A number of high-profile security breaches in cloud systems (such as what recently occurred with Lowe's) have reinforced the idea that the cloud is no more secure than any other computer network or system—and may be even more vulnerable.
Cloud systems are also tempting targets for hackers because a single successful breach can steal information from multiple companies or organizations. Today's key security issues that are actively exploited by hackers can be grouped into the following three categories.
Cloud access key leakage: In the context of infrastructure as a service and platform as a service, clients are often provided access keys. Hackers can identify central developers or stakeholders, invite them to a special website through social engineering, and then break into their desktops and steal access keys. Once that access key is identified by a hacker, they have a pathway to all corresponding cloud accounts.
Zero-day vulnerabilities: A zero-day vulnerability is merely a software hole unknown to the vendor or developer. There is sometimes a race between hackers who try to exploit the hole and vendors who want to patch the hole.
Lost systems: Projects in development generate a fair amount of incomplete and insecure drafts. These drafts aren't necessarily destroyed—they can be left unmonitored, unmaintained, and, perhaps more importantly, unpatched within the final cloud environment. These relatively unprotected project components are sweet targets for hackers to enter the rest of the system.
Maintaining and monitoring these drafts is impractical. However, utilizing a central storage system for all log files and keeping them in a protected environment can cut down on a significant security weakness.
To keep one step ahead of hackers, you need to understand what you can protect, where you might lose visibility, and where you need to apply extra security assurance.
As such, not all recommendations are suited for every organization, but these are some controls everyone can and should implement.
For more ideas, the Cloud Security Alliance has a Security, Trust and Assurance Registry (STAR) program that offers a comprehensive set of offerings for cloud provider trust and assurance.
Stay alert, maintain your cloud security, and send me an email or leave a comment if you have any questions.