Cloud Insecurities & defenses
With the advent of new and new technologies, organizations are finding new and creative ways of saving money, value and increasing the profit. In this world of new information systems, cloud computing is coming out as one of the most profitable ways of saving money and work on shared resources among various organizations.
Cloud computing has a lot of benefits such as
- Cost Reduction
- Business continuity
- Flexibility of work practices
- Collaboration efficiency
But like with every new technology there are some security issues that need to be dealt with.
OWASP (open web application security platform), a non-profitable organization focused on improving the security of various software and web applications, releases a list of top 10 security issues with various OS and web apps every few years has released top 10 security risks associated with cloud computing this year which are as follows
TOP 10 CLOUD SECURITY RISKS VARIOUS CLOUD ENVIOURMENTS
I) Accountability and data risks: People in any organization are responsible for the security of the data of that organization but while using the cloud services the lack of control over cloud service providers’ infrastructure and hardware and software poses a security risk for your data saved under that service provider.
i) Provider Side Mitigation:-
- Data of different customers must be logically isolated.
- Once the customer leaves the services, data must be deleted Completely.
- Provider must apply encryption algorithm from its end.
- Provider must backup data.
ii) Consumer side mitigation:-
- *Data should be encrypted from the user’s end.
- *If possible save distributed data to different service providers to reduce risk.
II) User Identity federation: We cannot choose one company’s services for all our need. Different organizations provide excellence in different services. But who will manage all of our credentials while using different cloud services and also when we will shift to another cloud provider. Letting cloud service providers manage our identities creates authentication overhead.
- Use of federated identities.
- Clear guidelines on user identities and authentication procedures.
- Use of SAML.
III) Regulatory Compliance: Every organisation needs to adhere to laws, regulations, guidelines and specification relevant to its business process of that country. But data in a cloud service is stored at a random place which can be anywhere in the entire world. Data which seems secure according to the guidelines of one country’s law may not seem secure by another. Ex., EU and USA have completely different rules related to data privacy in which EU has very strict rules for data privacy whereas USA allows its officers to access any data also for security reasons.
- Clarity over where the data is saved i.e., the physical location.
- A clear contractual agreement as to which laws will be followed.
IV) Business Continuity and Resiliency: One of the most important part of business is business continuity i.e., to make sure that the business resources and services or data(in this case) will remain available even in the case of any disaster but reports clearly show that outages happen in cloud service providing company, so 100% data availability is not ensured. The responsibility of providing data to its consumers at all times comes to the cloud service providers and not on consumer and hence it creates a security risk in terms of business continuity.
- Ensuring that the service provider’s organization is itself certified with ISO-27013
- Clear contractual guidelines on how much time after disaster will an organization bear to run without its data and service providers’ services and penalty for crossing that time.
V) User privacy and secondary usage of data: Data privacy is extremely important to the owner of the data but it may not be the case for the company providing cloud services. Once the data is sent to the cloud service provider, it cannot be deleted and can be sold to various company or individual who desires that data for revenue, it can be sent across jurisdictional borders where same rules may not apply. After these activities, user cannot do much to what happens with the data, it poses a security issue.
- First and foremost mitigation is to encrypt your data so that no one else, apart from your organization, even after acquiring the data will be able to interpret it.
- Geographical affinity and responsibility of compliance must be set between provider and consumer.
- Policy for consent and secondary usage of data or non-usage of data must be set.
VI) Service and data integration: Whenever we send data to any person as an individual, organizations or any other third party, there is a great risk at data during transit as any data during transferring state is vulnerable to several attacks like man in the middle. But when we involve cloud services as the data is transferred from one service to another, it poses an even greater risk to data.
- Data at transit must be encrypted.
- Data at rest also should be encrypted and must have strict policies as to who can access the data.
VII) Multi-tenancy and physical security: Most of the cloud service providers are multi-tenant i.e., they share various resources with each other. These resources may include networking, computing and storage services. Due to this, the security dependencies are more on logical separation than on a physical one which poses great security threats as logical separations may be inadequate, co-mingled data, malicious tenants, any one point of failure can lead to multi-point failure and also performance risks.
- Third-party assessment should happen from time to time.
- Data must be encrypted with multi-key management system.
- Administrative access to the provider’s organization must be audited.
VIII) Incidence analysis and forensic response: Because of such a complex system where different organization share networking, computing, storage and other resources where storage happens in a random location all over the world where different rules and laws exists related to data security and privacy and data is transferred to different organizations through different location all over the world, it is extremely hard to do forensic investigation and incident management whenever any incident occur related to data security and privacy.
- Regularly digital images of the machines should be taken and saved in a secured location to provide to forensic expert in case of any incident.
- Logs of important users must be regularly saved along with the digital images.
IX) Infrastructure Security: Being a complex service system any one point of failure can lead to catastrophic results. If the best practices are not ensured and systems, network devices are not updated and patched, data privacy and availability may be lost and the reputation of the service provider may be hampered.
- Regular updates must happen in both user and providers organization.
- Third-party assessment must happen to check for the infrastructure security from iso certified auditors to implement best practices.
- Duties, roles, and administrative privileges must be clearly defined.
- Hardening of OS and networks must happen regularly.
X) Non-Production environment exposure: Organisations design, develop and test their data, software, and services internally, these are called non-production environment. These environments are not that secured as data is transferred frequently among the employees of that organization but within an organization, these environment poses minimal threat as these are usually cut off from outside environment but same cannot be said about the internal working environment of the cloud service provider organization.
- Both the user and providers organization must have regular assessment of their internal network.
- Generic and old credential must be made to change to reduce the risk of computation attack.
- Multi-layer authentication must be used.
- Data should not be saved in a non-production environment for a longer duration.
- If the data is in a non-production environment, it must be encrypted.
Reference : –