Cloud // Infrastructure as a Service
News
3/3/2014
10:25 AM

9 Worst Cloud Security Threats

Leading cloud security group lists the "Notorious Nine" top threats to cloud computing in 2013; most are already known but defy 100% solution.

Twitter, Google, Facebook, and Microsoft. But security experts warn that there is no perfectly secure public API, and OAuth, despite its protections and controls, is subject to breach. Implementation of OAuth-supporting APIs by third party developers can be flawed as well.

"From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy," the report said. Such policies prevent unauthorized users from reaching parts of applications that are not part of the public service, or restrict users to operations that match their privilege level. But layers are added to APIs to reach value-added services, and the increasing complexity adds to the possibility that some exposure exists. Security-conscious APIs offer many protections, but lapses in OAuth use and other API implementations are bound to occur.

"Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability," the report said.
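A deny-by-default authorization check of the kind the report calls for, as an added example that is not code from the CSA report or from this article; the endpoint table, scope names, token fields and the audit list are assumptions for illustration. An endpoint that is added without a policy entry (the "accidental" lapse) is rejected rather than silently allowed.

```python
from dataclasses import dataclass

# Assumed policy table: the privilege (OAuth scope) each operation requires.
# Anything not listed is refused, so a new endpoint that nobody registered
# fails closed instead of open.
REQUIRED_SCOPE = {
    ("GET", "/v1/profile"): "profile:read",
    ("PUT", "/v1/profile"): "profile:write",
    ("GET", "/v1/admin/users"): "admin",
}

# Denials recorded for activity monitoring (assumed, in-memory for the demo).
DENIALS = []


@dataclass(frozen=True)
class Token:
    """Simplified view of an already-validated OAuth access token."""
    subject: str
    scopes: frozenset
    expires_at: int  # seconds since the epoch


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(token, method, path, now):
    """Return a Decision for one request; every failure path is explicit."""
    decision = None
    if token is None:
        decision = Decision(False, "no token")
    elif token.expires_at <= now:
        decision = Decision(False, "token expired")
    else:
        required = REQUIRED_SCOPE.get((method, path))
        if required is None:
            decision = Decision(False, "no policy for endpoint")
        elif required not in token.scopes:
            decision = Decision(False, f"missing scope {required}")
        else:
            decision = Decision(True, "ok")
    if not decision.allowed:
        subject = token.subject if token else "<anonymous>"
        DENIALS.append((subject, method, path, decision.reason))
    return decision


def denials_for(subject):
    """Audit helper: how many times a subject was refused (for monitoring)."""
    return sum(1 for d in DENIALS if d[0] == subject)
```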

5. Denial Of Service
Denial of service attacks are an old disrupter of online operations, but they remain a threat nevertheless. The assault by hundreds of thousands or millions of automated requests for service has to be detected and screened out before it ties up operations, but attackers have improvised increasingly sophisticated and distributed ways of conducting the assault, making it harder to detect which parts of the incoming traffic are the bad actors versus legitimate users.

For cloud customers, "experiencing a denial-of-service attack is like being caught in rush-hour traffic gridlock: there's no way to get to your destination, and nothing you can do about it except sit and wait," according to the report. When a denial-of-service attack hits a customer's service in the cloud, it may impair the service without shutting it down, in which case the customer will be billed by the cloud provider for all the resources consumed during the attack.

Persistent denial of service attacks may make it "too expensive for you to run [your service] and you'll be forced to take it down yourself," the report said.

6. Malicious Insiders
With the Edward Snowden case and NSA revelations in the headlines, malicious insiders might seem to be a common threat. If one exists inside a large cloud organization, the hazards are magnified. One tactic cloud customers should use to protect themselves is to keep their encryption keys on their own premises, not in the cloud.

"If the keys are not kept with the customer and are only available at data-usage time, the system is still vulnerable to malicious insider attack." Systems that depend "solely on the cloud service provider for security are at great risk" from a malicious insider, the report said.

7. Abuse Of Cloud Services
Cloud computing brings large-scale, elastic services to enterprise users and hackers alike. "It might take an attacker years to crack an encryption key using his own limited hardware. But using an array of cloud servers, he might be able to crack it in minutes," the report noted. Or hackers might use cloud servers to serve malware, launch DDoS attacks, or distribute pirated software.

Responsibility for use of cloud services rests with service providers, but how will they detect inappropriate uses? Do they have clear definitions of what constitutes abuse? How will it be prevented in the future if it occurs once? The report left resolution of the issue up in the air. But clearly, cloud customers will need to assess service provider behavior to see how effectively they respond.

8. Insufficient Due Diligence
"Too many enterprises jump into the cloud without understanding the full scope of the undertaking," said the report. Without an understanding of the service providers' environment and protections, customers don't know what to expect in the way of incident response, encryption use, and security monitoring. Not knowing these factors means "organizations are taking on unknown levels of risk in ways they may not even comprehend, but that are a far departure from their current risks," wrote the authors.

Chances are, expectations will be mismatched between customer and service. What are contractual obligations for each party? How will liability be divided? How much transparency can a customer expect from the provider in the face of an incident?

Enterprises may push applications that have internal on-premises network security controls into the cloud, where those network security controls don't work. If enterprise architects don't understand the cloud environment, their application designs may not function with proper security when they're run in a cloud setting, the report warned.

9. Shared Technology
In a multi-tenant environment, the compromise of a single component, such as the hypervisor, "exposes more than just the compromised customer; rather, it exposes the entire environment to a potential of compromise and breach," the report said. The same could be said of other shared services, including CPU caches, a shared database service, or shared storage.

The cloud is about shared infrastructure, and a misconfigured operating system or application can lead to compromises beyond its immediate surroundings. In a shared infrastructure, the CSA recommends a defense-in-depth strategy. Defenses should apply to the use of compute, storage, networking, applications, and user access. Monitoring should watch for destructive moves and behaviors.


Charles Babcock is an editor-at-large for InformationWeek, having joined the publication in 2003. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive Week. He is a graduate of Syracuse ...

Comments
MDKDPRA
User Rank: Apprentice
7/25/2014 | 8:13:23 AM
Documentation of compliance with security guidelines and risk mitigation is needed from Cloud providers
Companies are often contractually obligated to protect a client's data and have a very real interest in protecting IP. If one or more Cloud providers are to be a part of a solution, they must be willing to provide actual and sound documentation on how their systems and practices meet stringent security guidelines. 
The same standards that must be met if a cloud provider is not a part of a solution must also be met if a cloud provider is a part of the solution.  Providers must prove and document compliance with standards such as HIPAA compliance or DoD STIGs.

Systems that only read/write keys to clouds and keep actual data on private servers still face an elevated risk. Before making a cloud provider (Azure, Amazon, Google and others) an integral part of a solution, make sure that this will be a solution with enough security to cover your liability and contractual obligations to your clients.

Sweat the details on risk mitigation and ask the tough questions. 

Data breaches are almost a mainstay of the weekly news.  A significant and painful cyber event will be required before people take this seriously.

DonT733
User Rank: Apprentice
3/31/2014 | 7:23:55 PM
API Troubles: Unless one hits the developer in the wallet, security is not baked in by design and default.
The majority of SSL security vulnerabilities came from firms not correctly implementing the standard. Odds on, the thought that went into the API is much greater than that put into the application uses of the API.

There is no compliance check for API or OAuth tools. So, the buyer cannot beware; the true cost is not paid by the development team tempted to use fly-by-night shortcuts. The team that does not do right can afford a better price for its wares.

Charlie Babcock
User Rank: Author
3/3/2014 | 9:50:12 PM
Public facing APIs a new software art
Public facing APIs for many companies are a new software experience, one they want to optimize for performance. We're still learning how to craft them and what can go wrong. It's clear too many checks on what's happening interfere with performance. The cost of too few -- that's less clear.
danielcawrey
User Rank: Ninja
3/3/2014 | 2:49:13 PM
Re: VM snoops
I think that we all hope API providers are doing their best to protect from hackers. But many of them are not supported by larger organizations. Sure, Google and Dropbox probably do a pretty good job in sealing up problematic holes.

But smaller companies don't have the resources to do that as effectively. That's a big concern and one of the reasons that now the cloud is maturing it will make it harder for cloud startups to gain a foothold into larger organizations.

Except, of course, for shadow IT. 
Charlie Babcock
User Rank: Author
3/3/2014 | 1:08:53 PM
Is side channel snooping really possible?
If side channel eavesdropping is possible, Laurie, there are no current in-place protections. It's only been done in the lab and some researchers say the initial group's findings are not repeatable. Nevertheless, I do not rule out the possibility it could occur. One VM listens for the physical activity that signals a virtual machine waking up to incoming traffic. If the neighbor can identify the target virtual machine -- a big if, once Amazon stopped numbering them in a predictable sequence -- then it listens for a keystroke pattern that might tell it the sequence of the first data in, the encryption key. Offhand, I would say this is nonsense, you can't accomplish all that. But stranger things have happened. One protection, not in place yet: send one or two initial false pulses of data, resembling a key, followed by the actual key. I think the idea is, by repeated listening to the sequence, a knowledgeable observer might piece together the key from the keystroke pattern. If so, that's a big exposure.
jagibbons
User Rank: Ninja
3/3/2014 | 11:53:36 AM
Re: VM snoops
While these are, perhaps, heightened in the cloud, many of these exist in non-cloud environments. Awareness and due diligence are critical to help make one's environment as safe as it can be. Even then, there are no guarantees.
Laurianne
User Rank: Author
3/3/2014 | 11:17:00 AM
VM snoops
Charlie, re. the VM "side channel timing exposure," no one has reported this happening in the wild yet, right? Just in the lab? How does one protect against it?