My take and some answers on it – http://www.cloudsecurityalliance.org/topthreats/
Welcome back folks to a beautiful 2014. I had an interesting one while going through a Cloud Solution Design:
I came across the document "The Notorious Nine: Cloud Computing Top Threats in 2013" and I thought I'd talk through these concerns one by one.
- Data Breaches – this issue can occur on many levels and I don't think it's limited to 'Cloud' per se; it could be your insurance company down the road, the doctor, the dentist etc., and we've all seen those TV shows where the 'hustlers' go through someone's trash to pull out the key gems of information that unlock the scam. Interestingly, the paper cites work from the University of North Carolina at Chapel Hill that came up with a technique to steal data from a VM running as one of many within the same host, with the university's VM able to steal data being transmitted through the other VMs. This was performed through a combination of monitoring various known factors of the host, such as thread scheduling, L1 cache and power. The paper highlighted that the current virtualisation technologies need to do more about isolation.
- Data Loss – Cloud and non-cloud users fall foul of this, with Cloud typically being a target for hackers. Geo-replication, backups and government policies on data and its storage all help here. Encryption is something you may want to employ to ensure some protection over the copies of data now present.
- Account Hijacking – gaining unlawful access to account details such as a user/pass combination. In 2010 Amazon fell foul of a cross-site scripting bug that allowed third parties to get access to user/pass credentials. With the explosion of the Cloud, keeping your credentials safe becomes that much more important. Changing passwords frequently would also be a good habit to get into. The other interesting point to note here is that if your account is indeed hijacked, it may be some time until the hackers exploit this. Gaining access to someone's account doesn't have to be a hi-tech solution either: as in the movie Sneakers, all that was required was a dinner conversation to capture the voice password, "My voice is my passport".
- Insecure APIs – Cloud-based APIs form the underpinning of much of the software and many of the services available today. Essentially, ensure these APIs are secure to the best possible effort, and even if they are not compromised, ask whether they are able to stand up to DDoS attacks, for example.
- Denial of Service – With the advent of the Cloud and cloud services, these attacks could, for example, hit your Cloud-based website, causing it to be unresponsive while you're still being billed for the usage. Also, within Microsoft Azure web site configurations we can now add DDoS settings to indicate when the underlying load balancer should throttle the requests coming from a particular rogue client.
- Malicious Insiders – the focus here is on internal, hosted and Cloud-based solutions alike. Policies and procedures are more important within the Cloud space: what procedures does your provider follow? Who can access the encryption keys? Where are they stored? etc.
- Abuse of Cloud Services – The Cloud possesses many servers, elastic scale and dynamic compute power, making it the perfect platform for a botnet to spin up in and get to work. Azure limits default subscriptions to 20 cores; more are available upon request.
- Insufficient Due Diligence – Don't jump into a Cloud platform without examining the offer. Many hosting providers have added the word 'Cloud' to the front of their names, as in 'Cloud Hosting Providers', with the underlying process and infrastructure the same, and with the same vulnerabilities. In this space Azure has many ratified processes that get re-certified each year, with some of these processes available to military-grade specification. Cloud is big business for Microsoft and getting things like this wrong would be a true Achilles heel.
- Shared Technology Issues – Cloud providers share underlying technologies, from CPUs to services, storage and other components. If these are exposed then so, potentially, is your platform.
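As an added illustration of the per-client throttling mentioned under Denial of Service (this is not from the original post), here is the IIS Dynamic IP Restrictions block that an Azure web site picks up from its web.config. The thresholds are assumed values to be tuned against real traffic, and enableLoggingOnlyMode lets you record what would be rejected before enforcing it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- Dynamic IP Restrictions: throttling applied per client address by the web tier.
           Start with enableLoggingOnlyMode="true" to see in the IIS logs which clients
           would be rejected, then flip it to "false" to enforce. -->
      <dynamicIpSecurity enableLoggingOnlyMode="false">
        <!-- Reject a client that already holds more than 10 requests in flight.
             Assumed value: size it to what a legitimate browser session needs. -->
        <denyByConcurrentRequests enabled="true" maxConcurrentRequests="10" />
        <!-- Reject a client that sends more than 30 requests inside any 300 ms window.
             Assumed values: a short window with a modest count catches hammering
             clients without tripping normal page loads. -->
        <denyByRequestRate enabled="true" maxRequests="30"
                           requestIntervalInMilliseconds="300" />
      </dynamicIpSecurity>
    </security>
  </system.webServer>
</configuration>
```

Rejected requests still reach the web tier, so this limits the load a single rogue client can place on the site rather than stopping the traffic upstream.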
Talk to you soon.
Mick.
Blog Post by: Mick Badran