CCSK Guide
16 Mar 11

Top Threats to Cloud Computing

The CSA (Cloud Security Alliance) report “Top Threats to Cloud Computing” was released in March 2010 to help organizations interested in moving to the cloud make informed decisions and be aware of potential risks. The research presented in the CSA report is meant to be applied within the context of an organization's mission, rewards, risks and cloud environment. The brief report was based on a more developed ENISA (European Network and Information Security Agency) research paper titled “Cloud Computing: Benefits, Risks and Recommendations for Information Society,” published in November 2009.

The CSA Advisory Committee responsible for the report acknowledged that while there were many threats involved in cloud computing, the report needed to focus on those threats that were unique to the shared and on-demand nature of cloud computing. Recommended actions to address such threats were also offered in the report. As a result, the Committee identified seven threats, not in any order of severity. The threats are briefly outlined below.

Threat #1: Abuse & Nefarious Use of Cloud Computing

Description: Spammers, hackers and other criminals take advantage of the convenient registration, simple procedures and relatively anonymous access to cloud services to launch various attacks. Examples of such attacks include: password and key cracking; DDoS; malicious data hosting; launching dynamic attack points; building rainbow tables; botnet command/control; and CAPTCHA-solving farms.

Targets: IaaS (Infrastructure as a Service), PaaS (Platform as a Service)

Threat #2: Insecure Interfaces & APIs

Description: Customers manage and interact with cloud services through interfaces or APIs. Providers must ensure that security is integrated into their service models, while users must be aware of security risks in the use, implementation, management, and monitoring of such services. Examples of such risks include: API dependencies; limited monitoring/logging capabilities; inflexible access controls; anonymous access; reusable tokens/passwords; clear-text authentication and/or transmission of content; and improper authorizations.

Targets: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service)

Threat #3: Malicious Insiders

Description: Malicious insiders pose a greater threat in a cloud computing environment, since customers do not have a clear view of provider policies and procedures. For instance, employee access, employee monitoring, policy compliance and hiring standards/practices are generally not transparent to customers. Malicious insiders can gain unauthorized access to organizations and their assets. The consequences include brand damage, financial impact and loss of productivity.

Targets: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service)

Threat #4: Shared Technology Issues

Description: IaaS is based on shared infrastructure (e.g. disk partitions, CPU caches, GPUs, etc.), which is often not designed to accommodate a multi-tenant architecture. Overlooked flaws have allowed guest operating systems to gain unauthorized levels of control and/or influence on the platform. Examples of such issues include Rutkowska's Red and Blue Pill exploits and Kortchinsky's CloudBurst presentations.

Targets: IaaS (Infrastructure as a Service)

Threat #5: Data Loss or Leakage

Description: Data can be compromised in several ways: deletion or alteration of data without first making a backup; unlinking a record from a larger context; loss of an encoding key; and unauthorized access to sensitive data. The possibility of data compromise significantly increases in cloud computing, due to the architecture and operations. Examples of data loss/leakage issues include: insufficient authentication, authorization and audit (AAA) controls; inconsistent encryption; inconsistent software keys; operational failures; disposal challenges; risk of association; jurisdiction/political issues; persistence and remanence challenges; data center reliability; and disaster recovery.

Targets: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service)

Threat #6: Account or Service Hijacking

Description: Account or service hijacking is usually carried out with stolen credentials. Attack methods include phishing, fraud and exploitation of software vulnerabilities. Using stolen credentials, attackers can access critical areas of cloud computing services and compromise the confidentiality, integrity and availability (CIA) of such services. Examples of what attackers can then do include: eavesdropping on transactions/sensitive activities; manipulation of data; returning falsified information; and redirection to illegitimate sites.

Targets: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service)

Threat #7: Unknown Risk Profile

Description: Cloud services mean that organizations are less involved with hardware and software ownership and maintenance. Although this offers significant advantages, organizations should be aware that issues such as internal security procedures, security compliance, configuration hardening, patching, auditing and logging may be overlooked.

Targets: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service)

What the critics are saying...

Some critics of the CSA report point out that it confuses risks with issues, problems and subject areas. It also mixes up threats with vulnerabilities. It appears as though the report takes a managerial perspective, rather than a security perspective. For instance, IT security blogger, David Lacey, says:

“[The CSA's Top Threats to Cloud Computing report] can be largely summed up in one sentence: "Cloud Computing presents the same risks of fraud and data breaches as any large, outsourced critical business service. You need to follow good security practices." Unfortunately, such concise wisdom would not come across as a major advance of the state of the art.”

Summary

This article takes a look at the CSA's March 2010 report, “Top Threats to Cloud Computing.” The report lists seven key threats specific to cloud environments. These threats include: abuse and nefarious use of cloud computing; insecure application programming interfaces (APIs); malicious insiders; shared technology vulnerabilities; data loss/leakage; account, service and traffic hijacking; and unknown risk profiles. The CSA released the report to enable organizations to make informed decisions before selecting a cloud service provider.

CCSK Exam Preparation

In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:

  • Governance & Enterprise Risk Management (Domain 2)
  • Legal & Electronic Discovery (Domain 3)
  • Information Lifecycle Management (Domain 5)
  • Traditional Security, Business Continuity & Disaster Recovery (Domain 7)
  • Data Center Operations (Domain 8)
  • Incident Response, Notification and Remediation (Domain 9)
  • Application Security (Domain 10)
  • Encryption & Key Management (Domain 11)
  • Identity & Access Management (Domain 12)
  • Virtualization (Domain 13)