Wednesday, December 11, 2019

Cloud Computing and Security Issues In The Cloud

Question: Describe about the Cloud Computing And Security Issues In The Cloud? Answer: Introduction A cloud computing can be defined as an on-demand computing model consisting of independent, networked IT (software or hardware or both) resources. Cloud service provider offers clouds with a predefined quality of the service terms through the web of Internet as a set of scalable, autonomous, easy and inexpensive on demand computing model services to the interested clients on a time bound subscription basis. Consumers benefits of migrating to the cloud computing is reduced cost, no installation/upgrade hassles, reduced setup time and higher scalability among others. This structure gives consumers the added flexibility to scale up/down in response to the market fluxes. For example, a business come in the market with a new website which might be initially not known to the customers, but in time becomes widely held with hundreds of thousands of visitors and requests per day. The business owner can request for an upgrade in service at minimum time and without investing huge in the up grad ation hardware. (Qusay F. Hassan, Faculty of Computers Information, Mansoura University, Egypt) According to a report of Business system news analysis for finance and IT professional top cloud vendors are seeing a growth of 90% per annum. Cloud security services revenue is expected to reach 4 bn USD by the year end 2016 from 2 bn that was in last year. And, according to a report by Nicole Henderson, sensitive data leaks cost average organizations $1.9 million, and this suggests the fast growing concerns in the area of cloud security. One reason of the concern is the growing number of attacks from hackers who can find a huge amount of data coming from different organizations but available in a single cloud infrastructure. There have been examples of attacks happening on huge cloud services like dropbox where attackers were able to retrieve the sensitive personal information of employees. However in spite of these attacks elevating concerns, most organizations still make use of multiple cloud services for their business operations. This report suggests this importance of development of security measures and policies by organizations. The paper attempts to understand more about the types of attacks and security strategies that can be used to prevent such attacks. Critical Analysis Threats in Cloud Computing Without any doubt it can be said that businesses can reap huge assistances from cloud computing but along with these advantages, there are some potential threats as well such as: Data Breaches: This includes potential loss of personal information such as through credit card which currently is one of the major concerns in security of cloud computing infrastructure. Data Loss: Data loss might occur when a disk or hard drive crashes without its owner having already created a backup. It can also happen if the owner of encrypted data loses the key which unlocks it. Account or Service Traffic Hijacking: Exploitation or phishing of software vulnerabilities like buffer overflow attacks, and often loss of credentials may lead to the loss of control over accounts of a user. An intruder who has got control over a user account can manipulate data, snoop on transactions, provide false and often damaging responses to its customers, and he can also readdress customers to an inappropriate or competitor's site (Sen, 2009). Insecure APIs: The cloud computing has brought the contradiction of often trying to make services available to masses while restrictive any damage all these anonymous users may cause to the service. The answer has been a public facing application programming interface, or API, that describes how a 3rd party connects an application to the service and provide confirmation that the 3rd party making the application, is actually who he claims he is. Denial of Service: Denial of service attack is an old nemesis of an online operations, but it still remain threat as it has always been. For cloud computing customers, "facing a denial of service occurrence is more like being caught in heavy traffic, there's not much to reach to your destination and nothing can be done about it except ideally sit and keep waiting." Malicious Insiders: Malicious insiders may look like a common threat. If this exists inside a large organization, the hazards are many fold exaggerated. One tactic cloud customers can use to protect themselves is to always keep their encryption keys in their premises and not in the cloud(Australian Government Department of Defence, 2012). Abuse of Cloud Services: Cloud computing brings significant, flexible services to enterprise users and also for the hackers. Hackers may use cloud servers to serve malware, distribute pirated software or launch attacks. Insufficient Due Diligence: there are good chances that expectations will not matched between service provider and customers. How will responsibility be divided? What are pledged obligations for each party? How much transparency a customer can expect from the provider when there happens to be an incident? (Charles Babcock, 2014) Figure 1: Cloud infrastructure (Monjur Ahmed and Mohammad Ashraf Hossain, 2014) Cloud Security Risks The very nature of cloud computing is