1) "The facets from which the security threat might be introduced into a cloud environment are numerous, ranging from database, virtual servers, and network to operating systems, load balancing, memory management and concurrency control (Hamlen et al., 2010). Data segregation and session hijacking are two potential and unavoidable security threats for cloud users. One of the challenges for cloud computing is in its level of abstraction as well as dynamism in scalability, which results in a poorly defined security or infrastructural boundary. Privacy and its underlying concept might significantly vary in different regions and thus it may lead to security breach for cloud services in specific contexts and scenarios (Chen & Zhao, 2012). Data loss and various botnets can come into action to breach security of cloud servers. Besides, the multi-tenancy model is also an aspect that needs to be given attention (Kuyoro et al., 2011; Ogigau-Neamtiu, 2012) when it comes to security. Security in the data-centres of cloud providers is also within the interests of security issues, as a single physical server would hold many clients' data (Okuhara, Shiozaki & Suzuki, 2010), making it a common shared platform in terms of physical server or operating system. The storage security at the cloud service providers' data centres is also directly linked with the security of the cloud services (Mircea, 2012). All the traditional security risks are thus applicable with an added degree of potency in a cloud infrastructure, which makes the ongoing success of cloud computing a quite challenging one. Confidentiality, availability and integrity are the generalized categories into which the security concerns of a cloud environment fall. Threats for a cloud infrastructure are applicable both to data and infrastructure."
Source: Cloud Computing and Security Issues in the Cloud
2) Cloud Computing Threats
i: Malicious users can exploit weaknesses in the data security model to gain unauthorized access to data.
ii: Malicious users can exploit weaknesses in network security configuration to sniff network packets.
iii: Data Integrity
The lack of integrity controls at the data level (or, in the case of existing integrity controls, bypassing the application logic to access the database directly) could result in profound problems.
iv: Architects and developers need to approach this danger cautiously, making sure they do not compromise databases’ integrity in their zeal to move to cloud computing.
v: Multi-tenancy
A malicious user can use application vulnerabilities to handcraft parameters that bypass security checks and access sensitive data of other tenants.
vi: Data Access
The SAAS model must also be able to provide organizational boundary within the cloud because multiple organizations will be deploying their business processes within a single cloud environment.
Source: White Paper
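The parameter-tampering case in item v above, as an added example that is not from the white paper quoted: a tenant-scoped record lookup in Python, first trusting a client-supplied tenant_id (vulnerable), then deriving the tenant from the authenticated session (hardened). The record store, Session class and function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data store: each record carries its owning tenant.
RECORDS = {
    101: {"tenant_id": "acme", "secret": "acme-payroll"},
    202: {"tenant_id": "globex", "secret": "globex-roadmap"},
}


@dataclass(frozen=True)
class Session:
    """Server-side session established at authentication time (hypothetical)."""
    user: str
    tenant_id: str


class AccessDenied(Exception):
    pass


def fetch_record_vulnerable(session: Session, params: dict) -> dict:
    """Authorizes against the client-supplied tenant_id parameter.
    A user in one tenant who handcrafts tenant_id=<other tenant> passes
    the check and reads that tenant's record; the session is never consulted."""
    record = RECORDS[params["record_id"]]
    if record["tenant_id"] != params.get("tenant_id"):
        raise AccessDenied("tenant mismatch")
    return record


def fetch_record_hardened(session: Session, params: dict) -> dict:
    """Derives the tenant from the authenticated session only; the request's
    tenant_id (if any) is ignored. Records of other tenants are reported the
    same way as non-existent ones, so the response leaks no cross-tenant fact."""
    record = RECORDS.get(params["record_id"])
    if record is None or record["tenant_id"] != session.tenant_id:
        raise AccessDenied("record not found in caller's tenant")
    return record


def isolation_holds(fetch) -> bool:
    """True if an acme user cannot read globex's record through a handcrafted
    tenant_id parameter when records are served by `fetch`."""
    acme_user = Session(user="alice", tenant_id="acme")
    forged = {"record_id": 202, "tenant_id": "globex"}
    try:
        fetch(acme_user, forged)
    except AccessDenied:
        return True
    return False
```

Running isolation_holds against both functions shows the vulnerable lookup returning the other tenant's record and the hardened one refusing it.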
3) CIOs should not assume service providers will be able to support electronic discovery, or internal investigations of inappropriate or illegal activity. Cloud services are especially difficult to investigate because logs and data for multiple customers may be either co-located or spread across an ill-defined and changing set of hosts.
Evaluate the long-term viability of any cloud provider. They should consider the consequences to service should the provider fail or be acquired, since there will be far fewer readily identifiable assets that can easily be transferred in-house or to another provider.
Management definitions
i: Updated security policy
Amendments to the organisation’s overarching security policy.
ii: Cloud security strategy
The organisation’s strategy for security with respect to cloud. This should complement or be part of the organisation’s existing overarching security strategy.
iii: Cloud security governance
The process for ensuring cloud security strategy and policy updates are adhered to.
iv: Cloud security processes
The security processes associated specifically with cloud and/or the amendments required to existing security processes in order to incorporate cloud.
v: Security roles & responsibilities
Who is responsible for what with respect to ensuring the different elements of cloud security are implemented effectively.
vi: Cloud security guidelines
Advice and guidance provided to both business and IT teams regarding all aspects of security that affect them.
vii: Cloud security assessment
The ability to objectively measure the effectiveness of a given cloud service provider’s security.
viii: Service integration
The integration of several cloud services at a management level.
ix: IT & procurement security requirements
Specific cloud security requirements that would need to be included in any procurement and/or IT project's overall requirements.
x: Cloud security management
The overall day-to-day management of cloud security.
Remember
None of an organisation’s legal and regulatory compliance responsibilities are transferred to a provider when the organisation adopts cloud services.
While the provider might be obliged to operate in conformance with particular requirements, responsibility for data, service levels, infrastructure, uptime and so on remains with the buyer. Organisations must therefore ensure:
They understand how the service will be provided
They conduct due diligence investigations into the provider’s stability
Providers’ reporting is adequate. (E.g. are the tools appropriate? Are the dashboards fit for purpose?)
Have you thought about:
Data security
Network security
Data locality
Data integrity
Data segregation
Data access
Authentication and authorization
Data confidentiality
Web application security
Data breaches
Virtualization vulnerability
Availability
Backup
Identity management and sign-on process.
Source: The Cloud Security White Book