are derived from this approach should not be underestimated. How many
in-house applications are subject to security auditing, for instance? What are
the implications of executing tested but not audited code on public clouds?
The ability to govern effectively means that an organization must ensure
that it can attribute cause to effect, be flexible in its operations, and have the
capability to accurately monitor its activities.
19.1.2 Security
The first release of the Cloud Security Alliance (CSA) report in 2010
identified seven top threats to cloud computing:
1. Abuse of the cloud refers to the ability to conduct nefarious activities
from the cloud, for instance, using multiple AWS instances or
applications supported by IaaS to launch Distributed Denial-of-Service
(DDoS) attacks (which prevent legitimate users from accessing cloud
services) or to distribute spam and malware.
2. Shared technology considers threats due to multitenant access
supported by virtualization. VMMs can have flaws allowing a guest
operating system to affect the security of the platform shared with
other virtual machines.
3. Insecure APIs may not protect users during a range of activities,
from authentication and access control to monitoring and
application control at runtime.
4. Malicious insiders risk arises because the cloud service providers do
not disclose their hiring standards and policies; potential harm due
to this particular form of attack is quite substantial.
5. Data loss or leakage risks arise because proprietary or sensitive data
may be permanently lost when cloud data replication fails and is
also followed by a storage media failure; similarly, inadvertent or
unauthorised access to such information by third parties can have
severe consequences. Since maintaining copies of the data outside
the cloud is often unfeasible due to the sheer volume of data, both of
these risks can have devastating consequences for an individual or
an organization using cloud services.
6. Account or service hijacking refers to the theft of credentials and is a
significant threat.
7. Unknown risk profile refers to exposure resulting from ignorance or
underestimation of the very risks of cloud computing.
According to this report, the IaaS delivery model can be affected by all
threats. PaaS can be affected by all but the shared technology, whereas SaaS
is affected by all but abuse and shared technology.