Identifying And Remediating Security Vulnerabilities In The Cloud

Published: 22/11/2024   Category: security


Cloud computing can lead to security risks. Here are some insights on tracking them down.



[Excerpted from "Identifying and Remediating Security Vulnerabilities in the Cloud," a new report published this week on Dark Reading's Insider Threat Tech Center.]
Not too long ago, cloud computing was just a buzzword -- and a confusing one at that. In a 2008 InformationWeek survey regarding attitudes toward the cloud, 21% of the 456 respondents considered cloud computing a marketing term used haphazardly.
Since that time, adoption of cloud services has ticked upward. According to the 2012 version of the InformationWeek survey, one-third of 511 respondents are already receiving services from a cloud provider. Another 40% said they were in the planning or evaluation stages.
But before an organization pushes all its chips into the center of the cloud computing table, there is the "s" word to consider -- security. For all the promise of the various cloud delivery models, security is a constant threat to stop cloud computing in its tracks.
Take, for example, the recently reported hack of Zendesk, which sells cloud-based customer service software. According to the company, an investigation revealed that a hacker accessed support information for three of the company's customers and then downloaded the email addresses of people who contacted those customers for support. Zendesk patched the vulnerability and closed the hole the hacker used to access its system, but the damage was done.
How should enterprises decide on a cloud security strategy? "The first step is to know your business requirements, the type of cloud service you'll be using and your risk tolerance levels," says Jon-Michael C. Brook, senior principal cloud/security architect at Symantec. Every organization's security needs and expectations are different, so it's important to understand how the cloud service provider can meet those needs.
Another good starting point is the Security, Trust & Assurance Registry maintained by the Cloud Security Alliance. The registry provides a record of self-assessed security practices of IaaS, SaaS and PaaS vendors, and can give organizations a sense of what the vendors they are considering will offer in terms of security controls.
The CSA has other documents, such as the Consensus Assessments Initiative Questionnaire, that can help organizations with this process as well. This is part of the due diligence that organizations should follow when selecting a cloud vendor.
But that's just the beginning. Securing cloud environments is a sweeping proposition that touches on the topics of virtualization security, access control, data protection and a host of other areas.
Just recently, the Cloud Security Alliance put out its list of the top nine threats to cloud computing. The list covers a substantial amount of ground, from data loss to account hijacking to denial-of-service attacks.
"The two vulnerabilities I hear of the most are some kind of Web app vulnerability -- most common is SQL injection -- and the risk posed by email-borne attacks against internal employees of the cloud provider," says Alex Horan, security strategist at penetration testing firm CORE Security. "With SQL injection, I potentially have access to all the data in your cloud instance. It is important to point out that sometimes the SQL injection vulnerability is introduced by the user of the cloud service and not the service itself."
To find out more about the types of vulnerabilities introduced by cloud computing -- and how your organization can begin to identify and remediate them -- download the free report on cloud security.