Cloud Computing is basically an outsourced, multi-tenanted IT service model. The security concerns & threats applicable to a cloud computing environment are the same as those applicable to any other IT environment. The only significant difference is that in the Cloud environment organizations lose control over the security measures required to protect their data and information assets.
In a Cloud environment the responsibility of securing and maintaining a threat-free environment lies partially with the customers and mainly with the service providers. However, the extent of responsibility depends upon the Cloud architecture & service model.
- SaaS – The service provider is responsible for most of the security controls, as the application & underlying platform, including the infrastructure, belong to and are managed by the service provider.
- PaaS – Since the customer is deploying its application in the service provider's environment, the customer is responsible for the security controls around its application. The platform & underlying infrastructure are the service provider's responsibility.
- IaaS – The control in this case lies partially with the service provider and primarily with the customer as the customer has the privilege of configuring & managing part of the leased infrastructure.
Having said all of the above, the customer using the cloud computing service would be accountable for its own information & data. For example, a credit card company using the cloud computing services of a service provider would still be responsible & accountable for its customers' personal information. The stakeholders & customers would hold the credit card company responsible for any security breach.
So, it's very important that before going in for any cloud computing service the customers clearly understand the risks involved and the fact that they cannot do away with the accountability even if the responsibility of securing the information was that of the service provider.
Cloud Computing Threats
- Unauthorized Access
- Malicious Insiders
- Abuse of CC Services
- Inherent Vulnerabilities
- Data Leakage
- Espionage, loss of reputation
- Legal & regulatory requirements
- Unavailability of service
1. Malicious Insider:
As we all know, the internal threat is the major threat to Information Security. The situation is further exacerbated in the Cloud Computing environment, where the dependency is on the external service provider. There is no transparency in terms of how the vendor takes care of internal processes. For example, there would be no clarity as to how access is granted, revoked or reviewed. Also, there is no clarity on the service provider's recruitment process. This opens the avenue for malicious insiders and disgruntled or disinterested employees, which could lead to compromise of valuable, critical & confidential information.
Impact: Human risk is the worst of all, especially in the cloud computing environment, where there is no control over the people handling & managing your data. A malicious insider could lead to compromise of confidentiality, availability & integrity, which are the pillars of Information Security. This could further lead to legal and regulatory implications.
- The policies, processes & controls defined by Cloud Computing service providers to protect against the threat of Malicious Insiders should be in line with the requirements or policies of their clients.
- Human resource requirements (Background verifications, Hire policies etc.) should be made part of Contracts with Service provider
- Clients should have transparency and the right to audit / review the service provider's Information Security policy & processes
- Clients should include security breach clauses in the contracts
- Access should be granted on a need-to-know basis. Service provider employees should be given access only to the resources that they are working on, and access should be just enough for them to perform their job responsibilities
- Access logging & monitoring should be done
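The last two controls above, need-to-know access and access logging, can be checked together by comparing the provider's access log against the resources each employee is assigned to. This is an added example, not part of the original article; the log format, employee IDs and resource names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed assignment register: the tenant resources each provider
# employee is currently working on (the need-to-know scope).
ASSIGNMENTS = {
    "emp-101": {"tenantA/db", "tenantA/app"},
    "emp-102": {"tenantB/storage"},
    "emp-103": set(),  # access revoked, nothing assigned
}

# Constructed access log: timestamp, employee, resource, action.
SAMPLE_LOG = """\
2024-03-01T09:12:00Z,emp-101,tenantA/db,read
2024-03-01T09:40:00Z,emp-101,tenantB/storage,read
2024-03-01T10:05:00Z,emp-102,tenantB/storage,write
2024-03-01T23:55:00Z,emp-103,tenantA/app,read
2024-03-02T01:10:00Z,emp-999,tenantA/db,export
"""


def review_access(log_text, assignments):
    """Return one finding per log entry that falls outside need-to-know.

    Each finding is (line number, employee, resource, reason).
    """
    findings = []
    for lineno, row in enumerate(csv.reader(io.StringIO(log_text)), start=1):
        if not row:
            continue  # skip blank lines
        if len(row) != 4:
            # A log line that cannot be parsed is itself worth reviewing.
            findings.append((lineno, None, None, "malformed-entry"))
            continue
        _ts, employee, resource, _action = (field.strip() for field in row)
        if employee not in assignments:
            reason = "unknown-identity"       # not in the register at all
        elif resource not in assignments[employee]:
            reason = "outside-need-to-know"   # known, but not assigned here
        else:
            continue                          # access matches the assignment
        findings.append((lineno, employee, resource, reason))
    return findings


def summarize(findings):
    """Group findings by employee for the periodic access review."""
    per_employee = defaultdict(list)
    for _lineno, employee, resource, reason in findings:
        per_employee[employee].append((resource, reason))
    return dict(per_employee)


if __name__ == "__main__":
    for finding in review_access(SAMPLE_LOG, ASSIGNMENTS):
        print(finding)
```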
2. Unauthorized Access
Unauthorized access could be by external attackers or malicious insiders. Weak access, authentication & authorization controls could lead to unauthorized access. Depending upon the type of Cloud Computing service, the clients / customers might have limited or no say in defining the controls to prevent unauthorized access. For example, in the SaaS model the clients have very limited options for defining the access controls, while in PaaS at least the application-level access controls can be defined by the clients.
Unauthorized access could lead to compromise of confidential & critical information. This could have legal and regulatory implications as well.
- Service provider should define a strong Information Security (IS) Policy & enforce adherence to the IS policy and procedures
- Clients should have transparency and the right to audit / review the service provider's Information Security policy & processes
- Security breach clauses could be possibly included in the contracts with the service providers
3. Inherent Vulnerabilities
Applications and infrastructure devices have inherent vulnerabilities which, if not taken care of, could lead to compromise of CIA. Applications are vulnerable to SQL Injection, XSS, Session Hijacking, malicious file upload etc. Similarly, servers & network devices are vulnerable to unauthorized access, DoS, buffer overflows etc. Once again, the responsibility for taking care of the vulnerabilities & security holes depends upon the Cloud Computing service model. In the case of PaaS, the customer is responsible for the application being hosted in the service provider's facility, while the service provider is responsible for the platform and underlying infrastructure. In SaaS the service provider has greater or almost the entire responsibility for ensuring a secured service.
Impact: Application vulnerabilities like SQL Injection could result in compromise of client data stored in the database. Vulnerabilities like XSS and Session Hijacking could lead to unauthorized access, installation of malware / backdoors etc. Similarly, vulnerabilities in the infrastructure components could lead to compromise of customers' information, data leakage, DoS etc. Exploitation of vulnerabilities could also raise legal & regulatory concerns for the customers due to data leakage, unavailability of service etc.
- Service provider should ensure that the application and infrastructure vulnerabilities are identified and fixed
- Patches and fixes should be applied on regular basis
- Security audits should be conducted on periodic basis and appropriate measures should be taken to fix the identified bugs
- Customers should have rights to review the security audit reports
- Depending upon the criticality of information in the Cloud Computing environment, the customers should have rights to conduct a security review of the service provider's applications and infrastructure
- Customers should also look into the best practices / guidelines / certifications followed by the service providers like ISO 27001, TIA 942 etc.
4. Data Loss / Leakage
Data could be leaked in many possible ways. Some of the causes could be malicious insiders, sharing of data between employees, improper & irregular backups, an inappropriate data retention policy, users forgetting the secret keys / passwords etc. Once again, data leakage risk is aggravated in a Cloud Computing environment because the ownership is yours but the control over processing & storing the data is not in your hands.
Impact: Depending upon the cloud model & the criticality of the data being processed & stored in the cloud, Data Loss / Leakage could have some serious fallout. Apart from loss of confidentiality and reputation for the customer, data leakage could also possibly have legal repercussions. To make matters worse, loss of intellectual property could cause competitive and financial grievances to the customers.
- As much as possible the information & data sensitive in nature should not be stored with a service provider.
- Customers should ensure that service providers provide services as per the Information Security policy & procedures of the customers. This would provide some level of comfort and control to prevent data leakage / loss
- Customers should define, or lay down in the requirement list, how their data should be accessed, handled, processed and backed up. These requirements should be taken into consideration while drafting the contracts and SLAs with the service providers.
5. Espionage & Loss of Reputation
In today's highly competitive and fast-paced world, competitor espionage is a growing threat. The loss of confidential information and intellectual property due to espionage can lead to loss of business, reputation, goodwill, shareholders' trust etc. In a cloud computing scenario, attackers and nefarious users could possibly take advantage of the fact that the proprietary and confidential data is stored with an outsider, which could be leveraged to cause damage to the reputation of the parent organization.
Espionage can lead to loss of business, loss of reputation, loss of good will etc. Any leak of confidential information can also have legal and regulatory implications.
- Strong Information Security (IS) Policy, Procedures & Process should be defined by Cloud Computing vendors
- Cloud computing service providers should also implement strong Security controls around the applications & IT infrastructure
- The Operational efficiency of security controls should be reviewed periodically
- The IS policy & Security controls should be reviewed and updated to counteract the ever increasing security threat
- Customers should have transparency in the Security measures adopted by the Cloud Computing vendors
6. Legal & Regulatory Requirements
We are surrounded by legal & regulatory requirements like SOX, SAS 70, HIPAA, PCI DSS etc. Depending upon the nature of the business and the kind of data being handled, different legal & regulatory requirements are applicable. In a Cloud Computing scenario it becomes imperative that the service provider meets the legal & regulatory requirements on behalf of the customers. So if a Cloud Computing service provider is servicing a client in the Health Care sector, then it should take care of HIPAA requirements. Similarly, a service provider providing Cloud Computing services to a credit card company should take care of the PCI DSS requirements. It becomes the customer's responsibility to ensure that, in spite of using the Cloud Computing services, their legal & regulatory requirements are being met.
Not meeting the legal & regulatory requirements could lead to legal actions causing loss of business, public trust, financial penalties and imprisonment as applicable.
- Customers / clients should have a very good understanding of the legal & regulatory requirements applicable to their business
- Customers should ensure that their legal & regulatory requirements are being fulfilled even in the Cloud Computing scenario
- Service provider should also have a clear understanding of the legal & regulatory requirements of their clients before offering their services.
- Service provider should make necessary provisions to ensure that the legal & regulatory requirements of their clients are being met.
- Customers should have transparency into the certifications & processes being followed by the service providers to ensure that the legal & regulatory requirements are met
7. Unavailability of Service
Today we all need 24×7 access to our data (official or personal). Many businesses like Banks & Military Operations rely on real-time information and need to have 0 downtime. Unavailability of information can have direct financial, legal & security implications. The processes and technologies are designed to ensure that information is available at all times and that, in case of problems, downtime is within acceptable limits. Unavailability of service can be due to many reasons like inadequate backups, no BCP / DR, unavailability of resources etc. In a Cloud Computing environment the service provider is responsible for the availability of service and for maintaining an acceptable downtime based on the client's requirements.
Availability is one of the pillars of CIA. Unavailability of information in critical services like military operations can be a threat to National Security, and in banking operations unavailability of information can have direct financial implications. In today's complex and data-availability-driven world it is imperative that information is available most of the time and that unavailability is within the acceptable limits.
- Customers should define well-structured and all-encompassing SLAs with cloud computing service providers to ensure the availability of their data
- Based on criticality of information being processed or stored with service providers considerations for Backup, BCP / DR should be taken into account
- Customers should evaluate the potential of the service provider to meet the availability requirements, for example whether the service provider has enough staffing, alternate DR site availability, backup facilities etc.
- Customers should have transparency in the measures taken by the service provider to ensure availability
8. Abuse of CC Services
Many times, Cloud Computing service providers do not have a strict registration process. Anyone with a credit card can register for cloud computing services online, and many vendors offer free trials of their services. This opens an avenue for many nefarious users, who could anonymously exploit the cloud computing resources for malicious purposes like setting up botnets, spamming, spreading viruses / malware etc. The attackers could attempt DoS, exploitation of known vulnerabilities, etc. to compromise the cloud computing resources, which would lead to compromise of other customers' resources hosted in the same environment. For example, an online cloud-based corporate email service & web portal might be vulnerable to SQL injection & XSS which, when exploited, could result in compromise of other corporates' information / email hosted in the same environment.
- Spread of viruses, malware, spam emails, loss of confidentiality etc.
- Cloud computing environment used as botnets to launch further attacks
- Service provider should have stricter and regulated registration process
- Monitor the customer traffic for any malicious or nefarious activities
- Periodic security assessment to ensure that the service provider's own network and other resources are not infested or compromised.
Cloud Computing Security Framework
- Information Security Policy
- Regulatory requirements
- Procedures & Processes
- Backups & DRP
- Communication Security
- Perimeter Security
- IT & Application Security
- Security Audit & Reviews
1. Information Security (IS) Policy
IS Policy is the starting point and most critical component in protecting the information assets of any organization. The IS Policy needs to define the CIA requirements and how the same can be achieved. IS Policy is a high-level framework addressing everything related to protecting the information assets as per the organization's functioning and operations. IS Policy is organization-wide and is applicable to all of the organization and its subsidiaries. Subsidiaries can have their own IS Policy, which in a way would be a subset of the parent entity's IS Policy.
In a Cloud Computing environment it is imperative that the service provider defines a stringent and all-encompassing IS Policy which ideally meets the requirements of all its customers and their respective Information Security requirements. Without a holistic and structured IS Policy the procedures followed and technology used to protect Information assets will never be adequate. Also as technology matures and new vulnerabilities & security holes are discovered, IS Policy needs to be updated on an ongoing basis.
Amongst others IS Policy takes care of the following:
- Physical & Logical Access control requirements
- Encryption requirements & techniques
- Program changes & version management
- Backup & Retentions
- BCP & DRP requirements
- Incident Response
- Regulatory requirements
- Security reviews / audits
- Patches / Updates / AV Solutions / plugging security holes
2. Regulatory requirements
The service provider should understand the regulatory requirements of its clients. In a Cloud Computing environment, since the customers would be using the service provider's resources or in many cases storing their data with the service provider, it becomes the service provider's responsibility to understand and meet the regulatory requirements on behalf of their customers. Based on the requirements, the service provider should be able to meet the requirements of SOX, SAS 70, HIPAA, PCI DSS, ISO 27001 etc. Some regulatory requirements restrict storing of data outside the country. The customers should be aware of such requirements, should clarify them with the service provider & should ensure that their data would not be stored in locations which are not permitted. Before getting into a contract with a Cloud Computing service provider, the customers should ensure that the service provider meets their regulatory requirements. It also gives an added level of comfort and sense of security to know whether the service provider follows or meets certain standards, e.g. that its data center is as per TIA 942 requirements, that the service provider is ISO 27001 certified etc.
3. Procedures & Processes
The IS Policy lays down very high-level guidelines to be followed throughout the organization to ensure information & data security. Procedures & Processes are defined in line with the IS Policy to ensure that the requirements defined in the Policy are met. The group companies / subsidiaries & individual departments can define their own procedures and processes based on the IS Policy requirements. For example, the IS Policy might mention strong access control requirements, and based on this requirement physical access control for the data center would have 2-factor authentication (biometrics & access card) while an HR department might have only one level of authentication (access card). In a Cloud scenario it is quite critical that service providers have well-defined & holistic Procedures & Processes based on the IS Policy. All the aspects of the IS Policy should be taken into account. Ideally, procedures & processes should address the requirements of all the clients. It is the service provider's responsibility to ensure that the defined procedures & processes are strictly followed and that deviations, if any, are noted and acted upon. Customers / clients should have rights to audit / review the Policy & procedures defined and followed by the service provider.
4. Backups & DRP
Data availability is one of the biggest concerns in a Cloud Computing environment. The service provider should ensure that the data availability requirements of the respective clients are met. Data should be backed up and retained as per the defined IS Policy & procedures. The service provider should also do periodic restoration drills to ensure that the backed-up data is available in the required time frame. The service provider should also define a Business Continuity & Disaster Recovery Plan (BCP & DRP) as per the needs of the clients. Some clients, like the Financial sector, might need 24×7 availability with 0 downtime while some others might have x number of hours as acceptable downtime. So the service provider should provide the clients with options as per their requirements. Also, provision should be made for various DR site options (cold, warm, and hot). Regular DR drills should be conducted to ensure that the resources & facility are available in case of an actual disaster.
Customers should review the Backup procedures and BCP – DRP of the service providers and if need be conduct audits to ensure that it meets their data availability requirements.
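A customer reviewing the provider's restoration drills, as described above, can compare the latest drill for each client with that client's acceptable downtime and check that the drill is recent. This is an added example, not part of the original article; the record fields, client names, downtime figures and the 180-day drill interval are assumptions chosen for illustration.

```python
from datetime import date

# Constructed requirements: acceptable downtime per client, in hours.
ACCEPTABLE_DOWNTIME_H = {
    "bank": 0.0,       # 24x7 availability, 0 downtime
    "retailer": 8.0,
    "archive": 48.0,
    "clinic": 4.0,
}

# Constructed drill records: (client, drill date, hours to restore, succeeded)
DRILLS = [
    ("retailer", date(2024, 1, 10), 6.5, True),
    ("retailer", date(2024, 5, 2), 9.0, True),
    ("archive", date(2023, 6, 1), 20.0, True),
    ("bank", date(2024, 5, 20), 0.0, True),
]


def latest_drills(drills):
    """Keep only the most recent drill record for each client."""
    latest = {}
    for record in drills:
        client, drill_date = record[0], record[1]
        if client not in latest or drill_date > latest[client][1]:
            latest[client] = record
    return latest


def evaluate_drills(requirements, drills, today, max_age_days=180):
    """Return {client: [issues]}; an empty list means the drill evidence
    supports the client's availability requirement."""
    latest = latest_drills(drills)
    report = {}
    for client, allowed_hours in requirements.items():
        issues = []
        record = latest.get(client)
        if record is None:
            issues.append("no-drill")  # no evidence that a restore works
        else:
            _client, drill_date, restore_hours, succeeded = record
            if not succeeded:
                issues.append("restore-failed")
            elif restore_hours > allowed_hours:
                issues.append("exceeds-acceptable-downtime")
            if (today - drill_date).days > max_age_days:
                issues.append("drill-stale")  # result is too old to rely on
        report[client] = issues
    return report


if __name__ == "__main__":
    result = evaluate_drills(ACCEPTABLE_DOWNTIME_H, DRILLS, date(2024, 6, 1))
    for client, issues in result.items():
        print(client, issues or "ok")
```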
5. Communication Security
It is very important to ensure that the channel used to connect to the service provider or its resources is secured. SSL, VPN, SFTP and other end-to-end encryption techniques should be used. In a Cloud Computing environment the service provider should ensure that the applications and services it designs meet the security requirements. For example, HTTPS should be used instead of HTTP; SFTP should be used instead of FTP. Communication security becomes more critical in the Cloud Computing scenario, where the data resides in a multi-tenant shared infrastructure and is accessed in most instances through the insecure public internet.
6. Perimeter Security
Perimeter security is basically building a strong physical & logical fortress to keep out intruders & attackers. The physical premises of the service provider should be well guarded. Access should be granted on a need-to-know basis. All the entry and exit points should be secured to prevent unauthorized access. In a Cloud Computing scenario where critical data of multiple customers is being processed, any unauthorized physical access can lead to compromise of the confidentiality of the information, which in turn can have severe legal & regulatory implications. Appropriate devices like Firewalls and IPS / IDS should be put in place to take care of the logical perimeter security aspect.
7. IT & Application Security
The applications, underlying OS & database should be free of vulnerabilities and security holes. The customers rely on Cloud service providers to provide a secured & risk-free service. A Hardening Policy / Baseline should be defined to address the security requirements of the IT infrastructure. Before an OS or database is deployed in production it should be hardened as per the hardening guidelines, and a thorough security assessment of the same should be conducted. The same treatment is applicable to the applications being deployed in the cloud environment. The process of hardening is applicable to the virtual environment as much as it is applicable to the real infrastructure.
8. Security Audit & Reviews:
Given the nature of business in the Cloud, it is necessary that Security Reviews / Audits are conducted periodically. The review should start with the review of the IS Policy and underlying processes & procedures. It should be ensured that the defined processes are as per the IS Policy requirements. The processes should not only be defined but should also be followed, and exceptions, if any, should be noted and duly authorized. In the case of Cloud Computing, with multiple customers relying on the service provider, there is very little margin, or rather no margin, for deviations and exceptions.
The Security Review / Audit should also include a Security Assessment of the IT Infrastructure & Applications to ensure that they are secured against vulnerabilities & security holes. In today's technology-driven world new vulnerabilities are discovered every day, and appropriate workarounds and patches are developed by the vendors. It should be ensured that these vulnerabilities are plugged and the systems are patched. As an outcome of the Security Review, if need be, the IS Policy & underlying procedures like Baselines / Hardening documents should be updated to meet the security requirements and prevent compromise of the information assets.
Some of the Cloud Computing Security Breaches
Unauthorized Access to data in the Cloud:
A Twitter employee's email ID was compromised, leading to unauthorized access to corporate information stored on Google Apps. This was a clear example of the privacy concerns looming in the Cloud Computing environment.
DoS in the Cloud
In a proof of concept (PoC) exercise researchers were able to bring down a small company using Cloud services off the internet. The researchers registered as legitimate users for Amazon's EC2 service and conducted targeted attacks on their client's network to cause a complete Denial of Service.
Social Engineering attack
Back in 2007 there was a Social Engineering attack on a salesforce.com employee leading to possible phishing attacks on the salesforce.com employees & its customers. In a Cloud Computing environment a phishing scam could lead to compromise of confidential details possibly causing financial & personal grievances.