Cloud Computing Risks and Security Concerns - Essay Example

Cloud Computing Risks and Security Concerns Introduction Cloud computing is an emergent technology that has revolutionised the operations of organisations to a great extent. This terminology has been defined in numerous ways but the US National Institute of Standards and Testing, NIST definition has received worldwide recognition: cloud computing refers to a model that fosters a convenient, on-demand and ubiquitous access to a network that is shared by a pool of computing resources that could be configured and that could be provisioned and released rapidly with limited service provider interaction or management effort (Mather, Kumaraswamy & Latif 2009). They could be deployed as private, solely for an organisation; public, accessible by the public; community, shared by organisation; hybrid, bringing together multiple clouds between which application and data portability could occur; and partner, offered to a limited and definite number of parties (Pearson & Yee 2013). With cloud computing, organisations do not have to invest in physical infrastructure. Instead, they contract computing services based on demand. This therefore presents immense benefits and cost savings to organisations. For this reason, over 33% of UK companies compute in the cloud (Buyya, Broberg & Goscinski 2011). However, the technology has aroused numerous risk and security concerns in organisations across the world. This paper reviews the risks associated with cloud computing and based on the three service models of this technology, the security concerns would be evaluated. This would inform the recommendations put forth to foster data, network and infrastructure security. There are three layers of cloud services referring to the varied types of service models with each providing discrete capabilities. According to Pearson and Yee (2013), consumer capabilities involve the use of the applications in the cloud infrastructure of the provider in the Software as a Service, SaaS model. Clients access the applications through a thin interface like a web browser using their devices as per their demand and pay as per use. In Platform as a Service, PaaS, the consumer would be given the capability to deploy individual applications onto the cloud infrastructure without the installation of tools or any platform on their machines. It provides platform layer resources that could be used in building higher-level services. Finally, the Infrastructure as a Service, IaaS model provides consumers with the capability to provision storage, networks, processing and other basic computing resources but would not control or manage underlying infrastructure. Consumers, who rent rather than buy these resources could deploy and also run arbitrary software, including applications and operating systems. It is the difference in the structuring of these models that presents varied security concerns among them. According to Hashizume et al. (2013), SaaS has its security largely dependent on the cloud provider and has minimal extensibility or control by the customer. This differs from PaaS which offers greater extensibility and customer control. The lower abstraction levels for IaaS provide customers with greater control on security than SaaS or PaaS would do. Thus, cloud computing is a complex technology with immense risks and security challenges, hence the need for adoption of effective and specific strategies to safeguard organisational interests. Cloud Computing Risks Organisations leverage on cloud computing for varied benefits. However, Yeboah-Boateng and Essandoh (2014) point out the existence of organisational, policy and technical obstacles that hamper the full adoption of the technology. One of such risks is the possibility of loss of governance. Usually, users would implicitly trust that cloud service providers would abide by the set terms and conditions of service. However, Yuusuf and Tubb (2013) argue that these terms and conditions could fail to conform to the policies established by the consumer organisation. Such non-compliance with the policies could lead to the organisation losing its reputation and credibility. Moreover, service providers regularly alter their terms and conditions to fit within the prevailing conditions. They however fail to explicitly inform users of such changes. This could leave users operating under different terms and conditions from the ones agreed upon initially. It could also be that a user joined a service for collaboration with peer groups in the service. Leaving such a service would adversely affect the interaction of such users with their peers. Therefore, it would be appreciated that users have no full control over their data security and that absolute protection is not guaranteed by the service provider. Cloud computing technology in itself also presents risks from its use of virtualised systems. It is this structure that poses numerous risks to the technology in addition to the risks associated with traditional systems. According to Carstensen, Moregenthal and Golden (2012), these risks include poor access controls. The hypervisor of the virtual machine, which is basically the software running copies of virtual machines ensuring they do not simultaneously use same resources, propagates hardware virtualisation and reconciles hardware access in operating virtual machines. As such, the hypervisor could make the network exposed through poor access controls. Cloud computing also has the risk of its configuration being complex. This is because virtual systems call for more complexity layers to systems and networks which increase the risk of