Cloud Threat Taxonomy
- Information security is a system of technologies, techniques, behaviors, and regulations designed to protect computer systems and data from both intentional attacks and unintentional errors.
- Cloud environments introduce distinct threat surfaces — shared infrastructure, multi-tenancy, hypervisor layers, and reliance on provider-managed controls — that require a cloud-specific threat model alongside general security practices.
Core Security Characteristics
Section titled “Core Security Characteristics”The four fundamental goals that every security measure defends:
| Characteristic | What it guarantees | Cloud context |
|---|---|---|
| Confidentiality | Information is accessible only to authorised parties | Restricts data access both in transit and at rest |
| Integrity | Data has not been altered by an unauthorised party | Guarantees that transmitted data matches received data; also covers safe storage and retrieval |
| Availability | IT resources are accessible during the specified timeframe | Shared responsibility across provider, carrier, and consumer |
| Authenticity | An interaction originated from an authorised, legitimate source | Includes non-repudiation — proof that an interaction is uniquely tied to an authorised source so it cannot be denied |
Non-repudiation means a party cannot deny that an interaction occurred — e.g., accessing a file generates a permanent audit record that cannot be disputed.
Defensive Framework
Section titled “Defensive Framework”| Concept | Role |
|---|---|
| Security Controls | Countermeasures that prevent or respond to threats, reducing or avoiding risk |
| Security Mechanisms | Distinct components that make up the defensive framework protecting resources, information, and services |
| Security Policies | Rules and regulations defining how controls and mechanisms are positioned and enforced |
See also: Defense in Depth for layered control architecture.
Basic Threat Terminology
Section titled “Basic Threat Terminology”See Threat Taxonomy & Malware for the full general taxonomy. Cloud-relevant definitions:
| Term | Definition |
|---|---|
| Risk | Potential for unwanted loss from a specific action or event |
| Vulnerability | A flaw, gap, or weakness in an IT environment, its policies, or processes |
| Zero-Day Vulnerability | A vulnerability the organisation is unaware of or has not yet patched |
| Exploit | Successfully taking advantage of a vulnerability |
| Security Breach | Unauthorized access to systems or information |
| Data Breach | A security breach where confidential information is stolen |
| Data Leak | Sensitive information shared with unauthorised parties without an attack — usually human error or intent |
| Threat | A known, potential attack that poses a danger; the full collection is the threat landscape |
| Attack | The event that occurs when a threat is carried out |
| Attack Vector | The specific path used to exploit a vulnerability (e.g., email attachments, chat, pop-ups) |
| Attack Surface | The complete collection of attack vectors available to an attacker |
An attacker who successfully gains unauthorised access within an organisational boundary is reclassified as an intruder.
See also: Vulnerability Management Lifecycle.
Cloud Threat Agents
Section titled “Cloud Threat Agents”A threat agent is an entity capable of carrying out an attack. Cloud environments have four primary categories:
Anonymous Attacker
Section titled “Anonymous Attacker”- A non-trusted cloud consumer with no permissions in the cloud environment
- Typically an external software program launching attacks over public networks
- Relies on bypassing user accounts or stealing credentials; prefers methods that maintain anonymity
Malicious Service Agent
Section titled “Malicious Service Agent”- An entity able to intercept and forward network traffic within a cloud
- Usually a service agent (or program impersonating one) with compromised or malicious logic
- Operates externally, intercepting and potentially corrupting messages in transit
Trusted Attacker (Malicious Tenant)
Section titled “Trusted Attacker (Malicious Tenant)”- An attacker who legitimately shares IT resources in the same cloud as the consumer
- Operates from within the cloud’s trust boundaries using legitimate credentials
- Targets the provider and co-tenants — credential cracking, encryption bypass, spam, DoS campaigns
Malicious Insider
Section titled “Malicious Insider”- Human threat agents acting on behalf of or in relation to the cloud provider
- Current or former employees, or third parties with physical or system access
- Highest potential for damage — may hold administrative privileges over consumer resources
General attacker categories (apply across all threat agents):
| Type | Motivation |
|---|---|
| Cyber criminals | Profit or illegal activity — steal private information |
| Malicious users | Rogue authorised users abusing trusted privileges |
| Cyber activists | Promote political, religious, or social agendas |
| State-sponsored attackers | Hired or directed by government agencies |
Common Cloud Threats
Section titled “Common Cloud Threats”Network and Interception
Section titled “Network and Interception”Traffic Eavesdropping
- Data transferred to or within a cloud is passively intercepted by a malicious service agent
- Passive attack — primarily targets confidentiality; can go undetected for long periods
Malicious Intermediary
- A malicious service agent intercepts and alters messages in transit
- Compromises both confidentiality and integrity by inserting harmful data before forwarding
Tunneling
- Attackers embed data within authorised protocol packets (HTTP, SSH, DNS, ICMP) to bypass firewall controls
- Packets adhere to firewall rules and pass without triggering alerts — used to place malware or exfiltrate data
See also: Firewall Rules & iptables.
