A leading cloud security group lists the "Notorious Nine" top threats to cloud computing in 2013; most are already familiar, but none of them has a complete solution.
Shadow IT can be a good thing until it runs into the security of cloud computing. All too often, line-of-business users are setting up applications and moving data into the cloud without understanding the full security implications.
The Cloud Security Alliance has prepared a list of the nine most prevalent and serious security threats in cloud computing. Many of them relate in one way or another to the weaknesses implicit in Shadow IT.
The alliance bills its list as the "Notorious Nine: Cloud Computing Threats in 2013." The CSA itself was formed in 2008 on the heels of the Information Systems Security Association CISO Forum in Las Vegas. Jim Reavis, a well-known security researcher and author, issued a call to action to secure the cloud at the event, which resulted in the founding of the organization.
The report was released in February and was written by a group within the alliance, including co-chairs Rafal Los of HP, Dave Shackleford of Voodoo Security, and Bryan Sullivan of Microsoft. They were assisted by staff members Luciano Santos, research director; Evan Scoboria, webmaster; Kendall Scoboria, graphic designer; Alex Ginsburg, copywriter; and John Yeoh, research analyst.
Here are the CSA's biggest concerns.
1. Data Breaches
The data breach at Target, which led to the loss of personal and credit card information of as many as 110 million individuals, was one of a series of startling thefts that took place in the course of the normal processing and storage of data. "Cloud computing introduces significant new avenues of attack," said the CSA report authors. The absolute security of hypervisor operation and virtual machine operations is still to be proved. Indeed, critics question whether such absolute security can exist. The report's writers said there is lab evidence (though none known in the wild) that breaches via hypervisors and virtual machines may occur eventually.
Researchers at the University of Wisconsin, security software firm RSA, and the University of North Carolina cited evidence in November 2012 that it is possible for a user on one virtual machine to listen for activity that signals the arrival of an encryption key on another VM on the same host. It is called the "side channel timing exposure," as was previously reported by InformationWeek.
"It's every CIO's worst nightmare: the organization's sensitive internal data falls into the hands of their competitors," the report said.
So far, the biggest breaches have not involved such advanced techniques, which remain for the most part lab experiments. But the possibility still acts as a brake on what is looking like broad enterprise adoption of cloud computing. Clouds represent concentrations of corporate applications and data, and if any intruder penetrated far enough, who knows how many sensitive pieces of information might be exposed. "If a multitenant cloud service database is not properly designed, a flaw in one client's application could allow an attacker access not only to that client's data, but every other client's data as well," the report concluded.
"Unfortunately, while data loss and data leakage are both serious threats to cloud computing, the measures you put in place to mitigate one of these threats can exacerbate the other," the report said. Encryption protects data at rest, but lose the encryption key and you have lost the data. The cloud routinely makes copies of data to avoid its loss due to the unexpected death of a server. The more copies, the more exposure you have to breaches.
2. Data Loss
A data breach is the result of a malicious and probably intrusive action. Data loss may occur when a disk drive dies without its owner having created a backup. It occurs when the owner of encrypted data loses the key that unlocks it. Small amounts of data were lost for some Amazon Web Services customers as its EC2 cloud suffered "a remirroring storm" due to human operator error on Easter weekend in 2011. And a data loss could occur intentionally in the event of a malicious attack.
The alliance cited the case of Mat Honan, a writer for Wired magazine, who in the summer of 2012 found that an outsider had broken into his Gmail, Twitter, and Apple accounts and deleted all the baby pictures of his 18-month-old daughter.
"For both consumers and businesses, the prospect of permanently losing one's data is terrifying," the report acknowledged. There are many techniques to prevent data loss. It occurs anyway.
3. Account Or Service Traffic Hijacking
Account hijacking sounds too elementary to be a concern in the cloud, but CSA says it is a problem. Phishing, exploitation of software vulnerabilities such as buffer overflow attacks, and loss of passwords and credentials can all lead to the loss of control over a user account. An outsider with control over a user account can eavesdrop on transactions, manipulate data, provide false and business-damaging responses to customers, and redirect customers to a competitor's site or inappropriate sites.
If your account in the cloud is hijacked, it can be used as a base by an attacker to exploit the power of your reputation to enhance himself at your expense. The CSA said Amazon.com's wireless retail site experienced a cross-site scripting attack in April 2010 that allowed the attackers to hijack customer credentials as they came to the site. In 2009, it said, "numerous Amazon systems were hijacked to run Zeus botnet nodes." The report does not detail what the nodes did, but they were known in 2007 for placing malware on the US Department of Transportation website and in 2009 for placing malware on NASA's and the Bank of America's sites. The compromised EC2 nodes were detected by security firm Prevx, which notified Amazon, and they were promptly shut down.
If credentials are stolen, the wrong party has access to an individual's accounts and systems. A service hijacking lets an outsider into critical areas of a deployed service with the potential of "compromising the confidentiality, integrity, and availability" of those services, the report said.
The alliance offers tips on practicing defense in depth against such hijackings, but the must-do points are to prohibit the sharing of account credentials between users, including trusted business partners, and to implement strong two-factor authentication techniques "where possible."
4. Insecure APIs
The cloud era has brought about the contradiction of trying to make services available to millions while limiting any damage all these largely anonymous users might do to the service. The solution has been a public-facing application programming interface, or API, that defines how a third party connects an application to the service and provides verification that the third party producing the application is who he says he is.
Leading web developers, including ones from Twitter and Google, collaborated on specifying OAuth, an open authorization service for web services that controls third-party access. OAuth became an Internet Engineering Task Force standard in 2010, and Version 2.0 is used for at least some services by
Charles Babcock is an editor-at-large for InformationWeek, having joined the publication in 2003. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive Week. He is a graduate of Syracuse …