Cloud's risks spur 'notorious nine' threats for 2013

Summary:Data breaches top the list, up from No. 5 just two years ago, in Cloud Security Alliance report.

It's shared and it's on-demand, but the cloud comes with a number of threats that the Cloud Security Alliance (CSA) outlined Monday with the release of its "Notorious Nine" for 2013.

The top three threats this year are data breaches, data loss and account hijacking. In 2010, the top three were abuse of cloud services, insecure interfaces and APIs, and malicious insiders. Those three are still on the list but have fallen (7, 4, 6, respectively) in 2013.

At its annual Summit at the RSA Conference, CSA released the list compiled by its Top Threats Working Group, which seeks to aid companies with their risk-management decisions.

The CSA Top Threats Working Group, which conducted a cloud threats survey with a grop of industry experts, is led by Rafal Los, senior security strategist for HP Software, Dave Shackleford, founder and principal consultant at Voodoo Security, and Bryan Sullivan, senior security program manager at Microsoft.

Here are 2013's nine top threats for cloud computing:

 1. Data Breaches

We all know data breaches like an annoying old acquaintance, but cloud computing brings with it new paths to aggravation. Here's one that's not so nice to contemplate. A poorly designed multitenant cloud service database allows an attacker not only entrance into one account, but to every other account associated with the service.
2010 ranking: 5

2. Data Loss

This is epic hack story where all your data is either stolen or wiped from your devices. Ouch. An accidental deletion or act of God (think Hurricane Sandy) could lead to permanent data loss unless the provider has backup (don't assume they do or be sure to ask just how they do it). Also, if an enterprise encrypts data before uploading it to the cloud, they better protect the encryption keys or the data is as good as gone.
2010 ranking: 5

3. Account or Service Traffic Hijacking

Enterprises know the drill, hackers social engineer credentials out of innocent end-users with phishing, fraud or by exploiting software vulnerabilities. The credentials typically offer access not to one but to many accounts because end-users re-use those passwords on multiple sites. For providers, the cloud adds a twist if stolen credentials can be used to eavesdrop, manipulate data, return bogus information, or redirect users of the service to fraudulent sites. Not only can attackers pull those tricks, the can use your reputation as another tool for social engineering user behavior.
2010 ranking: 6

4. Insecure interfaces and APIs

APIs allow any number of interactions in the cloud - provisioning, management and monitoring to name a few - and they can be a weak link in overall security. APIs are controlled via policy, and developers must take care to design in quality and security that can't be circumvented. And the problem gets more complex as APIs are layered across domains.
2010 ranking: 2

5. Denial of Service

Knocking out a cloud service is one method of attack that robs users of access to their resources and data, and introduces a latency that can mean death to online services. Other forms of attack, such as the asymmetric application-level DoS attacks can exploit weaknesses in web servers, databases and other cloud resources to target and take down a specific application without gobbling up a lot of resources.
2010 ranking: NA

6. Malicious insiders

The inside job is a reality, the risk is something that every organization must weigh. It's different across the board, but when it hits , it hurts. Wtih IaaS, PaaS and SaaS, the insiders in the cloud come along with the providers you hire, but you have little idea who they are and what axes they have to grind. CSA says systems that depend solely on the cloud service provider for security are at the greatest risk. 
2010 ranking: 3

7. Abuse of cloud services

Cloud services democratize computing power, it is available to anyone, even those who seek resources for cracking your encryption, launching a denial of service attack (see No 5), serving server malware or distributing pirated software.
2010 ranking: 1

8. Insufficient due diligence

The benefits of the cloud can be sweet music to some organizations - cost reductions, efficiencies, better security - but the risks are there for those who don't do enough to assess the risks. Not understanding cloud service environments; application or services pushed to the cloud; operational responsibilities such as incident response, encryption, security monitoring can lead to creating unknown levels of risk in ways not previously considered behind corporate walls.
2010 ranking: 7

9. Share technology vulnerabilities

All delivery models show these characteristics brought on by sharing infrastructure, platforms and applications. A defensive in-depth strategy is recommended by CSA and should include compute, storage, network, application and user security enforcement along with monitoring for IaaS, PaaS or SaaS. One fault can be felt across a service provider's cloud.
2010 ranking: 4

The entire report is available from CSA and includes full explanations and links to information on controls and other details on methods to combat these nine gotchas for 2013.

Do you have a No. 10 to round out the list? What is another top threat of cloud computing?

Topics: Cloud, Security

About

John Fontana is a journalist focusing on access control, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he writes and edits a blog, as well as, directs several social media channels and represents Yubico at the FIDO Alliance. Prior to Yubico, John spent five y... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.