CLOUD COMPUTING THREATS
THREATS of cloud computing-
The cloud computing is a prominent and revolutionizing technology with virtually shared resources, Service and utility based computing. The characteristics of cloud computing may cause a lot of problems and threats in the security scope. The few are
• Abuse and immoral use of cloud computing
• Insecurity of interfaces and APIS
• Loss or leakage of data
• Malicious elements
• Hijacking of accounts/ Maintenance
• Technology sharing issues
• Risk of exposing company’s confidential data
• Data Breaches
• Multitenancy
some of them are explained-
I. Network Availability:
The value of cloud computing in a particular environment can only be realized when your network connectivity and bandwidth meet the minimum requirement which are: According to the need of the customer the cloud should be available, i.e. every time the customer asks for it, the customer should be provided with his requirement .
II. Cloud Provider Viability:
As the cloud providers are relatively new to the business, the viability and commitment of the provider has raised many questions. When a provider requires tenants to use proprietary interfaces, this concern deepens, thus leading to tenant lock-in.
III. Security Incidents:
All the users and tenants need to be appropriately informed by the provider when a particular security incident occurs. For responding to audit or assessment findings users or tenants may require support of the provider. Also, a provider may not offer sufficient support to users or tenants for resolving investigations.
IV. Loss of Physical Control:
Since users or tenants lose most of the physical control over their applications and data, this results in a range of concerns:
a. Privacy and Data:
In regards with community or public clouds, data may not remain in the same system and hence raising multiple legal concerns.
b. Control over Data:
Data belonging to a organization or user may get comingled in various different ways with data belonging to others.
V. Legal and Regulatory Compliance:
It may be unrealistic or difficult to utilize public clouds, if the data you need to process is subject to legal restrictions or regulatory compliance. Due to many technical and nontechnical factors including the current stage of cloud knowledge, it is very challenging to address the needs of regulated markets and achieving certifications for building and certifying clouds as is expected by the providers. As the best practices for cloud computing encompasses greater scope, this concern should
largely become a historical one.
VI. Data Breaches:
Data breaches are one of the top threats to cloudcomputing. Virtually any person can access all thecomputer systems connected by the Internet, this
ultimately results in exposing service providers of cloud computing to the threat of skilled hackers with malicious intentions. As the number of national (and international, as we have witnessed with China) underground hacking communities continues to grow, and hence more and more breaches are expected.
VII. Account Hijacking:
Another potentially serious threat is hijacking of accounts at cloud computing companies. Remote access of cloud data via mobile devices or remote computers is usually possible for authorized company personnel. “When employees are accessing sensitive information via remote platforms that don’t necessarily have the security mechanisms in place that would otherwise exist at a workstation computer, the potential for account hijacking, or data hijacking, increases” notes from Texas based Microsoft Dynamics Partner, Tom Caper.
VIII. Insecure application programming interfaces(APIs):
Another threat to cloud computing is Insecure application programming interfaces (APIs). Security of the interfaces which offer ways for programs to communicate with each other is not always completely guaranteed. Granting people with malicious intentions access to sensitive information
passing through the communication channel are the loopholes in security.
IX. Data Handling:
A risk to the data being handled is always posed by sharing of technology and resources among different organizations. Sometimes at cloud computing firms servers are configured to work with data from few clients. The system when adds data from a client with different requirements, there are number of things that can go wrong .
X. Data streaming security:
Data is streamed through the internet in a cloud environment. Data can be said to be safe and secure if it travels through secure “https” channels. However, the packets can be accessed when data streams over open lines, even though encrypted.
Additionally, the chances of errors can lead to illegal access or data corruption by eavesdroppers since data in the cloud is accessed frequently.
XI. IAAS, SAAS and PAAS each with its own set of issues:
Platform as a service (PaaS), software as a service
(Saas) and infrastructure as a service (IaaS) are three different pathways in cloud computing as discussed earlier. Each of the pathway has its own vulnerabilities that are not fully resolved. For instance, the same software is deployed as software as a service which is used in desktop and network environments and secure coding that will plug the loopholes and guard against penetration has yet to be developed by the developers.
