Transforming IT

Avoiding the Notorious 9: Protecting Cloud-based Data Against Threats


What are the “Notorious 9”? This is the term given by the Cloud Security Alliance (CSA) to the “top threats” to data security in the cloud. When it comes to moving to the cloud, data security is the number one objection that CSA hears from IT folks. How do you protect sensitive and proprietary data in a multitenant environment?


In this new blog series, CSA’s Jim Reavis will provide expert advice on how to avoid the dangers posed by each of the Notorious 9 threats. This first entry introduces Jim and the Notorious 9, and how CSA identified them. Subsequent blog entries will provide more details on each of the Notorious 9 and how to mitigate the threats.


To follow along, search for #Notorious9 on social media. We hope that you find this blog series useful.



By Jim Reavis:


At the Cloud Security Alliance (CSA), we believe that cloud computing is great, but secure cloud computing is a necessity. We don’t believe that data security concerns should prevent a company from realizing all of the business benefits that the cloud has to offer. That’s why we’ve done extensive research to identify best practices for protecting data in the cloud.


CSA has defined a data security lifecycle for the cloud, which involves a full, cradle-to-grave approach to protecting data, starting with its creation, to its storage, usage, sharing, archiving and, finally, its deletion. Granted, the steps for managing data aren’t always clear-cut. As stated in the Notorious 9 report, “…the measures you put in place to mitigate one of these [nine] threats can exacerbate the other. [For example], you may be able to encrypt your data to reduce the impact of a data breach, but if you lose your encryption key, you’ll lose your data as well.”


HP’s Cloud Computing Security Knowledge (CCSK) courses, which were developed in partnership with CSA, help IT and security professionals understand the nuances of data security in the cloud while preparing them for the CCSK certification exam. The CCSK Foundation and CCSK Plus courses explain how to use encryption and key management, as well as access controls, identity management policies and data classification to ensure that data is protected against data breaches.


More importantly, these courses help IT professionals to make intelligent choices in securing data against the threats of the Notorious 9.


What are the Notorious 9 threats?


In the most recent 2013 edition of this report, experts identified the following nine critical threats to cloud security (ranked in order of severity):

  1. Data Breaches
  2. Data Loss
  3. Account Hijacking
  4. Insecure APIs
  5. Denial of Service
  6. Malicious Insiders
  7. Abuse of Cloud Services
  8. Insufficient Due Diligence
  9. Shared Technology Issues

How did CSA identify and rank these threats?


To identify the top threats, CSA conducted a survey of industry experts to compile their opinions on the greatest vulnerabilities within cloud computing. The CSA Top Threats working group used these survey results alongside working group expertise to determine the Notorious 9. The resulting top threats report reflects the current consensus among experts about the most significant threats to cloud security, as validated by the survey methodology.


While there are many vulnerabilities to cloud security, this report focuses on threats specifically related to the shared, on-demand nature of cloud computing.


Security risk prevention in the cloud can be a complex issue, but if you understand the different components, they can be broken down and addressed to reduce risk. The best practices identified by the CSA and taught by CSA’s Master Training Partner, HP, can help. Stay tuned to this #Notorious9 blog series, as we dig deeper into each threat, its risk, and how to mitigate it.


About the author: Jim Reavis


Co-founder and Chief Executive Officer of CSA


For many years, Jim Reavis has worked in the information security industry as an entrepreneur, writer, speaker, technologist and business strategist. Jim’s innovative thinking about emerging security trends has been published and presented widely throughout the industry and has influenced many. Jim is helping shape the future of information security and related technology industries as co-founder, CEO and driving force of the Cloud Security Alliance. Jim has been named as one of the Top 10 cloud computing leaders by


Jim is the President of Reavis Consulting Group, LLC, where he advises security companies, governments, large enterprises and other organizations on the implications of new trends such as Cloud, Mobility, Internet of Things and how to take advantage of them. Jim founded SecurityPortal, the Internet’s largest website devoted to information security in 1998, and guided it until a successful exit in 2000. Jim has been an advisor on the launch of many industry ventures that have achieved a successful M&A exit or IPO. Jim is widely quoted in the press and has worked with hundreds of corporations on their information security strategy and technology roadmap. Jim has a background in networking technologies, marketing, product management and systems integration. Jim received a B.A. in Business Administration / Computer Science from Western Washington University in 1987 and serves on WWU’s alumni board.
