The benefits of cloud computing are now obvious. The most notable are: reduced maintenance costs for IT infrastructure, reduced energy consumption, the rapid availability of a ready-to-use platform for deploying applications, a simple backup solution accessible to all, even to non-computer scientists, etc.
However, despite all the possibilities offered by this new concept of computing, there is still reluctance to adopt it. This reluctance is, for the most part, linked to the security factor, which remains a real challenge.
As a reminder, cloud computing is an IT approach that uses the Internet (or any other WAN) to access system and application resources (servers, storage, collaboration and administration tools, etc.). These remote resources are said to be "in the cloud".
Several studies conducted by specialists such as ISACA (Information Systems Audit and Control Association) and CSA (Cloud Security Alliance) have identified twelve points that constitute the major threats to data security and cloud applications.
1. Security breaches, both in one of the logical layers of the datacenter and those resulting from human error;
2. Weak identity and access management, although some providers are strengthening authentication interfaces with other means such as certificates, smart cards, OTP technology and many others;
3. The use of unsecured APIs for integrating applications with cloud services;
4. Exploitation of vulnerabilities in the operating systems of cloud servers and even in hosted applications;
5. Account piracy, an old type of computer attack that has seen a strong upsurge since the advent of the Internet and again with that of cloud computing;
6. Malicious action initiated from inside the supplier's workforce. An attacker in the datacenter management team can easily undermine the privacy and integrity of the hosted environments;
7. Advanced Persistent Threats (APT), a form of attack in which the hacker is able to somehow install a device in the internal network of the organization, from which he can eradicate important or confidential data. This form of attack is hard for a cloud service provider to detect;
8. Data loss, which can be caused by a (logical) computer attack on the datacenter, a physical attack (fire or bombardment), a natural disaster, or even just a human factor at the service provider, for example the bankruptcy of the company;
9. Shortcomings in internal adoption or cloud transition strategies. Businesses or organizations often do not consider all the security factors associated with their operation before subscribing to a cloud service. Negligence, both in application development and in basic use, is sometimes fatal;
10. Fraudulent use of cloud technologies to hide identity and carry out large-scale attacks. Generally, these are accounts created during evaluation periods (most ISPs offer a 30-day free trial) or access purchased fraudulently;
11. Denial of service, an attack that makes a service unavailable through excessive consumption of resources such as processors, memory or the network. The hacker's aim is to overload the datacenter's resources so that other users cannot take advantage of the services;
12. Flaws related to the heterogeneity of the technologies embedded in the internal architecture of the cloud and in the external interface architecture with users.
These twelve points could further confirm the paranoid in their mistrust of the cloud, but above all they will encourage users (individuals and businesses) to be more demanding about service levels (SLA: Service Level Agreement) with suppliers.