XII. Service Level agreements:
Service level agreements are different for every cloud service provider which are aligned to fit in with their method of operation. In terms of security and safety, these SLAs may not perfectly match client expectations. There are plenty of unresolved and continuous questions such as who shares logical and physical resources and about assessments and
audits
The value of cloud computing in a particular environment can only be realized when your network connectivity and bandwidth meet the minimum requirement which are: According to the need of the customer the cloud should be available, i.e. every time the customer asks for it, the customer should be provided with his requirement .
II. Cloud Provider Viability:
As the cloud providers are relatively new to the business, the viability and commitment of the provider has raised many questions. When a provider requires tenants to use proprietary interfaces, this concern deepens, thus leading to tenant lock-in.
III. Security Incidents:
All the users and tenants need to be appropriately informed by the provider when a particular security incident occurs. For responding to audit or assessment findings users or tenants may require support of the provider. Also, a provider may not offer sufficient support to users or tenants for resolving investigations.
IV. Loss of Physical Control:
Since users or tenants lose most of the physical control over their applications and data, this results in a range of concerns:
a. Privacy and Data:
In regards with community or public clouds, data may not remain in the same system and hence raising multiple legal concerns.
b. Control over Data:
Data belonging to a organization or user may get comingled in various different ways with data belonging to others.
V. Legal and Regulatory Compliance:
It may be unrealistic or difficult to utilize public clouds, if the data you need to process is subject to legal restrictions or regulatory compliance. Due to many technical and nontechnical factors including the current stage of cloud knowledge, it is very challenging to address the needs of regulated markets and achieving certifications for building and certifying clouds as is expected by the providers. As the best practices for cloud computing encompasses greater scope, this concern should
largely become a historical one.
VI. Data Breaches:
Data breaches are one of the top threats to cloudcomputing. Virtually any person can access all thecomputer systems connected by the Internet, this
ultimately results in exposing service providers of cloud computing to the threat of skilled hackers with malicious intentions. As the number of national (and international, as we have witnessed with China) underground hacking communities continues to grow, and hence more and more breaches are expected.
VII. Account Hijacking:
Another potentially serious threat is hijacking of accounts at cloud computing companies. Remote access of cloud data via mobile devices or remote computers is usually possible for authorized company personnel. “When employees are accessing sensitive information via remote platforms that don’t necessarily have the security mechanisms in place that would otherwise exist at a workstation computer, the potential for account hijacking, or data hijacking, increases” notes from Texas based Microsoft Dynamics Partner, Tom Caper.
VIII. Insecure application programming interfaces(APIs):
Another threat to cloud computing is Insecure application programming interfaces (APIs). Security of the interfaces which offer ways for programs to communicate with each other is not always completely guaranteed. Granting people with malicious intentions access to sensitive information
passing through the communication channel are the loopholes in security.
IX. Data Handling:
A risk to the data being handled is always posed by sharing of technology and resources among different organizations. Sometimes at cloud computing firms servers are configured to work with data from few clients. The system when adds data from a client with different requirements, there are number of things that can go wrong .
X. Data streaming security:
Data is streamed through the internet in a cloud environment. Data can be said to be safe and secure if it travels through secure “https” channels. However, the packets can be accessed when data streams over open lines, even though encrypted.
Additionally, the chances of errors can lead to illegal access or data corruption by eavesdroppers since data in the cloud is accessed frequently.
XI. IAAS, SAAS and PAAS each with its own set of issues:
Platform as a service (PaaS), software as a service
(Saas) and infrastructure as a service (IaaS) are three different pathways in cloud computing as discussed earlier. Each of the pathway has its own vulnerabilities that are not fully resolved. For instance, the same software is deployed as software as a service which is used in desktop and network environments and secure coding that will plug the loopholes and guard against penetration has yet to be developed by the developers.
