There are a lot of concerns in the minds of experts while moving to cloud computing. The first one is information or data security. While cost and ease of use are two great benefits of cloud computing, there are significant security concerns that need to be addressed when considering moving critical applications and sensitive data to public and shared cloud environments. Prior to any move to the cloud, it’s simple common sense and good practice to ensure that the necessary security procedures, standards, guidelines and processes are already in place at home to ensure the technical security of data.
In a cloud, data can be moved through data centers in different international locations in response to varying levels of demand. Data located in any country may be governed by the laws of that country and there are sophisticated regulatory demands on businesses to ensure the security of the information they hold and generate. Furthermore, organizations have legal obligations to preserve data and ensure that it is available for any legal proceedings—called
electronic discovery—even if the customer is not in direct possession or control of that data. Therefore, cloud customers must seek contractual assurance regarding the geographical storage and transit of their cloud-based data, to ensure compliance with existing as well as the inevitable introduction of new laws governing Therefore, cloud customers must seek contractual assurance regarding the geographical storage and transit of their cloud-based data, to ensure compliance with existing as well as the inevitable introduction of new laws governing.
Physical Security
The cloud provider is responsible for providing platform and infrastructure security. Physical access should be strictly controlled by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. As a result, an organization is responsible for managing:
- The physical location of the data center (affecting which country’s law applies);
- The security of the data center
- The trustworthiness of system administrators; and
- The documented information security program that protects the confidentiality, integrity, and availability of data and systems, including, but not limited to, configuration, patching, incident response, and business continuity management.
Environmental Controls
Cloud computing clusters architecture should be designed with resiliency and redundancy in mind,
helping minimize single points of failure and the impact of common equipment failures and
environmental risks. Dual circuits, switches, networks, and other necessary devices are utilized
to provide redundancy. Facilities infrastructure at the data centers has been designed to be
robust, fault tolerant, and concurrently maintainable.
Operational Security
Network Security: Most of the cloud computing providers employs multiple layers of defense to help protect the network perimeter from external attacks. Enforcement of network segregation using industry standard firewall and ACL technology can prevent network attacks.
Operating System Security: You have to make sure that a standard hardened operating system (OS), and security fixes are uniformly deployed to the entire infrastructure.
Access Control: Authentication controls and Authorization controls are very much required in host levels and application levels to prevent unauthorized access.
Data Security Lifecycle
The Data Security Lifecycle consists of six phases as shown in the diagram given below:
Data security: Confidentiality, Integrity, Availability, Authenticity, Authorization, Authentication, and Non-Repudiation.
Location of the data: There must be assurance that the data, including all of its copies and backups is stored only in geographic locations permitted by contract, SLA, and/or regulation. For instance, use of “compliant storage” as mandated by the European Union for storing electronic health records can be an added challenge to the data owner and cloud service provider.
Data remanance or persistence: Data must be effectively and completely removed to be deemed ‘destroyed.’ Therefore, techniques for completely and effectively locating data in the cloud, erasing/destroying data, and assuring the data has been completely removed or rendered unrecoverable must be available and used when required.
In addition, the destruction of information is more difficult to guarantee in a shared environment. Encryption, and the provision of different encryption keys for each customer in a public cloud may go some way to mitigate this, but not all cloud providers can offer this.
It is wise to ensure that data isn’t held in a proprietary format and is readily transferable to other systems as required. The format of information entrusted to a provider should be agreed and be documented in the contract.
Cloud Computing Attacks
Denial of Service attacks: Some security professionals have argued that the cloud is more vulnerable to DoS attacks, because it is shared by many users, which makes DoS attacks much more damaging. Twitter suffered a devastating DoS attack during 2009.
Side Channel attacks: An attacker could attempt to compromise the cloud by placing a malicious virtual machine in close proximity to a target cloud server and then launching a side channel attack.
Authentication attacks: Authentication is a weak point in hosted and virtual services and is frequently targeted. There are many different ways to authenticate users; for example, based on what a person knows, has, or is. The mechanisms used to secure the authentication process and the methods used are a frequent target of attackers.
Man-in-the-middle cryptographic attacks: This attack is carried out when an attacker places himself between two users. Anytime attackers can place themselves in the communication’s path, there is the possibility that they can intercept and modify communications.
Cloud computing therefore offers real benefits to companies seeking a competitive edge in today’s fast growing economy. A lot of providers are moving into this area, and the competition is driving prices even lower. Attractive pricing, the ability to free up staff for other duties, and the ability to pay for “as needed” services will continue to drive more businesses to consider cloud computing. The decision to move to cloud-based services should fit into the organization’s overall corporate objectives. A cloud provider must be able to deliver the security, availability, audit and reporting configurations you require. It is therefore essential that enterprises seeking the benefits of cloud computing ensure that their cloud providers can deliver the levels of security and control that they need and should expect.