The following is an excerpt from The Official (ISC)2 Guide to the CCSP CBK, Second Edition, by Adam Gordon, CISSP-ISSAP, ISSMP, SSCP. This section from Domain 3 describes the different categories of threats to consider in cloud risk management.
Because information technology (IT) is typically deployed to serve the interests of the organization, the goals and management practices in that organization are an important source of guidance to cloud risk management. From the perspective of the enterprise, cloud computing represents outsourcing, and it becomes part of the IT supply chain.
Cloud risk management should therefore be linked to corporate governance and enterprise risk management. That means that the same principles should be applied. Corporate governance is a broad area describing the relationship between the shareholders and other stakeholders in the organization versus the senior management of the corporation. These stakeholders need to see that their interests are taken care of and that the management has a structure and a process to ensure that they execute the goals of the organization. This requires, among other things, transparency on costs and risks.
In the end, risks relating to cloud computing should be judged in relation to the corporate goals. It makes sense to develop any IT governance processes in alignment with existing corporate governance processes.
For example, corporate governance pays attention to supply chains, management structure, compliance, financial transparency, and ownership. All these are relevant for any cloud computing consumer provider relationship that is significant to the corporation.
Enterprise risk management is the set of processes and structure to systematically manage all risks to the enterprise. This explicitly covers supply chain risks and third-party risks, the biggest of which is typically the failure of an external provider to deliver the services that are contracted -- an important consideration in cloud risk management.
There are several lists of risks maintained and published by industry organizations. These lists can be a source of valuable insight and information, but in the end, every cloud-consuming or cloud-providing organization remains responsible for its own risk assessment.
Policy and organization risks
Policy and organization risks are related to the choices that the cloud service consumer makes about the CSP. To some extent, they are the natural consequence of outsourcing IT services. Outside the IT industry, these are often called third-party risks. A few of the most noteworthy in the context of cloud risk management are provider lock-in, loss of governance, compliance challenges, and provider exit.
Provider lock-in: This refers to the situation in which the consumer has made significant vendor-specific investments. These can include adaptation to data formats, procedures and feature sets. These investments can lead to high costs of switching between providers.
Loss of governance: This refers to the consumer not being able to implement all required controls. This can lead to the consumer not realizing their required level of security and potential compliance risks.
Compliance risks: Consumers often have significant compliance obligations, such as when handling payment card information, health data, or other personally identifiable information (PII). A specific cloud vendor and solution may not be able to fulfill all those obligations, for example, when the location of stored data is insufficiently under control.
Provider exit: in this situation, the provider is no longer willing or capable of providing the required service. This could be triggered by bankruptcy or a need to restructure the business.
A risk exists if there is the potential failure to meet any requirement that can be expressed in technical terms, such as performance, operability, integration, and protection. Generally speaking, CSPs have a larger technology scale than cloud customers and traditional IT departments. This has three effects on cloud risk management, the net result of which depends on the actual situation:
- The consolidation of IT infrastructure leads to consolidation risks, where a single point of failure can have a bigger impact.
- A larger-scale platform requires the CSP to bring to bear more technical skills to manage and maintain the infrastructure.
- Control over technical risks shifts toward the provider.
Virtualization risks include but are not limited to the following:
- Guest breakout: This occurs when there is a breakout of a guest OS so that it can access the hypervisor or other guests. This is presumably facilitated by a hypervisor flaw.
- Snapshot and image security: The portability of images and snapshots makes people forget that images and snapshots can contain sensitive information and need protecting.
- Sprawl: This occurs when you lose control of the amount of content on your image store.
Cloud-specific risks include but are not limited to the following:
- Management plane breach: Arguably, the most important risk is a management plane (management interface) breach, malicious users, whether internal or external, can affect the entire infrastructure that the management interface controls.
- Resource exhaustion: Because cloud resources are shared by definition, resource exhaustion represents a risk to customers. This can play out as being denied access to resources already provisioned or as the inability to increase resource consumption. Examples include sudden lack of CPU or network bandwidth, which can be the result of overprovisioning to tenants by the CSP. Related to resource exhaustion are the following:
- Denial-of-service (DoS) attack, where a common network or other resource is saturated, leading to starvation of users
- Traffic analysis
- Manipulation or interception of data in transit
- Isolation control failure: Resource sharing across tenants typically requires the CSP to realize isolation controls. Isolation failure refers to the failure or nonexistence of these controls. In the context of cloud risk management, examples include one tenant’s VM instance accessing or affecting instances of another tenant, failure to limit one user’s access to the data of another user (in a software as a service SaaS solution), and entire IP address blocks being blacklisted as the result of one tenant’s activity
- Insecure or incomplete data deletion: Data erasure in most OSes is implemented by just removing directory entries rather than by reformatting the storage used. This places sensitive data at risk when that storage is reused due to the potential for recovery and exposure of that data.
- Control conflict risk: In a shared environment, controls that lead to more security for one stakeholder (blocking traffic) may make it less secure for another (loss of visibility).
- Software-related risks: Every CSP runs software, not just the SaaS providers. All software has potential vulnerabilities. From the customer’s perspective, control is transferred to the CSP, which can mean an enhanced security and risk awareness, but the ultimate accountability for compliance still falls to the customer.
Cloud attack vectors
Cloud computing brings additional attack vectors that need to be considered in addition to new technical and governance risks.
- Cloud computing uses new technology such as virtualization, federated identity management and automation through a management interface.
- Cloud computing introduces external service providers.
Therefore, with respect to cloud risk management, the following are some of the main new attack vectors:
- Guest breakout
- Identity compromise, either technical or social (for example, through employees of the provider) a API compromise, such as by leaking API credentials
- Attacks on the provider's infrastructure and facilities (for example, from a third-party administrator that may be hosting with the provider)
- Attacks on the connecting infrastructure (cloud carrier)
CCSP® is a registered mark of (ISC)².