A security expert warns that organizations making a foray into cloud computing may know familiar terms like multi-tenancy and virtualization, but that doesn't mean they understand everything about putting applications in the cloud.
In the world of cloud computing, those technologies are thrown together to create a new class of applications with their own unique set of governance rules, said Jim Reavis, executive director with the Cloud Security Alliance (CSA).
"This is a new epoch in computing," said Reavis. Even if it all sounds familiar, digging a little deeper will uncover a whole set of new risks.
Organizations will often adopt cloud computing at a much faster rate than security professionals are comfortable with, said Reavis. A pragmatic approach is necessary. "Take a risk-based approach to understanding the real risks and mitigating practices we can leverage to securely adopt the cloud," he said.
CSA, in collaboration with Palo Alto, Calif.-based Hewlett-Packard Co., listed what they called the seven deadly sins of cloud security. The research is based on input from security experts across 29 enterprises, technology providers and consulting firms.
1. Data Loss/Leakage: There is not an acceptable level of security control for data in the cloud, said Reavis. Some applications could be leaking data as a result of weak API access control and weak key generation, storage and management. Data destruction policies may also be absent.
2. Shared Technology Vulnerabilities: In the cloud, a single misconfiguration can be duplicated across an environment where many virtual servers share the same configuration. Enforce service level agreements (SLAs) for patch management and best practices for network and server configuration.
3. Malicious Insiders: The level of background checks that cloud providers perform on staff may differ compared to how enterprises usually control data centre access, said Reavis. "A lot of them do a good job but it is uneven," he said. Perform a supplier assessment and outline a level of employee screening.
4. Account, Service and Traffic Hijacking: A lot of data, applications and resources are concentrated in the cloud where, with weak authentication, an intruder can access a user account and get at that customer's virtual machines, said Reavis. Proactive monitoring of threats and two-factor authentication are advised.
5. Insecure Application Programming Interfaces: It's important to perceive the cloud as a new platform and not merely as outsourcing when it comes to developing applications, said Reavis. There ought to be a vetting process surrounding application lifecycles, where the developer understands and applies certain guidelines regarding authentication, access controls and encryption.
6. Abuse and Nefarious Use of Cloud Computing: The bad guys are probably more progressive than the good guys in how they use technology, said Reavis. Hackers are seen very quickly applying new threats, combined with the ability to easily scale up and down in the cloud. All it takes is a credit card.