SAN FRANCISCO -- The Cloud Security Alliance and Hewlett-Packard will release research today at RSA Conference that identifies the top threats to cloud computing. The document is a companion to the CSA's "Security Guidance for Critical Areas in Cloud Computing," which was updated in December.
Chris Whitener, HP's chief security strategist, said companies are eager to jump into cloud computing to reduce capital costs, reduce the need to manage computing infrastructure and leverage the on-demand capabilities of utility-type computing offered by the cloud. But they often fail to do so without assessing cloud computing security risks.
"The No. 1 thing you shouldn't do is approach this with complete ignorance," Whitener said. "And unfortunately, this is something that a lot of people do. Understand and limit your risk profile. If you approach this with complete abandon, you're asking for it."
The Top Threats to Cloud Computing document released today ranks seven threats that apply across all of the different cloud computing models: infrastructure as a service, platform as a service and software as a service.
"The research brings out the fact that there are certain characteristics that the cloud is especially good at in terms of either being used as a platform for attacking, or in some cases, having amplified certain kinds of vulnerabilities," Whitener said.
Abuse and nefarious use of cloud computing is the top threat identified by the CSA. We're already seeing this in action with the use of botnets to spread spam and malware. Attackers can infiltrate a public cloud, for example, and find a way to upload malware to thousands of computers and use the power of the cloud infrastructure to attack other machines.
The CSA also cautions against insure application programming interfaces (APIs) that are used between applications for interoperability. Whitener used the example of a user logging in to a banking or tax program hosted in the cloud. Tokens are created that pass log-in information between applications using APIs that are often open to attack. "The interfaces passing these tokens don't always make sure that the programs passing them are legitimate," Whitener said.
"The API interfaces are vulnerable to people giving them a blunt call and asking them to bring up tax information, for example. We haven't been programming as a technology in one of these environmentss where it's just completely open; we've always written applications with the assumption that our own IT organizations would run them and we wouldn't have all this stuff happening in the background."
Organizations also need to assess the risk on the service provider's end, and demand segregation of duties and that no one person has root access to your data, for example. Otherwise, a malicious insider would have too much access and power to view and abuse data.
Cloud users also have to be aware of vulnerabilities in shared technologies, such as virtual machines, communications systems or key management technologies. A zero-day attack could quickly spread across a public cloud and expose all data within it, Whitener said.
The CSA suggests that organizations be aware of technologies that aggregate data such as credit card numbers and other personal, sensitive customer and employee information to simplify management of that data. Any vulnerabilities in those systems could lead to data loss and compliance violations that could lead to expensive notification mandates and repairs to systems.
Account service and traffic hijacking is another issue that cloud users need to be aware of. These threats range from man-in-the-middle attacks, to phishing and spam campaigns, to denial-of-service attacks.
Finally, the CSA cautions organizations to be aware of their providers' risk profile. Some providers will say their cloud services are not PCI compliant for example, and yet some users will put sensitive personal or customer records into the cloud and expose it to attack.
Whitener said companies cannot jump into the cloud without a proper risk assessment. The CSA recommends starting with non-sensitive data, and carefully evaluate a service-level agreement; be aware of which are general purpose services, and which make some statements about security and what can be expected.
"There are plenty of motivations for startups and ordinary businesses to use the cloud. Four out of five use the cloud because they don't have to go to their VC and ask for startup money for IT," Whitener said. "There's a lot of power in the cloud, and with that power comes the ability to quickly get lost. Limit your risk profile so that it makes the most sense for your organization."