Cloud computing has cost-saving potential for enterprises wanting to save on software licensing and support services. Despite its advantages, security issues pose a serious threat to businesses. In this article, we will explore the various security risks and the steps to be taken to counter cloud computing threats.
At first glance, cloud computing offers the cost savings that service providers promise by taking data storage and applications online. The benefits of cloud computing are indeed compelling: a centralised method of accessing shared data, significantly lower costs and reduced data centre space, power and cooling. Cloud computing is helping corporations create new and better business models, and it has opened a world of opportunities for global IT companies.
However, organisations must realise that accountability for valuable business data cannot be outsourced as conveniently. Despite all its advantages, the use of cloud computing may lead businesses to breach the security of sensitive data and their information security obligations to clients. A company that outsources its data storage risks claims from its customers if data held by the host server becomes unavailable during an interruption or outage, or is lost altogether.
The likelihood of service interruptions raises concerns over use of the cloud for business-critical applications. Security experts point out that the cloud computing community received reports of 14 outages, with consequent data loss and security issues, in 2008, an increase from just one in 2007.
In the following sections we will look at the various security risks in cloud computing and how to mitigate them.
Security Risks
Cloud computing poses serious data security threats to businesses wanting to save on software licensing and support services. Companies could be exposing themselves to a business continuity disaster. In many ways cloud computing resembles the Application Service Provider (ASP) model that was prevalent before the dot-com crash, and many of those providers are no longer around.
We must remember that management will always be responsible for protecting company and customer data. It is therefore essential when moving towards cloud computing that businesses consistently ensure the health of the cloud-provided services. This includes gaining complete confidence that the cloud provider is a viable, stable business with assurances and protections, such as comprehensive risk and security defences in place, to safeguard business data.
Other areas of concern are vendor lock-in, failure of the mechanisms that separate different companies' data and workloads, management interfaces exposed to attackers, data that is not deleted properly, and malicious insiders. From a legal perspective, it is also a significant risk if the data centres are located in countries with a weak legal system and, in particular, no proper data protection laws.
Cloud computing may lead businesses to breach data protection laws, and this has a direct effect on end users. As most cloud computing service providers will not guarantee the security of the data they store, this may put cloud computing users in breach of their obligation under data protection laws to ensure an appropriate level of security.
Cyber-Cloud Attacks
In addition to the data protection risks caused by interruptions to business continuity, cloud computing also faces risks from hackers. Hackers invading global financial systems with the objective of stealing money and disabling the whole financial network is also a possibility. Concentrating enterprise data in the cloud makes it an attractive target for advanced attacks by cyber-criminals. A single point of failure, such as the common underlying software that controls how resources in a cloud are shared, could leave businesses exposed.
Anyone who tracks cyber-crime, attacks and the insecurities that allow them to occur knows that e-crime and e-fraud are matters of concern for anyone connected to the internet, be they business or individual. Some of these threats emanate from small pockets of the internet community and appear as the e-crime equivalent of a startup. They are small-time, opportunistic, and looking for ways to monetise their innovations.
Of greater concern are the others, which present themselves as sophisticated, well-established criminal enterprises and exhibit many of the behaviours you would expect from large corporations. These criminal organisations have an internal business logic: they invest in research, they want highly motivated staff and project plans, and above all, they want to make lots of money. Given the existence of such sophisticated criminal networks, the notion of e-terrorists seems a little closer to reality than many of us would hitherto have believed, or even wished to accept.
Attacks against Estonia, and similar ones mounted against the UK and the US (the so-called Titan Rain attacks emanating from China), already stand as proof that cyber technology can be used to launch attacks against high-profile organisations with some degree of success. But what if the use of technology were also aligned with other forms of attack? Would it be possible to target financial markets, or a specific sector of the economy? Such speculation remains theoretical, but it does raise pertinent questions.
Above all, how does the acceptance of cloud computing, and reliance on the internet, fit in with these potential threats? Should business continuity and operational resilience play a greater role in assessing the case for cloud computing? Or is the pressure of profitability embraced as the only way to go? It is high time that we find answers to these questions. The notion of "live now, pay later" may just be too high a price to pay.
Countering Threats
When moving to cloud-based computing services, companies have to hand over control to the cloud provider on a number of issues, which may affect security negatively. For example, the provider's terms of use may not allow port scans, vulnerability assessment or penetration testing. At the same time, Service Level Agreements (SLAs) may not include those services. The result is a gap in defences.
Technology such as two-factor authentication, when combined with encrypted VPN (Virtual Private Network) connections, can secure an internet connection into a cloud computing-based service. Security experts say that using such techniques would make interception of files and transmissions almost impossible. Logically speaking, there is no such thing as a totally secure system, especially one that is accessible across the internet. With the right technology, however, the new generation of cloud computing systems can be made as secure as, if not more secure than, existing server-based office systems.
