The non-profit Cloud Security Alliance has published a report defining the foremost cloud security threats.
Cloud computing is a kind of distributed system whereby all computer resources are provided to the users in the form of Internet services. As the technology becomes more and more popular, criminals use it to improve their reach, avoid detection and increase the effectiveness of their activities. Enterprise and home users need to better understand the risks associated with the adoption of cloud computing.
The authors of the report identified the following seven threats:
1. Abuse and nefarious use of cloud computing
Providers of infrastructure as a service offer their customers the illusion of unlimited compute, network and storage capacity, often coupled with a frictionless registration process where anyone with a valid credit card can register and immediately begin using cloud services. Some providers even offer free limited trial periods. By abusing the relative anonymity behind these registration and usage models, spammers, malicious code authors and other criminals have been able to conduct their activities with relative impunity.
2. Insecure Application Programming Interfaces
Cloud computing providers expose a set of APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration and monitoring are all performed using these interfaces. The security and availability of general cloud services is dependent upon the security of these basic APIs.
This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure.
4. Shared technology vulnerabilities
Cloud computing vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure were not designed to offer strong isolation properties for a multi-tenant architecture. To address this gap, a virtualization hypervisor mediates access between guest operating systems and the physical compute resources. Still, even hypervisors have exhibited flaws that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform.
5. Data loss/leakage
The threat of data compromise increases in the cloud. Examples include insufficient authentication, authorization or audit controls, operational failures and data center reliability.
6. Account, service & traffic hijacking
Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials in the cloud, they can manipulate data, eavesdrop on your activities and transactions, return falsified information and redirect your clients to illegitimate sites. Your account or service instances may become a new base for the attacker. From here, they may leverage the power of your reputation to launch subsequent attacks
7. Unknown risk profile
One of the ideas of Cloud Computing is the reduction of hardware and software ownership and maintenance to allow companies to focus on their core business. This has clear financial and operational benefits, which must be weighed carefully against the contradictory security concerns — complicated by the fact that cloud deployments are driven by groups who may lose track of the security ramifications.
These threats described are not listed in order of severity.