Like any model of IT services, the cloud introduces several security challenges specific to this paradigm of computing.
Below are my top 10 cloud-specific risks that customers should understand and address when adopting cloud services. This is a summary of the key aspects of my earlier post on the topic.
- Many organizations haven’t defined an overall risk management framework within which to assess and address cloud-specific risks.
- Infrastructure sharing introduces the possibility that a compromise to one component of the environment will affect its “neighbors.”
- Consistently enforcing security controls is hard in a rapidly-changing environment.
- In an outsourced hosting arrangement, which is often part of cloud services, take some direct control over IT away from the customer.
- The hypervisor, which handles virtualization of cloud IT resources, may be exploited.
- It may be possible to infer information about one virtual machine by observing the state of the shared system from another aspect of the underlying system and could even lead to code execution.
- The cloud service provider might incorrectly configure the hypervisor and the associated tools, introducing a vulnerability into the environment.
- The organization making use of cloud services will not know how to create a governance, risk and compliance (GRC) program that applies to the cloud environment.
- Critical security and GRC tasks might not get done, because each party will assume that the other needs is responsible for them.
- It may be hard define, validate and enforce security and related IT controls because inner-workings of cloud services may not be visible to the customer.
If you found this useful, you might like my other cloud security posts.
Update: For a follow-up to this post, see my note on Cloud Risks and the Security Risks.
Updated November 9, 2010