Web Security Risks: The Top 8 According To ENISA

Cloud Security Risks

Does cloud security risks ever bother you? It would be weird if it didn’t. Cloud computing has a lot of benefits, but also a lot of risks if done in the wrong way.

So what are the most important risks? The European Network Information Security Agency did extensive research on that, and identified 35 risk categories. This analysis is used by a number of players in the industry, including certain banking regulators. From those 35, ENISA has selected 8 as the most relevant ones. This article explains them, not in any particular order. (And by the way: ENISA is pronounced as ‘eniesa’, not ‘enaiza’).

Cloud Security Risks - Isolation Failure

Loss of governance

As a cloud consumer you need to be sufficiently in control of your IT systems. If the cloud service agreement does not give you the proper tools, you have a problem. Example: you should be able to make a backup of your important data and get it out of the cloud provider system.

Lock-in

Can you move your data and processes from one provider to another? It will always take you effort, but how much? On the infrastructure level it may be fairly straightforward to move to a different provider, but it may be significantly more expensive to move to a different CRM (Customer Relationship Management) system. Don’t get too scared though; remember that most companies have gone through similar projects before there was cloud.

Isolation failure

Cloud computing, by definition, is about sharing resources: i.e. processing capacity. Now if one tenant (cloud word for customer) can influence another’s resources that is considered isolation failure. One example is starving a tenant of CPU power. Another is hacking into another tenant’s virtual machine (which is pretty hard, by the way). A third example is leaking information between tenants, which happened to DropBox a while ago.

Compliance risks

A lot of cloud consumers need to demonstrate that they take proper care of their data, for example because it contains credit card numbers. If your cloud provider does not help you with that, you are at risk.

Management interface compromise

This is another of those ‘risk-speak’ jargon expressions. You probably control your cloud usage through some portal over the internet, which potentially allows cloud security risks and a bad guy from anywhere in the world access.

Data protection

This is similar to compliance risks. Can you check that all data is handled in a lawful way? Are you sure that their back end providers do the same? Certification can go a long way towards demonstrating that, by the way.

Insecure or incomplete data deletion

You are asking your cloud provider to store your data safely, which they probably do by making multiple copies. Then you ask them to delete that same data. That might be hard, as it probably is on multiple disks that are shared with other customers, so they cannot simply shred the hard disks. This problem is not very unique to cloud by the way. You may have it with your own servers, printers and copying machines, all of which contain a lot of storage.

Malicious insider risks

In a cloud provider you have a number of people who may have extreme powers because they can look at all data. One well know ridesharing website had implemented and used a ‘God View’, in which one person could look at all the data.

If you are evaluating cloud solutions, it makes great sense to take a look at each of these eight risk categories first, to see how you and your cloud provider would be handling them. In enough cases cloud providers are demonstrably good enough at this, which you can find out by analyzing their documentation and reports.

More cloud security risks are elaborated in the CCSK (Certificate of Cloud Security Knowledge) body of knowledge. The ENISA research is part of that. For more information on that certification you can visit http://www.ccsk.eu.

Peter H.J. van Eijk

Martin Mendelsohn
The Colonial Pipeline Dilemma The Colonial Pipeline is one of a number of essential energy and infrastructure assets that have been recently targeted by the global ransomware group DarkSide, and other aspiring non-state actors, with ...
Maxim Melamedov
Trouble is Brewing Cloud Paradise - 2023 Will Determine Company's Long-Term Plans for Cloud Use The relationship between developers and the cloud was practically love at first sight. For years, migration to the cloud in ...
10 Leading Open Source Business Intelligence Tools
Open Source Business Intelligence Tools It’s impossible to take the right business decisions without having insightful information to back up the decision-making process. Open Source Business Intelligence Tools make it easier to have our raw ...
Richard Duffy
Overcoming IT Infrastructure Disaster (Updated: 03.24.2023) One of the least considered benefits of cloud computing in the average small or mid-sized business manager’s mind is the aspect of disaster recovery. Part of the reason for ...
Steve Prentice
The Era of Microlearning Becoming employable and then staying employable requires ongoing, up to date knowledge, and this can become something of a dilemma. Many of us grew up with a traditional understanding of the ...
Gary Bernstein
WordPress Website Security You've spent time, effort, and money building your website, so don't let it become outdated and run-down by not taking proper care of it. Here are tips on WordPress Website security, speed, ...
Frank Suglia
Migrating Microsoft Office 2013 As of April 11, 2023, Microsoft will stop supporting Office 2013. The decision to end support for Office 2013 should come as no surprise. Over the past several years, Microsoft has ...
Sofia Jaramillo
Augmented Reality in Architecture Augmented reality (AR) is a growing field of study and application in the world of architecture. This useful tool can help us visualize architectural designs by superimposing them onto real-world scenes ...
The Report.png
Answer To Everything.png
Cloud For Dummies.png
Twitbook.png

PLURALSITE

Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization. 

(ISC)²

(ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees.

CYBRARY

CYBRARY Open source Cyber Security learning. The world's largest cyber security community. Cybrary provides free IT training certificates. Courses for beginners, intermediates, and advanced users are available.