Cloud computing's no PICNIC*: Yep, biggest security risks down to customer, not provider
*Problem In Chair Not In Computer, says report
Industry nonprofit the Cloud Security Alliance has published a report on the top threats to cloud computing, concluding that the biggest issues are caused by customers, not by the cloud "solution" providers (CSPs).
In the early days of cloud computing, security concerns were centred on the risks of multi-tenancy (sharing computing resources with other customers on the same physical hardware), or that the CSP might not do as good a job as internal IT departments at securing digital assets.
The CSA said it "noticed a drop in ranking of traditional cloud security issues under the responsibility of providers. Concerns such as denial of service, shared technology vulnerabilities, and CSP data loss and system vulnerabilities were now rated so low they have been excluded in this report... instead, we're seeing more of a need to address security issues that are situated higher up the technology stack that are the result of senior management decisions."
No surprise there. But what are the main cloud risks today?
Top of the list is data breaches, caused by a variety of factors ranging from hacked accounts and server vulnerabilities, to data simply being left unprotected on internet-accessible services. One possible cause is listed as a separate risk by the CSA – misconfiguration and inadequate change control. Multi-cloud makes it worse. "Using multiple cloud providers adds complexity, as each provider has unique capabilities which are enhanced and expanded almost daily," the group said. The implication is that companies cannot keep up.
Next up is poor cloud security architecture, and here the CSA points the finger at lift-and-shift migrations. If you prioritise getting a legacy application up and running quickly on a different platform, rather than redesigning it for the cloud, you will probably get it wrong.
Credential and key management is another big one. It is not a good idea to put passwords in public GitHub repositories, the report observes. File under bleeding obvious, but it happens. Other suggestions include using two-factor authentication, segregating and segmenting accounts based on business need and the principle of least privilege, and removing unused credentials.
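Two of the report's suggestions above, keeping secrets out of repositories and removing unused credentials, can both be checked mechanically. The following is an added example written for this article, not code from the CSA or from any provider; the secret patterns, the sample repository files and the credential inventory are all constructed here, and the 90-day idle threshold is an assumed policy value.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed patterns for secrets that commonly end up committed to source control.
# The AWS access key shape (AKIA + 16 characters) is the documented public format;
# the generic assignment pattern is a deliberately simple heuristic.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|secret|api_key)\s*[=:]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Constructed sample repository: one config file with a hard-coded password,
# one .env file with a key id, and a README that only mentions the variable name.
SAMPLE_FILES = {
    "settings.py": 'DEBUG = True\nDATABASE_PASSWORD = "hunter2-but-longer"\n',
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=eu-west-1\n",
    "README.md": "# Service\nSet DATABASE_PASSWORD in your environment; never commit it.\n",
}

# Constructed credential inventory: the kind of export an IAM console or API gives you.
SAMPLE_CREDENTIALS = [
    {"name": "deploy-bot", "last_used": "2019-12-30", "created": "2019-01-01"},
    {"name": "old-contractor", "last_used": "2019-06-01", "created": "2018-03-01"},
    {"name": "never-used-key", "last_used": None, "created": "2019-01-01"},
    {"name": "new-key", "last_used": None, "created": "2020-01-10"},
]


def scan_text_for_secrets(path, text):
    """Return one finding per (line, pattern) hit; the secret value itself is not copied out."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "kind": kind})
    return findings


def scan_repo(files):
    """Scan a mapping of path -> file contents, as a pre-commit hook would over staged files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text_for_secrets(path, text))
    return findings


def stale_credentials(credentials, now, max_idle_days=90):
    """Names of credentials not used within max_idle_days.

    A credential that has never been used is judged by its creation date, so a key
    created last week is not flagged while one created a year ago and never used is.
    """
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for cred in credentials:
        reference = cred["last_used"] or cred["created"]
        when = datetime.fromisoformat(reference).replace(tzinfo=timezone.utc)
        if when < cutoff:
            stale.append(cred["name"])
    return stale


if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_FILES):
        print(f"{finding['path']}:{finding['line']}: possible {finding['kind']}")
    # Constructed "today" so the example is reproducible.
    today = datetime(2020, 1, 15, tzinfo=timezone.utc)
    for name in stale_credentials(SAMPLE_CREDENTIALS, today):
        print(f"credential {name} unused for over 90 days: review and remove")
```

The scanner reports the file, line and pattern kind but deliberately does not echo the matched value, so its own output does not become a second place the secret lives. The staleness check treats never-used keys by creation date, which is the case a naive "last used" filter misses.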
CSPs are not entirely let off the hook. Two-factor authentication should be available as standard, said the CSA, while "unfortunately, many CSPs only make two-factor authentication available to their customers as a premium service". The largest CSPs seem to have this right, at least for basic multi-factor authentication, but it may still be a problem for smaller providers.
Another issue is that sometimes organisations do not have enough usage visibility into the cloud services they consume, because of weak policies or shadow IT (projects that take place outside the oversight of the IT department).
Finally, the report notes CSPs have a responsibility to address misuse of their resources by hackers and fraudsters. This can be difficult as CSPs are also expected to observe the confidentiality of customer systems running in the cloud. Every CSP should have an incident response framework "to address misuse of resources", argued the CSA.
What we learn then is that enterprises are equally able to screw up security whether their IT systems are on-premises or in the cloud. The cloud has not been the security disaster that some feared, but migrating from on-premises systems will do nothing to fix weak security practices. ®