Cloud computing continues to transform the way organizations use, store, and share data, applications, and workloads. It has also introduced a host of new security threats and challenges. With so much data going into the cloud—and into public cloud services in particular—these resources become natural targets for bad actors.
“The volume of public cloud utilization is growing rapidly, so that inevitably leads to a greater body of sensitive stuff that is potentially at risk,” says Jay Heiser, vice president and cloud security lead at Gartner, Inc.
Contrary to what many might think, the main responsibility for protecting corporate data in the cloud lies not with the service provider but with the cloud customer. “We are in a cloud security transition period in which focus is shifting from the provider to the customer,” Heiser says. “Enterprises are learning that huge amounts of time spent trying to figure out if any particular cloud service provider is ‘secure’ or not has virtually no payback.”
To provide organizations with an up-to-date understanding of cloud security concerns so they can make educated decisions regarding cloud adoption strategies, the Cloud Security Alliance (CSA) has created the latest version of its Treacherous 12 Top Threats to Cloud Computing Plus: Industry Insights report.
The report reflects the current consensus among security experts in the CSA community about the most significant security issues in the cloud. While there are many security concerns in the cloud, CSA says, this list focuses on 12 specifically related to the shared, on-demand nature of cloud computing.
To identify the top concerns, CSA conducted a survey of industry experts to compile professional opinions on the greatest security issues within cloud computing. Here are the top cloud security issues (ranked in order of severity per survey results):
1. Data breaches
A data breach might be the primary objective of a targeted attack or simply the result of human error, application vulnerabilities, or poor security practices, CSA says. It might involve any kind of information that was not intended for public release, including personal health information, financial information, personally identifiable information, trade secrets, and intellectual property. An organization’s cloud-based data may have value to different parties for different reasons. The risk of data breach is not unique to cloud computing, but it consistently ranks as a top concern for cloud customers.
2. Insufficient identity, credential, and access management
Bad actors masquerading as legitimate users, operators, or developers can read, modify, and delete data; issue control plane and management functions; snoop on data in transit or release malicious software that appears to originate from a legitimate source, CSA says. As a result, insufficient identity, credential, or key management can enable unauthorized access to data and potentially catastrophic damage to organizations or end users.
3. Insecure interfaces and application programming interfaces (APIs)
Cloud providers expose a set of software user interfaces (UIs) or APIs that customers use to manage and interact with cloud services. Provisioning, management, and monitoring are all performed with these interfaces, and the security and availability of general cloud services depends on the security of APIs, CSA says. They need to be designed to protect against accidental and malicious attempts to circumvent policy.
4. System vulnerabilities
System vulnerabilities are exploitable bugs in programs that attackers can use to infiltrate a system to steal data, taking control of the system or disrupting service operations. Vulnerabilities within the components of the operating system put the security of all services and data at significant risk, CSA says. With the advent of multi-tenancy in the cloud, systems from various organizations are placed close to each other and given access to shared memory and resources, creating a new attack surface.
5. Account hijacking
Account or service hijacking is not new, CSA notes, but cloud services add a new threat to the landscape. If attackers gain access to a user’s credentials, they can eavesdrop on activities and transactions, manipulate data, return falsified information and redirect clients to illegitimate sites. Account or service instances might become a new base for attackers. With stolen credentials, attackers can often access critical areas of cloud computing services, allowing them to compromise the confidentiality, integrity, and availability of those services.
6. Malicious insiders
While the level of threat is open to debate, the fact that insider threat is a real adversary is not, CSA says. A malicious insider such as a system administrator can access potentially sensitive information, and can have increasing levels of access to more critical systems and eventually to data. Systems that depend solely on cloud service providers for security are at greater risk.
7. Advanced persistent threats (APTs)
APTs are a parasitical form of cyber attack that infiltrates systems to establish a foothold in the IT infrastructure of target companies, from which they steal data. APTs pursue their goals stealthily over extended periods of time, often adapting to the security measures intended to defend against them. Once in place, APTs can move laterally through data center networks and blend in with normal network traffic to achieve their objectives, CSA says.
8. Data loss
Data stored in the cloud can be lost for reasons other than malicious attacks, CSA says. An accidental deletion by the cloud service provider, or a physical catastrophe such as a fire or earthquake, can lead to the permanent loss of customer data unless the provider or cloud consumer takes adequate measures to back up data, following best practices in business continuity and disaster recovery.
9. Insufficient due diligence
When executives create business strategies, cloud technologies and service providers must be considered, CSA says. Developing a good roadmap and checklist for due diligence when evaluating technologies and providers is essential for the greatest chance of success. Organizations that rush to adopt cloud technologies and choose providers without performing due diligence expose themselves to a number of risks.
10. Abuse and nefarious use of cloud services
Poorly secured cloud service deployments, free cloud service trials, and fraudulent account sign-ups via payment instrument fraud expose cloud computing models to malicious attacks, CSA says. Bad actors might leverage cloud computing resources to target users, organizations, or other cloud providers. Examples of misuse of cloud-based resources include launching distributed denial-of-service attacks, email spam, and phishing campaigns.
11. Denial of service (DoS)
DoS attacks are designed to prevent users of a service from being able to access their data or applications. By forcing the targeted cloud service to consume inordinate amounts of finite system resources such as processor power, memory, disk space, or network bandwidth, attackers can cause a system slowdown and leave all legitimate service users without access to services.
12. Shared technology vulnerabilities
Cloud service providers deliver their services scalably by sharing infrastructure, platforms or applications, CSA notes. Cloud technology divides the “as-a-service” offering without substantially changing the off-the-shelf hardware/software—sometimes at the expense of security. Underlying components that comprise the infrastructure supporting cloud services deployment may not have been designed to offer strong isolation properties for a multi-tenant architecture or multi-customer applications. This can lead to shared technology vulnerabilities that can potentially be exploited in all delivery models.
13. Bonus cloud threat for 2018: Spectre and Meltdown
Both Spectre and Meltdown permit side-channel attacks because they break down the isolation between applications. An attacker that is able to access a system through unprivileged log in can read information from the kernel, or attackers can read the host kernel if they are a root user on a guest virtual machine (VM).
This is a huge issue for cloud service providers. While patches are becoming available, they only make it harder to execute an attack. The patches might also degrade performance, so some businesses might choose to leave their systems unpatched. The CERT Advisory is recommending the replacement of all affected processors—tough to do when replacements don’t yet exist.
So far, there are no known exploits that have taken advantage of Meltdown or Spectre, but experts agree that they are likely and relatively soon. The best advice for cloud providers to guard against them is to make sure all the latest patches are in place. Customers should demand information on how their cloud providers are responding to Meltdown and Spectre.