Top 10 Cloud Security Vulnerabilities Identified Outsourcing Template

Cloud processing adds new vulnerabilities to the security and compliance landscape

The need to lower cost, increase efficiency and conserve cash has increased the motivation of companies to turn to Cloud Computing and increased the appeal of alternative delivery models.

Janco Associates identified these top 10 cloud security vulnerabilities from a series of cloud security compliance audits and from reviews of cloud security concerns with CTOs, CIOs and CSOs.

Cloud Vulnerabilities

  1. Data breaches - A data breach occurs when any information that is not intended for public release, including personal health information, financial information, personally identifiable information, trade secrets, and intellectual property, is exposed. A data breach is not unique to cloud computing, but it is a top concern for cloud users.
  2. Weak Security - Weak security allows cyber-criminals to act as legitimate users, operators, or developers who can read, modify, and delete data; issue control plane and management functions; and spy on data. The root cause is insufficient identity, credential, or access control. An example is leaving a port open that allows access without authentication.
  3. Non-Secure Interfaces & APIs - Cloud providers typically provide a set of software user interfaces (UIs) or APIs to manage and interact with cloud services. These need to be designed to protect against accidental and malicious attempts to circumvent policy.
  4. OS vulnerabilities - Operating system vulnerabilities allow attackers to infiltrate a system to steal data, take control of the system, or disrupt service operations. Vulnerabilities within the components of the operating system put the security of all services and data at significant risk. With multi-tenancy in the cloud, systems from various organizations are placed close to each other and given access to shared memory and resources, creating new attack vectors.
  5. Account hijacking - Cloud services add a new threat to the landscape. If attackers gain access to a user's credentials, they can eavesdrop on activities and transactions, manipulate data, return falsified information and redirect clients to illegitimate sites. For example, a cyber-attacker may gain root-level control of systems via an existing account.
  6. Insider breach as System Administrator - A disgruntled employee who is a system administrator can access potentially sensitive information, and can have increasing levels of access to more critical systems and eventually to data. Enterprises that depend solely on cloud service providers for security are at greater risk.
  7. Parasitic code on server - Parasitic code on a server infiltrates systems to establish a foothold in the IT infrastructure of target companies, from which the attackers steal data. This type of code pursues its goals stealthily over an extended period of time, often adapting to the security measures in place. Once in place, it can move through data center networks and blend in with normal network traffic to achieve its objectives.
  8. Data Destruction - An accidental deletion by the cloud service provider, or a physical catastrophe such as a fire or earthquake, can lead to the permanent loss of customer data unless the user takes adequate measures to back up data, following best practices in business continuity and disaster recovery.
  9. Denial of service (DoS) - DoS attacks are designed to prevent users of a service from being able to access their data or applications. Attackers can cause a system slowdown and leave all legitimate service users without access to services.
  10. Ransomware - Ransomware is malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.

How to Guide for Cloud Process and Outsourcing

The How to Guide for Cloud Processing and Outsourcing has as its primary focus providing everything that is needed to select a vendor, enter into an agreement, and manage the relationship.


How to Guide for Cloud and Outsourcing


The template is provided in WORD and Adobe Reader PDF format. It can be used in whole or in part to plan for, negotiate, and manage the cloud outsourcing process. The 150 plus pages include the Outsourcing & Cloud-Based File Sharing Policy, 12 job descriptions (VP Strategy and Architecture, Director Disaster Recovery and Business Continuity, Disaster Recovery Coordinator, Manager of Cloud Applications, Manager Outsourcing, Manager User Support, Manager Vendor Management, Manager WFH Support, Cloud Computing Architect, Digital Brand Manager, Capacity Planning Supervisor, and Digital Content Specialist), a sample contract, a service level agreement, an ISO 27001 - 27002 - 27031 security audit checklist, a Business and IT Impact Questionnaire and much more.

How to Guide for Cloud Outsourcing and Disaster Recovery Bundle


The bundle includes in editable Microsoft WORD and PDF formats:

  • Practical Guide for Cloud Outsourcing

  • Disaster Recovery Plan (DRP), which can be used in whole or in part to establish defined responsibilities, actions and procedures to recover the computer, communication and network environment in the event of an unexpected and unscheduled interruption. The template is ISO 27000 (27031) Series, COBIT, Sarbanes Oxley, PCI-DSS, and HIPAA compliant.

How to Guide for Cloud Outsourcing, Disaster Recovery, and Security Bundle


The bundle includes in editable Microsoft WORD and PDF formats:

  • Practical Guide for Cloud Outsourcing

  • Disaster Recovery Plan (DRP)

  • Security Manual Template (ISO, CobiT, SOX, HIPAA compliant), which includes the Business Impact Questionnaire and a Threat and Vulnerability Assessment Form (PDF and Excel). It is a complete Security Manual and can be used in whole or in part to comply with Sarbanes Oxley and to define responsibilities, actions and procedures to manage the security of your computer, communication, Internet and network environment.