Many security concerns have been addressed with tools and processes in the previous section addressing risk. These tools and processes include concepts such as privacy and access control, business process risk, and operational risk. There is also security-specific risk that is not necessarily unique to the cloud, but that is amplified by its use. The Cloud Security Alliance (CSA) conducted a survey,7 which resulted in a report of likely cloud risks:
• Abuse and nefarious use of cloud computing—A problem for both the CSP and the cloud client, abuse of the cloud has the potential to monopolize resources and negatively impact cloud users. Providers offer customers unlimited computing, network and storage capacity, often through an easy-access registration process. Anyone with a valid credit card can register and immediately begin using these cloud services. Some providers even offer free limited trial periods. The lack of control in registration permits anonymity in the cloud. This has provided many with malicious intent a platform to conduct (with relative impunity) activities such as finding vulnerabilities and writing malicious code in the cloud. PaaS providers have traditionally suffered most from this kind of attack, although hackers have begun to target IaaS vendors as well.
• Insecure APIs—CSPs expose a set of APIs allowing customers to manage and interact with cloud services. Provisioning, management, orchestration and monitoring are all performed using these interfaces. The security and availability of general cloud services are dependent upon the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. Furthermore, enterprises and third parties often build on these interfaces to offer value-added services to their customers. Since this introduces the complexity of a new layered API, it also increases risk because enterprises may be required to relinquish their credentials to third parties.
While most CSPs strive to integrate security into their service models, it is critical for client risk managers to understand fully the security implications associated with the usage, management, orchestration and monitoring of cloud services. Reliance on a weak set of APIs exposes enterprises to a variety of security issues related to confidentiality, integrity, availability and accountability.
• Malicious insiders—The threat of a malicious insider is well known to most enterprises. While it is a familiar risk in traditional IT enterprises, it is even further amplified for clients of cloud services. Instead of dealing with its own employees, who were likely screened and chosen by the enterprise, the client now has to trust the CSP and its employees. There is often little to no visibility into the hiring standards and practices for cloud employees. The impact that malicious insiders can have on an enterprise is considerable, given their level of access. Brand damage, financial impact and productivity losses are just some of the ways a malicious insider can affect an operation. As enterprises adopt cloud services, the human element takes on an even more profound importance.
7 CSA, Top Threats to Cloud Computing V1.0, USA, 2010,
• Shared technology vulnerabilities—IaaS vendors deliver their services in a scalable way, sharing infrastructure. Often, the underlying components making up this infrastructure (e.g., CPU caches, graphics processing units [GPUs]) are not designed to offer strong isolation properties for multitenant architectures. To address this gap, a virtualization hypervisor mediates access between guest OSs and the physical computer resources. Still, as noted previously, hypervisors have exhibited flaws, enabling guest OSs to gain inappropriate levels of control or influence on the underlying cloud platform.
Attacks have surfaced in recent years that target the shared technology inside cloud computing environments. Disk partitions, CPU caches, GPUs and other shared elements were never designed for strong compartmentalization. As a result, attackers focus on how to impact the operations of other cloud customers and how to gain unauthorized access to data.
• Data loss/leakage—As in traditional IT operations, there are many ways for data to be compromised in the cloud. Deletion or alteration of records without a backup is an obvious example. For encrypted data in an IaaS cloud, the loss of an encoding key could effectively mean data destruction. Access in public cloud environments (again, multitenant environments) can leave hundreds or more possible users just one level of security away from the sensitive data of other cloud clients.
• Account, service and traffic hijacking—Account or service hijacking is not new, but as it does with many types of risk, cloud computing adds new dimensions. When attackers gain access to cloud client user credentials, they are able to “eavesdrop” on activities and transactions, manipulate data, return falsified information, and redirect cloud client e-commerce customers to illegitimate sites. IaaS applications can become new bases for an attacker. From here, the attacker may leverage the use of the cloud client’s brand recognition to launch attacks on the cloud client’s unsuspecting e-commerce customers.
• Unknown risk profiles—A tenet of cloud computing is the reduction of expenses to cloud users of IT hardware, software and maintenance. The cloud is intended to allow enterprises to focus on their core competencies, remotely outsourcing a portion or most of their IT. The financial and operational benefits have been promoted by cloud advocates and IT experts since the emergence of this technology.
With this promise of better, cheaper and faster IT, the security ramifications of virtual computing, outside the traditional physical IT enterprise, can become minimized. This is especially true as increasing numbers of organizational decision makers have personal virtual backgrounds (online social networking, shopping, entertainment, etc.). They see cloud computing as accepted and used extensively in culture and wonder why this is not the case for business and commerce as well.
Data, which may be widely dispersed among many cloud-based servers, is often described as a security asset. Security by obscurity may result in unknown exposures. It definitely impairs the in-depth analysis required for highly controlled or regulated business processes.