Advances, Systems and Applications

Table 2 ENISA’s list of vulnerabilities

From: A risk assessment model for selecting cloud service providers

Cloud specific vulnerabilities

V1. Authentication Authorization Accounting (AAA) vulnerabilities

V2. User provisioning vulnerabilities

V3. User de-provisioning vulnerabilities

V4. Remote access to management interface

V5. Hypervisor vulnerabilities

V6. Lack of resource isolation

V7. Lack of reputational isolation

V8. Communication encryption vulnerabilities

V9. Lack of or weak encryption of archives and data in transit

V10. Impossibility of processing data in encrypted form

V11. Poor key management procedures

V12. Key generation: low entropy for random number generation

V13. Lack of standard technologies and solutions

V14. No source escrow agreement

V15. Inaccurate modelling of resource

V16. No control on vulnerability assessment process

V17. Possibility that internal (cloud) network probing will occur

V18. Possibility that co-residence checks will be performed

V19. Lack of forensic readiness

V20. Sensitive media sanitization

V21. Synchronizing responsibilities or contractual obligations external to cloud

V22. Cross-cloud applications creating hidden dependency

V23. SLA clauses with conflicting promises to different stakeholders

V24. SLA clauses containing excessive business risk

V25. Audit or certification not available to customers

V26. Certification schemes not adapted to cloud infrastructures

V27. Inadequate resource provisioning and investments in infrastructure

V28. No policies for resource capping

V29. Storage of data in multiple jurisdictions and lack of transparency about this

V30. Lack of information on jurisdictions

V31. Lack of completeness and transparency in terms of use

Vulnerabilities not specific to the cloud

V32. Lack of security awareness

V33. Lack of vetting processes

V34. Unclear roles and responsibilities

V35. Poor enforcement of role definitions

V36. Need-to-know principle not applied

V37. Inadequate physical security procedures

V38. Misconfiguration

V39. System or OS vulnerabilities

V40. Untrusted software

V41. Lack of, or a poor and untested, business continuity and disaster recovery plan

V42. Lack of, or incomplete or inaccurate, asset inventory

V43. Lack of, or poor or inadequate, asset classification

V44. Unclear asset ownership

V45. Poor identification of project requirements

V46. Poor provider selection

V47. Lack of supplier redundancy

V48. Application vulnerabilities or poor patch management

V49. Resource consumption vulnerabilities

V50. Breach of NDA by provider

V51. Liability from data loss

V52. Lack of policy or poor procedures for logs collection and retention

V53. Inadequate or misconfigured filtering resources