SlideShare ist ein Scribd-Unternehmen logo

Top Cloud Threats

Piyush Mittal
Piyush Mittal
1 von 14
Downloaden Sie, um offline zu lesen
Top Threats to Cloud Computing V1.0 Prepared by the Cloud Security Alliance March 2010
Top Threats to Cloud Computing V1.0 Introduction The permanent and official location for the Cloud Security Alliance Top Threats research is: http://www.cloudsecurityalliance.org/topthreats © 2010 Cloud Security Alliance. All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Top Threats to Cloud Computing” at http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf subject to the following: (a) the Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance “Top Threats to Cloud Computing” Version 1.0 (2010). Copyright © 2010 Cloud Security Alliance 2
Top Threats to Cloud Computing V1.0 Table of Contents Introduction................................................................................................................................... 2 Foreword........................................................................................................................................ 4 Executive Summary ...................................................................................................................... 6 Threat #1: Abuse and Nefarious Use of Cloud Computing .......................................................... 8 Threat #2: Insecure Interfaces and APIs ....................................................................................... 9 Threat #3: Malicious Insiders...................................................................................................... 10 Threat #4: Shared Technology Issues ......................................................................................... 11 Threat #5: Data Loss or Leakage ................................................................................................ 12 Threat #6: Account or Service Hijacking.................................................................................... 13 Threat #7: Unknown Risk Profile ............................................................................................... 14 Copyright © 2010 Cloud Security Alliance 3
Top Threats to Cloud Computing V1.0 Foreword Welcome to the Cloud Security Alliance’s “Top Threats to Cloud Computing”, Version 1.0. This is one of many research deliverables CSA will release in 2010. Also, we encourage you to download and review our flagship research, “Security Guidance for Critical Areas of Focus in Cloud Computing”, which you can download at: http://www.cloudsecurityalliance.org/guidance The Cloud Security Alliance would like to thank HP for their assistance in underwriting this research effort. Best Regards, Jerry Archer Dave Cullinane Nils Puhlmann Alan Boehme Paul Kurtz Jim Reavis The Cloud Security Alliance Board of Directors Underwritten by HP Copyright © 2010 Cloud Security Alliance 4
Top Threats to Cloud Computing, Version 1.0 Acknowledgments Working Group Leaders Dan Hubbard, Websence Michael Sutton, Zscaler Contributors Amer Deeba, Qualys Andy Dancer, Trend Micro Brian Shea, Bank of America Craig Balding, CloudSecurity.org Dennis Hurst, HP Glenn Brunette, Oracle Jake Lee, Bank of America Jason Witty, Bank of America Jim Reavis, Cloud Security Alliance John Howie, Microsoft Josh Zachry, Rackspace Ken Biery, Verizon Business Martin Roesler, Trend Micro Matthew Becker, Bank of America Mike Geide, Zscaler Scott Matsumoto, Cigital Scott Morrison, Layer 7 Technologies William Thornhill, Bank of America Wolfgang Kandek, Qualys Advisory Committee Archie Reed, HP Daniele Cattedu, ENISA – European Network and Information Security Agency Dave Cullinane, eBay Giles Hogben, ENISA – European Network and Information Security Agency Gunter Ollmann, Damballa Jens Jensen, Open Grid Forum Joshua Pennell, IOActive Nils Puhlmann, Zynga Rick Howard, VeriSign Copyright © 2010 Cloud Security Alliance 5
Top Threats to Cloud Computing, Version 1.0 Executive Summary Cloud Computing represents one of the most significant shifts in information technology many of us are likely to see in our lifetimes. Reaching the point where computing functions as a utility has great potential, promising innovations we cannot yet imagine. Customers are both excited and nervous at the prospects of Cloud Computing. They are excited by the opportunities to reduce capital costs. They are excited for a chance to divest themselves of infrastructure management, and focus on core competencies. Most of all, they are excited by the agility offered by the on-demand provisioning of computing and the ability to align information technology with business strategies and needs more readily. However, customers are also very concerned about the risks of Cloud Computing if not properly secured, and the loss of direct control over systems for which they are nonetheless accountable. To aid both cloud customers and cloud providers, CSA developed “Security Guidance for Critical Areas in Cloud Computing”, initially released in April 2009, and revised in December 2009. This guidance has quickly become the industry standard catalogue of best practices to secure Cloud Computing, consistently lauded for its comprehensive approach to the problem, across 13 domains of concern. Numerous organizations around the world are incorporating the guidance to manage their cloud strategies. The guidance document can be downloaded at www.cloudsecurityalliance.org/guidance. The great breadth of recommendations provided by CSA guidance creates an implied responsibility for the reader. Not all recommendations are applicable to all uses of Cloud Computing. Some cloud services host customer information of very low sensitivity, while others represent mission critical business functions. Some cloud applications contain regulated personal information, while others instead provide cloud-based protection against external threats. It is incumbent upon the cloud customer to understand the organizational value of the system they seek to move into the cloud. Ultimately, CSA guidance must be applied within the context of the business mission, risks, rewards, and cloud threat environment — using sound risk management practices. The purpose of this document, “Top Threats to Cloud Computing”, is to provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. In essence, this threat research document should be seen as a companion to “Security Guidance for Critical Areas in Cloud Computing”. As the first deliverable in the CSA’s Cloud Threat Initiative, the “Top Threats” document will be updated regularly to reflect expert consensus on the probable threats which customers should be concerned about. There has been much debate about what is “in scope” for this research. We expect this debate to continue and for future versions of “Top Threats to Cloud Computing” to reflect the consensus emerging from those debates. While many issues, such as provider financial stability, create significant risks to customers, we have tried to focus on issues we feel are either unique to or greatly amplified by the key characteristics of Cloud Computing and its shared, on-demand nature. We identify the following threats in our initial document:  Abuse and Nefarious Use of Cloud Computing  Insecure Application Programming Interfaces  Malicious Insiders  Shared Technology Vulnerabilities  Data Loss/Leakage  Account, Service & Traffic Hijacking Copyright © 2010 Cloud Security Alliance 6
Top Threats to Cloud Computing, Version 1.0  Unknown Risk Profile The threats are not listed in any order of severity. Our advisory committee did evaluate the threats and each committee member provided a subjective ranking of the threats. The exercise helped validate that our threat listing reflected the critical threat concerns of the industry, however the cumulative ranking did not create a compelling case for a published ordered ranking, and it is our feeling that greater industry participation is required to take this step. The only threat receiving a consistently lower ranking was Unknown Risk Profile, however the commentary indicated that this is an important issue that is simply more difficult to articulate, so we decided to retain this threat and seek to further clarify it in future editions of the report. Selecting appropriate security controls and otherwise deploying scarce security resources optimally require a correct reading of the threat environment. For example, to the extent Insecure APIs (Application Programming Interfaces) is seen as a top threat, a customer’s project to deploy custom line- of-business applications using PaaS (Platform as a Service) will dictate careful attention to application security domain guidance, such as robust software development lifecycle (SDLC) practices. By the