March 24, 2015

Web Security Risks: The Top 8 According To ENISA

By Peter HJ van Eijk

Cloud Security Risks

Does cloud security risks ever bother you? It would be weird if it didn’t. Cloud computing has a lot of benefits, but also a lot of risks if done in the wrong way.

So what are the most important risks? The European Network Information Security Agency did extensive research on that, and identified 35 risk categories. This analysis is used by a number of players in the industry, including certain banking regulators. From those 35, ENISA has selected 8 as the most relevant ones. This article explains them, not in any particular order. (And by the way: ENISA is pronounced as ‘eniesa’, not ‘enaiza’).

Cloud Security Risks - Isolation Failure

Loss of governance

As a cloud consumer you need to be sufficiently in control of your IT systems. If the cloud service agreement does not give you the proper tools, you have a problem. Example: you should be able to make a backup of your important data and get it out of the cloud provider system.

Lock-in

Can you move your data and processes from one provider to another? It will always take you effort, but how much? On the infrastructure level it may be fairly straightforward to move to a different provider, but it may be significantly more expensive to move to a different CRM (Customer Relationship Management) system. Don’t get too scared though; remember that most companies have gone through similar projects before there was cloud.

Isolation failure

Cloud computing, by definition, is about sharing resources: i.e. processing capacity. Now if one tenant (cloud word for customer) can influence another’s resources that is considered isolation failure. One example is starving a tenant of CPU power. Another is hacking into another tenant’s virtual machine (which is pretty hard, by the way). A third example is leaking information between tenants, which happened to DropBox a while ago.

Compliance risks

A lot of cloud consumers need to demonstrate that they take proper care of their data, for example because it contains credit card numbers. If your cloud provider does not help you with that, you are at risk.

Management interface compromise

This is another of those ‘risk-speak’ jargon expressions. You probably control your cloud usage through some portal over the internet, which potentially allows cloud security risks and a bad guy from anywhere in the world access.

Data protection

This is similar to compliance risks. Can you check that all data is handled in a lawful way? Are you sure that their back end providers do the same? Certification can go a long way towards demonstrating that, by the way.

Insecure or incomplete data deletion

You are asking your cloud provider to store your data safely, which they probably do by making multiple copies. Then you ask them to delete that same data. That might be hard, as it probably is on multiple disks that are shared with other customers, so they cannot simply shred the hard disks. This problem is not very unique to cloud by the way. You may have it with your own servers, printers and copying machines, all of which contain a lot of storage.

Malicious insider risks

In a cloud provider you have a number of people who may have extreme powers because they can look at all data. One well know ridesharing website had implemented and used a ‘God View’, in which one person could look at all the data.

If you are evaluating cloud solutions, it makes great sense to take a look at each of these eight risk categories first, to see how you and your cloud provider would be handling them. In enough cases cloud providers are demonstrably good enough at this, which you can find out by analyzing their documentation and reports.

More cloud security risks are elaborated in the CCSK (Certificate of Cloud Security Knowledge) body of knowledge. The ENISA research is part of that. For more information on that certification you can visit http://www.ccsk.eu.

Peter H.J. van Eijk

Peter HJ van Eijk

Peter HJ van Eijk develops and delivers cloud computing training programs. He has delivered these programs dozens of times in the US, Europe, Middle-East and Asia to a wide variety of participants.

He has worked for Deloitte Consulting, IT supplier EDS, internet providers, and at the University of Twente, where he received his PhD in 1988. He is a board member of the Dutch Cloud Security Alliance Chapter.
Cloud Computing Humor

The Competitive Edge: Leveraging AI Assistant Sales Tools for Market Dominance

Leading AI Sales Assistant Tools As we navigate the ever-evolving landscape of sales technology, AI [...]
Read more

Leading Container Security Services for Cloud-Native Environments

Leading Container Security Services In today’s rapidly evolving digital landscape, container security has become a [...]
Read more
Michael Kleef

Akamai’s Michael Kleef Reveals Key Shifts in Cloud Computing Landscape

Welcome to a conversation with Michael Kleef, Vice President of Product Marketing, Developer Advocacy, and [...]
Read more
Arman Borghem

Exploring Digital Sovereignty with Arman Borghem: A Dive into Privacy and Compliance

Exploring Digital Sovereignty with Arman Borghem Welcome to today’s enlightening conversation on digital sovereignty and [...]
Read more

Innovative Solutions Ensuring Cybersecurity in Cloud-Native Deployments

Innovative Solutions Ensuring Cybersecurity The digital landscape is evolving at a breakneck pace, and organizations [...]
Read more
Lex Hegt

How Can Organizations Effectively Monitor and Analyze Their Azure Billing Data?

Monitor and Analyze Azure Billing Data With the ever-increasing investments in Azure, many organizations struggle [...]
Read more

SPONSOR PARTNER

Unlock the power of Google Cloud with a $350 signup credit. Experience enhanced scalability, security, and innovation for your projects today!
© 2024 CloudTweaks. All rights reserved.