XII. Service Level agreements:
Service level agreements are different for every cloud service provider which are aligned to fit in with their method of operation. In terms of security and safety, these SLAs may not perfectly match client expectations. There are plenty of unresolved and continuous questions such as who shares logical and physical resources and about assessments and
audits
III. CLOUD COMPUTING SECURITY SOLUTIONS
The cloud must be able to gain the trust of the public, as there is a little doubt that the cloud is the way the future for computing. Those in charge of local installations can do their part by ensuring that their cloud implementations are as secure as possible. Here is the list of key strategies that could be implemented to secure the data in the cloud:
A. Recognize and Allocate Value to Properties:
Assets might be featuring antivirus apps, customer relationship management (CRM) or data, accounting; comprising personal customer details; or infrastructure like hosted web servers and OS.
B. Examine Your Responsibilities:
Among the largest cloud protection issues is the jeopardy of breaches causing theft or loss of sensitive exclusiveinformation. If the details leaked are proprietary to your\ firm, obligation is not an issue. Still you should understand where obligation lies if client or patient details goes missing out.
C. Study Compliance Necessities:
In few markets finance and healthcare are instances industrial regulations or government establish criteria for how digital information is managed, featuring stating thelevel of protection in place. You could not even be allowed to set up antivirus, or there could be limitation, like the data need to be kept within the borders of your own nation.
D. Conclude Your Risk Tolerance:
These preliminary actions all play into this undoubtedly somewhat imprecise, but crucial, following step. The essential factor to consider is the expense of making certain safety, whether in the cloud or at your own workplaces.
E. Password security:
The essential component when it comes to security in a cloud installation is the password. A wreak havoc in a cloud installation could be created unfortunately, as many people are being reckless with the passwords. One broken password can break the trust, as the cloud relies on trust
F. Use Complex Passwords:
All network tools, from NAS drives to routers to printers, and so on must be set up with complex passwords. That implies as a minimum eight characters, with combined case letters, symbols and letters and no dictionary words or appropriate names.
G. Consider going beyond passwords:
Using a two-level authentication technique could be a possibility. A number of different technologies could be used to accomplish this, and each of them offer some distinct advantage. It should be noted, however, test it thoroughly to ensure that users will be able to understand it, before deciding to use one of these options.
H. Encryption:
It is often said that any server can be broken as some security holes are unavoidable. It can never be completely known that a particular server is secure, while this point is debatable. Encryption can give users confidence that their data will be secure, and it will limit the damage that can be done from a break-in.
I. Log everything:
Getting work done and accessing information gets simpler for end users by cloud installations. However, there are certain complexities that are unavoidable on the servers. In addition, even experts only have a few years of experience and the cloud paradigm is still relatively young. Because of this, when trying to analyze problems it can be easy to become confused.
J. Do not forget the firewall:
An effective firewall is still the best frontline solution for the prevention of unauthorized access as opposed to as in recent years new methods of securing networks have become popular. Remote access is very necessary, for running a successful cloud implementation. By taking extra steps to ensure that the firewall is only allowing as much access as necessary, it may be possible to fend off malicious attackers .
K. Inquire about Safety and Integrity Certifications:
One means small companies could short-circuit unpaid attentiveness on companies’ protection controls is to inquire different certifications they could have, or seek \ reference of them at the manufactures website. By considering just those manufactures with recorded, verifiably sound security techniques might remove few of the necessity to research deeper.
L. Disable Remote Management:
Virtually all routers have a remote management tool,which permits you log in to see or edit network configurations from the Web. To decrease the danger of unapproved outsider accessibility to your network, you
must disable remote management hence administrative jobs can simply be carried within the network.
M. Create Security Controls into the Agreement:
The manufacturer might not be keen to discuss anything, or might not want to expand flexibility to small businesses. At least, cloud computing users should cautiously learn the agreement language as it associates with security controls.
N. Use WPA2:
You perhaps already understand that protecting your Wi- Fi network with WEP encryption is hardly much better than none in any way. However, the greatly remarkable WPA is amazingly at risk to breach, specifically when dictionary-based or/ and short passphrases are used.
