Page 141 - Big data - Concept and application for telecommunications


            7.1     Security threats for cloud service customers (CSCs)

            The following threats are those that directly affect CSCs. They may affect the CSCs' personal or business
            interests, confidentiality, lawfulness or safety. Not all CSCs will be at risk from all threats. The risk will be unequal
            depending on the nature of the CSC and of the cloud computing service being used. For example, a cloud
            service specific to the transcoding of commercial video files has no requirements to protect personally
            identifiable information (PII), but will have strong requirements around the protection of digital assets.

            7.1.1   Data loss and leakage

            As the cloud service environment is typically a multi-tenant one, loss or leakage of data is a serious threat to
            the CSC. A lack of appropriate management of cryptographic information, such as encryption keys,
            authentication codes and access privileges, could lead to significant damage, such as data loss and
            unexpected leakage to the outside. For example, insufficient authentication, authorization, and audit
            controls; inconsistent use of encryption and/or authentication keys; operational failures; disposal problems;
            jurisdiction and political issues; data centre reliability; and disaster recovery, can be recognized as major
            sources of this threat and may be associated with the challenges described in clause 8.1.2 "Loss of trust",
            clause 8.1.3 "Loss of governance" and clause 8.1.4 "Loss of confidentiality".

            7.1.2   Insecure service access

            Identity credentials, including those of CSC administrators, are especially vulnerable to unauthorized users in
            the highly distributed environment of cloud computing, since, unlike in traditional telecommunications, it is
            often difficult to rely on location (e.g., landline) or the presence of a specific hardware element (e.g., a mobile
            subscriber identity module (SIM)) to reinforce authentication of identity. As most of the service offerings are
            remote, unprotected connections expose potential vulnerability. Even when the connections are protected
            or local, other attack methods (such as phishing, fraud, social engineering and exploitation of software
            vulnerabilities) may also succeed. If an attacker gains access to users' or administrators' credentials, they can
            eavesdrop on activities and transactions, manipulate data, return falsified information, and redirect a CSC's
            clients to illegitimate sites. Passwords are often reused across multiple websites and services, which amplifies
            the impact of such attacks since a single break can expose multiple services. Cloud computing solutions also
            add a new threat to the landscape. The CSC's account or service instances may become a new base for an
            attacker. From this point onwards, the attacker may leverage the power of the CSC's reputation and
            resources to launch subsequent attacks.

            7.1.3   Insider threats

            Where human beings are involved, there is always a risk of individuals acting in a manner that is not
            consistent with the security of the service. CSC employees sharing "administrator" passwords, or otherwise
            leaving credentials unsecured (e.g., written on notes stuck to a screen), careless or inadequately trained users
            (or family members in a consumer setting), or malicious actions by disgruntled employees will always pose a
            significant threat.

            7.2     Security threats for cloud service providers (CSPs)

            This clause identifies threats that directly affect CSPs. Such threats might affect the ability of a CSP to offer
            services, to do business, to retain customers, and to avoid legal or regulatory difficulties. Threats to a given
            CSP will also depend on their specific service offerings and environments.

            7.2.1   Unauthorized administration access

            The cloud computing service will include interfaces and software components that allow the CSC's own staff
            to administer those aspects of the cloud computing service that are under the CSC's control, such as the
            addition or removal of CSC employee accounts, connections to the CSC's own servers, changes to service
            capacity, updating the domain name system (DNS) entries and websites, etc. Such administrative interfaces
            can become a target of choice for attackers who impersonate the CSC's administrators to attack a CSP.
            Because such cloud computing services have to be accessible to the CSC's own staff, the protection of these
            services becomes a major concern for cloud computing security.



                                                                   Security, privacy and data protection   133