Advances, Systems and Applications
From: A risk assessment model for selecting cloud service providers
Cloud-specific vulnerabilities

V1. Authentication, Authorization, Accounting (AAA) vulnerabilities
V2. User provisioning vulnerabilities
V3. User de-provisioning vulnerabilities
V4. Remote access to management interface
V5. Hypervisor vulnerabilities
V6. Lack of resource isolation
V7. Lack of reputational isolation
V8. Communication encryption vulnerabilities
V9. Lack of or weak encryption of archives and data in transit
V10. Impossibility of processing data in encrypted form
V11. Poor key management procedures
V12. Key generation: low entropy for random number generation
V13. Lack of standard technologies and solutions
V14. No source escrow agreement
V15. Inaccurate modelling of resource
V16. No control on vulnerability assessment process
V17. Possibility that internal (cloud) network probing will occur
V18. Possibility that co-residence checks will be performed
V19. Lack of forensic readiness
V20. Sensitive media sanitization
V21. Synchronizing responsibilities or contractual obligations external to cloud
V22. Cross-cloud applications creating hidden dependency
V23. SLA clauses with conflicting promises to different stakeholders
V24. SLA clauses containing excessive business risk
V25. Audit or certification not available to customers
V26. Certification schemes not adapted to cloud infrastructures
V27. Inadequate resource provisioning and investments in infrastructure
V28. No policies for resource capping
V29. Storage of data in multiple jurisdictions and lack of transparency about this
V30. Lack of information on jurisdictions
V31. Lack of completeness and transparency in terms of use

Vulnerabilities not specific to the cloud

V32. Lack of security awareness
V33. Lack of vetting processes
V34. Unclear roles and responsibilities
V35. Poor enforcement of role definitions
V36. Need-to-know principle not applied
V37. Inadequate physical security procedures
V38. Misconfiguration
V39. System or OS vulnerabilities
V40. Untrusted software
V41. Lack of, or a poor and untested, business continuity and disaster recovery plan
V42. Lack of, or incomplete or inaccurate, asset inventory
V43. Lack of, or poor or inadequate, asset classification
V44. Unclear asset ownership
V45. Poor identification of project requirements
V46. Poor provider selection
V47. Lack of supplier redundancy
V48. Application vulnerabilities or poor patch management
V49. Resource consumption vulnerabilities
V50. Breach of NDA by provider
V51. Liability from data loss
V52. Lack of policy or poor procedures for logs collection and retention
V53. Inadequate or misconfigured filtering resources