
9 Things You Need to Know Before Moving to the Cloud

Agenda

Cloud computing has emerged and paved its way forward at an
unprecedented pace. It has managed to simultaneously transform
business and government, giving rise to new security challenges.
The emergence of the cloud service model provides business
supporting technology with greater efficiency than ever before.
The paradigm shift from server to service has revolutionized the way
IT departments think, design, and provide computing solutions and
applications. Yet, these revolutions have given birth to new security
challenges, the full impact of which is yet to be determined.

The cloud shift proves to be more affordable and prompt, but by
taking that route, it undermines the necessity of enterprise-level
security policies, principles, and best practices. In doing so,
businesses have made themselves vulnerable to breaches
that can just as easily nullify any gains that have been made as a
result of the cloud shift.

The Cloud Security Alliance (CSA) has identified nine such risks or
threats associated with cloud computing. In view of this, they
have created industry-wide standards for cloud security. In order
to safeguard themselves in the cloud environment, businesses
should understand these risks, aptly named "The Notorious
Nine" by CSA.

These Notorious Nine are:

1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues

Data Breach
A data breach is a serious threat that most CIOs are concerned
about. In November 2012, researchers at the University of
Carolina published a paper which described how an automated
machine was able to use side channel timing information to
access private cryptographic keys on another machine located on
the same physical server.
Security breaches are inevitable. Service providers may claim that
they adopt best practices; however, we all know that there's no
way to completely eliminate the associated risks. The best approach
for businesses is to be on the defensive and work with
vendors, providers, and lawyers to prepare a Data Breach
Response in advance, to reduce the risks and liabilities when a data
breach incident happens.

Data Loss
Losing data is a petrifying thought for businesses and
consumers alike. The data in the cloud is in complete possession
of the cloud service provider. An accidental deletion through
human error, or a physical catastrophe like a fire or an earthquake,
may lead to a permanent loss of all data. This risk can be mitigated by
keeping an adequate backup of the data. A backup on a separate
server is still open to a data breach, or to data loss if the
encryption key is lost. However, many companies are required to deal
with compliance standards for record keeping. If physical records
are kept, then data loss may not have that big an impact on the
enterprise.

Account or Service Traffic Hijacking

This threat is not a new one. Phishing, exploitation, and fraud have
had a place in cyberspace for a long time. Passwords are often
reused, amplifying the impact. Cloud just adds to the landscape. All
attackers have to do is gain access to your account, which is not
hard if passwords and credentials are not strong enough. Attackers
can then falsify, manipulate, or even redirect data. They may also
make your account a base for their activities and leverage it for their
subsequent attacks. This has been and still remains one of the top
threats. Stolen credentials give attackers power over all critical
information. The enterprise data then falls into the attacker's hands,
and he may gain access to all cloud computing services deployed, thereby
compromising the integrity and confidentiality of those services.

Insecure Interface and APIs

Cloud computing essentially works by exposing a set of APIs or
software interfaces that allow consumers to remotely access data.
Delivery, management, adaptation, and monitoring services are all
performed by way of these interfaces. The overall security of the
cloud depends on the security of these interfaces. From credible
access control to encoding and activity overview, these interfaces
must be secured against accidental or purposeful efforts to
circumvent policy.
These interfaces are further used by cloud users to build upon and
provide value-added services to their customers. This introduces an
additional layer of risk and exposure to security breaches at the
API level.
The responsibility of grasping the depth of security at the API level
lies with both the service provider and the consumer, as reliance on
a poorly orchestrated API would lead to security issues related to
integrity, confidentiality, accountability, and availability.

Denial of Service (DoS)

Essentially, DoS is preventing the consumers of the cloud from
accessing their own data. This attack tends to corner the victim into
consuming inordinate amounts of limited system resources:
memory, processor power, network bandwidth, or disk space.
This leads to a network slowdown, much like getting
bottlenecked in rush hour traffic. This is a case of "can't go
through, can't get out". What results is excessive use of
bandwidth. And the service providers charge based on the disk
space consumed. Therefore, the increased processing time would
lead to high costs.

Malicious Insiders
The backbone of the entire cloud technology is storing data with a
third party. Where there is trust, there is also a breach of trust. This
is much like a data breach, except it comes from different sources
and purposes.
CERN, the European Organization for Nuclear Research, defines an
insider threat as:
"A malicious insider threat to an organization is a current or former
employee, contractor, or other business partner who has or had
authorized access to an organization's network, system, or data
and intentionally exceeded or misused that access in a manner that
negatively affected the confidentiality, integrity, or availability of
the organization's information or information systems."

Abuse of Cloud Services

Cloud computing has made a name for itself as it gives large
computing capabilities to even small organizations. These
capabilities can even fall into the wrong hands. With such
computing power, an attacker can easily crack an encryption key in
no time. He may even employ these servers to plan and
orchestrate a DoS attack. This threat is a risk to the service
providers. They have to identify abusers and service breaches from
their end.

Insufficient Due Diligence

Cloud computing has made its presence felt with a bang. All
organizations want a piece of the cloud. The promise of reduced
cost, efficiency in operations, and improved security has baited
the organizations well. By pushing to the cloud, organizations
may be minimizing their risk on the operational and
departmental front, but they are adopting the risks associated with
the cloud. These risks, if not assessed diligently, can pose a threat
and impact the organization, making it difficult for them to recoup for
the lack of capable resources.

Shared Technology Vulnerabilities

Cloud services are third party services. Service providers scale
their resources by sharing platforms, infrastructure, and
applications. Whether it's the hardware components that make up
the infrastructure (CPU, servers, caches etc.) or the software
(SaaS, PaaS, IaaS etc.), the risk of shared vulnerability exists in all
service models. A compromise of a critical component may lead to
an overall compromise of data stored on the cloud.

Conclusion

Having an equal understanding of both the promise that cloud
computing offers and the risk that it brings is a crucial step for
enterprises before adopting and transitioning their IT
environment onto the cloud.

Let's Talk!

Kairos partners with the leading
technology providers in the cloud, mobile,
and social space. Our team of experts
has helped organizations migrate to the
cloud seamlessly. Write to us today
(info@kairostech.com) for your cloud
computing requirements and security
assessment.

THANK YOU
http://www.kairostech.com
