A report from the Cloud Security Alliance (CSA) explained that the cloud is not as safe as many people think it is, based on “nine major categories of threats that face cloud technologies”; organizations “must weigh these threats as part of a rigorous risk assessment, to determine which security controls are necessary.” CDW issued a white paper entitled “Playbook: Overcoming Cloud Security Concerns,” which explained how to deal with the 9 CSA threats and described the difference between data loss and data breach:
Data loss is sometimes confused with data breach. Unlike a data breach, which always involves an unauthorized party gaining access to sensitive data — an exploitation of confidentiality — data loss simply means that an organization’s data has been deleted or overwritten, a failure of availability.
Here are the 9 CSA Threats with CDW’s comments included:
1. Data Breaches. Major data breaches have been reported at every type of organization: businesses, educational institutions, government agencies and others. Each data breach involves one or more unauthorized parties gaining access to portions of the organization’s sensitive data.
2. Data Loss. Data loss generally occurs when data that has not been properly duplicated and secured to protect its availability is lost, deleted or otherwise made unavailable. Unfortunately, data loss has become more prevalent in cloud environments because many IT managers operate under the false assumption that the cloud inherently provides superior protection for availability.
3. Account or Service Traffic Hijacking. This threat involves the practice of gaining unauthorized access to a user account or service, such as stealing a user’s password and logging into a system as that user, or exploiting a vulnerability in a service to gain access to that service. Hijacking is most often performed to gain access to sensitive data to which a user or service has access, or to perform actions under the user’s or service’s privileges.
4. Insecure Interfaces. Software interfaces, such as application programming interfaces (APIs), provide access to cloud-based services by allowing commands to be issued against the service. Generally, some parts of an API allow for service usage, while other parts allow for service management. An insecure API can lead to compromises of both service usage and management, causing data breaches, data loss and other serious problems.
5. Denial of Service. Denial of Service (DoS) attacks have been a threat against applications and services for many years. These attacks work by consuming resources, thus preventing legitimate users from accessing those resources.
6. Malicious Insiders. Malicious insiders are authorized personnel — users and administrators — who intentionally violate organizational policy for personal reasons, such as financial gain or revenge. Because they already have access to sensitive data, malicious insiders may readily cause data breaches, data losses and other negative effects. For example, an insider may copy a sensitive database onto a flash drive, then use the information stored on it to commit identity theft.
7. Abuse of Cloud Services. Abuse of cloud services involves parties taking advantage of cloud services to perform malicious acts, such as cracking passwords or launching attacks against other systems. Abuse of cloud services is a threat primarily affecting cloud service providers, not cloud customers.
8. Insufficient Due Diligence. Organizations that are considering the adoption of cloud technologies must fully understand the risks inherent in this step. An enterprise that does not effectively secure its cloud deployment to address the numerous cloud threats faces a significantly increased risk of compromise.
9. Shared Technology Vulnerabilities. Vulnerabilities within the cloud infrastructure itself, such as hypervisor weaknesses or an application or service shared by cloud users from different organizations, also represent a threat. The risk of these vulnerabilities is that an attacker can exploit a weakness in one piece of software to gain unauthorized access to data and services for multiple cloud customers.
Of course, with proper planning, most of these threats can be eliminated.