A Gartner senior analyst referred to cloud computing as "the phrase du jour." Anyone who spends any time in information technology (IT) knows that the phrase looks to remain popular for the near future as well. In fact, Gartner predicts that the cloud computing market will reach 150 billion dollars by the year 2013. Merrill Lynch provides similar estimates predicting a growth spurt to 160 billion dollars by 2013.
The reason cloud computing is such a popular topic is because it was built to conserve resources and save money. By moving software, storage, e-mail, and so on to the cloud, organizations are able to dedicate only the resources necessary to these services. Storage space, computing power, memory, and even licensing no longer sit by idly waiting for something to do. If it is needed, it is used and paid for. Figure 1 is a diagram from Wikimedia Commons that provides an overview of cloud computing.
Figure 1. Cloud computing overview
Organizations even look to personnel savings with the cloud. By outsourcing IT services to cloud providers, they are able to free up IT staff to dedicate for projects that move business forward rather than spending time supporting services that cloud providers can take over.
When presented with the cost saving possibilities, it is difficult to understand why organizations are reluctant at times to move data, software, and other services to the cloud. That is, until you consider the security risks that are involved. According to most polls, security is the number one reason why IT leaders are hesitant to move towards cloud-based solutions. A recent survey on LinkedIn showed that 54% of the 7,053 respondents claimed that security is the top concern when it comes to migrating to the cloud.
Like any IT service, there are security vulnerabilities that attackers look for in the cloud. Yet as more IT professionals become aware of these vulnerabilities and how to address them, the cloud becomes a safer place. In fact, venturing into the cloud has improved security according to 57% of the participants of a Mimecast survey. The reason the majority of that group feel that cloud computing is safe is because they understand the threats and have learned how to mitigate them.
This article outlines some of the more common security risks associated with cloud computing along with steps that your organization can take to help mitigate these risks.
Shared technology resources
Cloud computing is broken down into the four deployment models listed and described in Table 1.
Table 1. Cloud computing deployment models
|Public cloud||The service provider makes resources (applications, storage, and so on) available to the general public over the Internet.|
|Community cloud||Several organizations share resources.|
|Private cloud||The infrastructure is dedicated to one organization.|
|Hybrid cloud||This model combines two or more of the other deployment models.|
In the public and community cloud models, and the hybrid model to some extent, many different customers share resources using virtualization. This computing platform presents the following potential weaknesses:
- Communication between different virtual machines or between a virtual machine and the host through shared disks, virtual switches, or virtual local area networks (VLANs) and a shared I/O or cache.
- Generic drivers that emulate hardware.
- Vulnerabilities in the hypervisor that allow the execution of arbitrary code on the host with the privileges of the hypervisor that allow an attacker to control all virtual machines and the host itself.
- Virtual machine-based root kits that allow for modification of the hypervisor system calls to the host operating system to run malicious code.
- An exploit, known as virtual machine escape, where a program in one virtual machine is given unrestricted access to the host through shared resources.
- Denial-of-service attacks run on one virtual machine that bring down the others running on the same host.
The first step you should take to protect against these weaknesses is to understand the environment you are working in. If data or other resources require a secured environment due to laws, standards, or industry regulations, then the approach you take needs to reflect these requirements with care given to the type of environment used. The obvious preference for this scenario is a private cloud solution or possibly a hybrid solution with sensitive data, transactions, and services hosted in the private section to give your organization greater control over security and access.
Next, you need to perform an assessment of your cloud provider. Discuss what steps they take to protect against these vulnerabilities, specifically when it comes to the hypervisor. Inquire about what virtualization software they use and what their schedule is for patching and upgrading. Check to see if the host is using a trusted platform module that creates a trusted relationship with the hypervisor to prevent against modification.
Furthermore, you should make sure that the hypervisor is configured to detect extreme resource consumption to protect against denial-of-service attacks.
Data loss and leakage
In the article, "Data Leakage Prevention and Cloud Computing," KPMG LLP says, "Once data is in a public cloud, your organizational deployment of data leakage prevention (DLP) is of no value in helping to protect the confidentiality of that data. And, your organization has no direct control over the confidentiality of your data in a public cloud in either Software as a Service (SaaS) or Platform as a Service (PaaS) delivery models." See Resources for the full article.
In an age where the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) require organizations to take data protection seriously, what can you do to prevent data leakage in the cloud?
Turning to data leakage prevention products on the market seems like the best solution. However, these products are meant to insure the integrity and availability of data, not to secure it. In addition, these solutions are not likely be deployed in any environment where you do not control the infrastructure.
Prevention instead lies within the hardening of the systems that house and transport data.