the key to the problem of cloud security. Basically the pain area is that critical data can be moved out outside the à ¯Ã‚ ¬Ã‚ rewall and given over to the cloud services provider which provides storage and the access. There are a number of security risks supplementary to the cloud computing which must be effectively addressed. For instance, in a public cloud distribution, a customer relinquishes control to the cloud service provider over a number of issues which may severely affect security. Yet cloud service agreements may not offer any assurance to resolve such issues on the part of the cloud supplier which leaves gaps in security emplacements. A way this problem can be resolved is to split the responsibility of security between the customer and the service provider, with the possibility for vital parts of the fortifications to be left unchecked if there is a letdown to allocate accountability clearly depending on the cloud computing model in use. Another challenge in cloud security is the level and reliability of Authentication and authorization that is used to keep away notorious unauthorized users. The fact that sensitive cloud resources can be retrieved from anywhere on the Internet increases the need to establish with certainty the identity of a user, which can very well include contractors, employees, customers and partners. The level of authorization should not just protect the company resources and data from outsiders but often from insiders as damage can also be caused by the mischievous actions of people working in the organization if they have the access and authorizations. This is most often compounded in the cloud computing environment since such activity may occur within either or both the customer business and the provider organization. Further, the resources utilized in a cloud computing model are spread across and most often are publically accessible. With Shared and multi-tenancy resources being defining features of any public cloud computing, the risk of failure of instruments including routing, memory, storage can be another challenge. Any failure from the side of cloud service provider an have a direct impact on the performance of the client organization. Several of these failures can also cause vulnerability to attacks like guest hopping. Security risks can be on higher side, if the service providers do not carry necessary certifications. The cloud customers investment in realizing certification, such as in case of establishing compliance with industry standards or regulatory necessities, may be lost if the cloud provider cannot provide adequate evidence of their own agreement with the relevant necessities, or does not permit audits by the cloud customer. It is important to be careful while choosing right vendor for the organization as once a service provider is chosen, there is a vendor-lock in period in which the company would not have any alternative choice but to stick with existing services even in case the vendor is unable to provide reliable security. Thus, concerns of security do not begin after the cloud is deployed but even before a decision can be taken on choosing appropriate business model and the service provider. The interfaces used by management for accessing cloud applications and resources also pose very high risks, especially users are connected with the remote access through web browser that are vulnerable to attacks from hackers. Here, vendor facilities and capabilities play an important role both in terms of provision of inter-operatabilities between different interfaces and protection of the data running over these interfaces. Once a system is hacked or interrupted by an unauthorized user with bad intensions, several of the problems can occur and can disrupt the process flow in the victim organization causing risks such as service unavailability caused by network failure, unauthentic data deletion, and other issues that can cause a complete business failure(Cloud Standards Customer Council, 2015). Managing Security over Cloud As already discussed that a split of responsibility for security between the service provider and company using cloud infrastructure for running their network applications can make the security management practices both simpler and efficient, it would be worthwhile to identify specific responsibilities that both sides can carry to establish complete security practices that enhance the levels of protection for the organization. Responsibilities of Service Provider The detection, reporting and subsequent managing of security breaches may be deputized to the cloud provider, but these incidents, to a greater degree, impacts the customer. Notification rules can thus be negotiated in the cloud service agreement so that customers are not caught unaware or informed with an undesirable delay(Suri Nath, 2010). This would assist the cloud client with appropriate split of responsibility and clear understanding of what all can be expected from service provider in terms of maintaining and addressing security concerns of cloud technology. When it comes to taking measures on service providers part they can take make use of data encryption to ensure safety in cloud computing, which means that data can be encrypted before it is stored in the server. Major Service providers like Google, Yahoo, Microsoft have already achieved 