The Carnegie Mellon University Software Engineering Institute published an article, “12 Threats & Vulnerabilities in Moving to the Cloud,” stating that cloud computing is ever-evolving and that businesses using cloud services need to learn to respond to its threats and vulnerabilities. Cloud computing has the same vulnerabilities as traditional data centers. Vulnerabilities exist in the software, and many attackers will try to exploit them. Both the cloud service provider (CSP) and the businesses using its services are responsible for knowing the vulnerabilities and learning how to address threats.

When using a CSP, the CSP is responsible for some infrastructure and policies, which may cause businesses to lose control over data and operations. The company and the CSP should monitor and analyze information about the performance of applications, services, users, and data. Identified uses and deployment include on-demand self-service, measured service, broad network access, rapid elasticity for scaling, and resource pooling.

Software as a service, platform as a service, and infrastructure as a service are service models that can be deployed as private cloud, community cloud, hybrid cloud, or public cloud services. Despite the lower cost of cloud services and their ease of use, they increase the probability of unauthorized use that could lead to malware infections and the inability of a business to protect its data and control its network. APIs that offer clients easy-to-use cloud services are more vulnerable because data is exposed on the internet. An attacker can compromise a business’s cloud assets through APIs. An attacker who gains access can compromise other businesses on a shared platform as well.

In shared clouds, one client’s data has the potential to leak to other clients. Attacks on a CSP’s applications, platforms, or infrastructure can lead to this failure of tenant separation. Another vulnerability is that a business can’t ensure that the data it deletes is completely destroyed or removed and is no longer available for hackers to exploit. Other threats include stolen credentials, moving to a different CSP, the CSP going out of business, authorized users abusing their access, loss of stored data, and compromise of the CSP’s supply chain.

Another worthwhile read is “Best Practices for Cloud Security,” which covers businesses doing their due diligence across the life cycle of the systems and applications being deployed to the cloud. Planning for deployment includes deciding on the right systems and applications to use. CSPs provide guidance and document best practices for using their services. Cloud computing provides abstract services that are similar to your business’s hardware, applications, and networks. Use the CSP’s guidance together with your business’s security policies and security controls when implementing in the cloud. Check risks and use security controls to mitigate them. CSP controls and CSP-provided tools can check for secure, proper use of services.

These blog posts from the Carnegie Mellon University Software Engineering Institute identified threats and risks involved in cloud computing and described best practices to mitigate them. Businesses can use these posts when deciding how best to proceed with cloud deployment. CSPs can make it easier to face compliance and security threats and vulnerabilities, but businesses must also be on constant guard against potential threats and attacks.