Cloud computing lets businesses work in an agile way and raise their productivity. For cloud technology to be adopted and implemented more widely, several security concerns need further study so that they can be handled appropriately.
These issues are drawn from key references such as the Cloud Security Alliance (CSA) guidance and threat analysis, ENISA's security assessments, and NIST's definitions of cloud computing. Cloud services are commonly classified into three service models, software (SaaS), platform (PaaS) and infrastructure (IaaS), and deploying these models is the industry's main focus. There is, however, no standardised method for organising the security aspects of cloud computing.
Seven categories are proposed below so that future studies can concentrate on cloud security issues. Each is discussed in turn.
1. Network Security
This category covers problems related to network communications and the configuration of the cloud infrastructure. The network security issues of cloud services can be addressed by adopting the same security procedures and provisions that are applied on an existing local internal network, which lets local network strategies be extended to remote processes. There are three levels to this.
Transfer security: VPN (Virtual Private Network) mechanisms are required to protect the cloud's distributed architecture from threats such as sniffing, spoofing, man-in-the-middle and side-channel attacks. The likelihood of such threats rises in a distributed architecture because enormous resources are shared and a large number of virtual machines are synchronised, which moves a large amount of data across the cloud.
Firewalling: A firewall protects the service provider's cloud infrastructure against both inside and outside threats. Specifically, the firewall:
- isolates the virtual machines
- filters addresses and ports
- prevents Denial-of-Service (DoS) attacks
- detects external security assessment activity
Security configuration: The protocols, systems and technologies used should be configured properly to provide the required level of security and privacy.
2. Interfaces
Cloud services are accessed through interfaces, and this category covers every issue related to user, administrative and programming interfaces.
API: Programming interfaces (essential to IaaS and PaaS) must be protected from malware so that virtualised resources can be accessed efficiently.
Administrative interface: This remotely manages resources in the IaaS model (virtual machine management), controls coding, deployment and testing for PaaS development, and controls user access and the configuration of application tools for SaaS.
User interface: The end-user interface to the cloud service, which must be secured like the rest of the environment.
Authentication: Authentication mechanisms are required to access cloud services, and they must be secure in themselves, since the virtual environment is vulnerable to several attacks.
3. Data Security
Protecting data is fundamental to security: data should be confidential and available only to authorised users.
Cryptography: Encrypting data is the most popular way to secure it. Almost every organisation, whatever its industry or location, uses this method to ensure data security.
Redundancy: This avoids data loss. Since most businesses use IT services and rely on them completely, the availability and integrity of their data must be guaranteed.
Disposal: Basic data disposal is commonly referred to as deletion. In cloud technology, complete destruction of the data, including log references and hidden backup registries, is a prerequisite.
4. Virtualisation
This category covers issues related to the virtualisation technology used to build the cloud environment. Most of these concern the management of virtual machines and are commonly known as hypervisor vulnerabilities.
Isolation: Because every hardware and software resource in a cloud environment is shared between virtual machines, malicious entities may cause data leakage or mount cross-VM attacks. Although each machine is conceptually isolated from the others, security threats remain, since every resource is shared, including memory and computational resources.
Hypervisor vulnerabilities: The main component of virtualisation is the hypervisor, also referred to as the virtual machine manager (VMM). Hypervisor security vulnerabilities are well known and easy to recognise, but solutions to them are still limited. The complexity of solving hypervisor vulnerabilities calls for more study.
Data leakage: Any shortcoming in the virtual infrastructure's isolation controls can cause data leakage, exposing users' sensitive data and affecting confidentiality and integrity.
VM identification: Security controls need to identify each virtual machine that is used for a particular process or for storing files.
Cross-VM attacks: One virtual machine can attack another; an attack in which a machine's cryptographic keys are stolen by another virtual machine is known as a cross-VM attack.
For example, if the memory dedicated to one virtual machine overlaps with another's storage region, the chance of cross-VM attacks increases, and the machine is also exposed to other isolation-related attacks.
5. Governance
In cloud computing, issues associated with losing administrative and security control are classified under governance.
Data control: When data moves to the cloud, the owner loses control over data redundancy, data location, file systems and other related configurations.
Security control: An unsatisfactory Service Level Agreement (SLA) between the service provider and the user/client can mean that the provider loses governance over security mechanisms and policies. Losing this governance can restrict client-side vulnerability assessments and penetration tests.
Lock-in: Because well-established standards (for protocols and data formats) are lacking, users generally become dependent on a particular service provider, which ultimately leaves them unable to migrate or terminate the service.
6. Compliance
Compliance covers requirements for service accessibility and assessment capability, and includes the points below.
Service Level Agreements (SLAs): Mechanisms that ensure the basic security measures need to be adopted; service availability is also specified in SLAs.
Loss of service: Because services in a cloud environment are strongly interconnected (for example, a SaaS offering is delivered on top of an IaaS through a virtualised infrastructure), service interruptions are possible. For this reason, user-side data redundancy and disaster recovery strategies are recommended where relevant.
Audit: Transparent and efficient methodologies should allow customers, providers and third parties to perform security and availability assessments. A transparent API that performs automated auditing and related tasks is being developed to address this problem.
Service conformity: Contractual responsibilities and the complete service requirements should be confirmed against the predefined SLAs and basic customer needs.
7. Legal Issues
This category concerns judicial and legal requirements (e.g. data held at multiple locations and privilege management).
Data location: Customers' data, stored across different geographic locations, falls under multiple jurisdictions and is affected directly or indirectly by subpoena and law-enforcement procedures.
E-discovery: Under law-enforcement procedures, hardware shared by several users could be seized for an investigation concerning one particular user, resulting in disclosure of the other users' data.
Provider privilege: Malicious activity by provider insiders is a possible threat to the confidentiality, availability and integrity of user data.
Legislation: Judicial concerns raised by the new concepts of cloud computing.
Taking these essential security concerns into account when providing cloud hosting services would benefit providers and users alike.