According to Forrester Research, in 2013 Cloud Computing was a $58 billion industry and is on track to grow into a $191 billion industry by 2020. A 2014 Grant Thornton report indicates that 40 % of global businesses currently do or plan to outsource business processes including their Tax, IT, and HR & Payroll services. One of the big trends in IT is that IT organizations will continue to move their IT services such as managed services, managed hosting, software-as-a-service (SaaS), and cloud solutions to third-party vendors. Cloud computing is one of the top strategic technology trends for the upcoming years. Like all new technology, cloud computing has been transforming businesses and brings with it new security challenges.
The Notorious Nine Cloud Computing Threats
In a 2013 report, the Cloud Security Alliance (CSA) identified Cloud Computing’s top threats known as The Notorious Nine.
The top cloud computing threats ranked in order of their severity, are as follows:
- Data Breaches
- Data Loss
- Account Hijacking
- Insecure APIs
- Denial of Service
- Malicious Insiders
- Abuse of Cloud Services
- Insufficient Due Diligence
- Shared Technology Issues
The top threats are data breaches and data loss.
Shadow IT and Data Governance
The top two notorious nine cloud computing threats are data breaches and data loss. When we discuss data breaches we need to first introduce the topic of Shadow IT and how this leads to enablement of security breaches. Shadow IT is hardware or software existing within an enterprise that is not supported by the organization’s central IT department. There are different drivers behind Shadow IT. The business may believe that the unsupported hardware or software is a necessity and IT may be slow to respond to business’ needs. Whatever the reason is, cloud computing technology, such as SaaS, has made shadow IT systems easy to implement and use.
While data breaches and data loss are nightmares for IT management, an even greater problem is management having no awareness of certain data or knowledge of where specific data resides, therefore, resulting in no plans to protect this data. Organizations need to adopt comprehensive data governance framework policies with regard to data retention and disposal, information leakage, risk assessments, and non-production data. These policies should also include cloud computing and security policies..
Attackers Use Stolen Credentials for Phishing, Fraud and Exploitation
Attackers use stolen credentials for phishing, fraud and exploitation of software vulnerabilities to hijack user accounts or online services exposing organizations to risk. According to a Verizon 2015 Data Breach Investigations Report (Verizon Report), one attack technique known as phishing has been on the rise since 2011, and 23% of the recipients now open phishing email messages and 11% click on attachments, again exposing their organization to risk.
Organizations should be aware of these and other potential attack techniques and they should build in-depth layered security strategies around their IT infrastructure and data. Organizations need to invest in on-going security training while also building controls such as user access policies, identity management, incident management, and event logging/intrusion detection.
A good Segregation of Duties (SOD) practice can greatly reduce the risks of hijacked accounts or services and can help protect organizations from malicious insider threats. Shared accounts should never be used or should be highly restricted.
Application Program Interface (API) Breaches
An Application Program Interface (API) is a program that allows two software programs to communicate with each other. Cloud computing providers expose APIs for consumers to manage and interact with the cloud services. The basic APIs are the foundation of the security and availability of the cloud services. It is true that the customers cannot control the APIs from the providers, but they can influence the providers to ensure security in regard to authentication and access control to encryption and event logging/monitoring.
Virus, Malware and Malicious Attacks
No organization is immune to virus, malware and malicious attacks such as web application attacks and denial of services (ddos) attacks regardless if the IT systems are located in the cloud or on site.
When under a denial of service attack, the attacker sends a large volume of internet traffic to the organizations servers in order to consume all of the business system resources and network bandwidth. Because cloud computing services are normally charged by the amount of system resources consumed, when under a denial of service attack the victims will probably have to pay for the additional processing resources consumed on top of experiencing unavailable services.
Do you know that 99.9% of the compromised and exploited vulnerabilities occured more than a year after the Common Vulnerabilities and Exposures (CVEs) list was published according to the Verizon Report?
Not only do organizations need to have a sound patching process, they also need to understand the nature of their vulnerabilities and exposures and the associated risks. In many cases, organizations need to act swiftly to patch the systems in order to minimize further risk even if the patch is outside the normal patching cycle.
