“The Cloud” is a hot topic among all users of technology. It provides many advantages to IT management and end users, but also presents its own unique challenges relating to security.
Cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.
Overview - Security issues associated with the cloud
- security issues faced by cloud providers (organizations providing software-, platform-, or infrastructure-as-a-service via the cloud); and,
- security issues faced by their customers (companies or organizations who host applications or store data on the cloud).
However, the responsibility for cloud security is shared. The cloud provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected, while the user must take measures to fortify their application and use strong passwords and authentication measures.
When an organization elects to store data or host applications on the public cloud, it loses its ability to have physical access to the servers hosting its information. As a result, potentially sensitive data is at risk from insider attacks. According to a recent Cloud Security Alliance report, insider attacks are the sixth biggest threat in cloud computing. Therefore, cloud service providers must ensure that thorough background checks are conducted for employees who have physical access to the servers in the data center. Additionally, data centers must be frequently monitored for suspicious activity.
To conserve resources, cut costs, and maintain efficiency, cloud service providers often store more than one customer's data on the same server. As a result, there is a chance that one user's private data can be viewed by other users (possibly even competitors). To handle such sensitive situations, cloud service providers should ensure proper data isolation and logical storage segregation.
The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service. Virtualization alters the relationship between a device’s operating system and underlying hardware – be it computing, storage or even networking. This additional layer – virtualization – must be properly configured, managed and secured.
Cloud Security Controls
Cloud security architecture is effective only if the correct defensive measures are implemented. An efficient cloud security architecture should recognize the issues that will arise with security management. The security management addresses these issues with security controls. These controls safeguard any weaknesses in the system and reduce the effect of an attack. While there are many types of controls behind a cloud security architecture, they can usually be found in one of the following categories:
These controls are intended to reduce attacks on a cloud system. Much like a warning sign on a fence or a property, deterrent controls typically reduce the threat level by informing potential attackers that there will be adverse consequences for them if they proceed.
Preventive controls strengthen the system against incidents, generally by reducing if not actually eliminating vulnerabilities. Strong authentication of cloud users, for instance, makes it less likely that unauthorized users can access cloud systems, and more likely that cloud users are positively identified.
Detective controls detect and react appropriately to any incidents that occur. In the event of an attack, a detective control will signal the preventative or corrective controls to address the issue. System and network security monitoring, including intrusion detection and prevention arrangements, are typically employed to detect attacks on cloud systems and the supporting communications infrastructure.
Corrective controls reduce the consequences of an incident, normally by limiting the damage. They come into effect during or after an incident. Restoring system backups to rebuild a compromised system is an example of a corrective control.
Cloud Security Measures
It is generally recommended that information security controls be selected and implemented according and in proportion to the risks, typically by assessing the threats, vulnerabilities and impacts. Cloud security concerns can be grouped in various ways; for our purposes, we will group them as follows:
Security and privacy
Every enterprise has its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer’s identity management system into their own infrastructure or provide an identity management system of their own.
Cloud service providers physically secure the IT hardware (servers, routers, cables etc.) against unauthorized access, interference, theft, fires, floods etc. and ensure that essential supplies (such as electricity) are sufficiently robust to minimize the possibility of disruption.
Various information security concerns relating to the IT and other professionals associated with cloud services are typically handled through pre-, para- and post-employment activities such as security screening potential recruits and security awareness and training programs.
Providers ensure that all critical data (credit card numbers, for example) are masked or encrypted and that only authorized users have access to data in its entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud.
Several security threats are associated with cloud data services: not only traditional security threats, such as network eavesdropping, illegal invasion, and denial of service attacks, but also specific cloud computing threats, such as side-channel attacks, virtualization vulnerabilities, and abuse of cloud services. The following security requirements limit the threats.
