
Cloud Security: Beware the 'Treacherous 12'

Mitch Wagner

"Treacherous 12" sounds like what happens to kids just before they become teenagers. But it's actually the title of a new report from the Cloud Security Alliance, describing the top cloud security threats that enterprises need to address.

In the early days of cloud migration, businesses were fearful of moving to the cloud. They perceived safety in controlling their own infrastructure. Now, the pendulum has swung in the opposite direction -- businesses are eager to migrate to the cloud, and let cloud providers solve security problems.

The reality is between the two extremes. The cloud has many advantages, but it also presents security problems different from on-premises infrastructure. Hence the motivation for Treacherous 12: Top Threats to Cloud Computing + Industry Insights, a report from the Cloud Security Alliance.

The report arms enterprises with the information they need "to make educated risk-management decisions regarding cloud adoption strategies," according to the executive summary.


The report includes up-to-date examples of cloud security problems, to help security professionals make a case that threats are real. "When somebody goes to the boss and says 'this is a problem,' we want them to be armed with the latest and greatest examples of why this is a problem," Jon-Michael C. Brook, Cloud Security Alliance research fellow and working group co-chair, tells Enterprise Cloud News.

Some threats to enterprise security are constant between on-premises infrastructure and the cloud. For example, weak passwords are weak passwords, Brook says.

But weak password problems can be exacerbated by the cloud. An attacker can break into a system that's not configured with multifactor authentication (MFA), steal information, and set up new services in the target's name. The attacker can also change passwords and set up MFA requirements to deny the target access to their own system, Brook says.

Some cloud threats are new. For example, in the cloud, IT doesn't have physical access to servers and can't simply shut things down to block an attack. "You won't be able to shut down access to the system. You don't just have a firewall you can unplug," Brook says.

In the cloud, denial-of-service attacks become economic denial of service: attackers take advantage of cloud elasticity to overwhelm servers and run up huge bandwidth and compute usage, exhausting the target's ability to pay the cloud provider for services, Brook says.

"Denial of service changes from 'my server has been overwhelmed' to 'my charge account has been overwhelmed,'" he says.

Shared servers create attack vulnerabilities, Brook says. "We've seen examples where people have been able to pilfer information from one VM to another. That's something that didn't exist prior to virtualization technology. If you had a server, you did not expect your competition would be sharing it," Brook says.

But the cloud also has security advantages. Microservices and containers allow users to simply take down a compromised service and replace it, rather than having to perform forensics and restore it to an uncompromised state, Brook says.

Cloud services are resistant to denial-of-service attacks that swamp bandwidth or compute; cloud providers like Amazon Web Services and Microsoft Azure can resist those sorts of attacks.

And cloud providers are diligent about applying security patches, which can save an enterprise from what happened to Equifax Inc. when that company failed to keep up with security patches. (See Right & Wrong Lessons From the Equifax Breach.)


— Mitch Wagner, Editor, Enterprise Cloud News
