What’s preventing cloud computing from really taking off? According to the Cloud Security Alliance (CSA), there are seven security issues that need to be resolved before any mass adoption of either the public or private cloud can take place.
IDC recently ranked security concerns as the No. 1 barrier to adoption of cloud computing services.
But, what are these seven deadly cloud threats and what can be done by the channel to help fulfil the business value of cloud services?
The CSA polled 29 information security experts from enterprise, solution providers, and consulting firms with experience in the cloud space were polled to get their opinions on current security threats within this environment. The qualitative peer review was conducted under CSA guidance. The results indicate six primary areas of concern. Archie Reed, distinguished technologist for HP, and a member of the CSA also came up with a bonus concern for the solution provider community.
1. Abuse and nefarious use occurs when hosted services are accessed by unauthorized users for malicious purposes, such as password cracking and other business threatening exploits.
Reed said things such as nefarious use of cloud gets people concern of possible botnet attacks on the Amazon Web Service for example. The service was recently taken down and has become the poster child for the cloud being compromised. “Anyone can sign up, create an account and start using it for bad things. The impact of that is not only are they going out, but the IP addresses are being in blocked and if you are hosting in that same environment you will be blocking services for your clients. This is bigger that one bad guy doing something bad.
“In this case, how do you protect the transmission of data in the cloud? You are using the classic man in the middle attack and what are the cloud providers doing for you? And, what do you have to do yourself to prevent this kind of attack,” Reed added.
2. Insecure Application Programming Interfaces (API’s) allow ill-intentioned users to exploit services to hijack accounts.
According to Reed, insecure APIs is like the wild-west for security threats. There are thousands of Web 2.0 apps up today as developers rush to get their work out. One example of this was the attack on Adobe and Microsoft apps by putting bad loads or cross scripting. These bad loads on injected into a system via email and can compromise your environment. “These are not necessarily attacks specific to the cloud. These are classic attacks to any system. What is really the issue is the tenant of the cloud is a multi-tenancy one,” Reed said.
Another example was how Google got hit by the nation state of China. Reed said no one knows if it was China or a rogue inside the Chinese government, but what this attack, called Operation Aurora, shows is that it can happen inside any bank, power company and the cloud.
3. Malicious insider risks increase within the cloud, giving an adversary the ability to take complete control of the infrastructure, leading to data leakage, abuse and hijacking of sensitive information.Reed said that businesses want to reap the cost, availability and flexibility benefits of the cloud, yet not at the risk of data breach, financial and productivity loss.
4. Shared technology vulnerabilities, such as attacks on virtual machines, impact a greater number of clients by exploiting the local infrastructure for criminal use.
5. Data loss and leakage increases due to the open, operational characteristics of this environment, leading to financial loss and legal ramifications.
6. Account Service and Traffic Hijacking intensifies when an attacker attains an organization’s Infrastructure-as-a-Service credentials which can result in data manipulation and access to all accounts.
The seventh deadly cloud sin is if the solution provider channel does not nothing to help customers be protected on the cloud.
When Reed examines the solution provider community he sees plenty of cases where security of the cloud is of chief concern. The opportunity for the channel is to provide an interface for provisioning and management for the entry to the cloud that includes monitoring, loging, reporting and finding best of bread applications.
Those are some of the basics for small to mid-size business, Reed said. For the enterprise customers, they are concerned cloud security as well, but their risks are much higher. “The risk of exposure of data and exposure of the company’s reputation is ultimate. A solution provider has to go in an put together a portfolio of services that address those concerns and it should go beyond security,” Reed said.