When it comes to using the Cloud, most organizations appear to have a Jekyll and Hyde relationship. A recent report on the future of cloud computing revealed that three out of every four respondents said they were using the Cloud in some way. The same report showed that nearly half of those surveyed still felt security was the main reason for not using cloud resources. So how to explain the apparent contradiction?
The two seemingly opposite statistics are easily reconciled: the Cloud has become a key component of nearly every company’s IT infrastructure, but in most cases for less sensitive data. IT operations is driving more of its not-as-critical applications and systems into the Cloud while keeping mission-critical and company-sensitive data processing activity on premises. The bottom line is that security is still a major concern when making a decision on placing workload in the Cloud.
The Cloud Security Alliance Organization (CSA), a member-driven group working to promote best practices for security assurance in Cloud Computing, released a report on the topic titled The Notorious Nine – Cloud Computing Top Threats in 2013. The paper discusses the top security risks in the Cloud and some ideas on how best to keep them under control. Here are three of them.
Data Loss
Obviously, losing any customer or company data can be devastating. Data stored anywhere is at risk, whether located on premises in a data center or in the Cloud. The CSA report points out that data can be lost for any number of reasons, from accidental deletion by a cloud service provider to a natural disaster like a fire, flood, or earthquake. Efforts at protecting data before uploading to the Cloud can backfire as well. If data is encrypted before it is sent to the Cloud and the key is lost, the effect is the same as if the data had been erased.
The best defense against Data Loss is a comprehensive backup program that should be a part of a larger business continuity plan. In addition, the CSA controls include reviewing your records retention program, the location of your equipment, and other environmental risks.
Account or Service Traffic Hijacking
Companies are exposed to this threat every day through unscrupulous phishing expeditions and attempts to find security holes in popular software applications. The Cloud increases the potential risk in this area by placing applications and systems outside a company’s specific security wall. The CSA report points out that this threat causes even greater problems when hackers reuse stolen passwords to set up a new base of attack.
The CSA recommends tightly monitored user access controls as the major defense to this threat. The policy should strictly define user authorizations, access reviews, user IDs, and user revocations. Companies should also meticulously manage incidents of breach. Probably the most effective defense is multi-factor authentication for both on-site and remote users. Using this system, users must present two of three pieces of evidence as defined by the government to access federal systems. These are:
- Something only the user knows – password, PIN etc.
- Something only the user has – card, mobile phone etc.
- Something only the user is – biometric characteristic, such as a fingerprint
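As an added illustration (not taken from the CSA report or this article), the access controls described above can be run as a periodic review over account records: it flags accounts whose enrolled methods cover fewer than two of the three categories (a password plus a PIN is still only "something the user knows"), accounts not revoked after departure, and overdue access reviews. The record fields, method names and the 90-day interval are assumptions.

```python
from datetime import date

# Factor categories from the list above; the method names mapped to them are assumptions.
FACTOR_CATEGORY = {
    "password": "knows", "pin": "knows",
    "smart_card": "has", "phone_otp": "has",
    "fingerprint": "is",
}
REVIEW_MAX_AGE_DAYS = 90  # assumed review interval, not a CSA figure


def factor_categories(methods):
    """Distinct categories covered by the enrolled methods; unknown methods count for nothing."""
    return {FACTOR_CATEGORY[m] for m in methods if m in FACTOR_CATEGORY}


def review_account(acct, today):
    """Return the list of policy findings for one account record."""
    findings = []
    if not acct["employed"] and acct["enabled"]:
        findings.append("not revoked after departure")
    if acct["enabled"] and len(factor_categories(acct["methods"])) < 2:
        findings.append("fewer than two factor categories")
    if acct["enabled"] and (today - acct["last_review"]).days > REVIEW_MAX_AGE_DAYS:
        findings.append("access review overdue")
    return findings


def review_all(accounts, today):
    """Map user ID -> findings, listing only accounts with at least one finding."""
    results = ((a["user_id"], review_account(a, today)) for a in accounts)
    return {uid: found for uid, found in results if found}


# Constructed sample records (not real data).
SAMPLE = [
    {"user_id": "alice", "employed": True, "enabled": True,
     "methods": ["password", "phone_otp"], "last_review": date(2024, 5, 1)},
    {"user_id": "bob", "employed": True, "enabled": True,
     "methods": ["password", "pin"], "last_review": date(2024, 5, 1)},
    {"user_id": "carol", "employed": False, "enabled": True,
     "methods": ["password", "fingerprint"], "last_review": date(2024, 1, 10)},
]

if __name__ == "__main__":
    for user, findings in review_all(SAMPLE, date(2024, 6, 1)).items():
        print(user, "->", "; ".join(findings))
```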
Shared Technology Vulnerabilities
Cloud computing by definition relies on sharing infrastructure, platforms, and applications to deliver computing power and data storage to multiple customers. The CSA asserts that underlying components not designed to provide isolation for multi-tenant architectures (IaaS), re-deployable platforms (PaaS), and multi-customer applications (SaaS) all present security vulnerabilities.
CSA says this threat can be addressed through stringent user access policies, data encryption and segmentation, audit logging and intrusion detection. Other defensive tactics include ongoing scanning for vulnerabilities, complete deletion of users’ data after usage, and evaluating the unauthorized environment.
The benefits of the Cloud guarantee that it will remain a key piece of IT operations going forward. Security will continue to be an issue, but strong user access controls, improvements in hardware technology, and ongoing process audits will go a long way toward minimizing the threat.