- November 24, 2020
- By: Olusola Akinrolabu
- in: Cloud Computing

Cybersecurity threats, whether malicious or accidental, pose a serious and ongoing challenge to cloud computing infrastructures. As has become apparent, cloud computing has accelerated the rapid globalisation and outsourced diffusion of hardware and software systems, drastically altering consumers’ perception of infrastructure architectures, software delivery and development models. Cloud computing achieves its essential qualities (measured service, on-demand self-service, rapid elasticity, resource pooling, and broad network access) primarily by leveraging software capabilities for agility, a somewhat different approach from the traditional datacentre approach to resource provisioning. The components of a cloud service, particularly PaaS and SaaS applications, are made up of loosely coupled services, which helps to promote interoperability and federation between different cloud environments. However, this new model of computing sees cloud provider trust boundaries becoming fuzzy, which weakens the effectiveness of traditional security controls.
Cloud computing in its quintessence can address some identified deficiencies of traditional computing due to its unique qualities, but its adoption, if not properly managed, may introduce a new facet of uncategorised threats, mainly supply chain-related threats. A review of the recent Cloud Security Alliance (CSA) publication titled “The Treacherous 12” highlights at least ten threats that are directly related to the supply chain of cloud computing. The increased number of parties, devices and applications involved in cloud service delivery leads to an increase in attack surface and consequently an increased threat of data compromise. There is limited information about how these threats apply to real-world scenarios, the attack vectors used, or the risks and results of those events. However, a recent study by Symantec found supply chain to be their latest threat vector, attributing this to the increased attacks on their contractors and subcontractors, who are often in possession of intellectual property (IP).
Cloud services make use of application programming interfaces (APIs), a Service Oriented Architecture (SOA) feature that promotes significant decoupling and dynamic binding of software capabilities. These software components are structured as services, and they encapsulate behaviour, which is presented to collaborating components on the network through standard messaging facilities. APIs are commonly exposed to third parties using Representational State Transfer (REST), which helps to separate cloud resources from their representation in a loosely coupled fashion. RESTful services contribute to building resilient cloud solutions that are scalable, context independent and able to withstand component failure. However, APIs remain the most exposed part of a cloud service, and the use of a weak set of APIs exposes the cloud provider and other cloud consumers to a variety of security-related issues, including the loss of privacy, confidentiality, integrity, and availability of the cloud service.
With API threats currently ranked third in the CSA’s top 12 treacherous threats of cloud computing, the security and availability of cloud services are directly related to how third-party APIs are integrated into cloud services. Any attempt to exploit the security weakness of an API or circumvent its policy, whether malicious or accidental, poses a serious and ongoing challenge to the security of cloud computing and other reliant infrastructures. Similarly, as most cloud services are web services, the APIs that connect these web services share many vulnerabilities common to web applications.
Cloud computing blurs the trusted security boundary, and its use of a loosely coupled architecture could lead to sensitive data being processed outside known trusted and controllable areas, leading to risks of data loss, loss of compliance, unauthorised use or inadequate protection. It is therefore pertinent for cloud service providers (CSPs) to ensure that their cloud offering and other dependent cloud services go through an adequate life-cycle security program and are subject to regular vulnerability assessments, including against the SANS Top 25 Most Dangerous Software Errors or the OWASP Top 10. In assessing their supply chain risks, cloud providers need to be able to identify their dependencies on external parties and manage these dependency risks. CSPs will also need to ensure that their suppliers are carrying out similar due diligence activities, as a failure to comply leaves the entire cloud supply chain exposed to external threats.