Security Risks in Cloud Computing - Term Paper Example

Running head: SECURITY RISKS IN CLOUD COMPUTING Security Risks in Cloud Computing Abstract The emergence and development of the cloud computing trend is associated with various advantages and potential benefits. On the other hand, the trend is associated with different types of risks that threaten the security of the data and the users of the technology. This report is about the possible security risks that are associated with cloud computing with reference to the CIA (confidentiality, integrity and availability) triad. The report is divided into three sections. In the first section, a brief history of cloud computing and its advantages and disadvantages are presented. The second section discusses the risks that are associated with cloud computing and the different ways in which they violate the three components of CIA. The third section discusses cases of cloud computing security attacks. Cloud computing: History, advantages and disadvantages Cloud computing is a method of computing in which users are allowed to use infrastructures, platforms and resources through an on-demand service (Hashizume, Rosado, Fernandez-Medina & Fernandez, 2013, p. 2). The infrastructure, platforms and applications that are based on a network usually exist in a form that is virtualised, meaning that they can be accessed through an abstract interface called Application Programming Interface (API). The resources and platforms are also scalable in that they can be reconfigured by users to varying load sizes according to their needs. The entire process is based on the use of different types of resources and web technologies that have been developed over the course of time; an example being Google Drive. According to Baun, Kunze, Nimis and Tai (2011, p. 3) several key characteristics of cloud computing emerge from this definition. The first one is that the services used in cloud computing are usually made available over a network and can be accessed in real time using standardised processes. Secondly, resources are pooled together and can be shared by multiple users at the same time. The third point is that the resources usually exist in highly elastic modes that allow users to access them flexibly. Google Drive satisfies a number of these characteristics. The application is made up of word processor, spreadsheet and presentation programs. Users of Google can access programs, create documents and share the documents over the Internet. Furthermore, the ease with which users can share and edit documents using Google Drive represents the high degree of user flexibility that cloud computing services offer. The development of cloud computing has been marked with the emergence of technologies such as virtualisation, web service and service-oriented architecture, service flow and web 2.0 mash-up (Furht, 2010, p. 9). These technologies have shaped its development from the initial mainframe computing to the current status of cloud computing through the intermediate stages of network computing, Internet computing and grid computing. First, development of virtualisation has been an important aspect of the development of cloud computing, since it has allowed resources to be used by different applications; this has improved the overall level of utilisation of services, since fewer servers are required for different applications. Secondly, the development of web 2.0 allowed the use of different web technologies to improve the way in which users create and share information and collaborate with each other. Thirdly, the emergence of web service and service-oriented architecture formed the foundation for the development of cloud computing. One advantage of cloud computing is that it allows users a high level of flexibility in the form of being able to scale their storage capacities and only pay for what they use (Jamsa, 2013, p. 70). Further, it allows users to easily access applications and other resources from different locations at any time over the Internet. This contributes to the overall ability of cloud computing to increase the level of efficiency in computing. Files are easily shared by different users and this reduces the overall number of servers that have to be used to access the required resources. In contrast, the disadvantages of cloud computing arise from security issues. Its use exposes users, data and the computer systems that are used to different types of security threats (Firdhous, 2015, p. 176). Security risks in cloud computing Risks in cloud computing can be analysed and understood in terms of the three elements of the CIA triad: confidentiality, integrity and availability. Confidentiality, which entails data confidentiality and privacy, refers to preventing unauthorised disclosure of the contents in cloud computing. The essence of confidentiality is to ensure that data is not disclosed to parties who are not authorised to access it, either intentionally or unintentionally. Integrity refers to the extent to which the message that is sent via the network is received in the same form and with the same content. In practice, messages can be altered intentionally by malicious individuals or unintentionally by either the senders or the recipients. The essence of integrity is to ensure that the message is not altered. Lastly, the aspect of availability in cloud computing security refers to the extent to which the networks and systems used are stable and reliable. According to Stallings (2013, p. 11), security risks and attacks in cloud computing are usually classified into passive and active types. Passive attacks are carried out with the sole intention of getting access to and using information contained in the systems and resources of cloud computing. Thus, they involve practices such as unauthorised acquisition of data through sophisticated eavesdropping techniques and monitoring of the manner in which data is transmitted over the cloud computing networks. Also, through traffic analysis, which entails analysing the frequency, destination and form of messages that are sent via cloud computing, important details about the content of the messages can be inferred. Therefore, passive attacks violate the aspect of confidentiality in the security triad in that the contents of the messages sent via the networks may be revealed to parties who are not authorised to access them. Conversely, active attacks are carried out with the intention of interfering with the resources of cloud computing and affecting the manner in which the entire network operates. One of the most common forms of active attack involves a party masquerading as another entity. This leads to unauthorised entities gaining privileges to access different resources. Another form is replay, which entails the capturing of units of data being transmitted and redirecting the data to different locations within the network to cause specific effects on the network such as delayed delivery of the message or its repeated transmission. Lastly, cloud computing risks may take the form of a denial of service attack. This is an active attack in which the normal functioning of the network is interrupted so that users cannot access resources. These forms of attack violate the different aspects of the cloud computing security triad, thus making it necessary for organisations to address them in their risk management programmes (Albakri, Shanmugam, Samy, Idris & Ahmed, 2014, p. 2118). For example, a denial of service attack violates the aspect of availability by