Top 10 Cloud Security Risks

Like any model of IT services, the cloud introduces several security challenges specific to this paradigm of computing.

Below are my top 10 cloud-specific risks that customers should understand and address when adopting cloud services. This is a summary of the key aspects of my earlier post on the topic.

  • Many organizations haven’t defined an overall risk management framework within which to assess and address cloud-specific risks.
  • Infrastructure sharing introduces the possibility that a compromise to one component of the environment will affect its “neighbors.”
  • Consistently enforcing security controls is hard in a rapidly changing environment.
  • Outsourced hosting arrangements, which are often part of cloud services, take some direct control over IT away from the customer.
  • The hypervisor, which handles virtualization of cloud IT resources, may be exploited.
  • It may be possible to infer information about one virtual machine by observing, from another virtual machine, the state of the shared underlying system; such cross-tenant leakage could even lead to code execution.
  • The cloud service provider might incorrectly configure the hypervisor and the associated tools, introducing a vulnerability into the environment.
  • The organization making use of cloud services will not know how to create a governance, risk and compliance (GRC) program that applies to the cloud environment.
  • Critical security and GRC tasks might not get done, because each party will assume that the other is responsible for them.
  • It may be hard to define, validate and enforce security and related IT controls because the inner workings of cloud services may not be visible to the customer.

If you found this useful, you might like my other cloud security posts.

Update: For a follow-up to this post, see my note on Cloud Risks and the Security Risks.

Lenny Zeltser


About the Author

Lenny Zeltser is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania. The perspectives expressed by Lenny on this site don't necessarily reflect the views of NCR or SANS.