Seven Cloud Computing Security Issues

“Once you put it (Data) on a remote Cloud server which is accessible via the Internet, it’s not a matter of if you’ll have a breach; it is when (as evident by the countless breaches happening this year).” (Liticism, 2011)

What is Cloud Computing?

“Cloud computing is an emerging computing technology that uses the internet and central remote servers to maintain data and applications”. (WikiInvest, 2011)

Seven Cloud Computing Security Risks

Gartner states there are Seven Cloud computing Security risks and suggest as an organisation you should ask questions around the qualifications of the cloud provider including; (Brodkin, 2010)

• Who are the policy makers?
• Who are the architects?
• Who has specialised access to data and have these administrators had their backgrounds checked and who manages them?
• What are the service providers risk control processes?
• What are their technical mechanisms and recovery plans?
• What is their level of testing, security and compliance?
• Where is the data located and how is this controlled?

Organisations should look at and identify any unanticipated vulnerabilities before considering using a cloud service provider.

Data Protection & Security Issues

As the Cloud Service provider has access to all your data and could potentially disclose it for unauthorized purposes this is a major concern that raises privacy and confidentiality issues.

Cloud technology is revolutionising how organizations are doing business. Organizations in every industry are embracing cloud computing as a means to lower and costs and the complexities associated with traditional IT approaches. “Organizations that approach cloud in a tactical fashion risk security exposure due to fragmentation, redundancy and operating silos.” (Managed with cloud technologies, no date)

We will look at the main data protection and security issues that organisations have to consider when using Cloud technology below;

Data Security and Accessibility Issues

Section 2(1)(d) of the Data Protection Act states that companies protect their data from unauthorised access, alteration, destruction or disclosure especially when it comes to that data being transmitted over the cloud. (Office of the Data Protection Commissioner, no date).

Section 2C(1) of the Data Protection Act states what an organisation should do to implement proper security procedures and be aware of the resulting consequences and effect of this data being destroyed or unlawfully breached. It is important therefore to ensure proper security and risk contingency plans such as encryption, personnel screening, access levels etc. (Office of the Data Protection Commissioner, no date).

Therefore it is the organisations responsibility to consider all these factors when giving up control of their data before using the cloud.

Security Threats

Attacks on the cloud are tempting for hackers who will want to implement cybercrime, the reason being that all data may be shared on one server using co-tendency. Basically having all your eggs in one basket!

Even leading providers such as Google had and have security risks where in one case people's private documents stored on Google Docs were shared with other users without their permission. (Preston, 2009)

Even the most encrypted secure passwords have the potential to be hacked using the combined server power of cloud computing.

Fraud & Cybercrime

Fraud and cybercrime are often perpetrated without your knowledge if via Cloud Services. Using the cloud and sharing servers can increase the risk of these servers harbouring spying agents, password stealers or other types of malware. Botnets were responsible for the theft of $100 million from bank accounts alone in 2009. (Babcock, C, 2010, Page 153)

When using virtual machines it is harder to detect SQL injections and other types of malicious code. The cloud is an attractive target for hackers who want to steal passwords, bank account information and personal identities as all the activity is in one concentrated area.

Data Security – What is it?

“Data security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.” (‘Cloud Computing Security’, no date)

Cloud Computing Security Issues

1. No security system is 100% secure. Saleforce.com suffered a phishing attack in December 2007 when a member of staff was fooled into giving out passwords. (Krebs, 2007)
2. Understand the risks of Cloud computing service providers, their 3^rd parties, potential attacks on data, downtime and exception monitoring to ensure your business is fully protected.
3. There are no uniform standards to fully protect data controllers yet.
4. Essential to know where your data is stored and the local law and juristriction of the countries where your data is stored as mentioned previously.

Security Challenges

Listed below are some of the security challenges that should be considered by organizations before moving to the cloud;

• Once you assets are in the cloud you lose control over them.
• Do you trust your data to your service provider? Check their service agreements thoroughly.
• The loss of control over your onsite physical security.
• When sharing servers with other companies government agencies may ‘reasonable cause’ to seize your assets because another company has violated the law.
• Incompatibility between cloud vendors. (Microsoft Azure is not compatible with Amazon S3 for example.) How do you then retrieve and move your data?
• If encrypted then who controls those encryption/decryption keys? You or the provider?
• Is your data SSL secure over the internet and/or encrypted while in vendors storage pool?
• Data integrity – is your data identically maintained during any operation? If you are using PCI DSS for ecommerce transaction you will need access to the cloud provider’s logs so you will need to negotiate access to these.
  • Data protection – how is your data protected?
  • Identity management
  • Physical and personnel security
  • Availability
  • Application security
  • Privacy Issues

The key question to ask as an organisation is; do you trust putting your mission critical apps or data on the cloud and what are the consequences of doing so? (Rittinghouse and Ransome, 2010, p.160)

Data Security Issues for Mobile Staff

As employees are working more from home, hotels or coffee shops, companies are investigating ways to keep their devices and data safe and secure. Some issues include unsecure access to internet using WiFi, theft of laptops and devices, unencrypted data, etc

“Desktop virtualisation may be the solution: 86 percent of the international companies surveyed by Citrix, a cloud provider, cited security as their primary motivation for getting into the area”. (Leach, 2011)

Key Challenges

As an organisation you are storing your data on someone else’s server and as such they have admin control over it and can view, delete, edit and access this data. Data level security businesses need to know data is protected and encrypted wherever it goes and to have their own auditing and data backup and recovery mechanisms in place.

Conclusion

Best practices are still being identified and defined and direct experience may be the best learning tool. There are many risks in the cloud but these can be evaluated and defined for certain workloads. Organisations will have to consider whether they only use the cloud for certain aspects of their business such as non mission critical information or data where laws governing data protection, security and confidentially are less stringent.