interfering with the normal functioning of cloud computing systems. On the other hand, the modification of messages violates the aspect of integrity in that the message that is received is different from that which was originally sent. Cases of security attacks in cloud computing There have been many cases in which different types of attacks have been launched against specific systems of cloud computing. In one such case, different amounts of data belonging to the customers of Amazon.com were lost as a result of a temporary outage on the Elastic Compute Cloud (EC2), where Amazon’s services were hosted. This incident was reported in April 2011. According to Cummins (2013, p. 56), the actual attack that the company faced was a re-mirroring storm. Errors committed by the engineers of the firm, who attempted to transfer the high volume traffic of customers to the low capacity network that was meant for the administrators of the company, led to a temporary outage of services and the loss of customer data. This affected operations of a subset of the company’s Elastic Block Store (EBS) in a single Availability Zone leading to customers within the East region in the United States not being able to access the services (Amazon Web Services, 2011). The temporary outage violated the aspect of accessibility; customers were not able to access their data during the time of outage. Users were directed to a website that resembled that of the company but which was actually hosted in a different location and acted as a phishing site. The loss of data violated the aspect of confidentiality in that the privacy of customer data was compromised and made accessible to unauthorised individuals. To address the re-mirroring storm, the company first disabled all the APIs for control for the affected Availability Zone (Amazon Web Services, 2011). This helped the company to restabilise the affected EBS cluster. The company also revised its change process and introduced additional excess capacities for its different clusters. Another cloud computing security attack happened in September 2014 and involved eBay, one of the leading online auction sites in the world. The systems of the company suffered a form of attack known as cross-site scripting. This form of attack entails the use of malware to interfere with the scripting languages of web pages and, as a result, gaining access to the personal data of users of the affected web pages (Oriyano & Gregg, 2010, p. 219). Many genuine users of eBay lost their personal information to the hackers as a result of the attack on the website servers. At the most basic level, the masquerading led to the loss of personal data and privacy of site users, thus violating the aspect of confidentiality. One of the things that the company did to recover from the attack was to remove the suspicious links that redirected users to different websites from its servers. The company also sent precautionary messages to its customers asking them to change the passwords to their accounts. Although removal of the suspicious scripts and sending precautionary messages to customers were effective methods of addressing the issue, the apparent slowness of the company in addressing the attack after it had actually occurred contributed to its severity (Muncaster, 2014). The third incident involved a loss of data to hackers who used Zeus botnet nodes to hijack accounts in different sites and access different types of data stored on the sites. In 2007, several organisations, including the United States Department of Transportation, Hewlett Packard, Booz Allen and Unisys, suffered from the attack. The Zeus botnet attack is a type of malware that hackers use to hijack accounts of genuine users and in the process access different types of data (Harkins, 2012, p. 81). The hijacking of accounts and the loss of data violated the aspects of confidentiality and integrity in the triad. Also, the effects of the incident were severe, because many organisations had not taken the initiative of encrypting the data that they use in their cloud computing systems (Finkle, 2007). There was little that the United States Department of Transportation and the other organisations that were affected by the malware could have done to effectively respond to the attack at the time since it was the first of its kind. That is why in the recent past, efforts to tackle its recent variants have been carried out on a multinational scale (Federal Bureau of Investigations, 2014). Conclusion Cloud computing systems offer users a high level of flexibility and efficiency in accessing and sharing resources. However, risks of passive and active attacks threaten the ability of users to benefit from the advantages of using cloud computing services. Risks compromise the level of confidentiality, integrity and access, which are important aspects of the cloud computing security triad. This has been witnessed in different cases of attacks that have been carried out against different systems of cloud computing over the course of time. Therefore, organisations need to use different security services such as authentication and access control that are available as part of their cloud computing security plans. References Amazon Web Services. (2011). Summary of the Amazon EC2 and Amazon RDS service disruption in the US East region. Retrieved from http://aws.amazon.com/message/65648/ Albakri, S. H., Shanmugam, B., Samy, G. N., Idris, N. B., & Ahmed, A. (2014). Security risk assessment framework for cloud computing environments. Security and Communications Networks, 7, 2114-2124. Baun, C., Kunze, M., Nimis, J., & Tai, S. (2011). Cloud computing: Web-based dynamic IT services. London: Springer. Cummins, S. (2013). Pro sharepoint disaster recovery and high quality availability. New York: APress. Fazil, M., & Firdhous, M. (2015). Cloud computing for rural ICT implementations: Methods, models and architectures. In V. Chang, R. J. Walter & G. Wills (Eds.). Delivery and adoption of cloud computing services in contemporary organizations (pp. 166 – 198). New York: IGI Global. Federal Bureau of Investigations. (2014). U.S leads multi-national action against gameover Zeus botnet and cryptolocker ransomware, charges botnet administrator. Retrieved from https://www.fbi.gov/news/pressrel/press-releases/u.s.-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware-charges-botnet-administrator Finkle, J. (2007, July 17). Hackers steal U.S. government, corporate data from PCs. Reuters. Retrieved from http://www.reuters.com/article/2007/07/17/us-internet-attack-idUSN1638118020070717 Furht, B. (2010). Cloud computing fundamentals. In B. Furht & A. Escalante (Eds.). Handbook of cloud computing (pp. 3 – 20). London: Springer. Harkins, M. (2012). Managing risk and information security: Protect to enable. New York: APress. Hashizume, K., Rosado, D. G., Fernandez-Medina, E., & Fernandez, E. B. (2013). The analysis of security issues for cloud computing. Journal of Internet Services and Applications, 4(5), 1-13. Jamsa, K. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile security and more. Burlington: Jones & Bartlett. Muncaster, P. (2014, September 11). eBay under fire after cross-site scripting attack. InfoSecurity. Retrieved from http://www.infosecurity-magazine.com/news/ebay-under-fire-after-cross-site/ Oriyano, S. P., & Gregg, M. (2013). Hacker techniques, tools and incident handling. London: Jones & Bartlett. Stallings, W. (2013). Network security essentials: Applications and standards. London: Pearson Education. Read More