same token, to the extent Shared Technology Vulnerabilities is seen as a top threat, customers must pay careful attention to the virtualization domain best practices, in order to protect assets commingled in shared environments. In addition to the flagship CSA guidance and other research in our roadmap, this research should be seen as complimentary to the high quality November 2009 research document produced by ENISA (European Network and Information Security Agency), “Cloud Computing: Benefits, Risks and Recommendations for Information Security”. ENISA’s research provides a comprehensive risk management view of Cloud Computing and contains numerous solid recommendations. The ENISA document has been a key inspiration, and we have leveraged the ENISA risk assessment process to analyze our taxonomy of threats. We encourage readers of this document to also read the ENISA document: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment Our goal is to provide a threat identification deliverable that can be quickly updated to reflect the dynamics of Cloud Computing and its rapidly evolving threat environment. We look forward to your participation on subsequent versions of “Top Threats to Cloud Computing”, as we continue to refine our list of threats, and to your input as we all figure out how to secure Cloud Computing. Copyright © 2010 Cloud Security Alliance 7
Top Threats to Cloud Computing, Version 1.0 Impact Threat #1: Abuse and Nefarious Use of Cloud Criminals continue to leverage Computing new technologies to improve their reach, avoid detection, Description and improve the effectiveness IaaS providers offer their customers the illusion of unlimited compute, of their activities. Cloud network, and storage capacity — often coupled with a ‘frictionless’ Computing providers are registration process where anyone with a valid credit card can register actively being targeted, and immediately begin using cloud services. Some providers even offer partially because their free limited trial periods. By abusing the relative anonymity behind relatively weak registration these registration and usage models, spammers, malicious code authors, systems facilitate anonymity, and other criminals have been able to conduct their activities with and providers’ fraud detection relative impunity. PaaS providers have traditionally suffered most from capabilities are limited. this kind of attacks; however, recent evidence shows that hackers have begun to target IaaS vendors as well. Future areas of concern include CSA Guidance password and key cracking, DDOS, launching dynamic attack points, hosting malicious data, botnet command and control, building rainbow Reference tables, and CAPTCHA solving farms. Domain 8: Data Center Operations Examples Domain 9: Incident Response, IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, Notification and Remediation and downloads for Microsoft Office and Adobe PDF exploits. Additionally, botnets have used IaaS servers for command and control Service Models functions. Spam continues to be a problem — as a defensive measure, IaaS PaaS SaaS entire blocks of IaaS network addresses have been publicly blacklist. Remediation  Stricter initial registration and validation processes.  Enhanced credit card fraud monitoring and coordination.  Comprehensive introspection of customer network traffic.  Monitoring public blacklists for one’s own network blocks. References  http://www.malwaredomainlist.com/  http://blogs.zdnet.com/security/?p=5110  http://voices.washingtonpost.com/securityfix/2008/07/amazon_ hey_spammers_get_off_my.html Copyright © 2010 Cloud Security Alliance 8
Top Threats to Cloud Computing, Version 1.0 Impact Threat #2: Insecure Interfaces and APIs While most providers strive to ensure security is well Description integrated into their service Cloud Computing providers expose a set of software interfaces or APIs models, it is critical for that customers use to manage and interact with cloud services. consumers of those services to Provisioning, management, orchestration, and monitoring are all understand the security performed using these interfaces. The security and availability of implications associated with general cloud services is dependent upon the security of these basic the usage, management, APIs. From authentication and access control to encryption and orchestration and monitoring activity monitoring, these interfaces must be designed to protect against of cloud services. Reliance on both accidental and malicious attempts to circumvent policy. a weak set of interfaces and Furthermore, organizations and third parties often build upon these APIs exposes organizations to interfaces to offer value-added services to their customers. This a variety of security issues introduces the complexity of the new layered API; it also increases risk, related to confidentiality, as organizations may be required to relinquish their credentials to third- integrity, availability and parties in order to enable their agency. accountability. Examples Anonymous access and/or reusable tokens or passwords, clear-text CSA Guidance authentication or transmission of content, inflexible access controls or Reference improper authorizations, limited monitoring and logging capabilities, Domain 10: Application unknown service or API dependencies. Security Remediation  Analyze the security model of cloud provider interfaces. Service Models  Ensure strong authentication and access controls are IaaS PaaS SaaS implemented in concert with encrypted transmission.  Understand the dependency chain associated with the API. References  http://www.programmableweb.com  http://securitylabs.websense.com/content/Blogs/3402.aspx Copyright © 2010 Cloud Security Alliance 9
Top Threats to Cloud Computing, Version 1.0 Impact Threat #3: Malicious Insiders The impact that malicious insiders can have on an Description organization is considerable, The threat of a malicious insider is well-known to most organizations. given their level of access and This threat is amplified for consumers of cloud services by the ability to infiltrate convergence of IT services and customers under a single management organizations and assets. domain, combined with a general lack of transparency into provider Brand damage, financial process and procedure. For example, a provider may not reveal how it impact, and productivity grants employees access to physical and virtual assets, how it monitors losses are just some of the these employees, or how it analyzes and reports on policy compliance. ways a malicious insider can To complicate matters, there is often little or no visibility into the hiring affect an operation. As standards and practices for cloud employees. This kind of situation organizations adopt cloud clearly creates an attractive opportunity for an adversary — ranging services, the human element from the hobbyist hacker, to organized crime, to corporate espionage, takes on an even more or even nation-state sponsored intrusion. The level of access granted profound importance. It is could enable such an adversary to harvest confidential data or gain critical therefore that complete control over the cloud services with little or no risk of consumers of cloud services detection. understand what providers are doing to detect and defend Examples against the malicious insider No public examples are available at this time. threat. Remediation  Enforce strict supply chain management and conduct a CSA Guidance comprehensive supplier assessment. Reference  Specify human resource requirements as part of legal contracts. Domain 2: Governance and  Require transparency into overall information security and Enterprise Risk Management management practices, as well as compliance reporting. Domain 7: Traditional  Determine security breach notification processes. Security, Business Continuity, and Disaster Recovery References  http://blogs.bankinfosecurity.com/posts.php?postID=140  http://technicalinfodotnet.blogspot.com/2010/01/tethered- Service Models espionage.html IaaS PaaS SaaS Copyright © 2010 Cloud Security Alliance 10
