Cloud Computing Security
Download as DOCX, PDF0 likes408 views
The document discusses various security concerns in cloud computing, emphasizing the importance of policies and controls to protect data and applications. Key threats include data breaches, data loss, account hijacking, and insecure APIs, alongside the need for organizations to conduct due diligence when adopting cloud services. The Heartbleed bug is highlighted as a significant security vulnerability affecting numerous websites and cloud services, exposing sensitive information without leaving traces.
Cloud Computing Security
- 1. Cloud Computing Security By: Ahmed Banafa, Distinguished Tenured Staff | Faculty | SME | E-Learning Expert | Four-time winner of instructor of the year award A broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. Because of the cloud's very nature as a shared resource, identity management, privacy ,access control , are of particular concern. With more organizations using cloud computing and associated cloud providers for data operations, proper security in these and other potentially vulnerable areas have become a priority for organizations contracting with a cloud computing provider. Cloud computing security processes should address the security controls the cloud provider will incorporate to maintain the customer's data security, privacy andcompliance with necessary regulations. The processes will also likely include a business continuity and data backup plan in the case of a cloud security breach. In the second half of 2013, Forrester Research conducted its usual Forrsights Hardware Survey and found enterprise hardware buyers more than willing to make use of cloud servers, but they were limiting their use because of unresolved concerns over security. In that survey, 73% of IT decision makers were concerned about public cloud security, and 51% were concerned about their own private cloud security. Cloud Security Threats According to CSA’s Report of 2013the biggest threats:
- 2. Data Breaches Cloud computing introduces significant new avenues of attack. The absolute security of hypervisor operation and virtual machine operations is still to be proved. Clouds represent concentrations of corporate applications and data, and if any intruder penetrated far enough, who knows how many sensitive pieces of information will be exposed. "If a multitenant cloud service database is not properly designed, a flaw in one client's application could allow an attacker access not only to that client's data, but every other client's data as well," the report concluded. Data Loss a data breach is the result of a malicious and probably intrusive action.Small amounts of data were lost for some Amazon Web Service customers as its EC2 cloud suffered "a remirroring storm" due to human operator error on Easter weekend in 2011. And a data loss could occur intentionally in the event of a malicious attack. Account Or Service Traffic Hijacking Account hijacking sounds too elementary to be a concern in the cloud. Phishing, exploitation of software vulnerabilities such as buffer overflow attacks, and loss of passwords and credentials can all lead to the loss of control over a user account.Compromising the confidentiality, integrity, and availability of the services Insecure APIs The cloud era has brought about the contradiction of trying to make services available to millions while limiting any damage all these largely anonymous users might do to the service. The answer has been Application Programming Interface, or API, that defines how a third party connects an application to the service and providing verification that the third party producing the application is who he says he is. Leading web developers, including ones from Twitter and Google, collaborated on specifying an open authorization service for web services that controls third party access. But security experts warn that there is no perfectly secure public API. Denial Of Service Denial of service attacks are an old disrupter of online operations, but they remain a threat nevertheless. For cloud customers, "experiencing a denial-of-service attack is like being caught in rush-hour traffic gridlock: there's no way to get to your destination, and nothing you can do about it except sit and wait," according to the report. When a denial
- 3. of service attacks a customer's service in the cloud, it may impair service without shutting it down.” Malicious Insiders Malicious insiders might seem to be a common threat. If one exists inside a large cloud organization, the hazards are magnified. One tactic cloud customers should use to protect themselves is to keep their encryption keys on their own premises, not in the cloud. Abuse Of Cloud Services Cloud computing brings large-scale, elastic services to enterprise users and hackers alike. It might take an attacker years to crack an encryption key using his own limited hardware. But using an array of cloud servers, he might be able to crack it in minutes,. Insufficient Due Diligence "Too many enterprises jump into the cloud without understanding the full scope of the undertaking," said the report. Without an understanding of the service providers' environment and protections, customers don't know what to expect in the way of incident response, encryption use, and security monitoring. Not knowing these factors means organizations are taking on unknown levels of risk in ways they may not even comprehend, but that are a far departure from their current risks. Shared Technology In a multi-tenant environment, the compromise of a single component, such as the hypervisor, exposes more than just the compromised customer; rather, it exposes the entire environment to a potential of compromise and breach. The same could be said other shared services, including CPU caches, a shared database service, or shared storage. The Future The cloud now represents not only concentrations of compute power and storage, but also a concentration of security, given the potential for mischief or disaster if those centralized resources fall into the wrong hands. Whether it's a private cloud in the virtualized enterprise datacenter or a public cloud, new levels of "layered" security will need to be built in. Such security will need to operate in a highly automated fashion and be driven by well-crafted and relentlessly applied policies.
- 4. Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by encryption used to secure the Internet. Encryption provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). Heartbleed bug allows cybercriminals to access website data and visitors' personal information, including credit cards, e-mails and passwords that are stored in the cloud. Heartbleed leaves no record in an attacked Web server’s logs, which makes it impossible to tell exactly how many websites may have been exploited by it. Heartbleed went undetected for more than two years, and it could have affected thousands of OpenSSL Web servers across the globe. According to The Economist, up to two-thirds of the world's websites are vulnerable to Heartbleed attacks. While OpenSSL has been available since March 2012, it contained a serious coding error that allowed a computer at one end of an encrypted link to send a signal to the computer at the other end of it to check that it is still online. Google found that hackers could exploit this coding error, duplicate its signal and access an OpenSSL Web server's memory. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. Why it is called the Heartbleed Bug? Bug is in the OpenSSL's implementation of the (transport layer security protocols) heartbeat extension. When it is exploited it leads to the leak (bleeding) of memory contents from the server to the client and from the client to the server. Bugs in single software or library come and go and are fixed by new versions. However this bug has left large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.