Cloud computing security


Cloud computing security or, more simply, cloud security refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

Security issues associated with the cloud

Cloud computing and storage provides users with capabilities to store and process their data in third-party data centers. Organizations use the cloud in a variety of different service models and deployment models. Security concerns associated with cloud computing fall into two broad categories: security issues faced by cloud providers and security issues faced by their customers. The responsibility is shared, however. The provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected, while the user must take measures to fortify their application and use strong passwords and authentication measures.
When an organization elects to store data or host applications on the public cloud, it loses its ability to have physical access to the servers hosting its information. As a result, potentially sensitive data is at risk from insider attacks. According to a recent Cloud Security Alliance report, insider attacks are the sixth biggest threat in cloud computing. Therefore, cloud service providers must ensure that thorough background checks are conducted for employees who have physical access to the servers in the data center. Additionally, data centers must be frequently monitored for suspicious activity.
In order to conserve resources, cut costs, and maintain efficiency, cloud service providers often store more than one customer's data on the same server. As a result, there is a chance that one user's private data can be viewed by other users. To handle such sensitive situations, cloud service providers should ensure proper data isolation and logical storage segregation.
The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service. Virtualization alters the relationship between the OS and underlying hardware – be it computing, storage or even networking. This introduces an additional layer – virtualization – that itself must be properly configured, managed and secured. Specific concerns include the potential to compromise the virtualization software, or "hypervisor". While these concerns are largely theoretical, they do exist. For example, a breach in the administrator workstation with the management software of the virtualization software can cause the whole datacenter to go down or be reconfigured to an attacker's liking.

Cloud security controls

Cloud security architecture is effective only if the correct defensive implementations are in place. An efficient cloud security architecture should recognize the issues that will arise with security management. The security management addresses these issues with security controls. These controls are put in place to safeguard any weaknesses in the system and reduce the effect of an attack. While there are many types of controls behind a cloud security architecture, they can usually be found in one of the following categories:
;Deterrent controls
;Preventive controls
;Detective controls
;Corrective controls

Dimensions of cloud security

It is generally recommended that information security controls be selected and implemented according and in proportion to the risks, typically by assessing the threats, vulnerabilities and impacts. Cloud security concerns can be grouped in various ways; Gartner named seven while the Cloud Security Alliance identified twelve areas of concern. Cloud access security brokers are software that sits between cloud users and cloud applications to provide visibility into cloud application usage, data protection and governance to monitor all activity and enforce security policies.

Security and privacy

;Identity management :Every enterprise will have its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer's identity management system into their own infrastructure, using federation or SSO technology, or a biometric-based identification system, or provide an identity management system of their own. CloudID, for instance, provides privacy-preserving cloud-based and cross-enterprise biometric identification. It links the confidential information of the users to their biometrics and stores it in an encrypted fashion. Making use of a searchable encryption technique, biometric identification is performed in encrypted domain to make sure that the cloud provider or potential attackers do not gain access to any sensitive data or even the contents of the individual queries.
;Physical security :Cloud service providers physically secure the IT hardware against unauthorized access, interference, theft, fires, floods etc. and ensure that essential supplies are sufficiently robust to minimize the possibility of disruption. This is normally achieved by serving cloud applications from 'world-class' data centers.
;Personnel security :Various information security concerns relating to the IT and other professionals associated with cloud services are typically handled through pre-, para- and post-employment activities such as security screening potential recruits, security awareness and training programs, proactive.
;Privacy :Providers ensure that all critical data are masked or encrypted and that only authorized users have access to data in its entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud.

Cloud Vulnerability and Penetration Testing

Scanning cloud from outside and inside using free or commercial products is very important because without a hardened environment your service is considered as a soft target. Virtual servers should be hardened like a physical server against data leakage, malware, and exploited vulnerabilities. "Data loss or leakage represents 24.6% and cloud related malware 3.4% of threats causing cloud outages”
Scanning and penetration testing from inside or outside the cloud require to be authorized by the cloud provider. Since the cloud is a shared environment with other tenants following penetration testing rules of engagement step-by-step is a mandatory requirement. Violation of which can lead to termination of the service.

