My take and some answers on ithttp://www.cloudsecurityalliance.org/topthreats/

Welcome back folks to a beautiful 2014 and I had an interesting one while going through
a Cloud Solution Design
I came across this document The Notorious Nine Cloud Computing Top Threats
in 2013
and I thought I’d talk through these concerns one by one.

  1. Data Breaches –  this issue can occur on many levels and I don’t
    think it’s just limited to ’Cloud’ per se – it could be your insurance company down
    the road,

    the doctor, dentist etc. and we’ve all seen those TV shows where the ’hustlers’ go
    through someone’s trash to pull out key gems of information to unlock the scam.

    Interestingly in the paper, the university of North Carolina Chapel Hill came up with
    a technique to steal data from a VM running as one of many within the same host, with
    the ’unis VM’ able
    to steal data being transmitted through the other VMs. This was performed through
    a combination of monitoring various known factors of the host,

    such as thread scheduling, L1 cache and power. The paper highlighted that currently
    the virtualisation technologies need to do more about isolation.

  2. Data Loss – Cloud and non-cloud users fall foul of this with Cloud
    typically being a target for hackers. Geo-Replication, backups and Government policies
    on data and it’s storage all help here.
    Encryption could be something that you may want to employ to ensure some protection
    over the copies of data now present.
  3. Account Hijacking – gaining unlawful access to account details such
    as user/pass combination. Amazon in 2010 was foul to a cross site scripting bug that
    allowed 3rd parties to get access
    to user/pass credentials. With the explosion on the Cloud keeping your credentials
    safe becomes that much more important. Also changing passwords frequently would be
    a good habit
    to get into.

    The other interesting point here to note is that if your account is indeed hijacked
    then it maybe sometime until the hackers exploit this.

    Gaining access to someone’s account doesn’t have to be a hi-tech solution either.
    As in the movie Sneakers all that was required was a dinner conversation for the voice
    password
    ”My voice is my passport”

  4. Insecure APIs – Cloud based APIs form the under pinning of many software
    and services available today. Essentially ensure these APIs are secure to the best
    possible effort and

    while they may not be compromised, are they able to stand DDOS attacks for e.g.
  5. Denial of Service – With the advent of the Cloud and cloud services,
    these attacks could for e.g. hit your Cloud based website causing it to be unresponsive,
    but you’re still being
    billed for the usage. Also within Microsoft Azure web site configurations we can now
    add DDOS settings to indicate when the underlying load balancer should throttle the
    requests coming
    from a particular rogue client.
  6. Malicious Insiders – the focus here is both internal, hosted and
    Cloud based solutions. Policies and procedures are more important within the Cloud
    space – what procedures does your

    provider follow? Who can access the encryption keys? where are they stored? etc.
  7. Abuse of Cloud Services – The Cloud possesses many servers, elastic
    scale and dynamic compute power, making it the perfect platform
    for a bot-net to spin up in and get to work. Azure limits default subscriptions to
    20 cores, more are available upon request.
  8. Insufficient Due Diligence – Don’t jump into the Cloud platform without
    examining the offer. Many hosting providers have added the word ’Cloud’ to the front
    of their names as in ’Cloud Hosting Providers’ with the underlying process and infrastructure
    the same, with the same vulnerabilities.

    In this space Azure has many ratified processes that get re-certified each year with
    some of these processes available to military grade specification.

    Cloud is big business for Microsoft and getting things like this wrong would be a
    true achilles heel.

  9. Shared Technology Issues – as Cloud providers share underlying technologies
    from CPUs, Services, Storage and other services. If these are exposed then so is your
    platform potentially.

Talk to you soon.

Mick.


Blog Post by: Mick Badran