Cloud computing technology is fast becoming a solution for problems that have plagued organisations and taxed IT departments for years. Maintaining and managing IT in-house is a heavy burden for both larger and smaller organisations. Small and medium-sized businesses have smaller budgets and fewer resources, while large organisations have massive amounts of data to manage, a high volume of traffic, many and various devices operating on a network, and a variety of internal and external applications to operate. Each presents its own challenges.
Cloud computing offers a solution for many of the problems associated with these issues, from large burdens on small departments to effective management of big data stores. Cloud computing relies on a network of remote, distributed, virtual servers connected on the Internet to store, manage, access, and process data, as well as run applications, rather than having these functions performed internally. Cloud computing is generally provided as a type of service by a cloud service provider (CSP), relieving the IT department of many of the headaches of local server maintenance.
Despite the practical benefits, cloud computing should not be adopted without a thorough understanding of cloud security concerns. In cloud computing, an organisation trusts valuable data to a cluster of virtual machines harnessed to perform a task, each component of which presents a point of entry into the system. These virtual machines are overseen by a hypervisor, which thus becomes a point of vulnerability. These risks can be mitigated, and a good understanding of cloud computing should include a discussion of the risks and how to mitigate them.
Cloud computing models
Cloud computing services can be offered in three basic ways: Software as a Service, Platform as a Service, and Infrastructure as a Service. Some CSPs, such as Microsoft Azure and Amazon Web Services, have multiple offerings and can provide both infrastructure and platform services.
Software as a Service (SaaS)
- Users have accounts which they use to access applications hosted and maintained by a provider.
- SaaS is largely used to replace end-user desktop applications.
- SaaS Examples: Google Apps, Adobe Marketing Cloud, Cisco Webex, Citrix GoTo Meetings, Facebook, Flickr, Concur.
- Common security threat to SaaS services: theft of user logins/passwords.
Platform as a Service (PaaS)
- User accesses platform and hardware hosted and maintained by a provider.
- PaaS allows developers to create applications with software components that are built into the middleware.
- PaaS Examples: GoDaddy, Apprenda, Windows Azure, Google App Engine, WordPress, Amazon Web Services.
- Common security threats to PaaS services: insufficient or breached authentication, unwanted access.
Infrastructure as a Service (IaaS)
- User accesses infrastructure hosted and maintained by a provider.
- Organisations can rent such things as physical and virtual machines, virtual data centres, firewalls, and VPN.
- IaaS examples: Rackspace, Amazon EC2, Microsoft Azure, Amazon Web Services, Google Compute Engine.
- Common security threats to IaaS services: non-compliance with industry-standard regulations, inadequate data protection, and inadequate physical protection.
Ten threats of cloud computing
- Data breach - Data breaches can result in the loss of sensitive information – in the well-publicised cases of large retailers Target and Home Depot, personal and credit card information was stolen, along with an equally important asset: the companies’ reputations. The nature of cloud computing, utilising remote computers performing parallel tasks, leaves it open to malicious infiltration at multiple points, and if an attacker gains control over the master computer, the hypervisor, an organisation can be very exposed indeed.
- Data loss - Data loss may occur as a result of an accident: when a disk drive dies without a backup, for instance, or if the owner of encrypted data loses the key that unlocks it. Data can be lost as a result of human error in an unimaginable variety of ways. And, of course, data can be lost due to a malicious attack – a data breach.
- Account or service traffic hijacking - Account hijacking is a problem in the cloud and it is all too easy for hackers to obtain credentials through phishing and other social engineering techniques that can lead to gaining control over a user’s account. Vulnerabilities specific to access through the cloud include session riding, which can steal the user’s cookies and use the account as a base to make customers victims of traffic riding. Depending on the account, the invader can potentially view or change transactions, manipulate data, and interfere with customer interactions. In addition, the attacker has access to an individual's accounts and systems.
- Denial of service attacks - Another old disrupter of online operations, denial of service attacks have been around a long time. Like account hijacking, DoS attacks remain a threat everywhere, but especially in cloud computing with its network of virtual machines, hypervisors, and multiple points of entry. A denial of service attack might diminish service without quite shutting it down, incurring bills from the cloud service for excessive resources used during the attack.
- Malicious and careless insiders - Another old threat comes from inside – unhappy employees, saboteurs, and the worst enemies of all: ignorance and carelessness. The existence of this threat is also not specific to cloud computing, but the scale of potential damage is much greater, because a breach compromises not only the company, but all other tenants of the CSP. Companies must increase their vigilance in addressing this threat, both through employee education and working with their cloud service provider to ensure activity is being logged and alerts generated in case of unusual activity. Third-party audits are also very useful in identifying anomalies that signal a problem caused by activity from within, either within the hiring organisation or that of the CSP.
- Insecure APIs - To make services available on a massive scale while limiting both intended and accidental damage from all user accounts is a massive task. To provide services such as platform services, application programming interfaces are made available to integrators and developers. These APIs, being in the cloud, are now theoretically accessible from anywhere on the Internet. Malicious attackers can access the service using an API, essentially building their own application, and use it to manipulate a customer’s data.
- Abuse of cloud services - A hacker might also use cloud servers to deploy malware or launch DDoS attacks. Cloud service providers will have to be able to detect abnormal activity and stop it without impeding normal customer operations and the use of software, platforms, and infrastructure.
- Insufficient due diligence - With cloud computing being a new implementation, especially to the hiring organisations, there is a knowledge gap that can prevent sufficient exercise of due diligence when hiring a cloud service provider. Without knowing quite what they are contracting for, customers can find a mismatch between what they think they are getting and what a CSP can provide. Asking the right questions is vital, therefore, to understanding the contractual obligations and liabilities of provider and customer. Service agreements might fail to discuss disclosure in the face of an incident. Enterprise architects might not confirm whether their on-premises security controls will be effective in the cloud. Hiring organisations also must make sure to choose a cloud provider that will not attempt to lock them in if the service should prove unsatisfactory, or if the organisation wants to use services from another provider. If the relationship needs to be terminated, the old CSP must be willing and able to move on and delete the organisation’s data securely and efficiently.
- Shared technology - Cloud computing by its definition – that of shared infrastructure – depends on the cooperation of multiple devices in a virtual environment, and in such an architecture, the infiltration and control of just one of those devices – especially the hypervisor – exposes all customers who are tenants in that environment to a breach. This is also true for other shared services offered by the provider, including shared applications, shared operating systems, shared APIs, and shared storage.
- Reliability and availability of service - CSPs are expected to be able to provide their services and applications whenever and wherever they are needed – which is a part of the benefit of moving to the cloud to begin with. However, even where the CSP has been utterly responsible with ensuring uninterrupted power sources and redundant backup, some downtime is inevitable and must be factored into the calculation. Customer failure, also, must be accounted for: if applications and services are critical, as in a hospital, then the customer must maintain an alternative power source to ensure its own ability to connect to the Internet.
Minimising risk in the cloud
- Implement critical protections, including prohibiting the sharing of account credentials between users, no matter how trusted the business partner, and utilising strong two-factor authentication techniques.
- Perform effective due diligence when researching a cloud service provider. Be sure to review the CSP’s security history and references; ask about known security vulnerabilities. Be sure the service agreement includes adherence to current industry standards, and that the CSP has up-to-date knowledge of them.
- Utilise Single Sign-On (SSO) in your organisation. An organisation might be using a number of cloud services and applications, and individual users could have multiple sets of credentials, any of which can be exposed. SSO means that there are fewer accounts to manage as users enter and leave the organisation, and users have only one set of credentials and are less likely to write them down so they can remember them.
- Work with an expert to assure cloud security on a regular basis, either by engaging a consultant for your business or by having third-party audits performed to ensure that your CSP is compliant with your industry’s standards of security.
- Implement end-to-end encryption. Ensure the CSP has solutions for encrypting data not only in transit, which is standard, but also when the data is at rest. For the lowest risk, your data should be encrypted prior to upload and remain encrypted while it is in storage (presumably in the CSP’s datacenter), so that it can only be decrypted with the correct encryption key. Ensure secure data transmission. Data must be mobile, and it must be secure as it travels, so secure the data by using an encrypted and secured communication protocol like SSL/TLS.
- Use up-to-date systems and in-house applications. Your CSP has an impossible job if they have to support outdated software with known security risks. Outdated operating systems, like Windows XP, and outdated browsers, like Internet Explorer 7, put you at risk even if you have taken all other appropriate defensive action.
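The advice above to encrypt data before upload, so that it can only be decrypted with the correct key, can be sketched as follows. This is an added example, not part of the original article; AES-GCM from the Go standard library is the cipher chosen here (the article names none), and the function names, the `objectName` parameter and the sample path are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForUpload encrypts on the client, before the data leaves for the CSP. objectName
// (hypothetical storage key) is bound as associated data. Output: nonce || ciphertext || tag.
func SealForUpload(key, plaintext []byte, objectName string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// OpenAfterDownload fails on a wrong key, a modified blob or a swapped object name.
func OpenAfterDownload(key, blob []byte, objectName string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(objectName))
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed demo key; real keys stay in a KMS or HSM you control
	blob, err := SealForUpload(key, []byte("constructed sample record"), "reports/q1.csv")
	fmt.Println(len(blob), err)
}
```

With a 32-byte key this is AES-256, and the CSP only ever stores the nonce, ciphertext and authentication tag.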
Migrating to the cloud has many potential benefits, if you go in with open eyes and armed with knowledge and caution. Attention should be paid to measures that can be taken proactively to prevent malicious attacks at all stages: processing, networking, transmission, storage, application security, and user access. The fact is that in this computing-heavy environment, risks exist whether you manage your IT in-house or virtually and remotely, and many cost and management benefits can be realised by utilising shared services in the cloud – as long as your IT department uses a high security standard, just as they would for applications, platforms, and infrastructure deployed in-house.
Jason Parms, Customer Service Manager at SSL2BUY.com