Although cloud computing can deliver huge benefits to organizations in terms of reduced capital costs and on-demand resources, it also presents hackers with a rich environment to attack, as huge amounts of data are concentrated in one place. The fact that this data is stored on resources that are shared across many different users amplifies the risks presented by certain kinds of vulnerabilities. However, Cloud Security Alliance research conducted earlier this year in conjunction with Hewlett-Packard didn't identify Internet traffic hijacking as one of the main cloud computing threats.
This is possibly because traffic hijacking is a threat to any type of Internet-based service, not specifically cloud computing. Two of the key protocols that make the Internet work, DNS and Border Gateway Protocol (BGP), can both be used to launch traffic hijacking attacks by exploiting fundamental flaws in the protocols themselves. BGP, for example, which calculates the quickest, most efficient route for Internet traffic to travel in order to reach the destination IP address, can be subverted by abusing the trust relationship established by default between low-level Internet protocols.
When looking at a cloud service provider, I would approach the issue of its security by asking how it tackles some of the issues highlighted in the Top Threats to Cloud Computing report mentioned above. The key issues it can directly tackle are:
- Insecure interfaces and APIs
- Malicious insiders
- Shared technology issues
- Data loss or leakage
The potential for malicious insiders should be taken seriously. The incredible growth of cloud computing must have led to shortcuts by some providers when it comes to checking the credentials of new employees. A malicious or disgruntled employee could try to instigate a traffic hijacking attack or harvest data some other way. If unauthorized users gain access to your credentials, for example, they could monitor your activities and redirect your clients to other sites.
The need to protect your account credentials highlights the importance of implementing your own security measures for computing in the cloud, as well as understanding your cloud provider's security policies -- measures such as segregation of duties, service level agreements and overall commitment to security. Much of the remediation advice for the top threats offered by the Cloud Security Alliance consists of steps that you as the client need to take, such as banning the sharing of account credentials between users and services, and using strong two-factor authentication wherever possible for tasks such as administrative access and operations.
When it comes to cloud computing, the threat listed at No. 7 says it all for me: Unknown risk profile. At the end of the day, it's impossible to know for certain how closely your cloud provider follows its internal security procedures and who has access to your data. Yes, there's a shared responsibility with your cloud provider for security, but ultimately it's you who are responsible; that responsibility you can't outsource.
This was first published in May 2010