The cloud presents security threats that are different from on-premises IT.

Mitch Wagner, Executive Editor, Light Reading

October 20, 2017

4 Min Read
Cloud Security: Beware the 'Treacherous 12'

"Treacherous 12" sounds like what happens to kids just before they become teenagers. But it's actually the title of a new report from the Cloud Security Alliance, describing the top cloud security threats that enterprises need to address.

In the early days of cloud migration, businesses were fearful of moving to the cloud. They perceived safety in controlling their own infrastructure. Now, the pendulum has swung in the opposite direction -- businesses are eager to migrate to the cloud, and let cloud providers solve security problems.

The reality is between the two extremes. The cloud has many advantages, but it also presents security problems different from on-premises infrastructure. Hence the motivation for Treacherous 12: Top Threats to Cloud Computing + Industry Insights, a report from the Cloud Security Alliance.

The report arms enterprises with the information they need "to make educated risk-management decisions regarding cloud adoption strategies," according to the executive summary.

Figure 1:

Keep up with the latest enterprise cloud news and insights. Sign up for the weekly Enterprise Cloud News newsletter.

The report includes up-to-date examples of cloud security problems, to help security professionals make a case that threats are real. "When somebody goes to the boss and says 'this is a problem,' we want them to be armed with the latest and greatest examples of why this is a problem," Jon-Michael C. Brook, Cloud Security Alliance research fellow and working group co-chair, tells Enterprise Cloud News.

Some threats to enterprise security are constant between on-premises infrastructure and the cloud. For example, weak passwords are weak passwords, Brook says.

But weak password problems can be exacerbated by the cloud. An attacker can break into a system that's not configured with multifactor authentication (MFA), steal information, and set up new services in the target's name. The attacker can also change passwords and set up MFA requirements to deny the target access to their own system, Brook says.

Some cloud threats are new. For example, in the cloud, IT doesn't have physical access to servers and can't simply shut things down to block an attack. "You won't be able to shut down access to the system. You don't just have a firewall you can unplug," Brook says.

In the cloud, denial-of-service attacks become economic denial of service, where attackers take advantage of cloud elasticity to overwhelm servers and run up huge bandwidth and compute usage, which maxes out the ability of the attack target to pay the cloud provider for services, Brook says.

"Denial of service changes from 'my server has been overwhelmed' to 'my charge account has been overwhelmed,'" he says.

Shared servers create attack vulnerabilities, Brook says. "We've seen examples where people have been able to pilfer information from one VM to another. That's something that didn't exist prior to virtualization technology. If you had a server, you did not expect your competition would be sharing it," Brook says.

But the cloud also has security advantages. Microservices and containers allow users to simply take down a compromised service and replace it, rather than having to perform forensics and restore it to an uncompromised state, Brook says.

Cloud services are resistant to denial-of-service attacks that swamp bandwidth or compute; cloud providers like Amazon Web Services and Microsoft Azure can resist those sorts of attacks.

And cloud providers are diligent about applying security patches, which can save an enterprise from what happened to Equifax Inc. when that company failed to keep up with security patches. (See Right & Wrong Lessons From the Equifax Breach.)

Related posts:

— Mitch Wagner Follow me on Twitter Visit my LinkedIn profile Visit my blog Follow me on Facebook Editor, Enterprise Cloud News

About the Author(s)

Mitch Wagner

Executive Editor, Light Reading

San Diego-based Mitch Wagner is many things. As well as being "our guy" on the West Coast (of the US, not Scotland, or anywhere else with indifferent meteorological conditions), he's a husband (to his wife), dissatisfied Democrat, American (so he could be President some day), nonobservant Jew, and science fiction fan. Not necessarily in that order.

He's also one half of a special duo, along with Minnie, who is the co-habitor of the West Coast Bureau and Light Reading's primary chewer of sticks, though she is not the only one on the team who regularly munches on bark.

Wagner, whose previous positions include Editor-in-Chief at Internet Evolution and Executive Editor at InformationWeek, will be responsible for tracking and reporting on developments in Silicon Valley and other US West Coast hotspots of communications technology innovation.

Beats: Software-defined networking (SDN), network functions virtualization (NFV), IP networking, and colored foods (such as 'green rice').

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like