Security in Cloud
One of the most discussed topics in information technology is cloud computing
and its security. If your systems and data are not properly secured, the
systems can be broken into and your data can be compromised by attackers.
Usually discussions focus on the standard security pros, cons and requirements
to stay safe. Security is one of the most important characteristics of any IT
infrastructure, and it must be implemented far more rigorously in a cloud
infrastructure.
Cloud computing is an on-demand service model for IT provision based on
virtualization and distributed computing technologies. The abstraction of
computing, network and storage infrastructure is the foundation of cloud
computing. Cloud computing offers businesses a number of compelling benefits,
such as improved scalability and flexibility, on-demand provisioning, and lower
cost.
Organizations no longer have to install expensive dedicated appliances behind
corporate firewalls to deliver mission-critical applications, and the cloud
makes it possible for knowledge workers to remain productive no matter where
they are or what device they’re using. Despite the practical benefits, cloud
computing should not be adopted without a thorough understanding of cloud
security concerns. In cloud computing, an organization trusts valuable data to
a cluster of virtual machines harnessed to perform a task, each component of
which presents a point of entry into the system. These virtual machines are
overseen by a hypervisor, which thus becomes a point of vulnerability. These risks
can be mitigated, and a good understanding of cloud computing should include a
discussion of the risks and how to mitigate them.
Categories of internal network attacks that customers should be concerned with:
• Confidentiality breaches (disclosure of confidential data)
• Integrity breaches (unauthorized modification of data)
• Availability breaches (denial of service, either intentional or unintentional)
Cloud Deployment Models
Cloud services can be implemented in four deployment models:
• Public Cloud: The cloud infrastructure
is made available to the general public or large industry group and is owned by
an organization selling cloud services.
• Private Cloud: The cloud infrastructure
is operated entirely for a single organization. It may be managed by the
organization or a third party, and may exist on-premises or off-premises.
• Community Cloud: The cloud
infrastructure is shared by several organizations and supports a specific
community. It may be managed by the organizations or a third party, and may
exist on-premises or off-premises.
• Hybrid Cloud: The cloud infrastructure
is a composition of two or more clouds (private, community or public) that are
bound together by standardized or proprietary technology that enables
portability of data and application.
Cloud Computing Categories
Cloud computing services can be offered in three basic ways: Software as a Service,
Platform as a Service, and Infrastructure as a Service.
• Infrastructure as a Service (IaaS):
provides virtual machines and other abstracted hardware and operating systems
which may be controlled through a service Application Programming Interface (API).
It incorporates the capability to abstract resources as well as deliver
physical and logical connectivity to those resources. IaaS provides fewer
integrated security capabilities and less functionality beyond protecting the
infrastructure itself. The onus for securing and reporting on the
infrastructure falls on the provider, but responsibility for the software
stack from the operating system to the application lies with the
customer. Examples include Amazon EC2 and S3,
Terremark Enterprise Cloud, Windows Live SkyDrive and Rackspace Cloud.
• Platform as a Service (PaaS): allows
customers to develop new applications using APIs, implemented and operated remotely.
The platforms offered include development tools, configuration management and
deployment platforms. PaaS is positioned over IaaS and adds an additional layer
of integration with application development frameworks and functions such as database,
messaging, and queuing. This tradeoff extends to security features and
capabilities, where the built-in capabilities are less complete, but there is
more flexibility to layer on additional security. The provider is responsible
for securing the infrastructure and platform, and responsibility for the
application lies with the customer. Examples are Microsoft Azure, Force and
Google App Engine.
• Software as a Service (SaaS):
software offered by a third-party provider, available on demand, usually through
a Web browser, operating in a remote manner. Examples include online word
processing and spreadsheet tools, CRM services and Web content delivery
services. SaaS in turn is built upon the underlying IaaS and PaaS stacks and
provides a self-contained operating environment used to deliver the entire user
experience including the content, its presentation, the applications and
management capabilities. SaaS provides the most integrated functionality built
directly into the offering, with the least consumer extensibility, and a
relatively high level of integrated security, since at least the provider
bears a responsibility for security. The provider has responsibility for
most aspects of security.
Cloud computing architectures offer their users numerous advantages, which can
be briefly summarized as:
• Reduced cost, since services are
provided on demand with a pay-as-you-use billing system;
• Highly abstracted resources;
• Instant scalability and flexibility;
• Instantaneous provisioning;
• Shared resources, such as hardware,
• Programmatic management through API of
• Increased mobility – information is accessed
from any location.
Cloud Security Assessment
• Ensure effective governance, risk and compliance processes exist
• Audit and ensure proper reporting of operational and business processes
• Manage people, roles and identities
• Ensure proper protection of data and
• Enforce privacy policies
• Assess the security provisions for cloud
• Ensure cloud networks and connections
• Evaluate security controls on the physical infrastructure and facilities
• Manage security terms in the cloud service
• Understand the security requirements of the exit process
Identity Security
End-to-end identity management,
third-party authentication services and identity must become a key element of
cloud security. Identity security keeps the integrity and confidentiality of
data and applications while making access readily available to appropriate
users. Support for these identity management capabilities for both users and
infrastructure components will be a major requirement for cloud computing and
identity will have to be managed in ways that build trust. It will require:
• Authentication: Cloud computing must move beyond username-and-password
authentication, which means adopting methods and technologies that are IT
standard, such as strong authentication, coordination within and between
enterprises, and risk-based authentication, which measures behavior history,
current context and other factors to assess the risk level of a user request.
• Authorization: Authorization can be stronger within an enterprise or a
private cloud, but in order to handle sensitive data and compliance requirements,
public clouds will need stronger authorization capabilities that can be
constant throughout the lifecycle of the cloud infrastructure and the data.
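The risk-based authentication described above can be sketched as follows. This is an added example, not code from the original article; the signal names, weights, thresholds and sample user are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed weights and thresholds for illustration; tune them from real data.
WEIGHTS = {"new_device": 40, "new_country": 30, "odd_hour": 10,
           "recent_failures": 20, "sensitive_action": 20}
STEP_UP_AT, DENY_AT = 40, 80
SENSITIVE_ACTIONS = {"export_data", "change_mfa", "create_api_key"}


@dataclass
class History:
    """Behavior history kept per user (hypothetical structure)."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    usual_hours: range = range(7, 20)   # hours of day the user is normally active
    failed_logins_last_hour: int = 0


@dataclass
class Request:
    """Current context of a single access request."""
    device_id: str
    country: str
    hour: int
    action: str


def risk_signals(history: History, req: Request) -> list:
    """Compare the request's context with the user's behavior history."""
    checks = [
        ("new_device", req.device_id not in history.devices),
        ("new_country", req.country not in history.countries),
        ("odd_hour", req.hour not in history.usual_hours),
        ("recent_failures", history.failed_logins_last_hour >= 3),
        ("sensitive_action", req.action in SENSITIVE_ACTIONS),
    ]
    return [name for name, fired in checks if fired]


def decide(history: History, req: Request) -> tuple:
    """Return (decision, score, signals); decision is allow, step_up or deny."""
    signals = risk_signals(history, req)
    score = min(100, sum(WEIGHTS[s] for s in signals))
    if score >= DENY_AT:
        decision = "deny"
    elif score >= STEP_UP_AT:
        decision = "step_up"    # require a second factor before continuing
    else:
        decision = "allow"
    return decision, score, signals


# Constructed sample user and requests.
ALICE = History(devices={"laptop-1"}, countries={"DE"})
ROUTINE = Request("laptop-1", "DE", 10, "read_report")
NEW_DEVICE_EXPORT = Request("phone-9", "DE", 10, "export_data")
UNFAMILIAR = Request("phone-9", "BR", 3, "read_report")

if __name__ == "__main__":
    for r in (ROUTINE, NEW_DEVICE_EXPORT, UNFAMILIAR):
        print(r.action, decide(ALICE, r))
```

Returning the fired signals alongside the decision gives the audit log a reason for every step-up or denial.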
Information Security
In the traditional data center, controls on physical access, access to hardware and
software and identity controls all combine to protect the data. In the cloud, that
protective barrier that secures infrastructure is diffused. The data needs its own
security and will require:
• Isolation: In a multi-tenancy environment, data must be held securely in order
to protect it when multiple customers use shared resources. Virtualization, encryption
and access control will be workhorses for enabling varying degrees of
separation between corporations, communities of interest and users.
• Stronger data security: In existing data center environments,
role-based access control at the level of user groups is acceptable in most
cases since the information remains within the control of the enterprise. However,
sensitive data will require security at the file, field or block level to meet
the demands of assurance and compliance for information in the cloud.
• Data classification: Enterprises will need to know what type of data is
important and where it is located as prerequisites to making performance cost-benefit
decisions, as well as ensuring focus on the most critical areas for data loss
• Rights management: It is often treated as a component of identity that
determines what users have access to. Stronger data-centric security requires policies and
control mechanisms on the storage and use of information to be associated
directly with the information itself.
• Governance and compliance: A major requirement of corporate information governance and
compliance is the creation of management and validation information –
monitoring and auditing the security state of the information with logging
capabilities. The cloud computing infrastructures must be able to verify that
data is being managed per the applicable local and international regulations
with appropriate controls, log collection and reporting.
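One way to associate a field-level policy directly with the information, while keeping tenants separated by key, is sketched below. This is an added example, not code from the original article; the envelope layout, function names, master key and sample record are constructed assumptions, and the HMAC tag gives integrity only (encrypting the field values would be layered on separately).

```python
import hashlib
import hmac
import json

MASTER_KEY = b"constructed-demo-master-key"  # placeholder; real keys live in a KMS/HSM


def tenant_key(tenant: str) -> bytes:
    """Derive a separate sealing key per tenant, so one tenant's key never verifies another's data."""
    return hmac.new(MASTER_KEY, b"tenant:" + tenant.encode(), hashlib.sha256).digest()


def _canonical(body: dict) -> bytes:
    """Stable byte encoding of the envelope body, used as the HMAC input."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(tenant: str, fields: dict, policy: dict) -> dict:
    """Attach a field-level policy (field -> allowed roles) to the data and tag both together."""
    body = {"tenant": tenant, "fields": fields, "policy": policy}
    tag = hmac.new(tenant_key(tenant), _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def read(envelope: dict, caller_tenant: str, role: str) -> dict:
    """Verify the envelope, then return only the fields the policy grants to this role."""
    body = {k: envelope[k] for k in ("tenant", "fields", "policy")}
    expected = hmac.new(tenant_key(caller_tenant), _canonical(body),
                        hashlib.sha256).hexdigest()
    if body["tenant"] != caller_tenant or not hmac.compare_digest(expected, envelope["tag"]):
        raise PermissionError("wrong tenant, or data/policy modified after sealing")
    # Default deny: a field with no policy entry is released to nobody.
    return {name: value for name, value in body["fields"].items()
            if role in body["policy"].get(name, [])}


# Constructed sample record: "notes" has no policy entry, so no role can read it.
RECORD = seal("acme",
              {"name": "J. Doe", "ssn": "000-00-0000", "notes": "internal"},
              {"name": ["support", "billing"], "ssn": ["billing"]})

if __name__ == "__main__":
    print(read(RECORD, "acme", "support"))
    print(read(RECORD, "acme", "billing"))
```

Because the tag covers the policy as well as the data, widening a field's allowed roles after sealing is rejected in the same way as editing the data.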
The foundational infrastructure for a
cloud must be inherently secure whether it is a private or public cloud or
whether the service is SaaS, PaaS or IaaS. It will require:
• Component-level security: The cloud needs to be architected to be secure,
built with inherently secure components, deployed and provisioned securely with
strong interfaces to other components and supported securely, with
vulnerability-assessment and change-management processes that produce management
information and service-level assurances that build trust.
• Stronger interface security: The points in the system where
interaction takes place (user-to-network, server-to-application) require
stronger security policies and controls that ensure consistency and
• Lifecycle management: The economics of cloud computing are based on
multi-tenancy and the sharing of resources. As customers' needs and
requirements change, a service provider must provision and decommission
those resources correspondingly – bandwidth, servers, storage and security. This lifecycle
process must be managed in order to build trust.
The infrastructure security can be
viewed, assessed and implemented according to its building levels – the network,
host and application levels.
Infrastructure Security – The Network Level
When looking at the network level of
infrastructure security, it is important to distinguish between public clouds
and private clouds. With private clouds, there are no new attacks,
vulnerabilities, or changes in risk specific to this topology that information security
personnel need to consider. If public cloud services are chosen, changing
security requirements will require changes to the network topology, and the
manner in which the existing network topology interacts with the cloud provider’s
network topology should be taken into account. There are four significant risk
factors in this use case:
• Ensuring the confidentiality and
integrity of the organization’s data-in-transit to and from a public cloud;
• Ensuring proper access control
(authentication, authorization, and auditing) to whatever resources are used at
the public cloud provider;
• Ensuring the availability of the
Internet-facing resources in a public cloud that are being used by an
organization, or have been assigned to an organization by public cloud providers;
• Replacing the established model of network zones and tiers with domains.
Infrastructure Security – The Host Level
When reviewing host security and assessing risks, the context of cloud services delivery
models (SaaS, PaaS, and IaaS) and deployment models (public, private, and hybrid)
should be considered. The host security responsibilities in SaaS and PaaS
services are transferred to the provider of cloud services. IaaS customers are
primarily responsible for securing the hosts provisioned in the cloud (virtualization
software security, customer guest OS or virtual server security).
Infrastructure Security – The Application Level
Application or software security should be a critical element of a security program. Most
enterprises with information security programs have yet to institute an
application security program to address this realm. Designing and implementing applications
aimed at deployment on a cloud platform will require existing application security
programs to reevaluate current practices and standards. The application
security spectrum ranges from standalone single-user applications to sophisticated
multiuser e-commerce applications used by many users. The level is responsible
• Application-level security threats;
• End user security;
• SaaS application security;
• PaaS application security;
• Customer-deployed application security
• IaaS application security
• Public cloud security limitations
It can be summarized that the issues of infrastructure security and cloud computing
lie in the area of definition and provision of security specified aspects each
The Point of Failure
Cloud computing continues to transform the way organizations use, store, and share data,
applications, and workloads. It has also introduced a host of new security
threats and challenges. With so much data going into the cloud—and into public
cloud services in particular—these resources become natural targets for bad
Data breaches: A data breach might be the primary objective of a
targeted attack or simply the result of human error, application
vulnerabilities, or poor security practices, the Cloud Security Alliance (CSA) says. It might involve any
kind of information that was not intended for public release, including
personal health information, financial information, personally identifiable
information, trade secrets, and intellectual property. An organization’s
cloud-based data may have value to different parties for different reasons. The
risk of data breach is not unique to cloud computing, but it consistently ranks
as a top concern for cloud customers.
Insufficient identity, credential, and access management: Bad
actors masquerading as legitimate users, operators, or developers can read,
modify, and delete data; issue control plane and management functions; snoop on
data in transit or release malicious software that appears to originate from a
legitimate source, CSA says. As a result, insufficient identity, credential, or
key management can enable unauthorized access to data and potentially catastrophic
damage to organizations or end users.
Insecure interfaces and application programming interfaces (APIs): Cloud
providers expose a set of software user interfaces (UIs) or APIs that customers
use to manage and interact with cloud services. Provisioning, management, and
monitoring are all performed with these interfaces, and the security and
availability of general cloud services depends on the security of APIs, CSA
says. They need to be designed to protect against accidental and malicious
attempts to circumvent policy.
System vulnerabilities: System vulnerabilities are exploitable
bugs in programs that attackers can use to infiltrate a system to steal data,
take control of the system or disrupt service operations. Vulnerabilities
within the components of the operating system put the security of all services
and data at significant risk, CSA says. With the advent of multi-tenancy in the
cloud, systems from various organizations are placed close to each other and
given access to shared memory and resources, creating a new attack surface.
Account hijacking: Account or service hijacking is not new,
CSA notes, but cloud services add a new threat to the landscape. If attackers
gain access to a user’s credentials, they can eavesdrop on activities and
transactions, manipulate data, return falsified information and redirect
clients to illegitimate sites. Account or service instances might become a new
base for attackers. With stolen credentials, attackers can often access
critical areas of cloud computing services, allowing them to compromise the
confidentiality, integrity, and availability of those services.
Malicious insiders: While the level of threat is open to
debate, the fact that insider threat is a real adversary is not, CSA says. A
malicious insider such as a system administrator can access potentially
sensitive information, and can have increasing levels of access to more
critical systems and eventually to data. Systems that depend solely on cloud
service providers for security are at greater risk.
Advanced persistent threats (APTs): APTs are a
parasitical form of cyber attack that infiltrates systems to establish a
foothold in the IT infrastructure of target companies, from which they steal
data. APTs pursue their goals stealthily over extended periods of time, often
adapting to the security measures intended to defend against them. Once in
place, APTs can move laterally through data center networks and blend in with
normal network traffic to achieve their objectives, CSA says.
Data loss: Data stored in
the cloud can be lost for reasons other than malicious attacks, CSA says. An
accidental deletion by the cloud service provider, or a physical catastrophe
such as a fire or earthquake, can lead to the permanent loss of customer data unless
the provider or cloud consumer takes adequate measures to back up data,
following best practices in business continuity and disaster recovery.
Insufficient due diligence: When executives create business
strategies, cloud technologies and service providers must be considered, CSA
says. Developing a good roadmap and checklist for due diligence when evaluating
technologies and providers is essential for the greatest chance of success.
Organizations that rush to adopt cloud technologies and choose providers
without performing due diligence expose themselves to a number of risks.
Abuse and nefarious use of cloud services: Poorly secured
cloud service deployments, free cloud service trials, and fraudulent account
sign-ups via payment instrument fraud expose cloud computing models to
malicious attacks, CSA says. Bad actors might leverage cloud computing
resources to target users, organizations, or other cloud providers. Examples of
misuse of cloud-based resources include launching distributed denial-of-service
attacks, email spam, and phishing campaigns.
Denial of service (DoS): DoS attacks are designed to prevent
users of a service from being able to access their data or applications. By
forcing the targeted cloud service to consume inordinate amounts of finite
system resources such as processor power, memory, disk space, or network
bandwidth, attackers can cause a system slowdown and leave all legitimate
service users without access to services.
Shared technology vulnerabilities: Cloud service
providers deliver their services scalably by sharing infrastructure, platforms
or applications, CSA notes. Cloud technology divides the “as-a-service”
offering without substantially changing the off-the-shelf
hardware/software—sometimes at the expense of security. Underlying components
that comprise the infrastructure supporting cloud services deployment may not
have been designed to offer strong isolation properties for a multi-tenant
architecture or multi-customer applications. This can lead to shared technology
vulnerabilities that can potentially be exploited in all delivery models.