The seven deadly sins of cloud security

Warning signs your cloud project is going off the rails

A security expert warns organisations making a foray into cloud computing that knowing familiar terms like multi-tenancy and virtualisation doesn't mean they understand everything about putting applications in the cloud.

In the world of cloud computing, those technologies are thrown together to create a new class of applications with their own unique set of governance rules, said Jim Reavis, executive director with the Cloud Security Alliance (CSA).

"This is a new epoch in computing," said Reavis. Even if it all sounds familiar, digging a little deeper will uncover a whole set of new risks.

Organisations will often adopt cloud computing at a much faster rate than security professionals are comfortable with, said Reavis. A pragmatic approach is necessary. "Take a risk-based approach to understanding the real risks and mitigating practices we can leverage to securely adopt the cloud," he said.

CSA, in collaboration with HP, listed what they called the seven deadly sins of cloud security. The research is based on input from security experts across 29 enterprises, technology providers and consulting firms.

  1. Data Loss/Leakage: There is not an acceptable level of security control for data in the cloud, said Reavis. Some applications could be leaking data as a result of weak API access control and key generation, storage and management. Data destruction policies may also be absent.
  2. Shared Technology Vulnerabilities: In the cloud, a single misconfiguration can be duplicated across an environment where many virtual servers share the same configuration. Enforce service level agreements (SLAs) for patch management and best practices for network and server configuration.
  3. Malicious Insiders: The level of background checks that cloud providers perform on staff may differ compared to how enterprises usually control data centre access, said Reavis. "A lot of them do a good job but it is uneven," he said. Perform a supplier assessment and outline a level of employee screening.
  4. Account, Service and Traffic Hijacking: A lot of data, applications and resources are concentrated in the cloud where, with weak authentication, an intruder can access a user account and get at that customer's virtual machines, said Reavis. Proactive monitoring of threats and two-factor authentication are advised.
  5. Insecure Application Programming Interfaces: It's important to perceive the cloud as a new platform and not merely as outsourcing when it comes to developing applications, said Reavis. There ought to be a vetting process surrounding application lifecycles, where the developer understands and applies certain guidelines regarding authentication, access controls and encryption.
  6. Abuse and Nefarious Use of Cloud Computing: The bad guys are probably more progressive than the good guys in how they use technology, said Reavis. Hackers are seen very quickly applying new threats, combined with the ability to easily scale up and down in the cloud. All it takes is a credit card.
  7. Unknown Risk Profile: Transparency issues persist concerning cloud providers. Account users only interact with the front-end interface and really don't know which platforms or patch levels their provider is employing, said Reavis.

Archie Reed, chief technology officer for cloud security with HP, is careful to note that the list of seven deadly sins in cloud security is not all-encompassing, but high level. "It should guide your approach, not define it," said Reed.

If anything, the seven sins illustrate how rapidly the cloud security situation changes, said Reed. Security technologists should understand the myriad factors that impact their business, including government and industry standards, how that fits in the risk analysis approach, and how often the approach is reviewed.

Without a doubt, there are significant opportunities in the cloud, said Reed, but such a nascent market means vendor options and threats will evolve quickly.

Although an organisation may put its trust in the cloud, it can't abdicate all of that security responsibility. "The need to manage that in a way that makes sense to your business is much more critical," said Reed.

