Threats and Security Risks
Cloud Risks
Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome exists (or existed). Potential losses themselves may also be called "risks". Almost any human endeavor carries some risk, but some are much more risky than others.
There are a number of security issues/concerns associated with cloud computing but these issues fall into two broad categories: Security issues faced by cloud providers (organizations providing software-, platform-, or infrastructure-as-a-service via the cloud) and security issues faced by their customers. In most cases, the provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected while the customer must ensure that the provider has taken the proper security measures to protect their information.
The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service. Virtualization alters the relationship between the OS and underlying hardware - be it computing, storage or even networking. This introduces an additional layer - virtualization - that itself must be properly configured, managed and secured. Specific concerns include the potential to compromise the virtualization software, or "hypervisor". While these concerns are largely theoretical, they do exist.
Cloud Security Controls
Cloud security architecture is only effective if the correct defensive implementations are in place. An efficient cloud security architecture should recognize the issues that will arise with security management. The security management addresses these issues with security controls. These controls are put in place to safeguard any weaknesses in the system and reduce the effect of an attack. While there are many types of controls behind a cloud security architecture, they can usually be found in one of the following categories:
Deterrent Controls
These controls are set in place to prevent any purposeful attack on a cloud system. Much like a warning sign on a fence or a property, these controls do not reduce the actual vulnerability of a system.
Preventative Controls
These controls upgrade the strength of the system by managing the vulnerabilities. The preventative control will safeguard vulnerabilities of the system. If an attack were to occur, the preventative controls are in place to cover the attack and reduce the damage and violation to the system's security.
Corrective Controls
Corrective controls are used to reduce the effect of an attack. Unlike the preventative controls, the corrective controls take action as an attack is occurring.
Detective Controls
Detective controls are used to detect any attacks that may be occurring to the system. In the event of an attack, the detective control will signal the preventative or corrective controls to address the issue
Dimensions of cloud security
Correct security controls should be implemented according to asset, threat, and vulnerability risk assessment matrices. While cloud security concerns can be grouped into any number of dimensions (Gartner names seven while the Cloud Security Alliance identifies fourteen areas of concern) these dimensions have been aggregated into three general areas: Security and Privacy, Compliance, and Legal or Contractual Issues.
Security and privacy -
- Identity management - Every enterprise will have its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer’s identity management system into their own infrastructure, using federation or SSO technology, or provide an identity management solution of their own.
- Physical and personnel security - Providers ensure that physical machines are adequately secure and that access to these machines as well as all relevant customer data is not only restricted but that access is documented.
- Availability - Cloud providers assure customers that they will have regular and predictable access to their data and applications.
- Application security - Cloud providers ensure that applications available as a service via the cloud are secure by implementing testing and acceptance procedures for outsourced or packaged application code. It also requires application security measures be in place in the production environment.
- Privacy - Finally, providers ensure that all critical data (credit card numbers, for example) are masked and that only authorized users have access to data in its entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud.
- Legal issues - In addition, providers and customers must consider legal issues, such as Contracts and E-Discovery, and the related laws, which may vary by country
Top security risks
Private and public clouds function in the same way: Applications are hosted on a server and accessed over the Internet. Whether you’re using a Software as a Service (SaaS) version of customer relationship management (CRM) software, creating offsite backups of your company data, or setting up a social media marketing page, you’re trusting a third-party company with information about your business and, most likely, your customers.
Although cloud computing can offer small businesses significant cost-saving benefits—namely, pay-as-you-go access to sophisticated software and powerful hardware—the service does come with certain security risks. When evaluating potential providers of cloud-based services, you should keep these top five security concerns in mind.
1. Secure data transfer. All of the traffic travelling between your network and whatever service you’re accessing in the cloud must traverse the Internet. Make sure your data is always travelling on a secure channel; only connect your browser to the provider via a URL that begins with ”https.” Also, your data should always be encrypted and authenticated using industry standard protocols, such as IPsec (Internet Protocol Security), that have been developed specifically for protecting Internet traffic.
2. Secure software interfaces. The Cloud Security Alliance (CSA) recommends that you be aware of the software interfaces, or APIs, that are used to interact with cloud services. ”Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability, and accountability,” says the group in its Top Threats to Cloud Computing document. CSA recommends learning how any cloud provider you’re considering integrates security throughout its service, from authentication and access control techniques to activity monitoring policies.
3. Secure stored data. Your data should be securely encrypted when it’s on the provider’s servers and while it’s in use by the cloud service. In Q&A: Demystifying Cloud Security, Forrester warns that few cloud providers assure protection for data being used within the application or for disposing of your data. Ask potential cloud providers how they secure your data not only when it’s in transit but also when it’s on their servers and accessed by the cloud-based applications. Find out, too, if the providers securely dispose of your data, for example, by deleting the encryption key.
