Cloud Security's Seven Deadly Sins

A new study, Top Threats to Cloud Computing V1.0, conducted by the Cloud Security Alliance, identifies seven types of security risks present in cloud computing. Many of the threats also apply to corporate networks, but can be exacerbated by both the openness and scale of cloud services. The study was released at the RSA Conference 2010. Hewlett-Packard funded the study and is using its release to promote its Secure Advantage services, which help businesses sort through the myriad security products and services on the market, including HP's and other vendors.

The first threat outlined by the study is misuse of cloud computing, where the cloud itself is used to host attacks. Clouds have been infected with the Zeus botnet and the InfoStealer Trojan horse, for instance. Because people can access cloud computing services with just a credit card, or even a free trial period, criminals can spam and spread malware in relative anonymity. The study recommends stricter registration and validation, better credit card fraud detection and data traffic monitoring.

The second threat is unsecured APIs. Poorly written APIs can contain exploitable loopholes, says Chris Whitener, chief security strategist for HP. "This isn't new; people write bad applications all the time. But when you expand it to, say, 10,000 instances to handle 100,000 employees, you really make a big mess out of the thing." The study recommends closer analysis of API security. It also recommends strong authentication, access controls and encryption.

Malicious insiders are identified as the third threat. This threat is well known in corporate networks, but with the cloud, Whitener explains, you don't have control over who works at the cloud vendor and what they might be up to. The study recommends a comprehensive supplier assessment as well as contract specifications around how the vendor must screen workers.

Shared technology is a fourth area of concern. In an environment where multiple virtual servers have the same configuration, a single bug or misconfiguration can be replicated across a broad patch of a cloud provider's infrastructure. Companies should make sure their cloud vendor follows best practices for network and server configuration and should enforce service level agreements for patch management and vulnerability remediation.

Fifth is data leakage, another common concern that is magnified in the cloud. "There are so many more applications floating around on a cloud so chances are one of them has got to be screwed up and has to be leaking data," says Whitener. Among the study's recommendations are specifying strong API access control and implementing strong key generation, storage and management, and data destruction practices.

Account or service hijacking is the sixth threat. If an attacker can hijack a legitimate customer's account, he or she can gain control of that customer's virtual machines. The study recommends two-factor authentication and proactive monitoring to detect unauthorized activity.

The seventh threat is the unknown. Cloud vendors and their customers may think they've covered every possible risk, yet something may still happen that they weren't aware of. Whitener says there are companies who don't think through security risks because they think it won't happen to them. "They say 'I'm not going to think about all the issues that are associated with cloud computing, I'm just going to try it,'" Whitener says. "There are an awful lot of people out there who are doing that."

The CSA includes such companies as Dell, Intel, McAfee, Microsoft, Symantec and VMware. Notably, HP rival IBM, also is active in cloud computing, is not a member.