Top 10 Cloud Security Risks

Like any model of IT services, the cloud introduces several security challenges specific to this paradigm of computing.

Below are my top 10 cloud-specific risks that customers should understand and address when adopting cloud services. This is a summary of the key aspects of my earlier post on the topic.

  • Many organizations haven’t defined an overall risk management framework within which to assess and address cloud-specific risks.
  • Infrastructure sharing introduces the possibility that a compromise to one component of the environment will affect its “neighbors.”
  • Consistently enforcing security controls is hard in a rapidly-changing environment.
  • In an outsourced hosting arrangement, which is often part of cloud services, take some direct control over IT away from the customer.
  • The hypervisor, which handles virtualization of cloud IT resources, may be exploited.
  • It may be possible to infer information about one virtual machine by observing the state of the shared system from another aspect of the underlying system and could even lead to code execution.
  • The cloud service provider might incorrectly configure the hypervisor and the associated tools, introducing a vulnerability into the environment.
  • The organization making use of cloud services will not know how to create a governance, risk and compliance (GRC) program that applies to the cloud environment.
  • Critical security and GRC tasks might not get done, because each party will assume that the other needs is responsible for them.
  • It may be hard define, validate and enforce security and related IT controls because inner-workings of cloud services may not be visible to the customer.

If you found this useful, you might like my other cloud security posts.

Update: For a follow-up to this post, see my note on Cloud Risks and the Security Risks.

Lenny Zeltser


About the Author

Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more