The term ‘cloud computing’ gets tossed around in media and business settings, and while everyone seems to know generally what it is, not everyone is aware of how to use it, much less how to implement it in a safe way that still enables it to provide the full benefits of storing data in the cloud versus storing and managing it on-site. Cloud computing has many benefits for businesses, such as allowing them to store information and be managed by an outside company, which eliminates the cost and effort of a company having to buy servers, install and configure them, and then hire IT staff to continue to maintain them. According to a study of over 1,300 U.S. and U.K. businesses, 88 percent reported that they saved money using cloud services, and 56 percent reported that it boosted profits (Olavsrud). These numbers are hard to argue with, but businesses also have to take into consideration the security risks involved with storing data remotely. Businesses have to make the decision of what type of cloud services to use, and must have a deployment plan in place before they begin using them, which requires knowledge of how Software as a Service (SaaS) and Infrastructure as a Service works and how to train their employees in their safe usage. Employees must be trained by informed IT staff, as the biggest risk of cloud computing lies, as always, with the end-user’s actions.
Types of Cloud Computing
After a business decides that converting their existing on-site data storage to cloud storage is the right decision for the company, they must then decide how best to go about implementing this change, which requires formulating some kind of action plan. This further involves knowing exactly what options exist to host data. Cloud servers can be split into public, private, and hybrid servers, all of which provide different benefits (businessnewsdaily.com).
Public cloud services are offered by companies that build external platforms that host multiple users, meaning the infrastructure is shared by all the users. The benefits to this model are that individual users don’t have to worry about many of the details that would plague an in-house server. Public cloud services manage the site security, as well as content management tools. They also are constantly updating, allowing for seamless transition between different and new technologies.
A private cloud refers to an in-house cloud system that is set up and maintained by a companies own IT staff. This provides a company with the flexibility to manage all of the details of their data storage which they could not get with a publicly-hosted cloud. On the downside, this is more expensive to maintain and requires the cost of buying the physical infrastructure.
A hybrid cloud system, as the name suggests, combines both the public and private cloud servers models into one integrated system. For example, a company may choose to host some more sensitive types of data, such a private customer information, or proprietary company information, in-house where they can be in complete control of the level of security employed around it. However, there is likely lots of information that is not sensitive in any way, or much less sensitive as to warrant lower security needs, with which they would be comfortable hosting on a public cloud server. This still allows them to save some money, as well as all of the other benefits of using a public cloud.
Risks Associated with Using Cloud Services
Many people in the business world are unjustly worried about the security risks involved with using a cloud service. According to the company BlackStratus, a online security information event management company, some of the common concerns of their customers about cloud services include “fear of the unknown,” or the fact that exactly what cloud services include isn’t well-defined for most people (blackstratus.com). They aren’t aware of the differences between cloud services that offer Infrastructure as a Service (IaaS) versus Software as a Service (SaaS) versus Platform as a Service (PaaS) and how exactly each of these different services can be used.
Another reason people fear switching to cloud services are because they are too concerned about needing to be involved with managing the physical structure of the servers, which Blackstratus refers to as “server huggers” (blackstratus.com). This fails to take into account that when choosing a company to host data, a lot care and research should be done to ensure they are a reputable and trustworthy company. Then, when used, it frees up the company’s IT staff to allocate more resources to other, more pressing problems as they arise rather than managing tedious daily details that can be handled by the cloud service company.
Many times, in-house IT staff are reluctant to embrace cloud technology as they worry that they are outsourcing their own jobs and therefore becoming redundant (blackstratus.com). While it is true that there may be restructuring involved with the implementation of cloud services, a company can very easily move existing IT staff into positions that allow them to pay closer attention to more important problems, increasing the security of the company overall.
The last concern mentioned by Blackstratus is a valid one, and is that of data loss (blackstratus.com). Unfortunately, this is a concern that is not specific to cloud servers, but is a problem that plagues most companies at most times. However, the usage of cloud services does come with its own set of problems surrounding data loss, and therefore the risk of data loss through cloud services does need to be addressed, though it is certainly not the only valid security concern. At the 2016 annual Cloud Security Alliance conference, there were 12 security risks mentioned as the “Treacherous 12” cloud security risks, which were defined as follows, in order of decreasing severity: data breaches, weak identity, credential and access management, insecure APIs, system and application vulnerabilities, account hijacking, malicious insiders, advanced persistent threats, data loss, insufficient due diligence, abuse and nefarious use of cloud services, denial of service, and shared technology issues. The following section will address each of these points, describing the issue as well as ways to mitigate them as a security risk when using cloud services.
Data breaches occur when controlled information is viewed or stolen from a cloud server. Because data is so valuable to many groups of people - hackers, activists, or malicious insiders - it is always going to be a top concern for companies. There are two main causes of data breaches, which are lack of encryption of data and multifactor authentication, both of which are easily dealt with at the company-level.
Weak Identity, Credential and Access Management
Weak identity is a major source of malicious activity. Weak password is very easy to correct by using a system that enforces strong password creation, and includes user education that instructs on proper password creation and pitfalls to avoid — such as reusing old passwords or writing them down and storing them where they may be discovered by third-parties. Access management systems must be able to adapt to constantly changing personnel within a company, and be able to handle changes in permission rights quickly and efficiently. Credentials and keys can become weak if they aren’t stored securely, or if they aren’t used correctly. Any weaknesses in any of these areas allows attackers an easy point to breach data.