Top Threats to Cloud Computing, Version 1.0 Impact Threat #4: Shared Technology Issues Attacks have surfaced in Description recent years that target the IaaS vendors deliver their services in a scalable way by sharing shared technology inside infrastructure. Often, the underlying components that make up this Cloud Computing infrastructure (e.g., CPU caches, GPUs, etc.) were not designed to offer environments. Disk partitions, strong isolation properties for a multi-tenant architecture. To address CPU caches, GPUs, and other this gap, a virtualization hypervisor mediates access between guest shared elements were never operating systems and the physical compute resources. Still, even designed for strong hypervisors have exhibited flaws that have enabled guest operating compartmentalization. As a systems to gain inappropriate levels of control or influence on the result, attackers focus on how underlying platform. A defense in depth strategy is recommended, and to impact the operations of should include compute, storage, and network security enforcement and other cloud customers, and monitoring. Strong compartmentalization should be employed to ensure how to gain unauthorized that individual customers do not impact the operations of other tenants access to data. running on the same cloud provider. Customers should not have access to any other tenant’s actual or residual data, network traffic, etc. CSA Guidance Examples Reference  Joanna Rutkowska’s Red and Blue Pill exploits Domain 8: Data Center  Kortchinksy’s CloudBurst presentations. Operations Remediation Domain 13: Virtualization  Implement security best practices for installation/configuration.  Monitor environment for unauthorized changes/activity. Service Models  Promote strong authentication and access control for administrative access and operations. IaaS PaaS SaaS  Enforce service level agreements for patching and vulnerability remediation.  Conduct vulnerability scanning and configuration audits. References  http://theinvisiblethings.blogspot.com/2008/07/0wning-xen-in- vegas.html  http://www.blackhat.com/presentations/bh-usa- 09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst- PAPER.pdf  http://www.microsoft.com/technet/security/Bulletin/MS10- 010.mspx  http://blogs.vmware.com/security/2010/01/announcing- vsphere-40-hardening-guide-public-draft-release.html Copyright © 2010 Cloud Security Alliance 11
Top Threats to Cloud Computing, Version 1.0 Impact Threat #5: Data Loss or Leakage Data loss or leakage can have a devastating impact on a Description business. Beyond the damage There are many ways to compromise data. Deletion or alteration of to one’s brand and reputation, records without a backup of the original content is an obvious example. a loss could significantly Unlinking a record from a larger context may render it unrecoverable, impact employee, partner, and as can storage on unreliable media. Loss of an encoding key may result customer morale and trust. in effective destruction. Finally, unauthorized parties must be prevented Loss of core intellectual from gaining access to sensitive data. property could have The threat of data compromise increases in the cloud, due to the competitive and financial number of and interactions between risks and challenges which are implications. Worse still, either unique to cloud, or more dangerous because of the architectural depending upon the data that or operational characteristics of the cloud environment. is lost or leaked, there might be compliance violations and Examples legal ramifications. Insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys; operational failures; persistence and remanence challenges: disposal challenges; risk of CSA Guidance association; jurisdiction and political issues; data center reliability; and Reference disaster recovery. Domain 5: Information Remediation Lifecycle Management  Implement strong API access control. Domain 11: Encryption and Key Management  Encrypt and protect integrity of data in transit. Domain 12: Identity and  Analyzes data protection at both design and run time. Access Management  Implement strong key generation, storage and management, and destruction practices.  Contractually demand providers wipe persistent media before it Service Models is released into the pool.  Contractually specify provider backup and retention strategies. IaaS PaaS SaaS References  http://en.wikipedia.org/wiki/Microsoft_data_loss_2009  http://news.cnet.com/8301-13846_3-10029707-62.html  http://nylawblog.typepad.com/suigeneris/2009/11/does-cloud- computing-compromise-clients.html Copyright © 2010 Cloud Security Alliance 12
Top Threats to Cloud Computing, Version 1.0 Impact Threat #6: Account or Service Hijacking Account and service hijacking, usually with stolen credentials, Description remains a top threat. With Account or service hijacking is not new. Attack methods such as stolen credentials, attackers phishing, fraud, and exploitation of software vulnerabilities still can often access critical areas achieve results. Credentials and passwords are often reused, which of deployed cloud computing amplifies the impact of such attacks. services, allowing them to Cloud solutions add a new threat to the landscape. If an attacker gains compromise the access to your credentials, they can eavesdrop on your activities and confidentiality, integrity and transactions, manipulate data, return falsified information, and redirect availability of those services. your clients to illegitimate sites. Your account or service instances may Organizations should be aware become a new base for the attacker. From here, they may leverage the of these techniques as well as power of your reputation to launch subsequent attacks. common defense in depth protection strategies to contain Examples the damage (and possible No public examples are available at this time. litigation) resulting from a breach. Remediation  Prohibit the sharing of account credentials between users and services. CSA Guidance  Leverage strong two-factor authentication techniques where Reference possible. Domain 2: Governance and  Employ proactive monitoring to detect unauthorized activity. Enterprise Risk Management  Understand cloud provider security policies and SLAs. Domain 9: Incident Response, Notification and Remediation References Domain 12: Identity and  http://www.infoworld.com/d/cloud-computing/hackers-find- Access Management home-in-amazons-ec2-cloud-742  http://vmetc.com/2009/03/12/virtual-machine-sniffer-on-esx- Service Models hosts/ IaaS PaaS SaaS Copyright © 2010 Cloud Security Alliance 13
Top Threats to Cloud Computing, Version 1.0 Impact Threat #7: Unknown Risk Profile When adopting a cloud Description service, the features and One of the tenets of Cloud Computing is the reduction of hardware and functionality may be well software ownership and maintenance to allow companies to focus on advertised, but what about their core business strengths. This has clear financial and operational details or compliance of the benefits, which must be weighed carefully against the contradictory internal security procedures, security concerns — complicated by the fact that cloud deployments configuration hardening, are driven by anticipated benefits, by groups who may lose track of the patching, auditing, and security ramifications. logging? How are your data Versions of software, code updates, security practices, vulnerability and related logs stored and profiles, intrusion attempts, and security design, are all who has access to them? What important factors for estimating your company’s security posture. information if any will the Information about who is sharing your infrastructure may be pertinent, vendor disclose in the event of in addition to network intrusion logs, redirection attempts and/or a security incident? Often such successes, and other logs. questions are not clearly Security by obscurity may be low effort, but it can result in unknown answered or are overlooked, exposures. It may also impair the in-depth analysis required highly leaving customers with an controlled or regulated operational areas. unknown risk profile that may Examples include serious threats.  IRS asked Amazon EC2 to perform a C&A; Amazon refused. http://news.qualys.com/newsblog/forrester-cloud-computing- CSA Guidance qa.html Reference  Heartland Data Breach: Heartland’s payment processing Domain 2: Governance and systems were using known-vulnerable software and actually Enterprise Risk Management infected, but Heartland was “willing to do only the bare Domain 3: Legal and minimum and comply with state laws instead of taking the Electronic Discovery extra effort to notify every single customer, regardless of law, Domain 8: Data Center about whether their data has been stolen.” Operations http://www.pcworld.com/article/158038/heartland_has_no_hea Domain 9: Incident Response, rt_for_violated_customers.html Notification and Remediation Remediation  Disclosure of applicable logs and data. Service Models  Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.). IaaS PaaS SaaS  Monitoring and alerting on necessary information. References  http://searchsecurity.techtarget.com/magazineFeature/0,296894 ,sid14_gci1349670,00.html  http://chenxiwang.wordpress.com/2009/11/24/follow-up-cloud- security/  http://www.forrester.com/cloudsecuritywebinar  http://www.cerias.purdue.edu/site/blog/post/symposium_summ ary_security_in_the_cloud_panel/ Copyright © 2010 Cloud Security Alliance 14