A poll found that information security management, along with regulatory compliance and the challenges of managing IT risks, were uppermost in members' minds when it comes to security. Early examples of this technology, such as the simple web-based email services offered by Google and others, are difficult to secure when using a standard web interface, but security experts believe that, with the right technology, these problems can be solved. The amount of information we are all giving to online companies is enormous and dangerous, and experts are of the opinion that security is going to get worse before it gets better.
To minimise the risks in a cloud computing environment, the security administrator should prepare a list of questions that the company needs to ask potential cloud providers. For example: what guarantees does the provider offer that customer resources are fully isolated, what security education programme does it run for staff, what measures are taken to ensure third-party service levels are met, and so on. In the end, a good contract can lessen the risks. Companies should pay particular attention to their rights and obligations relating to data transfers, access to data by law enforcement and notification of security breaches. Experts say that, as with all other outsourcing, ensuring security in cloud computing is more a contractual issue than a technical one. The contract is the only real control you have.
Security experts say that most providers of cloud-based services fail to address the security concerns of enterprises. They tend to be vague or evasive when questioned about security. Enterprises need to be sure that their data will be protected properly, that it will not be lost or damaged, that it will always be accessible, and that it will not be transferred to the wrong jurisdiction.
Securing Data in Cloud
Securing data in the cloud is not a trivial task. First, online storage vendors such as The Linkup and Carbonite have lost data and were unable to recover it for customers. Second, there is the danger that sensitive data could fall into the wrong hands. Before signing up with any cloud vendor, customers should demand information about data security practices, scrutinise SLAs, and make sure they have the ability to encrypt data both in transit and at rest.
Before choosing a cloud vendor, do your due diligence: examine the SLA to understand what it guarantees and what it does not, and scour any publicly accessible availability data. Businesses must fully understand providers' security measures or run the risk of endangering their data. Unless cloud providers can readily disclose their security controls, and the extent to which they are implemented, to the consumer, and the consumer knows which controls are needed to maintain the security of their information, there is tremendous potential for misguided decisions and detrimental outcomes.
In general, potential users of cloud services need to carry out a risk assessment that takes into account the importance of the data to the business and the security that providers can realistically deliver. As with any area of security, organisations should adopt a risk-based approach to moving to the cloud and selecting security options.
To ensure secure cloud services, security experts recommend the following steps:
- Determine exactly what data or function is being considered for the cloud.
- Assess how important the data or function is to the organisation.
- Determine which of the following cloud options are acceptable: public; private (internal); private (external); community; hybrid.
- Evaluate the degree of control available to implement risk mitigations.
- Map out the flow of data in and out of the cloud to identify points of exposure to risk.
Alongside guarantees from the provider, businesses must also ensure that they have an alternative strategy in place in case of any disruption or loss of connectivity to the cloud-based service. This includes awareness of any of the provider's fallback plans and commitments that may jeopardise valuable information. Businesses also need to bear in mind that interruptions to cloud computing providers may have to be dealt with on both a short- and a long-term basis, depending on the nature of the disturbance.
What the Experts Say
Security experts say that cloud computing is all about managing risk. However, relatively few companies are equipped to do that properly with a dedicated risk manager. Businesses need to understand the value of all the different types of data they want to store in the cloud, but many do not. Public clouds offer the greatest economies of scale but the least control over data, while private clouds offer more control but without the same cost benefit. Understanding the value of each type of data can help businesses decide what type of cloud is the best fit. Experts say that most organisations will probably not choose one type over the other, but will instead use a combination of the two to form a public-private hybrid.
Security experts argue that the problem remains that there are no cloud computing standards for handling different kinds of data, especially sensitive personal data such as healthcare records. Global IT security organisations and governments have a role to play in taking the lead on standards, and should intervene rather than leaving it to the emerging service providers.
Experts believe that by setting guidelines now that will not stifle growth, authorities could tip the balance in favour of making cloud computing highly secure. Cloud-based services can potentially offer businesses a greater depth of defence than they could achieve on their own. A simpler, standard environment can be protected more easily, and cloud providers can use rights management and encryption technologies to provide an extremely high level of protection.
Most IT security professionals agree that in the short term, businesses should be extremely wary of putting sensitive company data in public clouds. Businesses should also stick to low-risk, low-volume applications and build internal and private clouds to enable collaboration within the organisation and externally with partners. Finally, experts advise: demand greater transparency from providers, mitigate risk with a clear Service Level Agreement (SLA), and ensure you have an exit strategy.
Whilst the benefits of moving to the cloud are evident, businesses must be aware of what they are getting into and be able to mitigate the risks.
By R. Manoj. The author is an Assistant Editor at Fanatic Media, Bangalore. He is also an independent researcher specialising in computer system security, with an active interest in designing security algorithms for securing mission-critical systems. He can be reached at infosecurity@fanaticmedia.com