This document discusses various risks associated with cloud computing including availability risks if a major cloud provider experiences downtime, security risks from attacks on user credentials or APIs, and confidentiality risks from data being shared across tenants or potentially accessed by cloud provider employees. While cloud providers are responsible for security of the cloud itself, businesses still bear responsibility for their own data security and need to carefully consider things like data encryption, access controls, and disaster recovery when using cloud services.

1. Risk Management in
the Cloud
How secure is your data? How securely is it disposed of?
Thursday, April 26, 2018
By David X Martin
Imagine the Cloud as a huge vault in the sky. The walls are made of hardened steel and
the door is opened only at certain times for multiple tenants to put certain things in or
take them out. Inside the vault are shared services for access and processing of whatever
is in individual tenants’ storage bins.

2. A number of risk management concerns are implicit in this model . . .
What if the door of the vault cannot be opened? Reliance on a handful of tech
companies that provide cloud services is a systematic risk for all businesses using them.
For instance, in the event of prolonged downtime of a single, top cloud service provider,
simultaneous damage for all its clients and dependents could result in large financial
losses.
How secure is the safe when the door is open? All the traffic between your network
and whatever service you are accessing in the Cloud must travel though the Internet.
Problems can arise if your data, or another tenant’s data, is not traveling on a secure
channel or not encrypted or not authenticated using industry standard protocols to protect
Internet traffic.
Security issues arise concerning confidentiality, integrity, availability, and accountability
if you rely on a weak set of interfaces to interact with Cloud services. A few examples:
Attackers now have the ability to use your (or your employees’) login information to
remotely access sensitive data stored on the Cloud; or falsify and manipulate data through
hijacked credentials; or inject malware which gets imbedded in the Cloud servers; and if
operating in tandem, attackers can eavesdrop, compromise the integrity of sensitive
information, and even steal data.
Many predict the cloud will soon be subject to ransomware attacks that force the targeted
Cloud service to consume inordinate amounts of finite resources – such as processor
power, memory, disk space, or network bandwidth – that would cause a system
slowdown, leaving all legitimate service users without access to services.
The vault has multiple tenants sharing the same services. The sharing of resources can
violate the confidentiality of a tenant’s IT assets. As is true within a hospital or airplane,
if there is a bug, you are more likely to catch it because you’re using the same service in a
confined area.
Also, the services provided are elastic – in that there are different degrees or levels of
service and security – which fosters an inconsistent security model. Concerns arise: How
secure is your data while it is in transit within the Cloud, on the Cloud’s servers, accessed
by Cloud-based applications? How securely is your data disposed of, including the
deletion of the encryption key?
For example, Application Programming Interfaces (API) give users the opportunity to
customize features of their Cloud services to fit business needs – but they also
authenticate, provide access, and effect encryption.
The vulnerability of an API is in the communication that takes place between
applications – creating exploitable security risks and new attack surfaces. Case in point:
In January, researchers revealed a design feature common in most modern
microprocessors that could allow content, including encrypted data, to be read from

3. memory using malicious JavaScript code. Two variations of this issue, called Meltdown
and Spectre, permit side-channel attacks because they break down the isolation between
applications.
Individual tenants’ storage bins can be compromised. In recent years, there have been
attacks on the Hypervisor software that is used to create virtual containers that the Cloud
provider’s hardware maintains for each of its customers.
In addition, data stored on a Cloud provider’s server could potentially be accessed by an
employee of that company – and you have none of the usual personnel controls over
those people. Data on Cloud services can also be lost by an erroneous data wipe by the
service provider – which has already happened at Amazon. Making matters worse, most
businesses do not have recovery plans for data stored in the Cloud.
A business decision to move to the Cloud does not mean that all risks are off-loaded to
the service provider. Yes, these providers are generally responsible for security “of the
Cloud”, which includes storage, networking and computing. And yes, they do have
security advantages with scale and automation. But they also represent much bigger,
more enticing, more strategic targets for bad actors.
Ultimately, businesses are still responsible for their own data, as well as certain shared
security aspects, depending on the Cloud service model being used. Risk managers need
to get their heads into the Cloud!
David X Martin (dxm@cybxsecure.com) is a former chief risk officer and was founding
chair of the Investment Company Institute’s Risk Committee. He is an adjunct professor,
author, expert witness, and co-managing director of cybX. His previous contributions to
GARP Risk Intelligence include For Corporate Boards, a Cyber Security Top 10; and,
with Roel C. Campos, How Do Directors Cope with Their Obligations to Oversee
Cybersecurity?