Slideshow

Seven deadly sins of cloud security

8 Photos IDG Online Staff (IDG News Service)

Hewlett-Packard Co. and the Cloud Security Alliance list seven deadly sins you ought to be aware of

  • Account, Service & Traffic Hijacking: A lot of data, applications and resources are concentrated in the cloud where, with weak authentication, an intruder can access a single user account and ultimately get at that customer's virtual machines. Proactive monitoring of threats and two-factor authentication is advised.

  • Unknown Risk Profile: Transparency issues continue to persist concerning cloud providers. Account users only interact with the front-end interface and really don't know what goes on in the backend. Who knows which platforms or patch levels the provider is employing?

  • Abuse and Nefarious Use of Cloud Computing: The bad guys are probably more progressive than the good guys in how they use technology. Hackers are seen very quickly applying new threats combined with the ability to easily scale up and down in the cloud. All it takes is a single credit card to open up the floodgates.

  • Insecure Application Programming Interfaces: It's important to perceive the cloud as a new platform and not merely as outsourcing when it comes to developing applications. There ought to be a vetting process surrounding application lifecycles, where the developer understands and applies certain guidelines regarding authentication, access controls and encryption.

  • Shared Technology Vulnerabilities: In the cloud, a single misconfiguration can be duplicated across an environment where many virtual servers share the same configuration. Enforce service level agreements (SLAs) for patch management and best practices for network and server configuration.

  • Hewlett-Packard Co. and the Cloud Security Alliance list seven deadly sins you ought to be aware of before putting applications in the cloud. Have you or your provider committed these sins?

  • Malicious Insiders: The level of background checks that cloud providers perform on staff may differ compared to how enterprises would prefer to control data centre access. Many providers may do a good job but it's largely uneven. Perform a supplier assessment and outline a level of employee screening.

  • Data Loss/Leakage: There isn't currently an acceptable level of security controls surrounding data in the cloud. Some applications could be leaking data as a result of weak API access control and key generation, storage and management. And, data destruction policies may also be absent.

Show Comments
Security Watch
Back to top

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?