4. User access control. Data stored on a cloud provider’s server can potentially be accessed by an employee of that company, and you have none of the usual personnel controls over those people. First, consider carefully the sensitivity of the data you’re allowing out into the cloud. Second, follow research firm Gartner’s suggestion to ask providers for specifics about the people who manage your data and the level of access they have to it.
5. Data separation. Every cloud-based service shares resources, namely space on the provider’s servers and other parts of the provider’s infrastructure. Hypervisor software is used to create virtual containers on the provider’s hardware for each of its customers. But CSA notes that ”attacks have surfaced in recent years that target the shared technology inside Cloud Computing environments.” So, investigate the compartmentalization techniques, such as data encryption, the provider uses to prevent access into your virtual container by other customers.
Cloud Threats
A threat is an act of coercion wherein an act is proposed to elicit a negative response. It is a communicated intent to inflict harm or loss on another person. It can be a crime in many jurisdictions.
Cloud computing is set of resources and services offered through the Internet. Cloud services are delivered from data centers located throughout the world. Cloud computing facilitates its consumers by providing virtual resources via internet. General example of cloud services is Google apps, provided by Google and Microsoft SharePoint. The rapid growth in field of “cloud computing” also increases severe security concerns. Security has remained a constant issue for Open Systems and internet, when we are talking about security cloud really suffers. Lack of security is the only hurdle in wide adoption of cloud computing. Cloud computing is surrounded by many security issues like securing data, and examining the utilization of cloud by the cloud computing vendors. The wide acceptance www has raised security risks along with the uncountable benefits, so is the case with cloud computing. The boom in cloud computing has brought lots of security challenges for the consumers and service providers. How the end users of cloud computing know that their information is not having any availability and security issues? Every one poses, Is their information secure?
Cloud Computing represents one of the most significant shifts in information technology many of us are likely to see in our lifetimes. Reaching the point where computing functions as a utility has great potential, promising innovations we cannot yet imagine.
Customers are both excited and nervous at the prospects of Cloud Computing. They are excited by the opportunities to reduce capital costs. They are excited for a chance to divest themselves of infrastructure management, and focus on core competencies. Most of all, they are excited by the agility offered by the on-demand provisioning of computing and the ability to align information technology with business strategies and needs more readily. However, customers are also very concerned about the risks of Cloud Computing if not properly secured, and the loss of direct control over systems for which they are nonetheless accountable.
The great breadth of recommendations provided by CSA guidance creates an implied responsibility for the reader. Not all recommendations are applicable to all uses of Cloud Computing. Some cloud services host customer information of very low sensitivity, while others represent mission critical business functions. Some cloud applications contain regulated personal information, while others instead provide cloud-based protection against external threats. It is incumbent upon the cloud customer to understand the organizational value of the system they seek to move into the cloud. Ultimately, CSA guidance must be applied within the context of the business mission, risks, rewards, and cloud threat environment — using sound risk management practices.
The following are some of the common threats to cloud computing.
1. Security
Businesses with data offloaded to the cloud are exposed to possible security breaches like hacking. This happens if the cloud service providers fail to address the security issues in the service they provide. People working for the cloud service provider are exposed to confidential information of an enterprise.
2. Outages
Although the cloud service providers claim services without disruptions, they are not completely free from outages. Service disruptions in cloud computing can be devastating for businesses. Operations of a business could entirely be halted if the cloud fails to provide the service to the employees. Businesses could lose possible customers of their online business due to outages. Outages in cloud computing can be predicted. Businesses must ensure that the service provider has the necessary mechanisms in place to avert service disruptions.
3. Malicious Insiders
Employees working for the cloud service providers can have varying access to the enterprise information stored in the cloud. So a malicious insider could gain access to confidential information about a business and could harm it. Cloud service providers should be transparent about the process of hiring people, granting access and monitoring them.
4. Abuse
Cloud based servers can be used to launch attacks and spread malicious software programs. Cloud service providers must take steps to strictly maintain the registration procedures for its customers. This can be vital in tracking and averting possible attacks.
5. Servers
Data from multiple clients can reside in the same physical server in the cloud computing environment. So a person gaining access to one client can gain access to all other clients as well.
6. Confusion with Terminology
Although there are lots of people talking about cloud computing, there are still many people who are finding it hard to understand what it really means. So businesses should not just adopt cloud computing without understanding it. It is important that they take out the time to understand the concepts before making any move towards cloud computing.
Other threats are :
- Abuse and Nefarious Use of Cloud Computing
- Insecure Application Programming Interfaces
- Malicious Insiders
- Shared Technology Vulnerabilities
- Data Loss/Leakage
- Account, Service & Traffic Hijacking