What are security issues which are specific to cloud computing?

There's an infinite number of security issues with the cloud. To see a nasty laundry list, check out ENISA's documents.


From the ENISA PDF that @atdre already linked to in his answer.

LOSS OF GOVERNANCE: in using cloud infrastructures, the client necessarily cedes control to the Cloud Provider (CP) on a number of issues which may affect security. At the same time, SLAs may not offer a commitment to provide such services on the part of the cloud provider, thus leaving a gap in security defences.
LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment. This introduces a dependency on a particular CP for service provision, especially if data portability, as the most fundamental aspect, is not enabled.
ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computing. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks). However, it should be considered that attacks on resource isolation mechanisms (e.g., against hypervisors) are still less numerous and much more difficult for an attacker to put in practice compared to attacks on traditional OSs.
COMPLIANCE RISKS: investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud:
  • if the CP cannot provide evidence of their own compliance with the relevant requirements;
  • if the CP does not permit audit by the cloud customer (CC).
In certain cases, it also means that using a public cloud infrastructure implies that certain kinds of compliance cannot be achieved (e.g., PCI DSS (4)).
MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.
DATA PROTECTION: cloud computing poses several data protection risks for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated clouds. On the other hand, some cloud providers do provide information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the data controls they have in place, e.g., SAS70 certification.
INSECURE OR INCOMPLETE DATA DELETION: when a request to delete a cloud resource is made, as with most operating systems, this may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a customer perspective), either because extra copies of data are stored but are not available, or because the disk to be destroyed also stores data from other clients. In the case of multiple tenancies and the reuse of hardware resources, this represents a higher risk to the customer than with dedicated hardware.
MALICIOUS INSIDER: while usually less likely, the damage which may be caused by malicious insiders is often far greater. Cloud architectures necessitate certain roles which are extremely high-risk. Examples include CP system administrators and managed security service providers.


A small subset of security issues (not necessarily new per se to cloud, but definitely more difficult):

  • Access control
  • Privacy and confidentiality
  • Availability (how strong is your SLA, really? Does your provider indemnify for any damages resulting from being offline?)
  • Connection with internal systems - you'll often have to punch open holes in your firewall to allow some other protocols to get to your sensitive, internal systems.
  • Compliance - there are some regulations, notably PCI-DSS, that you currently cannot reach compliance with if you are using cloud-based systems. Note that they might not explicitly disallow cloud systems, but it is simply impossible to be compliant while using cloud systems as they are today.
  • There are certain laws, in some countries, that forbid you from moving private data of their citizens out of their country. There are other countries where you don't want to move your data, as you do not want to be subject to their laws... When you're clouding, you don't really know where your systems and data are located, so how can you assure your users of anything with respect to their location? For that matter, how do you know which laws you must comply with at which time? And how do you know you're not already illegal?