Identifying And Remediating Security Vulnerabilities In The Cloud

[Excerpted from "Identifying and Remediating Security Vulnerabilities in the Cloud," a new report published this week on Dark Reading's Insider Threat Tech Center.]

Not too long ago, cloud computing was just a buzzword -- and a confusing one at that. In a 2008 InformationWeek survey regarding attitudes toward the cloud, 21% of the 456 respondents considered cloud computing a "marketing term used haphazardly."

Since that time, adoption of cloud services has ticked upward. According to the 2012 version of the InformationWeek survey, one-third of 511 respondents are already receiving services from a cloud provider. Another 40% said they were in the planning or evaluation stages.

But before an organization pushes all its chips into the center of the cloud computing table, there is the "s" word to consider -- security. For all the promise of the various cloud delivery models, security is a constant threat to stop cloud computing in its tracks.

Take, for example, the recently reported hack of Zendesk, which sells cloud-based customer service software. According to the company, an investigation revealed that a hacker accessed support information for three of the company's customers and then downloaded the email addresses of people who contacted those customers for support. Zendesk patched the vulnerability and closed the hole the hacker used to access its system, but the damage was done.

How should enterprises decide on a cloud security strategy? "The first step is to know your business requirements, the type of cloud service you'll be using and your risk tolerance levels," says Jon-Michael C. Brook, senior principal cloud/security architect at Symantec. "Every organization's security needs and expectations are different, so it's important to understand how the cloud service provider can meet those needs."

Another good starting point is the Security, Trust & Assurance Registry maintained by the Cloud Security Alliance. The registry provides a record of self-assessed security practices of IaaS, SaaS and PaaS vendors, and can give organizations a sense of what the vendors they are considering will offer in terms of security controls.

The CSA has other documents, such as the Consensus Assessments Initiative Questionnaire, that can help organizations with this process as well. This is part of the due diligence that organizations should follow when selecting a cloud vendor.

But that's just the beginning. Securing cloud environments is a sweeping proposition that touches on the topics of virtualization security, access control, data protection and a host of other areas.

Just recently, the Cloud Security Alliance put out its list of the top nine threats to cloud computing. The list covers a substantial amount of ground, from data loss to account hijacking to denial-of-service attacks.

"The two vulnerabilities I hear of the most are some kind of Web app vulnerability -- most common is SQL injection -- and the risk posed by email-borne attacks against internal employees of the cloud provider," says Alex Horan, security strategist at penetration testing firm CORE Security. "With SQL injection, I potentially have access to all the data in your cloud instance. It is important to point out that sometimes the SQL injection vulnerability is introduced by the user of the cloud service and not the service itself."

To find out more about the types of vulnerabilities introduced by cloud computing -- and how your organization can begin to identify and remediate them -- download the free report on cloud security.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.