Cloud computing risk identification

Cloud computing risk identification

 

IPolicy and organizational risks (policy and organizational risk)

1) Lock-in (locked, no replacement for service lock)

2) Loss of governance (out of governance)

3) Compliance Challenges (compliance challenge)

4) Loss of business reputation due to co-tenant activities (loss of business reputation due to shared activities)

5) Cloud service termination or failure (cloud service termination or failure)

6) Cloud provider acquisition (cloud service provider acquisition)

7) Supply chain failure (Supply Chain break)

 

Technical Risks (technical risk)

1) Resource exhaustion (under or over provisioning) (resource depletion)

2) Isolation failure (isolated)

3) Cloud provider malicious insider-abuse of high privilege roles)

4) Management Interface compromise (manipulation, availability of infrastructure) (Management Interface hazards-infrastructure availability and Control)

5) Intercepting data in transit (Data Truncation in transmission)

6) Data leakage on up/download, intra-cloud (data leakage)

7) Insecure or ineffective deletion of data (insecure or invalid data deletion)

8) Distributed Denial of Service (DDoS Distributed Denial of Service Attack)

9) Economy mic Denial of Service (edos)

10)Loss of encryption keys (key loss)

11)Undertaking malicious probes or scans (for malicious detection or scanning)

12)Compromise service engine (hazardous service engine)

13)Conflicts between customer hardening procedures and cloud environment (customer EnhancementProgramConflicts with the cloud environment)

 

Three legal risks (legal risk)

1) Subpoena and e-discovery

2) Risk from changes of jurisdiction (governing the risk of changes)

3) Data protection risks (data protection risk)

4) Licensing risks (license risk)

 

ThuRisks not specific to the cloud (non-cloud service-specific risks)

1) Network breaks)

2) Network Management (ie, network congestion/mis-connection/non-optimal use) (Network Management)

3) Modifying network traffic (network traffic change)

4) Privilege Escalation (expanded permissions)

5) Social engineering attacks (ie, impersonation )(Social engineering attacks)

6) Loss or compromise of operational logs (operation logs are lost or leaked)

7) Loss or compromise of security logs (manipulation of forensic investigation) (modifies or leaks security logs)

8) Backups lost and stolen (Backup loss and theft)

9) Unauthorized access to premises (including physical access to machines and other facilities) (unauthorized access)

10) Theft of computer equipment (theft of computer equipment)

11 ) natural disasters (natural disasters)