ENISA's Cloud Computing Risk Summary

Wednesday, September 15, 2010

K S Abhiraj


The ENISA report on cloud security identified a number of areas in which risk elements were present. The report acknowledged 8 high risk items and 29 medium risk items across the areas of Policy and Organizational Risks, Technical Risks, Legal Risks, and Risks Not Specific to the Cloud.

In summary, the identified elements labeled as *key risks* are examined below:

1) Loss of Governance: In using cloud infrastructure, the client cedes control to the cloud provider over a number of issues which may affect security. At the same time, service level agreements may not offer a commitment on the part of the cloud provider to provide such services, thus leaving a gap in the security defenses.

Lack of governance is the key issue here.

Vulnerabilities:
  • V34: Unclear Roles and Responsibilities.
  • V35: Poor enforcement of role definitions.
  • V21: Synchronizing responsibilities or contractual obligations to different stakeholders
  • V23: SLA clauses with conflicting promises to different stakeholders
  • V25: Audit or certification not available to consumers
  • V18: Lack of standard technologies and solutions
  • V22: Cross cloud applications creating hidden dependency
  • V29: Storage of data in multiple jurisdictions and lack of transparency about this
  • V14: No source escrow agreement
  • V16: No control on vulnerability assessment process
  • V26: Certification schemes not adapted to cloud infrastructures
  • V30: Lack of information on jurisdictions
  • V31: Lack of completeness and transparency in terms of use
  • V44: Unclear assets ownership
Affected Assets:
  • A1: Company reputation
  • A2: Customer trust
  • A3: Employee loyalty and experience
  • A5: Personal sensitive data
  • A6: Personal Data
  • A7: Personal Data: Critical
  • A9: Service delivery- real time services
  • A10: Service delivery

2) Lock-in: The 'lock-in situation' has also been considered. There is currently little on offer in the way of tools and procedures, or standard data formats and 'as a service' interfaces, that could guarantee data, application and service portability.

This can make it difficult for customers to migrate from one provider to another, or to migrate data and services back to an in-house IT environment. It introduces a dependency on a particular cloud provider for service provision, especially if data portability, the most fundamental aspect, is not enabled.

3) Isolation failure: Multi-tenancy and shared resources are defining characteristics of cloud computing, so this risk deserves attention. This risk category covers the failure of the mechanisms separating storage, memory, routing and even reputation between different tenants.

However, it should be considered that attacks on resource isolation mechanisms are still less numerous and much more difficult for attackers to put into practice compared to attacks on traditional operating systems.

4) Compliance Risks:
Of course, one of the key parts is compliance risk. Investment in achieving certification may be put at risk by migrating to the cloud if the cloud provider cannot provide evidence of its own compliance with the relevant requirements, or if the cloud provider does not permit audits by the cloud customer.

In certain cases it also means that using a public cloud infrastructure implies that a certain kind of compliance cannot be achieved (for example PCI).

Vulnerabilities:
  • V25: Audit or certification not available to consumers
  • V13: Lack of standard technologies and solutions
  • V29: Storage of data in multiple jurisdictions and lack of transparency about this
  • V26: Certification scheme not adapted to cloud infrastructure
  • V30: Lack of information on jurisdiction
  • V31: Lack of completeness and transparency in terms of use
Affected Assets:
  • A20: Certification

5) Management Interface Compromise: Management interface compromise (MIC) is a concern because the customer management interfaces of a public cloud provider expose an additional set of interfaces to applications, and therefore an increased risk, especially when combined with remote access and web browser vulnerabilities.
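The practical defensive counterpart to this risk is reviewing who reaches the management plane, from where, and with what authentication. The following is an added example written for this summary, not code from ENISA or from the original post: it parses a handful of constructed audit-log lines in an assumed format (real providers use their own schemas), then flags privileged management actions performed without MFA and any management access from outside an assumed corporate source-address allowlist. The action names, the log format and the address ranges are all assumptions.

```python
"""Management-plane access review (added example; format and ranges are assumed)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample audit-log lines. The field layout is an assumption, not any
# real provider's schema; the addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2010-09-15T10:02:11Z user=alice src=198.51.100.20 mfa=yes action=DescribeInstances
2010-09-15T10:05:40Z user=alice src=198.51.100.20 mfa=yes action=TerminateInstances
2010-09-15T11:17:03Z user=bob src=203.0.113.7 mfa=no action=CreateAccessKey
2010-09-15T11:18:55Z user=bob src=203.0.113.7 mfa=no action=ListBuckets
2010-09-15T12:00:01Z user=carol src=198.51.100.31 mfa=no action=ModifySecurityGroup
"""

# Assumed corporate egress range from which management access is expected.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed set of actions considered privileged enough to require MFA.
PRIVILEGED_ACTIONS = {
    "TerminateInstances", "CreateAccessKey", "ModifySecurityGroup", "DeleteVolume",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) action=(?P<action>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn the assumed key=value log format into a list of event dicts.

    Lines that do not match the expected layout are skipped rather than
    guessed at, so a malformed line cannot silently pass as a benign event.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def review_events(events, allowed=ALLOWED_SOURCES, privileged=PRIVILEGED_ACTIONS):
    """Return one finding per event that violates a management-plane control.

    Two checks are applied independently, so one event can carry two reasons:
    - the source address is outside the allowlist (remote access from an
      unexpected network);
    - a privileged action was performed without MFA.
    """
    findings = []
    for e in events:
        reasons = []
        src = ipaddress.ip_address(e["src"])
        if not any(src in net for net in allowed):
            reasons.append("source outside allowlist")
        if e["action"] in privileged and e["mfa"] != "yes":
            reasons.append("privileged action without MFA")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"],
                             "action": e["action"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_events(parse_log(SAMPLE_LOG)):
        print(f["ts"], f["user"], f["action"], "; ".join(f["reasons"]))
```

The two checks are deliberately independent: a console session from the expected network but without MFA is still a finding, and read-only browsing from an unknown network is still a finding, because the page's point is that the management interface concentrates control and is reachable remotely.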

6 & 7) Data protection & Insecure or incomplete data deletion:
Of course, cloud computing poses several data protection risks for cloud providers and customers. In some cases it may be difficult for the cloud customer to obtain the 'correct level' of data protection at all; and, for example, if you leave a cloud provider, complete data deletion must be guaranteed.

When a request to delete cloud resources is made, the underlying system may not actually wipe the data. Adequate or timely data deletion may also be impossible, either because extra copies of the data are kept for restore purposes but are not available to the customer, or because they cannot be located at all.

Vulnerabilities:
  • V30: Lack of information on jurisdiction
  • V29: Storage of data in multiple jurisdictions and lack of transparency about this
Affected Assets:
  • A1: Company reputation
  • A2: Customer trust
  • A5: Personal sensitive data
  • A6: Personal Data
  • A7: Personal Data: Critical
  • A9: Service delivery- real time services
  • A10: Service delivery
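Because a deletion request against the primary resource says nothing about the snapshots, replicas and backups derived from it, a customer-side check has to reconcile the deletion against an inventory of every copy. The following is an added example written for this summary, not code from ENISA or the original post: over a constructed inventory in an assumed format, it finds copies (transitively, since a snapshot can itself be copied) whose primary has been deleted but which still exist, and separately lists copies residing outside an assumed set of permitted jurisdictions, which is the V29/V30 concern listed above.

```python
"""Deletion and jurisdiction reconciliation (added example; inventory format is assumed)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Resource:
    """One stored copy of data. Field names are an assumption for this example."""
    rid: str
    kind: str                      # "volume", "snapshot", "replica", "backup", ...
    region: str                    # jurisdiction in which the copy physically resides
    derived_from: Optional[str] = None   # id of the resource this copy was taken from
    deleted: bool = False          # whether the provider reports it as deleted


# Constructed sample inventory: vol-1 was "deleted", but a snapshot and a
# cross-region replica of it remain, and the snapshot was itself backed up.
SAMPLE_INVENTORY = [
    Resource("vol-1", "volume", "eu-west", deleted=True),
    Resource("snap-1a", "snapshot", "eu-west", derived_from="vol-1"),
    Resource("bak-1a1", "backup", "eu-west", derived_from="snap-1a"),
    Resource("rep-1b", "replica", "us-east", derived_from="vol-1"),
    Resource("vol-2", "volume", "eu-west"),
    Resource("bak-2a", "backup", "eu-west", derived_from="vol-2"),
]


def residual_copies(inventory: Iterable[Resource], deleted_ids: Set[str]) -> List[Resource]:
    """Copies that still exist although the resource they descend from was deleted.

    Walks the derived_from graph transitively so that a backup of a snapshot of
    a deleted volume is reported, not just the direct snapshot.
    """
    children: Dict[str, List[Resource]] = {}
    for r in inventory:
        if r.derived_from is not None:
            children.setdefault(r.derived_from, []).append(r)
    pending = list(deleted_ids)
    seen: Set[str] = set()
    found: List[Resource] = []
    while pending:
        parent = pending.pop()
        for child in children.get(parent, []):
            if child.rid in seen:
                continue
            seen.add(child.rid)
            if not child.deleted:
                found.append(child)
            pending.append(child.rid)      # copies of copies count too
    return sorted(found, key=lambda r: r.rid)


def out_of_jurisdiction(inventory: Iterable[Resource], allowed_regions: Set[str]) -> List[Resource]:
    """Live copies stored in a region the customer has not approved."""
    return sorted((r for r in inventory if not r.deleted and r.region not in allowed_regions),
                  key=lambda r: r.rid)


def verify_deletion(inventory: List[Resource], allowed_regions: Set[str]) -> Dict[str, object]:
    """Reconcile the provider's 'deleted' flags against the full inventory."""
    deleted_ids = {r.rid for r in inventory if r.deleted}
    residual = residual_copies(inventory, deleted_ids)
    foreign = out_of_jurisdiction(inventory, allowed_regions)
    return {
        "deleted": sorted(deleted_ids),
        "residual_copies": [r.rid for r in residual],
        "outside_jurisdiction": [r.rid for r in foreign],
        "complete": not residual,
    }


if __name__ == "__main__":
    report = verify_deletion(SAMPLE_INVENTORY, {"eu-west"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

The report treats deletion as complete only when no live descendant of any deleted resource remains; the jurisdiction list is reported separately because a copy can be in an approved region and still be an undeleted leftover, or be legitimately live but in a region the customer never agreed to.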

8) Malicious insider: The final key risk is the malicious insider. While usually less likely, the damage which may be caused by a malicious insider is often far greater. Cloud architectures necessitate certain roles that carry extremely high risk, for example cloud provider system administrators and managed security service providers.

Reposted from Sectruni0
