Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Securing the Cloud

Home
Industry Insights
Securing the Cloud

Blog Article Published: 07/10/2014

By Robert Clauff, Security Engineer, Solutionary

robert clauff headshot

More and more organizations are moving to the “CLOUD." It seems as though you can't read an article about IT or turn on the TV without seeing someting about the increasingly ubiquitous cloud. Of course, the cloud is more than just an IT buzzword, it's an increasingly important part of IT that requires organizations to consider the security implications of "moving to the cloud."

Moving to the cloud can benefit a lot of organizations. However, you need to know how to keep things secure while you migrate to such an environment. The term cloud is frequently thrown around in discussions; but in reality, a lot of IT professionals do not really know all the downsides of cloud migration, and security issues are often overlooked.

I keep reading and hearing statements like, “The cloud is so much easier to manage and makes your information more secure." These types of blanket statements are just not accurate.

The cloud does mitigate some common security issues, like data resiliency and availability, as well as some physical threats. Yet, when organizations decide to migrate to the cloud there are other layers of security that they need to acknowledge, which are often ignored by companies that do not look at all of the facts.cloud-computing

The reality is that cloud computing opens up new ways in which your security can be compromised, and you have to trust your cloud provider’s security to be up to par. You can improve your overall security posture if you do not let your security posture relax, but, in fact, take this opportunity to tighten it even more. New threats can range from basic to very advanced techniques, and organizations will see some of the issues occur when trying to protect data because there are "Catch-22s."

While data loss and data leakage are both bad, the security measures to mitigate one can exacerbate the other. I personally get an uneasy feeling about concentrations of several organizations in the same physical environment, which happens constantly in the cloud. For example, multi-tenant cloud databases which are improperly designed and flawed applications could allow a hacker to access not only the data of one client, but the host as a whole, and potentially all client data stored by the provider.

As we all know, security issues do not always originate from malicious hackers. User errors will do just as much (if not more) damage. In 2011, the EC2 cloud had data loss because of constant backups and a “re-mirroring storm,” all due to user error. Something as easy as losing encryption keys for the data can cause catastrophic damage to an environment.

We have seen an example where an attacker on a virtual machine listened for activity that signals the arrival of encryption keys from another virtual machine on the same host, using a ‘side channel timing exposure’ technique. However, as far as we know, this advanced technique has not been tied to any large breaches (yet). Cloud environments could help put a large bull's-eye on your organization because compromising an array of cloud servers could make for one heck of a malware server farm or even a nice Denial-of-Service (DoS) attack, all in one easy shot. (Attack the cloud provider, and affect dozens or hundreds, or thousands, of clients). In fact, Solutionary Security Engineering Research Team (SERT) research has shown that leading Internet Service Providers (ISPs) and hosters are a haven for hosted malware.

Among all of the different security issues, the same “oldie but goodie” issues are still present. Account hijacking is and always will be a serious security issue due to phishing, vulnerabilities and buffer overflows. Session hijacking is just as prominent in the cloud and can lead to service hijacking while compromising the confidentiality, integrity and availability of your data. Malicious users and rogue administrators still exist, just as they always have, but there are easier ways like throwing a VM on a flash drive and walking out of the building with it.

DoS attacks are still a very real threat, even in the cloud. If your organization experiences a DoS attack, you could still be charged for resources being used while the services are unavailable. Or, if your servers are compromised at the cloud provider, you could be charged for any bandwidtch used because of a DoS attack. You can probably get those charges cancelled, but chances are you will still have to take action to do so.

A lot of these situations can be mitigated just by using security best practices and having a good sense of security from the ground up when developing your cloud infrastructure. Don’t just trust that cloud providers have a secure infrastructure. Instead, ask them what their practices are, and ensure they are supporting a secure environment. Whenever possible, include two-factor authentication and security-conscious applications when considering what you will be interfacing with.

The provider should be using security best practices, and have an effective application development security program if they are implementing applications for you. A large percentage of compromise in the cloud is due to flaws in applications or Web functionality. Be sure to do your due diligence.

Insecure Application Program Interface (API) can be your worst enemy. APIs could give anonymous users access using third-party authentication for services such as Facebook, Google and Twitter. These authentication methods are often found to be broken and vulnerable to compromise. In general, relying on third-party security practices to secure your applications is bad practice.

Dealing with IT security every day, I see how many bad situations could have been avoided if security was taken into account when the environment was built. While security best practices are a great avenue to keep your data secure, it always helps to have someone watching your back. The Cloud Security Alliance (CSA) is a great resource to have when needing answers for real-world questions.

Having a Managed Security Services Provider (MSSP) watching over your cloud environment is always a great benefit as well. As any IT professional knows, it is impossible to have eyes everywhere while tending to day-to-day operations.

I hope that after reading my little rant you will definitely do your due diligence on the cloud before jumping into something just because upper management starts throwing around buzzwords like “The All Powerful CLOUD!” Just remember that you will need real-world, information security practices, and there is never anything as easy as a special man behind a curtain to solve your problems.

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Enhance your cloud security skills with CSA's online training options.