improper configuration or induce unseen vulnerabilities. The risk of privilege escalation also looms with a hacker being able to escalate the privileges they have on the system, leveraging on virtual machine that has lower level access rights. The attack on the virtual machine would then be undertaken using higher level security controls via the hypervisor. Virtual machines being inactive also make cloud computing risky. With such virtual machines capable of being used for storage of sensitive data coupled by the impossibility of monitoring access to the data, it could be a source of risk. Finally, there is the risk of difficulty in the maintenance of appropriate segregation of duties. This is because virtual machines allow access to numerous components of the cloud from various directions thus the possibility of improperly defining use access roles. Whereas organisations would outsource their operations to the cloud in cloud computing, the risks remain with them. Numerous risks inherent to traditional systems also affect cloud computing and information security professionals need to be aware of them so as to develop effective security mechanisms for cloud computing. The risks include spoofing, back-door attacks, social engineering, dumpster diving and Trojan horses and malware (Yuusuf & Tubb 2013). These risks majorly compromise privacy with the current cloud services risking exposure of data in an encrypted form to a machine operated by an organisation different from the data owner. Security Concerns Cloud computing is a relatively new form of technology. It thus presents uncertainty on security at all its levels of interaction including the host, network, data and application levels (Zargari & Smith 2014). The unresolved security issues, which Yeboah-Boateng and Essandoh (2014) consider as the major challenge in cloud computing, have halted the diffusion of the technology in organisations with the issues noted to affect both users and service providers. Critically, it would be useful to understand the dependencies and relationships in the three cloud models and how they influence security. According to Hashizume et al. (2013), PaaS and SaaS are normally hosted on IaaS. As such, in case of a breach in IaaS, both PaaS and SaaS would have their security compromised. However, should this be reversed, it would still hold. Even with this appreciation, with PaaS offering a platform for building and deploying SaaS applications, security dependency between them would be increased. This dependency means that should any layer of the cloud be compromised, then, the upper layers would also be compromised. Furthermore, each of these models has its security flaws and still share some challenges universal to them all. These dependencies and relationships have caused information executives to consider security top of their agenda for cloud computing. These concerns could relate to risk areas like lack of control, integration with internal security, being dependent on public Internet and multi-tenancy. To articulate these security concerns appropriately, this paper considers each service model separately. IaaS Security Concerns The IaaS model has its resources, including storage, networks and servers among others stored as virtualised systems and accessed via the Internet. Control and management of resources are fully allocated to users who can run software on the platform. According to Hashizume et al. (2013), this model has better security levels than the other models for as long as the virtual machine monitor gets no security hole. Users have the capacity to control the running of software in virtual machines, taking responsibility for the configuration of security policies. However, cloud providers maintain control over the storage and network infrastructure. Whereas virtualisation would allow the creation, sharing, copying, roll back and migration of virtual machines, thus allowing the running of varied applications by users, the extra layer that needs to be secured would be an opportunity for attacks (Zargari & Smith 2014). Any security breach in a virtual machine would affect the other. Virtualisation makes attack easier because it adds more interconnection complexities and entry points in addition to the vulnerabilities of the normal infrastructure. PaaS Security Concerns With PaaS, two software layers would be considered when evaluating the security concerns. These include the runtime engine, which is the PaaS platform security, and the security of the applications that customers deploy on the PaaS platform (Hashizume et al. 2013). Security of the platform is the responsibility of the provider. Thus, this third-party relationship sets forth security concerns. Additionally, PaaS offers components of third-party web services such as mashups which would have multiple source elements integrated into a single unit. For this reason, PaaS model would have security issues associated with mashups like network and data security. Application development is a complex issue for applications that need to be hosted in the cloud. The rate of change of these applications greatly affects security. Developers seek to constantly upgrade PaaS applications, thus the need to ensure flexibility of their application development. It is this change that Hashizume et al. (2013) argue that it presents security challenges with regards to the applications. Furthermore, data could be stored in locations that have different legal regimes which could compromise security. Hence, in addition to ensuring secure development techniques, it would be crucial for developers to also consider data legal aspects. Developers do not have