Cloud computing security

Cloud computing security or cloud security refers to a broad set of policies, technologies, applications, and controls used to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security and, more broadly, information security.

Security issues associated with the cloud

Cloud computing and storage provide users with the capability to store and process their data in third-party data centers. [1] Organizations use the cloud in a variety of service models (e.g., SaaS, PaaS, IaaS) and deployment models (private, public, hybrid, and community). [2]

Security concerns associated with cloud computing are typically divided into issues faced by cloud providers and those faced by their customers. [3] The responsibility is shared and is often described in a vendor’s "shared responsibility model". [4] [5] [6] The provider must secure its infrastructure, while customers must secure their applications, identities, and configuration settings. [5] [6]

Analyses of large-scale cloud incidents indicate that many breaches result from misconfigurations and long-unremediated exposures rather than solely from zero-day vulnerabilities. [7]

When an organization stores data or hosts applications on the public cloud, it loses physical access to the hardware. As a result, potentially sensitive data may be at risk from insider attacks. According to a 2010 Cloud Security Alliance report, insider attacks rank among the top threats in cloud computing. [8] Cloud service providers must ensure that thorough background checks are conducted for employees with physical access to data centers.

To conserve resources and reduce cost, cloud providers often store multiple customers’ data on the same server. As a result, one user’s private data might be viewable by another without proper isolation. [2] Providers implement data isolation and logical segregation to mitigate these risks.

The extensive use of virtualization in cloud infrastructure brings unique security concerns. [9] Virtualization introduces an additional layer—the hypervisor—that must be secured and correctly configured. [10] A compromise of the hypervisor management system can impact an entire data center. [11]

Cloud security controls

Cloud security architecture is effective only if the correct defensive implementations are in place. An efficient cloud security architecture should recognize the issues that will arise with security management and follow all the best practices, procedures, and guidelines to ensure a secure cloud environment. Security management addresses these issues with security controls. These controls protect cloud environments and are put in place to safeguard any weaknesses in the system and reduce the effect of an attack.

Deterrent controls
Administrative mechanisms intended to reduce attacks by informing attackers of consequences. [12]
Preventive controls
Controls designed to reduce vulnerabilities and prevent unauthorized access. [13]
Detective controls
Controls that detect and respond to security events. Includes monitoring, SIEM, IDS/IPS, malware detection. [14]
Corrective controls
Controls that reduce the impact of an incident and restore systems. [15]

Dimensions of cloud security

Cloud security engineering is characterized by the security layers, planning, design, programming, and best practices that exist within a cloud security arrangement. It requires the written and visual model (design and UI) to be defined by the tasks performed inside the cloud. The engineering process covers access management, methods, and controls that protect applications and data. It also covers ways to maintain visibility, compliance, threat posture, and overall security. Processes for building security standards into cloud services and operations follow an approach that satisfies consistent guidelines and essential infrastructure security components. [16]

Though the idea of cloud computing is not new, organizations are increasingly adopting it because of its flexible scalability, relative trustability, and cost-effectiveness of services. However, despite its rapid adoption in some sectors and disciplines, research and statistics indicate that security-related pitfalls remain a major barrier to its full adoption. [17]

It is generally recommended that information security controls be selected and implemented in proportion to the risks, typically by assessing the threats, vulnerabilities and impacts. Cloud security concerns can be grouped in various ways; Gartner identified seven, while the Cloud Security Alliance identified twelve areas of concern. [18] [19] Cloud access security brokers (CASBs) are software that sits between cloud users and cloud applications to provide visibility into cloud application usage, data protection and governance to monitor all activity and enforce security policies. [20]

Security and privacy

Any service without a “hardened” environment is considered a “soft” target. Virtual servers should be protected just like a physical server against data leakage, malware, and exploited vulnerabilities. “Data loss or leakage represents 24.6 % and cloud-related malware 3.4 % of threats causing cloud outages”. [21]

Identity management

Every enterprise will have its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer’s identity management system into their own infrastructure, using federation or SSO technology or a biometric-based identification system, [1] or provide an identity management system of their own.

Physical security

Cloud service providers physically secure the IT hardware (servers, routers, cables etc.) against unauthorized access, interference, theft, fire, flood etc., and ensure that essential supplies (such as electricity) are sufficiently robust to minimise the possibility of disruption.

Personnel security

Various information security concerns relating to personnel involved in cloud services are typically handled through screening, security-awareness training, and role-based access controls.

Privacy

Providers ensure that all critical data (credit-card numbers, for example) are masked or encrypted and that only authorised users have access to data in its entirety. Moreover, digital identities and credentials must be protected as must any data that the provider collects or produces about customer activity in the cloud.

Penetration testing

Penetration testing is the process of performing offensive security tests on a system, service, or computer network to find security weaknesses in it. Since the cloud is a shared environment with other customers or tenants, following penetration-testing rules of engagement step-by-step is a mandatory requirement. Scanning and penetration-testing from inside or outside the cloud should be authorised by the cloud provider. [22]

Cloud vulnerability and penetration testing

Scanning the cloud from outside and inside using free or commercial tools is crucial. Without a hardened environment, your service is considered a soft target. Virtual servers should be hardened just like a physical server against data leakage, malware, and exploited vulnerabilities. “Data loss or leakage represents 24.6 % and cloud-related malware 3.4 % of threats causing cloud outages”.

Privacy legislation often varies by country. When information is stored in the cloud, it is difficult to determine under which jurisdiction the data falls. Trans-border clouds are popular because the largest companies operate across several countries. The legal dilemmas that arise from this ambiguity concern differences in data-sharing law between organisations and within them. [23]

Unauthorized Access to Management Interface

Due to the autonomous nature of the cloud, consumers are often given management interfaces to monitor their databases. Because the controls sit in one central location and the interface is easily accessible for user convenience, a single actor could gain access to the cloud's management interface, giving them control over much of the system. [24]

Data Recovery Vulnerabilities

The cloud’s use of resource pooling means memory or storage resources may be recycled to another user. It is possible for current users to access information left by previous ones. [24]

Internet Vulnerabilities

Cloud services require internet connectivity and use internet protocols, making them subject to attacks such as man-in-the-middle attacks. Furthermore, heavy reliance on internet connectivity means service disruptions or outages can cut off users entirely. [24]

Encryption Vulnerabilities

As encryption algorithms age, vulnerabilities arise. Cloud providers must stay current with encryption standards and transition older systems before they become compromised. [25]

Encryption

Some advanced encryption algorithms applied to cloud computing increase the protection of privacy. In a practice called crypto-shredding, encryption keys can be deleted when data is no longer used.
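The sketch below is an added example, not code from the original article: it shows crypto-shredding for one tenant whose ciphertext also sits on a replica that cannot be deleted on demand. `KeyVault` and `TenantStore` are hypothetical names, and the cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC, a standard-library stand-in for an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(enc_key, nonce, data):
    # HMAC-SHA256 in counter mode as keystream: a stdlib stand-in for AES-GCM.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(enc_key, nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC under subkeys derived from one data key."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class KeyVault:
    """Hypothetical stand-in for a KMS: the only place data keys exist."""
    def __init__(self):
        self._keys = {}

    def key_for(self, key_id):
        return self._keys.setdefault(key_id, secrets.token_bytes(32))

    def get(self, key_id):
        return self._keys[key_id]      # raises KeyError once shredded

    def shred(self, key_id):
        self._keys.pop(key_id, None)   # a real KMS must also destroy key backups

class TenantStore:
    def __init__(self, vault):
        self.vault = vault
        self.primary, self.backup = {}, {}

    def put(self, tenant, name, data):
        blob = seal(self.vault.key_for(tenant), data)
        self.primary[(tenant, name)] = blob
        self.backup[(tenant, name)] = blob     # replica outside the tenant's reach

    def read(self, tenant, name, replica="primary"):
        blob = getattr(self, replica)[(tenant, name)]
        return unseal(self.vault.get(tenant), blob)

    def offboard(self, tenant):
        """Crypto-shred: destroy the key; ciphertext replicas may persist."""
        self.vault.shred(tenant)
        for k in [k for k in self.primary if k[0] == tenant]:
            del self.primary[k]
```

After `offboard`, the backup replica still holds the blob, but no key exists to open it; the guarantee is only as strong as the assurance that every copy of the key is gone.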

Attribute-based encryption (ABE)

Attribute-based encryption is a form of public-key encryption in which the user’s secret key and the ciphertext depend on attributes (e.g., the country the user lives in, or their subscription type). In such systems, access to decryption depends not simply on identity but on attributes.

Some of the strengths of ABE are that it bypasses the need for explicit key sharing (as in traditional PKI) and identity-based encryption (IBE). However, ABE suffers from key-redistribution complexity: since decryption keys depend on attributes rather than identities, malicious users might leak attribute information, enabling unauthorized access. [26]

Ciphertext-policy ABE (CP-ABE)

In CP-ABE, the encryptor controls the access policy for the ciphertext. The process includes Setup, Encrypt, KeyGen, and Decrypt algorithms; the encryptor defines an access structure that must match a user’s attributes before decryption is allowed. [27]

Key-policy ABE (KP-ABE)

In KP-ABE, the sender encrypts under a set of attributes, and the user’s private key is issued to match a policy describing which ciphertexts they may decrypt. KP-ABE shifts access-control responsibility partially to the key-issuer rather than the encryptor. While it provides flexibility, the policy disclosure may weaken privacy guarantees. [28]

Fully Homomorphic Encryption (FHE)

Fully Homomorphic Encryption allows arbitrary computation on ciphertext without decryption. It is emerging as a high-security option for cloud environments, including voting systems. While promising, it remains largely experimental. [29]

Searchable Encryption (SE)

Searchable encryption enables secure search on encrypted data. It has symmetric and public-key variants. While it supports functionality over encrypted data, it introduces extra attack surfaces, especially when attribute indexing is involved. [30]
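As an added illustration (not part of the original article), the following sketch implements the core of the symmetric variant: the client indexes documents under HMAC-derived keyword tokens, and the provider answers queries without seeing a keyword. The `Client` and `Server` classes and the sample corpus are constructed for this example; `leakage()` shows the extra attack surface, namely the search and access patterns the provider can still record.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample corpus; ids are opaque handles to separately encrypted blobs.
DOCS = {
    "d1": "invoice payroll march",
    "d2": "payroll audit findings",
    "d3": "holiday schedule",
}

def token(key, keyword):
    """Deterministic search token: HMAC-SHA256 over the normalized keyword."""
    return hmac.new(key, keyword.lower().encode(), hashlib.sha256).digest()

class Client:
    """Data owner: keeps the key, builds the index, issues query tokens."""
    def __init__(self):
        self.key = secrets.token_bytes(32)

    def build_index(self, docs):
        index = defaultdict(set)
        for doc_id, text in docs.items():
            for word in set(text.split()):
                index[token(self.key, word)].add(doc_id)
        return dict(index)

    def query(self, keyword):
        return token(self.key, keyword)

class Server:
    """Untrusted provider: stores token -> ids, never sees a keyword."""
    def __init__(self, index):
        self.index = index
        self.seen = []          # what an honest-but-curious server can log

    def search(self, tok):
        hits = set(self.index.get(tok, ()))
        self.seen.append((tok, frozenset(hits)))
        return hits

    def leakage(self):
        """Search pattern (repeated queries) and access pattern (result sizes)."""
        toks = [t for t, _ in self.seen]
        repeats = len(toks) - len(set(toks))
        return repeats, [len(h) for _, h in self.seen]

def demo():
    client = Client()
    server = Server(client.build_index(DOCS))
    for kw in ("payroll", "Payroll", "holiday"):
        print(kw, sorted(server.search(client.query(kw))))
    print("server-side leakage:", server.leakage())

if __name__ == "__main__":
    demo()
```

Because tokens are deterministic, the provider learns when the same keyword is searched twice and which documents match it, even though the keyword itself stays hidden.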

Compliance

Numerous laws and regulations govern the storage and use of data. In the US these include privacy and data-protection laws, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, the Federal Information Security Management Act of 2002 (FISMA), and the Children’s Online Privacy Protection Act of 1998. Similar standards exist in other jurisdictions (e.g., Singapore’s Multi-Tier Cloud Security Standard).

Similar laws may apply in different legal jurisdictions and may differ markedly from those in the US. Cloud service users must often understand the legal and regulatory differences between the jurisdictions. For example, data stored by a cloud service provider (CSP) may be located in, say, Singapore and mirrored in the US. [31]

Business continuity and data recovery
Cloud providers have business continuity and data recovery plans in place to ensure service continuity and data protection. [32]
Log and audit trail
In addition to producing logs and audit trails, cloud providers work with their customers to secure these logs and ensure they’re accessible for forensic investigation (e.g., eDiscovery).
Unique compliance requirements
In addition to the requirements on customers, data centers used by cloud providers may be subject to additional compliance obligations. Using a cloud service provider (CSP) can lead to extra security concerns around data jurisdiction since customer or tenant data may not remain in the same location or provider’s cloud. [33]
Cloud providers’ security and privacy agreements must align to customer requirements and regulation

Aside from the security and compliance issues already discussed, cloud providers and their customers negotiate terms around liability (stipulating how incidents involving data loss or compromise will be resolved, for example), intellectual property, and end-of-service (when data and applications are ultimately returned to the customer). These issues are typically addressed in service-level agreements (SLAs). [34]

Public records

Legal issues may also include records-keeping requirements in the public sector, where agencies must retain and make available electronic records in a specific fashion.

References

  1. Haghighat, Mohammad; Zonouz, Saman; Abdel-Mottaleb, Mohamed (November 2015). "CloudID: Trustworthy cloud-based and cross-enterprise biometric identification". Expert Systems with Applications. 42 (21): 7905–7916. doi:10.1016/j.eswa.2015.06.025. S2CID 30476498.
  2. Srinivasan, Madhan Kumar; Sarukesi, K.; Rodrigues, Paul; Manoj, M. Sai; Revathy, P. (2012). "State-of-the-art cloud computing security taxonomies". Proceedings of the International Conference on Advances in Computing, Communications and Informatics - ICACCI '12. pp. 470–476. doi:10.1145/2345396.2345474. ISBN 978-1-4503-1196-0. S2CID 18507025.
  3. "Swamp Computing a.k.a. Cloud Computing". Web Security Journal. 2009-12-28. Archived from the original on 2019-08-31. Retrieved 2010-01-25.
  4. "Cloud Controls Matrix v4" (xlsx). Cloud Security Alliance. 15 March 2021. Retrieved 21 May 2021.
  5. "Shared Security Responsibility Model". Navigating GDPR Compliance on AWS. AWS. December 2020. Retrieved 21 May 2021.
  6. C. Tozzi (24 September 2020). "Avoiding the Pitfalls of the Shared Responsibility Model for Cloud Security". Palo Alto Networks Blog. Retrieved 21 May 2021.
  7. "Cloud Security Programs: What You Need to Know". Varonis. Retrieved 2025-02-15.
  8. "Top Threats to Cloud Computing v1.0" (PDF). Cloud Security Alliance. March 2010. Retrieved 2020-09-19.
  9. Winkler, Vic. "Cloud Computing: Virtual Cloud Security Concerns". Technet Magazine, Microsoft. Retrieved 12 February 2012.
  10. Hickey, Kathleen (18 March 2010). "Dark Cloud: Study finds security risks in virtualization". Government Security News. Archived from the original on 30 January 2012. Retrieved 12 February 2012.
  11. Winkler, Joachim R. (2011). Securing the Cloud: Cloud Computer Security Techniques and Tactics. Elsevier. p. 59. ISBN 978-1-59749-592-9.
  12. Andress, Jason (2014). "Physical Security". The Basics of Information Security. pp. 131–149. doi:10.1016/B978-0-12-800744-0.00009-9. ISBN 978-0-12-800744-0.
  13. Virtue, Timothy; Rainey, Justin (2015). "Information Risk Assessment". HCISPP Study Guide. pp. 131–166. doi:10.1016/B978-0-12-802043-2.00006-9. ISBN 978-0-12-802043-2.
  14. "Detective Security Controls". 2020-12-04. Retrieved 7 December 2023.
  15. "What are Security Controls?". 2019-08-22. Retrieved 7 December 2023.
  16. "Cloud Security Architecture". GuidePoint Security LLC. 2023. Retrieved 6 December 2023.
  17. [citation needed]
  18. "Gartner: Seven cloud-computing security risks". InfoWorld. 2008-07-02. Retrieved 2010-01-25.
  19. "Top Threats to Cloud Computing Plus: Industry Insights". Cloud Security Alliance. 2017-10-20. Retrieved 2018-10-20.
  20. "What is a CASB (Cloud Access Security Broker)?". CipherCloud. Archived from the original on 2018-08-31. Retrieved 2018-08-30.
  21. Ahmad Dahari Bin Jarno; Shahrin Bin Baharom; Maryam Shahpasand (2017). "Limitations and challenges on Security Cloud Testing" (PDF). Journal of Applied Technology and Innovation. 1 (2): 89–90.
  22. Guarda, Teresa; Orozco, Walter; Augusto, Maria Fernanda; Morillo, Giovanna; Navarrete, Silvia Arévalo; Pinto, Filipe Mota (2016). "Penetration Testing on Virtual Environments". Proceedings of the 4th International Conference on Information and Network Security – ICINS ’16. pp. 9–12. doi:10.1145/3026724.3026728. ISBN 978-1-4503-4796-9. S2CID 14414621.
  23. Svantesson, Dan; Clarke, Roger (July 2010). "Privacy and consumer risks in cloud computing". Computer Law & Security Review. 26 (4): 391–397. doi:10.1016/j.clsr.2010.05.005. hdl:1885/57037. S2CID 62515390.
  24. Grobauer, Bernd; Walloschek, Tobias; Stocker, Elmar (March 2011). "Understanding Cloud Computing Vulnerabilities". IEEE Security & Privacy. 9 (2): 50–57. doi:10.1109/MSP.2010.115. S2CID 1156866.
  25. Rukavitsyn, Andrey N.; Borisenko, Konstantin A.; Holod, Ivan I.; Shorov, Andrey V. (2017). "A cloud computing security solution based on fully homomorphic encryption". 2017 XX IEEE International Conference on Soft Computing and Measurements (SCM). pp. 272–274. doi:10.1109/SCM.2017.7970558. ISBN 978-1-5386-1810-3. S2CID 40593182.
  26. Xu, Shengmin; Yuan, Jiaming; Xu, Guowen; Li, Yingjiu; Liu, Ximeng; Zhang, Yinghui; Ying, Zuobin (October 2020). "Efficient ciphertext-policy attribute-based encryption with black-box traceability". Information Sciences. 538: 19–38. doi:10.1016/j.ins.2020.05.115. S2CID 224845384.
  27. Bethencourt, John; Sahai, Amit; Waters, Brent (May 2007). "Ciphertext-Policy Attribute-Based Encryption" (PDF). 2007 IEEE Symposium on Security and Privacy (SP ’07). pp. 321–334. doi:10.1109/SP.2007.11. ISBN 978-0-7695-2848-9. S2CID 6282684.
  28. Wang, Chang-Ji; Luo, Jian-Fa (November 2012). "A Key-Policy Attribute-Based Encryption Scheme with Constant Size Ciphertext". 2012 Eighth International Conference on Computational Intelligence and Security. pp. 447–451. doi:10.1109/CIS.2012.106. ISBN 978-1-4673-4725-9. S2CID 1116590.
  29. Armknecht, Frederik; Katzenbeisser, Stefan; Peter, Andreas (2012). "Shift-Type Homomorphic Encryption and Its Application to Fully Homomorphic Encryption" (PDF). Progress in Cryptology – AFRICACRYPT 2012. Lecture Notes in Computer Science. Vol. 7374. pp. 234–251. doi:10.1007/978-3-642-31410-0_15. ISBN 978-3-642-31409-4.
  30. Naveed, Muhammad; Prabhakaran, Manoj; Gunter, Carl A. (2014). "Dynamic Searchable Encryption via Blind Storage". 2014 IEEE Symposium on Security and Privacy. pp. 639–654. doi:10.1109/SP.2014.47. S2CID 10910918.
  31. "Managing legal risks arising from cloud computing". DLA Piper. 29 August 2014. Retrieved 2014-11-22.
  32. "It's Time to Explore the Benefits of Cloud-Based Disaster Recovery". Dell.com. Archived from the original on 2012-05-15. Retrieved 2012-03-26.
  33. Winkler, Joachim R. (2011). Securing the Cloud: Cloud Computer Security Techniques and Tactics. Elsevier. pp. 65, 68, 72, 81, 218–219, 231, 240. ISBN 978-1-59749-592-9.
  34. Adams, Richard (2013). "The emergence of cloud storage and the need for a new digital forensic process model" (PDF). In Ruan, Keyun (ed.). Cybercrime and Cloud Forensics: Applications for Investigation Processes. Information Science Reference. pp. 79–104. ISBN 978-1-4666-2662-1.
