What is the nature of the security issues you might face while delivering your solution on Cloud? The Cloud Security Alliance (CSA) has put together a list of the nine most prevalent and serious security threats in cloud computing. While these are generic for cloud computing, their applicability holds good for SaaS products as well.
Threat #1: Data Breach
This one tops the chart for the simple reason that it has made several CIO lose their sleep at nights. In simple terms data breach is a situation where the data is accessed by someone who is not supposed to have access to it in the first place. How safe is your data in cloud . For example, if a multitenant cloud service database is not properly designed, a flaw in one client’s application could allow an attacker access not only to that client’s data, but every other client’s data as well.
Threat #2: Data loss
Data Loss on the other hand can happen both intentionally or accidentally. For example, you may fail to notice that your backup process is failing and one fine day your system could crash taking away the data with it.
Threat #3: Account/Service Traffic Hijacking
Account or service hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites.
In April 2010, Amazon experienced a Cross-Site Scripting (XSS) bug that allowed attackers to hijack credentials from the site. In 2009, numerous Amazon systems were hijacked to run Zeus botnet nodes.
Threat #4: Insecure APIs
With the increased adoption of service oriented architecture, diversified set of systems can now communicate to each other, which also opens a threat when service calls that are not properly validated. Again, from a SaaS perspective you may expose several APIs to facilitate integration with customer’s on-premise systems, and therefore, you need to have the right authentication and authorization mechanism in place.
Threat #5: Denial of Service
Simply put, denial-of-service attacks are attacks meant to prevent users of a cloud service from being able to access their data or their applications. Asymmetric application-level DoS attacks take advantage of vulnerabilities in web servers, databases, or other cloud resources, allowing a malicious individual to take out an application using a single extremely small attack payload – in some cases less than 100 bytes long.
Threat #6: Malicious Insiders
A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
From IaaS to PaaS and SaaS, the malicious insider has increasing levels of access to more critical systems, and eventually to data. Systems that depend solely on the cloud service provider (CSP) for security are at great risk here.
Threat #7: Abuse of cloud services
This is an interesting one. We know that cloud computing brings large scale, elastic services offering enormous computing power at an extremely lower cost. This is also equally applicable for hackers. Hackers needed huge computing power to crack things, but they were not able to afford it. With cloud what used to take a year with home machines, can now be done in hours on cloud.
Threat #8: Due Diligence
Cloud computing has brought with it a gold rush of sorts, with many organizations rushing into the promise of cost reductions, operational efficiencies and improved security. While these can be realistic goals for organizations that have the resources to adopt cloud technologies properly, too many enterprises jump into the cloud without understanding the full scope of the undertaking.
Threat #9: Shared Technology Vulnerabilities
Some of the SaaS solutions, particularly legacy ones are delivered using virtualization. We all know virtualization works under the concept of multi-tenancy, where the machine is sliced to serve multiple customers. In such scenarios, any compromise at the hypervisor level can lead to severe breaches.
Now that we have seen the impact of security risks, I will discuss about some of the industry best practices to nullify them in my next blog.
- Why enterprises should standardize Digital Application Management - July 17, 2017
- Top 10 Critical NFR for SaaS Applications – Part 2 - May 26, 2016
- Top 10 NFR in Software Architecture – Part 1 - April 29, 2016