
Cloud Computing & Security – 101

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources like networks, servers, storage, applications, and services that can be rapidly provisioned and released with minimal management effort or service provider interaction”.

Source: The NIST Definition of Cloud Computing, Version 15, 10-7-09, National Institute of Standards and Technology, Information Technology Laboratory

Cloud computing is the new mantra in most organizations, but is cloud computing new? Personally, I believe it has been there ever since Internet email has been available. Yahoo, Hotmail, AOL etc. in their heydays were a basic cloud computing model. However, the evolution of cloud computing has taken root only in the last few years, with storage becoming cheaper and Internet access exploding globally. Now providers are able to support enterprise applications and business processes out of the cloud environment.

The lure of cloud computing and the benefits it brings is illustrated in the graphic below.

[Graphic: Cloud Computing]

Security Risks in Cloud Computing:

As with any new shift in computing methods, cloud computing has its share of risks. Some of the key risks of cloud computing are listed below:

| Risks | Implications |
|---|---|
| Geography | Given various countries and various regulatory authorities, controls for supporting appropriate cross-border data views and use must be maintained |
| Defining ownership, custodianship, processing & use rights and obligations | Clearly establish rights and obligations associated with data assets. Often rights and obligations are dependent on the physical location of the data owner, custodian and user. Designing and implementing effective controls to support appropriate rights and obligations may be complex |
| Multi-tenancy | In a multi-tenant cloud environment, users may access shared resources, possibly gaining unauthorized access to other tenants. This may have less risk in a private cloud, but more risk in a public cloud |
| Security | If one of the cloud servers gets compromised, will it lead to compromise of the other servers in the shared infrastructure? Public cloud may have an increased attack surface compared to the private cloud, however, any compromise . |
| Data Loss | On transient systems, a cloud vendor provider instance failure may lead to permanent loss of system information including system configuration and data stored locally. The concept of a “disposable” server also adds to the risk of loss of data and system information. |

 

Tackling the Security Risks:

Based on the risks listed above, the various controls that can be considered in tackling them are listed below:

Privacy and data protection
  • Establishing Data ownership across organizational data
  • Managing access rights based on data classification
  • Implementing data storage and retention policies at the cloud vendor
Security incident response
  • Managing incident investigations in a virtualized environment
  • Limiting incident spill over to multiple cloud tenants
  • Handling complicated troubleshooting due to continuous environment changes or elasticity
Access control
  • Access controls for cloud management interfaces
  • Access controls for segregation of duties
  • Due diligence prior to assignment of access privileges
Vulnerability management
  • Managing virtualization induced vulnerabilities
  • Ensuring timely security patches
  • Adequate vulnerability testing of cloud components
Data Leakage or Loss
  • Ensuring adequate controls on transit systems to prevent data leakage
  • Adequate change control to migrate data when an instance change happens
  • Security tools to detect & prevent such threats
Virtualization
  • Proper security controls over virtual servers and applications could stop multiple security incidents across the organization
  • Secure virtual storage could act as excellent risk control for reducing impact of storage compromises and data theft

 

Conclusion:

Cloud computing is here to stay, and it is important that we understand the security risks and some potential controls that can be implemented when moving to the cloud. This post is a primer on what cloud computing is and what the various security challenges presented by it are. Let me know your thoughts on this.