Cloud Security: Beware the 'Treacherous 12'Cloud Security: Beware the 'Treacherous 12'

"Treacherous 12" sounds like what happens to kids just before they become teenagers. But it's actually the title of a new report from the Cloud Security Alliance, describing the top cloud security threats that enterprises need to address.

In the early days of cloud migration, businesses were fearful of moving to the cloud. They perceived safety in controlling their own infrastructure. Now, the pendulum has swung in the opposite direction -- businesses are eager to migrate to the cloud, and let cloud providers solve security problems.

The reality is between the two extremes. The cloud has many advantages, but it also presents security problems different from on-premises infrastructure. Hence the motivation for Treacherous 12: Top Threats to Cloud Computing + Industry Insights, a report from the Cloud Security Alliance.

The report arms enterprises with the information they need "to make educated risk-management decisions regarding cloud adoption strategies," according to the executive summary.

Figure 1:

Keep up with the latest enterprise cloud news and insights. Sign up for the weekly Enterprise Cloud News newsletter.

The report includes up-to-date examples of cloud security problems, to help security professionals make a case that threats are real. "When somebody goes to the boss and says 'this is a problem,' we want them to be armed with the latest and greatest examples of why this is a problem," Jon-Michael C. Brook, Cloud Security Alliance research fellow and working group co-chair, tells Enterprise Cloud News.

Some threats to enterprise security are constant between on-premises infrastructure and the cloud. For example, weak passwords are weak passwords, Brook says.

But weak password problems can be exacerbated by the cloud. An attacker can break into a system that's not configured with multifactor authentication (MFA), steal information, and set up new services in the target's name. The attacker can also change passwords and set up MFA requirements to deny the target access to their own system, Brook says.

Some cloud threats are new. For example, in the cloud, IT doesn't have physical access to servers and can't simply shut things down to block an attack. "You won't be able to shut down access to the system. You don't just have a firewall you can unplug," Brook says.

In the cloud, denial-of-service attacks become economic denial of service, where attackers take advantage of cloud elasticity to overwhelm servers and run up huge bandwidth and compute usage, which maxes out the ability of the attack target to pay the cloud provider for services, Brook says.

"Denial of service changes from 'my server has been overwhelmed' to 'my charge account has been overwhelmed,'" he says.

Shared servers create attack vulnerabilities, Brook says. "We've seen examples where people have been able to pilfer information from one VM to another. That's something that didn't exist prior to virtualization technology. If you had a server, you did not expect your competition would be sharing it," Brook says.

But the cloud also has security advantages. Microservices and containers allow users to simply take down a compromised service and replace it, rather than having to perform forensics and restore it to an uncompromised state, Brook says.

Cloud services are resistant to denial-of-service attacks that swamp bandwidth or compute; cloud providers like Amazon Web Services and Microsoft Azure can resist those sorts of attacks.

And cloud providers are diligent about applying security patches, which can save an enterprise from what happened to Equifax Inc. when that company failed to keep up with security patches. (See Right & Wrong Lessons From the Equifax Breach.)

Related posts:

— Mitch Wagner Editor, Enterprise Cloud News