What are the security issues which one should discuss with a cloud-computing vendor?

 WIDELY SEEN SECURITY ISSUES

1. Data breaches: A data breach might be the primary goal of a targeted attack, or it might be the consequence of a human mistake, application flaws, or inadequate security policies. It might include any material that was not meant for public distribution, such as personal health information, financial information, personally-identifying information, trade secrets, and intellectual property. The cloud-based data of a business may be valuable to many parties for a variety of reasons. The danger of data breaches is not unique to cloud computing, but it remains a top issue for cloud consumers.

2. Insufficient identity, credential, and access management: Bad actors impersonating genuine users, operators, or developers can access, edit, and delete data; issue control plane and management functions; eavesdrop on data in transit, or distribute harmful software that looks to come from a genuine source. As a result, inadequate identity, credentials, or key management can allow for illegal data access and possibly catastrophic damage to companies or end-users.

3. Insecure interfaces and application programming interfaces (APIs): Customers employ a collection of software user interfaces (UIs), or APIs exposed by cloud providers to control and interact with cloud services. These interfaces are used for provisioning, management, and monitoring, and the security and availability of generic cloud services are all dependent on the security of APIs. They must be built to guard against both inadvertent and deliberate attempts to evade rules.

4. System vulnerabilities: System vulnerabilities are exploitable faults in programs that allow attackers to penetrate a system to steal data, take control of the system, or disrupt service operations. Vulnerabilities in the operating system's components jeopardize the security of all services and data. With the introduction of cloud multi-tenancy, systems from diverse companies are put nearby to one another and given access to shared memory and resources, resulting in the creation of a new attack surface.

5. Account hijacking: Account or service hijacking is not a new issue, but cloud services bring a new wrinkle to the mix. If an attacker gains access to a user's credentials, they can listen in on activities and transactions, modify data, return false information, and divert clients to malicious websites. Account or service instances might serve as a new base of operations for attackers. With stolen credentials, attackers may frequently get access to vital parts of cloud computing services, jeopardizing the confidentiality, integrity, and availability of such services. Malicious insiders: A malicious insider, such as a system administrator, can get access to potentially sensitive information and subsequently get access to more essential systems and data. Systems that rely primarily on cloud service providers for security is more vulnerable.

7. Advanced Persistent Threats (APTs): APTs are a parasitical type of cyber-attack that infiltrates networks to get a foothold in target firms' IT infrastructure, from which they steal data. APTs operate invisibly over long periods, frequently adapting to the security mechanisms designed to counter them. Once installed, APTS can move laterally via data center networks and blend in with normal network traffic to accomplish their goals.

8.  Data loss: Data saved in the cloud might be lost for causes other than hostile attacks. An inadvertent deletion by the cloud service provider, or a physical disaster such as a fire or earthquake, might result in the permanent loss of client data unless the provider or cloud consumer takes proper backup mechanisms, according to best practices in business continuity and disaster recovery.

9. Insufficient due diligence: Cloud technology and service providers must be considered by executives when developing corporate plans. Creating a clear plan and checklist for due diligence when assessing technologies and suppliers is critical for success. Organizations that rush to embrace cloud technology and select providers without conducting enough due diligence expose themselves to a range of hazards. 

10. Abuse and nefarious use of cloud services: Cloud computing models are vulnerable to harmful attacks due to poorly protected cloud service installations, free cloud service trials, and fraudulent account sign-ups via payment instrument fraud. Bad actors may utilize cloud computing resources to target consumers, companies, or other cloud providers. Launching distributed denial-of-service assaults, email spam, and phishing campaigns are all examples of how cloud-based services are being abused.

11. Denial of service (DoS): DoS attacks are intended to prohibit service users from accessing their data or apps. Attackers can induce a system slowdown and prevent all legitimate service users from accessing services by causing the targeted cloud service to use excessive quantities of finite system resources such as CPU power, memory, disk space, or network bandwidth.

12 Shared technology vulnerabilities: Cloud service providers provide scalable services by sharing infrastructure, platforms, or applications. Cloud computing splits the "as-a-service" offering without significantly altering off-the-shelf hardware/software-sometimes at the price of the security. The underlying infrastructure components that facilitate cloud services deployment may not have been designed to provide strong isolation features for multi-tenant architecture or multi-customer applications. This might result in shared technical vulnerabilities that can be exploited across all delivery modes.