As a Princeton seminary student, I had the opportunity to sing with the Princeton University Gospel Ensemble (a.k.a. PUGE). One of the more memorable songs we sang was a slave spiritual adapted from the Noah Story of the Bible. Its lyrics were the following:
"Can you see the clouds gathering,
don't let it be said too late.
You better run into the ark before the rain starts."
Slave spirituals appeared in the context of American slavery of Africans in the South. American slavery, an institution built on the enslavement of Africans, forcibly displaced them from their native lands, subjected them to harsh servile labor, and broke up families. Africans attempted to liberate themselves from the tyranny of slavery with the help of the Underground Railroad, doing so at significant risk and threat to their lives. The Underground Railroad served as a northern passageway to freedom consisting of sympathetic abolitionists and a network of courageous slave operatives. Together they created a secret and secure network of routes to transport freedom seekers safely to Canada. The success of these covert operations would not have been possible without the slave spirituals.
These songs served a dual purpose – to alert slaves and liberation operatives of impending danger on routes to freedom, and to render this messaging indecipherable to slaveholders. The mention of “gathering clouds,” a coded phrase, mobilized the Underground Railroad network operatives to change tactics and course based on knowledge of imminent threats, enabling slaves to continue their pursuit of freedom and preserve their well-being without their oppressors catching on.
For companies on the path of cloud adoption, the fear that dark “clouds gathering” could impact business health and one's financial bottom line is a source of anxiety. Despite recent data showing consistent growth in cloud adoption rates over the last 18 months, a group of holdouts endures. A recent conversation with a large multinational client revealed that some technology teams remain risk averse to a public cloud; leadership’s position on a public cloud was an adamant one: “We will only implement a private cloud, never a public one.” The unspoken implication to me was “private cloud is inherently safer than public cloud. Single tenancy keeps our data safe.”
Because of this fear of threats, business leaders are hesitant to move business-critical applications to the cloud. In this line of thinking, workloads like messaging, customer resource management, and collaboration solutions like Box and Google Docs are not worth the risk to businesses. This distrust of the cloud continues, but are these fears warranted? The fact that 30% of data (of which we are aware) still resides in cloud repositories gives executives pause. Add to this the explosive growth of data generated by Internet of Things (IoT) endpoints, and data volumes in cloud repositories will grow exponentially, resulting in increased opportunity for data theft.
The Cloud Security Alliance (CSA) recently polled technology leaders to understand what concerns them most regarding cloud adoption. The result – the treacherous twelve cloud security concerns. Traditional concerns such as data breaches, vulnerabilities, insider threats and nation-state actors remain the same for executives contemplating the cloud. I would argue that two main motivations characterize these “12” and other security threats: data theft and data disruption.
In the first bucket, motivated actors’ objective is to access and steal data. Concerning data theft, the following activities, ranging from trivial to highly sophisticated attacks, have been reported:
Cloud side channel attack theory, extended from traditional side channel attack methodology, has been in vogue in academic circles in recent years and is considered an attack method of choice for the criminally motivated. The seminal paper on this approach, "Cross-Tenant Side-Channel Attacks in PaaS Clouds," written by researchers Juels, Reiter, and Ristenpart, details three successful attacks against platform-as-a-service (PaaS) implementations. Using a framework of side channels to extract data or keys from the CPU cache shared between co-resident tenants, they successfully exposed weaknesses in shopping carts, pseudo-random number generators (PRNGs), and Security Assertion Markup Language (SAML) handling to compromise PaaS ecosystems.
In the data disruption bucket, we see distributed denial of service (DDoS) as the primary disruptor of business continuity. Malware amplification via the cloud has also resulted in outages. Each of these disruptions is meant to keep businesses offline and in some instances serves as a precursor to the actual compromise.
The makeshift taxonomy presented here is not meant to be exhaustive but merely to highlight active threats materializing in the cloud and the need to plan accordingly given these risks. The following are typical focus areas for keeping pace with threat actors and the threats they pose:
Defenders in the cloud must “do the right thing(s)” and perform due diligence to withstand this next wave of threats.
Not surprisingly, a familiar cast of characters behind these threats is emerging. Foreign governments and malware dealers increasingly adopt the cloud as a medium to accomplish their nefarious ends. The tectonic shift ushered in by cloud computing emboldens threat actors to evolve and amplify their breach efforts. Just as slaves innovated the use of spirituals to thwart threats, cloud adopters need to acquire usable cloud intelligence and adapt strategy to mitigate attacks.
Given this ever-changing attack surface, are we poised to see new geopolitical, socio-political, and multi-national groups emerge as threats? Are new waves of cyber-espionage or hacktivism propagated through cloud ecosystems soon to strike? Will so-called digital caliphates extend their rhetoric of hate to the cloud to carry their outreach to broader audiences? Will audit trails and attribution get harder? The data suggest that dark clouds are gathering, signaling the need for comprehensive preparedness consisting of cloud threat intelligence and threat mitigation initiatives.
Holger Schulze, "Cloud Security Spotlight Report," Crowd Research Partners, http://www.crowdresearchpartners.com/wp-content/uploads/2016/05/Cloud-Security-Report-2016.pdf (accessed July 14 and August 3, 2016)
Cameron Coles, "100,000 Tweets in 1 Day: How one company discovered a security breach using big data analytics," Skyhigh Networks, https://www.skyhighnetworks.com/cloud-security-blog/100000-tweets-in-1-day-how-company-discovered-security-breach-using-big-data-analytics/ (accessed August 30, 2016)
Cameron Coles, "Poll: 9 Top Questions CIOs are Asking about Cloud Threat Detection," Skyhigh Networks, https://www.skyhighnetworks.com/cloud-security-blog/poll-9-top-questions-cios-are-asking-about-cloud-threat-detection/ (accessed August 30, 2016)
Paul Ducklin, "Opera announces data breach: Stored passwords stolen for 1.7M users," Naked Security, https://nakedsecurity.sophos.com/2016/08/30/opera-announces-data-breach-stored-passwords-stolen-for-1-7m-users/ (accessed August 30, 2016)
Brad Harris, "Platform-as-a-Service (PaaS) Cloud Side-Channel Attacks: Part 1," SecurityIntelligence, https://securityintelligence.com/platform-as-a-service-paas-cloud-side-channel-attacks-part-i (accessed August 30, 2016). Also, "Cross-Tenant Side-Channel Attacks in PaaS Clouds," https://www.cs.unc.edu/~reiter/papers/2014/CCS1.pdf (accessed August 30, 2016)
"The Dirty Dozen: 12 cloud security threats," InfoWorld, http://www.infoworld.com/article/3041078/security/the-dirty-dozen-12-cloud-security-threats.html (accessed August 30, 2016)
California legislators this week sent a bill to their governor to have ransomware treated as a form of extortion: http://statescoop.com/california-bill-to-treat-ransomware-as-form-of-extortion-heads-to-governor (accessed August 30, 2016)