Cloud Security Threats
There are significant security concerns that need to be addressed when considering moving critical applications and sensitive data to public and shared cloud environments. There is a significant difference between cloud security and security in more traditional IT environments because of the infrastructure sharing, and the new technologies come up with the cloud, all this force the cloud provider to develop a greater level of security than the traditional level.
There are many questions come up when talking about the cloud computing security, questions like Who is accessing the customer’s data in the cloud? How the cloud providers manage the identities in the cloud? Who is managing the customer’s data? And what type of controls the providers applied? Are the cloud providers abiding the regulatory and compliance requirements? How the providers secure the resident/transit data?
What are the incident handling procedures the cloud providers follow? How the providers sanitize the data? All the giants (Microsoft, Citrix, VMware, Rackspace, Sun, IBM, Google, Salesforce.com) in the world now developing cloud computing solutions, or products, or at least use and contribute. Also many labs, institutions and universities published many papers and contribute in the cloud computing security paradigm.
Cloud Security Alliance (CSA) published many papers “Security Guidance in Critical Areas of Focus in Cloud Computing” and “Top Threats to cloud computing”. Gartner labs made many interviews with CSO’s of the big companies about cloud computing security and tens of articles on their website discuss the same topic too. The European Network and Information Security Agency (ENISA), and National Institute of Standards and Technology (NIST) described also the threats of cloud computing from their prospective. These are the major points they mentioned and had been defined as the top threats of cloud computing.
• Abuse and nefarious use of cloud services: Cybercriminals actively target cloud services providers, partially because of this relatively weak registration system that helps obscure identities, and because many providers have limited fraud-detection capabilities.
• Multitenancy and shared technology issues: attackers can gain unauthorized access and control of your underlying platform with software-only isolation mechanisms, that compromise of all the shared physical resources of the server that it controls, including memory and data as well as other virtual machines (VMs) on that server.
• Data loss or leakage: the data (customer, employee, or financial data) can be compromised by many ways, maliciously deleted, altered. And the impact of losing it will be big on the company reputation and on the customer.
• Account or service hijacking: With stolen credentials, hackers can access critical areas of your cloud and potentially eavesdrop on transactions, manipulate or falsify data, and redirect your clients to illegitimate sites.
• Unknown risk: Without clearly understanding the service provider’s security practices, your company may be open to hidden vulnerabilities and risks.
• Malicious Insiders: for example, an administrator of the cloud that goes rogue and as root access to the servers that compose the cloud or someone can steal confidential data of the cloud user, so the user is mostly left with trusting the cloud provider.
About CSA “Cloud Security Alliance is an organization with mission to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing to help secure any other form of computing”.
• Loss of Governance: the client necessarily cedes control to the Cloud Provider (CP) on a number of issues which may affect security and SLAs may not offer a commitment to provide security services on the part of the cloud provider, thus leaving a gap in security defenses.
• Lock-in: the lake of standard data formats or services interfaces that could guarantee data, application and service portability may be prevent the customer from taking it to another cloud provider or even take it back to his premises.
• Isolation Failure: Attacks occurred according to the multi-tenant environment in the cloud such as guest-hopping attacks, but such attacks on resource isolation mechanisms (e.g.,. against hypervisors) are still less numerous and much more difficult for an attacker to put in practice compared to attacks on traditional OSs.
• Compliance Risks: some providers can’t meet the industry standards, or Some certain compliance cannot be achieved specifically that there is no specific certificates should be achieved by the provider.
• Data Protection: cloud computing poses several data protection risks, the data should be protected in many layers and the provider can’t account on the encryption only or on the access controls only because the cloud brings new risks come with it’s new features like the multi-tenant.
• Incomplete Data Deletion: the data deletion may not result in true wiping of the data, because it may be extra copies of data are stored but are not available, or because the disk to be destroyed also stores data from other clients, and this risks are also the result of cloud features (multi-tenant, and reuse of the hardware).
• Malicious Insider: the risk of a malicious insider still be great in the cloud area, may be greater than the usual environment because the insider in this case not only have access to his company data but may other customers data may be destroy the provider reputation.
About ENISA “The European Network and Information Security Agency (ENISA) is a centre of excellence for the European Member States and European institutions in network and information security, the editors and researchers in ENISA publications are a group selected for their expertise in the subject area, including industry, academic and government experts.”.
Since 2009 Gartner define some security issues that facing the cloud technology and advises the customers to ask and discuss it with the provider:
• Privileged user access: the customer should know how the provider manages the identities and authorizations; how the provider guarantees that the people who manage and control the customer data infrastructure are trusted.
• Regulatory compliance: the cloud providers are subjected to external audits and security certifications although that there is no cloud-specific standard security certificate but the traditional compliances can apply somehow in the cloud area with some additional points.
• Data location: When you use the cloud, you probably won’t know exactly where your data is hosted. The customer should ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirement
• Data segregation: a mechanism to separate data should be deployed by the provider, the encryption may be one of the methods to secure the data and segregate it but the cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. And don’t account on encryption only.
• Recovery: every provider should have a disaster recovery protocol to protect user data, that plan should include duplicating the data and the application infrastructure across multiple sites, and the restoration procedures and time.
• Investigative support: customer should have many legal ways pursue an investigation although such support will not be easy because of the spread of the logging data and the customers in many sites and datacenters.
• Long-term viability: the provider should guarantee that the customer data will be available even if anything happened to the company itself which mean that it should have some kind of extraction plan of the data.
About Gartner “Gartner is the world’s leading information technology research and advisory company, it research, analyze and interpret the business of IT within the context of their individual role, they deliver the technology-related insight necessary for our clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises”
• Identity & Access Management: cloud providers support the SAML standard and use it to administer users and authenticate them before providing access to applications and data. SAML mapped over the digitally signed Simple Object Access Protocol (SOAP), which relies on the eXtensible Markup Language (XML) for its format. But it is not enough to maintain control over access to resources so as part of identity management, providers may use standards like the eXtensible Access Control Markup Language (XACML) to control access to cloud resources, instead of using a proprietary interface.
• Availability: availability can be affected temporarily or permanently, and a loss can be partial or complete. Denial of service attacks, equipment outages, and natural disasters are all threats to availability. The concern is that most downtime is unplanned and can impact the mission of the organization.
• Incident Response: involves an organized method for dealing with the consequences of an attack against the security of a computer system, The cloud provider’s role is vital in performing incident response activities, including incident verification, attack analysis, containment, data collection and preservation, problem remediation, and service restoration.
• Data Protection: Data stored in the cloud typically resides in a shared environment collocated with data from other customers. And must be secured while at rest, in transit, and in use, and access to it must be controlled. Standards for communications protocols and public key certificates allow data transfers to be protected using cryptography. Data sanitization is also an issue in the cloud paradigm applies to backup copies, removed storage device, and how the provider maintain the confidentiality of data when it dispose the devices
• Handling Compliance: various types of security and privacy laws and regulations exist within different countries at the national, state, making compliance a potentially complicated issue for cloud computing. the governing legal, privacy, and regulatory regimes can be ambiguous and raise a variety of concerns.
About NIST “National Institute of Standards and Technology is a physical science laboratory, its measurements support the smallest of technologies— nano-scale devices so tiny that tens of thousands can fit on the end of a single human hair—to the largest and most complex of human-made creations, from earthquake-resistant skyscrapers to wide-body jetliners to global communication networks”.
About The Author
Bahaa El-Din Ahmed, Senior Security Engineer, Egyptian Cloud Computing Center