Leading cloud security group lists the “Notorious Nine” top threats to cloud computing in 2014; most are already known but defy 100% solution.
Shadow IT is a great thing until it runs into the security of cloud computing. All too often line-of-business users are establishing applications and moving data into the cloud without understanding all the security implications.
Here are the CSA’s biggest concerns.
- Data Breaches
The data breach at Target, resulting in the loss of personal and credit card information of up to 110 million individuals, was one of a series of startling thefts that took place during the normal processing and storage of data. “Cloud computing introduces significant new avenues of attack,” said the CSA report authors. The absolute security of hypervisor operation and virtual machine operations is still to be proved. Indeed, critics question whether such absolute security can exist. The report’s writers said there’s lab evidence — though none known in the wild — that breaches via hypervisors and virtual machines may occur eventually.
“Unfortunately, while data loss and data leakage are both serious threats to cloud computing, the measures you put in place to mitigate one of these threats can exacerbate the other,” the report said. Encryption protects data at rest, but lose the encryption key and you’ve lost the data. The cloud routinely makes copies of data to prevent its loss due to an unexpected die off of a server. The more copies, the more exposure you have to breaches.
- Data Loss
A data breach is the result of a malicious and probably intrusive action. Data loss may occur when a disk drive dies without its owner having created a backup. It occurs when the owner of encrypted data loses the key that unlocks it. Small amounts of data were lost for some Amazon Web Service customers as its EC2 cloud suffered “a remirroring storm” due to human operator error on Easter weekend in 2011. And a data loss could occur intentionally in the event of a malicious attack.
The alliance cited the case of Mat Honan, a writer for Wired magazine, who in the summer of 2012 found an intruder had broken into his Gmail, Twitter, and Apple accounts and deleted all the baby pictures of his 18-month old daughter.
- Account Or Service Traffic Hijacking
Account hijacking sounds too elementary to be a concern in the cloud, but CSA says it is a problem. Phishing, exploitation of software vulnerabilities such as buffer overflow attacks, and loss of passwords and credentials can all lead to the loss of control over a user account. An intruder with control over a user account can eavesdrop on transactions, manipulate data, provide false and business-damaging responses to customers, and redirect customers to a competitor’s site or inappropriate sites.
- Insecure APIs
The cloud era has brought about the contradiction of trying to make services available to millions while limiting any damage all these largely anonymous users might do to the service. The answer has been a public facing application programming interface, or API, that defines how a third party connects an application to the service and providing verification that the third party producing the application is who he says he is.
- Denial Of Service
Denial of service attacks are an old disrupter of online operations, but they remain a threat nevertheless. The assault by hundreds of thousands or millions of automated requests for service has to be detected and screened out before it ties up operations, but attackers have improvised increasingly sophisticated and distributed ways of conducting the assault, making it harder to detect which parts of the incoming traffic are the bad actors versus legitimate users.
For cloud customers, “experiencing a denial-of-service attack is like being caught in rush-hour traffic gridlock: there’s no way to get to your destination, and nothing you can do about it except sit and wait,” according to the report. When a denial of service attacks a customer’s service in the cloud, it may impair service without shutting it down, in which case the customer will be billed by his cloud service for all the resources consumed during the attack.
- Malicious Insiders
With the Edward Snowden case and NSA revelations in the headlines, malicious insiders might seem to be a common threat. If one exists inside a large cloud organization, the hazards are magnified. One tactic cloud customers should use to protect themselves is to keep their encryption keys on their own premises, not in the cloud.
- Abuse Of Cloud Services
Cloud computing brings large-scale, elastic services to enterprise users and hackers alike. “It might take an attacker years to crack an encryption key using his own limited hardware. But using an array of cloud servers, he might be able to crack it in minutes,” the report noted. Or hackers might use cloud servers to serve malware, launch DDoS attacks, or distribute pirated software.
- Insufficient Due Diligence
“Too many enterprises jump into the cloud without understanding the full scope of the undertaking,” said the report. Without an understanding of the service providers’ environment and protections, customers don’t know what to expect in the way of incident response, encryption use, and security monitoring. Not knowing these factors means “organizations are taking on unknown levels of risk in ways they may not even comprehend, but that are a far departure from their current risks,” wrote the authors.
- Shared Technology
In a multi-tenant environment, the compromise of a single component, such as the hypervisor, “exposes more than just the compromised customer; rather, it exposes the entire environment to a potential of compromise and breach,” the report said. The same could be said other shared services, including CPU caches, a shared database service, or shared storage.
The cloud is about shared infrastructure, and a misconfigured operating system or application can lead to compromises beyond their immediate surroundings. In a shared infrastructure, the CSA recommend an in-depth defensive strategy. Defenses should apply to the use of compute, storage, networking, applications, and user access. Monitoring should watch for destructive moves and behaviors.