Good practices to defend against attacks include:
- Knowing where your services are and how to secure them (application security)
- Establishing a good baseline
- Blocking known botnet C2 servers
- Active monitoring and logging and Incident management
These recommended practices should be exercised regularly.
Malicious Insiders cause 55% of all Security Breaches
According to the Verizon Report, “the top security breach action was privilege abuse – at 55% of incidents – where internal actors abuse the access they have been entrusted with.”
A malicious insider could be a disgruntled current or former employee or other business partners. CSA believes that the level of malicious insider threat is left to debate, however, systems that depend solely on the cloud provider for security are at greatest risk.
To protect itself from Malicious Insider and Security Breaches, Organizations should have:
- Physical and logical access controls
- Establish data owners and data security classifications
- Regularly perform access reviews
- Establish clear roles and responsibilities and segregation of duties
- Conduct background checks when hiring
- Perform third party audits, network segmentation, and use encryption
- Implement other factors to reduce the risk of these threats.
Abuse of Cloud Services
The abuse of cloud service threat is more a service provider issue more than it is a cloud consumer issue; however, it remains one of the top threats.
In this threat, attackers use social media channels to abuse cloud computing environments such as Software as a Service (SaaS) and Platform as a Service (PaaS). Cloud computing provides tens-of-thousands of servers and computing power to its consumers (basically the computing horse power of supercomputers). This same computing power could be and sometimes is maliciously and illegally used for attacks such as botnet comment and control, password and key cracking, hosting malicious data, and denial of service, etc.
The cloud service providers should have:
- Security controls for acceptable use such as a stricter initial registration and validation process.
- System event and network traffic monitoring and logging which can help with the early detection of suspicious activities.
- An incident response process which can help organizations reinstate normal service as fast as possible when under attack.
Security controls, suspicious activity detection and quicker normal service reinstatement can help mitigate the negative impact attacks have on business operations.
Insufficient Due Diligence and Shared Technology Issues
The last two Notorious Nine threats can be discussed together.
Reducing cost and improving efficiencies are the top drivers many organizations consider when joining the cloud computing trend. However, many security and risk questions need to be asked and answered before making the cloud computing solution decision.
Companies must have a clear set of goals in mind and develop a clear sense of the benefits and risks involved with Cloud Computing.
There are security concerns anytime technology is shared with third parties outside your organization. For example, a hypervisor is a virtual machine manager. A hypervisor is a program that allows multiple operating systems to share a single hardware host. A service provider could provide your organization virtual systems on the same hypervisor shared with other customers’ virtual systems. In other words, your company’s systems are sharing hardware resources with other company’s systems. Maybe sharing hardware resources with other companies is ok for less critical systems, but this may not be suited for business systems deemed “highly critical”.
Whatever the business decision is, consumers need to understand the implication of the technology and the benefits and risks involved with shared technology. This requires organizations to perform:
- Due diligence covering risk assessment and risk management
- Baseline requirements
- Consumption and resource planning
- Business continuity planning
- Application and data security
- Network configuration and security.
Conducting due diligence helps organizations understand the risks of adopting cloud computing technology and can provide organizations a better understanding of their capacity and consumption needs, therefore, prevent over buying services.
Download System Access Controls Effectiveness Checklist
Cloud computing provides tremendous potential efficiency and cost savings for business. However, there are also security and data integrity concerns.
To successfully protect your systems and data in a cloud computing environment, organizations need to:
- Invest in data governance, application and network security
- Maintain the regular patching process
- Have active event logging and monitoring processes
- Include incident management and recovery practices and procedures.
Protecting systems and data from various threats is a continuous effort regardless of the system and data location and the method of service delivery. In addition to security threats, organizations also face legal challenges such as data ownership rights, data processing by third party, transferring personal data abroad, and contractual issues with service providers etc. A good understanding of the benefits and risks of cloud computing solutions is required for organizations to mitigate the Notorious Nine threats and to make sound decisions and to minimize risks.