Threats to Cloud Computing


  • face many of the same threats as traditional IT environments
  • the following threats are examined in relation to private, public, community, and hybrid clouds

Threats

  • Malware
    • less likely in SaaS environment
      • customer doesn’t install software
      • possible for browser extensions and add-ons to bring malicious code
    • e.g., the FiarFox extension for Firefox allowed takeover of Gmail accounts
  • Internal Threats
    • malicious or unintentional insiders
  • External Threats
    • same sort of external attackers apply to the cloud
    • e.g., rogue employees
  • Man-in-the-Middle Attack
    • attacker inserts themselves between sender and receiver
    • remote access capability of cloud enhances the exposure to this attack
  • Theft/Loss of Device
    • enhanced risk due to remote access
    • BYOD environments mean user devices can lead to unauthorized access and exploitation
  • Regulatory Violation
    • same regulatory risks apply to cloud
    • private cloud adds greater risk of noncompliance
    • increased opportunity and efficiency for disseminating information increases likelihood of violating regulations
  • Natural Disasters
    • no geographical region is free from this risk
      • just differ in location
      • flood vs hurricane vs earthquake, etc.
  • Loss of Policy Control
    • ownership is distributed in the cloud
      • centralized policy promulgation and enforcement is not usually viable
    • leads to adoption of cloud access security brokers (CASB) for centralized policy enforcement
  • Loss of Physical Access Control
    • relative decrease in physical security
    • enhanced threat in community clouds due to distributed ownership
  • Lack of Audit Access
    • tied to loss of physical access control
    • can be impractical or impossible to conduct audits in distributed environment
  • Rogue Administrator
    • enhanced form of insider threat
    • public cloud enhances risk
      • third party manages your systems and data
  • Escalation of Privilege
    • extension of insider threat category
    • authorized user tries to increase level of access
    • can be malicious or unintentional
    • risk increases in cloud because users are faced with two sets of governance
      • own organization
      • provider organization
      • can cause delays in requests to modify access/permissions
        • lead to circumventing policy
  • Contractual Failure
    • poorly crafted contract can lead to:
      • vendor lock-in
      • unfavorable terms
      • lack of necessary services
      • etc.

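The Escalation of Privilege threat above is the kind of event that log review is meant to surface: an authorized user granting themselves (or being granted) a privileged role outside the organization's own approval process. The following is an added example, not from the original notes, of a small review pass over constructed cloud audit records; the JSON record layout, the role names, the `ticket` field and the `ROLE_ADMINS` list are assumptions made for illustration.

```python
"""Flag privilege-escalation events in constructed cloud audit records.

Added example (not from the original notes). The record format, the role
names and the approved-ticket field are assumptions for illustration.
"""
import json

# Roles that count as privileged (assumed).
PRIVILEGED_ROLES = {"owner", "admin", "security-admin"}
# Accounts allowed to grant privileged roles (assumed governance list).
ROLE_ADMINS = {"iam-admin@example.test"}

# Constructed sample audit log, one JSON event per line.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:00Z","event":"role.grant","actor":"iam-admin@example.test","target":"alice@example.test","role":"reader","ticket":"CHG-101"}
{"ts":"2024-05-01T09:05:00Z","event":"role.grant","actor":"iam-admin@example.test","target":"bob@example.test","role":"admin","ticket":"CHG-102"}
{"ts":"2024-05-01T10:12:00Z","event":"role.grant","actor":"bob@example.test","target":"bob@example.test","role":"owner","ticket":null}
{"ts":"2024-05-01T11:30:00Z","event":"role.grant","actor":"carol@example.test","target":"dave@example.test","role":"security-admin","ticket":"CHG-103"}
{"ts":"2024-05-01T12:00:00Z","event":"login","actor":"alice@example.test"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_escalations(events):
    """Return findings for privileged role grants that break the assumed policy.

    A grant is reported when the grantor is the target (self-escalation),
    when the grantor is not an authorized role administrator, or when no
    approved change ticket is attached.
    """
    findings = []
    for e in events:
        if e.get("event") != "role.grant" or e.get("role") not in PRIVILEGED_ROLES:
            continue
        reasons = []
        if e["actor"] == e["target"]:
            reasons.append("self-granted privileged role")
        if e["actor"] not in ROLE_ADMINS:
            reasons.append("grantor not an authorized role administrator")
        if not e.get("ticket"):
            reasons.append("no approved change ticket")
        if reasons:
            findings.append({
                "ts": e["ts"],
                "actor": e["actor"],
                "target": e["target"],
                "role": e["role"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_escalations(parse_events(SAMPLE_LOG)):
        print(f["ts"], f["actor"], "->", f["target"], f["role"], "; ".join(f["reasons"]))
```

On the constructed log this reports two events: bob granting himself `owner` with no ticket, and carol (not a role administrator) granting `security-admin`. The reader grant and the properly ticketed admin grant pass. The same rule set can be applied to the provider's governance domain by feeding it the provider-side audit export, which is where the two-governance delay described above tends to show up as unticketed changes.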
Risk Mitigation Strategies

  • Countermeasures to address the threats for cloud models
  • Malware
    • host-based and network-based anti-malware applications and agents
    • training users on how malware gets introduced into systems
    • continual monitoring of network traffic and baseline configuration
      • detect anomalous activity and performance degradation
    • regular updates and patches
  • Internal Threats
    • conduct aggressive background checks
    • establish appropriate personnel policies
      • recurring training
      • mandatory vacation policies
      • job rotation
      • two-person integrity
    • workflow policies
      • separation of duties
      • least privilege
    • active surveillance and monitoring programs
      • physical and electronic
    • data masking
    • egress monitoring (DLP)
  • External Attackers
  • Man-in-the-Middle Attacks
    • encrypt data in transit
    • use secure session technology and enforcement
  • Social Engineering
    • frequent security awareness training
    • incentive programs
  • Data Loss from Theft/Loss of Devices
    • encryption of stored material
    • strict access controls
    • limited or no USB functionality
    • inventory control and monitoring
    • remote wipe or kill switch for portable devices
  • Regulatory Violations
    • hire knowledgeable, trained personnel
    • defer to general counsel in planning and managing of systems
    • implement information rights management (IRM) solutions
    • encryption and data obfuscation
  • Natural Disasters
    • cloud provider should ensure multiple redundancies
    • disaster backup
    • disaster recovery plans (DRPs) and business continuity plans (BCPs)
  • Loss of Policy Control
    • strong contractual terms to ensure provider adheres to a security program
      • at least as effective as the customer's own
    • detailed and extensive audits by customer or trusted third-party
  • Loss of Physical Access Control
    • same as internal threats, theft/loss of devices, and loss of policy control
  • Lack of Audit Access
    • use a trusted third-party to audit
      • if cannot audit yourself
    • insist on contractual protections to transfer financial liability for security failures to provider
      • including additional punitive damages
  • Rogue Administrator
    • same controls as in internal threats
    • physical, logical, and administrative controls of all privileged accounts and personnel
      • thorough and secure logging of all administrative activities
      • locked racks
      • monitoring of physical access to devices
      • video surveillance
      • financial monitoring of privileged personnel
        • if legally allowed
  • Escalation of Privilege
    • access control and authentication tools
    • analysis and review of all log data by trained personnel on frequent basis
    • automated SIEM tools
  • Contractual Failure
    • protect against vendor lock-in/lock-out:
      • full offsite backups
        • secured and kept by customer or trusted third-party
  • Legal Seizure
    • encryption of data
    • data dispersion (spread data across locations)
    • business impact analysis (BIA) should take this into account
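The Rogue Administrator mitigations call for thorough and secure logging of all administrative activities. "Secure" here means the people being logged cannot quietly rewrite the record. One standard way to get that is a keyed hash chain: every entry carries an HMAC over its own content and the previous entry's HMAC, under a key the administrators do not hold (kept by the customer or the trusted third-party auditor). The code below is an added example, not from the original notes or any particular product; the sample actions, the key and the record layout are constructed for illustration.

```python
"""Tamper-evident administrative activity log using an HMAC hash chain.

Added example (not from the original notes). SAMPLE_ACTIONS and the key
are constructed; in practice the key is held by the customer or auditor,
not by the administrators whose actions are logged.
"""
import hashlib
import hmac
import json

# Marker used as the "previous MAC" of the very first entry.
GENESIS = "0" * 64

# Constructed administrative actions (what a provider-side admin did).
SAMPLE_ACTIONS = [
    {"ts": "2024-05-01T08:00:00Z", "admin": "ops1", "action": "vm.start", "target": "db-01"},
    {"ts": "2024-05-01T08:10:00Z", "admin": "ops1", "action": "user.delete", "target": "alice"},
    {"ts": "2024-05-01T08:30:00Z", "admin": "ops2", "action": "disk.snapshot", "target": "db-01"},
]


def _entry_mac(key, prev_mac, record):
    """HMAC-SHA256 over the previous MAC and the canonicalized record."""
    msg = prev_mac.encode() + b"\n" + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(log, key, record):
    """Append a record, chaining it to the last entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"record": record, "prev": prev, "mac": _entry_mac(key, prev, record)})
    return log


def verify_log(log, key):
    """Return the index of the first entry that fails verification, or -1.

    An entry fails if its 'prev' field does not match the preceding MAC
    (insertion or deletion) or if its MAC does not match its content
    (modification).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = _entry_mac(key, prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return i
        prev = entry["mac"]
    return -1


def build_sample_log(key):
    """Build a fresh chain from copies of the constructed sample actions."""
    log = []
    for rec in SAMPLE_ACTIONS:
        append_entry(log, key, dict(rec))
    return log


def tamper_demo(key):
    """Rewrite the second entry after the fact and report where verification fails."""
    log = build_sample_log(key)
    log[1]["record"]["action"] = "user.view"  # hide the deletion
    return verify_log(log, key)


def deletion_demo(key):
    """Remove the second entry and report where verification fails."""
    log = build_sample_log(key)
    del log[1]
    return verify_log(log, key)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    print("intact:", verify_log(build_sample_log(key), key))   # -1
    print("modified entry detected at:", tamper_demo(key))    # 1
    print("deleted entry detected at:", deletion_demo(key))   # 1
```

The chain catches modification and deletion of any entry except truncation of the tail, so the latest MAC should be periodically copied somewhere the administrators cannot reach (for example, to the auditor alongside the key); comparing that anchor against the log's last MAC closes the truncation gap. This is the logging piece only; the physical controls in the list (locked racks, video surveillance) protect the host the log is written on.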