The cloud has become an important part of every companies IT solution. Whether you are using a third party software as a service or building your our solutions in the cloud, the cloud is not risk free. Just ask Capital One if you have any questions about that.
So what are the things that you need to consider? The Cloud Security Alliance has done a great job of laying that out. Here is what they are saying:
1. Data Breaches – this is the most public negative consequence of not properly securing your cloud infrastructure.
2. Misconfiguration and inadequate change control – this could lead to a breach (see Capital One, again) or it could lead to downtime.
3. Lack of cloud security architecture and strategy – It is a REALLY bad idea to pick up the solution that you have in your data center and drop it in the cloud. In fact, it could be a disaster.
4. Insufficient Identity and Access Management (IAM). Again, See Capital One. Because if you do this wrong, your systems are exposed to anyone, anywhere in the world.
5. Account hijacking – If the security of the service accounts is compromised things can go downhill fast.
6 – Insider threat – The cloud is no different that any other system and if you have a disgruntled or more likely careless internal user, they can easily expose the entire network to attack.
7 – Insecure APIs and Interfaces – Since the systems are inherently much more public in the cloud, all APIs and interfaces need to be very, very secure.
8 – Weak control plane – A weak control plane means the person in charge—either a system architect or a DevOps engineer—is not in full control of the data infrastructure’s logic, security, and verification. Leading to a breach.
9 – Metastructure and applistructure failures – Cloud providers reveal operations and security precautions at the “waterline” – the line between when the provider is responsible and when the customer is responsible. If that is not well implemented and well understood, the result can be a disaster.
10 – Limited cloud usage visability – without adequate usage visibility, the organization can’t tell the difference between authorized use and hackers.
11- Abuse and nefarious use of cloud services – I think this one is obvious. Could be an insider or a hacker, but the cloud service is not being used in an authorized manner.
For a 40 page manual on this subject from the Cloud Security Alliance, check out this article (registration required).