Web Security Risks: The Top 8 According To ENISA

Cloud Security Risks

Does cloud security risks ever bother you? It would be weird if it didn’t. Cloud computing has a lot of benefits, but also a lot of risks if done in the wrong way.

So what are the most important risks? The European Network Information Security Agency did extensive research on that, and identified 35 risk categories. This analysis is used by a number of players in the industry, including certain banking regulators. From those 35, ENISA has selected 8 as the most relevant ones. This article explains them, not in any particular order. (And by the way: ENISA is pronounced as ‘eniesa’, not ‘enaiza’).

Cloud Security Risks - Isolation Failure

Loss of governance

As a cloud consumer you need to be sufficiently in control of your IT systems. If the cloud service agreement does not give you the proper tools, you have a problem. Example: you should be able to make a backup of your important data and get it out of the cloud provider system.

Lock-in

Can you move your data and processes from one provider to another? It will always take you effort, but how much? On the infrastructure level it may be fairly straightforward to move to a different provider, but it may be significantly more expensive to move to a different CRM (Customer Relationship Management) system. Don’t get too scared though; remember that most companies have gone through similar projects before there was cloud.

Isolation failure

Cloud computing, by definition, is about sharing resources: i.e. processing capacity. Now if one tenant (cloud word for customer) can influence another’s resources that is considered isolation failure. One example is starving a tenant of CPU power. Another is hacking into another tenant’s virtual machine (which is pretty hard, by the way). A third example is leaking information between tenants, which happened to DropBox a while ago.

Compliance risks

A lot of cloud consumers need to demonstrate that they take proper care of their data, for example because it contains credit card numbers. If your cloud provider does not help you with that, you are at risk.

Management interface compromise

This is another of those ‘risk-speak’ jargon expressions. You probably control your cloud usage through some portal over the internet, which potentially allows cloud security risks and a bad guy from anywhere in the world access.

Data protection

This is similar to compliance risks. Can you check that all data is handled in a lawful way? Are you sure that their back end providers do the same? Certification can go a long way towards demonstrating that, by the way.

Insecure or incomplete data deletion

You are asking your cloud provider to store your data safely, which they probably do by making multiple copies. Then you ask them to delete that same data. That might be hard, as it probably is on multiple disks that are shared with other customers, so they cannot simply shred the hard disks. This problem is not very unique to cloud by the way. You may have it with your own servers, printers and copying machines, all of which contain a lot of storage.

Malicious insider risks

In a cloud provider you have a number of people who may have extreme powers because they can look at all data. One well know ridesharing website had implemented and used a ‘God View’, in which one person could look at all the data.

If you are evaluating cloud solutions, it makes great sense to take a look at each of these eight risk categories first, to see how you and your cloud provider would be handling them. In enough cases cloud providers are demonstrably good enough at this, which you can find out by analyzing their documentation and reports.

More cloud security risks are elaborated in the CCSK (Certificate of Cloud Security Knowledge) body of knowledge. The ENISA research is part of that. For more information on that certification you can visit http://www.ccsk.eu.

Peter H.J. van Eijk

Ronald van Loon

Accelerating AI, Cloud, 5G, and IoT Innovation

Artificial Intelligence (AI), Cloud, 5G, and IoT are continuously advancing innovation that extends across business development all the way down to the consumer level. Critical innovations are emerging from the escalation of new technologies, including ...
Thomas Franklin

Future of Stock Markets : Raising Capital Through ICO is 10x cheaper and 20x easier

Future of Stock Markets: Raising Capital Through ICO How blockchain will replace the stock markets as we know them today. Welcome to the future. It’s a beautiful Monday morning of 5th June, 2023. Jane wants ...
Kash Shaikh

A Clairvoyant Look Back on 2021

In a lookback from the future, here is what happened in 2021 as reported on January 1, 2022. 2021 was the year that our world worked its way out of the 2020 pandemic and back ...
Simplifying and Streamlining Cloud Management with AI

Simplifying and Streamlining Cloud Management with AI

AI Cloud Management Software with artificial intelligence capabilities layered with cloud computing can allow businesses to improve their data management, visualize insights that represent patterns in information, deliver a better customer experience, and optimize their ...
Gilad David Maayan

Accessing (HPC) High Performance Computing

HPC in the Cloud Big data and Machine Learning (ML) can provide businesses with incredible insights and an innovative edge. However, to properly analyze the data collected or to train your ML models, you need ...
Tej Redkar

How AI Monitoring Can Make Your Business Smarter and Better

Business AI Monitoring When issues arise with digital technology—as they invariably do—companies must have the ability to fix them before they create any business impact. These days, more and more companies are discovering that the ...