
Avoid the Top Security Threat among the “Notorious Nine” in the Cloud


What are the “Notorious Nine”? This is the term given by CSA to the “top threats” to data security in the cloud. When it comes to moving to the cloud, data security is the number one objection that CSA hears from IT folks. How do you protect sensitive and proprietary data in a multitenant environment?


This article is the second in a new blog series in which CSA’s Jim Reavis provides his expert advice on how to avoid the dangers posed by each of the Notorious Nine threats. The first article introduced the series and explained how CSA identified the Notorious Nine threats. This second article discusses data breaches: how they are caused, their impact, and why data breaches were identified as the top threat among the Notorious Nine.


To follow along, search for #Notorious9 on social media.


By Jim Reavis:


What’s the top threat to your business in the cloud? According to our experts and authors of the CSA Notorious Nine report, a data breach is the top threat. A data breach is defined as an incident in which an organization’s sensitive internal data can be compromised. The implications for your business are serious.


While data breaches have long been a point of concern to businesses, the broader adoption of cloud computing has introduced new avenues of vulnerability to data. This is especially true in multi-tenant cloud environments where something as simple as a poorly designed database can provide an attacker with potential access not just to a single client’s data but access to every other client’s data, as well.


As we’ve seen over the past few years with the high-profile data breaches at major retailers including Target, Home Depot and Neiman Marcus, these types of data breaches can cost a company tens of millions of dollars in losses and cause permanent damage to its brand reputation. While storing data in the cloud represents a potential risk to organizations, following the best practices outlined in several of the CSA security guidance domains should go a long way towards mitigating those risks.


Avoiding the Risk: A Multi-Step Lifecycle Approach is Required


Protecting against data breaches should be considered as a multi-dimensional exercise throughout all phases of the data security lifecycle. Best practices expound upon a layered set of security defenses, as any specific security control is subject to failure.



Figure 1 - CSA Data Security Lifecycle


Understanding the threat vectors that are exploited by attackers in the cloud is a good way to prioritize data protection tactics. As most cloud data stores are manipulated by web applications, employing application security best practices is a recommended method to mitigate the risks that insecure software poses to the underlying data being manipulated. Insecure Application Programming Interfaces (APIs) are an important area to protect against. Cloud-based applications are often a “mashup” of several different application modules that may even exist at multiple cloud providers. The developer may not have direct access to the source code for all of the components of a given web application. Implementing a secure software development program is the ideal remedy for poor web application security. A combination of good architectural design, quality assurance testing and change management helps reduce this risk.


Another attack vector that can indirectly expose cloud-based data is the side-channel attack. In Infrastructure as a Service (IaaS) implementations, the virtualization layer is critical to understand. Vulnerabilities in virtual machines and hypervisors may help an attacker perform a privilege escalation attack and access data held within a separate virtual machine.


Even when some layers of security protections fail, it is important to understand how to make critical information resilient to attack. The most vetted security control to directly protect data of all types is encryption. Well-implemented encryption has been proven to make information indecipherable to an attacker. It is important to understand the types of encryption available at a given provider, what types of encryption a customer may be responsible for implementing on their own, and to follow best practices in how it is implemented. Chief among the best practices is sound key management, to assure that some level of segregation occurs between data processing and data ownership.


Another key but often overlooked area to understand within cloud-based data protection is how deleted data is handled. Information that is deleted needs to be destroyed beyond recovery, which is sometimes a challenge given a cloud provider’s objective to make information redundant. A wide variety of practices may be necessary to provide this type of assurance, ranging from technical controls, like encryption, to management controls, such as due diligence in reviewing a provider’s data destruction processes.
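
To make the key-management and data-destruction points above concrete, here is an added Node.js example (not part of the original article or of CSA guidance). It assumes one common way to realize them: envelope encryption with a per-tenant key held by the customer, so that destroying that key renders every replicated copy at the provider unreadable. All class and function names are hypothetical.

```javascript
// Added illustration; names are hypothetical and not from any provider's API.
const crypto = require("crypto");

// AES-256-GCM helper: returns iv || tag || ciphertext as one Buffer.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Reverse of seal(); final() throws if the key is wrong or the blob was altered.
function unseal(key, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Customer side (data ownership): one key-encryption key (KEK) per tenant,
// kept outside the provider.
class CustomerKeyStore {
  constructor() { this.keks = new Map(); }
  createTenant(id) { this.keks.set(id, crypto.randomBytes(32)); }
  wrap(id, dek) { return seal(this.kek(id), dek); }
  unwrap(id, wrapped) { return unseal(this.kek(id), wrapped); }
  destroy(id) { this.keks.get(id)?.fill(0); this.keks.delete(id); }
  kek(id) {
    const k = this.keks.get(id);
    if (!k) throw new Error(`no key for tenant ${id}`);
    return k;
  }
}

// Provider side (data processing): stores only ciphertext and the wrapped
// data key, and may replicate both freely.
function storeRecord(keys, tenant, plaintext) {
  const dek = crypto.randomBytes(32); // fresh data key per record
  const wrappedDek = keys.wrap(tenant, dek);
  const data = seal(dek, Buffer.from(plaintext));
  dek.fill(0); // do not keep the plaintext data key around
  return { tenant, wrappedDek, data };
}

function readRecord(keys, tenant, record) {
  const dek = keys.unwrap(tenant, record.wrappedDek); // fails for other tenants
  return unseal(dek, record.data).toString();
}
```

Because each tenant has its own KEK, a record read under another tenant's identity fails authentication rather than returning data, and calling destroy() for a tenant makes every stored replica of that tenant's records undecryptable.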


In Summary


Data breaches are the ultimate threat that keeps IT professionals awake at night for any type of information technology system. A layered approach to the implementation of security practices and strong awareness of both the provider and customer responsibilities is key to reducing this threat in the cloud.


The Data Breach threat made the top of the list when CSA conducted a survey of industry experts to assess the greatest vulnerabilities within cloud computing. The Top Threats working group used these survey results alongside their expertise to identify Data Breach as the top threat reflecting the most current concerns of the industry.


Get Some Help to Beef Up Your Approach to Cloud Security


HP’s Cloud Computing Security Knowledge (CSSK) courses were developed in partnership with CSA. These courses are designed to provide you with the knowledge you need to avoid security risks in the cloud and implement best-practice approaches, such as those for avoiding data breaches.


Bio on Jim Reavis:


As the co-founder and CEO of the Cloud Security Alliance (CSA), Jim has worked in the information security industry as an entrepreneur, writer, speaker, technologist and business strategist. Jim’s innovative thinking about emerging security trends has been published and presented widely throughout the industry and has influenced many. Jim has been named as one of the Top 10 cloud computing leaders by
