Cloud Security

Cloud computing can be used by SMEs (small and medium enterprises) for a wide range of business applications, including front office, back office, custom applications, storage, and business continuity. There are many business advantages (see Cloud Computing). Cloud services are typically “pay as you go” models, which foster “economies of scale” by reducing investment in hardware, software, and IT experts. Costs are lower than with traditional IT solutions. For a distributed workforce, the cloud provides ease of access from spread-out physical locations and from various end-user devices.

The cloud computing environment gives rise to network and information security opportunities. Generally speaking, large CSPs (Cloud Service Providers) such as AWS can offer advanced security measures while spreading the associated costs across shared resources. This means that basic security settings might be ‘shared’ between resources and might not be customizable, but it also translates to some unique security opportunities. Below I have taken the liberty of highlighting 11 different possibilities for network and information security:

Cloud computing data centers are spread out across different geographic regions, domestically or internationally. The geographic range provides resiliency against disasters such as storms, earthquakes, or fiber cuts. This type of topology can also be used to mitigate some Denial of Service (DoS) attacks, allowing customers to get access from other locations. The geographic spread of data centers can also help reduce network latency because the services are provided from sites closer to the client. This could improve the overall availability and performance of the service.

CSPs use data centers with large amounts of resources, such as space and storage, and are able to respond to businesses' requests for more resources during peak usage and to security threats such as DDoS (Distributed Denial of Service) attacks. Just note that each cloud service is different and, depending on the requested services, offers various types of elasticity. Some limitations might be resource consumption.

In some instances elasticity may need to be configured or requested individually by the client, and may increase costs.

Cloud computing is a shared pool of resources, so in practice cloud services are often compliant with best practices deployed industry-wide. For example, PaaS providers offer typical PHP application resources, and SaaS providers implement standard interfaces based on XML and JSON (JavaScript Object Notation). This provides greater flexibility for integration with other services or migrating to other platforms. This is relevant to security because it facilitates backup, failover, and integration with existing security tools, such as monitoring and threat analysis tools.

It's important to ask which standards your CSP is using.

In the case of shared resources, physical security is relatively affordable. Security measures such as perimeter monitoring, guards, alarm systems, camera surveillance, and automated fire retardant systems are spread amongst the customers. Most CSP environments provide state-of-the-art security measures, which mitigate risk when it comes to theft and disaster.

Security issues can occur at any time, and continuous 24/7 monitoring and response capabilities are a benefit of cloud computing security. Please be clear that not all CSPs monitor or respond to security threats; some still leave some of the security responsibilities in the hands of the client, specifically in a hybrid environment.

Developing software and keeping it secure isn’t easy and requires resources, time, and processes. A safe software development pipeline includes unit tests, continuous integration, penetration and security tests such as load tests and, most importantly, skilled and qualified resources. This isn’t easy to set up and maintain. Building custom software safely requires investment, and even outsourcing isn’t always the most cost-beneficial way to proceed.

CSPs can afford to invest in secure software development, spreading these costs across many customers. Items such as customization may be lost, but the advantage is risk mitigation in software development.

Software essential to a client is always updated and patched by the provider. This is especially true in IaaS and PaaS cloud services. A user may run their own software on top of the cloud service infrastructure and is then responsible for managing its patches and updates.

Attackers need only a small window of opportunity to find and exploit a vulnerability; this holds true in particular for off-the-shelf software. Cybercriminals pay particular attention to provider patches, reverse engineering them to find the underlying vulnerabilities, which can happen in a matter of hours. These kinds of attacks succeed because organizations are slow to update and patch systems. CSPs automate patching and updates, thus reducing the windows of opportunity for exploitation by cyber criminals.

Please note that automated patching and updating might break functionality in cases where clients are using services such as APIs in a non-standard way, or when customers run their own code on top of a cloud service such as IaaS/PaaS. The same holds true for on-premise IT deployments.

Making backups across a broad range of applications and devices, and restoring them when needed, can be daunting and time-consuming. In a cloud environment, CSPs can implement tools to automate, create, and test backups, as well as provide backup and restore solutions. This allows the client to roll back mistakes and errors. Cloud usage scenarios provide applications online as client-server applications. Cloud environments reduce the amount of data kept on the customer side, which simplifies the backup process.

Cloud backup between data centers requires storage and network bandwidth, and in some scenarios the CSP will not provide the backups for free.


Many businesses today have a range of mobile end-user devices which are relatively susceptible to theft, loss, and physical damage. Make no mistake, these can have a tremendous impact on the assets of the business for several reasons. In mobile device management (MDM), it’s not always easy to back up, encrypt, or protect the device from loss or theft, or to control access to the devices. Cloud computing can mitigate some of these vulnerabilities by limiting the amount of corporate data on the end-user device.

In cloud computing environments, some security tasks remain with the client, particularly in the case of IaaS and PaaS. Third-party providers, such as a Security as a Service firm, may be called upon to handle these security tasks. Such tasks might include patching the OS regularly, and detecting and responding to security issues by isolating and replacing infected hosts immediately. In traditional IT, where physical access to the premises is required, this might pose a problem.

CSPs can provide a range of additional security services by partnering with third-party firms.

CSPs provide their own set of standards for certification and compliance, but it’s always the client’s responsibility to ensure they are following the proper security compliance standards. Many customers will use the services of independent auditors to maintain the proper standards. Although a customer must maintain their respective obligations, they can take advantage of the existing compliance certifications provided by the CSP.

I am not going to go into all the compliance processes, but consideration should be given to physical access to the assets, and in most cases CSPs will not allow access.

Security Risks

Below are the top 9 Security considerations in Cloud Computing

Confidentiality vulnerabilities in cloud software could have a significant impact on a business. For example, a SaaS email service which is vulnerable to SQL injection could lead to a breach of customers’ personal information.

It’s critical to understand who is responsible for the software components. SaaS (Software as a Service) providers are responsible for all the software vulnerabilities. In the case of IaaS/PaaS, the customer is responsible for the software they implement.

Some software vulnerabilities could lead to a client gaining access to another customer’s information, through a direct or side channel. This type of weakness is called an isolation failure. In a non-cloud setting, isolation failures are less of an issue because there is no co-tenancy.

This is especially relevant for sensitive data, and it’s important to ask the right questions. As we know, SaaS providers include some of the largest well-known companies, with an excellent track record of providing proper security measures. Be careful, because not all SaaS providers do a good job at software security. Cloud software is quite attractive to hackers and cyber criminals because it allows them access to many customers through one entity.

According to open sources: back in 2011 a large SaaS provider was down for 4-16 hours due to an isolation failure.

Cloud computing is used over internet connections, meaning clients need to be aware of the risks involved, especially network attacks such as spoofing, sniffing/eavesdropping, Denial-of-Service attacks, man-in-the-middle attacks, pharming, and wiretapping. These types of attacks typically occur on end-user interfaces, administrator interfaces, and application programming interfaces (APIs).

Spoofing Attacks

This type of attack happens when a third party impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware, or bypass access controls. Spoofing attacks come in several different forms.

  • IP Address Spoofing Attacks
    • One of the most frequently used forms.
    • Sends IP packets with a false (or “spoofed”) source address to disguise the sender.
    • Denial of Service attacks often use IP spoofing to overload networks and devices with packets that appear to come from legitimate IP addresses.

There are two ways it can be used to overload targets:

  • Flood a selected target from multiple spoofed addresses with more data than it can handle.
  • Spoof the target's IP address and send packets from that address to many different recipients on the network, whose replies then go to the target.

Spoofing attacks can also be used to evade IP address-based authentication. This kind of attack can be very complicated, because it depends on a trust relationship set up between machines on the network and the internal systems. “Trust relationships” use IP addresses rather than logins to authenticate and verify devices' identity. This enables cyber criminals to use spoofing attacks to act as a machine with permissions and bypass trust-based network security.

  • ARP stands for Address Resolution Protocol.

ARP is used to resolve IP addresses to MAC addresses. MAC stands for Media Access Control; the MAC address is the physical address of the machine. The cyber criminal sends spoofed ARP messages across the local area network, linking the attacker’s MAC address with the IP address of a verified member of the network.

What actually happens is that data intended for the host’s IP address gets sent to the attacker instead. The cyber criminal uses this type of spoofing to steal information, modify the data en route, or stop traffic on a Local Area Network (LAN). This kind of spoofing only works on LANs that use the Address Resolution Protocol.
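A defender can watch for this in ARP traffic. The following is an added example, not part of the original article: it scans ARP reply observations for an IP whose MAC binding changes and for a MAC that claims several IPs. The sample addresses are constructed, and the function name `find_arp_anomalies` and its `trusted` parameter are assumptions of the example.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) from ARP replies seen
# on one LAN segment. All addresses are made up for illustration.
SAMPLE_ARP_REPLIES = [
    (0, "192.168.1.1", "aa:aa:aa:00:00:01"),   # gateway
    (5, "192.168.1.20", "aa:aa:aa:00:00:20"),  # workstation
    (9, "192.168.1.66", "de:ad:be:ef:00:66"),  # another host
    (12, "192.168.1.1", "de:ad:be:ef:00:66"),  # gateway IP claimed by .66's MAC
    (13, "192.168.1.1", "aa:aa:aa:00:00:01"),  # real gateway answers again
    (14, "192.168.1.1", "de:ad:be:ef:00:66"),  # conflicting claim repeats
]

def find_arp_anomalies(replies, trusted=None):
    """Return findings as (time, kind, ip, mac, detail) tuples.

    trusted (hypothetical parameter): dict of IP -> known-good MAC, e.g. the
    gateway; for those IPs any other MAC is reported and changes are not.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    last_mac = {}                   # ip -> most recent MAC seen for it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed
    findings = []
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        if ip in trusted:
            if mac != trusted[ip]:
                findings.append((ts, "static-binding-violation", ip, mac, trusted[ip]))
        elif ip in last_mac and last_mac[ip] != mac:
            # detail = the MAC previously bound to this IP
            findings.append((ts, "binding-changed", ip, mac, last_mac[ip]))
        last_mac[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                claimed = ",".join(sorted(ips_by_mac[mac]))
                findings.append((ts, "mac-claims-multiple-ips", ip, mac, claimed))
    return findings

if __name__ == "__main__":
    for finding in find_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(finding)
```

Legitimate events such as DHCP reassignment, failover pairs, or hosts with several IP addresses produce the same findings, so they are leads to check against known bindings rather than proof of spoofing.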

  • DNS Server Spoofing Attacks

DNS associates domain names with IP addresses. Devices that connect to the internet rely on DNS for resolving URLs, email addresses, and other domain names into their corresponding IP addresses.

DNS server spoofing is the modification of the DNS server to reroute a specific domain name to a different IP address, that of a server actually controlled by the cyber criminal. It is often used to spread computer worms and viruses: the server contains infected files and malware.

In a cloud environment, issuing credentials to a user usually happens via emails or websites. This opens up the vulnerability of social engineering attacks: a cyber criminal fakes communication or information so that it appears to come from a trustworthy source like the CSP. As an example, the attacker impersonates a customer and initiates a credential recovery. This gives the malicious party access to the client’s account, which can lead to all kinds of things, such as deleting the customer’s information. Alternatively, the attacker impersonates the CSP to obtain the credentials (aka phishing).

The targeted users might hold high-profile roles such as software developers, administrators, and managers, on both the CSP and the client side of the house.

In any cloud hosting environment, a client is offered a management interface, which gives them administrator access to a large number of areas and assets. Take SaaS, for instance: all the user accounts of the client's employees are available. In IaaS and PaaS, it is all the different client machines and applications. If an attacker can gain access to the interface, the damage can be huge from an economic point of view.

Some areas to consider should be the interfaces, proper authentication and authorization mechanisms particularly for administrators, developers, and managers.  Also, be aware of the browsers

One of the key advantages of cloud computing is fixed-mobile convergence and access from any browser via HTTPS or a secure link. The susceptibility to loss and theft is high among tablets and mobile devices. This creates vulnerabilities such as data and credential breaches, which present problems for a business. One risk of mobile computing is the susceptibility to malicious code: a cyber criminal can access information on a mobile device.

The top issues affecting mobility in cloud computing are data loss from stolen or lost devices, mobile malware, data leakage through poorly put together third-party applications, and vulnerabilities within the devices, OS, design, and applications. Others are insecure network connections such as the ones found in Starbucks coffee houses, rogue marketplaces, and insufficient management tools.

An intruder can sniff your data in a wireless communication environment. Data access points can be interrupted, and this leads to data locked in particular services.


Earthquakes, fires, and floods can adversely affect a customer’s assets or the data centers of a CSP. It’s critical to understand failover and, therefore, to have a business continuity plan in place which addresses physical hazards.

Cloud computing offers great economies of scale, getting more value for less cost. Secure logical isolation is the ability to make sure clients can’t access each other’s data. Cloud computing customers should ask how their cloud service provider handles peaks in demand or increased usage. Check the SLAs.

Cloud computing offers several options as far as costs go, but the most common route is pay as you go. It means prices are always fixed. This also means costs can be very high, especially when users or employees upload and store a lot of data, or because of attacks. A malicious party could mount a DoS (Denial of Service) attack and, in that case, consume resources. This is considered a security risk but also a business risk. Unexpected costs could lead to financial issues and in turn result in an outage. Check how your service scales with increased usage and what the presumed costs are.

Is the inability to migrate to another CSP, and this can become a financial issue and a security risk.  Examples include legal conflicts, billing or major outages.

Standard data formats

For example, circumstances may force a customer to migrate to another provider, such as a legal conflict, issues about billing, or major outages. If the customer does not use standard data formats and interfaces, then migration may become difficult and/or time-consuming.

Customers should have a business continuity strategy.

This should include migration/exit plans for moving data and/or processes to another provider. As part of this strategy, customers should consider backing up their data regularly, in a standard format, to be able to migrate when needed, and test regularly whether migration works.