Empfohlen

Avoiding Container Vulnerabilities
Avoiding Container VulnerabilitiesAvoiding Container Vulnerabilities
Avoiding Container VulnerabilitiesMighty Guides, Inc.
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesMighty Guides, Inc.
 
Avoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to SecurityAvoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to SecurityMighty Guides, Inc.
 
A study on securing cloud environment from d do s attack to preserve data ava...
A study on securing cloud environment from d do s attack to preserve data ava...A study on securing cloud environment from d do s attack to preserve data ava...
A study on securing cloud environment from d do s attack to preserve data ava...Manimaran A
 
Are you ready for the private cloud? [WHITEPAPER]
Are you ready for the private cloud? [WHITEPAPER]Are you ready for the private cloud? [WHITEPAPER]
Are you ready for the private cloud? [WHITEPAPER]KVH Co. Ltd.
 
Zimory White Paper: Security in the Cloud pt 2/2
Zimory White Paper: Security in the Cloud pt 2/2Zimory White Paper: Security in the Cloud pt 2/2
Zimory White Paper: Security in the Cloud pt 2/2Zimory
 
BriefingsDirect Transcript--How security leverages virtualization to counter ...
BriefingsDirect Transcript--How security leverages virtualization to counter ...BriefingsDirect Transcript--How security leverages virtualization to counter ...
BriefingsDirect Transcript--How security leverages virtualization to counter ...Dana Gardner
 
Cloud Computing IT Lexicon's Latest Hot Spot
Cloud Computing IT Lexicon's Latest Hot SpotCloud Computing IT Lexicon's Latest Hot Spot
Cloud Computing IT Lexicon's Latest Hot SpotTech Mahindra
 

Empfohlen

Avoiding Container Vulnerabilities
Avoiding Container VulnerabilitiesAvoiding Container Vulnerabilities
Avoiding Container VulnerabilitiesMighty Guides, Inc.
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesMighty Guides, Inc.
 
Avoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to SecurityAvoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to SecurityMighty Guides, Inc.
 
A study on securing cloud environment from d do s attack to preserve data ava...
A study on securing cloud environment from d do s attack to preserve data ava...A study on securing cloud environment from d do s attack to preserve data ava...
A study on securing cloud environment from d do s attack to preserve data ava...Manimaran A
 
Are you ready for the private cloud? [WHITEPAPER]
Are you ready for the private cloud? [WHITEPAPER]Are you ready for the private cloud? [WHITEPAPER]
Are you ready for the private cloud? [WHITEPAPER]KVH Co. Ltd.
 
Zimory White Paper: Security in the Cloud pt 2/2
Zimory White Paper: Security in the Cloud pt 2/2Zimory White Paper: Security in the Cloud pt 2/2
Zimory White Paper: Security in the Cloud pt 2/2Zimory
 
BriefingsDirect Transcript--How security leverages virtualization to counter ...
BriefingsDirect Transcript--How security leverages virtualization to counter ...BriefingsDirect Transcript--How security leverages virtualization to counter ...
BriefingsDirect Transcript--How security leverages virtualization to counter ...Dana Gardner
 
Cloud Computing IT Lexicon's Latest Hot Spot
Cloud Computing IT Lexicon's Latest Hot SpotCloud Computing IT Lexicon's Latest Hot Spot
Cloud Computing IT Lexicon's Latest Hot SpotTech Mahindra
 
Cloud Security Strategy
Cloud Security StrategyCloud Security Strategy
Cloud Security StrategyCapgemini
 
OWASP Cloud Top 10
OWASP Cloud Top 10OWASP Cloud Top 10
OWASP Cloud Top 10Ludovic Petit
 
Csaguide
CsaguideCsaguide
Csaguideณชเล จันทร์สีเงิน
 
Cloud Security: Perception VS Reality
Cloud Security: Perception VS RealityCloud Security: Perception VS Reality
Cloud Security: Perception VS RealityKVH Co. Ltd.
 
Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...
Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...
Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...Acrodex
 
Review on Security Aspects for Cloud Architecture
Review on Security Aspects for Cloud Architecture Review on Security Aspects for Cloud Architecture
Review on Security Aspects for Cloud Architecture IJECEIAES
 
Protecting What Matters...An Enterprise Approach to Cloud Security
Protecting What Matters...An Enterprise Approach to Cloud SecurityProtecting What Matters...An Enterprise Approach to Cloud Security
Protecting What Matters...An Enterprise Approach to Cloud SecurityInnoTech
 
Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM
Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMMCloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM
Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMMHector Del Castillo, CPM, CPMM
 
Cloud Data Protection for the Masses
Cloud Data Protection for the MassesCloud Data Protection for the Masses
Cloud Data Protection for the MassesIRJET Journal
 
Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Atlantic Security Conference
 
Ea33762765
Ea33762765Ea33762765
Ea33762765IJERA Editor
 
VIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareVIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareGFI Software
 
Csathreats.v1.0
Csathreats.v1.0Csathreats.v1.0
Csathreats.v1.0vivek_kale27
 
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...Troy Marshall
 
Resetting Your Security Thinking for the Public Cloud
Resetting Your Security Thinking for the Public CloudResetting Your Security Thinking for the Public Cloud
Resetting Your Security Thinking for the Public CloudMighty Guides, Inc.
 
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...HyTrust
 
Patch management
Patch managementPatch management
Patch managementGFI Software
 
Hybrid Technology
Hybrid TechnologyHybrid Technology
Hybrid TechnologyGFI Software
 
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...GFI Software
 
Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)Dashti Abdullah
 
Design and implement a new cloud security method based on multi clouds on ope...
Design and implement a new cloud security method based on multi clouds on ope...Design and implement a new cloud security method based on multi clouds on ope...
Design and implement a new cloud security method based on multi clouds on ope...csandit
 
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...cscpconf
 

Weitere ähnliche Inhalte

Was ist angesagt?

Cloud Security Strategy
Cloud Security StrategyCloud Security Strategy
Cloud Security StrategyCapgemini
 
Cloud Security: Perception VS Reality
Cloud Security: Perception VS RealityCloud Security: Perception VS Reality
Cloud Security: Perception VS RealityKVH Co. Ltd.
 
Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...
Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...
Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...Acrodex
 
Review on Security Aspects for Cloud Architecture
Review on Security Aspects for Cloud Architecture Review on Security Aspects for Cloud Architecture
Review on Security Aspects for Cloud Architecture IJECEIAES
 
Protecting What Matters...An Enterprise Approach to Cloud Security
Protecting What Matters...An Enterprise Approach to Cloud SecurityProtecting What Matters...An Enterprise Approach to Cloud Security
Protecting What Matters...An Enterprise Approach to Cloud SecurityInnoTech
 
Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM
Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMMCloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM
Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMMHector Del Castillo, CPM, CPMM
 
Cloud Data Protection for the Masses
Cloud Data Protection for the MassesCloud Data Protection for the Masses
Cloud Data Protection for the MassesIRJET Journal
 
Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Atlantic Security Conference
 
VIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareVIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareGFI Software
 
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...Troy Marshall
 
Resetting Your Security Thinking for the Public Cloud
Resetting Your Security Thinking for the Public CloudResetting Your Security Thinking for the Public Cloud
Resetting Your Security Thinking for the Public CloudMighty Guides, Inc.
 
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...HyTrust
 
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...GFI Software
 
Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)Dashti Abdullah
 

Was ist angesagt? (20)

Cloud Security Strategy
Cloud Security StrategyCloud Security Strategy
Cloud Security Strategy
 
OWASP Cloud Top 10
OWASP Cloud Top 10OWASP Cloud Top 10
OWASP Cloud Top 10
 
Csaguide
CsaguideCsaguide
Csaguide
 
Cloud Security: Perception VS Reality
Cloud Security: Perception VS RealityCloud Security: Perception VS Reality
Cloud Security: Perception VS Reality
 
Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...
Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...
Secure Your Virtualized Environment. Protection from Advanced Persistent Thre...
 