First and foremost, the cloud provider should employ a high level of encryption when it comes to handling your data—both when stored and when in transit. You must also take steps ensure that there is a signed service-level agreement between your organization and the cloud service provider that clearly defines the roles and responsibilities for securing data in the cloud. As part of this agreement, make sure the cloud service provider wipes persistent media before releasing it into the pool.
Another step to keeping your organization in compliance with PCI DSS is to make sure there is a properly configured web application firewall to protect web-based applications against a myriad of attacks. Before committing to any SaaS provider, your organization's IT department must discuss the level of protection that is in place to protect web-based software. If allowed, you should perform penetration testing against any applications your company uses.
Finally, you can take steps in-house to protect against data leakage in the cloud, but this involves a change in policies when it comes to data. Organizations that fear data leakage should have policies in place that classify data and provide standards for how to handle the different levels of data. In short, some data may not be meant for storage in the cloud.
In order for their customers to interact with cloud-based services, providers rely on application programming interfaces (APIs). Provisioning, management, orchestration, and monitoring all use these interfaces, so the fundamental security of the services provided in the cloud are dependent on the how secure these APIs are.
Anonymous access or reusable tokens or passwords, clear-text authentication or transmission of content, and inflexible access controls or improper authorizations all present serious security implications. Add to this the limited capabilities that customers have for monitoring and logging, and it seems that the customers are essentially at the mercy of the providers when it comes to who has access to the resources they are paying for.
Finally, there is the issue of APIs created by third parties. While these interfaces are often built to offer value-added services to customers, these add-ons aren't always subjected to the same type of scrutiny and review, thus adding another layer of complexity to the API and increasing the security risk. Furthermore, third-party APIs may expect organizations to give up their credentials—sometimes unbeknownst to them—to access the services provided by the API.
Remediating these risks falls largely under the task of reviewing and analyzing the security model of the cloud provider to make sure everything is being done to secure the APIs.
Your organization should scrutinize the authentication and access controls to make sure transmissions are encrypted. You should also review the dependency chain to make sure you know each API and what it requires before entering into an agreement.
While most of these vulnerabilities fall primarily on the shoulders of the cloud provider, the threat landscape of account or service hijacking is something that is shared between the provider and the customer alike.
While software vulnerabilities can make it possible for an attacker to capture account information at the source, it is not the most common method of stealing user credentials. More commonly, attackers steal user login information through phishing attacks, eavesdropping through malicious software, and fraud. Because people often reuse usernames and passwords for a variety of services, attackers often find that they can hijack credentials from the lowest hanging fruit. This may be another service that the victim uses outside the cloud provider. When attackers have recycled credentials for a user at their disposal, they can then compromise the integrity and confidentiality of data stored in the cloud. They can even use these same credentials to launch attacks against others, causing serious damage to an organization's reputation.
In addition to understanding your cloud provider's security policies, your organization should also perform some type of proactive monitoring of the activity on the cloud-based services so you can monitor unauthorized access and activity.
Unique login credentials and strong password policies also help prevent exploits that stem from shared user information. Two-factor authentication techniques help to further mitigate these types of attacks.
Organizations usually take great strides to screen employees before they hire them or grant access to certain information. When it comes to cloud providers, there is a lack of transparency in regards to the processes and procedures that govern their employees.
Turning services over to a cloud provider usually means that you have no knowledge about who has access, both physically and virtually, to your organization's resources. Cloud providers keep customers in the dark in regards to how they monitor their employees or how they analyze and report on policy compliance.
The opportunity to work with sensitive and financial data presents an attractive opportunity for criminal hackers and corporate spies. Working for a company that provides cloud-based services could enable such an adversary to harvest confidential data or gain complete control over cloud services with little or no risk.
Customers need to understand what providers are doing to detect and defend against malicious insiders as a first step. Not only should you require transparency when it comes to information security and management practices, but you should also find out what the notification process is for breaches in security. If the time frame or reporting process is not acceptable, then you should look for a different provider.
Cloud computing offers some exciting opportunities for increased collaboration, working remotely and globally, and cost savings. While there are risks associated with moving to the cloud, the risks are no greater than when services are hosted internally. The main difference is that the cloud presents attackers with a new landscape in which to attack.
If you take the time to understand the vulnerabilities that exist in the cloud and what you can do to prevent attackers from exploiting them, cloud-based services can be as secure as any service hosted within your organization's local or wide area network.
- Read "Data Leakage Prevention and Cloud Computing" on the KPMG LLP website.
- The Open Web Application Security Project keeps a list of the 10 most dangerous vulnerabilities in cloud computing.
- Explore Wikimedia Commons.
- In the developerWorks cloud developer resources, discover and share knowledge and experience of application and services developers building their projects for cloud deployment.
Get products and technologies
- Check out IBM SmartCloud Enterprise.