Seven Cloud Computing Security Issues

Download Seven Cloud Computing Security Issues

Post on 01-Nov-2015

217 views

Category:

Documents

0 download

Embed Size (px)

DESCRIPTION

"Once you put it (Data) on a remote Cloud server which is accessible via the Internet, it's not a ma

TRANSCRIPT

<ul><li><p>Seven Cloud Computing Security Issues</p><p>"Once you put it (Data) on a remote Cloud server which is accessible via the Internet, it's not amatter of if you'll have a breach; it is when (as evident by the countless breaches happening thisyear)." (Liticism, 2011)</p><p>What is Cloud Computing?</p><p>"Cloud computing is an emerging computing technology that uses the internet and central remoteservers to maintain data and applications". (WikiInvest, 2011)</p><p>Seven Cloud Computing Security Risks</p><p>Gartner states there are Seven Cloud computing Security risks and suggest as an organisation youshould ask questions around the qualifications of the cloud provider including; (Brodkin, 2010)</p><p>Who are the policy makers?</p><p>Who are the architects?</p><p>Who has specialised access to data and have these administrators had their backgrounds checkedand who manages them?</p><p>What are the service providers risk control processes?</p><p>What are their technical mechanisms and recovery plans?</p><p>What is their level of testing, security and compliance?</p><p>Where is the data located and how is this controlled?</p><p>Organisations should look at and identify any unanticipated vulnerabilities before considering usinga cloud service provider.</p><p>Data Protection &amp; Security Issues</p><p>As the Cloud Service provider has access to all your data and could potentially disclose it forunauthorized purposes this is a major concern that raises privacy and confidentiality issues.</p><p>Cloud technology is revolutionising how organizations are doing business. Organizations in everyindustry are embracing cloud computing as a means to lower and costs and the complexitiesassociated with traditional IT approaches. "Organizations that approach cloud in a tactical fashionrisk security exposure due to fragmentation, redundancy and operating silos." (Managed with cloudtechnologies, no date)</p><p>We will look at the main data protection and security issues that organisations have to considerwhen using Cloud technology below;</p><p>Data Security and Accessibility Issues</p></li><li><p>Section 2(1)(d) of the Data Protection Act states that companies protect their data fromunauthorised access, alteration, destruction or disclosure especially when it comes to that databeing transmitted over the cloud. (Office of the Data Protection Commissioner, no date).</p><p>Section 2C(1) of the Data Protection Act states what an organisation should do to implement propersecurity procedures and be aware of the resulting consequences and effect of this data beingdestroyed or unlawfully breached. It is important therefore to ensure proper security and riskcontingency plans such as encryption, personnel screening, access levels etc. (Office of the DataProtection Commissioner, no date).</p><p>Therefore it is the organisations responsibility to consider all these factors when giving up control oftheir data before using the cloud.</p><p>Security Threats</p><p>Attacks on the cloud are tempting for hackers who will want to implement cybercrime, the reasonbeing that all data may be shared on one server using co-tendency. Basically having all your eggs inone basket!</p><p>Even leading providers such as Google had and have security risks where in one case people'sprivate documents stored on Google Docs were shared with other users without their permission.(Preston, 2009)</p><p>Even the most encrypted secure passwords have the potential to be hacked using the combinedserver power of cloud computing.</p><p>Fraud &amp; Cybercrime</p><p>Fraud and cybercrime are often perpetrated without your knowledge if via Cloud Services. Using thecloud and sharing servers can increase the risk of these servers harbouring spying agents, passwordstealers or other types of malware. Botnets http://www.clickbooth.com/ were responsible for thetheft of $100 million from bank accounts alone in 2009. (Babcock, C, 2010, Page 153)</p><p>When using virtual machines it is harder to detect SQL injections and other types of malicious code.The cloud is an attractive target for hackers who want to steal passwords, bank account informationand personal identities as all the activity is in one concentrated area.</p><p>Data Security - What is it?</p><p>"Data security refers to a broad set of policies, technologies, and controls deployed to protect data,applications, and the associated infrastructure of cloud computing." ('Cloud Computing Security', nodate)</p><p>Cloud Computing Security Issues</p><p>No security system is 100% secure. Saleforce.com suffered a phishing attack in December 2007when a member of staff was fooled into giving out passwords. (Krebs, 2007)</p><p>Understand the risks of Cloud computing service providers, their 3rd parties, potential attacks ondata, downtime and exception monitoring to ensure your business is fully protected.</p></li><li><p>There are no uniform standards to fully protect data controllers yet.</p><p>Essential to know where your data is stored and the local law and juristriction of the countrieswhere your data is stored as mentioned previously.</p><p>Security Challenges</p><p>Listed below are some of the security challenges that should be considered by organizations beforemoving to the cloud;</p><p>Once you assets are in the cloud you lose control over them.</p><p>Do you trust your data to your service provider? Check their service agreements thoroughly.</p><p>The loss of control over your onsite physical security.</p><p>When sharing servers with other companies government agencies may 'reasonable cause' to seizeyour assets because another company has cms violated the law.</p><p>Incompatibility between cloud vendors. (Microsoft Azure is not compatible with Amazon S3 forexample.) How do you then retrieve and move your data?</p><p>If encrypted then who controls those encryption/decryption keys? You or the provider?</p><p>Is your data SSL secure over the internet and/or encrypted while in vendors storage pool?</p><p>Data integrity - is your data identically maintained during any operation? If you are using PCI DSSfor ecommerce transaction you will need access to the cloud provider's logs so you will need tonegotiate access to these.</p><p>Data protection - how is your data protected?</p><p>Identity management</p><p>Physical and personnel security</p><p>Availability</p><p>Application security</p><p>Privacy Issues</p><p>The key question to ask as an organisation is; do you trust putting your mission critical apps or dataon the cloud and what are the consequences of doing so? (Rittinghouse and Ransome, 2010, p.160)</p><p>Data Security Issues for Mobile Staff</p><p>As employees are working more from home, hotels or coffee shops, companies are investigatingways to keep their devices and data safe and secure. Some issues include unsecure access tointernet using WiFi, theft of laptops and devices, unencrypted data, etc</p></li><li><p>"Desktop virtualisation may be the solution: 86 percent of the international companies surveyed byCitrix, a cloud provider, cited security as their primary motivation for getting into the area". (Leach,2011)</p><p>Key Challenges</p><p>As an organisation you are storing your data on someone else's server and as such they have admincontrol over it and can view, delete, edit and access this data. Data level security businesses need toknow data is protected and encrypted wherever it goes and to have their own auditing and databackup and recovery mechanisms in place.</p><p>Conclusion</p><p>Best practices are still being identified and defined and direct experience may be the best learningtool. There are many risks in the cloud but these can be evaluated and defined for certain workloads.Organisations will have to consider whether they only use the cloud for certain aspects of theirbusiness such as non mission critical information or data where laws governing data protection,security and confidentially are less stringent.</p></li></ul>