Cloud security’s seven deadly sins

Data Loss/Leakage

There isn’t currently an acceptable level of security controls surrounding data in the cloud. Some applications could be leaking data as a result of weak API access control and key generation, storage and management. And, data destruction policies may also be absent.

Shared Technology Vulnerabilities

In the cloud, a single misconfiguration can be duplicated across an environment where many virtual servers share the same configuration. Enforce service level agreements (SLAs) for patch management and best practices for network and server configuration.

Malicious Insiders

The level of background checks that cloud providers perform on staff may differ compared to how enterprises would prefer to control data centre access. Many providers may do a good job but it’s largely uneven. Perform a supplier assessment and outline a level of employee screening.

Account, Service & Traffic Hijacking

A lot of data, applications and resources are concentrated in the cloud where, with weak authentication, an intruder can access a single user account and ultimately get at that customer’s virtual machines. Proactive monitoring of threats and two-factor authentication is advised.

Insecure Application Programming Interfaces

It’s important to perceive the cloud as a new platform and not merely as outsourcing when it comes to developing applications. There ought to be a vetting process surrounding application lifecycles, where the developer understands and applies certain guidelines regarding authentication, access controls and encryption.

Abuse and Nefarious Use of Cloud Computing

The bad guys are probably more progressive than the good guys in how they use technology. Hackers are seen very quickly applying new threats combined with the ability to easily scale up and down in the cloud. All it takes is a single credit card to open up the floodgates.

Unknown Risk Profile

Transparency issues continue to persist concerning cloud providers. Account users only interact with the front-end interface and really don’t know what goes on in the backend. Who knows which platforms or patch levels the provider is employing?