Review on Security Aspects for Cloud Architecture
Review on Security Aspects for Cloud Architecture Review on Security Aspects for Cloud Architecture
Review on Security Aspects for Cloud Architecture
 
Protecting What Matters...An Enterprise Approach to Cloud Security
Protecting What Matters...An Enterprise Approach to Cloud SecurityProtecting What Matters...An Enterprise Approach to Cloud Security
Protecting What Matters...An Enterprise Approach to Cloud Security
 
Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM
Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMMCloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM
Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM
 
Cloud Data Protection for the Masses
Cloud Data Protection for the MassesCloud Data Protection for the Masses
Cloud Data Protection for the Masses
 
Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011
 
Ea33762765
Ea33762765Ea33762765
Ea33762765
 
VIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of BloatwareVIPRE Business Takes a Bite out of Bloatware
VIPRE Business Takes a Bite out of Bloatware
 
Csathreats.v1.0
Csathreats.v1.0Csathreats.v1.0
Csathreats.v1.0
 
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
 
Resetting Your Security Thinking for the Public Cloud
Resetting Your Security Thinking for the Public CloudResetting Your Security Thinking for the Public Cloud
Resetting Your Security Thinking for the Public Cloud
 
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
 
Patch management
Patch managementPatch management
Patch management
 
Hybrid Technology
Hybrid TechnologyHybrid Technology
Hybrid Technology
 
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
When Less is More: Why Small Companies Should Think Outside the(Red/Yellow) B...
 
Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)Comparative Study of Mod Security (Autosaved)
Comparative Study of Mod Security (Autosaved)
 

Ähnlich wie Top Cloud Threats

Design and implement a new cloud security method based on multi clouds on ope...
Design and implement a new cloud security method based on multi clouds on ope...Design and implement a new cloud security method based on multi clouds on ope...
Design and implement a new cloud security method based on multi clouds on ope...csandit
 
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...cscpconf
 
What is the future of cloud security linked in
What is the future of cloud security linked inWhat is the future of cloud security linked in
What is the future of cloud security linked inJonathan Spindel
 
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...white paper
 
Big data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceBig data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceInformation Security Awareness Group
 
SECURE CLOUD ARCHITECTURE
SECURE CLOUD ARCHITECTURESECURE CLOUD ARCHITECTURE
SECURE CLOUD ARCHITECTUREacijjournal
 
MIST Effective Masquerade Attack Detection in the Cloud
MIST Effective Masquerade Attack Detection in the CloudMIST Effective Masquerade Attack Detection in the Cloud
MIST Effective Masquerade Attack Detection in the CloudKumar Goud
 
Presentation copy
Presentation copyPresentation copy
Presentation copyAdel Zalok
 
cloud of things paper
cloud of things papercloud of things paper
cloud of things paperAssem mousa
 
Trusted Cloud Initiative: Identity Management Research
Trusted Cloud Initiative: Identity Management ResearchTrusted Cloud Initiative: Identity Management Research
Trusted Cloud Initiative: Identity Management Researchguestba832ad
 
Security cloud forum_2011
Security cloud forum_2011Security cloud forum_2011
Security cloud forum_2011Mauricio Godoy
 
Sample Cloud Application Security and Operations Policy [release]
Sample Cloud Application Security and Operations Policy [release]Sample Cloud Application Security and Operations Policy [release]
Sample Cloud Application Security and Operations Policy [release]LinkedIn
 
Ijaprr vol1-1-1-5dr tejinder
Ijaprr vol1-1-1-5dr tejinderIjaprr vol1-1-1-5dr tejinder
Ijaprr vol1-1-1-5dr tejinderijaprr
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0David Spinks
 
Cloud computing seminar report
Cloud computing seminar reportCloud computing seminar report
Cloud computing seminar reportshafzonly
 
Iirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environmentIirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environmentIaetsd Iaetsd
 

Ähnlich wie Top Cloud Threats (20)

Design and implement a new cloud security method based on multi clouds on ope...
Design and implement a new cloud security method based on multi clouds on ope...Design and implement a new cloud security method based on multi clouds on ope...
Design and implement a new cloud security method based on multi clouds on ope...
 
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
 
What is the future of cloud security linked in
What is the future of cloud security linked inWhat is the future of cloud security linked in
What is the future of cloud security linked in
 
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
 
Big data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceBig data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security Alliance
 
SECURE CLOUD ARCHITECTURE
SECURE CLOUD ARCHITECTURESECURE CLOUD ARCHITECTURE
SECURE CLOUD ARCHITECTURE
 
MIST Effective Masquerade Attack Detection in the Cloud
MIST Effective Masquerade Attack Detection in the CloudMIST Effective Masquerade Attack Detection in the Cloud
MIST Effective Masquerade Attack Detection in the Cloud
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Presentation copy
Presentation copyPresentation copy
Presentation copy
 
cloud of things paper
cloud of things papercloud of things paper
cloud of things paper
 
Trusted Cloud Initiative: Identity Management Research
Trusted Cloud Initiative: Identity Management ResearchTrusted Cloud Initiative: Identity Management Research
Trusted Cloud Initiative: Identity Management Research
 
J3602068071
J3602068071J3602068071
J3602068071
 
Cloud security
Cloud security Cloud security
Cloud security
 
Security cloud forum_2011
Security cloud forum_2011Security cloud forum_2011
Security cloud forum_2011
 
Sample Cloud Application Security and Operations Policy [release]
Sample Cloud Application Security and Operations Policy [release]Sample Cloud Application Security and Operations Policy [release]
Sample Cloud Application Security and Operations Policy [release]
 
Ijaprr vol1-1-1-5dr tejinder
Ijaprr vol1-1-1-5dr tejinderIjaprr vol1-1-1-5dr tejinder
Ijaprr vol1-1-1-5dr tejinder
 
Ad4502189193
Ad4502189193Ad4502189193
Ad4502189193
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0
 
Cloud computing seminar report
Cloud computing seminar reportCloud computing seminar report
Cloud computing seminar report
 
Iirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environmentIirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environment
 

Mehr von Piyush Mittal

Design pattern tutorial
Design pattern tutorialDesign pattern tutorial
Design pattern tutorialPiyush Mittal
 
Intro to parallel computing
Intro to parallel computingIntro to parallel computing
Intro to parallel computingPiyush Mittal
 
Cuda toolkit reference manual
Cuda toolkit reference manualCuda toolkit reference manual
Cuda toolkit reference manualPiyush Mittal
 
Matrix multiplication using CUDA
Matrix multiplication using CUDAMatrix multiplication using CUDA
Matrix multiplication using CUDAPiyush Mittal
 
Basics of Coding Theory
Basics of Coding TheoryBasics of Coding Theory
Basics of Coding TheoryPiyush Mittal
 
Google app engine cheat sheet
Google app engine cheat sheetGoogle app engine cheat sheet
Google app engine cheat sheetPiyush Mittal
 
oracle 9i cheat sheet
oracle 9i cheat sheetoracle 9i cheat sheet
oracle 9i cheat sheetPiyush Mittal
 

Mehr von Piyush Mittal (20)

Power mock
Power mockPower mock
Power mock
 
Design pattern tutorial
Design pattern tutorialDesign pattern tutorial
Design pattern tutorial
 
Reflection
ReflectionReflection
Reflection
 
Gpu archi
Gpu archiGpu archi
Gpu archi
 
Cuda Architecture
Cuda ArchitectureCuda Architecture
Cuda Architecture
 
Intel open mp
Intel open mpIntel open mp
Intel open mp
 
Intro to parallel computing
Intro to parallel computingIntro to parallel computing
Intro to parallel computing
 
Cuda toolkit reference manual
Cuda toolkit reference manualCuda toolkit reference manual
Cuda toolkit reference manual
 
Matrix multiplication using CUDA
Matrix multiplication using CUDAMatrix multiplication using CUDA
Matrix multiplication using CUDA
 
