Tuesday 4 March 2014

Should Businesses Really Worry About Cloud Security?



Several companies are jumping onto the cloud computing bandwagon with a dream of saving costs and making IT infrastructure scalable and flexible. Yes, cloud computing can offer several benefits, but it also comes with inherent risks and challenges that companies need to understand before implementing it.

Challenges

Cloud computing, being a shared resource, faces several security challenges. Let’s look at them.

  • Data location: Under the traditional IT infrastructure, it was relatively easy to know and maintain the location of data. With cloud computing, data could physically reside anywhere. If the exact location of the data is not agreed upon in the service level agreement (SLA) with the cloud service provider (CSP), it becomes difficult to know where it’s stored, especially when the CSP outsources capabilities to third parties.
  • Data breaches: When it comes to cloud security, several factors can lead to a data breach. If the CSP doesn’t implement adequate physical, logical and personnel controls, anybody can access the data. Another way of breaching data is to use a virtual machine to extract private cryptographic keys used by other virtual machines on the same server.
  • Data loss: Data can be lost for several reasons: natural disasters such as fire, flood or earthquake; a malicious hacker deleting the data out of spite; or the loss of the encryption key when the entire data set is encrypted. Recovering lost data is a tedious task, and it becomes impossible when the lost data is untraceable. Businesses may even get into trouble with regulatory bodies when data they were supposed to store for years is lost without a trace.
  • Account or service traffic hijacking: Breaching data becomes easy for an attacker who gains access to account credentials. The attacker can not only eavesdrop on a company’s activities and transactions but also manipulate data and redirect the company’s clients to illegitimate sites.
  • Insecure interfaces and APIs: Interfaces are important for cloud provisioning, management, orchestration and monitoring, while APIs are integral to the security and availability of general cloud services. If these elements are weak and insecure, the risk to organizations increases tremendously.
  • Denial of service (DoS): When companies depend on IT infrastructure being available 24/7, DoS is a huge problem. The problem becomes an expensive one when organizations are billed by CSPs for the compute cycles and disk space consumed, because DoS attacks consume huge amounts of processing time.
  • Malicious insiders: A malicious insider could be anyone, from a current or former employee to a contractor or business partner, who gains access to a network, system or data for nefarious reasons. This type of risk is particularly great when CSPs are solely responsible for security.
  • Cloud abuse: Hackers often use the cloud to break an encryption key that’s too difficult to crack on a standard computer, launch DDoS attacks, propagate malware and share pirated software.
  • Insufficient due diligence: Unfortunately, companies using the cloud do not fully understand the contractual issues concerning liability and transparency. Also, if the company’s development team isn’t fully familiar with cloud technology, operational and architectural issues can arise.
  • Vulnerabilities arising out of shared technology: CSPs share infrastructure, platforms and applications to offer scalable services. Consequently, any issue in the underlying components that make up the infrastructure can make all the organizations on the server vulnerable.

Solutions

There are several steps that CSPs and companies can take to combat the threats stemming from cloud computing.

  • Robust security: The traditional approach to IT infrastructure is no longer adequate. CSPs need to implement a layered model to ensure the privacy of, and appropriate access to, data in a shared, multitenant cloud. Specifically, this includes content protection at different layers of the cloud infrastructure, such as the storage, hypervisor, virtual machine and database layers, and mechanisms to provide confidentiality and access control, including encryption, obfuscation and key management.
  • Trust and assurance: Companies need to have confidence and trust in the cloud environment, including the physical data centers, hardware, software and resources employed by CSPs. For their part, CSPs need to establish an evidence-based trust architecture and control the cloud environment through adequate monitoring and reporting capabilities. CSPs should also be able to offer audit trails to help customers meet internal and external demands for provable security.
  • Isolation: CSPs can ensure isolation of companies’ data even within a multitenant environment by implementing multiple virtual data centers, each with its own virtual LAN. To strengthen security further, each virtual data center can be configured into one or more trust clusters, separated by demilitarized zones and virtual firewalls.
  • Confidentiality: To maintain the confidentiality of companies’ data, CSPs can offer encryption and/or obfuscation. However, obfuscation in the cloud will require new architectures and approaches that enable access to the original non-obfuscated data with maximum security controls.
  • Access control: Identity management and provisioning platforms should be used to ensure that only authorized users can access relevant applications and data. These measures should be supported by compliance, audit and log management so that companies can track activity in their clouds.
  • Control over credentials: Companies should prohibit their employees from sharing account credentials with other parties. They can also implement two-factor authentication techniques wherever possible.
  • Monitoring and governance: CSPs should offer resources that allow companies to monitor the security and compliance of their data. These resources should also allow companies to take appropriate action whenever necessary, based on the security information received from CSPs.
  • Cloud certified professionals: One of the smart moves that companies and CSPs can make is to hire professionals with cloud computing certification. Because these employees are highly trained in cloud computing technology, architecture, security, governance and capacity, the threats to cloud security are minimized.
  • Precise SLA: Companies and CSPs should have clearly defined SLAs, as they serve as both blueprint and warranty for cloud computing. An ideal SLA should codify the specific parameters and minimum levels required for each element of the service; remedies for failure to meet those requirements; recognition of the ownership of data stored in the cloud; details of the system infrastructure and security standards to be maintained by both parties; and the cost to continue and discontinue the service.


About the Author:
Krishna Kumar, an engineer by education, has 13 years of experience serving the IT industry. He is currently the CEO of Simplilearn Solutions, where he applies his expertise in e-commerce through an innovative online learning portal, started with the aim of helping professionals around the world achieve globally recognized professional certifications. He wants to share a little about cloud computing certification training.