My take and some answers on it – http://www.cloudsecurityalliance.org/topthreats/
Welcome back folks to a beautiful 2014. I had an interesting one while going through a Cloud Solution Design: I came across the Cloud Security Alliance document The Notorious Nine: Cloud Computing Top Threats in 2013, and I thought I'd talk through these concerns one by one.
Data Breaches – this issue can occur on many levels and I don't think it's limited to 'Cloud' per se: it could be your insurance company down the road, the doctor, the dentist, etc., and we've all seen those TV shows where the 'hustlers' go through someone's trash to pull out the key gems of information that unlock the scam.

Interestingly, the paper cites research led by the University of North Carolina at Chapel Hill (with the University of Wisconsin and RSA) in which a VM running as one of many on the same host extracted a private cryptographic key from a neighbouring VM. It is a side-channel attack rather than a break-in: the attacking VM never reads the victim's memory, it infers what the victim is computing by timing its own L1 cache accesses, and it abuses the hypervisor's thread scheduling to get frequent turns on the same physical core. Nothing looks wrong from inside the victim's VM, which is what makes it nasty. The paper highlighted that current virtualisation technologies need to do more about isolation between tenants.
Data Loss – cloud and non-cloud users both fall foul of this, with cloud typically being a target for hackers, though data is just as easily lost to accidental deletion or a failed disk. Geo-replication, backups and government policies on data and its storage (where it may reside, and for how long) all help here. The catch is that every replica and backup is another copy that can be breached, so encryption is something you may want to employ to ensure some protection over the copies of data now present, with the keys kept somewhere other than alongside those copies.
Account Hijacking – gaining unlawful access to account details such as a username/password combination. In 2010 Amazon fell foul of a cross-site scripting (XSS) bug that allowed third parties to get hold of users' credentials. With the explosion of the cloud, keeping your credentials safe becomes that much more important; changing passwords regularly, not sharing them between services and, where the provider offers it, turning on multi-factor authentication are good habits to get into.

The other interesting point to note here is that if your account is indeed hijacked it may be some time before the hackers exploit it, so unfamiliar logins or resource usage on your account deserve a look. Gaining access to someone's account doesn't have to be a hi-tech solution either. As in the movie Sneakers, all that was required was a dinner conversation to record the voice password: "My voice is my passport. Verify me."
Insecure APIs – cloud-based APIs form the underpinning of much of the software and many of the services available today, and they are exposed straight to the Internet. Ensure these APIs are secured to the best possible effort (authentication and authorisation on every call, validation of everything that comes in, encryption in transit), and even if they are not compromised, ask whether they can stand up to a DDoS attack, for example: an API that falls over, or that runs up your bill, under a flood of requests is a weak link for everything built on top of it.
Denial of Service – with the advent of the cloud and cloud services, these attacks could, for example, hit your cloud-based website and leave it unresponsive while you are still being billed for the usage: the meter runs on the attacker's traffic too. Also, within Microsoft Azure Web Sites configuration we can now add settings that tell the underlying infrastructure when to throttle the requests coming from a particular rogue client, based on how many requests it sends in a given interval and how many it has open at once.
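As an added example covering both the "can the API stand a DDoS" question and the per-client throttling just described (not the post's code, and not Azure's implementation), here is a small Node.js throttle that applies the same two checks a dynamic IP restriction feature makes, a sliding-window request count and a concurrent-request cap per client, and replays a constructed request stream through it: one well-behaved user at one request per second and one flooder sending fifty requests per second. Client addresses, limits and timings are all constructed for the demo.

```javascript
// Added example: throttle a rogue client at the edge of an API so one source can't
// exhaust (and bill you for) the whole service. Sliding-window request count plus a
// concurrent-request cap, per client. Plain Node.js; the request stream is constructed.

class ClientThrottle {
  constructor({ maxRequests, windowMs, maxConcurrent }) {
    this.maxRequests = maxRequests;      // allowed requests per window, per client
    this.windowMs = windowMs;
    this.maxConcurrent = maxConcurrent;  // allowed requests in flight, per client
    this.history = new Map();            // client -> timestamps of allowed requests
    this.inFlight = new Map();           // client -> requests currently being served
  }

  // Decide on an incoming request at time nowMs. Returns 'allow', or the reason
  // for rejection: 'rate' (too many in the window) or 'concurrency' (too many open).
  begin(client, nowMs) {
    const recent = (this.history.get(client) || []).filter(t => nowMs - t < this.windowMs);
    this.history.set(client, recent);                 // drop timestamps outside the window
    if (recent.length >= this.maxRequests) return 'rate';
    const open = this.inFlight.get(client) || 0;
    if (open >= this.maxConcurrent) return 'concurrency';
    recent.push(nowMs);                               // only allowed requests count
    this.inFlight.set(client, open + 1);
    return 'allow';
  }

  // Call when an allowed request finishes.
  end(client) {
    const open = this.inFlight.get(client) || 0;
    this.inFlight.set(client, Math.max(0, open - 1));
  }
}

// Constructed request stream: a legitimate user at ~1 req/s with fast requests,
// and a flooder at 50 req/s whose requests each hold a worker for half a second.
function buildSampleRequests() {
  const reqs = [];
  for (let i = 0; i < 10; i++) reqs.push({ client: '203.0.113.7', t: i * 1000, durationMs: 50 });
  for (let i = 0; i < 100; i++) reqs.push({ client: '198.51.100.9', t: 2000 + i * 20, durationMs: 500 });
  return reqs.sort((a, b) => a.t - b.t);
}

// Replay the stream through the throttle, releasing requests as they complete.
// Returns per-client counts of each decision.
function replay(requests, throttle) {
  const outcome = {};
  const pending = [];                                 // allowed requests still running
  for (const r of requests) {
    for (let i = pending.length - 1; i >= 0; i--) {   // finish anything done by now
      if (pending[i].finishAt <= r.t) { throttle.end(pending[i].client); pending.splice(i, 1); }
    }
    const decision = throttle.begin(r.client, r.t);
    const o = outcome[r.client] || (outcome[r.client] = { allow: 0, rate: 0, concurrency: 0 });
    o[decision]++;
    if (decision === 'allow') pending.push({ client: r.client, finishAt: r.t + r.durationMs });
  }
  return outcome;
}

function demo() {
  const throttle = new ClientThrottle({ maxRequests: 30, windowMs: 2000, maxConcurrent: 10 });
  return replay(buildSampleRequests(), throttle);
}

module.exports = { ClientThrottle, buildSampleRequests, replay, demo };
```

With these limits the legitimate user's ten requests all go through, while the flooder gets 30 allowed, 30 refused for holding too many requests open and 40 refused for exceeding the window rate: the flood is capped at a fixed cost to you instead of scaling with the attacker's effort. Note that the limits are per client address, so a distributed attack from many addresses still needs capacity planning and upstream filtering; the throttle's job is to stop any one source monopolising the service.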
Malicious Insiders – the focus here covers internal, hosted and cloud-based solutions alike. Policies and procedures matter more in the cloud space because the people with physical and administrative access to your data are not your people: what procedures does your provider follow? Who can access the encryption keys? Where are they stored? Who is told when they are used? etc.
Abuse of Cloud Services – the cloud possesses many servers, elastic scale and dynamic compute power, making it the perfect platform for a bot-net to spin up in and get to work, or for an attacker to rent the raw compute to brute-force a key in hours that would take years on their own hardware. Azure limits default subscriptions to 20 cores; more are available upon request, which is as much an abuse control as a capacity one.
Insufficient Due Diligence – don't jump onto a cloud platform without examining the offer. Many hosting providers have simply added the word 'Cloud' to the front of their names, as in 'Cloud Hosting Providers', with the underlying process and infrastructure the same as before, and with the same vulnerabilities. In this space Azure has many ratified processes that get re-certified each year, some of them to government and military-grade specifications. Cloud is big business for Microsoft and getting things like this wrong would be a true Achilles heel.
Shared Technology Issues – cloud providers share underlying technology, from CPUs and hypervisors through to storage and other services, across many tenants. If any of those is exposed then so, potentially, is your platform: a single vulnerability in a shared component can affect every customer on that host, which is exactly what the cross-VM research under Data Breaches above demonstrated.
Talk to you soon.
Mick.
Blog Post by: Mick Badran