O. Check out the Cloud Security Alliance Control file:
The CSA has developed a comprehensive file
detailing the due diligence it suggests businesses commence when considering relocating information and apps into the cloud. These strategies are defined to support the three principal cloud security objectives, these objectives are, assuring the integrity, availability, and confidentiality of information
Risk 1: Data breach
To keep an endorsement of your data offline may diminish the hazard of data failure, but will enlarge the risk of data publicity. A virtual machine can simply right of entry your plane channel timing in sequence to derive the confidential cryptographic keys used by supplementary virtual machines in the identical network. This is the wonderful features of multitenancy, If not architecture appropriately may allocate an invader to attain to the users’ information.
Result:
• Choose a appropriate and dependable Cloud provider.
To keep an endorsement of your data offline may diminish the hazard of data failure, but will enlarge the risk of data publicity. A virtual machine can simply right of entry your plane channel timing in sequence to derive the confidential cryptographic keys used by supplementary virtual machines in the identical network. This is the wonderful features of multitenancy, If not architecture appropriately may allocate an invader to attain to the users’ information.
Result:
• Choose a appropriate and dependable Cloud provider.
Risk 2: Cloud abuse
One of the cloud’s functionality called “Infrastructure as a Service “(IaaS) which offers Virtualization of strategy, luggage compartment and network do not have a protected register process. It revenue that any person having a suitable credit card can scratch up for cloud and can instantaneously start using the cloud. Due to this several cloud network possibly will develop into a fatality of spiteful attack, spam mails and further such criminals .
Solution
• certified listing and justification processes
• avoidance of frauds by monitoring credit card processes
• complete examination of network traffic
Risk 3: Insecure API
Application User Interface, software and other interfaces are public in the midst of the users of a meticulous cloud. Security in distribution such income is merely needy on the security policies used by individual API and software. APIs and software which are disappearing to be collective upon the cloud, should have uptight safety measures in every aspects it verification or encryption in sort to stay away from any spiteful attacks
Solution
• Examine methodically the security standard of the cloud provider
• Construct certain that severe authentication along with encrypted communication are colonized.
• Examine methodically the security standard of the cloud provider
• Construct certain that severe authentication along with encrypted communication are colonized.
Risk 4: Malware attack
Due to fewer visibility and more understanding a cloud network is definitely flat to Malware attacks. Many periods it happens so that the cloud provider may not supply the details like how they grant access to software and other functionality, how they track a user and how they add their policies. This ambiguity gives a breathtaking opportunity for attackers to introduce the malicious software, viruses, etc
Solution
• preparation for the force certified supply chain management
• comprise human resource supplies also in legal contracts
• require complete visibility in security method and observance
Due to fewer visibility and more understanding a cloud network is definitely flat to Malware attacks. Many periods it happens so that the cloud provider may not supply the details like how they grant access to software and other functionality, how they track a user and how they add their policies. This ambiguity gives a breathtaking opportunity for attackers to introduce the malicious software, viruses, etc
Solution
• preparation for the force certified supply chain management
• comprise human resource supplies also in legal contracts
• require complete visibility in security method and observance
Risk 5 : Issues due to shared technology
Cloud by resources of its IaaS functionality provide high-end scalability by allowing user to right to use familiar devices. A hypervisor allow a visitor operating system to unite to supplementary objective resources. These spaces the cloud at hazard as the visitor operating system gains access still to the needless levels which influence other systems on the network.
Solution
• Accomplish best security procedures for the reason of installation/configuration.
• audit of non-authorized changes and behavior
• advance up the might do with of strengthen authorization processes for organizational and other operation.
• encourage examination level agreement for install vulnerability evaluation
• Scanning for vulnerabilities from point in time to time
Risk 6: Loss of Data
Compromising of essential data caused due to deletion, alteration, unlinking a record and storing of data on untrustworthy standard, is an additional serious threat. It leads to defeat of significant data, reputation (for businesses), belief of customers and from time to time even the customers. Now and then the loss of data might cause strict legal and policy compliance issues.
Solution:
• Guarantee authoritative API security
• protected data by means of SSL encryption
• Confirm for the integrity of the data running time period as well as manipulative time duration.
• investigate the backing and collection plans of the provider
Comments
Post a Comment