Top Cloud Security Threats and Counters

The Cloud Security Alliance has released their first condensed report on cloud computing security risks.  The list of warnings is intended as a companion to the CSA's larger "Security Guidance for Critical Areas of Focus" guide.  For the top threats report, the CSA condensed the information from their 76 page guide into 7 general threats.  Along with these threat descriptions, the CSA also offered some tactics to minimize the possible damage.  Customers should also check to see if their cloud providers are implementing each threat's solution.  

The list of threats:

Threat #1: Abuse and Nefarious Use of Cloud Computing
Threat #2: Insecure Interfaces and APIs
Threat #3: Malicious Insiders
Threat #4: Shared Technology Issues
Threat #5: Data Loss or Leakage
Threat #6: Account or Service Hijacking
Threat #7: Unknown Risk Profile

Threat #1: Abuse and Nefarious Use of Cloud Computing

Cybercriminals have gotten better at stealing bank passwords and credit card numbers.  Malicious programs like the Zeus bonnet and the InfoStealing trojan will only gain more strength in the cloud.  Spammers and malicious code authors can exploit the relatively anonymous registration and usage models in cloud services to conduct criminal activities.

Solution:
Design stricter initial registration and validation processes, conduct credit card fraud monitoring and coordination, and monitor the public blacklists to see if your own networks are being blocked due to spam and malware.

Threat #2: Insecure Interfaces and APIs

Insecure APIs are usually the result of old code recycling to build applications faster, which damages their quality and security.  Third-party add-ons to an API can also introduce more complexity and increase risk.

Solution:
Understand the dependency chains associated with your APIs and make sure that strong access controls are implemented in addition to encrypted transmissions.

                                       

Threat #3: Malicious Insiders

This is a well known threat in which a person infiltrates an organization and damages the company.  The threat is amplified by the rapid growth of cloud computing because service providers are quickly adding staff with less time to conduct background checks.

Solution:
Slow down and conduct a more thorough screening process.  Specify HR requirements in legal contracts and have a notification plan in the event of a security breach.

Threat #4: Shared Technology Issues

IaaS providers use shared, non-isolated infrastructure, which opens up the entire server pool to possible attacks when an attacker gets inside.  Even with hypervisors, some guest operating systems have been able to gain unacceptable levels of control over the underlying platform.  

Solution:
Develop a strong compartmentalization and defense strategy.  IaaS providers must monitor the environment for unauthorized changes and activities.  

Threat #5: Data Loss or Leakage

The increased number of interactions in the cloud amplifies the risk of data loss because without the proper security controls and data monitoring, it's harder to closely monitor and control what is happening.  This increases the likelihood of misplaced contextual records, loss of encoding keys, and accidental deletion of data.

Solution:
Have a well-defined and well-organized key generation, storage, management, and destruction policy.  

Threat #6: Account or Service Hijacking

Many of the common attack methods can still gain reusable credentials for an attacker.  In the cloud, if an attacker gains access to your credentials, they can see your activities, manipulate data, and cause problems for the provider's clients.  

Solution:
Prohibit credential sharing between users and services, leverage strong two-factor authentication techniques, and proactively check for any unauthorized activity.

Threat #7: Unknown Risk Profile

Security by obscurity is a real danger in the cloud.  Software versions, security practices, code updates, vulnerability research, and intrusion attempts are all important factors to estimate your company's security situation.  Knowing the areas that need more work or investigation is half the battle.

Solution: Examine your security situation and provide transparency for your customers so they know the configuration of the systems or patch levels for the software housing their applications.

The CSA is a group of security professionals and researchers from various technology companies.