CLOUD COMPUTING-3

Security issues in Cloud Several security issues highlighted by Gartner Privileged access Regulatory compliance Data location Data segregation Recovery Investigative Support Long-term viability Data availability

Privileged access Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs. Get as much information about the people who manage our data. Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access.

Regulatory compliance: Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are signalling that customers can only use them for the most trivial functions.

Data location When we use the cloud, we probably won't know exactly where our data is hosted. In fact, we might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers.

Data segregation Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists

Recovery Even if we don't know where your data is, a cloud provider should tell us what will happen to our data and service in case of a disaster. Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure.

Investigative Support Investigating inappropriate or illegal activity may be impossible in cloud computing. Cloud services are specially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and datacenters.

Long-term viability: Ideally, cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But must be sure about the data will remain available even after such an event.

Data Availability Customer data is normally stored in chunk on different servers often residing in different locations or in different Clouds. In this case, data availability becomes a major legitimate issue as the availability of uninterruptible and seamless provision becomes relatively difficult.

Common Security Requirements

Fundamental cloud security challenges Data protection Where do data physically reside, and does the data’s location have legal ramifications? Are data safely protected (i.e., by encryption) while stationary or in motion within and across the cloud? How is availability of data assured in the cloud? Does the provider take measures to ensure that deleted data is not recoverable?

Compliance Is the cloud complying with all the necessary guidance? Can the provider substantiate claims that security controls are implemented sufficiently?

Security challenges cont.......... Security governance Who owns/accesses/deletes/ replicates data in the cloud? How can the client ensure policy enforcement? How can the client measure and track service/network performance? Security control What security controls does the cloud provider need to implement, and how? How are assurance levels effectively and efficiently managed in the cloud?

Multi-tenancy Are my assets vulnerable if another client is exploited by an attack? How does the cloud provider keep different clients’ data separated and inaccessible from other clients? If a forensic/electronic discovery procedure is conducted on one client’s data, how will the provider protect the confidentiality of other clients’ data?

Vulnerabilities in cloud computing Web application vulnerabilities, such as cross-site scripting and sql injection (which are symptomatic of poor field input validation, buffer overflow; as well as default configurations or mis-configured applications.) Accessibility vulnerabilities, which are vulnerabilities inherent to the TCP/IP stack and the operating systems, such as Dos and DDos Authentication of the respondent device or devices. IP spoofing, RIP attacks, ARP poisoning (spoofing), and DNS poisoning are all too common on the Internet.

Vulnerabilities in cloud cont……. Data Verification, tampering, loss and theft, while on a local machine, while in transit, while at rest at the unknown third-party device, or devices, and during remote back-ups. Physical access issues, both the issue of an organization’s staff not having physical access to the machines storing and processing a data, and the issue of unknown third parties having physical access to the machines

Cloud Computing Attacks Denial of Service (DoS) attacks - Some security professionals have argued that the cloud is more vulnerable to DoS attacks, because it is shared by many users, which makes DoS attacks much more damaging. Twitter suffered a devastating DoS attack during 2009 Side Channel attacks – An attacker could attempt to compromise the cloud by placing a malicious virtual machine in close proximity to a target cloud server and then launching a side channel attack

Authentication attacks – Authentication is a weak point in hosted and virtual services and is frequently targeted. The mechanisms used to secure the authentication process and the methods used are a frequent target of attackers. Man-in-the-middle cryptographic attacks – This attack is carried out when an attacker places himself between two users. Anytime attackers can place themselves in the communication’s path, there is the possibility that they can intercept and modify communications.