Data security

A number of security threats are associated with cloud data services: not only traditional security threats, such as network eavesdropping, illegal invasion, and denial of service attacks, but also specific cloud computing threats, such as side channel attacks, virtualization vulnerabilities, and abuse of cloud services. The following security requirements limit the threats.

Confidentiality

Data confidentiality is the property that data contents are not made available or disclosed to illegal users. Outsourced data is stored in a cloud and out of the owners' direct control. Only authorized users can access the sensitive data while others, including CSPs, should not gain any information of the data. Meanwhile, data owners expect to fully utilize cloud data services, e.g., data search, data computation, and data sharing, without the leakage of the data contents to CSPs or other adversaries.

Access controllability

Access controllability means that a data owner can perform the selective restriction of access to their data outsourced to the cloud. Legal users can be authorized by the owner to access the data, while others can not access it without permissions. Further, it is desirable to enforce fine-grained access control to the outsourced data, i.e., different users should be granted different access privileges with regard to different data pieces. The access authorization must be controlled only by the owner in untrusted cloud environments.

Integrity

Data integrity demands maintaining and assuring the accuracy and completeness of data. A data owner always expects that her or his data in a cloud can be stored correctly and trustworthily. It means that the data should not be illegally tampered, improperly modified, deliberately deleted, or maliciously fabricated. If any undesirable operations corrupt or delete the data, the owner should be able to detect the corruption or loss. Further, when a portion of the outsourced data is corrupted or lost, it can still be retrieved by the data users.

Encryption

Some advanced encryption algorithms which have been applied into cloud computing increase the protection of privacy. In a practice called crypto-shredding, the keys can simply be deleted when there is no more use of the data.

Attribute-based encryption (ABE)

is a type of public-key encryption in which the secret key of a user and the ciphertext are dependent upon attributes. In such a system, the decryption of a ciphertext is possible only if the set of attributes of the user key matches the attributes of the ciphertext.

Ciphertext-policy ABE (CP-ABE)

In the CP-ABE, the encryptor controls access strategy. The main research work of CP-ABE is focused on the design of the access structure.

Key-policy ABE (KP-ABE)

In the KP-ABE, attribute sets are used to describe the encrypted texts and the private keys are associated to specified policy that users will have.

Fully homomorphic encryption (FHE)

Fully homomorphic encryption allows computations on encrypted data, and also allows computing sum and product for the encrypted data without decryption.

Searchable encryption (SE)

Searchable encryption is a cryptographic system which offer secure search functions over encrypted data.
SE schemes can be classified into two categories: SE based on secret-key cryptography,
and SE based on public-key cryptography.
In order to improve search efficiency, symmetric-key SE generally builds keyword indexes to answer user queries. This has the obvious disadvantage of providing multimodal access routes for unauthorized data retrieval, bypassing the encryption algorithm by subjecting the framework to alternative parameters within the shared cloud environment.

Compliance

Numerous laws and regulations pertain to the storage and use of data. In the US these include privacy or data protection laws, Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, the Federal Information Security Management Act of 2002, and Children's Online Privacy Protection Act of 1998, among others. Similar standards exist in other jurisdictions, eg Singapore's Multi-Tier Cloud Security Standard.
Similar laws may apply in different legal jurisdictions and may differ quite markedly from those enforced in the US. Cloud service users may often need to be aware of the legal and regulatory differences between the jurisdictions. For example, data stored by a cloud service provider may be located in, say, Singapore and mirrored in the US.
Many of these regulations mandate particular controls and require regular reporting. Cloud customers must ensure that their cloud providers adequately fulfil such requirements as appropriate, enabling them to comply with their obligations since, to a large extent, they remain accountable.
;Business continuity and data recovery
;Log and audit trail
;Unique compliance requirements

Legal and contractual issues

Aside from the security and compliance issues enumerated above, cloud providers and their customers will negotiate terms around liability, intellectual property, and end-of-service. In addition, there are considerations for acquiring data from the cloud that may be involved in litigation. These issues are discussed in service-level agreements.

Public records

Legal issues may also include records-keeping requirements in the public sector, where many agencies are required by law to retain and make available electronic records in a specific fashion. This may be determined by legislation, or law may require agencies to conform to the rules and practices set by a records-keeping agency. Public agencies using cloud computing and storage must take these concerns into account.