Cloud, what is it?
computing is about gracefully losing control while maintaining accountability
even if the operational responsibility falls upon one or more third parties.”
computing is a set of IT services that are provided to a customer over a
network on a leased basis and with the ability to scale up or down their
service requirements. Usually cloud computing services are delivered by a third
party provider who owns the infrastructure.”
“Cloud computing is a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of configurable computing
resources that can be rapidly provisioned and released with minimal management
effort or service provider interaction.”
What is cloud computing composed of? There are a variety of cloud deployment models, these are:
Service models of the cloud are considered as:
· IaaS Infrastructure as a Service
o Layer 4 through 7 services
· PaaS Platform as a Service
· SaaS Software as a Service
Extensions to the service model include:
· MaaS Metal as a Service
· MWaaS Malware as a Service
· On-demand self-service
· Broad network access
· Resource pooling
· Rapid elasticity
· Measured service
· Operating systems
· Virtual machines
Risk is risk and as such can be calculated for, understood and mitigated against. So what is at risk? Put simply: the data, processes, applications and transactions of the organization. Clearly identifying the risk profile of organizations choosing to move data and information systems to the cloud is very similar to the design and implementation of security policies and procedures for an “out of cloud” information security strategy. It is just that the trust boundaries have changed for the organization and its relationship with the Cloud Service Provider (CSP); there is a re-perimeterisation as the traditional lines of demarcation are redrawn to include cloud as a Service functionality and operations within the organization.
All data separation in the cloud is logical; physical separation of the data is lost when that data is transmitted to, stored within or processed by the cloud. Consequently the organization is in danger of suffering data breaches in addition to being subjected to data loss, and as such should plan for this eventuality by ensuring, at minimum, that all data is encrypted and remains encrypted even when that data is at rest. The organization is aiming to ensure the confidentiality, integrity and availability of its data. Encryption key management is a serious issue, lose your keys – lose your data. There are currently no standards for key management, there are however numerous proprietary key management systems, resulting in considerable confusion in the development of a road map for the strategic improvement of public key management into the future. A viable solution is offered by IBM, it involves the use of homomorphic public key encryption which allows for the processing of encrypted data. The traditional method of processing encrypted data required that the data be decrypted before processing and re-encrypted on completion of the processing cycle. Homomorphic encryption processing does not require that the data be decrypted prior to processing to gain accurate and meaningful results, the data remains encrypted at all times.
Organizations interact with their CSP utilizing interfaces and APIs. The security and robustness of these interfaces and APIs is crucial, if they are insecure in anyway it has an adverse effect on security, confidentiality and data integrity for both the client and provider.
Because of the nature of cloud service provision there exists for the customer of a CSP a share in technology vulnerabilities, organizations and their competitors purchase service provision from CSPs which is a standard product offer that the client organization then tailors to suit its specific business needs. As such, they are vulnerable to the CSPs technological sharing across product offerings.
The threat from within: malicious insiders: it is often quoted that employees are our greatest strength, were as when it comes to security employees are the biggest problem; and this is because of trust. An employee is in a position of trust that a malicious attacker outside the organization would never be in. There are factors that can be prepared to mitigate against the potential damage that an insider attack possess. The organization can implement a system of privileged user access and access control to security critical systems on an audited per case basis. These types of steps help lessen the impact of account or service traffic hijacking.
Denial of service
Cloud abuse can occur when the cloud is utilized maliciously to attack other elements of the cloud infrastructure. Because of the high resiliency of the IaaS and PaaS it is simple to deploy and re-deploy a malicious infrastructure. Within moments the attackers systems can be deployed, targeted and prosecuted, before shutting down and repositioning for another attack. These types of transient attacks are difficult to predict and by their nature are short lived in duration making detection problematic as well.
Insufficient due diligence is problematic when the client forgets that it is their and only their responsibility to ensure that their data, processes, applications and transactions are securely redundant and that they have a fallback position in the advent of a denial of service. In moving to the cloud the client organizations are choosing to delegate responsibility for the security and wellbeing of their data a need exists for the CSP to meet with regulatory compliance. There is a lot of legislation in place to protect the privacy of data held within the cloud. The major CSPs are implementing fourth and fifth generation infrastructure facilities, the security for which both physically and logically is exceeding and setting the standards for cloud facilities management.
