Dark Reading is part of the Informa Tech Division of Informa PLC

Comments
Understanding The Cloud Threat Surface
Catherine Hudson,
User Rank: Apprentice
5/17/2017 | 8:28:06 AM
Measures to reduce the threats
To address the threats you mentioned, one should turn to SAM tools as well, such as Binadox. You can use it to monitor what SaaS (cloud) services were subscribed to/used by your employees and analyze the corresponding terms of service to determine risks.
ChopperDan64,
User Rank: Apprentice
4/11/2016 | 12:18:48 AM
Generalizations of threat don't = new threat vectors
I would challenge you in your article, every place you reference the cloud assuming public cloud, replace it with corporate IT and see if there is anything new. Unlikely you will find any differences. Generalizing all IT vulnerabilities to say they are cloud vulnerabilities just because an organization connects to a SaaS service does not mean all IT vulnerabilities are now cloud specific. As an example, your research reference states, "Nearly one in four users (25%) own data that violates corporate security policy". The issues you bring up, which are good ones, are unlikely cloud specific, just IT general vulnerabilities.
RonZalkind,
User Rank: Author
4/8/2016 | 2:28:26 PM
Re: The Public vs Private Cloud

The public cloud is not as scary and dark a place as you imagine, WilliamM801. It just takes user education to ensure the data is kept secure. There are downsides and upsides to each — public and private. Ultimately, it's up to the organization to decide what's right for them.

RonZalkind,
User Rank: Author
4/8/2016 | 2:27:29 PM
Re: Moving from a house to a hotel.....

Good point, Nathanwburke. The way I look at it is security can be a reason to move to the cloud from on-premises. The cost savings, highly flexible and scalable, elastic nature are why we've seen this exponential growth in cloud adoption.

WilliamM801,
User Rank: Apprentice
4/6/2016 | 5:30:40 PM
The Cloud dare to compare
Cloud technologies have conquered vast IT territories and keep marching in all directions. How do cloud solutions compare to the old-fashioned Server solution in small business environments? The simplest, most accurate answer is rather ambiguous: "it all depends". For some businesses, cloud technologies can play a very limited role, while others should embrace it at once in order to enjoy the savings, support simplicity, and longevity of a cloud solution.

www.alloraconsulting.com/it-solutions/93-cloud-technologies-vs-server-solutions-for-small-business
Charlie Babcock,
User Rank: Ninja
4/6/2016 | 4:18:27 PM
The threat surface actually shrinks
The cloud environment is no scarier than the existing enterprise environment, which contains its own liabilities. Ron Zalkind's analysis is a good one and points out what issues to try to address. In the long run, I think the cloud environment represents the one that can be made most secure.
nathanwburke,
User Rank: Author
4/6/2016 | 3:10:29 PM
Moving from a house to a hotel.....
Ron,

Good points, and your article makes me think of a few things:

The cloud isn't just a "different on-prem". In the early days, companies saw their move to the cloud as simply a matter of location...instead of having a server room in the building, they used someone else's. 

It's almost like moving from a house into a hotel and expecting everything to remain exactly the same. 

You store all your stuff in your house, and you're responsible for keeping it all safe. You do that by only giving out keys to people you trust, and you get a service like ADT as an extra layer of defense. 

When you move into the Marriott, you still want to keep your stuff safe, but now it's different.
  • You have a couple of keys, but they belong to the front desk, and they can create any number of copies at a moment's notice.
  • Although you still only give your keys to people you trust, the hotel has master keys that they give to the cleaning staff and others. In essence, they control access. Not you. 
  • You can ask the front desk if you can install ADT in just your room, but that's probably not going to happen. Even if they agreed (they won't), you'd still have to give them the access codes. 
  • If someone breaks into the hotel's security system, they now have access to your stuff as well as every other guest.

But it's not all bad. You could be staying at a hotel that has better security than you could possibly have at home. Not only that, you have access to the pool, the gym, a free paper, a concierge, and maybe even breakfast is thrown in. You now have capabilities that wouldn't be available at home. 

It's not necessarily better or worse, just different. And with that, you can't take the same approach to security. You have to adapt to protect yourself against different threats. And perhaps giving the front desk a $5 handshake every now and then could significantly increase your security posture. Worth a shot. 
WilliamM801,
User Rank: Apprentice
4/6/2016 | 1:41:19 PM
The Public vs Private Cloud
The public cloud is a scary dark cloud...when you never meet who holds your data

A private cloud like in this article here is the safe bet in my opinion

www.alloraconsulting.com/it-services/managed-cloud-domain-controller

