SECURITY ISSUES IN CLOUD COMPUTING
Cloud computing has turned out to be a revolutionary idea that has added real value to an already thriving IT industry. Information of various sorts is kept on clouds, or major servers, from which users can connect, share, and interact with other computers. Users can avail themselves of services at any time, and providers are solely responsible for managing the resources on the cloud. It is a huge accomplishment for sharing data and information over the internet. Over the last couple of years, cloud infrastructure has shifted from being the most promising business concept to being one of the fastest-growing domains of the IT industry. Fast, frequent access to diverse applications at negligible cost was once a dream the IT industry wove for the circulation of information; today that notion has been realized with massive success. More and more information is being placed on clouds. Recession-hit companies in particular, which need fast access to their information, feasible communication and large storage, prefer clouds over any other alternative for placing their data. But with such significant facilities, the question that arises is whether these clouds are secure enough. What security issues can arise from placing information on an unreliable medium like a cloud?
Cloud computing, a substantial innovation in the IT industry, is an entirely new model for the consumption and delivery of IT services. End users are unaware of the details of who is responsible for managing the technology. Providers of cloud services are liable and accountable for managing the cloud infrastructure. Cloud services are considered on-demand services because users avail themselves of them on demand.
Gartner predicts that cloud computing will surge to 150 billion dollars by 2013. Below is a partial list of companies that provide cloud computing services:
• Amazon
• Google
• Microsoft
• Salesforce.com
• Citrix
• IBM
• MozyHome
• Sun
• CohesiveFT
• Icloud
• Nirvanix
• VMware
• FlexiScale
• Joyent
• Rackspace
(10 Security Concerns For Cloud Computing, 2010)
The ample services that cloud infrastructure provides come with risks and security concerns, and these need to be addressed. A system must be devised that provides better security mechanisms on a cloud, so that users can get the most out of these valuable services without hesitation. Cost and feasibility of usage are two huge advantages that a cloud can offer its users.
Users can consume services at a rate that is set by their particular needs. This on-demand service can be provided at any time (10 Security Concerns For Cloud Computing, 2010).
According to International Data Corporation (IDC), “The proliferation of devices, compliance, improved systems performance, online commerce and increased replication to secondary or backup sites is contributing to an annual doubling of the amount of information transmitted over the Internet.”
The cost of dealing with this amount of data is something that companies must address. In today’s economy, companies are looking at any cost saving measures, and the bottom line is that cloud computing provides much greater flexibility than previous computing models (10 Security Concerns For Cloud Computing, 2010).
Cloud Computing Security Concerns
Security concerns come with each new innovation that emerges in the world.
Different countries have different requirements and controls placed on access. Because your data is in the cloud, you may not realize that the data must reside in a physical location. Your cloud provider should agree in writing to provide the level of security required for your customers (10 Security Concerns For Cloud Computing, 2010).
Insider attacks are a major risk in cloud infrastructure. It has often been observed that a potential attacker already has entrusted or approved access to a cloud, and there is a high chance that such a person may cause serious damage to the data stored on it. In 2009, a similar case was reported when an insider was accused of planting a logic bomb on Fannie Mae servers that, if launched, would have caused massive damage (10 Security Concerns For Cloud Computing, 2010).
Regulatory requirements, if not implemented, can prove fatal for servers on a cloud. There are certain standards a cloud must meet, such as ISO 27002, ITIL, Safe Harbor and COBIT. Implementing these standards or regulatory requirements is important in order to consistently regulate the servers on the cloud.
Right to audit may appear to be a petty issue, but it has a lot to do with preserving the integrity of data on a cloud. It is important to decide beforehand, in writing, who will set out the terms of the audit. The training a provider gives its employees is termed the weakest link in security. It is important to know how a provider trains its employees for an already established cloud framework.
Classification of data is a major security concern on a cloud. It is important to address how the data of the various users on a cloud is segregated. The mechanism for encrypting data is another major concern: it needs to be decided when encryption is performed, whether while data is at rest or while it is in transit. Such mechanisms are security concerns that need attention at the right time.
Service level agreement (SLA) terms serve as a contracted level of guaranteed service between the cloud provider and the customer that specifies what level of services will be provided (10 Security Concerns For Cloud Computing, 2010).