Recovery from a problem is remains one of planning. A well planned disaster and recovery plan together with a solid risk assessment will ensure that at least the foreseen issues have been thought through. A solid and secure backup of the organisations data is the cornerstone of any disaster and recovery plan. In the cloud this presents issues of complexity as often different CSPs and their storage mechanisms are incompatible. Should the worst happen and there is a major incident the client will want to ensure that the CSP has sufficient investigative support to enable the cause of the problem to be identified. With this in mind the client has to consider the long-term viability of its chosen CSP, consider seriously are they going to be around in a few years’ time? This is important because of vendor lock in with technologies and service.
Figure 2 Mapping the
Cloud Model to the Security Control & Compliance Model
Mobile data access
Access control and identity management
Co-mingling of customer data, multi-tenancy
Standards and certification
Middleware layer is typically the most vulnerable
Virtualization alters the relationship between operating system and the underlying hardware infrastructure
Cloud single sign on
Authorization to data and applications
Governance and compliance
Legal ramifications of holding data in data centers in other or multiple countries
Attack surface area of cloud should be minimized
Security related to cloud providers
Security related to customers
Why cloud services are considered attractive: reduced costs, scalability and elasticity, commoditization (pay for what is used) and ubiquitous global access
It remains the client’s responsibility to backup and protect data.
Increased attack surface, share vulnerabilities with competitors
Co-resident attacks and side channeling
Security is a balancing act
Privacy and data loss
Data residency, encryption and tokenization
Shifting focus from information technology challenges to ones of business performance improvements
Sandboxing and abstraction
Security is security, so with a strategy and procedures in place there are only the unforeseen problems to be faced. The cloud whilst heralding a new format of computing, one of utilitarian commoditization, does not present anything significantly new to the information technology and systems security arena. It poses challenges that are solely cloud problems most notably governance and privacy.
For the small and medium enterprise with few IT/IS resources the cloud represent a level and state of security that is well beyond the scope and requirement of their organization. However, for the large conglomerate organization with more talent and professional staff dedicated to IT/IS the cloud represents a loss of management accountability and audit controls.
Binning, D. (2009, April 24). Top five cloud
computing security issues. Retrieved 04 14, 2015, from
Cloud Security Alliance. (2009, December). Security Guidance for Critical Areas of Focus in Cloud Computing V2.1. (G. Brunette, & R. Mogull, Eds.) Retrieved 04 12, 2015, from http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
Cloud Security Alliance. (2010, March). Top Threats to Cloud Computing V1.0. (D. Hubbard, & M. Sutton, Eds.) Retrieved 04 12, 2015, from https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
Kuyoro, S. O., Ibikunle, F., & Awodele, O. (2011). International Journal of Computer Networks (IJCN), 3(5), 9. Retrieved 04 04, 2015, from http://www.cscjournals.org/manuscript/Journals/IJCN/volume3/Issue5/IJCN-176.pdf
Mell, P., & Grance, T. (2011, September). The NIST Definition of Cloud Computing. (National Institute of Standards and Technology Special Publication 800-145). (C. S. Division, Ed.) Gaithersburg, MD, USA. Retrieved 04 12, 2015, from http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Rittinghouse , J. W., & Ransome, J. F. (2009). Cloud Security Challenges. In J. W. Rittinghouse, & J. F. Ransome, Cloud Computing: Implementation, Management, and Security. New York, USA: Auerbach Publications. Retrieved 04 14, 2015, from http://www.infosectoday.com/Articles/Cloud_Security_Challenges.htm
Samson, T. (2013, February 25). 9 top threats to cloud computing security. Retrieved 04 14, 2015, from InfoWorld: http://www.infoworld.com/article/2613560/cloud-security/cloud-security-9-top-threats-to-cloud-computing-security.html
Zissis, D., & Lekkas, D. (2012, March). Addressing cloud computing security issues. Future Generation Computer Systems, 28(3), 9. doi:doi:10.1016/j.future.2010.12.006