Security in Cloud Computing

Contents 1. INTRODUCTION................................................................................................................ 3 2. ABUSE AND NEFARIOUS USE OF CLOUD COMPUTING......................................... 4 REMEDIATION................................................................................................................... 4 3. INSECURE APPLICATION PROGRAMMING INTERFACES..................................... 4 REMEDIATION................................................................................................. 5 4. MALICIOUS INSIDERS ............................................................................ 5 REMEDIATION.................................................................................................. 5 5. SHARED TECHNOLOGY ISSUES......................................... 6 REMEDIATION................................................................................................... 6 6. DATA LOSS/LEAKAGE...................................................................... 6 REMEDIATION................................................................................................... 7 7. ACCOUNT OR SERVICE HIJACKING..................................... 7 REMEDIATION............................................................................................... 7 8. UNKNOWN RISK PROFILE................................................... 8 REMEDIATION ............................................................................... 8 9. CONCLUSION................................................................................. 9 10. REFERENCES............................................................................................ 10

1. INTRODUCTION Cloud Security is an evolving sub-domain of computer security, network security, and at a broader level information security. The cloud security concept refers to a wide set of policies, technologies, and controls which are deployed to secure data, applications, and the related infrastructure of a cloud computing system [1, 2].

For cloud customers, Security has been the prime concern for obvious reasons; many of them will make buying choices based on the reputation for privacy, confidentiality, reliability and resilience of, and the security services presented by, a cloud provider. This is obviously a strong driver for cloud providers to constantly improve their security practices to mitigate the issues concerning their customers [3, 4].

To aid and facilitate both cloud customers and the providers, CSA developed Security Guidance for Critical Areas in Cloud Computing. This guidance took no time to become the industry standard catalogue of best practices with the aim to secure Cloud Computing [5].

The prime objective of this document, Top Threats to Cloud Computing, is to scribe the desired context to assist organizations make intelligent risk management decisions regarding their cloud adoption strategies for their respective business environments [5].

There has been much debate and exchange of arguments regarding what is in scope for this research. We anticipate that this debate may continue and for future versions of Top Threats to Cloud Computing to reflect the consensus nurtured by those debates. While many issues, such as the provision of financial stability, we initially want to on the issues we feel are either unique or greatly amplified by the key characteristics of Cloud Computing (like its shared, on-demand nature). We identify the following threats in our initial document [5, 6]: Abuse and Nefarious Use of Cloud Computing Insecure Application Programming Interfaces Malicious Insiders

Shared Technology Vulnerabilities Data Loss/Leakage Account, Service & Traffic Hijacking Unknown Risk Profile

2. ABUSE AND NEFARIOUS USE OF CLOUD COMPUTING Criminals and expert data counterfeiters continue to bring up new technologies to improve their ways to extend their reach and avoid detection, Cloud Computing providers are being targeted by these activities, partially because of their relatively weaker registration systems facilitate anonymity. Moreover the fraud detection capabilities of cloud providers are limited [5].

REMEDIATION [5] Stricter initial registration and validation processes Enhanced credit card fraud monitoring and coordination Comprehensive introspection of customer network traffic Monitoring public blacklists for ones own network blocks

Remedies mentioned above are clever in a way that these dont require extensive use of resources and it doesnt require sufficient amount of time. Benefit of these would be many like it can build up good level of availability for genuine customers and it would help by restricting the abuse of network and physical infrastructure of the Data centre. One of the side advantages is simplified and cost efficient Data centre operations.

3. INSECURE APPLICATION PROGRAMMING INTERFACES With most of the cloud providers continuously strive to ensure the best practising security is well incorporated into their service models, yet it is difficult for the consumers utilising those services to understand the security implications associated with the usage, management and monitoring of cloud services. Dependability on a weak set of interfaces

and APIs exposes organizations to a variety of security issues which they may face regarding confidentiality, reliability, accessibility and liability [5].

REMEDIATION [5] Analyse the security model of cloud provider interfaces Ensure strong authentication and access controls are implemented in conjunction with encrypted transmission

Understand the dependency chain associated with the API

Cloud characteristics make configuration management and ongoing provisioning significantly more complicated compared to traditional application deployment. The environment drives the need for architectural modifications to assure complete application security. Encrypted data transmission will eradicate the threat of criminals misusing the data even if theyre smart enough to get hold of it.

4. MALICIOUS INSIDERS The impact that malicious insiders can have on an organization is undeniable, given their level of access and ability to infiltrate organizations and assets. Certain business operations can be affected by a malicious insider. Brand damage, financial impact, privacy intervention, and production losses are some of the most concerning situations. When an organization adopts cloud services, the human element gets an even more profound importance. It is really important that the cloud consumers understand what providers are doing at their end for the detection and defence against malicious insider threat [5].

