Question

what are cloud computing security concerns and their countermeasures

Answer 1

SECURITY ISSUES AND COUNTERMEASURES

The top cloud computing threats include data breaches, data loss, account hijacking, insecure API’s, denial-of-service, malicious insiders, abuse of service, insufficient due-diligence, and shared technology.

Data Breaches

In cloud computing, the virtual machines (VMs) are residing in the same physical host and when one VM is able to access information from another VM, data breach occurs. The major risk factor is when the tenants of the two VMs are different customers. Data can be breached from highly sophisticated secured servers to poorly designed multi-tenant database where a flaw in the client’s application can lead the hacker to access client’s information and also information of every other client. Also, the rise of Web 2.0 applications and SaaS has increased the chances of side-channel attacks (nonintrusive attacks) even though transmission between web browser and server are encrypted through HTTPS and Wi-Fi encryption).

Some of side-channel attacks described with countermeasures.

Data Loss

There are a lot of ways data can be lost in cloud. Some of the reasons that could lead to permanent loss of data include malicious attacker, hard drive failure, fire or earthquake. Some of these reasons could be due to the service providers fault. Also, if the user encrypts the data and loses the encryption key, data cannot be recovered. Data protection should be done at different levels such as data in transit, data at rest and data in use. There are many data loss prevention (DLP) tools that can be chosen by organizations as per need. While data backup and encryption are the key countermeasures, there are some other new ways. Georedundant storage by Azure supports high availability for applications like scaling to multiple instances amongst others. GRS provides protection against major datacenter failures which asynchronously replicates six copies of the data across different sites of which three copies are sites on the same site and the other three are located at a different geographic region. Others such as network encryption, access controls, intrusion detection, prevention and Security training should also be implemented. Also, organizations should not link accounts together where one account is daisy chained to other accounts where there are highly chances if one account is hacked, the hackers gain access to all the other accounts it is linked to. Furthermore, service agreements containing privacy and security should be reviewed to update the terms and policies and the customers notified on a regular basis.

Some countermeasures are

Account Hijacking

Account hijacking or service hijacking uses attack methods such as phishing, fraud and exploitation of software vulnerabilities where credentials and passwords are reused. If an attacker gains access, they can eavesdrop on your transactions, manipulate the data and make the data untrustworthy. If the attacker gains access to the cloud VM that hosts our website, they can run malicious code and re-direct clients to illegitimate sites or make it inaccessible. Describes some countermeasures to prevent account hijacking.

Some countermeasures are

Insecure API’s

We have seen that the users communicate through API's and they are accessible from anywhere over the internet. Malicious attackers can use them and compromise confidentiality, availability, accountability and integrity. Cloud API's are basically software interfaces, typically standard-based which the cloud providers make available for the customers in managing their cloud services. Some of the important issues the users should be focusing on are the transport security, authentication and authorization, code and development practices and message protection.

Some countermeasures are

Denial-of-Service

The Denial-of-service (DoS) attacks attempts to make the system or network resources unavailable to the users from accessing their data and applications from cloud. This can be temporarily, indefinite interrupt or completely suspend the service of the host. The attacker can disrupt the services in the virtualized cloud environment by using the RAM, CPU, network bandwidth, and disk space. The attacker can also use distributed denial-of-service (DDoS) where more than one unique IP- address are used.

Some countermeasures are

Malicious Insiders

The employees who are working for cloud service providers such as the system administrator will have complete access to the SaaS, PaaS, and IaaS resources. Their access can be a big threat to customers to view confidential data. Any misuse by malicious insider is possible and hard to detect due to the lack of transparency into providers process and procedure. This affects the core principles of information Security (confidentially, authenticity, authorization, integrity, data protection, accountability and non-repudiation) . Countermeasures include implementing a tracking system which can generate reports of employee’s activities. Also, a client- side encryption gateway can ensure that access to the encryption key is controlled only by the enterprise, and not by the cloud service provider or a third-party encryption provider . So, even if the data is intercepted, the hackers will not be able to view the clear data since it will remain encrypted and safe. Client side encryption is a way to protect data since the encryption is done locally within the client’s browser and the private key is never transmitted to the server which leaves the data protected.

Abuse of Cloud Service

The main concern is for the CSVs rather than cloud service clients since the users will be trying to hack the system to gain access to confidential data. Anyone with a card can sign up for a free limited time period which the CSV and launch potential attacks such as password cracking and execute malicious commands. It has basically never been easier for an attacker to get illegal access to high-performance computing environment. Zeus botnet (phishing Trojan) was known to be hosted on virtual machine within Amazon cloud which led to Amazon's IP address range being blacklisted on spam list where good customers running email server on Amazon were rejected as well. This affects the core information security which is availability. There have been instances where rouge administrators conducted nefarious activities. Countermeasures include enforcing transparency into overall information security and management practices. Moreover, a credit card fraud detection mechanism can be designed to ensure unwanted registration to the cloud. Strict penalties should be enforced to cloud violators which will minimize abuse of cloud. Also, a thorough examination of network traffic via network devices logs up to application level logs should be continuously monitored. Furthermore, defense-in-depth should be used since the components include biometric verifications, antispyware, firewalls and intrusion detection. Such mechanisms are based on military principles where it is very difficult to penetrate multilayered system than a single system. If a hacker gains access, defense-in-depth gives network engineers and administrators’ time to deploy updated or new systems. A well design strategy can also identify who tried to compromise the system.

Insufficient Due-Diligence

There are hundreds of CSVs and understanding their capabilities, governance, partners, and presence/absence of redundancy and good disaster recovery in their data centers. These are actually threats if you do not perform the due diligence. When designers and architects who are unfamiliar with the cloud technologies are designing applications, unknown operational issues arise . Planning for due diligence of the CSV must include IT due-diligence checklist such as guidance from NIST and Cloud Security Alliance. The cloud provider must setup requirement for implementing applications and service using industry standard as well perform risk assessment using qualitative and quantitative methods after certain intervals to check storage, flow and processing of data. Moreover, the cloud users should consider any recent change in CSVs operating or regulatory environment, any new products adopted and other foreign operations. The cloud users should focus on how that CSV handles business continuity plan and disaster recovery plan.

Shared Technology

The three models of cloud computing (SaaS, PaaS, IaaS) is being compromised by the shared technology issue. The CSVs adopt scalable infrastructure to support multitenant environment where if one component is compromised, this exposes the risk to the entire environment which in the other hand can be said about the shared services which includes CPU caches, shared databases and shared storage. An indepth defensive strategy should apply such as use of CPU, networking, storage, applications and user access and also monitoring should be used for destructive moves and behaviors. Nothing less than best practices of installation or configuration and monitoring for unauthorized changes should be implemented. Also, strong authentication and access control for admin access and clients should be implemented. Some other steps include SLA's for patching and vulnerability remediation and to conduct vulnerability scanning and configuration audits. Moreover, if for some reason the physical server has down-time for maintenance or compliance reasons in the CSV’s datacenter, then the guest VM's will be automatically moved to other hosts. This can be achieved through vMotion in VMware and is known as high availability. When moving, the right security policy and filtering capability also needs to move otherwise other VM's will gain access to your data and this can be a big security concern.