Tuesday, July 12, 2011

Security threats posed by public cloud computing

Criminal Use of Cloud Computing: The ease of the registration process for services opens up services to abuse by spammers, malicious code authors, and other criminal elements.
Solution: Strengthen verification process of the registration.

Insecure Application Programming Interfaces: Cloud computing services management and interaction interfaces have very coarse authorization which opens up security hole.
Solution: More granular authorization and multifactor authentication process.

Malevolent Insiders: The threat posed by a malevolent insider is not unique to cloud computing. However, the threat is inflated by the convergence of IT services and customers under a single cloud environment, economic scale and a lack of visibility into the hiring standards and practices of cloud employees.
Solution: Enforce strict supply chain management security and comprehensive background check of cloud employees. Also setting up legal framework to tackle such malicious scenarios.

Shared Technology Vulnerabilities: Cloud computing delivers services by sharing infrastructure. This opens up the entire system to security breaches.
Solution: Defense-in-depth strategy that includes computer, storage, and network security enforcement and monitoring


Data Loss/Leakage: The enhanced risk of destruction or loss of data, whether accidental or intentional, due to increased number of actors and interactions.
Solution: Encrypt data in transit and implement strong data backup and retention strategies. Granular authorization strategy.


Service Disruption: Due to large number of customers on cloud, service disruption or reduced QoS may enhance impact to manifold.
Solution: In-depth replication of infrastructure across location.

Account, Service, and Traffic Hijacking: Account, service, and traffic hijacking, such as phishing, fraud, and exploitation of software vulnerabilities, pose risks to any computer system. With cloud these risks increases due to large number of interactions and actors.
Solution: use strong authentication techniques and unauthorized activity monitoring. Granular Authorization.

Unknown Risk Profile: Due to outsourcing nature of public clouds risk of losing track of the security ramifications of cloud deployments are very true. Security by obscurity may be low effort, but it can result in unknown exposures.
Solution: Maintain detailed information about who is sharing the cloud infrastructure, as well as network intrusion logs, redirection attempts, and other security logs. Deeper engagement with cloud computing provider.

Reference:
  1. https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
  2. http://www.ists.dartmouth.edu/docs/HannaCloudComputingv2.pdf
  3. http://www.privatecloud.com/2011/03/16/5-overlooked-threats-to-cloud-computing
  4. http://en.wikipedia.org/wiki/Cloud_computing_security
  5. http://www.networkworld.com/news/2008/070208-cloud.html

2 comments:

  1. This comment has been removed by the author.

    ReplyDelete
  2. This comment has been removed by the author.

    ReplyDelete