Channel coding
Channel codingChannel coding
Channel coding
 
Basics of Coding Theory
Basics of Coding TheoryBasics of Coding Theory
Basics of Coding Theory
 
Java cheat sheet
Java cheat sheetJava cheat sheet
Java cheat sheet
 
Google app engine cheat sheet
Google app engine cheat sheetGoogle app engine cheat sheet
Google app engine cheat sheet
 
Git cheat sheet
Git cheat sheetGit cheat sheet
Git cheat sheet
 
Vi cheat sheet
Vi cheat sheetVi cheat sheet
Vi cheat sheet
 
Css cheat sheet
Css cheat sheetCss cheat sheet
Css cheat sheet
 
Cpp cheat sheet
Cpp cheat sheetCpp cheat sheet
Cpp cheat sheet
 
Ubuntu cheat sheet
Ubuntu cheat sheetUbuntu cheat sheet
Ubuntu cheat sheet
 
Php cheat sheet
Php cheat sheetPhp cheat sheet
Php cheat sheet
 
oracle 9i cheat sheet
oracle 9i cheat sheetoracle 9i cheat sheet
oracle 9i cheat sheet
 

Top Cloud Threats

  • 1. Top Threats to Cloud Computing V1.0 Prepared by the Cloud Security Alliance March 2010
  • 2. Top Threats to Cloud Computing V1.0 Introduction The permanent and official location for the Cloud Security Alliance Top Threats research is: http://www.cloudsecurityalliance.org/topthreats © 2010 Cloud Security Alliance. All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Top Threats to Cloud Computing” at http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf subject to the following: (a) the Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance “Top Threats to Cloud Computing” Version 1.0 (2010). Copyright © 2010 Cloud Security Alliance 2
  • 3. Top Threats to Cloud Computing V1.0 Table of Contents Introduction................................................................................................................................... 2 Foreword........................................................................................................................................ 4 Executive Summary ...................................................................................................................... 6 Threat #1: Abuse and Nefarious Use of Cloud Computing .......................................................... 8 Threat #2: Insecure Interfaces and APIs ....................................................................................... 9 Threat #3: Malicious Insiders...................................................................................................... 10 Threat #4: Shared Technology Issues ......................................................................................... 11 Threat #5: Data Loss or Leakage ................................................................................................ 12 Threat #6: Account or Service Hijacking.................................................................................... 13 Threat #7: Unknown Risk Profile ............................................................................................... 14 Copyright © 2010 Cloud Security Alliance 3
  • 4. Top Threats to Cloud Computing V1.0 Foreword Welcome to the Cloud Security Alliance’s “Top Threats to Cloud Computing”, Version 1.0. This is one of many research deliverables CSA will release in 2010. Also, we encourage you to download and review our flagship research, “Security Guidance for Critical Areas of Focus in Cloud Computing”, which you can download at: http://www.cloudsecurityalliance.org/guidance The Cloud Security Alliance would like to thank HP for their assistance in underwriting this research effort. Best Regards, Jerry Archer Dave Cullinane Nils Puhlmann Alan Boehme Paul Kurtz Jim Reavis The Cloud Security Alliance Board of Directors Underwritten by HP Copyright © 2010 Cloud Security Alliance 4
  • 5. Top Threats to Cloud Computing, Version 1.0 Acknowledgments Working Group Leaders Dan Hubbard, Websence Michael Sutton, Zscaler Contributors Amer Deeba, Qualys Andy Dancer, Trend Micro Brian Shea, Bank of America Craig Balding, CloudSecurity.org Dennis Hurst, HP Glenn Brunette, Oracle Jake Lee, Bank of America Jason Witty, Bank of America Jim Reavis, Cloud Security Alliance John Howie, Microsoft Josh Zachry, Rackspace Ken Biery, Verizon Business Martin Roesler, Trend Micro Matthew Becker, Bank of America Mike Geide, Zscaler Scott Matsumoto, Cigital Scott Morrison, Layer 7 Technologies William Thornhill, Bank of America Wolfgang Kandek, Qualys Advisory Committee Archie Reed, HP Daniele Cattedu, ENISA – European Network and Information Security Agency Dave Cullinane, eBay Giles Hogben, ENISA – European Network and Information Security Agency Gunter Ollmann, Damballa Jens Jensen, Open Grid Forum Joshua Pennell, IOActive Nils Puhlmann, Zynga Rick Howard, VeriSign Copyright © 2010 Cloud Security Alliance 5
  • 6. Top Threats to Cloud Computing, Version 1.0 Executive Summary Cloud Computing represents one of the most significant shifts in information technology many of us are likely to see in our lifetimes. Reaching the point where computing functions as a utility has great potential, promising innovations we cannot yet imagine. Customers are both excited and nervous at the prospects of Cloud Computing. They are excited by the opportunities to reduce capital costs. They are excited for a chance to divest themselves of infrastructure management, and focus on core competencies. Most of all, they are excited by the agility offered by the on-demand provisioning of computing and the ability to align information technology with business strategies and needs more readily. However, customers are also very concerned about the risks of Cloud Computing if not properly secured, and the loss of direct control over systems for which they are nonetheless accountable. To aid both cloud customers and cloud providers, CSA developed “Security Guidance for Critical Areas in Cloud Computing”, initially released in April 2009, and revised in December 2009. This guidance has quickly become the industry standard catalogue of best practices to secure Cloud Computing, consistently lauded for its comprehensive approach to the problem, across 13 domains of concern. Numerous organizations around the world are incorporating the guidance to manage their cloud strategies. The guidance document can be downloaded at www.cloudsecurityalliance.org/guidance. The great breadth of recommendations provided by CSA guidance creates an implied responsibility for the reader. Not all recommendations are applicable to all uses of Cloud Computing. Some cloud services host customer information of very low sensitivity, while others represent mission critical business functions. Some cloud applications contain regulated personal information, while others instead provide cloud-based protection against external threats. It is incumbent upon the cloud customer to understand the organizational value of the system they seek to move into the cloud. Ultimately, CSA guidance must be applied within the context of the business mission, risks, rewards, and cloud threat environment — using sound risk management practices. The purpose of this document, “Top Threats to Cloud Computing”, is to provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. In essence, this threat research document should be seen as a companion to “Security Guidance for Critical Areas in Cloud Computing”. As the first deliverable in the CSA’s Cloud Threat Initiative, the “Top Threats” document will be updated regularly to reflect expert consensus on the probable threats which customers should be concerned about. There has been much debate about what is “in scope” for this research. We expect this debate to continue and for future versions of “Top Threats to Cloud Computing” to reflect the consensus emerging from those debates. While many issues, such as provider financial stability, create significant risks to customers, we have tried to focus on issues we feel are either unique to or greatly amplified by the key characteristics of Cloud Computing and its shared, on-demand nature. We identify the following threats in our initial document:  Abuse and Nefarious Use of Cloud Computing  Insecure Application Programming Interfaces  Malicious Insiders  Shared Technology Vulnerabilities  Data Loss/Leakage  Account, Service & Traffic Hijacking Copyright © 2010 Cloud Security Alliance 6
