The seven deadly sins of cloud security
Warning signs your cloud project is going off the rails
By Kathleen Lau | ComputerWorld Canada | Published: 14:20, 01 April 2010
A security expert warns organisations making a foray into cloud computing that knowing familiar terms like multi-tenancy and virtualisation doesn't mean they understand everything about putting applications in the cloud.
In the world of cloud computing, those technologies are thrown together to create a new class of applications with their own unique set of governance rules, said Jim Reavis, executive director with the Cloud Security Alliance (CSA).
"This is a new epoch in computing," said Reavis. Even if it all sounds familiar, digging a little deeper will uncover a whole set of new risks.
Related Articles on Techworld
Organisations will often adopt cloud computing at a much faster rate than that with which security professionals are comfortable, said Reavis. A pragmatic approach is necessary. "Take a risk-based approach to understanding the real risks and mitigating practices, we can leverage to securely adopt the cloud," he said.
CSA, in collaboration with HP, listed what they called the seven deadly sins of cloud security. The research is based on input from security experts across 29 enterprises, technology providers and consulting firms.
- Data Loss/Leakage: There is not an acceptable level of security control for data in the cloud, said Reavis. Some applications could be leaking data as a result of weak API access control and key generation, storage and management. And, also data destruction policies may be absent.
- Shared Technology Vulnerabilities: In the cloud, a single misconfiguration can be duplicated across an environment where many virtual servers share the same configuration. Enforce service level agreements (SLAs) for patch management and best practices for network and server configuration.
- Malicious Insiders: The level of background checks that cloud providers perform on staff may differ compared to how enterprises usually control data centre access, said Reavis. "A lot of them do a good job but it is uneven," he said. Perform a supplier assessment and outline a level of employee screening.
- Account, Service and Traffic Hijacking: A lot of data, applications and resources are concentrated in the cloud where, with weak authentication, an intruder can access a user account and get at that customer's virtual machines, said Reavis. Proactive monitoring of threats and two-factor authentication is advised.
- Insecure Application Programming Interfaces: It's important to perceive the cloud as a new platform and not merely as outsourcing when it comes to developing applications, said Reavis. There ought to be a vetting process surrounding application lifecycles, where the developer understands and applies certain guidelines regarding authentication, access controls and encryption.
- Abuse and Nefarious Use of Cloud Computing: The bad guys are probably more progressive than the good guys in how they use technology, said Reavis. Hackers are seen very quickly applying new threats, combined with the ability to easily scale up and down in the cloud. All it takes is a credit card.
- Unknown Risk Profile: Transparency issues persist concerning cloud providers. Account users only interact with the front-end interface and really don't know which platforms or patch levels their provider is employing, said Reavis.
Archie Reed, chief technology officer for cloud security with HP, is careful to note that the list of seven deadly sins in cloud security is not all-encompassing, but high level. "It should guide your approach, not define it," said Reed.
If anything, the seven sins illustrate how rapidly the cloud security situation changes, said Reed. Security technologists should understand the myriad factors that impact their business include government and industry standards, how that fits in the risk analysis approach, and how often the approach is reviewed.
Without a doubt, there are significant opportunities in the cloud, said Reed, but such a nascent market means vendor options and threats will evolve quickly.
Although an organisation may put its trust in the cloud, it can't abdicate all of that security responsibility. "The need to manage that in a way that makes sense to your business is much more critical," said Reed.