Shadow IT is a great thing until it runs into the security of cloud computing. All too often line-of-business users are establishing applications and moving data into the cloud without understanding all the security implications.
The Cloud Security Alliance has put together a list of the nine most prevalent and serious security threats in cloud computing. Many of them relate in one way or another to the weaknesses implicit in Shadow IT.
The alliance bills its list as the “Notorious Nine: Cloud Computing Threats in 2013.” The CSA itself was formed in 2008 on the heels of the Information Systems Security Association CISO Forum in Las Vegas. Jim Reavis, a well-known security researcher and author, issued a call for action to secure the cloud at the event, leading to the founding of the organization.
The report was released in February and was composed by a group within the alliance, including co-chairs Rafal Los of HP, Dave Shackleford of Voodoo Security, and Bryan Sullivan of Microsoft. They were assisted by staff members Luciano Santos, research director; Evan Scoboria, webmaster; Kendall Scoboria, graphic designer; Alex Ginsburg, copywriter; and John Yeoh, research analyst.
Here are the CSA’s biggest concerns.
1. Data Breaches
The data breach at Target, resulting in the loss of personal and credit card information of up to 110 million individuals, was one of a series of startling thefts that took place during the normal processing and storage of data. “Cloud computing introduces significant new avenues of attack,” said the CSA report authors. The absolute security of hypervisor operation and virtual machine operations is still to be proved. Indeed, critics question whether such absolute security can exist. The report’s writers said there’s lab evidence — though none known in the wild — that breaches via hypervisors and virtual machines may occur eventually.
Researchers at the University of Wisconsin, security software firm RSA, and the University of North Carolina cited evidence in November 2012 that it’s possible for a user on one virtual machine to listen for activity that signals the arrival of an encryption key on another VM on the same host. It’s called the “side channel timing exposure,” as was previously reported by InformationWeek.
“It’s every CIO’s worst nightmare: the organization’s sensitive internal data falls into the hands of their competitors,” the report said.
So far, the largest breaches haven’t involved any such advanced techniques, which remain for the most part lab experiments. But the possibility still acts as a brake on what is looking like broad enterprise adoption of cloud computing. Clouds represent concentrations of corporate applications and data, and if an intruder penetrates far enough, who knows how many sensitive pieces of information will be exposed. “If a multitenant cloud service database is not properly designed, a flaw in one client’s application could allow an attacker access not only to that client’s data, but every other client’s data as well,” the report concluded.
“Unfortunately, while data loss and data leakage are both serious threats to cloud computing, the measures you put in place to mitigate one of these threats can exacerbate the other,” the report said. Encryption protects data at rest, but lose the encryption key and you’ve lost the data. The cloud routinely makes copies of data to prevent its loss due to an unexpected die off of a server. The more copies, the more exposure you have to breaches.
2. Data Loss
A data breach is the result of a malicious and probably intrusive action. Data loss may occur when a disk drive dies without its owner having created a backup. It occurs when the owner of encrypted data loses the key that unlocks it. Small amounts of data were lost for some Amazon Web Service customers as its EC2 cloud suffered “a remirroring storm” due to human operator error on Easter weekend in 2011. And a data loss could occur intentionally in the event of a malicious attack.
The alliance cited the case of Mat Honan, a writer for Wired magazine, who in the summer of 2012 found an intruder had broken into his Gmail, Twitter, and Apple accounts and deleted all the baby pictures of his 18-month-old daughter.
Read the entire story here – http://www.informationweek.com/cloud/infrastructure-as-a-service/9-worst-cloud-security-threats/d/d-id/1114085