Microsoft’s Azure CTO Mark Russinovich set out his top ten cloud risks in a 2014 presentation.
1. Shared technology vulnerabilities: The cloud risk
A vulnerability in publicly accessible software enables an attacker to puncture the cloud and expose data of other customers using the same service. Shared technology vulnerabilities can affect the security of enterprise datacentres too, but cloud services are at higher risk of exploitation because data from many customers makes them a rich target and cloud APIs are easier to access than enterprise APIs.
Cloud providers are countering these threats by automating software deployment and rolling out patches quickly and at scale.
2. Insufficient due-diligence and shadow IT
Many companies are side-stepping IT processes and storing data on the cloud – “shadow IT” – even as IT is designing management, auditing, forensics and access control systems for on-premises servers and applications.
Management must take responsibility for the risks this shadow IT exposes them to on the public cloud platform. They must determine how to enable business units while enforcing corporate governance and promoting responsible adoption.
3. Abuse of cloud services
Some of the flagship features of cloud computing, such as agility, scalability and flexibility, are useful to attackers too. Attackers are using infrastructure-as-a-service (IaaS) as a malware platform or for tasks such as mining digital currencies, and are using cloud storage to store illegal content. Cloud abuse is possible because of stolen credit cards, hijacked accounts and free cloud trials. Every month Azure shuts down about 70,000 virtual machines for security reasons.
4. Malicious insiders
Showing a picture of NSA surveillance whistleblower Edward Snowden, Russinovich said cloud service provider employees who have access to the cloud can be a security threat. Malicious insiders also include developers writing cloud code that can be exploited by outsiders, operators that deploy code less securely and those who have access to cloud datacenters. Example mitigation steps include employee background checks, and limited or monitored access to servers.
5. Denial of service (DOS)
Cloud outages are a form of DOS, and it is a significant threat to public cloud computing. Cloud providers such as Azure are investing heavily in DDOS prevention by isolating non-public applications from the internet and providing local resiliency against cloud outages.
6. Insecure interfaces and APIs
Cloud is new and rapidly evolving, so lots of new, insecure APIs surface. This includes weak TLS crypto or incomplete verification of encrypted content. The responsibility to address this threat lies with both cloud providers and users. Cloud providers must follow SDL, and customers should validate API behavior.
7. Unauthorised access to an enterprise user’s cloud account
The threat of unauthorized access includes weak passwords, stolen passwords and password reuse as the key reasons for cloud account hijacks. Cloud use may result in unmanaged credentials, and publicly accessible applications or services may allow for brute forcing. Enterprises can mitigate this risk by taking steps such as turning off unneeded endpoints, encouraging the use of strong passwords, enabling two-factor authentication and detecting a breach at the onset.
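As an added illustration of detecting a breach at the onset (this example is not from Russinovich's presentation), the sketch below scans sign-in events for a burst of failures against one account and, more urgently, a success that follows such a burst. The log format, the five-failure threshold and the five-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2014-10-01T09:00:00Z bob 203.0.113.5 FAIL
2014-10-01T09:00:20Z bob 203.0.113.5 FAIL
2014-10-01T09:00:40Z bob 203.0.113.5 OK
2014-10-01T09:10:00Z alice 198.51.100.7 FAIL
2014-10-01T09:10:10Z alice 198.51.100.7 FAIL
2014-10-01T09:10:20Z alice 198.51.100.7 FAIL
2014-10-01T09:10:30Z alice 198.51.100.7 FAIL
2014-10-01T09:10:40Z alice 198.51.100.7 FAIL
2014-10-01T09:10:50Z alice 198.51.100.7 OK
2014-10-01T10:00:00Z carol 192.0.2.9 FAIL
2014-10-01T10:20:00Z carol 192.0.2.9 FAIL
2014-10-01T10:40:00Z carol 192.0.2.9 FAIL
2014-10-01T11:00:00Z carol 192.0.2.9 FAIL
2014-10-01T11:20:00Z carol 192.0.2.9 FAIL
"""

def parse(line):
    """Split one event line into (timestamp, account, source, outcome)."""
    ts, user, ip, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome

def detect(log_text, window=timedelta(minutes=5), threshold=5):
    """Return alerts as (kind, account, source, timestamp) tuples."""
    recent_fails = defaultdict(deque)  # account -> failure times inside window
    alerted = set()                    # accounts with an open brute-force alert
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, ip, outcome = parse(line)
        fails = recent_fails[user]
        while fails and ts - fails[0] > window:  # age out old failures
            fails.popleft()
        if outcome == "FAIL":
            fails.append(ts)
            if len(fails) >= threshold and user not in alerted:
                alerted.add(user)
                alerts.append(("brute_force", user, ip, ts))
        else:
            # A success right after a failure burst suggests a guessed password.
            if len(fails) >= threshold:
                alerts.append(("success_after_failures", user, ip, ts))
            fails.clear()
            alerted.discard(user)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

With the sample data only alice is flagged: bob's two mistyped attempts and carol's failures spread over more than an hour stay below the threshold.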
8. Data loss
There are multiple ways to lose cloud data: a customer or cloud provider accidentally deletes or modifies it, an attacker deletes or modifies it, or a natural disaster destroys the cloud datacenter. To mitigate cloud data loss, customers must take steps such as point-in-time backups and geo-redundant storage while cloud providers must have services such as deleted resource tombstoning.
9. Data breach
This represents a collection of threats such as insider threat, vulnerability in shared technology, etc. Ultimately, a company’s main asset is its data. How does a company ensure its data is protected even in the face of a successful breach?
Physical threats that result in data breach include attackers gaining access to storage devices removed from the datacenter. Cloud providers must establish physical controls on datacentre premises and deploy audit and monitoring tools while users can encrypt data at rest and have third-party certifications.
Data breaches can occur even during data transfer; to mitigate that risk, cloud providers must encrypt inter-datacenter links and customers must encrypt outside of the cloud.
10. Self-awareness or artificial intelligence
As with any new technology, there are new risks. It is our responsibility to educate our businesses and customers and we can also develop tools and processes to mitigate risk, but it is also a shared responsibility of cloud users. CIOs need to get past the hype and check-box mentality and have a strategy to mitigate cloud security risks. They need to come into the cloud in a responsible way.