Cloud Computing

The Cloud's Biggest Risks

November 24, 2009

By Michael Eggebrecht

The benefits of cloud computing have been much heralded, but the risks have drawn nearly as much attention. Seeking to help organizations get the benefits of the cloud without putting themselves at risk, the European Union's European Network and Information Security Agency (ENISA) last week issued a report designed to help them decide whether a cloud services provider is as security-conscious as it should be.

In its study, ENISA highlights 35 key security risks, creating a checklist to assist customers in asking vendors the right questions. We'll focus here on 23 risks that are specific to the cloud.

Lock-In

Probability: High

Impact: Medium

Risk: High

"There is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data and service portability," says ENISA, which makes it hard for customers to move data and services from one provider to another, or to and from in-house environments.

The report points to the risk of a "run on the bank," where a crisis of confidence in the cloud provider's financial position causes a mass exodus of customers. "In a situation where a provider limits the amount of 'content' … which can be 'withdrawn' in a given timeframe, some customers will never be able to retrieve their data and applications."

Loss of Governance

Probability: Very High

Impact: Very High

Risk: High

When you use a vendor's cloud infrastructure, you cede control to that company on several fronts. For cloud customers, that loss of control and governance can cause difficulties in areas including confidentiality, data integrity and availability, quality of service and, particularly, security. Some contracts prohibit customers from doing port scans, vulnerability assessment and penetration testing, notes ENISA.

Compliance Challenges

Probability: Very High

Impact: High

Risk: High

"Certain organizations migrating to the cloud have made considerable investments in achieving certification either for competitive advantage or to meet industry standards or regulatory requirements," says the report. If a cloud vendor can't provide evidence that it complies with those regulations, or won't allow an audit, that investment can go out the window.

Reputational Damage Due to Co-tenant Activities

Probability: Low

Impact: High

Risk: Medium

Sharing of resources means that bad behavior on the part of one cloud customer can affect the reputation of its co-tenants. If one tenant is spamming, port scanning or sending out malicious content, it can not only lead to another tenant's IP address getting blocked, but also potentially damage the reputation of innocent organizations.

Cloud Service Termination or Failure

Probability: N/A

Impact: Very High

Risk: Medium

If a cloud provider goes under or has to restructure, it could lead to services being terminated. For customers, that could obviously mean a deterioration of service delivery performance. In addition, says ENISA, service failures "may have a significant impact on the cloud customer's ability to meet its duties and obligations to its own customers. The customer of the cloud provider may thus be exposed to contractual and tortious liability to its customers based on its provider's negligence."

Cloud Provider Acquisition

Probability: N/A

Impact: Medium

Risk: Medium

"Acquisition of the cloud provider could increase the likelihood of a strategic shift and may put non-binding agreements at risk (e.g., software interfaces, security investments, non-contractual security controls)," says the report.

Supply Chain Failure

Probability: Low

Impact: Medium

Risk: Low

When a cloud provider outsources some of the tasks in its production chain, the level of security and service can be affected by the strength of each third-party vendor involved. Transparency is a big concern, says ENISA. "If a provider does not declare which core IT services are outsourced … the customer is not in a position to properly evaluate the risk he is facing."

Resource Exhaustion

Probability: Inability to provide additional capacity -- Low; Inability to provide current agreed capacity -- Medium

Impact: Inability to provide additional capacity -- Low/Medium; Inability to provide current agreed capacity -- High

Risk: Medium

Because cloud providers rely on statistical projections, there is always a level of calculated risk in their allocation of resources, notes ENISA. Bad modeling of resource usage, or inadequate provisioning or infrastructure investments, could cause problems for customers, including downtime, compromised access-control systems, and reputational risk -- when, for example, a cloud customer can't meet heavy seasonal demand from its own customers.

Isolation Failure

Probability: Private Cloud -- Low; Public Cloud -- Medium

Impact: Very High

Risk: High

Not a likely risk for private cloud users, isolation failure can pose a serious threat to customers of public cloud services. "This class of risks includes the failure of mechanisms separating storage, memory, routing and even reputation between different tenants of the shared infrastructure (e.g., so-called guest-hopping attacks, SQL injection attacks exposing multiple customers' data stored in the same table, and side channel attacks)," explains ENISA. Customers could lose sensitive data and experience service interruptions.
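The shared-table case ENISA mentions, shown as an added example that is not from the article or the ENISA report: a query built by string concatenation beside a tenant-scoped, parameterized one. The `invoices` table, tenant names and function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: two tenants sharing one table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (tenant_id TEXT, invoice_no TEXT, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [("acme", "A-1", 100), ("acme", "A-2", 250), ("globex", "G-1", 900)])
    return db

def find_unsafe(db, tenant_id, invoice_no):
    # Weak form: request input is pasted into the SQL text, so the tenant
    # filter holds only as long as invoice_no contains no quote characters.
    sql = ("SELECT tenant_id, invoice_no FROM invoices WHERE tenant_id = '"
           + tenant_id + "' AND invoice_no = '" + invoice_no + "'")
    return db.execute(sql).fetchall()

def find_scoped(db, tenant_id, invoice_no):
    # Hardened form: both values are bound parameters; tenant_id is assumed to
    # come from the authenticated session, never from the request itself.
    sql = "SELECT tenant_id, invoice_no FROM invoices WHERE tenant_id = ? AND invoice_no = ?"
    rows = db.execute(sql, (tenant_id, invoice_no)).fetchall()
    # Defence in depth: fail closed if any row belongs to someone else.
    if foreign_tenants(rows, tenant_id):
        raise RuntimeError("cross-tenant row in result set")
    return rows

def foreign_tenants(rows, tenant_id):
    """Tenants other than the caller that appear in a result set."""
    return sorted({t for t, _ in rows if t != tenant_id})

def demo():
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input containing a quote
    return {
        "unsafe_leak": foreign_tenants(find_unsafe(db, "acme", crafted), "acme"),
        "scoped_crafted": find_scoped(db, "acme", crafted),
        "scoped_normal": find_scoped(db, "acme", "A-2"),
    }

if __name__ == "__main__":
    print(demo())
```

The concatenated query returns the other tenant's row for the crafted value, while the bound-parameter query treats the same value as a literal invoice number and matches nothing.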

Malicious Insider

Probability: Medium

Impact: Very High

Risk: High

A malicious insider at a cloud vendor could wreak havoc for customers, particularly because a cloud computing architecture necessitates high-risk roles, including system administrators and auditors. And as cloud usage picks up, employees of cloud providers are increasingly becoming targets for criminal gangs, says the report.

Management Interface Compromise

Probability: Medium

Impact: Very High

Risk: Medium

Since a public cloud vendor's customer management interfaces are Web-based and mediate access to larger sets of resources than traditional hosting providers, they pose an increased risk, says the report. "Of course," it adds, "this risk may be mitigated by more investment in security by providers."

Interception of Data in Transit

Probability: Medium

Impact: High

Risk: Medium

Cloud computing requires more movement of data than a traditional infrastructure: information is transferred to synchronize multiple distributed machine images, between images distributed across multiple physical machines, and between cloud infrastructure and remote web clients. And while data center hosting is implemented using a secure VPN-like connection, says the report, cloud vendors don't always follow that practice.

"Moreover," says ENISA, "in some cases the [cloud provider] does not offer a confidentiality or non-disclosure clause, or these clauses are not sufficient to guarantee respect for the protection of the customer's secret information and 'know-how' that will circulate in the cloud."

Data Leakage on Up/Download

Probability: Medium

Impact: High

Risk: Medium

This risk is much like the risk of data interception, but it applies to the transfer of data between the cloud provider and the cloud customer.

Insecure or Ineffective Data Deletion

Probability: Medium

Impact: Very High

Risk: Medium

When a provider is changed, resources are scaled down or hardware is reallocated, data can sometimes live longer than established in the security policy. And because full deletion of data is only possible by destroying a disk that also stores data from other clients, customers' requests to have resources deleted might not be truly carried out. But if the service provider uses effective encryption, the risk involved may be much lower, points out ENISA.

Economic Denial of Service

Probability: Medium

Impact: High

Risk: Medium

ENISA identifies several scenarios in which a cloud customer's resources could be used by other parties in a malicious way, inflicting economic harm. Through identity theft, attackers can use an account -- and its resources -- for their own gain or to hurt the organization. An attacker could also use a public channel to use up a customer's metered resources -- "for example, where the customer pays per HTTP request, a DDoS attack can have this effect," says the report.

Companies can also suffer, notes ENISA, when they don't set effective limits on the use of paid resources and see an unexpected load on these resources, even without malicious actions.
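One way to put a limit on metered spend in the pay-per-HTTP-request case described above, as an added example that is not from the article or the ENISA report. The `SpendGuard` class, the prices, the window length and the traffic are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SpendGuard:
    price: int              # cost of one billed request, in integer billing units
    window: int             # budget window length in seconds
    hard_cap: int           # most the customer will pay per window
    alert_at: int           # spend level that raises an alert before the cap
    window_start: int = 0
    spent: int = 0
    alerts: list = field(default_factory=list)

    def admit(self, ts: int) -> bool:
        """True if the request at second `ts` may be served and billed."""
        if ts - self.window_start >= self.window:
            self.window_start = ts - ts % self.window   # roll to a new window
            self.spent = 0
        if self.spent + self.price > self.hard_cap:
            return False            # shed load instead of paying for it
        before = self.spent
        self.spent += self.price
        if before < self.alert_at <= self.spent:
            self.alerts.append(self.window_start)   # one alert per window
        return True

def constructed_traffic():
    # Constructed sample: steady 1 req/s, then a 5 req/s flood for one minute,
    # then ten normal requests.
    steady = list(range(0, 60))
    flood = [60 + s for s in range(60) for _ in range(5)]
    tail = list(range(120, 130))
    return steady + flood + tail

def replay(timestamps, guard):
    # Feed timestamps through the guard and summarise the outcome.
    served = sum(1 for ts in timestamps if guard.admit(ts))
    return {"served": served, "rejected": len(timestamps) - served,
            "alerts": guard.alerts}

if __name__ == "__main__":
    print(replay(constructed_traffic(),
                 SpendGuard(price=1, window=60, hard_cap=100, alert_at=80)))
```

A hard cap bounds the bill but also refuses legitimate requests once it is reached, so the alert threshold is what gives operators time to react before availability is affected.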

Loss of Encryption Keys

Probability: Low

Impact: High

Risk: Medium

Among the issues grouped under this risk are disclosure of secret keys -- SSL, file encryption or customer private keys -- or passwords to malicious parties, the loss or corruption of those keys, or their unauthorized use for authentication and non-repudiation.

Malicious Probes or Scans

Probability: Medium

Impact: Medium

Risk: Medium

Malicious probes or scanning, as well as network mapping, can be used to collect information during a hacking attack, notes ENISA, adding that the impact can include a loss of confidentiality, integrity and availability of service and data.

Compromised Service Engine

Probability: Low

Impact: Very High

Risk: Medium

The service engine -- the software layer that sits above a cloud's hardware resources and manages customer resources -- can have vulnerabilities in its code and is prone to attacks or unexpected failure, says the report. An attacker can compromise the service engine by hacking it from inside a virtual machine (infrastructure-as-a-service clouds), the runtime environment (platform-as-a-service), the application pool (software-as-a-service), or through its APIs. Through the service engine, the hacker can gain access to a cloud customer's data and monitor or modify it.

Lack of Customer Hardening

Probability: Low

Impact: Medium

Risk: Low

Yes, cloud providers must isolate their customers' data, but if customers fail to secure their environments, they can pose a danger to the cloud platform. "In some cases cloud customers have inappropriately assumed that the cloud provider was responsible for, and was conducting, all activities required to ensure security of their data," says the report. "This assumption by the customer, and/or a lack of clear articulation by the cloud provider, placed unnecessary risk on the customer's data."

ENISA recommends that cloud vendors clearly set out the minimum actions their customers must undertake, articulate their isolation mechanisms, and provide best practice guidelines to help customers secure their resources.

Subpoena and E-discovery

Probability: High

Impact: Medium

Risk: High

"In the event of the confiscation of physical hardware as a result of subpoena by law-enforcement agencies or civil suits," says the report, "the centralization of storage as well as shared tenancy of physical hardware means many more clients are at risk of the disclosure of their data to unwanted parties. At the same time, it may become impossible for the agency of a single nation to confiscate 'a cloud' given pending advances around long-distance hypervisor migration."

Multiple Jurisdictions

Probability: Very High

Impact: High

Risk: High

Customer data can be held in multiple jurisdictions, and some of those jurisdictions are riskier than others, notes ENISA. A data center located in a police state or in a country with an unpredictable legal framework and enforcement, for example, "could be raided by local authorities and data or systems subject to enforced disclosure or seizure."

Data Protection

Probability: High

Impact: High

Risk: High

The cloud model presents several data protection risks, says ENISA. If a cloud vendor doesn't provide information on their data processing procedures (some offer certification summaries of their data processing and data security activities and their data controls), it can be hard for a customer to check how they're carrying out that processing. And cloud providers could experience data breaches without notifying the customer.

Licensing

Probability: Medium

Impact: Medium

Risk: Medium

"Licensing conditions, such as per-seat agreements, and online licensing checks may become unworkable in a cloud environment," explains the study. "For example, if software is charged on a per instance basis every time a new machine is instantiated, then the cloud customer's licensing costs may increase exponentially even though they are using the same number of machine instances for the same duration."