Along with the rapid development of information technology, organizations are seeking new ways of driving their businesses forward, and the responsibility for managing these increasing demands now falls on computer networks, which are expected to provide a competitive edge and create new opportunities at reduced cost and with efficient service. This has accelerated business and technological initiatives that promise to deliver these services at comparatively low infrastructure and operating costs. A fine example of this is the rapid growth of cloud computing.
Cloud computing, often referred to simply as “the cloud”, is a distributed architecture that centralizes server resources on a scalable platform, enabling ubiquitous access to configurable resources and services. It provides storage of and access to data over the Internet instead of on our computer’s hard drive. Leveraging the Internet, it provides unparalleled, distributed services based on virtualization and service-oriented architecture. The cloud is not another new technology; rather, it is a delivery model for information services that uses existing technologies. It does an excellent job of reducing the time spent on IT infrastructure and maintenance. The cloud presents itself as a ubiquitous, dynamically scalable, on-demand model that can be purchased on a ‘pay-as-you-go’ basis without any prior subscription or under/overprovisioning.
Security Issues of Cloud Computing
A tremendous number of organizations, both small and large, are embracing public and private cloud computing at a rapid pace. According to one study, almost one-third of all organizations have been using public and private cloud infrastructure for more than three years, and more than half of all organizations run their production workloads entirely in the cloud. The concept of cloud computing is far more than just a physical or virtual server; it amounts to a different cybersecurity model, and gradually all of these differences lead to a wide range of security issues.
Environments in the cloud are multidomain environments in which each domain may have different requirements in terms of security, privacy, and trust, and may employ a variety of mechanisms and methodologies. These domains can represent individually enabled services or any other components of the infrastructure. Service-oriented architectures are the relevant technology that facilitates these multidomain formations through service composition and orchestration. Although the cloud helps organizations accomplish more by breaking the physical bonds between users and the infrastructure, several security threats must be overcome to gain the benefits of this rapidly growing computing paradigm. Enterprises are no longer sitting and wondering whether they should take the risk of migrating their applications and data to the cloud. Instead, they are doing it, but security remains a serious concern. The first step in minimizing risk in the cloud is to identify the top security threats.
All the security concerns associated with cloud computing fall into one of two broad categories: challenges faced by cloud providers and challenges faced by their customers. The responsibility for staying secure, however, is shared. It is the provider’s responsibility to ensure that its infrastructure is secure and that its clients’ data is protected by all possible means, while the user is responsible for fortifying their application and using effective authentication measures. Security and privacy are two of the major concerns in cloud computing. In the world of cloud computing, the user accesses, through a virtual environment, computing power that exceeds what is contained within their physical world. To gain access to this virtual environment the user has to transfer data through the cloud, which opens the door to numerous security breaches.
1. Data Leaks
A data leak, also referred to as a data breach, is the release of confidential and private data to an untrusted or unauthenticated environment. Some of the challenges in the cloud are also prevalent in traditional corporate networks, but since the amount of data stored on cloud servers is huge, providers often become the victims of these attacks. Here the severity of the damage is directly proportional to the sensitivity of the data that is exposed. It gets worse when financial data is leaked, but breaches that involve health information, trade secrets, and intellectual property can be even more devastating, because when a data breach takes place it is not only the customers who suffer: companies may also incur huge fines, or even face serious criminal charges.
Apart from the huge costs that rack up due to breach investigations, brand damage and loss of business can also have their own indirect impacts on the organization for years. In a public cloud, where you are sharing resources with other organizations, the government could get “reasonable cause” to seize your assets if another company has violated the law. In this way you may put your data at risk of seizure just because you are sharing the environment in the cloud. Though cloud providers deploy security controls that protect their environments, it is the responsibility of organizations to protect their own data in the cloud. Thus, the following question remains: “Is the cloud inherently less safe, with all the sensitive data being stored online?”
2. Poor Authentication
Numerous attacks result from broken authentication. Most organizations have a hard time with identity management systems that try to allocate permissions according to the user’s job role. Sometimes they even forget to revoke user access when the job function changes or when the user leaves the organization. Developers often embed credentials and cryptographic keys in source code and leave them in repositories such as GitHub, a public-facing environment. But it is very important for keys to be appropriately protected, along with a well-secured public key infrastructure. These keys also need to be rotated periodically, making it harder for attackers to use them without authorization. Organizations should understand and be aware of all the security measures their providers use to protect identity data. Multifactor authentication techniques such as one-time passwords and phone-based authentication should be encouraged, as these make it difficult for hackers to log in with stolen credentials.
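As an added illustration, not code from the original article, the following scanner shows the kind of pre-commit check that catches credentials and keys before they reach a repository; the detection rules, the sample file and the secret values in it are constructed for the demonstration.

```python
# Added example, not code from the original article: a pre-commit style
# scanner that flags credentials and private keys embedded in source files.
# The sample file and the secret values in it are constructed.
import math
import re
from collections import Counter

# The AWS access key ID shape (AKIA + 16 upper-case alphanumerics) and the
# PEM header are real formats; the assignment pattern is a heuristic that
# catches "password = '...'", "API_KEY: '...'" and similar, and will need
# tuning for a given code base.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded_secret_assignment",
     re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*"
                r"['\"]([^'\"]{8,})['\"]")),
]
PLACEHOLDERS = ("changeme", "example", "placeholder", "xxxx", "<")


def shannon_entropy(s: str) -> float:
    """Bits per character; real keys and generated passwords score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, path: str = "<memory>"):
    """Return findings as (path, line_no, rule, redacted_value) tuples.

    The secret itself is never returned in full, so the report can be
    logged or posted to a ticket without leaking it a second time.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES:
            for m in rx.finditer(line):
                if rule == "hardcoded_secret_assignment":
                    value = m.group(2)
                    # Skip obvious placeholders and low-entropy dummy values.
                    if any(p in value.lower() for p in PLACEHOLDERS):
                        continue
                    if shannon_entropy(value) < 3.0:
                        continue
                else:
                    value = m.group(0)
                findings.append((path, line_no, rule, value[:4] + "..." + "*" * 4))
    return findings


# Constructed sample: one real-shaped key ID, one placeholder that should be
# ignored, one genuine-looking password and a pasted private key header.
SAMPLE_SOURCE = '''import boto3
AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
password = "changeme-please"
db_password = "Tr0ub4dor&3xyz"
-----BEGIN RSA PRIVATE KEY-----
'''

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE, "settings.py"):
        print("%s:%d %s %s" % finding)
```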
3. Loss of Data
As the cloud has matured over the years, examples of cloud providers losing data have become extremely rare. But attacks that permanently delete cloud data and harm businesses are still prevalent, and cloud data centers are as vulnerable to natural disasters as any other facility. A malicious attack, a natural disaster, or a wipe by the service provider can erase data in the cloud. For a business that does not have any kind of recovery plan, losing data can be a devastating event. The best-known example of this is when Google lost data after lightning struck its power grid about four times. To secure your data, carefully review your provider’s backup procedures, as they depend heavily on physical storage locations, physical disasters, and physical access. The task of protecting data from loss is not imposed solely on the cloud service provider. If a customer encrypts the data and sends it to the cloud, then the burden of protecting the key is on the customer, because once the key is lost, all the data associated with it is lost too.
Backing up data every day and storing it off-site remains an important aspect of cloud environments. Certain compliance policies specify the amount of time for which companies must retain their audit records and other related documents, and losing such data may have serious regulatory consequences. A few data protection rules treat the destruction and corruption of personal data as data leaks, thus requiring suitable notifications. It is therefore always important to know the rules in order to stay out of trouble.
4. System Vulnerabilities
We have already learned that cloud security is a shared burden between the client and the provider. This relationship requires the client to take certain preventive actions to ensure that the data always stays protected. The essential point is that clients and providers both have shared responsibilities, and neglecting either side may result in vulnerabilities. System vulnerabilities, exploitable bugs in programs, are nothing new, but today they have grown into a bigger problem with the rapid growth of multitenancy in cloud computing. Multiple companies share memory, databases, and various other resources with one another, creating a larger attack surface.
Fortunately, some basic practices can be used to mitigate these vulnerabilities: regular vulnerability scanning, prompt patch management, and rapid follow-up on reported system threats. According to the Cloud Security Alliance, the costs incurred in mitigating these system vulnerabilities “are small when compared to other IT expenditures.” Indeed, the expense of putting IT processes in place to discover and repair vulnerabilities is relatively small compared to the huge potential damage. Thus, it is considered a best practice in all regulated industries to apply patches as quickly as possible.
5. Denial of Service (DoS) Attacks
We have heard of numerous cyberattacks that establish a long-term foothold and steal sensitive information. Denial of service attacks are an exception. Though they do not attempt to breach the security perimeter, they make your services unavailable to legitimate users by overloading your servers. In a few scenarios, however, denial of service is also used as cover for other malicious activities, and to take down security measures such as application firewalls.
Though these attacks have existed for years, they have gained prominence again, this time thanks to cloud computing. These attacks affect availability: systems slow to a crawl or simply time out. They consume huge amounts of processing power, making it impossible to respond to other valid, authenticated requests. Apart from DDoS attacks, organizations should be aware of the various asymmetric and application-level DoS attacks that target web servers and databases. Such an attack is like being caught in rush-hour gridlock, where there is nothing you can do but wait. Providers are better placed than their customers to handle DoS attacks, because the strategy is to mitigate the attack before it occurs, and provider administrators have access to the necessary resources whenever they require them.
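To make the two attack patterns concrete, here is an added example (not from the original article) that detects both a request flood and an asymmetric attack in constructed access-log lines; the log format, the client addresses and the thresholds are assumptions for the demonstration.

```python
# Added example, not code from the original article: a detector for the
# volumetric and asymmetric application-level DoS patterns described above,
# run over constructed access-log lines. The log format, the client
# addresses and the thresholds are assumptions for the demonstration.
from collections import defaultdict, deque
from datetime import datetime, timezone


# Constructed format: "<UTC time> <client ip> <method> <path> <status> <server ms>"
# where the last field is the time the server spent producing the response.
def parse_line(line):
    ts, ip, _method, path, status, ms = line.split()
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.timestamp(), ip, path, int(status), int(ms)


def detect(lines, window_s=10, max_requests=50, max_server_ms=10_000):
    """Map client ip -> reason for every client that exceeds a budget.

    Two budgets are kept per client over a sliding window: the number of
    requests (a flood) and the total server time consumed (an asymmetric
    attack: few requests, each expensive). Lines must be in time order.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, server_ms)
    spent = defaultdict(int)      # ip -> server ms inside the window
    alerts = {}
    for line in lines:
        t, ip, _path, _status, ms = parse_line(line)
        recent[ip].append((t, ms))
        spent[ip] += ms
        # Drop entries that have fallen out of the window.
        while recent[ip] and recent[ip][0][0] < t - window_s:
            _old_t, old_ms = recent[ip].popleft()
            spent[ip] -= old_ms
        if ip in alerts:
            continue
        if len(recent[ip]) > max_requests:
            alerts[ip] = f"{len(recent[ip])} requests in {window_s}s (flood)"
        elif spent[ip] > max_server_ms:
            alerts[ip] = f"{spent[ip]} ms of server time in {window_s}s (asymmetric)"
    return alerts


def build_sample_log():
    """Constructed traffic: one normal client, one client pulling a costly
    export repeatedly, and one client hammering the login endpoint."""
    lines = [
        "2024-03-01T10:00:00Z 198.51.100.7 GET /index.html 200 12",
        "2024-03-01T10:00:01Z 203.0.113.9 GET /report/export?range=all 200 4200",
        "2024-03-01T10:00:02Z 203.0.113.9 GET /report/export?range=all 200 4100",
        "2024-03-01T10:00:03Z 203.0.113.9 GET /report/export?range=all 200 4300",
        "2024-03-01T10:00:03Z 198.51.100.7 GET /about.html 200 9",
    ]
    for i in range(60):  # 60 cheap requests from one address across 5 seconds
        lines.append(f"2024-03-01T10:00:{4 + i // 12:02d}Z 192.0.2.44 POST /login 401 30")
    return lines


if __name__ == "__main__":
    for ip, reason in detect(build_sample_log()).items():
        print(f"ALERT {ip}: {reason}")
```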
6. Cloud Abuses
With cloud-based services, both small and multinational companies can host vast amounts of data easily. But the unprecedented storage capacity provided by the cloud has also allowed hackers and unauthorized users to easily host and spread malware and illegal software. These services can be misused to support nefarious activities, such as breaking an encryption key to launch an attack. Other despicable attacks, including DDoS, sending spam, and phishing emails, are also made easy for hackers.
These abuses may also include sharing pirated software, videos, music, or books, and depending on the damage incurred, huge fines may be imposed. Service providers need to learn about the various types of abuse and offer customers tools to monitor the health of their cloud accordingly. Although customers are not the direct victims here, they may suffer service availability issues and data losses. Therefore, customers should always ensure that their providers offer a security mechanism for reporting abuse.
7. API Insecurity
Application programming interfaces (APIs) give users the ability to customize their cloud experience according to their needs. Although APIs are of great use, they can be a huge threat to cloud security precisely because of their customizable nature: along with customization, they also provide customers with authentication and access provisioning. Companies like Google, Facebook, YouTube, and many others provide programmers with numerous tools that help them build programs that integrate their applications with other highly demanded software.
Although this benefits programmers and businesses, it also gives rise to several security risks that lie in the communication between multiple applications, and these interfaces leave exploitable security gaps. Weak APIs make organizations the victims of numerous security issues related to confidentiality, integrity, availability, and accountability.
8. Hijacking of Accounts
Alongside phishing, fraud, and software exploitation, the adoption of cloud services has opened a new dimension in the set of threats, because with account hijacking attackers can take part in several illegal activities, including manipulating transactions and modifying sensitive data. This even leads to attackers using cloud applications to launch their own devastating attacks.
Thanks to hijacking, attackers can use your credentials to access your sensitive data stored in the cloud. Their methods include exploiting scripting bugs and reusing passwords to steal sensitive data. In this way, they can even misuse and manipulate the original data for their own benefit. Another prominent example of hijacking is the Man in the Cloud attack, the latest trending threat, which involves hijacking the user tokens that cloud platforms issue to verify authenticated users. To minimize these risks, companies must ensure that credentials are not shared between users and services, and should use multifactor authentication mechanisms. Thus, our end goal should always be to protect account credentials from being hijacked.
9. Insider Attacks
Sometimes an attack may come from within our own organization. The threat from inside has many shades: it may be a current or former employee, a system administrator, or, in the worst case, even a business partner. The motives behind these threats range from stealing data for profit to outright revenge. With the cloud, the insider may either destroy the whole infrastructure and its services or steal, manipulate, and misuse data for profit. Systems that depend solely on the cloud service provider for security have a higher chance of being attacked by such insiders. Though these kinds of attacks seem to take place very rarely, they still occur in a few scenarios.
Also, in a few cases it is easy to misconstrue a genuine entity as a “malicious” insider. For example, when a network administrator accidentally copies a sensitive database to a publicly accessible server, that is an accident that can be misconstrued as an attack. Thus, it is recommended that every organization implement logging, monitoring, and auditing services as effectively as possible.
10. Poor Diligence
Until now, most of the issues we have learned about have been technical in nature. This threat, however, arises when an organization is not clear about its policies, resources, and methodologies for the cloud. Organizations that adopt the cloud without a complete understanding of its environment and the associated risks may encounter numerous technical, financial, and legal risks.
In some cases, organizations are not aware of the provider’s liability in the event of data loss, because they fail to scrutinize the contract properly. Poor diligence also creates numerous risks when organizations migrate to the cloud without a proper understanding of all the services it provides. Thus, it is highly recommended that any company research all the benefits intensively before simply subscribing to the cloud.
11. Packet Sniffing
Packet sniffing is one of various network attacks that allow an attacker to access your files and other information. The attack becomes possible when the filter that stops host machines from viewing traffic not meant for them is turned off, so the attacker is able to view data as it crosses the network. Sniffing can be implemented locally, or on a server or router connected to the network, and it can also take the form of software that listens on a network device for interesting packets. When the software encounters a packet matching its criteria, it automatically writes it to a log file. Usually the interesting packets are those that include words like “login”, “password”, or “credentials”. Most cloud service providers still do not provide any strong protection against one customer attempting to view another’s data. Thus, encrypting sensitive traffic should be standard practice to avoid these attacks as far as possible.
12. Malware Injection
Malware injection is a type of attack in which a piece of code is injected into the cloud, and this embedded code tricks the cloud into treating it as a Software-as-a-Service instance. If this succeeds, the cloud system automatically redirects even legitimate user requests to the injected malware. Once it gains access to the cloud, it starts to steal data and misuse it. In this way, attackers gain control over the data without any valid authentication. Owing to the rapid growth of these attacks, malware injection has become one of the major security concerns in cloud computing systems.
13. Port Scanning
Port scanning is a malicious technique that identifies open, closed, and filtered ports on a system in a cloud environment. Intruders then seize sensitive data with the help of whatever open ports are available. What such ports reveal includes the services running on a system, IP and MAC addresses, the gateway, and firewall rules. When the subscriber allows traffic to flow from any source to a specific port, that port becomes vulnerable to a port scan. This is because a port is the place where information goes into and out of the computer, so port scanning identifies the open doors to that computer. There is no way to stop these scans entirely while you are using the Internet, because communicating with an internet server opens a port on your computer. In cloud computing, the attacker attacks services by discovering the open ports on which those services are currently running.
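The following added example, not part of the original article, audits a constructed set of ingress rules for exactly this condition, ports reachable from any source; the rule format, the rule set and the port classifications are assumptions made for the demonstration.

```python
# Added example, not code from the original article: an audit of ingress
# rules that reports which ports are reachable from any source, the
# condition the paragraph above describes. The rule format and the rule
# set are constructed; the port classifications are assumptions.
import ipaddress

# Ports whose exposure to the whole Internet is almost never intended.
HIGH_RISK_PORTS = {
    22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc",
    3306: "mysql", 5432: "postgres", 1433: "mssql",
    27017: "mongodb", 6379: "redis", 9200: "elasticsearch",
}
PUBLIC_WEB_PORTS = {80, 443}
BROAD_RANGE = 1000          # more ports than this in one rule is suspicious
BROAD_SOURCE = 65_536       # a source block larger than a /16 is treated as broad

# Constructed rule set: inclusive port range plus a source CIDR per rule.
RULES = [
    {"id": "web-https", "proto": "tcp", "from": 443, "to": 443, "src": "0.0.0.0/0"},
    {"id": "ssh-anywhere", "proto": "tcp", "from": 22, "to": 22, "src": "0.0.0.0/0"},
    {"id": "ssh-office", "proto": "tcp", "from": 22, "to": 22, "src": "203.0.113.0/24"},
    {"id": "db-anywhere6", "proto": "tcp", "from": 5432, "to": 5432, "src": "::/0"},
    {"id": "all-ports-lab", "proto": "tcp", "from": 0, "to": 65535, "src": "198.51.100.0/24"},
    {"id": "rdp-wide", "proto": "tcp", "from": 3389, "to": 3389, "src": "10.0.0.0/8"},
]


def high_risk_in_range(lo, hi):
    """Names of high-risk services whose port falls inside [lo, hi]."""
    return [HIGH_RISK_PORTS[p] for p in sorted(HIGH_RISK_PORTS) if lo <= p <= hi]


def audit(rules):
    """Return (rule id, severity, reason) for every rule worth a look."""
    findings = []
    for r in rules:
        net = ipaddress.ip_network(r["src"], strict=False)
        lo, hi = r["from"], r["to"]
        risky = high_risk_in_range(lo, hi)
        span = hi - lo + 1
        any_source = net.prefixlen == 0            # 0.0.0.0/0 or ::/0
        if span > BROAD_RANGE:
            findings.append((r["id"], "high", f"{span} ports open to {net}"))
        elif any_source and risky:
            findings.append((r["id"], "high", f"{', '.join(risky)} reachable from any source"))
        elif any_source and set(range(lo, hi + 1)) <= PUBLIC_WEB_PORTS:
            findings.append((r["id"], "info", f"public web port {lo} open as expected"))
        elif any_source:
            findings.append((r["id"], "medium", f"ports {lo}-{hi} reachable from any source"))
        elif risky and net.num_addresses > BROAD_SOURCE:
            findings.append((r["id"], "medium", f"{', '.join(risky)} reachable from {net}"))
    return findings


if __name__ == "__main__":
    for rule_id, severity, reason in audit(RULES):
        print(f"[{severity}] {rule_id}: {reason}")
```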
Effective Countermeasures and Prevention Mechanisms
Just as we secure a conventional IT environment, both the cloud provider and the client need to implement an approach that addresses security comprehensively, incorporating access management, perimeter security and threat management, encryption, DDoS mitigation, privacy, and compliance management. Especially in a shared environment, identity and access management deserves a great deal of attention, because in these environments data is stored and accessed by multiple clients. Numerous standards, procedures, and practices need to be implemented to reduce the probability of security threats in cloud computing. These standards and measures ensure the privacy and security of confidential information in a cloud environment. Reducing the threats studied above results in a secure environment for both users and providers of the cloud. A basic philosophy of security is to have different layers of defense, a concept known as defense in depth. This mechanism relies on overlapping systems designed to provide consistent security even if one of the systems fails; an example is a security system working together with an intrusion detection system (IDS). Defense in depth has a high success rate in providing security because there is neither a single point of failure nor a single entry vector through which an attack can take place.
Success in cloud computing depends on many factors. Cloud providers should be in a position to provide their customers with an effective solution that can withstand any number of malicious threats, using methods such as multifactor authentication, activity monitoring, regular testing, and so on. To satisfy security requirements and address the security issues analyzed above, we can summarize some of the best practices for mitigating these cloud threats.
1. Breach Responses
There are some best practices for avoiding data breaches in the cloud. A breach response plan is one of the best solutions, as it helps trigger quick notification of data breaches and thus reduces the amount of harm. It contains steps for notifying the agency responsible for containing the breach. Conducting periodic checks also allows the security team to keep control of the network. Breaches can be avoided by classifying data and keeping track of its movement within the organizational network. Always remember to wipe all files and folders before retiring storage equipment. Consistently review and restrict downloads that may aid attackers. Finally, always place encryption as your last line of defense against cybercriminals: when all other attempts to protect your data fail, encryption is every organization’s last hope in the hacker’s game of breaches.
2. Specialized On-Premise Equipment Strategies
Given that DDoS attacks are becoming very common, this is one of the best protection mechanisms against them. Instead of relying on existing firewalls, enterprises purchase and deploy dedicated mitigation appliances that sit in the data center in front of the routers and are specifically designed to detect malicious traffic. DoS can also be averted by using Internet Service Providers that offer mitigation facilities. One of the simplest defenses against DDoS is to ensure that there is an excess of bandwidth, but this can be expensive. Scanning systems regularly for vulnerabilities, setting up intrusion detection systems, maintaining a backup internet connection, configuring firewalls securely, and regularly applying software patches are some of the best practices for preventing and fighting back against DoS attacks in cloud computing.
3. Build a Layered Defense Mechanism
Always restrict the IP addresses that can access the application; this reduces threats like account hijacking. Various tools let you specify allowable IP ranges, so that users can access the application only through those networks and VPNs. It is also recommended that companies set up a policy that prevents sharing account credentials between employees and services. Another mandatory aspect is to implement a strong multifactor authentication mechanism that requires users to enter dynamic one-time passwords delivered via SMS, token generators, biometrics, or other security schemes. Though all these techniques help mitigate risk, encryption is the best technique for preventing hijacking attacks. Therefore, always encrypt data before sending it to the cloud; this protects the data even if a breach occurs. For the ultimate protection plan, store the encryption key nowhere close to the encrypted data. Taking advantage of the cloud begins with managing the security threats associated with it, which leads to a multi-layered security approach that protects your data at all times.
4. Due Diligence and Private Solutions
Organizations should have a clear set of goals in mind and a thorough understanding of all the benefits and risks involved with cloud computing before jumping into it. Security concerns are natural whenever the outside world holds our data. For example, a hypervisor is a virtual machine manager that allows multiple systems to share a single host. Your service provider may give your organization virtual systems on the same hypervisor that is shared with the virtual systems of other customers. In other words, the hardware resources used by your systems are also used by other companies’ systems. Sharing resources in this way may be a good option for less critical systems, but it is not an apt model for systems regarded as highly critical. Thus, consumers need to understand the risks involved with shared technologies and must perform due diligence covering risk assessment and risk management, application and data security, network configuration, and security. Conducting due diligence helps organizations understand the various risks of adopting cloud technology and gives them a second chance to obtain a better understanding of their capacity and consumption needs.
5. Save the Data
We have seen in the sections above how compromise of sensitive data, caused by deletion, modification, or storage of data on an unreliable medium, can lead to a dreadful threat. Fortunately, there are some emerging efforts in the industry to prevent these attacks and save our data from permanent loss. One of these is to enforce strong API security, which makes attackers less likely to steal our data. Strong authentication and secure validation processes must be implemented to avoid cloud abuses. Securing the data with SSL encryption, regularly checking data integrity, and reviewing the provider’s data collection and backup plans are some of the additional processes that must be implemented to prevent data from getting lost.
6. Secure Networking
It is important to prevent the damage caused by attacks such as SQL injection, malware injection, Man in the Cloud attacks, packet sniffing, and XSS attacks. For example, various filtering techniques can be used to detect and avoid SQL injection attacks. Techniques like Active Content Filtering and Content-Based Data Leakage Prevention Technology can be used to prevent XSS attacks. Apart from these, there is a malicious sniffing detection platform based on the address resolution protocol and round-trip time, which can detect a sniffing system running on a network. In most cases, the security measures implemented in a private network also apply to the private cloud, but in the case of a public cloud implementation, the network topology should be changed to implement the security features.
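To show the difference between input filtering and parameter binding on a concrete query, here is an added example that is not from the original article; the in-memory table, the username rule and the probe string are constructed for the demonstration.

```python
# Added example, not code from the original article: the "filtering" defence
# mentioned above placed beside the stronger one, parameterized queries, using
# an in-memory SQLite table so the difference can be observed directly.
# Table contents, the username rule and the probe string are constructed.
import re
import sqlite3

# Allowlist for usernames: a second layer that rejects anything that cannot
# be a username before the query is built. Filtering is used with binding,
# never instead of it, because a filter can always be wrong or bypassed.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """Input is pasted into the statement, so it can rewrite the WHERE clause."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """Input is bound as a value; the database never parses it as SQL."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def lookup_filtered(conn, name):
    """Filtering plus binding: reject implausible input, then bind the rest."""
    if not USERNAME_RE.match(name):
        raise ValueError("rejected input")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = setup_db()
    probe = "x' OR '1'='1"          # classic test string, constructed here
    print("string-built query :", lookup_vulnerable(db, probe))   # every row
    print("parameterized query:", lookup_parameterized(db, probe))  # nothing
```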