  • 7. Top Threats to Cloud Computing, Version 1.0  Unknown Risk Profile The threats are not listed in any order of severity. Our advisory committee did evaluate the threats and each committee member provided a subjective ranking of the threats. The exercise helped validate that our threat listing reflected the critical threat concerns of the industry, however the cumulative ranking did not create a compelling case for a published ordered ranking, and it is our feeling that greater industry participation is required to take this step. The only threat receiving a consistently lower ranking was Unknown Risk Profile, however the commentary indicated that this is an important issue that is simply more difficult to articulate, so we decided to retain this threat and seek to further clarify it in future editions of the report. Selecting appropriate security controls and otherwise deploying scarce security resources optimally require a correct reading of the threat environment. For example, to the extent Insecure APIs (Application Programming Interfaces) is seen as a top threat, a customer’s project to deploy custom line- of-business applications using PaaS (Platform as a Service) will dictate careful attention to application security domain guidance, such as robust software development lifecycle (SDLC) practices. By the same token, to the extent Shared Technology Vulnerabilities is seen as a top threat, customers must pay careful attention to the virtualization domain best practices, in order to protect assets commingled in shared environments. In addition to the flagship CSA guidance and other research in our roadmap, this research should be seen as complimentary to the high quality November 2009 research document produced by ENISA (European Network and Information Security Agency), “Cloud Computing: Benefits, Risks and Recommendations for Information Security”. ENISA’s research provides a comprehensive risk management view of Cloud Computing and contains numerous solid recommendations. The ENISA document has been a key inspiration, and we have leveraged the ENISA risk assessment process to analyze our taxonomy of threats. We encourage readers of this document to also read the ENISA document: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment Our goal is to provide a threat identification deliverable that can be quickly updated to reflect the dynamics of Cloud Computing and its rapidly evolving threat environment. We look forward to your participation on subsequent versions of “Top Threats to Cloud Computing”, as we continue to refine our list of threats, and to your input as we all figure out how to secure Cloud Computing. Copyright © 2010 Cloud Security Alliance 7
  • 8. Top Threats to Cloud Computing, Version 1.0 Impact Threat #1: Abuse and Nefarious Use of Cloud Criminals continue to leverage Computing new technologies to improve their reach, avoid detection, Description and improve the effectiveness IaaS providers offer their customers the illusion of unlimited compute, of their activities. Cloud network, and storage capacity — often coupled with a ‘frictionless’ Computing providers are registration process where anyone with a valid credit card can register actively being targeted, and immediately begin using cloud services. Some providers even offer partially because their free limited trial periods. By abusing the relative anonymity behind relatively weak registration these registration and usage models, spammers, malicious code authors, systems facilitate anonymity, and other criminals have been able to conduct their activities with and providers’ fraud detection relative impunity. PaaS providers have traditionally suffered most from capabilities are limited. this kind of attacks; however, recent evidence shows that hackers have begun to target IaaS vendors as well. Future areas of concern include CSA Guidance password and key cracking, DDOS, launching dynamic attack points, hosting malicious data, botnet command and control, building rainbow Reference tables, and CAPTCHA solving farms. Domain 8: Data Center Operations Examples Domain 9: Incident Response, IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, Notification and Remediation and downloads for Microsoft Office and Adobe PDF exploits. Additionally, botnets have used IaaS servers for command and control Service Models functions. Spam continues to be a problem — as a defensive measure, IaaS PaaS SaaS entire blocks of IaaS network addresses have been publicly blacklist. Remediation  Stricter initial registration and validation processes.  Enhanced credit card fraud monitoring and coordination.  Comprehensive introspection of customer network traffic.  Monitoring public blacklists for one’s own network blocks. References  http://www.malwaredomainlist.com/  http://blogs.zdnet.com/security/?p=5110  http://voices.washingtonpost.com/securityfix/2008/07/amazon_ hey_spammers_get_off_my.html Copyright © 2010 Cloud Security Alliance 8
  • 9. Top Threats to Cloud Computing, Version 1.0 Impact Threat #2: Insecure Interfaces and APIs While most providers strive to ensure security is well Description integrated into their service Cloud Computing providers expose a set of software interfaces or APIs models, it is critical for that customers use to manage and interact with cloud services. consumers of those services to Provisioning, management, orchestration, and monitoring are all understand the security performed using these interfaces. The security and availability of implications associated with general cloud services is dependent upon the security of these basic the usage, management, APIs. From authentication and access control to encryption and orchestration and monitoring activity monitoring, these interfaces must be designed to protect against of cloud services. Reliance on both accidental and malicious attempts to circumvent policy. a weak set of interfaces and Furthermore, organizations and third parties often build upon these APIs exposes organizations to interfaces to offer value-added services to their customers. This a variety of security issues introduces the complexity of the new layered API; it also increases risk, related to confidentiality, as organizations may be required to relinquish their credentials to third- integrity, availability and parties in order to enable their agency. accountability. Examples Anonymous access and/or reusable tokens or passwords, clear-text CSA Guidance authentication or transmission of content, inflexible access controls or Reference improper authorizations, limited monitoring and logging capabilities, Domain 10: Application unknown service or API dependencies. Security Remediation  Analyze the security model of cloud provider interfaces. Service Models  Ensure strong authentication and access controls are IaaS PaaS SaaS implemented in concert with encrypted transmission.  Understand the dependency chain associated with the API. References  http://www.programmableweb.com  http://securitylabs.websense.com/content/Blogs/3402.aspx Copyright © 2010 Cloud Security Alliance 9
  • 10. Top Threats to Cloud Computing, Version 1.0 Impact Threat #3: Malicious Insiders The impact that malicious insiders can have on an Description organization is considerable, The threat of a malicious insider is well-known to most organizations. given their level of access and This threat is amplified for consumers of cloud services by the ability to infiltrate convergence of IT services and customers under a single management organizations and assets. domain, combined with a general lack of transparency into provider Brand damage, financial process and procedure. For example, a provider may not reveal how it impact, and productivity grants employees access to physical and virtual assets, how it monitors losses are just some of the these employees, or how it analyzes and reports on policy compliance. ways a malicious insider can To complicate matters, there is often little or no visibility into the hiring affect an operation. As standards and practices for cloud employees. This kind of situation organizations adopt cloud clearly creates an attractive opportunity for an adversary — ranging services, the human element from the hobbyist hacker, to organized crime, to corporate espionage, takes on an even more or even nation-state sponsored intrusion. The level of access granted profound importance. It is could enable such an adversary to harvest confidential data or gain critical therefore that complete control over the cloud services with little or no risk of consumers of cloud services detection. understand what providers are doing to detect and defend Examples against the malicious insider No public examples are available at this time. threat. Remediation  Enforce strict supply chain management and conduct a CSA Guidance comprehensive supplier assessment. Reference  Specify human resource requirements as part of legal contracts. Domain 2: Governance and  Require transparency into overall information security and Enterprise Risk Management management practices, as well as compliance reporting. Domain 7: Traditional  Determine security breach notification processes. Security, Business Continuity, and Disaster Recovery References  http://blogs.bankinfosecurity.com/posts.php?postID=140  http://technicalinfodotnet.blogspot.com/2010/01/tethered- Service Models espionage.html IaaS PaaS SaaS Copyright © 2010 Cloud Security Alliance 10
