By: Michael Sutton

Help Contribute To The Cloud Security Alliance 'Top Threats' V2.0



In March of this year, at RSA 2010, the Cloud Security Alliance officially unveiled the Top Threats to Cloud Computing. This was a collaborative effort that drew upon the expertise of some of the finest minds in the security industry to compile a list of threats facing both enterprises deploying cloud-based solutions and the vendors providing the infrastructure. The original list took several months to compile, with input from cloud vendors, consumers and researchers. In the end, the Top Threats to Cloud Computing v1.0 guidance was released, but it was always meant to be a starting point, not the end of the journey.

We're now working toward updating the Top Threats and plan to release the v2.0 list at the RSA Europe 2010 conference in October, but we need your help. You may have read v1.0 and thought "why did/didn't they include this particular threat?" Well, now is your chance to ensure that your voice is heard. Whereas v1.0 was compiled by a closed group in the interest of 'putting a stake in the ground', we want v2.0 and future revisions to be a truly open, collaborative effort with submissions from all those concerned.

Here's our plan:

  1. Starting now, you have the ability to propose the inclusion of new threats to the Top Threats list by submitting them online.
  2. We'll compile and summarize all submissions and present them to a judging panel.
  3. The panel will ultimately select the final v2.0 list, which will be released at RSA Europe 2010.

A summary of the v1.0 Top Threats to Cloud Computing is below, but please also see the detailed guidance, which is available here.
  1. Abuse and Nefarious Use of Cloud Computing
    • Service Models - IaaS & PaaS
    • Description -  By abusing the relative anonymity behind these registration and usage models, spammers, malicious code authors, and other criminals have been able to conduct their activities with relative impunity.
  2. Insecure Interfaces and APIs
    • Service Models - IaaS, PaaS & SaaS
    • Description - The security and availability of general cloud services is dependent upon proprietary APIs that may not have been adequately scrutinized.
  3. Malicious Insiders
    • Service Models - IaaS, PaaS & SaaS
    • Description - The threat of a malicious insider is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure.
  4. Shared Technology Issues
    • Service Models - IaaS
    • Description -  Vulnerabilities within components of the underlying cloud architecture or the virtualization hypervisor could lead to inappropriate levels of control or influence on the underlying platform and/or unauthorized data stores.
  5. Data Loss or Leakage
    • Service Models - IaaS, PaaS & SaaS
    • Description -  The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.
  6. Account or Service Hijacking
    • Service Models - IaaS, PaaS & SaaS
    • Description - If an attacker gains access to the credentials of a cloud-based platform, they can eavesdrop on activities and transactions, manipulate data, return falsified information, and redirect clients to illegitimate sites.
  7. Unknown Risk Profile
    • Service Models - IaaS, PaaS & SaaS
    • Description -  When adopting a cloud service, details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging are often unknown, leaving customers with an unknown risk profile that may include serious threats.
See something you don't agree with? Then do something about it! Contribute to the v2.0 list.
 
- michael
