2nd year student studying Electronics and Communication engineering.
ISA-Bangalore Student Section, Vellore Institute of Technology, Tamil Nadu, India
TOPIC “IS THE CLOUD AS SAFE AS IT SEEMS?”
Cloud computing is a comprehensive term that includes a wide variety of computer services. It consists of services such as servers, storage, databases, networking, software, analytics and intelligence over the internet. It aims at providing faster innovation, flexible resources and economies of scale.
Cloud computing can be used in many fields and is not restricted to the IT sector; however, the aforementioned sector is the largest consumer of these services.
Three main characteristics make cloud computing different from the traditional way IT services are sold – it is sold on demand; it is elastic, with the amount of usage determined by the user’s requirements; and it is completely managed by the provider.
The major factors that make cloud computing appealing are –
- Speed – most cloud computing services are provided self service and on demand, so even vast amounts of computing resources can be provisioned in minutes.
- Global scale – it refers to delivering the right amount of IT resources right when they are needed and from the right geographic location.
- Productivity – Cloud computing removes the need for tasks such as hardware setup, software patching, etc., so IT teams can spend time on achieving more important business goals.
- Performance – The biggest cloud computing services run on a worldwide network of secure datacentres, which are regularly upgraded to the latest generation of fast and efficient computing hardware. This results in reduced network latency for applications and greater economies of scale.
- Reliability – Cloud computing makes data backup, disaster recovery and business continuity easier and less expensive.
- Security – Many cloud providers offer a broad set of policies, technologies and controls that strengthen your security posture overall, helping protect your data, apps and infrastructure from potential threats.
A cloud is of three major types – private, public and hybrid. Private cloud services are delivered from a business’s datacentre to internal users. A private cloud offers versatility and convenience while providing security from non-local users. Common technologies are VMware and OpenStack.
In public cloud models a third-party cloud service provider delivers the cloud service over the internet. These services are sold on an on-demand basis. Leading service providers are Amazon Web Services (AWS), Microsoft Azure, IBM and Google Cloud Platform.
A hybrid cloud model is a combination of public cloud services and an on-premises private cloud, with orchestration and automation between the two. It aims at creating a unified, automated, scalable environment that gives the benefits of both private and public cloud services.
There are 4 main types of cloud services – Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Serverless, and Software as a Service (SaaS). IaaS is the most basic category; it allows you to rent IT infrastructure (servers, storage networks, etc.) from a cloud provider on a pay-as-you-use basis. PaaS supplies an on-demand environment for developing, testing, delivering and managing software applications. It provides development flexibility without the need to worry about the underlying infrastructure. Serverless computing handles setup, capacity planning and server management so that the app functionality is given priority. SaaS is a method for delivering software applications on demand; cloud providers can host and manage the applications.
Cloud computing poses privacy concerns because the service provider can access the data that is in the cloud at any time. The provider could accidentally or deliberately alter or delete information. Many cloud providers can share information with third parties if necessary for purposes of law and order, without a warrant. Users can encrypt data that is processed or stored within the cloud to prevent unauthorized access.
According to the Cloud Security Alliance, the top three threats in the cloud are
- Insecure Interfaces and APIs (29%)
- Data Loss & Leakage (25%)
- Hardware Failure (10%)
In a cloud platform being shared by different users, there is a possibility that information belonging to different customers resides on the same data server. Because data from hundreds or thousands of companies can be stored on large cloud servers, hackers can theoretically gain control of huge stores of information through a single attack, a process called ‘hyperjacking’. Examples include the Dropbox security breach and the 2014 iCloud leak.
There is the problem of legal ownership of the data. Many Terms of Service agreements are silent on the question of ownership. There is the risk that users do not understand the issues involved when signing on to a cloud service (clicking accept without reading).
Fundamentally, private cloud is seen as more secure, with higher levels of control for the owner; however, public cloud is seen to be more flexible and requires less time and money investment from the user.
In terms of security, storage hardware or servers can be physically accessed and compromised. This can lead to a denial-of-service attack and, depending on the nature of the attack, to loss of availability of important data. Confidentiality could be an issue if the attacker is able to view data at a datacentre. This problem is handled by the use of encryption and access controls, but these can be compromised. Virtual machines are vulnerable to being copied to another device. The ability to copy a virtual machine gives the attacker the advantage of trying to break into the system without detection, since the attacks are performed on a copy of the virtual machine.
One of the threats that PaaS administrators face is that, since PaaS instances operate as virtual machines, it is possible for users to “break out” of their virtual machine. By doing so they may be able to bring down the hypervisor, which may be running many other customers’ PaaS instances, effectively causing a denial of service. An unscrupulous hypervisor administrator would have the ability to look at private data, possibly stealing intellectual property. A concern that is ever present when dealing with public cloud services is the transmission of sensitive data over the public Internet, and especially through the hardware of a hypervisor that has other tenants. Another virtual machine may intercept traffic coming over the shared network connection, exposing sensitive information to unintended parties.
The biggest security concern in the SaaS environment is immature identity management. Google has a "Secure Data Connector" that forms an encrypted connection between a customer's data and Google's business applications. This allows the customer to control which employees may access Google Apps resources. But users who use multiple SaaS applications will end up using different security and identity systems. Clients sometimes require that sensitive data remain within certain geographical locations, but with SaaS, users cannot be sure about the location of data storage.