background image


OWASP Cloud Top 10 Risks


What is Cloud Security?

Cloud solutions are becoming much more prevalent in today’s industries, making for a new type of computing environment, and with it, comes several security risks and challenges. The OWASP Cloud – 10 Project aims to help industries and organizations implement secure practices when looking to deploy a cloud-based solution while taking advantage of the cost-saving benefits that a SaaS model provides. Specifically, the OWASP Cloud Top 10 Security Risks outlines what organizations should keep in mind during the planning and setup phase for their cloud environment. This information has been detailed below.

What are the OWASP Cloud Top 10 Risks?

R1 Accountability and Data Ownership

Typically, when organizations deploy a cloud-based solution, the cloud service provider has partial or complete control over the data, meaning the organization relinquishes certain rights to the data. This can further lead to a lack of transparency with regards to how the company’s data is handled and maintained.

To mitigate problems with accountability and data ownership, it should be advised that the organization and cloud service provider have complete transparency and understanding of how data is being stored. Additionally, organizations should know what security mechanisms are in place to protect the data, and what the backup and recovery process is for that given provider.

R2 User Identity Federation

Developing a solution to ensure that users are properly identified across cloud computing platforms is critical to enterprise security. For access across cloud services and applications, SAML (Security Assertion Markup Language) is often implemented; however, this solution makes it possible for adversaries to gain unauthorized access if not executed properly.

Ensure the implementation of identifying users on cloud services aligns with organization’s policies and standards and enforces a robust method of doing so. Additionally, implementing an access model helps to control access to certain privileged resources.

R3 Regulatory Compliance

The physical location of where data is stored and hosted can pose a problem in terms of geographical regulatory rules. Privacy laws for data storage can vary from one country to another, so it is of critical importance to understand how compliance applies in that region.

To avoid breaching laws associated with compliance, there should be complete transparency between the organization and the cloud service provider in terms of where their data is being stored and what jurisdictions apply. It is also important to ensure that the cloud service provider has a solid understanding of what laws apply where they are hosting the data.

R4 Business Continuity and Resiliency

Often, with regards to business continuity in the case of an incident, the cloud service provider holds the responsibility to ensure that organizations’ can continue operations and providing services to their customers if an outage were to occur. Not having such a plan can lead to lack of availability, which in turn results in lost revenue.

Organizations should coordinate with their cloud service provider to ensure that a robust disaster recovery and business continuity plan is in place for emergencies.

R5 User Privacy and Secondary Usage of Data

Migrating data onto a cloud-based platform opens up more opportunities for the data to be used for other purposes. Furthermore, data mining can take place which puts the user’s privacy of their information at risk.

To mitigate the risks associated with this, it’s crucial that there’s a clear understanding about the usage of user’s data and that there’s a defined policy for acceptable use and privacy. Outlining this information with the cloud service provider will help to enforce the protection of user’s private information.

R6 Service and Data Integration

Protecting data in a transit is of particular importance for organizations implementing cloud-based solutions as sensitive information is being transferred over the Internet. Lack of transmission of secure data can lead to sensitive data exposure and compromise of company information.

Enforce the use of strong encryption protocols for data transmission such as SSL/TLS can help to protect the confidentiality of this information.

R7 Multi-Tenancy and Physical Security

Though a powerful advantage of cloud-based solutions, multi-tenant environments can lead to security risk if resources hosted in the cloud are not logically separated to ensure protection of each tenants’ data.

The cloud service provider should construct the multi-tenant environment to enforce proper logical separation of data and isolate the infrastructure for each tenant. As the organization, ensure there’s understanding of logically how and where the data is being stored and what the provider is doing to protect from data exposure.

R8 Incidence Analysis and Forensic Support

The analysis process that follows an incident requires that log files and associated data be collected for investigation. This can become complicated within a cloud environment as there are issues with multi-location storage and data that is stored on the same hardware that is unrelated and belonging to an external organization resulting in conflict in forensic recovery.

Organizations should communicate effectively with their cloud service providers to analyze how their event logs are being generated and stored. It should also be outlined between the two parties what can be done to help for future forensic recoveries (e.g. imaging, snapshots, etc.).

R9 Infrastructure Security

Implementing best infrastructure security practices will go a long way to reduce the risk of exploitation within the environment. Lack of infrastructure security, even within a cloud-based platform, can lead to compromise of your organization.

General security measures and practices are applicable here, such as routine vulnerability assessments and applying security patches and updates. For more information about what a vulnerability management entails and how it helps with infrastructure security, refer to the following blog.

R10 Non-Production Environment Exposure

If using a staging environment for testing and development purposes and hosting it along with your production environment on a cloud platform, it should be managed with standards to prevent from unauthorized access since these environments are inherently less secure than the production ones.

Avoid storing sensitive data on non-production environments and ensure that access to them are limited and protected accordingly.

How to Improve your Cloud Security

Each risk associated with cloud security has its own unique mitigation strategies that should be explored in detail in order to develop a robust cloud environment for your business solutions. Furthermore, to help improve your cloud security and overall, get a better understanding for what implementing cloud-based solutions might mean for your security posture, please feel free to contact us for more information.

Additionally, for more information about the OWASP Cloud Top 10 Security Risks, you can visit the official OWASP website.