Security Concerns
Many of the security concerns associated with cloud computing are addressed by the tools and processes described in the previous section on risk, which cover privacy and access control, business process risk and operational risk. There is also security-specific risk that is not unique to the cloud but is amplified by its use. The Cloud Security Alliance (CSA) conducted a survey,[7] which resulted in a report of likely cloud risks:

• Abuse and nefarious use of cloud computing—A problem for both the CSP and the cloud client: abuse of the cloud can monopolize resources and negatively affect other cloud users. Providers offer customers effectively unlimited computing, network and storage capacity, often through an easy registration process; anyone with a valid credit card can register and immediately begin using these services, and some providers offer free limited trial periods. The lack of control at registration permits near-anonymity in the cloud, which has given many with malicious intent a platform on which to conduct, with relative impunity, activities such as scanning for vulnerabilities and writing malicious code. PaaS providers have traditionally suffered most from this kind of abuse, although attackers have begun to target IaaS vendors as well.

• Insecure APIs—CSPs expose a set of APIs through which customers manage and interact with cloud services; provisioning, management, orchestration and monitoring are all performed through these interfaces. The security and availability of the cloud services built on them therefore depend on the security of these basic APIs. From authentication and access control to encryption and activity monitoring, the interfaces must be designed to withstand both accidental and malicious attempts to circumvent policy. Furthermore, enterprises and third parties often build on these interfaces to offer value-added services to their customers. Because this layers a new API on top of the provider's, it also increases risk: the enterprise may be required to hand its own cloud credentials to the third party, so the third party's handling of those credentials becomes part of the enterprise's attack surface. While most CSPs strive to integrate security into their service models, client risk managers must fully understand the security implications of how cloud services are used, managed, orchestrated and monitored. Reliance on a weak set of APIs exposes the enterprise to a variety of issues affecting confidentiality, integrity, availability and accountability.

• Malicious insiders—The threat of a malicious insider is well known to most enterprises. While it is a familiar risk in traditional IT, it is amplified for clients of cloud services: instead of relying on its own employees, whom the enterprise screened and selected, the client now has to trust the CSP and its employees, and there is often little or no visibility into the CSP's hiring standards and practices. The impact that malicious insiders can have is considerable, given their level of access; brand damage, financial loss and productivity losses are just some of the ways a malicious insider can affect an operation. As enterprises adopt cloud services, the human element takes on even greater importance.
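The insecure-API point about layered APIs forcing an enterprise to relinquish its credentials to a third party has a standard mitigation that the text does not spell out: delegate a narrowly scoped, short-lived capability rather than the long-lived key itself, and have the layered API check that scope on every call. The following is an added example written for this page, not code from the original text or the CSA report. The key, token format, action names (`storage:Read`, `storage:Delete`) and resource paths are all hypothetical constructions; no CSP's actual API is represented.

```python
"""Added illustration of the credential-relinquishing risk described under
"Insecure APIs": instead of handing a third-party service the enterprise's
long-lived cloud API key, the enterprise mints a short-lived token scoped to a
few actions on a resource prefix, and the layered API checks that scope on
every call. Every name below is hypothetical; this is not any CSP's API."""
import hashlib
import hmac
import json
import secrets
import time
from typing import List, Optional, Tuple

# Constructed for the example: the long-lived secret that, in the risky pattern,
# would be given to the third party outright. Here it never leaves the enterprise.
ENTERPRISE_API_KEY = secrets.token_bytes(32)


def issue_delegation(secret: bytes, actions: List[str], resource_prefix: str,
                     ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint a delegation token carrying only the allowed actions, a resource
    prefix and an expiry, authenticated with HMAC-SHA256 under the enterprise key."""
    now = time.time() if now is None else now
    claims = {
        "actions": sorted(actions),
        "resource_prefix": resource_prefix,
        "exp": int(now + ttl_seconds),
        "nonce": secrets.token_hex(8),  # makes each issued token distinct
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def check_delegation(secret: bytes, token: str, action: str, resource: str,
                     now: Optional[float] = None) -> Tuple[bool, str]:
    """The check the layered API must run before honouring a third-party call.
    Returns (allowed, reason). The signature is verified before any claim is trusted."""
    now = time.time() if now is None else now
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False, "expired"
    if action not in claims["actions"]:
        return False, "action not delegated: " + action
    if not resource.startswith(claims["resource_prefix"]):
        return False, "resource outside delegated scope: " + resource
    return True, "ok"


def demo() -> dict:
    """Exercise the scope checks with a fixed clock so results are reproducible."""
    t0 = 1_700_000_000
    token = issue_delegation(ENTERPRISE_API_KEY, ["storage:Read"],
                             "reports/", ttl_seconds=300, now=t0)
    # Flip the last hex digit of the tag to simulate a tampered token.
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "in_scope": check_delegation(ENTERPRISE_API_KEY, token, "storage:Read",
                                     "reports/q1.csv", now=t0 + 60)[0],
        "wrong_action": check_delegation(ENTERPRISE_API_KEY, token, "storage:Delete",
                                         "reports/q1.csv", now=t0 + 60)[1],
        "wrong_resource": check_delegation(ENTERPRISE_API_KEY, token, "storage:Read",
                                           "payroll/salaries.csv", now=t0 + 60)[1],
        "expired": check_delegation(ENTERPRISE_API_KEY, token, "storage:Read",
                                    "reports/q1.csv", now=t0 + 301)[1],
        "tampered": check_delegation(ENTERPRISE_API_KEY, tampered, "storage:Read",
                                     "reports/q1.csv", now=t0 + 60)[1],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The contrast with the risky pattern is the point: a third party holding `ENTERPRISE_API_KEY` itself could call any operation on any resource indefinitely, whereas a compromised delegation token yields only `storage:Read` under `reports/` for five minutes. Cloud providers expose native mechanisms for scoped, temporary credentials that serve the same purpose; the encoding here is deliberately minimal so that the scope and expiry checks the layered API must perform are visible.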