Cloud computing has emerged and paved its way forward at an unprecedented pace. It has managed to simultaneously transform business and government giving rise to new security challenges. The emergence of the cloud service model provides business supporting technology with an increased efficiency than ever before. The paradigm shift from server to service has revolutionized the way IT departments think, design, and provide computing solutions and applications. Yet, these revolutions have given birth to new security challenges–the full impact of which is yet to be determined.
The cloud shift proves to be more affordable and prompt, but by taking that route, it undermines the necessity of enterprise level security policies, principles, and best practices. In the event of these, businesses have made themselves vulnerable to breaches that can as easily nullify any gains that have made as a result of the cloud shift.
Cloud Security Alliance (CSA) has identified nine such risks or threats associated with cloud computing. In view of this they have created industry-wide standards for cloud security. In order to safeguard themselves in the cloud environment, businesses should understand these risks–aptly named as “The notorious nine” by CSA.
These notorious nine are;
Data Breach is a serious threat that most CIOs are concerned about. In November 2012, researchers at the University of Carolina published a paper which described how an automated machine was able to use side channel timing information to access private cryptographic keys on another machine located on the same physical server.
Security breaches are inevitable. Service providers may claim that they adopt best practices, however, we all know that there’s no way to completely eliminate risks associated with it. The best way for businesses is to be on the defensive and work with the vendors, providers, and lawyers to prepare “Data Breach Response’ in advance to reduce the risks and liabilities when data breach incident happens.
It is a petrifying thought to lose data for both businesses and consumers alike. The data in the cloud is in complete possession of the cloud service provider. Any accidental deletion through human error, a physical catastrophe like fire or earthquake, may lead to a permanent loss of all data. This risk can be mitigated by keeping an adequate backup of the data. A backup on a separate server still is open to a data breach or data loss on losing the encryption key. However, many companies are required to deal with compliance standards for record keeping. If physical records are kept, then data loss may not have that big an impact on the enterprise.
This threat is not a new one. Phishing, exploitation, fraud have found a place in cyber space for a long time. Passwords are reused often amplifying the impact. Cloud just adds to the landscape. All attackers have to do is gain access to your account, which is not hard if password and credentials are not strong enough. Attackers can then falsify, manipulate, or even redirect data. They may also make your account a base for their activities and leverage their subsequent attacks. This has been and still remains one of the top threats. Stolen credentials give the attackers power over all critical information. The enterprise data then falls into his hands and he may gain access to all cloud computing services deployed, thereby compromising the integrity and confidentiality of those services.
Cloud computing essentially works by exposing a set of APIs or software interfaces that allow consumers to remotely access data. Delivery, Management, adaptation, and monitoring services are all performed by way of these interfaces. The overall security of the cloud depends on the security of these interfaces. From credible access control to encoding and activity overview, these interfaces must be secured against accidental or purposeful efforts to circumvent policy.
These interfaces are further used by cloud users to build upon and provide value-added services to their customers. This introduces an additional layer of risk and exposure to the security breach at the API level.
The responsibility of grasping the depth of security at the API level lies with both, the service provider and the consumer as reliance on a poorly orchestrated API would lead to security issues related to integrity, confidentiality, accountability and availability.
Essentially, DoS is preventing the consumers of the cloud to access their own data. This attack tends to corner the victim into consuming inordinate amounts of limited system resources, memory, processor power, and network bandwidth or disk space. This leads to a network slow down, much like getting bottlenecked in rush hour traffic. This is a case of can’t go through, can’t get out. What results is excessive use of bandwidth. And the service providers charge based on the disk space consumed. Therefore, the increased processing time would lead to high costs..
The backbone of the entire cloud technology is storing data with a third party. Where there is trust, there is also a breach of trust. This is much like data breach, except it comes from the different sources and purposes.
CERN, the European Organization for Nuclear Research, defines an insider threat as:
“A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.”
Cloud computing has made a name for itself as it gives large computing capabilities to even small organizations. These capabilities can even fall into the wrong hands. With such computing power, an attacker can easily crack an encryption key in no time. He may even employ these servers to plan and orchestrate a DoS attack. This threat is a risk to the service providers. They have to identify abusers and service breach from their end.
Cloud computing has made its presence felt with a bang. All the organizations want a piece of the cloud. The promise of reduced cost, efficiency in operations and improved security has baited the organizations well. By pushing to the cloud, organizations may be minimizing their risk at the operational and departmental front but they are adopting risk associated with the cloud. These risk, if not assessed diligently can pose a threat and impact organization making it difficult for them recoup for the lack of capable resources.
Cloud services are third party services. Service providers scale their resources by sharing platforms, Infrastructure, and applications. Whether it’s the hardware components that make up the infrastructure (CPU, Servers, Caches etc.) or the software ( Saas, PaaS, IaaS etc.) The risk of shared vulnerability exists in all service models. A compromise of a critical component may lead to an overall compromise of data stored on the cloud.
Having an equal understanding of both the promise that cloud computing offers and the risk that it brings is a crucial step for enterprises before adopting and transitioning their IT environment onto the cloud.