Top Threats to Cloud Computing?

When is a threat not a threat? The answer is when it’s selected by someone who does not understand the correct terminology. 
In fact this happens a lot when you ask ordinary business managers to name their top risks. Instead of a list of risks, you often get a bunch of issues, problems or subject areas: things like ‘compliance’ or ‘privacy’. But a risk is an event, not a subject area; something for which we can assign a probability of occurrence within a specific period.
You don’t expect to see this type of sloppy analysis coming from a collection of leading security experts, especially one that is aiming to teach the rest of us how to go about security. So I was surprised to find that the ‘Top Threats to Cloud Computing’ just published by the Cloud Security Alliance contains little about specific threats, but plenty of waffle about general IT security problem areas.
Some of the threats are vulnerabilities, such as ‘Insecure Application Programming Interfaces’ or ‘Shared Technology Vulnerabilities’. One of them, ‘Unknown Risk Profile’, is not a risk at all but the absence of a risk assessment. The rest are too general to be of any use, such as ‘Malicious Insiders’, ‘Data Loss or Leakage’ and ‘Abuse and Nefarious Use of Cloud Computing’.
This paper can be largely summed up in one sentence: “Cloud Computing presents the same risks of fraud and data breaches as any large, outsourced critical business service. You need to follow good security practices.” Unfortunately, such concise wisdom would not come across as a major advance of the state of the art.

Join the conversation



Concise? Have you read your recent book lately..... Indeed the concept of cloud being a buzzword many will leap upon to show state of the art / being up with the kids is certainly worrying. Cloud computing, like you say, is similar to outsourcing, but I would go beyond that and say that cloud computing is no different to internal hosting. Yes, you don't have control over the hardware, but if you think that your internal comms room or data center has better physical security controls then I'd be surprised (excepting any mil readers). So why then should we care that it is hosted by a 3rd party that has no vested interests in accessing those assets versus internal people who arguably have more so? Maybe cloud computing is safer! For the naysayers that then say the controls you can put in place in the cloud are worse/less to when you place them in house, I would argue that whilst they are different they require us to alter our approach and nothing more. Storing data, even PCI data, in the cloud should not scare us. Storing keys in the cloud should, but then why would anyone store keys in the cloud? I believe that organisations should look to adopt a hybrid approach where the bulk functionality is occurring in the cloud but the specific aspects of interacting with data in a secure fashion (e.g. encrypting (well, only symmetrically) and decrypting) should be done internally. This big shift would result in a fundamental change to most organisations (and of course be to Amazon's benefit!). John
The security threat in cloud computing is the same as what we face on the internet today otherwise. If we don't follow the security guidelines we are open to hackers. The added threat is the matter of trust between the vendor and service provider. Since cloud works on the internet, the security is always questioned when we put more data on the cloud. It is the same way as we put data on a website for public access and try to protect it. A better way is to make the internet protocol work robustly. The client-server concept needs to be changed to address the security issues. When the client-server concept was evolved initially, probably there was no imagination that the concept could be used on the internet. There is more work required on the protocols we use on the internet, client-server architecture, and webservers and browsers to make them stronger in security.