
CLOUD SECURITY

Name: Polinati Suresh Reddy

Reg No: 11703824

Roll No: A30

Section: K17SD

Submitted to: Chavi Ralhan

Introduction

Cloud computing funds started to build in the early 90’s. The main idea behind cloud
computing is to separate the infrastructure and the mechanisms that a system is
composed of from the applications and services that it delivers.

Clouds are designed in such a way that they can scale easily, be always available and
reduce operational costs. That is achieved through on-demand multi-tenancy of
applications, information and hardware resources.

Security

The way that security control is implemented in cloud computing is most of the
time similar to that of traditional IT environments. But due to the distributed nature of
the assets, security risks vary depending on the kind of assets in use, how and by whom
those assets are managed, which control mechanisms are used and where they are
located, and finally who consumes those assets.

Furthermore, earlier we mentioned multi-tenancy. This means that a set of
policies should implement how isolation of resources, billing, segmentation
and so on is achieved in a secure and concise way.

In order to measure whether the security that a Cloud Provider (CP) offers is
adequate, we should take into consideration the maturity, effectiveness, and
completeness of the risk-adjusted security controls that the CP implements. Security
can be implemented at one or more levels. The levels that cover just the cloud
infrastructure are: physical security, network security, system security and
application security. Additionally, security can take place at a higher level, on people,
duties and processes.

It is necessary at this point to have an understanding of the different security
responsibilities that CPs and end users have, and also that sometimes, even among
different CPs, the security responsibilities differ.

Security Benefits

[ENISA, 2009] identifies in its report the following top security benefits that arise
from the use of cloud computing.

Security and the benefits of scale: when implementing security on a large system, the
cost of its implementation is shared across all resources and as a result the investment
ends up being more effective and cost saving.

Security as a market differentiator: as confidentiality, integrity and resilience are a
priority for many end users, the decision on whether they will choose one CP
over another is made based on the reputation this CP has on security issues. Hence
competition among CPs makes them provide high-level services.

Standardised interfaces for managed security services: as CPs use standardised
interfaces to manage their security services, the cloud computing market benefits
from the uniformity and tested solutions this introduces.

Rapid, smart scaling of resources: cloud computing is considered resilient since it
has the ability to dynamically reallocate resources for filtering, traffic shaping,
authentication and encryption.

Audit and evidence gathering: since virtualization is used in order to achieve cloud
computing, it is easy to collect all the audits that we need in order to proceed with
forensic analysis without causing downtime during the gathering process.

More timely, effective and efficient updates and defaults: another benefit that cloud
computing gains from virtualization is that virtual machines (VMs) can come
pre-patched and hardened with the latest updates. Also, in case of a configuration fault or
a disaster caused by changes made on the VM, we can roll back to a previous stable
state.

Benefits of resource concentration: having all of your resources concentrated makes
them cheaper to maintain and makes physical access to them easier. Most of the time
that outweighs the risk and the disadvantages that this generates.

Security Risks

The following classes of cloud computing risks were identified by [ENISA, 2009].

Loss of governance: as users do not physically possess any resources, CPs can take
control of a number of resources. If those resources are not covered by an SLA,
security risks arise.

Lock-in: as we write this paper there is still no standardization on how to move data
and resources among different CPs. That means that if a user decides to move
from one CP to another, or even to migrate those services in-house, they might not be able
to do so due to incompatibilities between those parties. This creates a dependency
of the user on a particular CP.

Isolation failure: one of the disadvantages of multi-tenancy and shared resources
occurs when the resource isolation mechanism fails to separate the resources among
users. That can occur either due to an attack (guest-hopping attacks) or due to poor
mechanism design. At present, attacks of this kind are pretty rare compared to
attacks on traditional OSs, but we certainly cannot rely on that fact alone. This risk
category covers the failure of mechanisms separating storage, memory, routing and
even reputation between different tenants.

Compliance risks: there is a possibility that investment in achieving certification is put
at risk due to the following:

• The CP cannot provide evidence of their own compliance with the relevant
requirements.
• The CP does not permit audit by the cloud customer (CC).

It is also possible that compliance with industry standards cannot be achieved
when using public cloud computing infrastructure.

Management interface compromise: CPs provide users with management
interfaces for their resources on public cloud infrastructures. Those
interfaces are available over the internet, so vulnerabilities in remote access applications
or web browsers can give unauthorised users access to resources.

Data protection: it is possible for a CP to handle data in ways that are not known (not lawful
ways) to the user, since the user loses complete governance of the data. This
problem becomes even more obvious when data are transferred often between
locations. On the other hand, there are a lot of CPs that provide information on how
data are handled by them, while other CPs additionally offer certification summaries
on their data processing and data security activities.

Insecure or incomplete data deletion: there are various systems that, upon a request to
delete a resource, will not completely wipe it out. Such is the case with cloud
computing as well. Furthermore, difficulties in deleting a resource on time might arise
due to multi-tenancy or due to the fact that many copies of this resource can exist
for backup/redundancy reasons. In cases like this, the added risk to the data
protection of the user is obvious.

Malicious insider: there is always the possibility that an insider intentionally causes
damage. For that reason a policy specifying roles for each user should be available.

The risks described above constitute the top security risks of cloud computing.
[ENISA, 2009] further categorises risks into policy and organizational risks, technical
risks, legal risks and finally not specific risks.

Vulnerabilities

The list of vulnerabilities that follows [ENISA, 2009] does not cover the entirety of
possible cloud computing vulnerabilities; it is, though, pretty detailed.

AAA Vulnerabilities: special care should be given to the authentication,
authorization and accounting system that CPs will use. Poorly designed AAA systems
can result in unauthorized users having access to resources, with unwanted results
for both the CP (legal wise) and the user (loss of information).

Conclusion

Given the risks, it strikes us as inevitable that security will become a significant cloud
computing business differentiator. Cloud computing currently offers affordable,
large-scale computations for business. If the economic case prevails, then we may find
that nothing, even security concerns, will prevent cloud computing from becoming a
consumer commodity.
