lecture 2

Uploaded by

random98app
Copyright
© © All Rights Reserved
Cloud Computing Security

What Is Cloud Computing Security?


• Control of security in cloud computing is not fundamentally
different from security control in any IT environment.
However, because of the cloud service models employed, their
operational models, and the technologies used to enable cloud
services, cloud computing may introduce different risks to an
organization than traditional IT solutions.
What Cloud Computing Security Is Not
• Cloud computing security is IT responsibility to secure the cloud
for all customers, including enterprise security.
• Security as a Service (SaaS) or outsourcing management to a
third party.
• It is not about securing the cloud itself. Cloud computing security
is an IT procedure. A secure cloud is important to enable security
cloud computing.
What Cloud Computing Security Is
• Utilizes the cloud for security applications such as identity
management, access control.
• Enhances security systems’ performance while decreasing cost
related to infrastructure and technical staff item decreasing
efficiency and effectiveness of security applications at the
enterprise level.
Cloud Computing Security Fundamentals
Confidentiality
Confidentiality refers to the prevention of intentional or unintentional
unauthorized disclosure of information. Confidentiality in a cloud system
is related to the areas of intellectual property rights, covert channels,
traffic analysis, encryption.
Integrity
The concept of cloud information integrity requires that the following
three principles are met:
o Changes are not made to data by unauthorized personnel or processes.
o Unauthorized changes are not made to data by authorized personnel or
processes.
o The data is internally and externally consistent — in other words, the
internal information is consistent both among all sub-entities and
with the real-world, external situation.
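The three integrity principles above map to three separate checks on every write. The following Python is an added example, not part of the original lecture; the writer names, keys, field permissions and the invoice-style record are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample data: writer identities, their HMAC keys, and the
# fields each writer is permitted to change (all names are hypothetical).
WRITER_KEYS = {"billing-svc": b"constructed-key-1", "support-agent": b"constructed-key-2"}
ALLOWED_FIELDS = {"billing-svc": {"items", "total"}, "support-agent": {"note"}}


def _mac(key, record):
    """HMAC-SHA256 over a canonical JSON encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign(writer, record):
    """Tag a record as the named writer (raises KeyError if unknown)."""
    return _mac(WRITER_KEYS[writer], record)


def check_update(writer, old, new, tag):
    """Return the integrity principles an update violates; [] means accept."""
    key = WRITER_KEYS.get(writer)
    # Principle 1: no changes by unauthorized personnel or processes.
    if key is None or not hmac.compare_digest(_mac(key, new), tag):
        return ["unauthorized writer"]
    violations = []
    # Principle 2: no unauthorized changes by authorized writers.
    changed = {f for f in set(old) | set(new) if old.get(f) != new.get(f)}
    if changed - ALLOWED_FIELDS[writer]:
        violations.append("unauthorized change by authorized writer")
    # Principle 3 (internal half only): the total must equal the line items.
    # External consistency needs reconciliation against the real world.
    if sum(i["price"] * i["qty"] for i in new.get("items", [])) != new.get("total"):
        violations.append("inconsistent data")
    return violations
```
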
Availability
Availability ensures the reliable and timely access to cloud data.
Availability guarantees that the systems are functioning properly when
needed. In addition, this concept guarantees that the security services of the
cloud system are in working order. A denial-of-service attack is an
example of a threat against availability.
Auditing
To control operational assurance, organizations use two basic methods:
system audits and monitoring. These methods can be employed by the cloud
customer, the cloud provider, or both, depending on asset architecture and
deployment.
o A system audit is a one-time or recurrent event to evaluate security.
o Monitoring refers to progressive activity that examines either the system or
the users, such as attack detection.
Cloud Security Advantages

Fault tolerance and reliability
Low cost disaster recovery and data storage solutions
Hypervisor protection against network attacks
Data partitioning and replication
Improved resilience
Cloud Security Disadvantages
Need to trust the provider’s security model
Loss of physical control
Inability to examine proprietary implementations
Inflexible support for monitoring and auditing
Taxonomy of Security
I. Traditional Security
Concerns involving computer and network intrusions or attacks that
will be made possible or at least easier by moving to the cloud. Cloud
providers respond to these concerns by arguing that their security
measures and processes are more mature and tested than those of the
average company. If companies are worried about insider threats, it
could be easier to lock down information if it is administered by a third
party rather than in-house. Moreover, it may be easier to force security
via contract with online service providers than via internal controls.
II. Availability
Concerns centering on critical applications and data being available. As
with the traditional security concerns, cloud providers argue that their
server up-time compares well with the availability of the cloud user’s
own data centers. Besides just services and applications being down,
this includes the concern that a third-party cloud would not scale well
enough to handle certain applications.

III. Third-Party Data Control
Concerns the legal status of data being held by a third party:
implications are complex and not well understood. There is also a
potential lack of control and transparency when a third party holds the
data.
Security Benefits of the Cloud
❑ Data Centralized
Total data size and insecure replication could be decreased by the cloud as
thin client technology becomes pervasive. Small, temporary caches on
mobile devices or netbook computers pose less risk than transporting core
data via laptops. The advantages of thin clients can be realized today but
cloud storage provides a way to centralize the data faster, more
consistently, and potentially cheaper.

❑ Decrease Time to Access Protected Documents
If a suspect has password-protected a document that is significant to an
investigation, it is feasible to test a wider range of candidate passwords in
less time.
❑ Password Assurance Testing
If your organization regularly tests password strength by running
password crackers, you can use cloud computing resources to
decrease crack time, and you only pay for what you use.

❑ Improve Log Indexing and Search
By placing your logs in the cloud, you can leverage cloud
computing resources to index logs in real-time and gain the benefit
of instant search results.
❑ Ease of Testing of the Impact of Security Changes
Through IaaS, create a copy of your production environment,
implement a security change and test the impact at low cost, with
minimal start-up time. This removes a major barrier to developing
security architecture in production.
❑ Reduce Cost of Security Testing
A SaaS provider only passes on a portion of their security testing
costs. By sharing the same application as a service, you do not bear
the full cost of an expensive security code review. Even with
Platform as a Service (PaaS) where your developers have to write
code, there are possible cost economies of scale.
Cloud Security Levels
❑ Software as a Service (SaaS) Model
• May be customized by the user.
• Places most of the responsibility for security management on the
cloud provider.
• Provides ways to control access to the Web portal, such as the
management of user identities, application level modification, and
the ability to constrain access to specific IP address ranges or
geographies.
❑ Platform as a Service (PaaS) Model
• Refers to application development platforms where the
development tool itself is hosted in the cloud and accessed and
deployed through the Internet.
• Allows clients to assume more responsibility for managing the
configuration and security for middleware, database software, and
application runtime environments.
❑ The Infrastructure as a Service (IaaS) Model
• Provides fully scalable computing resources such as CPU and
storage infrastructure.
• Transfers responsibility for security from the cloud provider to
the client.
• Provides full access to the operating system that maintains virtual
images, networking, and storage.
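The SaaS bullet above mentions constraining portal access to specific IP address ranges. This Python check is an added example, not part of the original lecture; it goes beyond the slide by handling IPv4-mapped IPv6 addresses and an X-Forwarded-For header that is honoured only from trusted proxies. The ranges, proxy list and function names are constructed assumptions.

```python
import ipaddress

# Constructed allowlist using documentation ranges (stand-ins for an
# office network and a VPN egress); real ranges come from the tenant.
ALLOWED = [ipaddress.ip_network(n) for n in
           ("203.0.113.0/24", "198.51.100.16/28", "2001:db8:42::/48")]


def _parse(text):
    """Parse an address, folding IPv4-mapped IPv6 back to IPv4."""
    ip = ipaddress.ip_address(text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:203.0.113.7 -> 203.0.113.7
    return ip


def _in_any(ip, networks):
    return any(ip.version == n.version and ip in n for n in networks)


def effective_client(peer, forwarded_for=None, trusted_proxies=()):
    """Address to evaluate: the TCP peer, unless it is a trusted proxy."""
    proxies = [ipaddress.ip_network(p) for p in trusted_proxies]
    ip = _parse(peer)
    if not forwarded_for or not _in_any(ip, proxies):
        return ip  # header ignored: anyone can send X-Forwarded-For
    # Walk the header right to left; the first hop that is not one of our
    # proxies is the client. Entries further left are client-supplied.
    for hop in reversed(forwarded_for.split(",")):
        ip = _parse(hop)
        if not _in_any(ip, proxies):
            break
    return ip


def client_allowed(peer, forwarded_for=None, trusted_proxies=()):
    """True only if the effective client address is inside ALLOWED."""
    try:
        ip = effective_client(peer, forwarded_for, trusted_proxies)
    except ValueError:
        return False  # unparsable address: fail closed
    return _in_any(ip, ALLOWED)
```
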
Cloud Security Issues
Data location: depending on contracts, some clients do not know in what
country or where data is stored.
Restoration: every provider should have a disaster restoration protocol to
protect user data.
Inquisitive support: if a client suspects faulty actions by the provider, it may
have few legal ways to continue an enquiry.
Data isolation: encrypted information from multiple companies may be saved
on the same hard disk, so a mechanism to isolate data should be deployed by
the provider.
Privileged user access: information transfer from the client over the Internet
presents a certain degree of risk, because of issues of data ownership;
enterprises should spend time getting to know their providers and their
regulations as much as possible, ideally assigning some trivial applications
first.
Regulatory compliance: clients are responsible for the security of their
solution, as they can select between providers that allow audits by third party
organizations that test levels of security, and providers that do not.
