A30 PDF
Section: K17SD
Introduction
The foundations of cloud computing started to be built in the early 90’s. The main
idea behind cloud computing is to separate the infrastructure and the mechanisms
that a system is composed of from the applications and services that it delivers.
Clouds are designed so that they can scale easily, be always available and
reduce operational costs. This is achieved through on-demand multi-tenancy of
applications, information and hardware resources.
Security
The way that security controls are implemented in Cloud computing is most of the
time similar to that of traditional IT environments. But due to the distributed nature
of the assets, security risks vary depending on the kind of assets in use, who
manages those assets and how, what control mechanisms are used and where they
are located, and finally who consumes those assets.
In order to measure whether the security that a Cloud Provider (CP) offers is
adequate, we should take into consideration the maturity, effectiveness, and
completeness of the risk-adjusted security controls that the CP implements. Security
can be implemented at one or more levels. The levels that cover just the Cloud
infrastructure are: physical security, network security, system security and
application security. Additionally, security can take place at a higher level, on people,
duties and processes.
Security Benefits
In its report, [ENISA, 2009] identifies the following top security benefits that arise
from the use of Cloud computing.
CLOUD SECURITY
Security and the benefits of scale: when implementing security on a large system, the
cost of its implementation is shared across all resources and, as a result, the
investment ends up being more effective and cost saving.
Audit and evidence gathering: since virtualization is used in order to achieve Cloud
computing, it is easy to collect all the audits that we need in order to proceed with
forensic analysis without causing downtime during the gathering process.
More timely, effective and efficient updates and defaults: another benefit that Cloud
computing gains from virtualization is that virtual machines (VMs) can come
pre-patched and hardened with the latest updates. Also, in case of a configuration
fault or a disaster caused by changes made on the VM, we can roll back to a previous
stable state.
Security Risks
The following classes of cloud computing risks were identified by [ENISA, 2009].
Loss of governance: as users do not physically possess any resources, CPs can take
control of a number of resources. If those resources are not covered by an SLA,
security risks arise.
Lock-in: as we write this paper there is still no standardization on how to move data
and resources among different CPs. That means that a user who decides to move
from one CP to another, or even to migrate those services in-house, might not be
able to do so due to incompatibilities between those parties. This creates a
dependency of the user on a particular CP.
the failure of mechanisms separating storage, memory, routing and even reputation
between different tenants.
The CP cannot provide evidence of their own compliance with the relevant
requirements.
The CP does not permit audit by the cloud customer (CC).
Also, it is possible that compliance with industry standards cannot be achieved
when using public Cloud computing infrastructure.
Data protection: the CP may handle data in ways that are not known (not lawful
ways) to the user, since the user loses complete governance of the data. This
problem becomes even more obvious when data are transferred often between
locations. On the other hand, there are a lot of CPs that provide information on how
they handle data, while other CPs additionally offer certification summaries
on their data processing and data security activities.
Insecure or incomplete data deletion: there are various systems that, upon a request
to delete a resource, will not completely wipe it out. Such is the case with Cloud
computing as well. Furthermore, difficulties in deleting a resource on time might arise
due to multi-tenancy or due to the fact that many copies of this resource can exist
for backup/redundancy reasons. In cases like this, the added risk to the data
protection of the user is obvious.
Malicious insider: there is always the possibility that an insider intentionally causes
damage. For that reason a policy specifying roles for each user should be available.
The risks described above constitute the top security risks of cloud computing.
[ENISA, 2009] further categorises risks into policy and organizational risks, technical
risks, legal risks and finally risks not specific to the cloud.
Vulnerabilities
The list of vulnerabilities that follows [ENISA, 2009] does not cover the entirety of
possible Cloud computing vulnerabilities; it is, though, pretty detailed.
Conclusion
Given the risks, it strikes us as inevitable that security will become a significant cloud
computing business differentiator. Cloud computing currently offers affordable,
large-scale computations for business. If the economic case prevails, then we may find
that nothing, even security concerns, will prevent cloud computing from becoming a
consumer commodity.