Data confidentiality provides that data contents are not made available or disclosed to unauthorized users. Outsourced data is stored in a cloud and out of the owners' direct control. Only authorized users can access the sensitive data while others, including cloud service providers (CSPs), should not gain access to the data. Meanwhile, data owners expect to fully utilize cloud data services, e.g., data search, data computation, and data sharing, without leakage of the data contents to CSPs or other adversaries.
Access controllability means that a data owner can perform the selective restriction of access to her or his data outsourced to the cloud. Legal users can be authorized by the owner to access the data, while others cannot access it without permissions. Further, it is desirable to enforce fine-grained access control to the outsourced data, i.e., different users should be granted different access privileges to different pieces of data. The access authorization must be controlled only by the owner in cloud environments.
Data integrity demands maintaining and assuring the accuracy and completeness of data. The data owner always expects that her or his data in a cloud will be stored correctly and trustworthily. It means that the data should not be illegally tampered, improperly modified, deliberately deleted, or maliciously fabricated. If any undesirable operations corrupt or delete the data, the owner should be able to detect the corruption or loss. Further, when a portion of the outsourced data is corrupted or lost, it can still be retrieved by the data users.
Encryption is the conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor. In an encryption scheme, the intended information or message, referred to as plaintext, is encrypted using an encryption algorithm – a cipher – generating ciphertext that can be read only if decrypted. It is in principle possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills are required. An authorized recipient can easily decrypt the message with the key provided by the originator.
Numerous laws and regulations pertain to the storage and use of data. In the US these include privacy or data protection laws, Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, the Federal Information Security Management Act of 2002 (FISMA), and Children's Online Privacy Protection Act of 1998, among others.
Similar laws may apply in different legal jurisdictions and may differ quite markedly from those enforced in the US. Cloud service users may often need to be aware of the legal and regulatory differences between the jurisdictions. For example, data stored by a cloud service provider may be in, say, Singapore and mirrored in the US.
Many of these regulations mandate specific controls (such as strong access controls and audit trails) and require regular reporting. Cloud customers must ensure that their cloud providers adequately fulfill such requirements as appropriate, enabling them to comply with their obligations since, to a large extent, they remain accountable.
Business continuity and data recovery
Every enterprise should have a business continuity and data recovery plan. Cloud computing plays an integral part in such a plan. All data, including emails, and applications, while residing in the cloud, are also backed up by the cloud provider on a regular (at least daily) basis.
Cloud providers have their own business continuity and data recovery plans in place to ensure that their service can be maintained in case of a disaster or an emergency and that any data loss will be recovered. These plans may be shared with and reviewed by their customers, ideally dovetailing with the customers' own continuity arrangements. Joint continuity exercises may be appropriate, simulating a major Internet or electricity supply failure for instance.
Log and audit trail
In addition to producing logs and audit trails, cloud providers work with their customers to ensure that these logs and audit trails are properly secured, maintained for as long as the customer requires, and are accessible for the purposes of forensic investigation.
Unique compliance requirements
In addition to the requirements to which customers are subject, the data centers used by cloud providers may also be subject to compliance requirements. Using a CSP can lead to additional security concerns around data jurisdiction since customer or tenant data may not remain on the same system, or in the same data center or even within the same provider's cloud.
The European Union’s GDPR has introduced new compliance requirements for customer data (read more about GDPR here). The basic intent of GDPR is to provide consumers with control over their own data which they provide to online businesses.
While you may have never heard of GDPR, you have already been impacted by it. Your email inbox (and in some cases your snail mailbox) has been recently flooded by banks, investment advisors, credit card companies and online merchants, among others, with updated Privacy Policies. This is a direct result of the partial adoption of GDPR by domestic businesses who may also have customers residing in the EU due to the global presence of the Internet. It is highly likely that the United States will adopt a similar regulation in the next term of Congress.
As you can see, Cloud Security requires layers of protection and a proactive approach to constantly enhancing to maintain data security and integrity. To discuss potential exposures to your business schedule a confidential Cyber Security Consultation and Assessment with your SeedSpark team today
(Excerpted from various Wikipedia posts.)