Resource Overload
Section titled “Resource Overload”Denial of Service (DoS)
- Overloads IT resources until they degrade or fail entirely
- Methods: flood with traffic, imitation messages that spike workloads, requests that consume excessive memory/CPU
Distributed Denial of Service (DDoS)
- A DoS attack executed from multiple compromised systems organised in botnets
- Amplifies attack volume beyond what a single source can produce
Access and Authorization
Section titled “Access and Authorization”Insufficient Authorization
- Access is granted erroneously or too broadly, giving attackers a path to protected resources
Weak Authentication
- IT resources protected by weak passwords or shared accounts
- Enables trivial unauthorised access; a variant of insufficient authorization
Brute Force
- Tests broad combinations of usernames and passwords
- Variants: dictionary attacks (using wordlists), credential recycling (reusing credentials from past breaches)
Privilege Escalation
- Compromise a low-privilege account, then exploit a vulnerability to gain administrator access
See also: AAA: Authentication, Authorization & Accounting, Password Managers & Credential Hygiene.
Cloud Infrastructure Threats
Section titled “Cloud Infrastructure Threats”Virtualization Attack
- Cloud providers grant administrative access to virtualised IT resources
- Malicious consumers exploit this to attack the virtualisation platform itself, jeopardising underlying physical hardware
Overlapping Trust Boundaries
- Physical IT resources shared by different cloud consumers create overlapping trust boundaries
- A malicious consumer targets shared resources to compromise other tenants in the same environment
Containerization Attack
- Containers on the same machine share the host OS — a compromised host impacts all containers on it
- Mitigation: deploy containers inside virtual servers to isolate the blast radius to a single VM
Malware and Botnets
Section titled “Malware and Botnets”| Malware type | Behaviour |
|---|---|
| Virus | Spreads by infecting files and replicating itself |
| Trojan | Appears legitimate but runs malicious background processes (e.g., installing backdoors) |
| Ransomware | Restricts data access and demands payment for release |
| Spyware / Adware | Collects information secretly or displays ads that degrade system performance |
| Crypto jacking | Uses browser-based scripts to secretly mine cryptocurrency |
| Worm | Self-replicating program that spreads through network mechanisms without user action |
Botnets — coordinated networks of infected “zombie” hosts that receive remote instructions. Used to execute DDoS attacks, mass email campaigns, and crypto jacking at scale.
See also: Malware Analysis Basics.
Execution and Application
Section titled “Execution and Application”Remote Code Execution (RCE)
- An attacker executes commands on a third-party device remotely
- Achieved via downloaded malware, tunneling, brute force, or social engineering; often preceded by automated vulnerability scanning
SQL Injection
- Malicious SQL code inserted into web application entry fields forces the server to execute it
- Can write malware directly into a server’s database
Human and Coordinated Threats
Section titled “Human and Coordinated Threats”Social Engineering
- Tricks individuals into revealing sensitive information or granting access
- Phishing is the most common electronic form — fraudulent emails coerce users into damaging actions
Insider Threats
| Type | Description |
|---|---|
| Malicious | Intentional harm — e.g., disgruntled employees |
| Accidental | Mistakes from ignorance or human error |
| Negligent | Deliberate unwillingness to follow security policies |
Advanced Persistent Threat (APT)
- A sophisticated, coordinated campaign using multiple attack methods over a long period
- Targets high-value organisations — implants malware, establishes backdoors, persists to continuously harvest data
- Human factors (e.g., phishing success) are often the critical entry point
See also: Social Engineering & Physical Security, Social Engineering Deep Dive.
Cloud-Specific Security Considerations
Section titled “Cloud-Specific Security Considerations”Flawed Implementations
Section titled “Flawed Implementations”- Substandard design, implementation, or configuration of cloud deployments creates exploitable weaknesses
- If provider hardware or software has inherent operational flaws, attackers can compromise confidentiality, integrity, and availability of both provider and consumer resources
Security Policy Disparity
Section titled “Security Policy Disparity”- Moving to a public cloud requires accepting that your security strategy may not align with the provider’s approach
- Cloud consumers typically lack sufficient administrative influence over provider security policies — the provider retains legal ownership of underlying resources
- Further complicated when public clouds involve additional third parties (certificate authorities, security brokers) with their own distinct policies
Contract and SLA Security
Section titled “Contract and SLA Security”- Contracts must clearly define the level of provider indemnity and liability assumed — more provider liability means lower consumer risk
- Asset boundaries must be explicit: in mixed cloud architectures, blame for a breach must be unambiguous
- If a provider’s policies are incompatible with your security requirements, seek a different provider
See also: Security Compliance Frameworks, SLA & Quality Metrics.
Risk Management
Section titled “Risk Management”Risk management is a cyclical process of coordinated activities designed to oversee and control risk in cloud environments:
| Stage | Activity |
|---|---|
| Risk Assessment | Analyse the cloud environment to identify vulnerabilities. Quantify risks by probability and potential impact. Request provider statistics on past successful and unsuccessful attacks. |
| Risk Treatment | Create mitigation plans — eliminate, mitigate, outsource, or absorb risks. The provider may assume responsibility for specific risks as part of the contract. |
| Risk Control | Monitor risks continuously: survey related events, review effectiveness of previous treatments, identify required policy adjustments. Can be shared with or fully delegated to the provider. |
Risk management is not a one-time audit — it is a continuous cycle. Risks evolve as cloud deployments change and new threat agents emerge.
See also: Vulnerability Management Lifecycle, Defense in Depth.