So there are some definite things cloud-using businesses should be on the lookout for when it comes to security. This comes from a new report by the Cloud Security Alliance and Hewlett-Packard on the major things that hinder cloud implementations.
Here are the major impediments, says the report:
Abuse and Nefarious Use: This means hackers gaining access to applications and data by gaining access to passwords.
Insecure APIs: Faulty code used to create hooks between on-premises applications and their cloud-based counterparts that could lead to a breach.
Malicious Insider Risks: Those in the data centers hosting the clouds, in other words, people who you think you can trust, using their credentials and access to manipulate applications and data and steal digital valuables.
Shared Technology Vulnerabilities: This is what happens when malware infecting one virtual machine crosses over partitions through the hypervisor and infects other apps.
Data Loss and Leakage: The unauthorized or accidental release of data to third parties.
Account Service and Traffic Hijacking: In other words – denial of service attacks.
Another survey by PricewaterhouseCoopers listed security concerns inhibiting adoption. They are:
- Poor provider controls
- Inadequate training of service provider personnel
- Inadequate or poor access control
- Poor data disaster recovery and business continuity planning
- Lack of data and resource segmentation
- An inability to audit controls and regulatory compliance
But what I found really fascinating was a story that listed what’s missing from both of these surveys. There were four items altogether. But here’s one that I thought was most important.
- SLA Compliance: Is the service provider delivering the level of service (availability) and security (confidentiality, integrity) as defined by the service contract?
While many cloud providers offer notification services that report issues like downtime or denial of service, when you think about it, it’s really in their best interest to keep these numbers low, yes? I’m not saying they deliberately mislead, but for a truly independent look, companies should consider independent monitoring services – especially of SLAs.
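To make the "independent monitoring" point concrete, here is an added example (my own code, not from the post or from either report) that computes a month's availability from outage events recorded by your own external probes and compares it with both the contracted target and the figure the provider reported. The event-log format, the `EVENT_LOG` sample, and the `sla_report` function are assumptions for illustration.

```python
"""Independent SLA availability check over externally observed outage events.

Added example, not from the post or the reports it cites. Input is a constructed
event log in a hypothetical format: one "<ISO-8601 UTC> DOWN|UP" line per state
change seen by our own probes, not the provider's status page.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of what an independent monitor might have logged in March 2024.
EVENT_LOG = """\
2024-03-03T02:10:00Z DOWN
2024-03-03T02:55:00Z UP
2024-03-17T14:00:00Z DOWN
2024-03-17T14:12:00Z UP
"""


def parse_events(text):
    """Return [(timestamp, state)] sorted by time; state is 'DOWN' or 'UP'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, state = line.split()
        if state not in ("DOWN", "UP"):
            raise ValueError(f"unknown state {state!r}")
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, state))
    return sorted(events)


def month_window(year, month):
    """[start, end) of a calendar month in UTC, the usual SLA reporting period."""
    start = datetime(year, month, 1, tzinfo=timezone.utc)
    end = datetime(year + (month == 12), month % 12 + 1, 1, tzinfo=timezone.utc)
    return start, end


def downtime_within(events, start, end):
    """Total outage time inside [start, end), clipping outages that straddle the
    edges. An outage with no closing UP is assumed to last until `end`."""
    total = timedelta(0)
    down_since = None
    for ts, state in events:
        if state == "DOWN" and down_since is None:
            down_since = ts
        elif state == "UP" and down_since is not None:
            total += max(timedelta(0), min(ts, end) - max(down_since, start))
            down_since = None
    if down_since is not None:  # still down when the log ends
        total += max(timedelta(0), end - max(down_since, start))
    return total


def availability_pct(events, start, end):
    """Observed availability as a percentage of the period."""
    return 100.0 * (1 - downtime_within(events, start, end) / (end - start))


def sla_report(events, start, end, sla_pct, provider_reported_pct):
    """Compare independently observed availability with the contracted target
    and with the number the provider reported for the same period."""
    observed = availability_pct(events, start, end)
    down = downtime_within(events, start, end)
    allowed = (end - start) * (1 - sla_pct / 100.0)
    return {
        "observed_pct": round(observed, 4),
        "downtime_minutes": down.total_seconds() / 60,
        "allowed_downtime_minutes": round(allowed.total_seconds() / 60, 2),
        "sla_breached": observed < sla_pct,
        "provider_discrepancy_pct": round(provider_reported_pct - observed, 4),
    }


if __name__ == "__main__":
    start, end = month_window(2024, 3)
    print(sla_report(parse_events(EVENT_LOG), start, end,
                     sla_pct=99.9, provider_reported_pct=99.95))
```

The straddling and still-open outage cases matter in practice: an incident that began in the previous month or is unresolved at month end is exactly where a self-reported figure and an independent one tend to diverge, so the clipping logic keeps the comparison honest rather than silently dropping those minutes.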