Fortinet Blog | News and Threat Research

A new survey of industry experts from the Cloud Security Alliance (CSA) finds data breach and data loss at the top of nine critical threats to cloud security.

Cloud computing is more mainstream among businesses and government now than ever before. CSA’s “The Notorious Nine: Cloud Computing Top Threats in 2013” report details the development of the cloud service model and how it delivers business-supporting technology more efficiently. The shift from server to service-based thinking is transforming the way technology departments think about, design and deliver computing technology and applications.

Yet, the authors of the report acknowledge, these advances have created security vulnerabilities, some of whose full impact is still emerging. CSA committee members note that, among the most significant security risks associated with cloud computing is the tendency to bypass IT departments and information officers.

Although shifting to exclusively cloud technologies is affordable and fast, the report’s authors caution that doing so undermines important business-level security policies, processes and best practices. In the absence of these standards, businesses are vulnerable to security breaches that can quickly erase any gains made by the switch to software-as-a-service (SaaS).

“To effectively manage risks in cloud computing, it is essential for companies to understand today’s and tomorrow’s threats specific to the cloud, and that comes with education and proper due diligence,” said J.R. Santos, global research director of the CSA, in releasing the February 2013 report.

Companies are still not doing their proper due diligence – a real issue, said Santos. CSA notes the report reflects the consensus among experts about the most significant threats to cloud security. The focus: threats specifically related to the shared, on-demand nature of cloud computing.

The top spot goes to data breaches. CSA authors call it every CIO’s worst nightmare: the organization’s sensitive internal data falling into the hands of competitors. While the scenario isn’t new, cloud computing introduces a significant avenue of attack. For instance, if a multi-tenant cloud service database is not properly designed, a flaw in one client’s application could allow an attacker access not only to that client’s data, but every other client’s data as well.

Unfortunately, say CSA experts, while data loss and data leakage are serious threats to cloud computing, the measures to mitigate one of these threats can exacerbate the other. For instance, you may encrypt your data to reduce the impact of a data breach, but if you lose your encryption key, you’ll lose your data. Conversely, you may decide to keep offline backups to reduce the impact of a catastrophic data loss, but this increases your exposure to data breaches.

In the number two spot is data loss – not just at the hands of malicious attackers, though. CSA experts caution any accidental deletion by the cloud service provider – or worse, a physical catastrophe such as a fire – could lead to the permanent loss of customers’ data unless adequate measures are taken to back it up. It’s important to remember the burden of avoiding data loss is a shared responsibility between providers and businesses.

Here is a full list of the report’s critical threats to cloud security:

1. Data Breaches

2. Data Loss

3. Account Hijacking

4. Insecure APIs

5. Denial of Service

6. Malicious Insiders

7. Abuse and Nefarious Use

8. Insufficient Due Diligence

9. Shared Technology Issues

For more information on the survey and more details about these critical threats, check CSA’s complete Top Threats Working Group report “The Notorious Nine: Cloud Computing Top Threats in 2013.”