Application programming interfaces (APIs), as well as user interfaces (UIs) allow a user to interact with a program and what gives a user access to cloud services. If these aren’t secure, the entire process becomes a security threat. They are constantly being updated, and often times third-party services require access to the system to make changes, which makes it more vulnerable to attack or even to accidental misuse. Care must be taken to ensure security is updated as quickly as changes are made to APIs and UIs, as well as preventative measures taken, such as threat modeling and penetration testing (Treacherous 12).
System and Application Vulnerabilities
Bugs in systems and applications are nothing unique to cloud servers, they are well known to exist in all computer systems, and have only become more prevalent with the advent of networked computers, which can allow remote access to systems that were previously insulated from outside attack. Additionally, cloud usage can potentially expose all the computers that are interconnected within the cloud network, risking much more data than that from just one computer. The same solutions for this exist as for singular systems, which are ensuring robust security plans are in place at all times, as well as competent IT staff that are ready to deploy emergency contingency plans as soon as a problem arises.
Account hijacking, like system bugs, is something that is seen in all spheres of computer realms, not just cloud services. This happens as a result of stolen credentials, which can occur from a variety of sources, be it social engineering, or data stolen from other websites from a user who reuses passwords across sites. Once an account is compromised, it is possible to snoop on all of the activities of the user and control whatever aspects of the system are beneficial to the attacker. This can be prevented by two-factor authentication and strong password use that are unique to sensitive profiles rather than being used for multiple sites and user profiles.
The threat from malicious insiders will always exist and should be a valid area of concern for private companies. Cloud service providers may pose a significant threat of damage from malicious insiders if a company using their services doesn’t have enough oversight. They should constantly be running audits which include tracking users and their activities to prevent from malicious attacks, as threats can come from system administrators, tech-savvy insiders, disgruntled employees, or ignorant and incompetent employees (cloudtweak.com).
Advanced Persistent Threats
Advanced persistent threats are the stereotypical malicious hacker attack: programs created for nefarious purposes to steal or misuse data. These insidious programs are planted and then can adapt to changing security measures, making them very difficult to detect. Though they can be difficult to prevent, it is important that measures are in place that will detect them as they happen. These include monitoring network traffic, learning to identify early warning signs such as malicious URLs and mobile apps, payloads and bad files, investigating suspicious files, validating any findings, and planning an appropriate response (trendmicro.com).
Data loss is a big problem for companies. It is a huge asset for most companies, and can be easily corrupted or lost. Data can be accidentally deleted, or as a result of malicious attack, from other the cloud service provider or from the customer. If a customer encrypts data and then loses the encryption key after uploading , for example, the data is as lost as if it were deleted outright. The easiest way to protect against data loss is to backup data and find out what the cloud service provider has for contingency plans if such a data loss were to occur.
Insufficient Due Diligence
Because cloud technology is such a recent technological advent, not all new companies will be following the newest and best practice security guidelines for its safe use, which is why it is so important to do thorough research before beginning to use a cloud service provider. All of the preparation and careful use is meaningless if the cloud service isn’t as careful as they should be. According to Tier Point’s “With All Due Diligence,” before beginning business with a cloud service provider, a company should take the following six steps: first, physically visit the facility to see the cloud infrastructure, get references for the company when vetting them, check for compliance certificates currency, require evidence of all claims made to verify them, seek out professional recommendations, and lastly, test the system with penetration tests. The results of these six steps should help pick out the companies able to keep up with current security risks and those that cannot.
Abuse and Nefarious Use of Cloud Services
According to the CSA’s 2016 report “The Treacherous 12,” examples of misuse of cloud services includes “launching DDoS attacks, email spam and phishing campaigns; “mining” for digital currency; large-scale automated click fraud; brute-force compute attacks of stolen credential databases; and hosting of malicious or pirated content.” Because having to deal with the misuse of cloud services requires time and financial resources, this will result in higher costs for the company and therefore does need to be addressed. It is difficult to prevent this kind of misuse, as it is done, by definition, by people who are authorized to use the system, and so it is important to have good plans in place to monitor network usage, and analyze actions taken.
Denial of Service
Denial of service attacks occur when system resources are consumed by an attacker purposefully sending massive amounts of traffic to a site or application causing it to be inaccessible to other users. Cloud service providers can be targeted more often because they serve multiple clients at a time, but as a result of this they should be better equipped to handle attacks. A company should have a plan in place to monitor their websites to ensure that they can pick up a DOS attack as soon as it begins, and then be able to quickly shut down areas under attack.
Shared Technology Issues
The different offering by cloud service providers for IaaS, PaaS, and SaaS all come under the same umbrella of the “cloud” while still being different services. Because they are all together while being separate, they don’t do a good job of isolating their services when one part of the system comes under attack or has a problem of some kind. The Treacherous 12 report recommends “Mitigations to prevent a breach in shared resources should be implemented, such as multi-factor authentication on all hosts, Hostbased Intrusion Detection System (HIDS) and Network-based Intrusion Detection Systems (NIDS on internal networks, applying concepts of networking least privilege and segmentation, and keeping shared resources patched.”
Cloud service providers offer companies a way to delegate the task of storing information to an outside source, which allows them to save valuable resources such as time and money for their internal IT staff, which can further allow them to focus their energies on improving current internal security practices. As the technology continues to develop and become cheaper to use, it will become more and more of a valuable service to companies of all sizes. By thoroughly planning for contingencies, and educating users on how to correctly interact with cloud services, a company can greatly mitigate the risk they take when relying on cloud service providers, while reaping the benefits of their services to help their business grow and succeed.
...(download the rest of the essay above)