the access to underlying layers in the PaaS model. Thus, providers secure underlying infrastructure and the application services. However, even though developers possess full control over security of applications, Mather, Kumaraswamy and Latif (2009) observe that the development environment tools supplied by the PaaS provider do not guarantee security. Therefore, with the data and applications of users stored in the cloud, security remains a major concern and dependent on the provider. SaaS Security Concerns SaaS is a demand-based and pay-as-you-use model. Among the three cloud computing delivery models, SaaS users have the least control on security as noted by Carstensen, Moregenthal and Golden (2012). One of the security concerns with this model emerges from its application. With basic access being through a web browser, web applications have limitations that could create vulnerabilities. Cyber criminals have used the web to compromise users’ data and undertake malicious activities, the reason why SaaS, being a web-based model, presents the risk of cyber attack to its users. Traditional security measures do not offer an effective way to safeguard this model from such threats. Secondly, SaaS applications has maturity models, the first being configurability via metadata. Here, the vendor gives varied application instances for each customer though each uses same application code. Customers could alter options of configuration to serve their needs. With scalability, each customer would have individual customised software instance. This model has the least security issues among all the SaaS maturity models. The third model has multi-tenancy such that customers are served by a single instance (Yuusuf & Tubb 2013). Though it promotes efficient resource usage, its scalability is limited. With data from numerous tenants contained in the same database, data could be leaked between tenants. Whereas data security would be a concern for whichever technology, SaaS users suffer the most because of reliance on providers for security. Usually, organisations process data in plaintext and store it in the cloud with the service provider being in charge of security during processing and storage (Yuusuf & Tubb 2013). Additionally, in their study of the application of SaaS in the financial sector, Howell-Barber et al. (2013) observe that data backup, though critical for recovery in case of a disaster, presents security challenges. Even more, cloud providers could subcontract services to third parties, further enhancing security threat. With SaaS, compliance standards are difficult to develop because data is stored in the data centre of providers. This raises issues on regulatory compliance like data privacy, security and segregation which the provider is in charge of. In fact, Yeboah-Boateng and Essandoh (2014) observe that the cloud market in general has minimal compliance requirements and standards. This has been attributed to the fact that it is an emerging paradigm. Finally, accessibility in SaaS arouses security concerns. Applications in this cloud service model are accessed through web browser which makes access easy from any network device, including mobile devices and public computers (Pearson & Yee 2013). Though this could be an advantage, it exposes the model to security concerns. Other than the model service of the cloud, it has also been noted that privacy risks differ between private and public clouds. According to Jansen and Grance (2011), the security with private cloud infrastructure resembles that of the security for traditional IT infrastructure. The tools and processes used for traditional infrastructure also apply to those used for private cloud. This makes it possible to compromise security in the cloud just as it could be in traditional IT systems. On the other hand, public cloud infrastructure calls for redesigning of the architecture and processes used for security. Even so, the security issues that affect traditional systems still affect this technology. Recommendations Cloud computing bears numerous specific features like being enormous and resources of service providers being heterogeneous and completely distributed and virtualised. For this reason, Zargari, and Smith (2014) observe that traditional security mechanisms like authorisation, authentication and identity do not suffice in cloud computing. Due to the employed cloud service models, operational models and cloud service technologies, cloud computing has risks that differ from those in traditional IT environments. Thus, more robust strategies should be adopted. One of the basic approaches to foster security in cloud computing is to detach security related issues from the service provider. Digital identities have evolved as a way of identification, especially with the cloud technology, though the area is still experiencing great development. Even so, it has been widely appreciated that the fundamentals of security in cloud computing lies with placing ownership identity upon an individual as opposed to the service provider, a function that Buyya, Broberg and Goscinski (2011) refer to as user-centric identity. This sets a protocol around how the identity would be used. This approach improves the privacy issues with regards to digital identity by providing an individual with permission to apply policies depending on their identity and control what aspects of the identity to divulge. Thus, the end user not only controls own identity but also decides what information to give to parties relying on such an identity. However, with regards to the data security context, having a personally managed identity does not give the adequate