#its easier to just keep them safe in my inbox as opposed to how i used to do it
Hi! Do you accept commissions? Your art is spectacular!
I don't currently do commissions (it is something I'm looking into setting up, but I'm personally just not super into committing to that); however, you're free to request something. No promises on if I'll do it or when, but I don't delete any unless there's duplicates or if it's something I just wouldn't ever do (nsfw, etc).
pomrania · 5 years
Wheelchairs in D&D v2
Disclaimer: I do not personally use a wheelchair, but I live with someone who does. I know that there are a lot of different levels of ability, and also a lot of different wheelchair designs. The following assumes a) someone with full use of their humanoid upper body, and b) a wheelchair that has not been magically or mechanically enhanced. The mechanics are written specifically for 5E.
If you personally use a wheelchair, I would 100% welcome your input on any of this, and wholeheartedly thank you for it too. Even if you’re tearing something apart that I’d accidentally gotten wrong. My inbox is open, as are my direct messages.
This is the second version of this post, which takes into account some mechanical feedback received, and also is hopefully more coherent.
To make things easier, your base speed in a wheelchair is the same as the base speed for a member of your race and class. On a smooth and level surface, it doesn't matter whether you travel by walking or by wheelchair; both are just as fast.
"Difficult terrain" is even more difficult to cross when you use a wheelchair. It costs one extra square of movement, in addition to the normal movement penalty, to travel each square of difficult terrain. Therefore, you would move at a third of your normal speed. This extra cost can be avoided with a DC 15 Acrobatics or Athletics check -- you power through what impedes your path, or skip over it -- to only suffer the standard penalty, and go half of your normal speed through difficult terrain.
(In real life, grass -- even just a lawn -- impedes wheelchair movement. However, let's ignore that. It's D&D, after all, and this is an acceptable break from reality.)
It's harder to wheelchair uphill than it is to walk uphill, and that can slow you down. You can make an Athletics check to go at your normal speed. Depending on how steep the slope is, the DC and the speed reduction will vary.
Conversely, going downhill makes you faster, again depending on how steep the slope is. If your speed ends up doubling, you need to make an Athletics check each turn. On a failure, you have lost control, and will keep going in a straight line downhill until something stops you, or until the slope evens out. (Spells like Hold Person will not halt that out-of-control movement, any more than it would stop someone’s fall from a height.)
When you have to push yourself in something that uses wheels, slopes are noticeable to you because they directly affect how much effort you need to exert. You have advantage on any checks made to determine the current slope, and how far uphill or downhill you've travelled under your own power.
Normal people cannot wheelchair up a set of stairs, nor can they safely wheelchair down a set of stairs. (There are people who CAN do that, but they are not normal, any more than people who can parkour are normal.) However, adventurers aren't normal people either. Navigating stairs, in an unmodified wheelchair, would require a moderate-to-difficult Athletics or Acrobatics check, heavily weighted towards the "difficult" end for anything farther than one or two steps. Other than that, your options are a) magic, b) get carried, or c) take the stairs while not in your wheelchair (which is outside of the scope of both this post and my knowledge).
Caltrops are only minimally effective against somebody in a wheelchair. They count as difficult terrain, but you don't take damage from them, they don't stop your movement, and once you're outside of the caltrop area, they don't reduce your speed.
Wheelchairs have three or more wheels, and are thus automatically more stable than legs. While in a wheelchair, you have advantage on saves against effects that would knock you prone.
If an effect requires you to make a save or fall prone and also suffer other effects, roll the save as normal. If you fail, roll again to count as advantage; succeeding on the second roll means that although you suffer the other effects, you are not prone.
In real life, wheelchairs are used for two main purposes: a) allow people to travel without using their legs, and b) allow people to travel without worrying about falling over. If you fall unconscious while in a wheelchair, you do not automatically become prone; once you regain consciousness, you don't need to spend any movement to get up, and you're in a position where you can move as normal, if you so choose.
You still end up prone if you fall from a height, with the standard exception: if you avoid taking damage from the fall, you don't land prone.
If you end up falling over while in a wheelchair, it's more difficult to get back up. "Standing up" from prone takes your full movement, or only half your movement if you succeed on a DC 15 Athletics or Acrobatics check. Certain wheelchair designs can lower that DC, and make it easier to get back up.
Sitting, like you do while in a wheelchair, puts you lower down. Your actual size category doesn't change, but for anything which specifically goes by height -- a low ceiling, a trap which fires at a standing human's head placement, etc -- you count as one size category smaller.
While using a wheelchair, you are immune to any speed-reducing or prone-inducing or restraining effects that specifically affect your legs; you aren't walking, you're wheeling. However, your wheelchair can still be restrained, and something that affects your mind or entire body would make it difficult to wheel at a normal speed.
Now, spells in the PHB where being in a wheelchair might change something. Please note that this is not an exhaustive list.
Wheelchairs count as something that you are wearing or have equipped, if relevant.
Freedom of Movement affects you in your wheelchair; you can go up and down slopes and stairs without any difficulty whatsoever.
The spell description for Grease mentions "each creature standing in its area". If you are in a wheelchair, you are not standing, and thus don't need to make a save for that. However, "a creature that enters the area or ends its turn there" still applies.
Haste and Slow apply as normal, as do Longstrider, Otto's Irresistible Dance, Spike Growth, and Water Walk.
Heat Metal might affect your wheelchair, depending on its construction, as might rust monsters. It’d be best to determine ahead of time what your wheelchair is made out of.
Normally, you cannot jump while in a wheelchair, at least not to the heights or distances considered “jumping” as opposed to minor hops. However, the Jump spell allows you to jump (with your wheelchair), because it's magic, and takes effect as normal.
Ray of Frost still reduces speed, because it chills the hands you use to wheel.
Spider Climb lets you wheelchair across walls and ceilings.
If affected by Tasha's Hideous Laughter, you don't actually fall prone, because the wheelchair supports you. However, you are still incapacitated, and you can only travel at half movement (as if prone).
Magic items work as normal, for the most part, within the guidelines established. Magical "shoes" can either be worn on feet if available, or they can reshape themselves to be on the wheelchair's wheels. Regardless of where they're worn, you can only benefit from "wearing" one shoe-type magic item at a time, as normal.
If you’re mid-level or higher, and you use a wheelchair, there’s no reason for that wheelchair not to be magical, or adapted in non-magical ways to better fit your needs. Most things that can be done to a vehicle can also be done to a wheelchair, within reason. Here are some suggestions:
speed boost
levitation or flight
armour
hidden compartments
extradimensional storage
easier to get up from prone, or go up hills, or do stairs
attached weapons
shelter from sun or weather
treads to bypass certain types of difficult terrain
((Also posted on Pillowfort.))
thehrisworld · 7 years
New Post has been published on http://bit.ly/2kaabFj
What Have We Learned About Cloud Security? Myth and Threats
About The HRIS World HR Dog Series™ #HRdog
An in-depth look at why, metaphorically speaking, the technology tail has STILL been wagging the HR dog for more than 30 years.
Today, a lot of changes are occurring simultaneously, and not just in technology and Human Resources -- unless you know where to go to fully unplug for the rest of your life, the changes are affecting everything we do, everywhere we go, and at all levels.
On top of all the changes, the rate of change in technology is the highest of all rates of change -- if you don't like seeing taillights, then you need to:
Learn how to think instead of what to think -- and learn this very quickly...
Learn how to discover what the right questions are, not just good questions, as well as discover who should be asked, even if not connected with him or her yet...
Learn how to discern influential and effective differences that will provide the most effective results, as opposed to just discerning differences...
Constantly learn what principles create the most effective changes as well as provide the best directions (principles which are not, by the way, taught in the world of academia)...
Constantly discover where to find the most influential and wise counsel they can get, again even if they are not connected yet...
Learn how to find, research and discover the context of a problem, situation, and/or content, and not just know the content -- a dying art of which many are not even aware is dying...
Learn what an entity must do to protect itself from misuse of technology at any level
Notice all this has nothing to do with the knowledge anyone needs to apply their trade(s) and/or skill(s)...
There is also massive confusion over means and ends -- especially within leadership. Though their focus needs to be on the well-being and sustainability of their business, the rate of change happening in nearly all arenas is forcing even their hands away from the thoughts and practices of the past to something new. Yet most do not know what that new something is, only that they need to change -- resulting in unwise actions that are more than costly.
We highly encourage your participation in this series as it is all about the Future of Work as well as the future of education, technology, leadership, even our personal lives.
Start a conversation in the comments and/or if you have some thoughts to share in the form of a post then just reach out to us by clicking the contact us button on the lower right of any page.
For this series, we use the hashtag #HRdog on twitter, LinkedIn, facebook and Google plus -- just search for this hashtag to see the latest updates we have sent there. Or better yet, register with our blog to receive our daily newsletters straight to your inbox -- as we do not purchase nor sell any lists, your information stays with us confidentially.
For more information about this series, feel free to click the blue contact us button on the lower right of your screen to let us know how we can assist -- or if you are reading this by our newsletter, then hit the reply button to get back to us!
Cloud computing is shaking the technology tail of more than just the HR dog – so this post can be a reference for HR technologists, HRIS administrators as well as your IT department.
And as the tech tail is wagging many dogs in this topic of cloud security, we have elected to make this post part of our HR Dog Series (#HRdog).
Let’s start off by clarifying some myths first — that will present a better frame of reference on what we have learned about cloud security so far.
We’re also breaking every rule in the book of blogging as this post is huge – but it is concise and can be used for future reference when dealing with cloud security.
To make things easier for you, both the myths and the security threats are indexed before their sections, so you can jump to the topic you want.
We have decided to keep this together in one document instead of making this a series as it keeps you from having to jump through several posts to get all the information.
Due to its length, you may want to consider getting our free membership (just click the LinkedIn Login on the top left of any page if you are logged out) and use our MyLibrary feature to readily find this post in the future on any machine, at any time, from any location.
And be sure to catch our free offer at the end of this post!
Cloud Computing Myths
Back in 2011, while reporting at the annual information security RSA Conference held in San Francisco, David Spark asked attendees, “What’s the most over-hyped issue in security?”
Universally everyone responded, “The cloud.”
The cloud might have been hype 4 years ago, though today it’s a necessary business driver.
Unfortunately, confusion on its effective use has given rise to a series of industry myths, often imbuing fear in many CIOs.
What are the cloud security myths that keep circulating and what are their realities?
Below is what industry experts had to say – we have indexed the myths for you so you can pick a topic or topics at your leisure, or feel free to scroll through the entire list.
Cloud Security Threats
The first step in minimizing risk in the cloud is to identify the top security threats.
Fahmida Y. Rashid (InfoWorld) attended the RSA Conference in March 2016, and shares the CSA (Cloud Security Alliance) listing of the “Treacherous 12,” the top 12 cloud computing threats organizations face in 2016.
The CSA released the report to help both cloud customers and providers focus their defensive efforts.
The shared, on-demand nature of cloud computing introduces the possibility of new security breaches that can erase any gains made by the switch to cloud technology, the CSA warned.
As noted in previous CSA reports, cloud services by nature enable users to bypass organization-wide security policies and set up their own accounts in the service of shadow IT projects.
New controls must be put in place.
“The 2016 Top Threats release mirrors the shifting ramification of poor cloud computing decisions up through the managerial ranks,” said J.R. Santos, executive vice president of research for the CSA.
As with the myths of cloud computing, we have indexed the threats for you so you can pick a topic or topics at your leisure, or feel free to scroll through the entire list.
Listings
List of Myths
1: The cloud is inherently insecure
2: The cloud security debate is simple
3: There are more breaches in the cloud
4: Physical control of data implies security
5: Cloud security is far too difficult to maintain
6: You can build a perimeter around cloud applications
7: I’m not using the cloud so I’ve got better protection
8: Shadow IT can be stopped
9: Cloud security is solely the cloud provider’s responsibility
10: You don’t need to manage the cloud
11: You can ignore BYOD and be more secure
12: Cloud data isn’t saved on mobile devices
13: Single tenant systems are more secure than multi-tenant
14: Multi-tenant systems are more secure than single tenant
15: You own all your data in the cloud
16: Cloud provider will continuously manage certifications and compliance
17: Cloud security is a product or service
18: A cloud server has unlimited resources
19: There’s no way to check what third party providers are really doing with your data
20: No need to verify big cloud provider
Conclusion of myths: Overcoming the cloud myths will allow you to reduce risk
List of Security Threats
1. Data breaches
2. Compromised credentials and broken authentication
3. Hacked interfaces and APIs
4. Exploited system vulnerabilities
5. Account hijacking
6. Malicious insiders
7. The APT parasite
8. Permanent data loss
9. Inadequate diligence
10. Cloud service abuses
11. DoS attacks
12. Shared technology, shared dangers
Myth 1: The cloud is inherently insecure
“The biggest myth, which refuses to die, is that your data is not safe in the cloud,” argued Orlando Scott-Cowley (@orlando_sc), cyber-security specialist, Mimecast. “We’re still dealing with the legions of server huggers who claim their data is safer on their own networks, where they can feel the cold embrace of the tin of their servers and watch the small blinking lights in their server rooms.”
“There is a natural perception to believe that things outside of my control are innately less secure,” said Tim McKellips (@Mckellip), manager of technical services, Softchoice. “I think cloud providers like Microsoft are taking Herculean efforts to secure their environments in a way the average client could never do.”
Dozens of experts brought up this persistent myth, arguing that compared to your organization, cloud providers have greater expertise and more technical staff.
“Cloud companies are beginning to spend at a scale of great magnitude that cannot be matched by a single organization,” said Brennan Burkhart (@LiquidHub), partner, global salesforce practice lead, LiquidHub.
“Cloud providers live, eat, and breathe network security while most other organizations don’t usually list it as one of their core competencies,” continued Leo Reiter (@virtualleo), CTO, Nimbix.
“Cloud computing boosts your security in a way that you will never be able to afford. This is because of the economies of scale,” continued Ian Apperley (@ianapperley), writer and IT consultant, whatisitwellington.
Myth 2: The cloud security debate is simple
“The biggest myth is that the [cloud security] question is even that simple,” argued Scott Feuless (@ISG_News), principal consultant, ISG.
“The cloud is less secure” argument discounts the many variables that go into making the cloud deployment decision, such as your organization’s size, existing in-house expertise, who your adversaries are, whether you need to do penetration testing for each deployment, and your organization’s need to scale.
The cloud doesn’t need to be seen as a binary decision. “It’s not a ‘yes or no’ or ‘allow or block’ world,” said Sanjay Beri (@netskope), CEO and founder, Netskope. “There are now tools and capabilities that allow IT to enable cloud securely in any number of environments specific to unique requirements’ needs thanks to the ubiquitous nature of APIs.”
Myth 3: There are more breaches in the cloud
Once again, this myth simplifies a very complicated issue. According to the Spring 2014 Alert Logic Cloud Security Report, both on-premise and cloud hosting providers (CHP) saw a dramatic increase in vulnerability scans from 2012 to 2013, with CHP having a slightly greater increase. But depending on the type of attack, such as malware and botnets, on-premise was far more susceptible.
“Internet threats are just as much of a risk for private cloud infrastructures and service provider networks,” said Jason Dover (@jaysdover), director of product line management, KEMP Technologies.
“When the correct security policies for preventing attacks and detecting them are implemented, attacks are no more threatening to the cloud than any other piece of infrastructure,” said Alastair Mitchell (@alimitchell), president and co-founder, Huddle.
“Public cloud vendors typically employ a strong team of security specialists and they also have the economies of scale to acquire cutting edge security appliances,” noted Torsten Volk (@TorstenVolk), vice president of product management, cloud, ASG Software Solutions. “Their reputation rides on it.”
Myth 4: Physical control of data implies security
“The biggest myth about cloud security is that control is the foundation of security, or lack of security,” said Praveen Rangnath (@splunk), director of Splunk Cloud, Splunk. “The foundation is visibility.”
“The various high profile security breaches over the past few months have served to highlight that the physical location of the data matters less than the access and associated controls,” added NaviSite’s general manager, Sumeet Sabharwal (@sabhas).
Believing in the data location myth diverts focus from the more common attack vectors, such as exploiting human social weaknesses and malware, said David Cope (@DavidJamesCope), executive VP of corporate developer, CliQr, who cited Verizon’s 2014 Data Breach Investigations Report as evidence of this trending security threat.
Myth 5: Cloud security is far too difficult to maintain
“The top myth we come across about security is that security in the cloud is more difficult to maintain than on-premise,” said Aater Suleman (@FutureChips), CEO, Flux7.
“Ultimately, a ‘cloud’ is just someone else’s network,” noted Corey Nachreiner (@watchguardtech), director of security strategy and research, WatchGuard.
“Believing in this myth leads to companies either compromising security in the name of business requirements or refraining from using the cloud for mission critical applications,” continued Suleman.
The security issues are similar, noted Denny Cherry (@mrdenny), owner & principal consultant, Denny Cherry & Associates Consulting, “SQL injection (the biggest security risk to systems) is still a problem in the cloud and is addressed in exactly the same way as on premise. Firewall configurations, penetration testing, VPNs, etc. are all just as important when working with a cloud provider as they are when working on premise.”
Myth 6: You can build a perimeter around cloud applications
“With apps strewn across the internet, if a corporation thinks they can build one perimeter around all their apps, then they are nuts,” said Patrick Kerpan (@pjktech), CEO and co-founder, Cohesive Networks.
“People still think in terms of network-based security, even when it comes to the cloud,” added Asaf Cidon (@asafcidon), CEO and co-founder, Sookasa. “They’re still trying to protect their network from the cloud with reverse proxies and firewalls.”
“Security should extend down to each individual enterprise application,” Kerpan continued.
“Multiple layers are needed to combat hackers. There isn’t a single silver bullet,” agreed Greg Rayburn (@FlukeNetENT), security analyst, Fluke Networks.
“Boundaries that are extended with cloud and boundaries are already broken with mobile and IoT,” said Tim Cuny (@OptimizewithCMI), VP of solutions, CMI. “Remove the old thinking of protecting perimeter boundaries and concentrate on a comprehensive risk management program that focuses on protecting assets from a people, process, and technology perspective.”
Myth 7: I’m not using the cloud so I’ve got better protection
Even though many might try to fool themselves into believing they’re not using the cloud, we’re all online and susceptible to many of the same threats.
“If your systems are connected to the Internet, then you are already on the cloud,” argued Peter Landau (@harmony_notes), president, Harmony Technologies.
“The biggest security threat is connecting anything (laptops, etc.) to the public internet or deploying any software to the public internet,” added Dave Nielsen (@davenielsen), co-founder, CloudCamp.
Myth 8: Shadow IT can be stopped
“The security implications of employees procuring their own cloud services cannot be avoided,” said Sarah Lahav (@sysaid), CEO, SysAid Technologies.
Still, while IT can’t control the consumerization of IT, IT is still the one held responsible for any technical issues.
“When business users suffer from poor application performance, including those with SaaS applications, IT is on the hook to resolve problems even though IT may not have anything to do with the infrastructure being used,” said Bruce Kosbab (@BruceKosbab), CTO, Fluke Networks. “To avoid this situation IT and the business must work together.”
“A fully representative cross-section of management, including the CEO, must be responsible for the design, deployment, and maintenance of cloud security policy and implementation,” added Steve Prentice (@stevenprentice), senior writer, CloudTweaks.
Myth 9: Cloud security is solely the cloud provider’s responsibility
“A common misconception is that the cloud provider automatically looks after all the security needs of the customer’s data and process while in the cloud,” said Jeff M. Spivey (@spiveyjms), VP of strategy, RiskIQ.
“Just being provided the tools to create, implement, and enforce security measures for cloud workflows does not inherently defer the business risk associated with an increased level of attack or compromise,” said Scott Maurice (@scottjmaurice), managing partner, Avail Partners.
“Password policies, release management for software patches, management of user roles, security training of staff, and data management policies are all responsibilities of the customers and at least as critical as the security being done by the public cloud provider,” added ASG’s Volk.
While you’re hardening internal security, don’t assume that your cloud provider backs up your data and will be able to restore it in case of a security breach.
“It is instrumental and critical that you implement a backup solution that backs up your data that is hosted on the cloud to an onsite backup or to another cloud provider,” said Bruno Scap (@MaseratiGTSport), president, Galeas Consulting. “In addition, in case of a security breach, you may need to restore your data from backups that you know are clean.”
Myth 10: You don’t need to manage the cloud
“Many believe that since the cloud infrastructure is often basically just a managed service, that the security of the services is also managed,” said Michael Weiss (@Oildex), VP, software engineering, Oildex. “Many cloud based systems are left inadvertently unsecured because the customer does not know that they need to do something to secure them, as they assume that the provider has done what an in-house security staff would traditionally have done by default.”
“Cloud security requires the same discipline for security of any data center,” said David Eichorn (@Zensar), associate VP and cloud expert with Zensar Technologies. “Cloud data centers are as resilient as any, but the weakness comes if the policies, processes and tools aren’t regularly monitored by the IT operations staff responsible.”
“Understand where that line is drawn. Who is responsible for what,” said Adrian Sanabria (@sawaba), senior analyst, enterprise security practice, 451 Research. “Generally, everything on the cloud provider’s network and in their data centers is covered at a low level. However, everything above the hardware layer and lower network layers is the customer’s responsibility.”
Myth 11: You can ignore BYOD and be more secure
“Not supporting and implementing a BYOD policy does not mean an enterprise will be less at risk of a data breach,” noted John Zanni (@jzanni_hosting), SVP of cloud and hosting sales, Acronis. “The BYOD movement is here to stay.”
Zanni recommends deploying a mobile content management (MCM) solution, as protecting the data will be what ultimately defines your business’ security and compliance requirements.
Myth 12: Cloud data isn’t saved on mobile devices
“I still hear people speaking about cloud deployment as if using this service means you are not saving any enterprise data on mobile devices, and that this might make device data protection a moot point,” said Israel Lifshitz (@nubosoftware), CEO, Nubo. “Apps that are connecting to devices are always caching data, and that cached data is stored on your employees’ mobile devices. This data can be breached and hacked and therefore must be protected.”
Myth 13: Single tenant systems are more secure than multi-tenant
“Multitenant systems offer two security benefits over single-tenant systems,” said Eric Burns (@panopto), CEO and co-founder, Panopto. “They provide an additional layer of content protection, and they ensure that security patches are always up-to-date.”
While cloud hosted systems provide hardware-based and perimeter security, those who choose a multi-tenant solution, noted Burns, get a third layer of protection called logical content isolation, designed to help prevent inside-perimeter attacks.
“Like tenants in an apartment building who use one key to enter the building and another to enter their individual apartment, multitenant systems uniquely require both perimeter and ‘apartment-level’ security,” explained Burns.
It’s a necessary protection layer for the existence of multi-tenant systems.
“Multitenant services secure all assets at all times, since those within the main perimeter are all different clients,” said John Rymer (@johnrrymer), VP, principal analyst, Forrester Research.
In addition, “multitenant systems ensure that software updates, including security patches, are applied to all customers simultaneously,” said Burns. “With single-tenant systems, software vendors are required to update individual customers’ virtual machines.”
Myth 14: Multi-tenant systems are more secure than single tenant
There are no absolutes in cloud security. The complete opposite statement regarding cloud tenancy can also be viewed as a myth.
For some organizations, forced upgrades and maintenance windows, which happen in a multi-tenancy environment, could be a detriment.
“Make sure your change management requirements can be accommodated and that you will have time to plan for upgrades, which can often be an issue with multi-tenancy systems,” said Boatner Blankenstein (@Bomgar), senior director, solutions engineering, Bomgar. “Single tenancy adds flexibility for scheduling downtime without affecting others.”
Myth 15: You own all your data in the cloud
“Your data may not always be yours after you’ve uploaded it. And if it is hosted in another country, you could be looking at cross border jurisdictional headaches,” warned Joe Kelly (@legalworkspace), CEO, Legal Workspace. “Many sites retain the right to determine whether data is offensive or violates copyright or IP laws. Other sites will sell ads based on your content – which means your information may not be as private as you think it is.”
Myth 16: Cloud provider will continuously manage certifications and compliance
“Many cloud providers oversimplify the security posture of their platform and steer the conversation toward compliance and certifications awarded by third parties,” explained Sean Jennings (@VCDX17), co-founder and SVP of solutions architecture, Virtustream. “Security certifications are point-in-time snapshots of the cloud platform and supporting processes… It is entirely possible for results to be outdated before the ink is dry on a certificate.”
“Focus should not necessarily be in implementation [of compliance policies] but rather auditing and reporting to satisfy compliance,” said Dan Chow (@ExpertIncluded), COO, Silicon Mechanics. “If regulations change knowing where the gaps are will be important to stay up-to-date and assure that a business is compliant and conforms to the latest standards.”
Myth 17: Cloud security is a product or service
“Security is not a product or a service, it is a process,” said Galeas Consulting’s Scap. “Segment your networks based on the purpose of a particular application or service, deploy firewalls, monitor logs, system and network activity, create and follow security procedures and policies, decide who has access to data, and have a plan to follow in case of a security breach.”
Myth 18: A cloud server has unlimited resources
It may appear that your cloud server has unlimited memory and processing power, but consuming more than you need can lead to performance issues and dramatic price increases.
“Cloud servers have processor, memory and I/O limitations, normally defined when the request is made. These resources are shared with the rest of the cloud environment and are moved between the cloud servers as needed,” explained Abdul Jaludi (@tagmcllc), president, TAG-MC. “A cloud server will use whatever it needs, up to the configured amount and nothing more. In many shops, users are allowed to exceed their allotted resources at a much higher cost, much like the way mobile phone plans work.”
Myth 19: There’s no way to check what third party providers are really doing with your data
“‘Malicious insiders’ is one of the most interesting and under-represented issues when people discuss public cloud security,” said Yuri Sagalov (@yuris), CEO and co-founder, AeroFS. “By outsourcing your storage and compute to third party vendors, you now need to trust not only your own employees, but also the employees of the vendor you’re using to store and process the data.”
“Some cloud providers mine enterprise data in ways that one might not want or that might invade the privacy of employees in ways that can or should not be allowed,” added Nicko van Someren (@good_technology), CTO, Good Technology. “Ensure that the cloud provider will be able to furnish the customer with audit logs to identify everyone who might ever have access to corporate data and possibly show that they have had suitable background checks and clearance.”
Myth 20: No need to verify big cloud providers
It may seem logical to go with a large provider with huge networks, dispersed worldwide data centers, and enormous industry recognition. It’s easy to trust them, right? They’re too big to collapse.
Don’t fall into the “trust-but-don’t-bother-to-verify” situation, advised Adam Stern (@iv_cloudhosting), CEO and founder, Infinitely Virtual. “While their businesses may not fail, yours might. An ill-timed outage or glitch could do some serious damage.”
Stern advises you to fully understand your support relationship with your provider: “When a supposedly secure environment suddenly springs a leak who’s going to listen and who will actually help?”
CONCLUSION OF MYTHS: Overcoming the cloud myths will allow you to reduce risk
“When the CIA and the NASDAQ begin deploying workloads to the cloud, the debate about whether the cloud can be secured is over,” argued Avail Partners’ Maurice.
Getting hung up on the myths surrounding the cloud will only prevent your organization from realizing the benefits.
Lauren Nelson (@lauren_e_nelson), senior analyst, Forrester Research, explained, “Public cloud is actually an opportunity to minimize financial risk for a net-new project or investment.”
Part of overcoming your fears of the cloud is knowing what not to do when you make that move. For expert advice on a successful cloud migration read 20 Cloud Deployment Mistakes to Avoid.
source for myths: CIO
1: Data breaches
Cloud environments face many of the same threats as traditional corporate networks, but due to the vast amount of data stored on cloud servers, providers become an attractive target. The severity of potential damage tends to depend on the sensitivity of the data exposed. Exposed personal financial information tends to get the headlines, but breaches involving health information, trade secrets, and intellectual property can be more devastating.
When a data breach occurs, companies may incur fines, or they may face lawsuits or criminal charges. Breach investigations and customer notifications can rack up significant costs. Indirect effects, such as brand damage and loss of business, can impact organizations for years.
Cloud providers typically deploy security controls to protect their environments, but ultimately, organizations are responsible for protecting their own data in the cloud. The CSA has recommended organizations use multifactor authentication and encryption to protect against data breaches.
2: Compromised credentials and broken authentication
Data breaches and other attacks frequently result from lax authentication, weak passwords, and poor key or certificate management. Organizations often struggle with identity management as they try to allocate permissions appropriate to the user’s job role. More important, they sometimes forget to remove user access when a job function changes or a user leaves the organization.
Multifactor authentication systems such as one-time passwords, phone-based authentication, and smartcards protect cloud services because they make it harder for attackers to log in with stolen passwords. The Anthem breach, which exposed more than 80 million customer records, was the result of stolen user credentials. Anthem had failed to deploy multifactor authentication, so once the attackers obtained the credentials, it was game over.
Many developers make the mistake of embedding credentials and cryptographic keys in source code and leaving them in public-facing repositories such as GitHub. Keys need to be appropriately protected, and a well-secured public key infrastructure is necessary, the CSA said. They also need to be rotated periodically to make it harder for attackers to use keys they’ve obtained without authorization.
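The CSA’s warning about keys and credentials left in repositories is one of the few items on this list that can be checked mechanically before code is pushed. The Go program below is an added example, not code from the CIO or InfoWorld articles or from any CSA material: it scans a constructed configuration fragment for three common leak shapes (an AWS-style access key ID, a PEM private-key header, and a generic password = "..." assignment) while ignoring templated placeholders such as "${API_KEY}". The rule names, the placeholder filter and the sample text are assumptions for the example; real scanners, and the pre-commit hooks built on them, use far larger rule sets plus entropy checks.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspected credential located in source text.
type Finding struct {
	Line int
	Kind string
	Text string
}

// rules are deliberately narrow patterns for credential shapes that commonly
// leak into repositories. The rule set and names are assumptions for this
// example; production scanners use far larger rule sets plus entropy checks.
var rules = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\b(AKIA|ASIA)[0-9A-Z]{16}\b`)},
	{"private-key-block", regexp.MustCompile(`-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----`)},
	{"generic-secret", regexp.MustCompile(`(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["'][^"']{8,}["']`)},
}

// placeholder matches values that are templated or obviously fake, so that a
// line such as api_key = "${API_KEY}" is not reported.
var placeholder = regexp.MustCompile(`(?i)\$\{|<[^>]+>|changeme`)

// ScanSource returns every rule hit in src, in line order (and in rule order
// within a line). Lines containing a placeholder are skipped entirely.
func ScanSource(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		if placeholder.MatchString(line) {
			continue
		}
		for _, r := range rules {
			if m := r.re.FindString(line); m != "" {
				out = append(out, Finding{Line: i + 1, Kind: r.kind, Text: m})
			}
		}
	}
	return out
}

// sample is a constructed config fragment; none of these values are real secrets.
const sample = `# constructed sample, not real credentials
AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
db_password = "hunter2hunter2"
api_key = "${API_KEY}"
-----BEGIN RSA PRIVATE KEY-----
(key material omitted)
-----END RSA PRIVATE KEY-----
`

func main() {
	for _, f := range ScanSource(sample) {
		fmt.Printf("line %d: %s (%s)\n", f.Line, f.Kind, f.Text)
	}
}
```

Run against the sample it reports the access key on line 2, the password assignment on line 3 and the private-key header on line 5, and stays silent on the templated api_key line. Wired into a pre-commit hook or a CI step, a check like this stops the leak before the repository ever becomes public; it does not replace rotation of anything that has already been exposed.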
Organizations planning to federate identity with a cloud provider need to understand the security measures the provider uses to protect the identity platform. Centralizing identity into a single repository has its risks. Organizations need to weigh the trade-off of the convenience of centralizing identity against the risk of having that repository become an extremely high-value target for attackers.
3: Hacked interfaces and APIs
Practically every cloud service and application now offers APIs. IT teams use interfaces and APIs to manage and interact with cloud services, including those that offer cloud provisioning, management, orchestration, and monitoring.
The security and availability of cloud services — from authentication and access control to encryption and activity monitoring — depend on the security of the API. Risk increases with third parties that rely on APIs and build on these interfaces, as organizations may need to expose more services and credentials, the CSA warned. Weak interfaces and APIs expose organizations to security issues related to confidentiality, integrity, availability, and accountability.
APIs and interfaces tend to be the most exposed part of a system because they’re usually accessible from the open Internet. The CSA recommends adequate controls as the “first line of defense and detection.” Threat modeling applications and systems, including data flows and architecture/design, become important parts of the development lifecycle. The CSA also recommends security-focused code reviews and rigorous penetration testing.
4: Exploited system vulnerabilities
System vulnerabilities, or exploitable bugs in programs, are not new, but they’ve become a bigger problem with the advent of multitenancy in cloud computing. Organizations share memory, databases, and other resources in close proximity to one another, creating new attack surfaces.
Fortunately, attacks on system vulnerabilities can be mitigated with “basic IT processes,” says the CSA. Best practices include regular vulnerability scanning, prompt patch management, and quick follow-up on reported system threats.
According to the CSA, the costs of mitigating system vulnerabilities “are relatively small compared to other IT expenditures.” The expense of putting IT processes in place to discover and repair vulnerabilities is small compared to the potential damage. Regulated industries need to patch as quickly as possible, preferably as part of an automated and recurring process, recommends the CSA. Change control processes that address emergency patching ensure that remediation activities are properly documented and reviewed by technical teams.
5: Account hijacking
Phishing, fraud, and software exploits are still successful, and cloud services add a new dimension to the threat because attackers can eavesdrop on activities, manipulate transactions, and modify data. Attackers may also be able to use the cloud application to launch other attacks.
Common defense-in-depth protection strategies can contain the damage incurred by a breach. Organizations should prohibit the sharing of account credentials between users and services, as well as enable multifactor authentication schemes where available. Accounts, even service accounts, should be monitored so that every transaction can be traced to a human owner. The key is to protect account credentials from being stolen, the CSA says.
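The CSA’s point that every transaction, including those made by service accounts, should trace back to a human owner is something that can be checked against the provider’s audit log rather than taken on faith. The Go program below is an added example, not code from the article or from the CSA, run over a constructed log in a made-up JSON shape (real provider audit records differ). It raises three kinds of alert: a service account with no registered human owner, an interactive login without a second factor, and one principal active from two different source addresses within ten minutes, which is the usual symptom of a shared or stolen credential. The field names, the owner registry and the ten-minute window are assumptions for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is one audit-log record. The field names are an assumption for this
// example; real provider logs (CloudTrail, Azure Activity Log, ...) differ.
type Event struct {
	Time     time.Time `json:"time"`
	Actor    string    `json:"actor"`
	SourceIP string    `json:"source_ip"`
	Action   string    `json:"action"`
	MFA      bool      `json:"mfa"`
}

// Alert is one finding that a human should look at.
type Alert struct {
	Rule  string
	Actor string
	Note  string
}

// sharedWindow: one principal seen from two different addresses this close
// together is treated as a shared or stolen credential.
const sharedWindow = 10 * time.Minute

// Analyze walks a newline-delimited JSON log (assumed sorted by time) and
// returns alerts in the order the triggering events appear. owners maps each
// service account (prefix "svc-") to the human accountable for it.
func Analyze(log string, owners map[string]string) ([]Alert, error) {
	var alerts []Alert
	lastSeen := map[string]Event{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("parse %q: %w", line, err)
		}
		if strings.HasPrefix(ev.Actor, "svc-") {
			if _, ok := owners[ev.Actor]; !ok {
				alerts = append(alerts, Alert{Rule: "unowned-service-account", Actor: ev.Actor,
					Note: "no human owner on record for this service account"})
			}
		}
		if ev.Action == "ConsoleLogin" && !ev.MFA {
			alerts = append(alerts, Alert{Rule: "login-without-mfa", Actor: ev.Actor,
				Note: "interactive login without a second factor"})
		}
		if prev, ok := lastSeen[ev.Actor]; ok && prev.SourceIP != ev.SourceIP &&
			ev.Time.Sub(prev.Time) <= sharedWindow {
			alerts = append(alerts, Alert{Rule: "possible-shared-credential", Actor: ev.Actor,
				Note: fmt.Sprintf("%s then %s within %s", prev.SourceIP, ev.SourceIP, sharedWindow)})
		}
		lastSeen[ev.Actor] = ev
	}
	return alerts, sc.Err()
}

// serviceOwners is a constructed owner registry: svc-payroll belongs to
// alice, the legacy account has nobody on record.
var serviceOwners = map[string]string{"svc-payroll": "alice"}

// sampleLog is constructed; the addresses are documentation ranges.
const sampleLog = `
{"time":"2016-03-01T09:00:00Z","actor":"alice","source_ip":"203.0.113.10","action":"ConsoleLogin","mfa":true}
{"time":"2016-03-01T09:02:00Z","actor":"svc-payroll","source_ip":"198.51.100.7","action":"GetObject","mfa":false}
{"time":"2016-03-01T09:03:00Z","actor":"svc-legacy","source_ip":"198.51.100.9","action":"GetObject","mfa":false}
{"time":"2016-03-01T09:05:00Z","actor":"alice","source_ip":"192.0.2.44","action":"PutObject","mfa":true}
{"time":"2016-03-01T09:30:00Z","actor":"bob","source_ip":"203.0.113.11","action":"ConsoleLogin","mfa":false}
`

func main() {
	alerts, err := Analyze(sampleLog, serviceOwners)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-28s %-12s %s\n", a.Rule, a.Actor, a.Note)
	}
}
```

On the sample it flags svc-legacy (no owner), alice (seen from 203.0.113.10 and then 192.0.2.44 five minutes apart) and bob (console login without MFA), and says nothing about svc-payroll because an owner is on record. The shared-credential rule is deliberately simple; in production you would exclude known NAT egress ranges and tune the window, but the structure (parse, enrich with an ownership inventory, correlate per principal) is the same.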
6: Malicious insiders
The insider threat has many faces: a current or former employee, a system administrator, a contractor, or a business partner. The malicious agenda ranges from data theft to revenge. In a cloud scenario, a hellbent insider can destroy whole infrastructures or manipulate data. Systems that depend solely on the cloud service provider for security, such as encryption, are at greatest risk.
The CSA recommends that organizations control the encryption process and keys, segregating duties and minimizing access given to users. Effective logging, monitoring, and auditing administrator activities are also critical.
As the CSA notes, it’s easy to misconstrue a bungling attempt to perform a routine job as “malicious” insider activity. An example would be an administrator who accidentally copies a sensitive customer database to a publicly accessible server. Proper training and management to prevent such mistakes becomes more critical in the cloud, due to greater potential exposure.
7: The APT parasite
The CSA aptly calls advanced persistent threats (APTs) “parasitical” forms of attack. APTs infiltrate systems to establish a foothold, then stealthily exfiltrate data and intellectual property over an extended period of time.
APTs typically move laterally through the network and blend in with normal traffic, so they’re difficult to detect. The major cloud providers apply advanced techniques to prevent APTs from infiltrating their infrastructure, but customers need to be as diligent in detecting APT compromises in cloud accounts as they would in on-premises systems.
Common points of entry include spear phishing, direct attacks, USB drives preloaded with malware, and compromised third-party networks. In particular, the CSA recommends training users to recognize phishing techniques.
Regularly reinforced awareness programs keep users alert and less likely to be tricked into letting an APT into the network — and IT departments need to stay informed of the latest advanced attacks. Advanced security controls, process management, incident response plans, and IT staff training all lead to increased security budgets. Organizations should weigh these costs against the potential economic damage inflicted by successful APT attacks.
8: Permanent data loss
As the cloud has matured, reports of permanent data loss due to provider error have become extremely rare. But malicious hackers have been known to permanently delete cloud data to harm businesses, and cloud data centers are as vulnerable to natural disasters as any facility.
Cloud providers recommend distributing data and applications across multiple zones for added protection. Adequate data backup measures are essential, as well as adhering to best practices in business continuity and disaster recovery. Daily data backup and off-site storage remain important with cloud environments.
The burden of preventing data loss is not all on the cloud service provider. If a customer encrypts data before uploading it to the cloud, then that customer must be careful to protect the encryption key. Once the key is lost, so is the data.
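Threat 6 says the organization, not the provider, should control the encryption process and the keys; the paragraph above adds that a lost key means lost data. The Go program below is an added example, not code from the article or from any cloud provider, and shows both points at once using envelope encryption: each object is sealed under its own data encryption key (DEK) with AES-256-GCM, and only the DEK, wrapped under a customer-held key encryption key (KEK), travels to the provider alongside the ciphertext. Decrypting with the wrong KEK fails authentication instead of returning garbage, and RotateKEK re-wraps the DEK so the periodic rotation recommended under threat 2 never requires re-encrypting or re-uploading the data. The Envelope layout, the key sizes and the function names are assumptions for the example; where and how the KEK is stored is left to the reader.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is the stored object: data sealed under a per-object data key (DEK),
// plus the DEK sealed under the customer's key encryption key (KEK), which is
// never uploaded. The layout is an assumption for this example.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
}

// NewKey returns a random 256-bit key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates with AES-256-GCM; output is nonce || ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal. A wrong key or a modified blob fails authentication
// and returns an error rather than garbage.
func unseal(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Encrypt seals plaintext under a fresh DEK and wraps that DEK with the KEK.
func Encrypt(kek, plaintext []byte) (*Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the KEK to recover the DEK; without it the data is gone for good.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := unseal(kek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, env.Ciphertext)
}

// RotateKEK re-wraps the DEK under a new KEK; the bulk ciphertext is untouched,
// so routine rotation never means re-encrypting or re-uploading the data.
func RotateKEK(oldKEK, newKEK []byte, env *Envelope) error {
	dek, err := unseal(oldKEK, env.WrappedDEK)
	if err != nil {
		return fmt.Errorf("rotate: %w", err)
	}
	wrapped, err := seal(newKEK, dek)
	if err != nil {
		return err
	}
	env.WrappedDEK = wrapped
	return nil
}
```

Typical use is Encrypt before upload, store the Envelope, Decrypt after download, and RotateKEK on whatever schedule policy dictates. The KEK is then the one thing the organization must protect and back up: keep it out of the same cloud account as the data (an HSM, a separate key-management service, or split custody between two people), because once it is gone no provider, however large, can recover the ciphertext.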
Compliance policies often stipulate how long organizations must retain audit records and other documents. Losing such data may have serious regulatory consequences. The new EU data protection rules also treat data destruction and corruption of personal data as data breaches requiring appropriate notification. Know the rules to avoid getting in trouble.
9: Inadequate diligence
Organizations that embrace the cloud without fully understanding the environment and its associated risks may encounter a “myriad of commercial, financial, technical, legal, and compliance risks,” the CSA warned. Due diligence applies whether the organization is trying to migrate to the cloud or merging (or working) with another company in the cloud. For example, organizations that fail to scrutinize a contract may not be aware of the provider’s liability in case of data loss or breach.
Operational and architectural issues arise if a company’s development team lacks familiarity with cloud technologies as apps are deployed to a particular cloud. The CSA reminds organizations they must perform extensive due diligence to understand the risks they assume when they subscribe to each cloud service.
10: Cloud service abuses
Cloud services can be commandeered to support nefarious activities, such as using cloud computing resources to break an encryption key in order to launch an attack. Other examples include launching DDoS attacks, sending spam and phishing emails, and hosting malicious content.
Providers need to recognize types of abuse — such as scrutinizing traffic to recognize DDoS attacks — and offer tools for customers to monitor the health of their cloud environments. Customers should make sure providers offer a mechanism for reporting abuse. Although customers may not be direct prey for malicious actions, cloud service abuse can still result in service availability issues and data loss.
11: DoS attacks
DoS attacks have been around for years, but they’ve gained prominence again thanks to cloud computing because they often affect availability. Systems may slow to a crawl or simply time out. “Experiencing a denial-of-service attack is like being caught in rush-hour traffic gridlock; there is one way to get to your destination and there is nothing you can do about it except sit and wait,” the report said.
DoS attacks consume large amounts of processing power, a bill the customer may ultimately have to pay. While high-volume DDoS attacks are very common, organizations should be aware of asymmetric, application-level DoS attacks, which target Web server and database vulnerabilities.
Cloud providers tend to be better poised to handle DoS attacks than their customers, the CSA said. The key is to have a plan to mitigate the attack before it occurs, so administrators have access to those resources when they need them.
12: Shared technology, shared dangers
Vulnerabilities in shared technology pose a significant threat to cloud computing. Cloud service providers share infrastructure, platforms, and applications, and if a vulnerability arises in any of these layers, it affects everyone. “A single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud,” the report said.
If an integral component gets compromised — say, a hypervisor, a shared platform component, or an application — it exposes the entire environment to potential compromise and breach. The CSA recommended a defense-in-depth strategy, including multifactor authentication on all hosts, host-based and network-based intrusion detection systems, applying the concept of least privilege, network segmentation, and patching shared resources.
source for threats: InfoWorld
What Have We Learned About Cloud Security? Myth and Threats | Garrett O'Brien