Insecure Interfaces and APIs:
Cloud computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration, and monitoring are all performed using these interfaces. The security and availability of general cloud services depend on the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. Furthermore, organizations and third parties often build upon these interfaces to offer value-added services to their customers. This introduces the complexity of the new layered API; it also increases risk, as organizations may be required to relinquish their credentials to third parties in order to enable their agency.
Examples
Anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, limited monitoring and logging capabilities, unknown service or API dependencies.
Remediation
Analyze the security model of cloud provider interfaces.
Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
Understand the dependency chain associated with the API.
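The sketch below is an added example, not code from the original page or from any cloud provider. It shows one way an API endpoint can refuse the weaknesses listed under Examples: anonymous callers, cleartext transport, and reusable credentials. The key store, field names, `MAX_SKEW` window and the `tls` flag (standing in for what a TLS terminator would report) are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

API_KEYS = {"tenant-a": b"constructed-demo-secret"}  # constructed sample key store
MAX_SKEW = 300      # seconds a signed request stays acceptable
_seen_nonces = {}   # (key_id, nonce) -> request timestamp


def sign(secret, method, path, body, ts, nonce):
    """HMAC-SHA256 over every field an attacker must not be able to alter."""
    body_hash = hashlib.sha256(body).hexdigest()
    msg = "\n".join([method, path, body_hash, str(ts), nonce]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_request(key_id, method, path, body, ts, nonce):
    """Client side: build a signed request as a plain dict."""
    sig = sign(API_KEYS[key_id], method, path, body, ts, nonce)
    return {"key_id": key_id, "method": method, "path": path,
            "body": body, "ts": ts, "nonce": nonce, "sig": sig}


def verify(req, now=None, tls=True):
    """Server side: return (allowed, reason); anything unexpected is denied."""
    now = time.time() if now is None else now
    if not tls:
        return False, "cleartext transport"
    secret = API_KEYS.get(req.get("key_id"))
    if secret is None:
        return False, "anonymous or unknown caller"
    ts, nonce, body = req.get("ts"), req.get("nonce"), req.get("body", b"")
    if not (isinstance(ts, int) and isinstance(nonce, str) and nonce
            and isinstance(body, bytes)):
        return False, "malformed request"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign(secret, str(req.get("method")), str(req.get("path")),
                    body, ts, nonce)
    if not hmac.compare_digest(expected.encode(), str(req.get("sig")).encode()):
        return False, "bad signature"
    # Forget nonces outside the validity window, then refuse any reuse.
    for key in [k for k, t in _seen_nonces.items() if now - t > MAX_SKEW]:
        del _seen_nonces[key]
    if (req["key_id"], nonce) in _seen_nonces:
        return False, "replayed request"
    _seen_nonces[(req["key_id"], nonce)] = ts
    return True, "ok"
```

Logging the returned reason for every denial also addresses the limited monitoring and logging item in the list above.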
Our Services:
Cloud customers need assurance that providers are following sound security practices in mitigating the risks facing both the customer and the provider (e.g., DDoS attacks). They need this in order to make sound business decisions and to maintain or obtain security certifications.
Our Cloud Security Assessments provide means for customers to:
1. assess the risk of adopting cloud services;
2. compare different cloud provider offerings;
3. obtain assurance from selected cloud providers;
4. reduce the assurance burden on cloud providers;
5. select and deploy the security monitoring tools needed and customize the flow analysis features available on routers.
Our Cloud Security Assessment evaluation will cover all aspects of security requirements.
For a complete Cloud Security Assessment and Penetration Testing for an existing configuration please select: