The top threats facing companies using the cloud are hacking, insecure application programming interfaces (APIs), malicious insiders, shared technology vulnerabilities, data loss/leakage, and account, service and traffic hijacking, according to a report by the Cloud Security Alliance.
While the cloud is described as "one of the most significant shifts in IT many of us are likely to see in our lifetimes", the findings make clear its risks, the CSA said.
The report says by understanding the value and sensitivity of the system being relocated and making a correct assessment of the threat, organisations can put the most appropriate security controls in place.
Unauthorised access: There is a need for stricter registration and validation of cloud users. Free trial periods and poor monitoring of credit card fraud and public blacklists allow abuse with relative impunity.
APIs: Application programming interfaces, including ones adapted by third parties, must be designed to protect against accidental and malicious use with strong authentication and access controls.
Malicious insiders: Assess providers, specify employment policy and demand transparency of information security and management practices.
Shared technology: Customers should not have access to any other tenant's data. Cloud users should conduct vulnerability scanning, monitor for unauthorised use and enforce patchwork agreements.
Data loss/leakage: Data can be lost through deletion and failure to back up, and leaked through poor authentication. CSA recommends strong API control, back-up strategies and data encryption.
Hijacking: Phishing, fraud and exploitation of software can be limited by prohibiting account sharing, monitoring and detecting unauthorised use and understanding cloud provider security policies.
The US-based non-profit organisation's research, funded by HP and informed by 29 experts from across the industry, follows CSA's 2009 document, Security Guidance for Critical Areas in Cloud Computing.