28 Feb How to Ensure Successful Cloud Computing Security: The Risks of Cloud Computing
According to the Cloud Standards Customer Council, when choosing a cloud computing platform, customers must have a ‘clear understanding of potential security benefits and risks associated with cloud computing [security], and set realistic expectations with their cloud provider’. This is a risky venture, since failure to ensure appropriate security protection when using cloud services could ultimately result in higher costs and potential loss of business, thus eliminating any of the potential benefits of cloud computing security.
So what exactly are these risks that customers should be aware of when choosing cloud computing security? The Cloud Standards Customer Council enumerates these.
Risks of Cloud Computing
Loss of governance. When customers choose a public cloud deployment, they cede control to the cloud provider over a number of issues that may affect security. Although service agreements may offer a commitment on the part of the cloud provider to resolve such issues, the provider might not be entirely committed to them, thus leaving gaps in security defenses.
Responsibility ambiguity. Responsibility for security may be divided between the provider and the customer, which could leave security unguarded if responsibility is not divided clearly. The division is also likely to differ depending on the cloud computing security model used.
Authentication and authorization. Since cloud computing services can easily be accessed from anywhere there is an internet connection, the need to verify the customer’s identity is very important, especially since users now include employees, contractors, partners and customers. Strong authentication and authorization are very important.
Isolation failure. The characteristics of public cloud computing in this risk category include multi-tenancy (the sharing of hardware resources). The failure of mechanisms separating the usage of storage, memory, routing and even reputation between tenants (guest-hopping attacks) is also a concern in cloud computing security.
Compliance and legal risks. A cloud customer’s goal in achieving certification (such as demonstrating compliance with industry standards or regulatory requirements) may be lost if the cloud provider cannot provide evidence of their own compliance with the relevant requirements, or does not permit audits by the cloud customer. Therefore, the customer should check firsthand if the cloud provider has appropriate certifications in place.
Handling of security incidents. The cloud service provider should be liable for the detection, reporting and subsequent management of security breaches. Failure of the provider to do this will greatly impact the customer. Notification rules should be established in the cloud service agreement and cloud computing security so that customers are not left unaware of, or misinformed about, any problems.
Application Protection. Applications are normally protected with state-of-the-art encryption as part of cloud computing security. Since the cloud service provider is responsible for this, both the provider and customer should rethink the parameters and ensure more protection for the applications.
Data protection. This is one of the major concerns: the exposure or release of sensitive data, and the loss or unavailability of the said data. It may be difficult for the cloud service customer to effectively check the data handling practices of the cloud provider. This could be worsened in cases of multiple transfers of data, such as between federated cloud services or where a cloud provider uses subcontractors.
Malicious behavior of insiders. Even users inside the cloud computing environment could perform malicious activities because they are authorized to access the data. This is not limited to users but applies to everyone in the cloud computing environment, since such activity might occur within either or both the customer organization and the provider organization.
Business failure of the provider. If the cloud computing security provider's business fails, it could result in the unavailability of the data and applications, making it inconvenient for the customer.
Service unavailability. Any hardware, software, or communication error or problem could result in the unavailability of the cloud computing security service.
Vendor lock-in. Dependency on proprietary services of a particular cloud service provider could lead to the customer being tied to that provider. The lack of portability of applications and data across providers poses a risk of data and service unavailability in case of a change in providers; therefore it is an important if sometimes overlooked aspect of security. Lack of interoperability of interfaces associated with cloud services similarly ties the customer to a particular provider and can make it difficult to switch to another provider.
Insecure or incomplete data deletion. If a customer chooses to terminate its contract with the cloud computing security provider, all of the customer’s data should be deleted. However, termination may not always result in the complete deletion of the data. Backup copies of data usually exist, and may be mixed on the same media with other customers’ data, making it impossible to selectively erase. The very advantage of multi-tenancy thus represents a higher risk to the customer than dedicated hardware.
Visibility and Audit. Some enterprise users are creating a ‘shadow IT’ by procuring cloud services to build IT solutions without explicit organizational approval. Key challenges for the security team are to know about all uses of cloud services within the organization (what resources are being used, for what purpose, to what extent, and by whom), understand what laws, regulations and policies may apply to such uses, and regularly assess the security aspects of such uses.