Clouds Are Not Really Very Safe! – Here are 9 Security Threats Everyone Needs to Understand

24 April 2015 | Internet, IT & e-Discovery Blog
Authors: Peter Vogel

A report from the Cloud Security Alliance (CSA) explained how the cloud is not as safe as many people think it is, based on “nine major categories of threats that face cloud technologies,” and said that organizations “must weigh these threats as part of a rigorous risk assessment, to determine which security controls are necessary.” CDW issued a White Paper entitled “Playbook: Overcoming Cloud Security Concerns” which explained how to deal with the 9 CSA threats and explained the difference between data loss and data breach:

Data loss is sometimes confused with data breach. Unlike a data breach, which always involves an unauthorized party gaining access to sensitive data — an exploitation of confidentiality — data loss simply means that an organization’s data has been deleted or overwritten, a failure of availability.

Here are the 9 CSA Threats with CDW’s comments included:

1. Data Breaches. Major data breaches have been reported at every type of organization: businesses, educational institutions, government agencies and others. Each data breach involves one or more unauthorized parties gaining access to portions of the organization’s sensitive data.

2. Data Loss. Data loss generally occurs when data that has not been properly duplicated and secured to protect its availability is lost, deleted or otherwise made unavailable. Unfortunately, data loss has become more prevalent in cloud environments because many IT managers operate under the false assumption that the cloud inherently provides superior protection for availability.

3. Account or Service Traffic Hijacking. This threat involves the practice of gaining unauthorized access to a user account or service, such as stealing a user’s password and logging into a system as that user, or exploiting a vulnerability in a service to gain access to that service. Hijacking is most often performed to gain access to sensitive data to which a user or service has access, or to perform actions under the user’s or service’s privileges.

4. Insecure Interfaces. Software interfaces, such as application programming interfaces (APIs), provide access to cloud-based services by allowing commands to be issued against the service. Generally, some parts of an API allow for service usage, while other parts allow for service management. An insecure API can lead to compromises of both service usage and management, causing data breaches, data loss and other serious problems.

5. Denial of Service. Denial of Service (DoS) attacks have been a threat against applications and services for many years. These attacks work by consuming resources, thus preventing legitimate users from accessing those resources.

6. Malicious Insiders. Malicious insiders are authorized personnel — users and administrators — who intentionally violate organizational policy for personal reasons, such as financial gain or revenge. Because they already have access to sensitive data, malicious insiders may readily cause data breaches, data losses and other negative effects. For example, an insider may copy a sensitive database onto a flash drive, then use the information stored on it to commit identity theft.

7. Abuse of Cloud Services. Abuse of cloud services involves parties taking advantage of cloud services to perform malicious acts, such as cracking passwords or launching attacks against other systems. Abuse of cloud services is a threat primarily affecting cloud service providers, not cloud customers.

8. Insufficient Due Diligence. Organizations that are considering the adoption of cloud technologies must fully understand the risks inherent in this step. An enterprise that does not effectively secure its cloud deployment to address the numerous cloud threats faces a significantly increased risk of compromise.

9. Shared Technology Vulnerabilities. Vulnerabilities within the cloud infrastructure itself, such as hypervisor weaknesses or an application or service shared by cloud users from different organizations, also represent a threat. The risk of these vulnerabilities is that an attacker can exploit a weakness in one piece of software to gain unauthorized access to data and services for multiple cloud customers.
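Items 3 and 4 above describe stolen credentials and insecure management APIs only in the abstract. The Python sketch below is an added illustration, not code from the CSA report, the CDW playbook or this post; it shows one defensive control that addresses both points: an API gateway that verifies a token's integrity with an HMAC before trusting anything in it, and keeps "usage" (data-plane) scopes separate from "manage" (control-plane) scopes so that a leaked application token cannot reach management calls. The endpoint map, scope names, signing key and token format are all constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumption: in a real deployment the key lives in a secrets manager, not in code.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

# Assumed endpoint-to-scope map. Data-plane calls need "usage";
# control-plane (management) calls need the separate "manage" scope.
ENDPOINT_SCOPES = {
    "GET /objects": "usage",
    "PUT /objects": "usage",
    "DELETE /buckets": "manage",
    "POST /iam/users": "manage",
}


def issue_token(subject, scopes):
    """Mint a signed token: base64(JSON claims) + '.' + HMAC-SHA256 hex tag."""
    payload = json.dumps({"sub": subject, "scopes": sorted(scopes)}, sort_keys=True)
    body = base64.urlsafe_b64encode(payload.encode()).decode()
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token):
    """Return the claims dict if the tag is valid, otherwise None."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None  # malformed token: no tag at all
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def authorize(token, endpoint):
    """Gateway decision: (allowed, reason). Unknown endpoints are denied by default."""
    claims = verify_token(token)
    if claims is None:
        return False, "invalid or tampered token"
    required = ENDPOINT_SCOPES.get(endpoint)
    if required is None:
        return False, "unknown endpoint"
    if required not in claims["scopes"]:
        return False, f"missing scope '{required}'"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: an application holds only the usage scope,
    # an operator holds both; the application token cannot manage buckets.
    app_token = issue_token("app-service", ["usage"])
    ops_token = issue_token("ops-admin", ["usage", "manage"])
    for tok, ep in [(app_token, "GET /objects"), (app_token, "DELETE /buckets"),
                    (ops_token, "DELETE /buckets")]:
        print(ep, authorize(tok, ep))
```

The point of the split is that a token stolen from an application process (threat 3) stays confined to the data plane, while the management surface (threat 4) is reachable only with a separately issued credential. A forged or edited token fails the HMAC check before any scope is read.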

Of course, with proper planning most of these threats can be eliminated.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. 
In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.
