-
Seven Cloud Computing Security Issues
"Once you put it (Data) on a remote Cloud server which is
accessible via the Internet, it's not amatter of if you'll have a
breach; it is when (as evident by the countless breaches happening
thisyear)." (Liticism, 2011)
What is Cloud Computing?
"Cloud computing is an emerging computing technology that uses
the internet and central remoteservers to maintain data and
applications". (WikiInvest, 2011)
Seven Cloud Computing Security Risks
Gartner states there are Seven Cloud computing Security risks
and suggest as an organisation youshould ask questions around the
qualifications of the cloud provider including; (Brodkin, 2010)
Who are the policy makers?
Who are the architects?
Who has specialised access to data and have these administrators
had their backgrounds checkedand who manages them?
What are the service providers risk control processes?
What are their technical mechanisms and recovery plans?
What is their level of testing, security and compliance?
Where is the data located and how is this controlled?
Organisations should look at and identify any unanticipated
vulnerabilities before considering usinga cloud service
provider.
Data Protection & Security Issues
As the Cloud Service provider has access to all your data and
could potentially disclose it forunauthorized purposes this is a
major concern that raises privacy and confidentiality issues.
Cloud technology is revolutionising how organizations are doing
business. Organizations in everyindustry are embracing cloud
computing as a means to lower and costs and the
complexitiesassociated with traditional IT approaches.
"Organizations that approach cloud in a tactical fashionrisk
security exposure due to fragmentation, redundancy and operating
silos." (Managed with cloudtechnologies, no date)
We will look at the main data protection and security issues
that organisations have to considerwhen using Cloud technology
below;
Data Security and Accessibility Issues
-
Section 2(1)(d) of the Data Protection Act states that companies
protect their data fromunauthorised access, alteration, destruction
or disclosure especially when it comes to that databeing
transmitted over the cloud. (Office of the Data Protection
Commissioner, no date).
Section 2C(1) of the Data Protection Act states what an
organisation should do to implement propersecurity procedures and
be aware of the resulting consequences and effect of this data
beingdestroyed or unlawfully breached. It is important therefore to
ensure proper security and riskcontingency plans such as
encryption, personnel screening, access levels etc. (Office of the
DataProtection Commissioner, no date).
Therefore it is the organisations responsibility to consider all
these factors when giving up control oftheir data before using the
cloud.
Security Threats
Attacks on the cloud are tempting for hackers who will want to
implement cybercrime, the reasonbeing that all data may be shared
on one server using co-tendency. Basically having all your eggs
inone basket!
Even leading providers such as Google had and have security
risks where in one case people'sprivate documents stored on Google
Docs were shared with other users without their
permission.(Preston, 2009)
Even the most encrypted secure passwords have the potential to
be hacked using the combinedserver power of cloud computing.
Fraud & Cybercrime
Fraud and cybercrime are often perpetrated without your
knowledge if via Cloud Services. Using thecloud and sharing servers
can increase the risk of these servers harbouring spying agents,
passwordstealers or other types of malware. Botnets
http://www.clickbooth.com/ were responsible for thetheft of $100
million from bank accounts alone in 2009. (Babcock, C, 2010, Page
153)
When using virtual machines it is harder to detect SQL
injections and other types of malicious code.The cloud is an
attractive target for hackers who want to steal passwords, bank
account informationand personal identities as all the activity is
in one concentrated area.
Data Security - What is it?
"Data security refers to a broad set of policies, technologies,
and controls deployed to protect data,applications, and the
associated infrastructure of cloud computing." ('Cloud Computing
Security', nodate)
Cloud Computing Security Issues
No security system is 100% secure. Saleforce.com suffered a
phishing attack in December 2007when a member of staff was fooled
into giving out passwords. (Krebs, 2007)
Understand the risks of Cloud computing service providers, their
3rd parties, potential attacks ondata, downtime and exception
monitoring to ensure your business is fully protected.
-
There are no uniform standards to fully protect data controllers
yet.
Essential to know where your data is stored and the local law
and juristriction of the countrieswhere your data is stored as
mentioned previously.
Security Challenges
Listed below are some of the security challenges that should be
considered by organizations beforemoving to the cloud;
Once you assets are in the cloud you lose control over them.
Do you trust your data to your service provider? Check their
service agreements thoroughly.
The loss of control over your onsite physical security.
When sharing servers with other companies government agencies
may 'reasonable cause' to seizeyour assets because another company
has cms violated the law.
Incompatibility between cloud vendors. (Microsoft Azure is not
compatible with Amazon S3 forexample.) How do you then retrieve and
move your data?
If encrypted then who controls those encryption/decryption keys?
You or the provider?
Is your data SSL secure over the internet and/or encrypted while
in vendors storage pool?
Data integrity - is your data identically maintained during any
operation? If you are using PCI DSSfor ecommerce transaction you
will need access to the cloud provider's logs so you will need
tonegotiate access to these.
Data protection - how is your data protected?
Identity management
Physical and personnel security
Availability
Application security
Privacy Issues
The key question to ask as an organisation is; do you trust
putting your mission critical apps or dataon the cloud and what are
the consequences of doing so? (Rittinghouse and Ransome, 2010,
p.160)
Data Security Issues for Mobile Staff
As employees are working more from home, hotels or coffee shops,
companies are investigatingways to keep their devices and data safe
and secure. Some issues include unsecure access tointernet using
WiFi, theft of laptops and devices, unencrypted data, etc
-
"Desktop virtualisation may be the solution: 86 percent of the
international companies surveyed byCitrix, a cloud provider, cited
security as their primary motivation for getting into the area".
(Leach,2011)
Key Challenges
As an organisation you are storing your data on someone else's
server and as such they have admincontrol over it and can view,
delete, edit and access this data. Data level security businesses
need toknow data is protected and encrypted wherever it goes and to
have their own auditing and databackup and recovery mechanisms in
place.
Conclusion
Best practices are still being identified and defined and direct
experience may be the best learningtool. There are many risks in
the cloud but these can be evaluated and defined for certain
workloads.Organisations will have to consider whether they only use
the cloud for certain aspects of theirbusiness such as non mission
critical information or data where laws governing data
protection,security and confidentially are less stringent.
