
Seven Security Considerations For Cloud Computing

One of the biggest barriers to adopting cloud computing has been concerns over security. At a recent Innovise ESM seminar, ServiceNow's Security Consultant gave this advice on what areas to focus on and how the risks can be reduced.

1. Abuse of Cloud Computing Resources

IaaS and PaaS platforms provide huge computing resources, often behind a very simple registration process. That makes them open to abuse. To combat this there should be:

  • Stricter initial registration and validation processes
  • Enhanced credit card fraud monitoring and coordination
  • Comprehensive introspection of customer network traffic
  • Monitoring public blacklists for one's own network blocks

2. Insecure Interfaces and APIs

Cloud providers offer a set of APIs that customers use to manage their data and to integrate with third-party applications. To keep these interfaces secure, strict controls are needed:

  • Analyze the security model of cloud provider interfaces
  • Ensure strong authentication and access controls are implemented in concert with encrypted transmission
  • Understand the dependency chain associated with the API

3. Malicious Insiders

This is a well-known threat for most organisations. The threat is amplified for consumers of cloud services by the convergence of IT services under single management. To help prevent acts by malicious insiders, companies should:

  • Enforce strict supply chain management and conduct a comprehensive supplier assessment
  • Require transparency into overall information security and management practices, as well as compliance reporting
  • Determine the security breach notification processes

4. Shared Technology Issues

IaaS and some SaaS vendors deliver their services in a scalable way by sharing resources. Multi-tenant environments share hardware resources through hypervisors / virtualization and can expose the underlying operating system. To ensure that you are not compromised through shared resources, organisations should:

  • Implement security best practices for installation/configuration
  • Monitor environment for unauthorized changes/activity
  • Promote strong authentication and access control for administrative access and operations
  • Enforce service level agreements for patching and vulnerability remediation
  • Conduct vulnerability scanning and configuration audits

5. Data Loss or Leakage

There are many ways to compromise data, such as deletion or alteration of records without a backup, loss of an encryption key, insufficient authorization controls, etc. To prevent data loss or leakage you should:

  • Implement strong API access control
  • Encrypt and protect integrity of data in transit
  • Analyse data protection at both design and run time
  • Contractually specify provider backup and retention strategies

6. Account or Service Hijacking

This is not a new concept, and phishing, fraud and exploitation of software vulnerabilities are still achieving results. Attackers could eavesdrop on your activities and transactions and manipulate data. To reduce the likelihood of this:

  • Prohibit the sharing of account credentials between users and services
  • Leverage strong two-factor authentication techniques where possible
  • Employ proactive monitoring to detect unauthorized activity
  • Understand cloud provider security policies and SLAs

7. Unknown Risk Profile

The benefits of using cloud computing resources should be measured against the security concerns. Versions of software, code updates, security practices, vulnerability profiles and security design of the cloud vendor must be understood. Furthermore, legal jurisdiction and local legislation requirements need to be considered, e.g. EU Privacy Laws, PCI Compliance, HIPAA, etc. Areas to consider in relation to this are:

  • Disclosure of applicable logs and data
  • Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.)
  • Monitoring and alerting on necessary information


To register for future Innovise ESM events email Sharon.holland@innovise.com