The long-term viability of a provider must be ensured. How long a provider has been in the cloud business, and its track record there, are fundamental concerns, because if the provider goes out of business, who will be accountable for its customers’ data? Who will return the data, and in which format it will be retrieved, are further issues linked to the same concern.
As an example, in 2007, online storage service MediaMax went out of business following a system administration error that deleted active customer data. The failed company left behind unhappy users and focused concerns on the reliability of cloud computing (10 Security Concerns For Cloud Computing, 2010).
A provider’s plan of action must be outlined so that, in case of a security breach, methods can be adopted to secure the users’ data on the cloud. While many providers promote their services as being unhackable, cloud-based services serve as a captivating target to hackers anyway.
Recovering data after a disaster is another major security concern that requires attention. Disaster recovery/business continuity planning (DR/BCP) leaves a huge question mark: in a catastrophe in which the physical servers of a cloud are destroyed, from where can the users’ data be retrieved?
All physical locations face threats such as fire, storms, natural disasters, and loss of power. In case of any of these events, how will the cloud provider respond, and what guarantee of continued services are they promising? As an example, in February 2009, Nokia’s Contacts On Ovi servers crashed. The last reliable backup that Nokia could recover was dated January 23rd, meaning anything synced and stored by users between January 23rd and February 9th was lost completely (10 Security Concerns For Cloud Computing, 2010).
Cloud Computing Security Issues/Attacks
Criminals see the cloud as a huge platform on which to launch attacks. They find it more vulnerable because many users share a cloud, and with several users the possibility of attacks rises exponentially.
A Denial of Service (DoS) attack is a damaging attack, and a cloud is more vulnerable to it because several users rely on the services of the cloud. The repercussions of a DoS attack are devastating for servers on the cloud. Twitter suffered a destructive DoS attack in the year 2009.
A man-in-the-middle cryptographic attack is considered deadly because the hacker intercepts the communication between two users on a cloud by placing himself between them, and ends up modifying the communication on the channel between them.
A side-channel attack is launched by an attacker who places a malicious virtual machine in close proximity to the targeted server on a cloud. Such an attack ends up breaching the security of the infrastructure.
An authentication attack targets authentication, which works on the principle of what a person has, is and knows. A secure authentication mechanism needs to be devised in order to secure data on the cloud. Authentication is generally regarded as a weak point in the virtual and hosted services offered by a cloud, and it is frequently targeted.
The cloud undoubtedly serves organizations with the opportunity to save money and accomplish efficiency, by leveraging virtualization to centralize applications, storage and platforms into pay-as-you-go, scalable bites of a single system or network. But without security embedded into underlying technology that supports cloud computing, businesses are setting themselves up for a fall.
A recent report conducted jointly by EMC’s RSA security division and IDG Research Services interviewed 100 security executives at companies with revenues of £1 billion or more. Of these executives, close to half said they either have enterprise applications or business processes running in the cloud or will begin migration in the next year. At the same time, two-thirds don’t have a security strategy for cloud computing, a worrying statistic for those with such a significant revenue amount (ComputerWeekly, 2011).
One of the core aspects to keeping the cloud safe for all users is the adherence to the basic security principles that apply in the non-virtualized world. It is imperative that people do the basics: minimize administrative privilege; support enforcement of the rule of least privilege; and absolutely stay on top of vendor patches (ComputerWeekly, 2011).
Users from various parts of the world are not necessarily given the same privileges; privileges may vary from country to country. The cloud provider must agree in writing to the facilities that your cloud gives you. Access control is one of the major issues that needs to be addressed with caution and vigilance. Certain standards, such as ISO 27002, ITIL, Safe Harbor and COBIT, must be met by the system in order to eradicate the risk of any unforeseen attack. Users must ensure that the cloud provider meets these standards and undergoes certification, accreditation and thorough review.
In a nutshell, cloud computing is extremely beneficial for emerging and existing enterprises and business processes, and because it is still evolving it is expected to be here for the long haul. It is economically viable, but it can turn out to be a very expensive venture if proper mechanisms to control, monitor, and regulate it are not implemented.
Global Knowledge, 2010. 10 Security Concerns for Cloud Computing [online] (Updated 2010) [Accessed 22 October, 2011]
ComputerWeekly, 2011 [Accessed 22 October, 2011]
Mina Kazmi, Student at NUCES-FAST.