Security Risks of Cloud Computing
There are many security concerns when core enterprise data is moved into the cloud. These security concerns include both items that are related to traditional computing as well as security issues specific to cloud computing. Also, there are security issues that affect clients as well as providers. Most individuals think of attacks on the user’s computer when computer security is mentioned. However, it is important to also consider that individuals can hack cloud computing to create a virtual botnet.
1. Denial-of-Service
One type of attack is called a Denial-of-Service (DoS) attack. In this type of attack a hacker directs infected computers at a specific website, overloading the server with requests and causing the server to get bogged down and not function efficiently. With traditional servers, there is a limit to the capabilities of the physical server. However, in a situation where the website is on a cloud and the owner pays by usage, there is seemingly an infinite amount of resources for the server. If a DoS were targeted at a cloud-based server, the owner of that website could be charged an outrageous amount as the cloud provided more and more resources to supply the demand on the server caused by the DoS. In addition to inflated costs to the owner, other users of the cloud may also be affected by the DoS, as shared resources are taken and used for the site dealing with the DoS and not for the unaffected sites. Another possibility is that the cloud could try to pull resources from other nodes or sections of the cloud, which would then significantly increase the number of people affected by the DoS attack.
2. Reputation
One side effect of sharing the hardware among several users is that the reputations of all individuals using the same hardware can be affected by each other. This type of security risk affects multiple parties. While these security risks are significant, the reality is that data centers are more capable of dealing with security than individuals are. The problem is that when a datacenter security flaw is exposed, numerous victims will be affected, even those that exercise secure behaviors.
3. Virtual Environment
On a piece of hardware that hosts multiple virtual machines, resources are shared, and these shared resources can be used as a side channel to pass data from one virtual machine to another. This type of attack is based on the shared resources between virtual machines. An attacker, if successful, can use various methods for intercepting data being sent and received by the various virtual machines.
As mentioned previously, while there are security flaws within the cloud, it is important to remember that there are security risks in all forms of computing. It is arguable that datacenters can provide superior security. For instance, if a security flaw is discovered, research is conducted to prevent or fix the flaw and software is updated. However, typical users are not likely to maintain their system and keep it up-to-date with security updates. Cloud environment datacenters, however, install and implement security updates almost immediately and can place the additional security on all the virtual machines at the same time.
4. Loss of Data Control
Probably the most significant factor deterring companies and individuals from cloud computing and cloud operating systems is that the user loses control over the data. On traditional PCs or servers owned by a company or individual, there is control over how the data is stored, restrictions are put on who can access it, and backup policies are established.
For cloud computing the data is stored on the server and the third-party company is responsible for deciding the details of data storage. Also, there is a level of trust required between the user and the provider. The user must trust the provider enough to store potentially confidential, secret, or sensitive data.
While there is no specific evidence of organizations sharing data illegally with third-party organizations, it is assumed that users will be obligated to grant the provider permission to use analytics or even stored data to solicit advertisers, in order to receive free services. Google’s business model is centered on providing free service to users while using information obtained to benefit advertisers. It is highly likely that organizations and individuals will not want their data mined for information for advertisers. This will require the users to elect for services that include fees but offer higher confidentiality and do not sell data to advertisers.
5. XML Signature
One method for ensuring authenticity of data within the Simple Object Access Protocol (SOAP) is to create XML Signatures. Essentially, an XML signature is attached to fragments of XML to prove to the recipient that the data is authentic and has integrity. However, in an attack known as the “wrapper attack”, an attacker can duplicate a fragment of XML while adding additional code that would lead the computer to perform additional unwanted tasks. As its name implies, the attacker virtually wraps the signature around the malicious code and passes it on as if it were genuine.
XML is essential for cloud computing for sharing information between systems. Wrapper attacks are therefore a potential way to cause malicious problems. Having said this, wrapper attacks are not common and are not very likely because they are not commonly used in business applications.
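A check that defends against the wrapper attack described above, as an added example (not code from the original paper): before acting on a SOAP message, confirm that the Body the application will process is the element the verified signature references and that its Id is unique. The function names, the use of wsu:Id for references and the sample messages are assumptions for illustration; cryptographic verification is assumed to be done beforehand by an XML-DSig library.

```python
import xml.etree.ElementTree as ET  # untrusted XML in production needs a hardened parser

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
ID_ATTR = f"{{{WSU}}}Id"


class BindingError(ValueError):
    """The signed element and the element to be processed are not the same."""


def body_to_process(envelope_xml, verified_uris):
    """Return the soap:Body only if the verified signature covers that exact element.

    verified_uris: Reference URIs (e.g. "#body-1") from the SignedInfo that an
    XML-DSig library has already validated (assumed; no crypto is done here).
    """
    root = ET.fromstring(envelope_xml)
    if root.tag != f"{{{SOAP}}}Envelope":
        raise BindingError("root element is not a SOAP Envelope")

    # The application acts on the Body that is a direct child of the Envelope.
    bodies = root.findall(f"{{{SOAP}}}Body")
    if len(bodies) != 1:
        raise BindingError("expected exactly one soap:Body under the Envelope")
    body = bodies[0]

    # That Body must carry an Id the signature actually references.
    signed_ids = {u[1:] for u in verified_uris if u.startswith("#")}
    body_id = body.get(ID_ATTR)
    if body_id is None or body_id not in signed_ids:
        raise BindingError("processed Body is not covered by the signature")

    # The Id must be unique, or the signature could resolve to a relocated copy.
    holders = [e for e in root.iter() if e.get(ID_ATTR) == body_id]
    if len(holders) != 1:
        raise BindingError(f"Id {body_id!r} appears {len(holders)} times")
    return body


def verdict(envelope_xml, verified_uris):
    """Return 'accept' or 'reject: <reason>' for one message."""
    try:
        body_to_process(envelope_xml, verified_uris)
        return "accept"
    except BindingError as exc:
        return f"reject: {exc}"


# Constructed sample messages (ds:Signature omitted; its verified URI is passed in).
_HEAD = f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">'
GENUINE = (_HEAD + '<soap:Header/>'
           '<soap:Body wsu:Id="body-1"><GetReport account="1001"/></soap:Body>'
           '</soap:Envelope>')
# Signed Body relocated into a header wrapper; an unsigned Body sits in its place.
WRAPPED = (_HEAD + '<soap:Header><Wrapper>'
           '<soap:Body wsu:Id="body-1"><GetReport account="1001"/></soap:Body>'
           '</Wrapper></soap:Header>'
           '<soap:Body wsu:Id="body-2"><GetReport account="9999"/></soap:Body>'
           '</soap:Envelope>')
# Same layout, but the unsigned Body reuses the signed Id.
DUPLICATE_ID = WRAPPED.replace("body-2", "body-1")

if __name__ == "__main__":
    for name, msg in [("genuine", GENUINE), ("wrapped", WRAPPED),
                      ("duplicate id", DUPLICATE_ID)]:
        print(f"{name:13} {verdict(msg, ['#body-1'])}")
```

The signature in the wrapped message still validates, because the signed fragment is unchanged; only the binding check between the signed element and the processed element rejects it.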
6. Browser Security
For Cloud Operating Systems such as Google Chrome OS, the browser is the main source of I/O for the user. There are many issues facing security for browsers within the cloud. The first common line of defense for browsers is for servers to use the Same Origin Policy (SOP), under which the server monitors the original location of the browser when the request was made and only accepts requests that come from the same location. However, this has been proven not to be a sufficient form of security. The main problem with browsers is that they cannot take advantage of XML Signature or encryption, which makes the case for integrating this capability into future browsers.
Without the capability of using XML encryption and signature, the browser is left to use Transport Layer Security (TLS) or “Secure Sockets Layer” (SSL), which refers to two layers: the record layer and the TLS handshake. This serves as the primary form of security for browsers. However, it requires the server to have a digital certificate, and not all pages are secure. The major flaw of TLS is “phishing”, in which users are tricked by a malicious website or individual with the intent of gaining the user’s login information. Once the attacker has access to this data, TLS is of no use in protecting the data. This is the first of many items that are not specific to the security of users’ data.
7. Dependence on Internet
As the use of the cloud becomes more common and applications increase, our dependency on the internet is increasing exponentially. This holds true as more and more users rely on servers for the functionality of their applications and for the storage of data. Especially when users use a Cloud OS such as Google Chrome OS, they are fully dependent on the internet for any form of computing. In the event of a catastrophic virus, terrorist attack, or other event capable of disabling the internet for a large number of, if not all, individuals, production would become severely crippled. For instance, if a company chose to outsource user authentication to services hosted in the cloud, the company could be unable to authorize its users to use its services.
Standardized Cloud Security
After analyzing the material listed above, there are many items that should be focused on to maximize security within the cloud. For this reason, we have developed a list of security items that all individuals using the cloud should be aware of and review before deciding whether to use the cloud. First however, we introduce an idea for standardization of assigning security to items across the cloud.
Standardization of security levels
Cloud computing is comprised of multiple servers and datacenters providing services via the internet and forming a seemingly infinite pool of computing power. Security, as discussed throughout this paper, is a major concern and faces many challenges within cloud computing. It is our suggestion that work be done on standardizing security levels throughout the cloud that all participating organizations follow. Servers would enforce specific security measures depending on the level assigned. This standardization would allow users to designate specific security levels for different information. For instance, an organization storing data for different organizations may place high security on data management principles as below:
Data at Rest
- Where is the data stored physically when it is at rest?
- Who has access to the data while at rest?
- Is the data virtualized or shared on the same physical box? If so, how is the data segregated so customers cannot access someone else’s data?
- Is data encrypted while at rest and is there a formal process for managing encryption?
Data being Transferred (Customer to Cloud, Cloud to Customer, Within the cloud)
· How is the data transferred from the customer to the cloud and vice versa? (Internet, VPN, …)
· How does the data know where to go?
· Who can see the data being transferred?
· Is the data stored anywhere else before it goes into the cloud (Service Provider, Middleware, etc.)?
· Is the data encrypted when it is being transferred? (SSL?)
· Are there any monitoring or other preventative controls in place to ensure data is not being intercepted while in transit?
Data Retention
Is there a Data Retention Policy that defines:
o how long data is to be retained?
o how frequently data is purged?
o how often data is backed up?
o Process for customers requesting data
o Process for legal or third party requesting data
o Shipping Data Internationally
Data Classification
· Is there a Data Classification Scheme to categorize the criticality of data?
· Is there an Identity Access Management for enterprise users, partners and clients?
Data ownership
· Who owns the data in the cloud environment or in a situation where there is a third party involved?
· Is there any contract agreement for ownership of the data when using a cloud service?
System Availability and Monitoring
· How is system performance being monitored to meet our SLA to the customer?
· How is the availability of the application being monitored?
· How is system vulnerability being monitored?
· Is there a process to manage resources and is there any alert mechanism in place?
· Is there a formal escalation policy and procedure in place?
· Is there a formal incident management policy and procedure in place?
Change Management
· Is there a formal Change Management Policy and Procedure in place?
· Are changes reviewed and approved by the appropriate level of management? (Risk and impact analysis)
· Are changes tested and approved before they are implemented into production?
· Is access to the production environment appropriately restricted?
· Is there a rollback plan for changes?
Logical and Physical Security
· How is physical access to the data centers restricted?
· How is logical access to the cloud infrastructure restricted?
· How is administrative access segregated?
· How is physical and logical access granted, modified and revoked?
· Is access to the data center and logical access to the infrastructure periodically reviewed?
· Is there a formal policy and procedure to handle data breaches?
Disaster Recovery and Business Continuity
· Is there a formal Disaster Recovery and Business Continuity Plan in place?
In theory, by allowing different items to be assigned as needing to be secure and others as not needing security, the workload and levels of security could be focused only on items that need security. Furthermore, providers could charge for the security requirements of the data that they are housing.
Allowing users the ability to assign security levels could cause problems in that some may elect to make everything secure. This may cause unnecessary security precautions to be applied to data that would not otherwise have been treated securely. This would waste resources and could prove to be less efficient than the systems and methods currently in place. Also, by labeling items as secure or not, hackers may be able to better focus on information that is intended to be secure. This would greatly reduce the number of packets that hackers would have to inspect for sensitive information because they would have a method for targeting them.
Regulatory Compliance
Organizations are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Cloud Service providers are subjected to external audits and security certifications. Cloud compliance issues arise as soon as you make use of cloud storage or backup services. By moving data from your internal storage to someone else’s you are forced to examine closely how that data will be kept so that you remain compliant with laws and industry regulations.
Organizations considering cloud-based services must understand the associated risks, defining acceptable use cases and necessary compensating controls before allowing them to be used for regulated or sensitive information. Cloud-computing environments have IT risks in common with any externally provided service. There are also some unique attributes that require risk assessment in areas such as data integrity, recovery and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance and auditing.
The key recommendations for assessing the Security Risks of Cloud Computing are:
· The most practical way to evaluate the risks associated with using a service in the cloud is to get a third party to do it.
· Cloud-computing IT risks in areas such as data segregation, data privacy, privileged user access, service provider viability, availability and recovery should be assessed like those of any other externally provided service.
· Location independence and the possibility of service provider "subcontracting" result in IT risks, legal issues and compliance issues that are unique to cloud computing.
· If your business managers are making unauthorized use of external computing services, then they are circumventing corporate security policies and creating unrecognized and unmanaged information-related risks.
· Organizations that have IT risk assessment capabilities and controls for externally sourced services should apply them to the appropriate aspects of cloud computing.
· Legal, regulatory and audit issues associated with location independence and service subcontracting should be assessed before cloud-based services are used.
· Demand transparency. Don't contract for IT services with a vendor that refuses to provide detailed information on its security and continuity management programs.
· Develop a strategy for the controlled and secure use of alternative delivery mechanisms, so that business managers know when they are appropriate to use and have a recognized approval process to follow.
· There are many legal and trade compliance requirements related to cloud services. The key regulations to consider in order to be compliant are:
o Privacy Acts
o EU Data Privacy
o HIPAA
o EULA (End User License Agreement)
o Local or International Laws and Regulations
o Trade Compliance - Trade Compliance regulations with foreign countries (Banned countries)
· PCI Compliance - Understanding of how credit card information is processed and stored as it relates to cloud services
How to Assess
Ask these questions to evaluate the security and continuity risks associated with a cloud offering:
· How qualified are the policymakers, architects, coders and operators to understand and reduce the risks of their offering?
· What risk control processes and technical mechanisms are used?
· What level of testing has been done to verify that the service and control processes are functioning as designed and to identify unanticipated vulnerabilities?
In practice, there are only three ways to answer these questions and provide a risk assessment of a service:
1. Accept whatever assurances the service provider offers.
2. Evaluate the service provider in person.
3. Use a neutral third party to perform a security assessment.
The first method is obviously not the most rigorous or defensible, but it is the one most often used, and often for good reason. Many organizations have no ability in-house to adequately assess the security of a sophisticated offering, so they seek out suppliers that have more security and continuity expertise than they do. Unfortunately, many of today's cloud-computing products only come with the vaguest information about risk controls. Do not accept unsubstantiated claims, such as "we follow best practices," or vague assurances, such as "our employees are not reading your mail." Ask for specific evidence that answers questions on qualifications, controls and testing. Ultimately, you cannot expect any commercial organization to be totally objective about its weaknesses. To be fully transparent, a provider needs to be willing to undergo external reviews.
Those organizations that are most concerned about the risks associated with their suppliers, if they have the resources and expertise, may send a team of their own people to conduct an onsite assessment. This is common when a global bank sets up an offshore service center, but it is rare for a cloud-computing scenario. Organizations with highly regulated data doing multimillion dollar service buys will continue to perform some level of risk assessment on their service providers' sites, but this is an expensive and inefficient process for both partners, and it is virtually never an effective assessment method for cloud computing.
The most practical way to evaluate the risks associated with a cloud-based service is to get a third party to do it. A specialist security firm can often provide a higher level of rigor than any but the most sophisticated of clients. One assessment or certification firm can do a thorough risk analysis, and this single assessment can satisfy the needs of multiple customers, which dramatically reduces the cost. Furthermore, the third-party assessor is less biased than the first party customer and especially less biased than the second-party cloud provider. Neutrality is more reliable, and it is more defensible. Ultimately, certification will become the norm for cloud offerings. Although relatively few of the emerging cloud-based services have typical certifications, many of the more established SaaS offerings have been certified. It remains to be seen whether International Organization for Standardization 27001, SysTrust or perhaps some new, purpose designed certification will prove most useful. Statement on Auditing Standards No. 70 is generally not appropriate for the generic types of services being offered in the cloud, although it is being used as a form of third-party risk assessment for SaaS offerings, especially those that are more relevant to Sarbanes-Oxley regulated data.
CONCLUSION
There are arguably an infinite number of items that an organization should be aware of and consider before choosing cloud computing or cloud operating systems. We attempt to list several of these items and do not in any way suggest that this list is complete. Also, anyone viewing this list should be aware that security, especially for something as dynamic as cloud computing, is constantly evolving and growing, and he or she should seek additional items.
Social Engineering is probably the easiest method for hackers to gain access to confidential material. Always review the authenticity of any form, email, or phone call when an individual is asking you for login information, passwords, or confidential information. If in question, go directly to the website of the organization and log in; never log in through a third-party source. Cloud computing has security flaws but so does traditional computing. There are security flaws in every form of computing. The main determinant is how hard someone is willing to work to take advantage of the security flaws to get your information. Every user should be aware that no form of computing is safe; however, measures can be taken to lower the risk of exposure.
Cloud computing is arguably more secure than traditional computing for most users. In most cloud environments, experts are responsible for maintaining the security of information and data being handled. Most individuals do not have the expertise or are not willing to implement the most up-to-date security features. For this reason, many argue that cloud computing and cloud operating systems are safer than traditional computing.
Be aware that a large portion of security is in the hands of the user/organization. Similarly, an organization should be aware of the level of required confidentiality of the data being used to determine what services should be used. For example, an organization planning to create a blog will not want to keep its posts secure and hidden from the public because the author wants people to read the posts. In contrast, an organization responsible for maintaining a list of social security numbers must be sure that the social security numbers are not available to the public and are protected from malicious attacks. If you are planning to only use cloud computing for social instances and not post anything that should be kept from the public, then you should not fear using cloud computing. However, if the data is sensitive then further evaluation of the security offered by the cloud service should be performed.
Finally, the last item is to use reputable companies within the cloud and do research on companies that you are not familiar with to reduce your chance of falling victim to a phishing scam or false entity.
This paper described numerous security issues facing cloud computing and cloud operating systems. Issues focused on organizations as well as security which may have an indirect effect. Also, several key security issues were discussed that all organizations should be aware of when deciding whether to use the cloud or not.