sense of non-repudiation to assure sensible use (Pearson & Yee 2013). Thus, on top of just being a user-centric identity, there would be need for a trusted host to issue and manage the identity, having the capabilities to give a verification of the user. Though it appears like a security paradox, it provides a balanced approach of using digital identities for the assignment of security control and policies while maintaining a high sense of user choice and privacy. Even so, keeping the provider completely off organisational data could be difficult. Thus, the recommendation by Hashizume et al. (2013) that data in cloud computing be secured through encryption would be appropriate. Strong encryption algorithms should be used to ensure that encryption functions as effectively as possible. Thus, encryption schemes like Advanced Encryption Standard, AES would be appropriate. Considering encryption of data and the three basic functions of cloud computing of storing, processing and transferring data, providers would be required to decrypt cipher data so as to be able to process data (Carstensen, Moregenthal& Golden 2012). This raises privacy concerns. As such, homomorphic encryption would allow arbitrary computations to be undertaken on the cipher texts without having to decrypt. For data transfers, digital signatures would play a great role in fostering security. Also important to protect against is manipulation of customer data. According to Jansen and Grance (2011), web applications are an easy target due to their exposure to the public who include attackers. As such, the National Technical Authority for Information Assurance (2014) argues for web application scanners as a solution to potential data manipulation. These scanners are basically programs which scan through the web front-end of web applications to make out any potential security threats. Apart from this, many other web application security tools like the web application firewall which captures all web traffic for inspection of threats could be used. Ultimately, organisations need to consider factors that are specific to them to determine the security concerns and therefore deploy the appropriate strategies to safeguard its cloud structures (Yuusuf & Tubb 2013). Carrying out proper investigations would give an organisation insights into the specific strategies to adopt that would positively influence its security strategies and keep the risks associated with cloud computing low. Conclusion The decision to compute in the cloud by organisations would normally be driven by the associated technical and cost benefits. Even so, this relatively emergent technology comes with a myriad of risks and raises critical security concerns. Therefore, understanding the associated vulnerabilities would be useful for adopting the appropriate security measures. The security concerns in this paper have been reviewed from the perspective of the three service models in cloud computing: IaaS, PaaS and SaaS. Whatever the model adopted, it would be appreciated that with cloud computing, a considerable portion of applications, data and system moves under the control of a third-party service provider thus creating a shared responsibility between the user and provider. Thus, the security concerns that arise relate to the points of interaction between these two parties, including infrastructure, data, and access and identity. Virtualisation and data storage could be considered as the most critical with any form of compromise having probable adverse effects, coupling with the numerous security issues that the technology adopts from the technologies it leverages on. Therefore, in addition to traditional security measures, organisations in the cloud need to deploy specific measures that would protect its data, infrastructure and networks. References Buyya, R, Broberg, J & Goscinski, J 2011, Cloud computing: principles and paradigms, John Wiley & Sons, Hoboken, NJ. Carstensen, J, Moregenthal, JP, & Golden, B 2012, Cloud computing: assessing the risks, IT Governance Publishing, Cambridgeshire. Hashizume, K, Rasado, DG, Fernandez-Medina, E, & Fernandez, EB 2013, ‘An analysis of security issues for cloud computing’, Journal of Internet Services and Applications, vol. 4, no. 5, viewed 10 December 2014, http://www.jisajournal.com/content/4/1/5 Howell-Barber, H, Lawler, J, Desai, S, & Joseph, A 2013, ‘A study of cloud computing Software-as-aService (SaaS) in financial firms’, Journal of Information Systems Applied Research, vol. 6, no. 3, 4 – 17. Jansen, W & Grance, T 2011, Guidelines on security and privacy in public cloud computing, National Institute of Standards and Technology, viewed 10 December 2014, http://www.cs.odu.edu/ Mather, T, Kumaraswamy, S, & Latif, S 2009, Cloud security and privacy: an enterprise perspective on risks and compliance, O’Reilly, Sebastopol, CA. National Technical Authority for Information Assurance 2014, August 14, Guidance: implementing the cloud security principles, viewed 10 December 2014, https://www.gov.uk/ Pearson, S & Yee, G (eds.) 2013, Privacy and security for cloud computing, Springer, London. Yeboah-Boateng, E & Essandoh, KA 2014, ‘Factors influencing the adoption of cloud computing by small and medium enterprises in developing economies’, International Journal of Emerging Science and Engineering, vol. 2, no. 4, pp. 13 – 20. Yuusuf, H & Tubb, C 2013, ‘Migration to cloud computing: a risk homeostasis methodology’, International Journal of Computer Applications, vol. 77, no. 7, pp. 5 – 9. Zargari, SA & Smith, A 2014, ‘Policing as a service in the cloud’, Information Security Journal, vol. 23, no. 4, pp. 148 – 158. Read More