Most organizations now have some presence in the cloud, but data security remains a top concern, especially when business units acquire cloud services independent of the IT department. To help illustrate the problems such practices can create, the Cloud Security Alliance has compiled its list of “The Treacherous 12: Cloud Computing Top Threats in 2016.” (This slideshow originally appeared on INN sister brand Information Management.)

Data Breach

“The risk of data breach is not unique to cloud computing, but it consistently ranks as a top concern for cloud customers … Cloud providers are highly accessible and the vast amount of data they host makes them an attractive target.”

Weak Identity, Credential and Access Management

“Malicious actors masquerading as legitimate users, operators or developers can read/exfiltrate, modify and delete data; issue control plane and management functions; snoop on data in transit or release malicious software that appears to originate from a legitimate source.”

Insecure Interfaces and APIs

“APIs and UIs are generally the most exposed part of a system, perhaps the only asset with an IP address available outside the trusted organizational boundary. These assets will be the target of heavy attack, and adequate controls protecting them from the Internet are the first line of defense and detection.”

System and Application Vulnerability

“With the advent of multitenancy in cloud computing, systems from various organizations are placed in close proximity to each other, and given access to shared memory and resources, creating a new attack surface.”

Account Hijacking

“If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information and redirect your clients to illegitimate sites. Your account or service instances may become a new base for attackers.”

Malicious Insiders

“From IaaS to PaaS and SaaS, a malicious insider can have increasing levels of access to more critical systems and eventually to data. Systems that depend solely on the cloud service provider (CSP) for security are at greater risk here.”

Advanced Persistent Threats (APTs)

“Combating complex APTs may require more advanced security controls, process management, incident response plans and IT staff training, all of which can lead to increased security budgets. This cost should be weighed against the economic damage inflicted by successful APT attacks.”

Data Loss

“Cloud consumers should review the contracted data loss provisions, ask about the redundancy of a provider’s solution, and understand which entity is responsible for data loss and under what conditions.”

Insufficient Due Diligence

“An organization that rushes to adopt cloud technologies and choose CSPs without performing due diligence exposes itself to a myriad of commercial, financial, technical, legal and compliance risks that jeopardize its success.”

Abuse and Nefarious Use of Cloud Services

“Poorly secured cloud service deployments, free cloud service trials and fraudulent account sign-ups via payment instrument fraud expose cloud computing models such as IaaS, PaaS, and SaaS to malicious attacks.”

Denial of Service

“Asymmetric application-level DoS attacks take advantage of vulnerabilities in web servers, databases or other cloud resources, allowing a malicious individual to take out an application with a single extremely small attack payload—in some cases less than 100 bytes long.”

Shared Technology Issues

“A defense in depth strategy is recommended and should include compute, storage, network, application and user security enforcement and monitoring, whether the service model is IaaS, PaaS, or SaaS. The key is that a single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud.”