Cloud Computing Security Issues and Challenges

Security Policy Standard and Management

INF 806

Odegbesan Omobolaji Ayomide

A00018467


Abstract

IT infrastructure and technology are advancing rapidly. Individuals and organizations need easy access to information at any time and from any geographical location, using a smart device without any special configuration or customization, and with very few resources spent on servicing. Cloud computing is a practical example of this technology and infrastructure. Cloud computing is an Internet-based technology that involves the storage, processing, modification and sharing of computer resources through the interaction and interconnection of configurable devices by individuals or organizations at an affordable rate (Wikipedia, 2015).

Cloud computing provides a baseline technological standard that individuals and organizations can adopt without any major financial outlay on their part. Despite the many benefits that cloud computing provides, it is marred by security challenges and issues that hold back its acceptance by individuals and organizations. An example of this security concern is the compromise, modification and theft of critical and valuable information, either by hackers or by the third party handling the information in the cloud (Samson, 2013).

Introduction

The growth of the internet has become so rapid that it allows the sharing, storage, processing, transmission and modification of information and files of every kind; this new development in information technology is known as cloud computing (Chlcks & Cleveland, 2012). Cloud computing provides many advantages, such as low maintenance cost and easy access anywhere and at any time, but as advantageous as it might be, it has some disadvantages that prevent some organizations and individuals from accepting it.

This essay looks at the major security issues and challenges facing cloud computing. The first section discusses what cloud computing is. The next section covers its characteristics, service models and deployment models. This is followed by the major security challenges and issues affecting cloud computing, supported by a case study, and a discussion and conclusion close the paper.


Cloud Computing

The National Institute of Standards and Technology (NIST) defined cloud computing "as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" (Michael Hogan, 2011). In other words, cloud computing is a virtual environment, accessed through the internet, that allows for the storage, processing, transmission and sharing of computer resources. This type of computing service is provided by a cloud service provider, who manages data at an affordable rate for the customer (Wikipedia, 2015).

A growing number of users are moving away from the old method of buying hardware for data maintenance, which has the downsides of hardware depreciation, high cost and immobility (known as the CAPEX model), to an era of storage in the cloud over the internet (known as the OPEX model) (Wikipedia, 2015).

Characteristics of Cloud Computing

Cloud computing has several characteristics that distinguish it from other types of technology. The major characteristics of cloud computing are as follows.

1. Shared computing infrastructure and resources:

Cloud computing is based on the sharing of computing resources to deliver services. This sharing is made possible by a virtualized software model. Cloud computing resources are made available across a number of customers regardless of the deployment model (Corporation, 2010).

2. Provision of dynamic and on-demand self-service:

This allows users to provision the services and capabilities they require, which are delivered automatically by a software automation system. This characteristic makes cloud computing user-friendly and simple to use, as there is little or no interaction with the service provider or the host company. The wide range of network-accessed cloud computing infrastructure and resources is easily accessible over the internet from devices such as laptops, PCs and mobile devices, using standards-based application programming interfaces (APIs) (Corporation, 2010).

3. Service gauging facility:

A cloud computing system manages and measures the computing resources each customer uses. This is done by a metering system, incorporated into the cloud computing infrastructure, which is used to generate billing information and reports. This characteristic allows for transparency, as customers are billed appropriately for the services they use (Corporation, 2010).

Service Model

Service models are the services delivered to users on the basis of their needs and requirements. These services are distinct from each other in that they provide different facilities and services for customers (Michael Hogan, 2011). There are three types of service model, as follows.

1. Software as a Service (SaaS):

In this service model, the customer purchases the authorization and access to use software or an application that the cloud provider hosts in the cloud. The user is not authorized to manage or control the cloud infrastructure; they only have the right to use the application or software provided by the cloud provider (Michael Hogan, 2011).

2. Platform as a Service (PaaS):

In this service model, the customer acquires the right to access a platform that allows them to implement, deploy and use their own application software in the cloud. The customer only has access to the platform and does not have the right to manage or control the cloud infrastructure (Michael Hogan, 2011).

3. Infrastructure as a Service (IaaS):

This service model grants the consumer the use of storage, processing, network and other fundamental computing resources, and allows the consumer to deploy an operating system and applications, but the consumer does not control the cloud infrastructure.


Deployment Model

Cloud computing has four types of deployment model, which support users' needs and requirements as well as customer service requirements.

The deployment models are as follows.

1. Private Cloud:

This deployment model is exclusive to a particular firm or organization. The cloud infrastructure is managed, maintained, operated and controlled solely for that organization, and may be run either by the organization on its own premises or by a third-party cloud provider at a data center (Michael Hogan, 2011).

2. Community Cloud:

In this deployment model, the cloud infrastructure is shared by several organizations that have common needs, interests and requirements. It helps to reduce cost, as the organizations that use the model split the cost of running the cloud infrastructure. The infrastructure may be run either at a third-party data center by the cloud provider, or on or off the premises of any of the organizations (Michael Hogan, 2011).

3. Public Cloud:

This deployment model supports commercial use: the cloud infrastructure is used by the public for profit-making and commercial purposes. The customer can develop and deploy the services they need at an affordable cost (Michael Hogan, 2011).

4. Hybrid Cloud:

This deployment model consists of several cloud infrastructures, such as private, community and public clouds, which remain separate and unique clouds but are able to move applications and data from one cloud to another through a standardized technology (Michael Hogan, 2011).


Cloud Computing security Issues and challenges

Cloud computing was once only an IT business concept, but it has become a fast-growing technology. It has gained ground among individuals and organizations because it saves the resources and effort spent on managing computing resources, and it has completely revolutionized the IT world. The technology promises many benefits, but as beneficial as it might be, it is marred by some major issues and challenges (Zimski, 2009). Because of these issues, customers are skeptical about this new technology, as they are pressing issues that affect its users.

The major challenges facing cloud computing can be grouped into three broad, distinct categories, as follows (Beal, 2011).

1. Data Protection:

Data protection is one of the major challenges in cloud computing. Customers have to hand critical and valuable information to a third-party cloud provider; ensuring that this vital information is highly protected is a major concern for the customer and a major priority for the cloud provider. The data must be protected through encryption and other protection techniques, with a precisely defined role for each handler of the information. If it is not properly handled or managed, the information faces a high risk of compromise (Beal, 2011).

2. User Authentication:

User authentication is another challenge in cloud computing, as data residing in a cloud must be accessed only by authorized users. This is a critical challenge in cloud computing security: the cloud provider needs to monitor and restrict who is accessing the data in the cloud. It is a major concern for both the customer and the service provider, as fake authentication is at a high level in the present IT world. The cloud provider is required to ensure a strong authentication process and proper monitoring of the entry log: who accessed what, when and how (Beal, 2011).

3. Contingency Planning:

The risk of a data breach or of compromised data in the cloud is high, as the internet is not entirely secure and is a very good tool for hackers to use to steal and compromise vital information and data. There are also other factors, such as natural disasters, which can damage or compromise data, or make it unavailable or lost. There is a need for a plan to retrieve, protect and restore lost, stolen or compromised data in the event of a compromise due to any factor. A contingency plan should be put in place for unexpected events and disasters, should they occur (Beal, 2011).

There are other challenges and issues affecting cloud computing, such as data location. The location of stored data is an issue that involves the laws of a particular place: data might be highly secured in one location but not very secure in another because of the laws of that location (Binning, 2009).

Case Study

CloudFlare boss's Gmail hacked in redirect attack on 4Chan

This case study shows how the CloudFlare boss's Gmail was hacked in a redirect attack on 4Chan. "Content distribution network CloudFlare reset all its customer API keys over the weekend after its CEO's personal and corporate Gmail was breached in an elaborate attack on one customer, which appears to have been the 4Chan message board.

According to CloudFlare CEO Matthew Prince, a hacker last Friday exploited a subtle flaw in Google App's Gmail password recovery process, allowing them to break into his personal account, breach his CloudFlare.com Gmail address, bypass Gmail's two-factor authentication (TFA), and redirect one customer's website. UGNazi, the hacker group that claimed credit for the huge breach at billing software provider WHMCS, has also laid claim to the attack on CloudFlare, according to a report by Softpedia.

Prince said on Saturday Google confirmed there was a subtle flaw affecting not 2-step verification itself, but the account recovery flow for some accounts." Google said it had now blocked that attack vector. Prince did not use Gmail's TFA for his personal account, however, the company did for all its CloudFlare.com Gmail accounts. Prior to Google's confirmation, Prince was alarmed that TFA didn't prevent CloudFlare.com's accounts becoming compromised since it should have prevented this attack, even if the attacker had the password."

It's unclear from Prince's explanation how the attacker somehow convinced Google's account recovery systems to add a fraudulent recovery email address to my personal Gmail account, however once it was compromised he said the attacker was able to use the password recovery feature for his CloudFlare.com Gmail account to access his corporate email. Prince said that no customer credit card details were exposed since those details never pass through its servers but go straight to a billing provider, and that it appears the attacker had not accessed its core database or seen additional client data. However, a claim was made on the Twitter account of UGNazi member Cosmo that UGNazi had gained full access into CloudFlare's server and obtained the database", in a post flagging that 4Chan was redirected to the UGNazi Twitter account.

Cosmo also told Softpedia that UGNazi did access CloudFlare's main server, could see all customer account information, including names, payment methods, user IDs, and had access to reset any account on CloudFlare. The hackers said they planned on selling the information on Darkode. Cosmo also said Prince's explanation that the attacker convinced Google's account recovery was bogus, adding that there was "no way you could social engineer a Google App." On Saturday Prince said CloudFlare found that some customer API keys were present in the email accounts that were compromised, which was why it reset all API keys for things such as CloudFlare WordPress plugin.

In order to ensure they could not be used as an attack vector, we reset all customer API keys and disabled the process that would previously email them in certain cases to CloudFlare administrator accounts, said Prince. Despite the troubling realisation that Gmail's two-factor authentication failed to prevent the attack when it should have, Prince urged others to use it and said he has since turned the feature on for his personal account. Also, even though the password reset process was used to compromise Prince's 20+ character, unique and randomised password, he encouraged others to use an extremely strong password for email and to change any password recovery email to an account that you do not use for anything else and cannot easily be guessed by a determined hacker" (Tung, 2012).
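The case study turns on a recovery chain: a corporate account protected by two-factor authentication was reachable through a personal account that was not. The following Python code is an added example, not part of the original paper or the cited article; it audits a constructed account inventory (all addresses and field names are assumptions) and flags privileged accounts whose recovery chain passes through an account without two-factor authentication or outside the inventory.

```python
# Added example: audit account-recovery chains for weak links.
# The inventory below is constructed sample data; addresses and field names are assumptions.
ACCOUNTS = {
    "ceo@corp.example": {
        "recovery": "ceo.personal@mail.example", "mfa": True, "privileged": True},
    "ceo.personal@mail.example": {
        "recovery": "old.alias@mail.example", "mfa": False, "privileged": False},
    "old.alias@mail.example": {
        "recovery": None, "mfa": False, "privileged": False},
    "ops@corp.example": {
        "recovery": "ops.recovery@corp.example", "mfa": True, "privileged": True},
    "ops.recovery@corp.example": {
        "recovery": None, "mfa": True, "privileged": False},
}


def recovery_chain(accounts, start):
    """Return every address reachable from `start` by following recovery links.

    Stops at an account with no recovery address, at an address missing from
    the inventory, or when a link points back to an address already visited.
    """
    chain, seen = [], {start}
    current = accounts[start]["recovery"]
    while current is not None and current not in seen:
        chain.append(current)
        seen.add(current)
        current = accounts.get(current, {}).get("recovery")
    return chain


def audit(accounts):
    """Map each privileged account to the weak links in its recovery chain."""
    findings = {}
    for name, info in accounts.items():
        if not info["privileged"]:
            continue
        problems = []
        for hop in recovery_chain(accounts, name):
            target = accounts.get(hop)
            if target is None:
                problems.append(f"{hop}: recovery address is outside the inventory")
            elif not target["mfa"]:
                problems.append(f"{hop}: no two-factor authentication")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for account, problems in audit(ACCOUNTS).items():
        print(account)
        for problem in problems:
            print("  reachable via", problem)
```

In the sample inventory only the CEO account is flagged, because both hops of its recovery chain lack two-factor authentication, while the operations account recovers through a dedicated, protected address.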

Discussion

This paper discussed cloud computing, its characteristics and, above all, the security issues and challenges cloud computing faces in the IT world, backed by a case study that illustrates the importance of the three main categories of cloud computing challenges and issues: data protection, user authentication and contingency planning. These main challenges can be seen in the CloudFlare case study, where the CEO's corporate and personal Gmail accounts were hacked by bypassing two-factor verification, which was the Gmail authentication system. This led to the compromise and theft of valuable and vital information, and allowed the hacker to gain access to the firm's server and database, which contained valuable customer information that was stolen and sold by the hacker. This forced the firm to create a plan to prevent a recurrence of the event by putting preventive and proactive measures in place (Tung, 2012).

The case study shows how daunting the three main challenges are for cloud computing: resolving these cloud security issues and challenges successfully requires proper, high-level and serious attention.

Conclusion

This paper began by explaining the meaning of cloud computing and its attributes, and noted the main categories of cloud computing issues and challenges. These were backed by a case study used to show the interaction between theory and practice and the major cloud computing security issues and challenges faced by stakeholders of this fast-growing technological innovation. The case study also showed how important it is to face these challenges squarely in order to avoid and reduce the associated risks: theft and compromise of vital data and information; theft or use of fake identification by criminals and hackers, who use the internet as a vital weapon for such security breaches; and a bad contingency plan, which can lead to valuable data being lost with no way to retrieve it when an unexpected event happens.

In conclusion, this paper showed that cloud computing has major security issues and challenges faced by customers and service providers, despite the fact that it provides a lot of benefits to both. Cloud computing has the potential to grow into a more secure virtual environment in the future.

References

Beal, V. (2011, 04 11). QuinStreet Inc. Retrieved from Webopedia: http://www.webopedia.com/DidYouKnow/Hardware_Software/cloud_computing_security_challenges.html

Binning, D. (2009, 04 24). Tech Target. Retrieved from Computer Weekly: http://www.computerweekly.com/news/2240089111/Top-five-cloud-computing-security-issues

Chlcks, K. S., & Cleveland, D. (2012, 5 25). Wikinvest. Retrieved from Wikinvest TM: http://www.wikinvest.com/concept/Cloud_Computing

Corporation, D. (2010). Introduction to Cloud. Montreal: Dialogic Corporation.

Michael Hogan, F. L. (2011). NIST Cloud Computing Standards Roadmap. Gaithersburg: National Institute of Standards and Technology.

Samson, T. (2013, 02 25). InfoWorld, Inc. Retrieved from InfoWorld Tech Watch: http://www.infoworld.com/article/2613560/cloud-security/cloud-security-9-top-threats-to-cloud-computing-security.html

Tung, L. (2012, 6 4). IDG Communications Pty Ltd. Retrieved from IDG: http://www.cso.com.au/article/426515/cloudflare_boss_gmail_hacked_redirect_attack_4chan/

Wikipedia, t. f. (2015, 10 27). Wikimedia Foundation, Inc. Retrieved from Wikipedia, the free encyclopedia: https://en.wikipedia.org/wiki/Cloud_computing

Zimski, P. (2009, 09 6). TechTarget. Retrieved from Computer Weekly: http://www.computerweekly.com/opinion/Cloud-computing-faces-security-storm