The cloud-related threats of 2013 are still around today. “The Notorious Nine; Cloud Computing Top Threats in 2013” was published by the Cloud Security Alliance (CSA) and is updated regularly, according to the CSA website. This document is touted as a way to assist companies in making risk management decisions about their cloud strategies. As recently as February 2015, with the theft of data by an employee of a major lending institution, data security remains at the forefront of many businesses, and with the advent and use of cloud computing, organizations are perhaps even more aware of the need for security.
While cloud has allowed businesses to take advantage of more IT services and lowered IT costs while making businesses more flexible, data protection is the number one cloud concern. Remember that the cloud environment is essentially shared infrastructure with sophisticated “insiders” who are capable of viewing your company’s sensitive data if your company is without adequate internal controls and adequate protection by third-party providers.
The Notorious Nine
The CSA has identified cloud security threats as: 1) data breaches, 2) data loss, 3) account hijacking, 4) insecure APIs, 5) denial of service, 6) malicious insiders, 7) abuse of cloud services, 8) insufficient due diligence and 9) shared technology.
Data breaches remain the number one security threat on the CSA’s list. This is because of the shared tenancy of cloud servers. If a multi-tenant cloud service database has design flaws, one single flaw in any one client’s application could allow a malicious insider to gain access to every client’s data. Encryption seems to be the answer, but keeping the encryption key is the key, so to speak. If the key is lost, so are your data. This leads to the second greatest threat; data loss.
Data loss comes from many sources, but the main ones are the activities of a hacker and a natural disaster. This may be an unavoidable consequence from, say, a fire, but your company should perform a thorough check of the cloud service’s strategy for data loss (as well as your company’s own internal controls) before implementing a cloud service.
Account or Service Hijacking
The third security risk on the CSA list is account or service hijacking. If your account is hijacked, an attacker may gain access to your company’s credentials, can eavesdrop on activities and transactions, manipulate data, falsify information and return it or redirect your clients to illegitimate websites. One way to defend against this security risk is to prohibit sharing of account credentials between users and services and to have two-factor authentication techniques, according to the CSA.
Fourth on the list is insecure interfaces and APIs, which are integral to security. Some organizations and third parties build on these interfaces, introducing a whole new complexity of layers to the API. This increases risk as companies release credentials to these third parties, potentially exposing confidential information and risking the integrity of the system. Advice from the CSA is for companies to understand security implications.
Denial of Service
This security threat is number five on the CSA list, which centers around 24/7 availability of one or more services. Outages can cause an increase in prices, or hackers may succeed in causing your company to consume too much processing time and thus increase expense.
Although number six on the list, companies tend to be very concerned with this breach of data protection. The insider could be an employee (current or former), contractor or other person who gains access to your company’s system, network or data. Encryption is probably the best way to deter a malicious insider, as long as the key is kept away from the potential malicious insider(s).
This could mean different things, but prime examples are someone using the cloud to break encryption keys or using the servers to propagate malware.
Insufficient Due Diligence
It is imperative that your company fully understand the cloud environment with which you are thinking of dealing and its associated risks. Not only are contractual issues important, but also operational and architectural issues. Make sure the cloud service has sufficient resources for your company’s needs.
This security threat is one of vulnerability. This is simply because cloud service providers share infrastructure, platforms and applications. As a result, if something is compromised within the cloud service system, there is potential threat of breach. The CSA recommends as a defense coming up with an in-depth strategy including, for example, storage and constant monitoring, in the event a cloud problem is detected.
The Notorious Nine are still alive and well in cloud life, and defensive strategies should be implemented prior to moving your company’s data onto the cloud server. Included in your list of defensive strategies should be a thorough due diligence of both the cloud service controls and your company’s internal controls. The key is to take all steps to protect your company’s sensitive data, before you engage a cloud service.