Web Security Risks: The Top 8 According To ENISA

Cloud Security Risks

Does cloud security risks ever bother you? It would be weird if it didn’t. Cloud computing has a lot of benefits, but also a lot of risks if done in the wrong way.

So what are the most important risks? The European Network Information Security Agency did extensive research on that, and identified 35 risk categories. This analysis is used by a number of players in the industry, including certain banking regulators. From those 35, ENISA has selected 8 as the most relevant ones. This article explains them, not in any particular order. (And by the way: ENISA is pronounced as ‘eniesa’, not ‘enaiza’).

Cloud Security Risks - Isolation Failure

Loss of governance

As a cloud consumer you need to be sufficiently in control of your IT systems. If the cloud service agreement does not give you the proper tools, you have a problem. Example: you should be able to make a backup of your important data and get it out of the cloud provider system.

Lock-in

Can you move your data and processes from one provider to another? It will always take you effort, but how much? On the infrastructure level it may be fairly straightforward to move to a different provider, but it may be significantly more expensive to move to a different CRM (Customer Relationship Management) system. Don’t get too scared though; remember that most companies have gone through similar projects before there was cloud.

Isolation failure

Cloud computing, by definition, is about sharing resources: i.e. processing capacity. Now if one tenant (cloud word for customer) can influence another’s resources that is considered isolation failure. One example is starving a tenant of CPU power. Another is hacking into another tenant’s virtual machine (which is pretty hard, by the way). A third example is leaking information between tenants, which happened to DropBox a while ago.

Compliance risks

A lot of cloud consumers need to demonstrate that they take proper care of their data, for example because it contains credit card numbers. If your cloud provider does not help you with that, you are at risk.

Management interface compromise

This is another of those ‘risk-speak’ jargon expressions. You probably control your cloud usage through some portal over the internet, which potentially allows cloud security risks and a bad guy from anywhere in the world access.

Data protection

This is similar to compliance risks. Can you check that all data is handled in a lawful way? Are you sure that their back end providers do the same? Certification can go a long way towards demonstrating that, by the way.

Insecure or incomplete data deletion

You are asking your cloud provider to store your data safely, which they probably do by making multiple copies. Then you ask them to delete that same data. That might be hard, as it probably is on multiple disks that are shared with other customers, so they cannot simply shred the hard disks. This problem is not very unique to cloud by the way. You may have it with your own servers, printers and copying machines, all of which contain a lot of storage.

Malicious insider risks

In a cloud provider you have a number of people who may have extreme powers because they can look at all data. One well know ridesharing website had implemented and used a ‘God View’, in which one person could look at all the data.

If you are evaluating cloud solutions, it makes great sense to take a look at each of these eight risk categories first, to see how you and your cloud provider would be handling them. In enough cases cloud providers are demonstrably good enough at this, which you can find out by analyzing their documentation and reports.

More cloud security risks are elaborated in the CCSK (Certificate of Cloud Security Knowledge) body of knowledge. The ENISA research is part of that. For more information on that certification you can visit http://www.ccsk.eu.

Peter H.J. van Eijk

Viral Infection Wearabletech
Data Fallout.png
Data Bed.png
The Sticky Note.png
Cloud VPS
Cloud vs. Bare Metal Looking for hosting solutions, you’ve definitely come across VPS and dedicated server hosting many times. But in recent years the probability of coming across some other hosting services, namely cloud hosting ...
Gilad David Maayan
What is Open Source Security? Open source software is now an inseparable part of most software projects. Research has estimated that as much as 90% of enterprise software is made up of open source components ...
Kerry Leigh Harrison
Top Challenges of User Onboarding for Mobile Apps There’s nothing more frustrating than seeing that someone has downloaded your app and then uninstalled it. However, 80% of users will drop an app if they don’t ...
Marcus Schmidt
Microsoft’s Operator Connect Earlier this year, Microsoft announced a new calling service for Microsoft Teams (Teams) users called Operator Connect. IT leaders justifiably want to know how Operator Connect is different from Microsoft’s existing PSTN ...
Gilad David Maayan
Azure Storage Pricing Introduction to Azure Storage Services Azure Storage is a set of cloud storage services provided by Microsoft as part of the Azure public cloud. It offers highly scalable object storage, file systems ...