9 Worst Cloud Security Threats

Leading cloud security group lists the "Notorious Nine" top threats to cloud computing in 2013; most are already known but defy 100% solution.

User Rank: Apprentice
7/25/2014 | 8:13:23 AM
Documentation of compliance with security guidelines and risk mitigation is needed from Cloud providers
Companies are often contractually obligated to protect a client's data and have a very real interest in protecting IP. If one or more Cloud providers are to be a part of a solution, they must be willing to provide actual and sound documentation on how their systems and practices meet stringent security guidelines.

The same standards that must be met if a cloud provider is not a part of a solution must also be met if a cloud provider is a part of the solution. Providers must prove and document compliance with standards such as HIPAA or DoD STIGs.

Systems that only read/write keys to clouds and keep actual data on private servers still face an elevated risk. Before making a cloud provider (Azure, Amazon, Google or others) an integral part of a solution, make sure that this will be a solution with enough security to cover your liability and contractual obligations to your clients.

Sweat the details on risk mitigation and ask the tough questions.

Data breaches are almost a mainstay of the weekly news. A significant and painful cyber event will be required before people take this seriously.

User Rank: Apprentice
3/31/2014 | 7:23:55 PM
API Troubles: Unless one hits the developer in the wallet, security is not baked in by design and default.
The majority of SSL security vulnerabilities came from firms not correctly implementing the standard. Odds are, the thought that went into the API is much greater than the thought that went into the application's use of the API.

There is no compliance check for API or OAuth tools. So the buyer cannot beware; the true cost is not paid by the development team tempted to use fly-by-night shortcuts. The team that does not do right can afford a better price for its wares.

Charlie Babcock,
User Rank: Author
3/3/2014 | 9:50:12 PM
Public-facing APIs a new software art
Public-facing APIs for many companies are a new software experience, one they want to optimize for performance. We're still learning how to craft them and what can go wrong. It's clear that too many checks on what's happening interfere with performance. The cost of too few -- that's less clear.
User Rank: Ninja
3/3/2014 | 2:49:13 PM
Re: VM snoops
I think that we all hope API providers are doing their best to protect from hackers. But many of them are not supported by larger organizations. Sure, Google and Dropbox probably do a pretty good job in sealing up problematic holes.

But smaller companies don't have the resources to do that as effectively. That's a big concern and one of the reasons that, now that the cloud is maturing, it will be harder for cloud startups to gain a foothold in larger organizations.

Except, of course, for shadow IT.
Charlie Babcock,
User Rank: Author
3/3/2014 | 1:08:53 PM
Is side channel snooping really possible?
If side channel eavesdropping is possible, Laurie, there are no current in-place protections. It's only been done in the lab, and some researchers say the initial group's findings are not repeatable. Nevertheless, I do not rule out the possibility it could occur. One VM listens for the physical activity that signals a virtual machine waking up to incoming traffic. If the neighbor can identify the target virtual machine -- a big if, once Amazon stopped numbering them in a predictable sequence -- then it listens for a keystroke pattern that might tell it the sequence of the first data in, the encryption key. Offhand, I would say this is nonsense, you can't accomplish all that. But stranger things have happened. One protection, not in place yet: send one or two initial false pulses of data, resembling a key, followed by the actual key. I think the idea is, by repeated listening to the sequence, a knowledgeable observer might piece together the key from the keystroke pattern. If so, that's a big exposure.
User Rank: Ninja
3/3/2014 | 11:53:36 AM
Re: VM snoops
While these are, perhaps, heightened in the cloud, many of these exist in non-cloud environments. Awareness and due diligence are critical to help make one's environment as safe as it can be. Even then, there are no guarantees.
User Rank: Author
3/3/2014 | 11:17:00 AM
VM snoops
Charlie, re. the VM "side channel timing exposure," no one has reported this happening in the wild yet, right? Just in the lab? How does one protect against it?