  • 11. Top Threats to Cloud Computing, Version 1.0 Impact Threat #4: Shared Technology Issues Attacks have surfaced in Description recent years that target the IaaS vendors deliver their services in a scalable way by sharing shared technology inside infrastructure. Often, the underlying components that make up this Cloud Computing infrastructure (e.g., CPU caches, GPUs, etc.) were not designed to offer environments. Disk partitions, strong isolation properties for a multi-tenant architecture. To address CPU caches, GPUs, and other this gap, a virtualization hypervisor mediates access between guest shared elements were never operating systems and the physical compute resources. Still, even designed for strong hypervisors have exhibited flaws that have enabled guest operating compartmentalization. As a systems to gain inappropriate levels of control or influence on the result, attackers focus on how underlying platform. A defense in depth strategy is recommended, and to impact the operations of should include compute, storage, and network security enforcement and other cloud customers, and monitoring. Strong compartmentalization should be employed to ensure how to gain unauthorized that individual customers do not impact the operations of other tenants access to data. running on the same cloud provider. Customers should not have access to any other tenant’s actual or residual data, network traffic, etc. CSA Guidance Examples Reference  Joanna Rutkowska’s Red and Blue Pill exploits Domain 8: Data Center  Kortchinksy’s CloudBurst presentations. Operations Remediation Domain 13: Virtualization  Implement security best practices for installation/configuration.  Monitor environment for unauthorized changes/activity. Service Models  Promote strong authentication and access control for administrative access and operations. IaaS PaaS SaaS  Enforce service level agreements for patching and vulnerability remediation.  Conduct vulnerability scanning and configuration audits. References  http://theinvisiblethings.blogspot.com/2008/07/0wning-xen-in- vegas.html  http://www.blackhat.com/presentations/bh-usa- 09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst- PAPER.pdf  http://www.microsoft.com/technet/security/Bulletin/MS10- 010.mspx  http://blogs.vmware.com/security/2010/01/announcing- vsphere-40-hardening-guide-public-draft-release.html Copyright © 2010 Cloud Security Alliance 11
  • 12. Top Threats to Cloud Computing, Version 1.0 Impact Threat #5: Data Loss or Leakage Data loss or leakage can have a devastating impact on a Description business. Beyond the damage There are many ways to compromise data. Deletion or alteration of to one’s brand and reputation, records without a backup of the original content is an obvious example. a loss could significantly Unlinking a record from a larger context may render it unrecoverable, impact employee, partner, and as can storage on unreliable media. Loss of an encoding key may result customer morale and trust. in effective destruction. Finally, unauthorized parties must be prevented Loss of core intellectual from gaining access to sensitive data. property could have The threat of data compromise increases in the cloud, due to the competitive and financial number of and interactions between risks and challenges which are implications. Worse still, either unique to cloud, or more dangerous because of the architectural depending upon the data that or operational characteristics of the cloud environment. is lost or leaked, there might be compliance violations and Examples legal ramifications. Insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys; operational failures; persistence and remanence challenges: disposal challenges; risk of CSA Guidance association; jurisdiction and political issues; data center reliability; and Reference disaster recovery. Domain 5: Information Remediation Lifecycle Management  Implement strong API access control. Domain 11: Encryption and Key Management  Encrypt and protect integrity of data in transit. Domain 12: Identity and  Analyzes data protection at both design and run time. Access Management  Implement strong key generation, storage and management, and destruction practices.  Contractually demand providers wipe persistent media before it Service Models is released into the pool.  Contractually specify provider backup and retention strategies. IaaS PaaS SaaS References  http://en.wikipedia.org/wiki/Microsoft_data_loss_2009  http://news.cnet.com/8301-13846_3-10029707-62.html  http://nylawblog.typepad.com/suigeneris/2009/11/does-cloud- computing-compromise-clients.html Copyright © 2010 Cloud Security Alliance 12
  • 13. Top Threats to Cloud Computing, Version 1.0 Impact Threat #6: Account or Service Hijacking Account and service hijacking, usually with stolen credentials, Description remains a top threat. With Account or service hijacking is not new. Attack methods such as stolen credentials, attackers phishing, fraud, and exploitation of software vulnerabilities still can often access critical areas achieve results. Credentials and passwords are often reused, which of deployed cloud computing amplifies the impact of such attacks. services, allowing them to Cloud solutions add a new threat to the landscape. If an attacker gains compromise the access to your credentials, they can eavesdrop on your activities and confidentiality, integrity and transactions, manipulate data, return falsified information, and redirect availability of those services. your clients to illegitimate sites. Your account or service instances may Organizations should be aware become a new base for the attacker. From here, they may leverage the of these techniques as well as power of your reputation to launch subsequent attacks. common defense in depth protection strategies to contain Examples the damage (and possible No public examples are available at this time. litigation) resulting from a breach. Remediation  Prohibit the sharing of account credentials between users and services. CSA Guidance  Leverage strong two-factor authentication techniques where Reference possible. Domain 2: Governance and  Employ proactive monitoring to detect unauthorized activity. Enterprise Risk Management  Understand cloud provider security policies and SLAs. Domain 9: Incident Response, Notification and Remediation References Domain 12: Identity and  http://www.infoworld.com/d/cloud-computing/hackers-find- Access Management home-in-amazons-ec2-cloud-742  http://vmetc.com/2009/03/12/virtual-machine-sniffer-on-esx- Service Models hosts/ IaaS PaaS SaaS Copyright © 2010 Cloud Security Alliance 13
  • 14. Top Threats to Cloud Computing, Version 1.0 Impact Threat #7: Unknown Risk Profile When adopting a cloud Description service, the features and One of the tenets of Cloud Computing is the reduction of hardware and functionality may be well software ownership and maintenance to allow companies to focus on advertised, but what about their core business strengths. This has clear financial and operational details or compliance of the benefits, which must be weighed carefully against the contradictory internal security procedures, security concerns — complicated by the fact that cloud deployments configuration hardening, are driven by anticipated benefits, by groups who may lose track of the patching, auditing, and security ramifications. logging? How are your data Versions of software, code updates, security practices, vulnerability and related logs stored and profiles, intrusion attempts, and security design, are all who has access to them? What important factors for estimating your company’s security posture. information if any will the Information about who is sharing your infrastructure may be pertinent, vendor disclose in the event of in addition to network intrusion logs, redirection attempts and/or a security incident? Often such successes, and other logs. questions are not clearly Security by obscurity may be low effort, but it can result in unknown answered or are overlooked, exposures. It may also impair the in-depth analysis required highly leaving customers with an controlled or regulated operational areas. unknown risk profile that may Examples include serious threats.  IRS asked Amazon EC2 to perform a C&A; Amazon refused. http://news.qualys.com/newsblog/forrester-cloud-computing- CSA Guidance qa.html Reference  Heartland Data Breach: Heartland’s payment processing Domain 2: Governance and systems were using known-vulnerable software and actually Enterprise Risk Management infected, but Heartland was “willing to do only the bare Domain 3: Legal and minimum and comply with state laws instead of taking the Electronic Discovery extra effort to notify every single customer, regardless of law, Domain 8: Data Center about whether their data has been stolen.” Operations http://www.pcworld.com/article/158038/heartland_has_no_hea Domain 9: Incident Response, rt_for_violated_customers.html Notification and Remediation Remediation  Disclosure of applicable logs and data. Service Models  Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.). IaaS PaaS SaaS  Monitoring and alerting on necessary information. References  http://searchsecurity.techtarget.com/magazineFeature/0,296894 ,sid14_gci1349670,00.html  http://chenxiwang.wordpress.com/2009/11/24/follow-up-cloud- security/  http://www.forrester.com/cloudsecuritywebinar  http://www.cerias.purdue.edu/site/blog/post/symposium_summ ary_security_in_the_cloud_panel/ Copyright © 2010 Cloud Security Alliance 14