Most organizations now have some presence in the cloud, but data security remains a top concern, especially when business units acquire cloud services independent of the IT department. To help illustrate the problems such practices can create, the Cloud Security Alliance has compiled its list of The Treacherous 12: Cloud Computing Top Threats in 2016. (This slideshow originally appeared on INN sister brand Information Management.)
Data Breach
The risk of data breach is not unique to cloud computing, but it consistently ranks as a top concern for cloud customers. Cloud providers are highly accessible and the vast amount of data they host makes them an attractive target.
Weak Identity, Credential and Access Management
Malicious actors masquerading as legitimate users, operators or developers can read/exfiltrate, modify and delete data; issue control plane and management functions; snoop on data in transit or release malicious software that appears to originate from a legitimate source.
Insecure Interfaces and APIs
APIs and UIs are generally the most exposed part of a system, perhaps the only asset with an IP address available outside the trusted organizational boundary. These assets will be the target of heavy attack, and adequate controls protecting them from the Internet are the first line of defense and detection.
System and Application Vulnerability
With the advent of multitenancy in cloud computing, systems from various organizations are placed in close proximity to each other, and given access to shared memory and resources, creating a new attack surface.
Account Hijacking
If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information and redirect your clients to illegitimate sites. Your account or service instances may become a new base for attackers.
Malicious Insiders
From IaaS to PaaS and SaaS, a malicious insider can have increasing levels of access to more critical systems and eventually to data. Systems that depend solely on the cloud service provider (CSP) for security are at greater risk here.
Advanced Persistent Threats (APTs)
Combating complex APTs may require more advanced security controls, process management, incident response plans and IT staff training, all of which can lead to increased security budgets. This cost should be weighed against the economic damage inflicted by successful APT attacks.
Data Loss
Cloud consumers should review the contracted data loss provisions, ask about the redundancy of a provider's solution, and understand which entity is responsible for data loss and under what conditions.
Insufficient Due Diligence
An organization that rushes to adopt cloud technologies and choose CSPs without performing due diligence exposes itself to a myriad of commercial, financial, technical, legal and compliance risks that jeopardize its success.
Abuse and Nefarious Use of Cloud Services
Poorly secured cloud service deployments, free cloud service trials and fraudulent account sign-ups via payment instrument fraud expose cloud computing models such as IaaS, PaaS, and SaaS to malicious attacks.
Denial of Service
Asymmetric application-level DoS attacks take advantage of vulnerabilities in web servers, databases or other cloud resources, allowing a malicious individual to take out an application with a single extremely small attack payload, in some cases less than 100 bytes long.
Shared Technology Issues
A defense-in-depth strategy is recommended and should include compute, storage, network, application and user security enforcement and monitoring, whether the service model is IaaS, PaaS, or SaaS. The key is that a single vulnerability or misconfiguration can lead to a compromise across an entire provider's cloud.