CSA: What are 2013’s top cloud security threats?
The Cloud Security Alliance (CSA) has released a new report examining the most pervasive security threats still facing cloud computing in 2013.
The report, called “The Notorious Nine” – presumably using the same nomenclature that Enid Blyton employed for the protagonists of her fabled children’s books – was compiled with the help of industry experts, and is designed to be used in conjunction with other CSA best practice guides: “Security Guidance for Critical Areas in Cloud Computing V.3” and “Security as a Service Implementation Guidance”.
According to the CSA, the nine security challenges cloud players face, ranked in order, are:
- Data breaches
- Data loss
- Account hijacking
- Insecure APIs
- Denial of service
- Malicious insiders
- Abuse and nefarious use
- Insufficient due diligence
- Shared technology issues
Most of these seem relatively self-explanatory, with the vast majority making headlines in the cloud computing space.
The dreaded data breach was, perhaps unsurprisingly, the top threat. Calling it “every CIO’s worst nightmare”, the CSA argues that the cloud increases the chances of data landing in competitors’ hands.
In terms of data loss, look no further than US journalist Mat Honan, whose iCloud, along with his Twitter, Google, and various other iDevices, was broken into back in August. The CSA report cites this, adding that hackers aren’t the only way data can be lost; clerical error by the service provider, or natural disasters, can also be to blame. NebuLogic published a five-step guide to cloudy disaster recovery back in December.
The CSA noted that, while data loss and data breach were interlinked, trying to redress the balance of one area – encrypting data, or holding an offline backup – may increase the chances of the other happening.
Looking at denial of service attacks, reports are mixed.
Earlier this year, the eighth annual Worldwide Infrastructure Report from Arbor Networks showed that over three quarters of respondents had suffered DDoS (distributed denial of service) attacks towards their customers and suggested that cloud increases DDoS attacks, whilst a paper from Neustar back in June suggested that “only cloud-based DDoS solutions offer a comprehensive defence against increasing attacks.”
The CSA, however, advises caution and notes that DDoS isn’t the only DoS attack; 81% of survey respondents agree that the threat is still relevant.
“Experiencing a denial of service attack is like being caught in rush-hour traffic gridlock: there’s no way to get to your destination, and nothing you can do about it except sit and wait,” the report notes.
Compared to 2010’s ranking, the threat of malicious insiders had dropped three places to sixth, but still remained an important issue. The CSA gave the example of a sysadmin in an ‘improperly designed cloud scenario’, yet it could be any of a range of employees; take the recently fired American worker who, in November, went to a fast food restaurant while he still had access to company data, logged onto the Wi-Fi and deleted everything in sight.
Overall, the research tries to show that clouds are not inherently secure, and there are plenty of ways to get into a company’s pot of gold.
J.R. Santos, CSA global research director, said: “To effectively manage risks in cloud computing, it is essential for companies to understand today’s and tomorrow’s threats specific to the cloud, and that comes with education and proper due diligence.
“Companies are still not yet doing the proper due diligence, which is unfortunate and continues to be a real issue.”
The report can be found here (registration required). Do you agree with the security threats the CSA raises? Which one would you rank most important?