REMEDIATION [5] ict supply chain management and conduct a comprehensive supplier assessment. Specify human resource requirements as part of legal contracts Require transparency into overall information security and management practices, as well as compliance reporting Determine security breach notification processes

Security in Cloud Computing

ID # 374509

Identification management is of real importance. The use of biometric systems can make the whole process work with more accuracy and unauthorized insiders will be no real harm.

5. SHARED TECHNOLOGY ISSUES Its a mere observation that attacks have been made in recent years that target the shared technology resources in a cloud computing environment. Shared elements like Disk partitions, CPU caches, GPUs, and other shared elements are not engineered for strong compartmentalization. As a result, criminals streamline their activities to impact the operations of other cloud customers, and try to gain unauthorized access to data [5].

REMEDIATION [5] ecurity best practices for installation/configuration Monitor environment for unauthorized changes/activity Promote strong authentication and access control for administrative access and operations Enforce service level agreements for patching and vulnerability remediation Conduct vulnerability scanning and configuration audits

By implementing secure configuration with frequent check of administrative monitoring over the cloud computing environment, adds to the higher hindrances to access and removes the vulnerability of leakage of data.

6. DATA LOSS/LEAKAGE Business can be affected greatly due to any sort of data leakage. Besides the damage to ones brand impression or industrys reputation, a data loss could significantly impact not only the business owner but employees and partners equally the bigger damage is the loss of customers

moral and trust over the enterprises name. Core of prosperity of any business lies in its data base and leakage or loss of data can have a devastating effect on its stability. Such a loss can directly affect the productivity of an enterprise [5].

Security in Cloud Computing

ID # 374509

The obvious threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment [5].

REMEDIATION [5]

safeguards all data; Stringent access controls to prevent unauthorized access to the data; and Scheduled data backup and safe storage of the backup media Implement strong API access control Encrypt and protect integrity of data in transit Analyses data protection at both design and run time Implement strong key generation, storage and management, and destruction practices Contractually demand providers wipe persistent media before it is released into the pool Contractually specify provider backup and retention strategies

Data integrity is the most important aspect of security and confidentiality. For present concerns regarding adoption of cloud computing is security and above mentioned indicators set a threshold for cloud providers. This involves initial and continuing expenses but also a strong point for larger clientele.

7. ACCOUNT OR SERVICE HIJACKING

Account and service hijacking, usually happens by stealing credentials, stays as the most worrying threat. With stolen credentials, attackers often try to access extremely private areas of deployed cloud computing services, allowing them to compromise the confidentiality, integrity and availability of those services [5].

REMEDIATION [5]

Security in Cloud Computing

ID # 374509

Leverage strong two-factor authentication techniques where possible. Employ proactive monitoring to detect unauthorized activity. Understand cloud provider security policies and SLAs.

By simply controlling the exchange of credentials, the invasion by unauthorized people can be eliminated in a cloud environment.

8. UNKNOWN RISK PROFILE When adopting a cloud service, the characteristics and functionalities may be well advertised and presented in front of the buyer, but what about the details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging? How are your private data and related logs stored and who has access to these documents stack? What information if any will the vendor disclose in the event of an undesirable security incident? Often such questions

are not clearly answered or are simply overlooked, which leaves the customers with an unknown risk profile that may include serious threats [5].

REMEDIATION [5] disclosure of infrastructure details (e.g., patch levels, firewalls, etc.) Monitoring and alerting on necessary information

Logs and maintenance of data and detailed monitoring of necessary information generally is the right approach to avoid any mishaps to unknown risk. This remediation will be useful for providers and customers to relay on and work accordingly.

Security in Cloud Computing

ID # 374509

9. CONCLUSION Cloud computing in a business environment is of real value. It makes the cloud consumers avail the benefits of outsourced computing services. Cloud computing not only reduces the cost but also reduces the risk of data/resource vulnerability.

Some of the several security issues have been discussed. Remedies listed have been taken from a conference held by Cloud Security Alliance, which are useful, efficient and applicable.

This report will enable users, business owners and leaders (of Small and Medium Enterprises), to facilitate their evaluation and mitigation of the security risks associated with the adoption of cloud computing technologies.

10. REFERENCES 1. http://en.wikipedia.org/wiki/Cloud_computing_security 2. http://www.networkcomputing.com/cloud-computing/cloud-minuses-outweighpluses-forbusinesses.php 3. http://opencloudmanifesto.org/Cloud_Computing_Use_Cases_Whitepaper4_0.pdf 4. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-riskassessment 5. http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf 6. http://www.cloudsecurityalliance.org/guidance