100% data encryption or are in the process of achieving this. Other players like Sonic.net, Dropbox and SpiderOak, have also announced comparable data encryption programs. Other important technologies most often used by the service providers are Firewall, Anti-Virus and Anti- malware, Patch Management, Log management. Responsibilities of Client organization A secure cloud computing is not only service providers responsibility it is also clients responsibility to ensure safety on their part. With employees, business partners, customers, suppliers and contractors very increasingly accessing corporate applications and data, it is very imperative that they implement strict guidelines and ensure security in the cloud. Limiting the access to users based on context can be one way to assure that unauthorized access is not faced within the organization by misuse of the authentication features by employees. The levels of access can also be conditional and based on where the user is, and what device is in use. For instance, if someone is tries to access data from an internet caf, there should be supplementary sign-on steps and have limited access to the data. The organizational resources and data are confidential and each action within organization can count and can have some level of impact on security and thus, the company should have those systems in place that have the capabilities to understand who is accessing network and accessing what. People within the business who are confidential users, such as database supervisors and also employees with access to highly valuable intellectual property should receive an increased level of scrutiny, receive training on handling data, securely and stronger acce ss control. For instance, a user when known to be using a mobile device for applications, the devices are required to be checked for vulnerabilities. An added protection can be achieved through deployment of intelligence in the network defense devices such that it can provide an extra control with analytics and awareness into which users are accessing and what content and applications. This layer of intelligence would provide real-time visibility into the both the cloud infrastructure and the data center(Marchany, 2010). Cloud services allow organizations to run cloud based applications that can be critical to the working of an organization. In traditional business models, business applications have, been protected with defense in-depth security solutions based on a clear segregation of physical and virtual resources, within trustworthy zones but with the allocation of infrastructure using the cloud, the organization needs to rethink perimeter security at the network level, and should be applying more controls at the user end, application and data level. It is a big challenge to ensure same level of user access and defense mechanism must be applied to workloads deployed in cloud services as compared to those running in traditional data centers. This necessitates creating and running workload centric policies as well as executing central management across distributed workload instances(Ahmed Hossain, 2014). A major concern with the use of applications over cloud is the protection of data that is retrieved and shared between the infrastructure resources. The data that belongs to the client organization can be sensitive and thus, its loss can bring a huge concern for the organization. It can be difficult for the cloud service customer to effectively check the data handling follows of the cloud provider. This problem is worsened in cases of multiple transfers of data, like between federated cloud services or where a cloud supplier uses subcontractors. Visibility of the cloud services for appropriate IT audit can be an appropriate way to protect data and applications of the organization as it would keep the security systems always on check. For this, the security personnel needs to have an understanding Cloud Standards Customer Council laws, regulations and policies may apply to such uses, and regularly assess the security aspects of such uses. Traditional security measures may not sufficient to protection data and applications running over cloud and thus, additional protection measures may be required. The data shared over a cloud application has to be protected at all levels while it is in use, in storage and in transit. The cloud based services make it easy for users to gain access to systems through multiple devices such as smartphones and iPads and thus, protection needs are required to be addressed across platforms and devices. However, the challenge lies in incremental costs that are incurred in attempts to improve security that is omni-present and the organizations can only afford the required levels of security if they incremental cost can oà ¯Ã‚ ¬Ã¢â€š ¬set the commercial beneà ¯Ã‚ ¬Ã‚ ts. Here, a filtering can be done such that the security solutions are chosen based on the kinds of attacks organization is likely to face. Also, applications and infrastructure can also be divided such that each of them is provided with different levels of security based on different types of attacks faced. With this selective approach, the costs can be minimized for the organization. Attackers can be weak including those semi-skilled attackers who direct specific servers or cloud providers by