false and business-damaging responses to customers, and redirect customers to a competitor's site or inappropriate sites.

If your account in the cloud is hijacked, it can be used as a base by an attacker to use the power of your reputation to enhance himself at your expense. The CSA said Amazon.com's wireless retail site experienced a cross-site scripting attack in April 2010 that allowed the attackers to hijack customer credentials as they came to the site. In 2009, it said, "numerous Amazon systems were hijacked to run Zeus botnet nodes." The report doesn't detail what the nodes did, but they were known in 2007 for putting malware on the US Department of Transportation website and in 2009 for putting malware on NASA's and the Bank of America's sites. The compromised EC2 nodes were detected by security firm Prevx, which notified Amazon and they were promptly shutdown.

If credentials are stolen, the wrong party has access to an individual's accounts and systems. A service hijacking lets an intruder into critical areas of a deployed service with the possibility of "compromising the confidentiality, integrity, and availability" of those services, the report said.

The alliance offers tips on how to practice defense in depth against such hijackings, but the must-do points are to prohibit the sharing of account credentials between users, including trusted business partners; and to implement strong two-factor authentication techniques "where possible."

4. Insecure APIs
The cloud era has brought about the contradiction of trying to make services available to millions while limiting any damage all these largely anonymous users might do to the service. The answer has been a public facing application programming interface, or API, that defines how a third party connects an application to the service and providing verification that the third party producing the application is who he says he is.

Leading web developers, including ones from Twitter and Google, collaborated on specifying OAuth, an open authorization service for web services that controls third party access. OAuth became an Internet Engineering Task Force standard in 2010 and Version 2.0 is used for at least some services by

Charles Babcock is an editor-at-large for InformationWeek, having joined the publication in 2003. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive Week. He is a graduate of Syracuse ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MDKDPRA
50%
50%
MDKDPRA,
User Rank: Apprentice
7/25/2014 | 8:13:23 AM
Documentation of compliance with security guidlines and risk mitigation is needed from Cloud providers
Companies are often contractually obligated to protect a client's data and have a very real interest in protecting IP. If one or more Cloud providers are to be a part of a solution, they must be willing to provide actual and sound documentation on how their systems and practices meet stringent security guidelines. 

 

The same standards that must be met if a cloud provider is not a part of a solution must also be met if a cloud provider is a part of the solution.  Providers must prove and document compliance with standards such as HIPAA compliance or DoD STIGs.

Systems that only read/write keys to clouds and keep actual data on private servers still face an elevated risk.  Before making a cloud provider, Azure, amazon, Google and others an integral part of a solution, make sure that this will be a solution with enough security to cover your liability and contractual obligations to your clients.

Sweat the details on risk mitigation and ask the tough questions. 

Data breaches are almost a mainstay of the weekly news.  A significant and painful cyber event will be required before people take this seriously.

 

 

 

 
DonT733
50%
50%
DonT733,
User Rank: Apprentice
3/31/2014 | 7:23:55 PM
API Troubles: Unless one hits the developer in the wallet, security is not baked in by design and default.
The majority of SSL security vulnerabilities came from firms not correctly implementing the standard.   Odds on the thought that went into the API is much greater than the application uses of the API.  

There is no compliance check for API or OAuth tools.  So, the buyer cannot beware, the true costs is not paid by the development team tempted to use fly by night short cuts.  The team that does not do right can afford a better price for its wares.  

 

 
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
3/3/2014 | 9:50:12 PM
Public facing APIs a new software art
Public facing APIs for many companies are a new software experience, one they want to optimize for performance. We're still learning how to craft them and what can go wrong. It's clear too many checks on what's happening interferes with performance. The cost of too few -- that's less clear.
danielcawrey
50%
50%
danielcawrey,
User Rank: Ninja
3/3/2014 | 2:49:13 PM
Re: VM snoops
I think that we all hope API providers are doing their best to protect from hackers. But many of them are not supported by larger organizations. Sure, Google and Dropbox probably do a pretty good job in sealing up problematic holes.

But smaller companies don't have the resources to do that as effectively. That's a big concern and one of the reasons that now the cloud is maturing it will make it harder for cloud startups to gain a foothold into larger organizations.

Except, of course, for shadow IT. 
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
3/3/2014 | 1:08:53 PM
Is side channel snooping really possible?
If side channel eaves dropping is possible, Laurie, there's no current in-place protections. It's only been done in the lab and some researchers say the initial group's findings are not repeatable. Nevertheless, I do not rule out the possibility it could occur. One VM listens for the physical activity that signals a virtual machine waking up to incoming traffic. If the neighbor can identify the target virtual machine -- a big if, once Amazon stopped numbering them in a predictable sequence -- then it listens for a keystroke pattern that might tell it the sequence of the first data in, the encryption key. Offhand, I would say this is nonsense, you can't accomplish all that. But stranger things have happened, One protection, not in place yet: send one or two initial false pulses of data, resembling a key, followed by the actual key. I think the idea is, by repeated listening to the sequence, a knowledgeable observer might piece together the key from the keystroke pattern. If so, that's a big exposure.
jagibbons
50%
50%
jagibbons,
User Rank: Ninja
3/3/2014 | 11:53:36 AM
Re: VM snoops
While these are, perhaps, heightened in the cloud, many of these exist in non-cloud environments. Awareness and due diligence are critical to help make one's environment as safe as it can be. Even then, there's no guarantees.
Laurianne
50%
50%
Laurianne,
User Rank: Author
3/3/2014 | 11:17:00 AM
VM snoops
Charlie, re. the VM "side channel timing exposure," no one has reported this happening in the wild yet, right? Just in the lab? How does one protect against it?
Multicloud Infrastructure & Application Management
Multicloud Infrastructure & Application Management
Enterprise cloud adoption has evolved to the point where hybrid public/private cloud designs and use of multiple providers is common. Who among us has mastered provisioning resources in different clouds; allocating the right resources to each application; assigning applications to the "best" cloud provider based on performance or reliability requirements.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek - September 2, 2014
Avoiding audits and vendor fines isn't enough. Take control of licensing to exact deeper software discounts and match purchasing to actual employee needs.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
In in-depth look at InformationWeek's top stories for the preceding week.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.