customizing existing publicly available tools or specific targets using radical methods or random attackers who use simple techniques and the tools targeting most susceptible components in a network through well-known tools or techniques that can be easily detected. Protection from such attacks is easier and less costly for the organization and thus, the applications and data that are likely to receive threats from such attackers can make use of simple and cost effective security solutions. Strong attackers can be well-financed, organized, and skilled groups of attackers with an internal hierarchy focusing in targeting particular applications and the users of the cloud. Generally this group will be a prearranged crime group focusing in large scale attacks. Also, strong attackers not only easily detected by the organizations they attack, or by the relevant law enforcement and analytical organizations specializing in eCrime or cyber safety. Justifying this threat requires a very greater intelligence on attacks and specialist resources in response to uncovering of an incident or threat. (Jaydip Sen- 2015) Conclusions Responses to the problem of security in the cloud computing varies all the way from ignoring the issue to clinging so tightly to out-of-date IT security methods and philosophies as to ban cloud services completely. Companies that have proficient compliance and governance problems, or outright data breaches, often exercise added scrutiny of the process. And its a very justià ¯Ã‚ ¬Ã‚ able concern. Signià ¯Ã‚ ¬Ã‚ cant security breaches can unpleasantly aà ¯Ã‚ ¬Ã¢â€š ¬ect a companys standing for years, occasioning in lost current and future revenues, low customer conà ¯Ã‚ ¬Ã‚ dence, legal liability and a poor public image. Cloud computing characterizes a major prospect for corporates to provide superior à ¯Ã‚ ¬Ã¢â‚¬Å¡exibility and value to the business at the same time, saving money as well. Yet safety will always be a concern when significant info assets are not anymore under direct control. An appropriate cloud security program will make available business managers with fact-ba sed and concrete solutions, to support their business needs and will allow them to appreciate the beneà ¯Ã‚ ¬Ã‚ ts of the cloud without keeping the company at undue risk of data loss or breaches. Such a program will definitely identify where the risks of transferring information assets into the cloud infrastructure are too high, which security management personals can very well put in place to minimize that risk to acceptable levels and whether the costs of those practices are reasonable by the beneà ¯Ã‚ ¬Ã‚ ts integral to the cloud computing. The paper revealed a few of the measures which can be taken to provide protection in case cloud technology is in use by an organization and these included data access limitations, device security and network protection intelligence. An appropriate method may be chosen based on the types of attackers that have be dealt by a network from random, weak, strong to substantial. References Ahmed, M., Hossain, M. A. (2014). CLOUD COMPUTING AND SECURITY ISSUES IN THE CLOUD. International Journal of Network Security Its Applications (IJNSA), 25-34. Australian Government Department of Defence. (2012). Cloud Computing Security Considerations. CYBER SECURITY OPERATIONS CENTRE. Carstensen, J., Morgenthal, J., Golden, B. (2012).Cloud Computing. Ely: IT Governance Publishing. Cloud Computing Security. (2012). Cloud Standards Customer Council. (2015). Security for Cloud Computing Ten Steps to Ensure Success. Cloud Standards Customer Council. Kazimov, T., Mahmudova, S. (2015). The Role of Biometric Technology in Information Security. International Research Journal of Engineering and Technology (IRJET) , 1509-1513. Highland, H. (1997). Security in computing.Computers Security,16(3), 181. https://dx.doi.org/10.1016/s0167-4048(97)90261-3 IEEE Cloud Computing. (2013).IEEE Transactions On Cloud Computing,1(2), 230-230. https://dx.doi.org/10.1109/tcc.2013.24 IEEE Cloud Computing Special Issue on Cloud Security. (2015).IEEE Cloud Comput.,2(5), c2-c2. https://dx.doi.org/10.1109/mcc.2015.88 Krutz, R., Vines, R. (2010).Cloud security. Indianapolis, Ind.: Wiley Pub. Marchany, R. (2010). Cloud Computing Security Issues. Virginia Tech. Marks, E., Lozano, B. (2010).Executive's guide to cloud computing. Hoboken, N.J.: Wiley. Pearson, S., Yee, G. (2013).Privacy and security for cloud computing. London: Springer. Rountree, D., Castrillo, I. (2014).The basics of cloud computing. Waltham, Mass.: Syngress. Sen, J. (2009). Security and Privacy Issues in Cloud Computing. Kolkatta: Tata Consultancy Services Ltd. Sharma, A., Verma, N. K. (2012). CLOUD COMPUTING: INFRASTRUCTURE ITS SECURITY ISSUES. International Journal of Advanced Research in Computer Science and Software Engineering, 98-103. Sosinsky, B. (2011).Cloud computing bible. Indianapolis, IN: Wiley. Suri, J., Nath, B. (2010). Security and Privacy in Cloud Computing. New Delhi: TEC. Tajts, T. (2012).Cloud computing security. Lexington, KY: CreateSpace. Tari, Z. (2014). Security and Privacy in Cloud Computing.IEEE Cloud Comput.,1(1), 54-57. https://dx.doi.org/10.1109/mcc.2014.20 Vacca, J. (2016).Cloud computing security. [Place of publication not identified]: Apple Academic Press Inc.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.