Cloud computing security: Difference between revisions

From Wikipedia, the free encyclopedia
rm citespam
Added more detail to encryption methods and penetration testing

Revision as of 00:38, 27 October 2021

Cloud computing security or, more simply, cloud security refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

Security issues associated with the cloud

Cloud computing and storage provide users with capabilities to store and process their data in third-party data centers.[1] Organizations use the cloud in a variety of different service models (with acronyms such as SaaS, PaaS, and IaaS) and deployment models (private, public, hybrid, and community).[2]

Security concerns associated with cloud computing are typically categorized in two ways: as security issues faced by cloud providers (organizations providing software-, platform-, or infrastructure-as-a-service via the cloud) and security issues faced by their customers (companies or organizations who host applications or store data on the cloud).[3] The responsibility is shared, however, and is often detailed in a cloud provider's "shared security responsibility model" or "shared responsibility model."[4][5][6] The provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected, while the user must take measures to fortify their application and use strong passwords and authentication measures.[5][6]

When an organization elects to store data or host applications on the public cloud, it loses its ability to have physical access to the servers hosting its information. As a result, potentially sensitive data is at risk from insider attacks. According to a 2010 Cloud Security Alliance report, insider attacks are one of the top seven biggest threats in cloud computing.[7] Therefore, cloud service providers must ensure that thorough background checks are conducted for employees who have physical access to the servers in the data center. Additionally, data centers are recommended to be frequently monitored for suspicious activity.

In order to conserve resources, cut costs, and maintain efficiency, cloud service providers often store more than one customer's data on the same server. As a result, there is a chance that one user's private data can be viewed by other users (possibly even competitors). To handle such sensitive situations, cloud service providers should ensure proper data isolation and logical storage segregation.[2]

The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service.[8] Virtualization alters the relationship between the OS and underlying hardware – be it computing, storage or even networking. This introduces an additional layer – virtualization – that itself must be properly configured, managed and secured.[9] Specific concerns include the potential to compromise the virtualization software, or "hypervisor". While these concerns are largely theoretical, they do exist.[10] For example, a breach in the administrator workstation with the management software of the virtualization software can cause the whole datacenter to go down or be reconfigured to an attacker's liking.

Cloud security controls

Cloud security architecture is effective only if the correct defensive implementations are in place. An efficient cloud security architecture should recognize the issues that will arise with security management.[11] Security management addresses these issues with security controls, which are put in place to safeguard weaknesses in the system and reduce the effect of an attack. While there are many types of controls behind a cloud security architecture, they usually fall into one of the following categories:[11]

Deterrent controls
These controls are intended to reduce attacks on a cloud system. Much like a warning sign on a fence or a property, deterrent controls typically reduce the threat level by informing potential attackers that there will be adverse consequences for them if they proceed. (Some consider them a subset of preventive controls.)
Preventive controls
Preventive controls strengthen the system against incidents, generally by reducing if not actually eliminating vulnerabilities. Strong authentication of cloud users, for instance, makes it less likely that unauthorized users can access cloud systems, and more likely that cloud users are positively identified.
Detective controls
Detective controls are intended to detect and react appropriately to any incidents that occur. In the event of an attack, a detective control will signal the preventive or corrective controls to address the issue.[11] System and network security monitoring, including intrusion detection and prevention arrangements, is typically employed to detect attacks on cloud systems and the supporting communications infrastructure.
Corrective controls
Corrective controls reduce the consequences of an incident, normally by limiting the damage. They come into effect during or after an incident. Restoring system backups in order to rebuild a compromised system is an example of a corrective control.

Dimensions of cloud security

It is generally recommended that information security controls be selected and implemented according to and in proportion with the risks, typically by assessing the threats, vulnerabilities and impacts. Cloud security concerns can be grouped in various ways; Gartner named seven[12] while the Cloud Security Alliance identified twelve areas of concern.[13] Cloud access security brokers (CASBs) are software that sits between cloud users and cloud applications to provide visibility into cloud application usage, data protection and governance, to monitor all activity and enforce security policies.[14]

Security and privacy

Without a "hardened" environment a service is considered a "soft" target. Virtual servers should be protected just like a physical server against data leakage, malware, and exploited vulnerabilities. "Data loss or leakage represents 24.6% and cloud-related malware 3.4% of threats causing cloud outages."[15]

Identity management

Every enterprise will have its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer's identity management system into their own infrastructure, using federation or SSO technology, or a biometric-based identification system,[1] or provide an identity management system of their own.[16] CloudID,[1] for instance, provides privacy-preserving cloud-based and cross-enterprise biometric identification. It links the confidential information of the users to their biometrics and stores it in an encrypted fashion. Making use of a searchable encryption technique, biometric identification is performed in the encrypted domain to make sure that the cloud provider or potential attackers do not gain access to any sensitive data or even the contents of the individual queries.[1]

Physical security

Cloud service providers physically secure the IT hardware (servers, routers, cables etc.) against unauthorized access, interference, theft, fires, floods etc. and ensure that essential supplies (such as electricity) are sufficiently robust to minimize the possibility of disruption. This is normally achieved by serving cloud applications from professionally specified, designed, constructed, managed, monitored and maintained data centers.

Personnel security

Various information security concerns relating to the IT and other professionals associated with cloud services are typically handled through pre-, para- and post-employment activities such as security screening of potential recruits, security awareness and training programs, proactive.

Privacy

Providers ensure that all critical data (credit card numbers, for example) are masked or encrypted and that only authorized users have access to data in its entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud.

Penetration testing

Penetration testing is the process of performing offensive security tests on a system, service, or computer network to find security weaknesses in it. Since the cloud is a shared environment with other customers or tenants, following penetration testing rules of engagement step-by-step is a mandatory requirement. Scanning and penetration testing from inside or outside the cloud should be authorized by the cloud provider. Violation of acceptable use policies can lead to termination of the service.[17]

Cloud Vulnerability and Penetration Testing

Scanning the cloud from outside and inside using free or commercial products is crucial, because without a hardened environment a service is considered a soft target. Virtual servers should be hardened just like a physical server against data leakage, malware, and exploited vulnerabilities. "Data loss or leakage represents 24.6% and cloud-related malware 3.4% of threats causing cloud outages."

Scanning and penetration testing from inside or outside the cloud must be authorized by the cloud provider. Since the cloud is a shared environment with other customers or tenants, following penetration testing rules of engagement step by step is a mandatory requirement. Violation of acceptable use policies can lead to the termination of the service. Key terminology to grasp when discussing penetration testing is the difference between application-layer and network-layer testing; understanding what is asked of the tester is sometimes the most important step in the process. Network-layer testing covers internal and external connections as well as the interconnected systems throughout the local network. Social engineering attacks are often carried out as well, as the most vulnerable link in security is often the employee.

White-box Testing

Testing under the condition that the “attacker” has full knowledge of the internal network, its design, and implementation.

Grey-box Testing

Testing under the condition that the “attacker” has partial knowledge of the internal network, its design, and implementation.

Black-box Testing

Testing under the condition that the “attacker” has no prior knowledge of the internal network, its design, and implementation.

Data security

There are numerous security threats associated with cloud data services, both traditional and non-traditional. Traditional threats include network eavesdropping, illegal intrusion, and denial-of-service attacks; cloud-specific threats include side-channel attacks, virtualization vulnerabilities, and abuse of cloud services. The following security requirements limit these threats.[18]

Confidentiality

Data confidentiality is the property that data contents are not made available or disclosed to unauthorized users. Outsourced data is stored in a cloud and out of the owners' direct control. Only authorized users can access the sensitive data, while others, including CSPs, should not gain any information about the data. Meanwhile, data owners expect to fully utilize cloud data services, e.g., data search, data computation, and data sharing, without leakage of the data contents to CSPs or other adversaries.

Access controllability

Access controllability means that a data owner can perform the selective restriction of access to their data outsourced to the cloud. Legitimate users can be authorized by the owner to access the data, while others cannot access it without permission. Further, it is desirable to enforce fine-grained access control on the outsourced data, i.e., different users should be granted different access privileges with regard to different data pieces. The access authorization must be controlled only by the owner in untrusted cloud environments.

Integrity

Data integrity demands maintaining and assuring the accuracy and completeness of data. A data owner always expects that her or his data in a cloud can be stored correctly and trustworthily. It means that the data should not be illegally tampered with, improperly modified, deliberately deleted, or maliciously fabricated. If any undesirable operations corrupt or delete the data, the owner should be able to detect the corruption or loss. Further, when a portion of the outsourced data is corrupted or lost, it can still be retrieved by the data users.

Encryption

Some advanced encryption algorithms which have been applied in cloud computing increase the protection of privacy. In a practice called crypto-shredding, the keys can simply be deleted when there is no more use for the data.

Attribute-based encryption (ABE)

Attribute-based encryption is a type of public-key encryption in which the secret key of a user and the ciphertext are dependent upon attributes (e.g. the country in which he lives, or the kind of subscription he has). In such a system, the decryption of a ciphertext is possible only if the set of attributes of the user key matches the attributes of the ciphertext.

One of the strengths of attribute-based encryption is that it attempts to solve issues that exist in current public-key infrastructure (PKI) and identity-based encryption (IBE) implementations. By relying on attributes, ABE circumvents the need to share keys directly, as with PKI, as well as the need to know the identity of the receiver, as with IBE.

These benefits come at a cost, as ABE suffers from the decryption key re-distribution problem. Since decryption keys in ABE only contain information regarding the access structure or the attributes of the user, it is hard to verify the user's actual identity. Thus malicious users can intentionally leak their attribute information so that unauthorized users can imitate them and gain access.[19]

Ciphertext-policy ABE (CP-ABE)

Ciphertext-policy ABE (CP-ABE) is a type of public-key encryption in which the encryptor controls the access strategy. The main research work on CP-ABE is focused on the design of the access structure. A ciphertext-policy attribute-based encryption scheme consists of four algorithms: Setup, Encrypt, KeyGen, and Decrypt.[20] The Setup algorithm takes security parameters and an attribute universe description as input and outputs public parameters and a master key. The Encrypt algorithm takes the data as input and produces a ciphertext that only a user possessing a set of attributes that satisfies the access structure can decrypt. The KeyGen algorithm takes the master key and the user's attributes and derives a private key. Finally, the Decrypt algorithm takes the public parameters, the ciphertext, the private key, and the user's attributes as input; it first checks whether the user's attributes satisfy the access structure and then decrypts the ciphertext to return the data.

Key-policy ABE (KP-ABE)

Key-policy Attribute-Based Encryption, or KP-ABE, is an important type of Attribute-Based Encryption. KP-ABE allows senders to encrypt their messages under a set of attributes, much like any attribute-based encryption system. For each encryption, private user keys are then generated that contain the decryption algorithm for deciphering the message; each private user key grants access to the specific messages it corresponds to. In a KP-ABE system, ciphertexts, or the encrypted messages, are tagged by their creators with a set of attributes, while users' private keys are issued with a policy specifying which type of ciphertexts the key can decrypt.[21] The private keys thus control which ciphertexts a user is able to decrypt.[22] In KP-ABE, attribute sets describe the encrypted texts, and private keys are associated with the policy that governs a user's decryption of ciphertexts. A drawback of KP-ABE is that the encryptor does not control who has access to the encrypted data, except through descriptive attributes, which creates a reliance on the key issuer granting and denying access to users. This motivated the creation of other ABE systems, such as Ciphertext-Policy Attribute-Based Encryption.[23]

Fully homomorphic encryption (FHE)

Fully homomorphic encryption (FHE) is a cryptosystem that supports arbitrary computation on ciphertexts: both sums and products of encrypted data can be computed without decrypting it, and the party performing the computation does not need the secret key[24]. FHE has been proposed not only for cloud computing but for electronic voting as well. It is particularly relevant to cloud computing because it lets a provider store and process data that it can never read, protecting the data both in transit and at rest in cloud storage[25]. The goal is an encryption method secure and efficient enough to be used at the scale of the cloud, although computing on ciphertexts is still far more expensive than computing on plaintext.
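The two properties the paragraph names, computing sums and products on ciphertexts without the key, can be demonstrated with a toy scheme over the integers. The block below is an added example and is not code from the article or from any FHE library; it follows the symmetric "somewhat homomorphic" construction (ciphertext c = p·q + 2r + m with an odd secret p) rather than Gentry's full scheme, and its parameters (60-bit p, 20-bit noise) are assumptions chosen only to make the noise behaviour visible. It is not secure and must not be used for real data.

```python
"""Toy somewhat-homomorphic encryption over the integers (added illustration, not secure)."""
import secrets

# Toy parameters (assumptions for this illustration only)
P_BITS = 60    # secret key p is an odd 60-bit integer
Q_BITS = 100   # random multiplier q hides p
R_BITS = 20    # fresh noise r is a 20-bit integer, so fresh noise 2r+m < 2^21


def keygen():
    """Secret key: a random odd integer in [2^59, 2^60)."""
    return (1 << (P_BITS - 1)) | secrets.randbits(P_BITS - 1) | 1


def encrypt(p, bit):
    """c = p*q + 2*r + bit. The term 2*r + bit is the noise; decryption works while it is < p/2."""
    assert bit in (0, 1)
    q = secrets.randbits(Q_BITS)
    r = (1 << (R_BITS - 1)) | secrets.randbits(R_BITS - 1)  # r in [2^19, 2^20)
    return p * q + 2 * r + bit


def noise(p, c):
    """Centred residue of c mod p: equals the accumulated noise 2*r + m as long as that is < p/2."""
    n = c % p
    if n > p // 2:
        n -= p
    return n


def decrypt(p, c):
    """(c mod p) mod 2, using the centred residue."""
    return noise(p, c) % 2


def add(c1, c2):
    """Evaluator side, no key needed: homomorphic XOR. Noise adds."""
    return c1 + c2


def mul(c1, c2):
    """Evaluator side, no key needed: homomorphic AND. Noise multiplies."""
    return c1 * c2


def evaluate_gates(p, a, b):
    """Encrypt two bits, let an untrusted evaluator compute XOR and AND blind, then decrypt."""
    ca, cb = encrypt(p, a), encrypt(p, b)
    c_and = mul(ca, cb)
    return {
        "xor": decrypt(p, add(ca, cb)),
        "and": decrypt(p, c_and),
        "noise_fresh": abs(noise(p, ca)),
        "noise_after_and": abs(noise(p, c_and)),
    }


if __name__ == "__main__":
    sk = keygen()
    for a in (0, 1):
        for b in (0, 1):
            print(a, b, evaluate_gates(sk, a, b))
```

The evaluator only ever adds and multiplies integers; it never sees p. The limit of a "somewhat" homomorphic scheme is visible in the returned noise figures: one multiplication takes the noise from about 2^21 to about 2^41, and with these parameters a third chained multiplication pushes it past 2^60 > p, after which decryption returns garbage. Gentry's bootstrapping step, which refreshes a ciphertext by homomorphically evaluating its own decryption, is what turns such a scheme into a fully homomorphic one.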

Searchable encryption (SE)

Searchable encryption is a cryptographic system that offers search over encrypted data.[26][27] SE schemes fall into two categories: SE based on secret-key (symmetric-key) cryptography, and SE based on public-key cryptography. To make search efficient, symmetric-key SE generally builds an encrypted keyword index that answers user queries. The index is also the scheme's weak point: even though the server never sees the keywords or the data, it learns which ciphertexts match each query (the access pattern) and when the same keyword is queried again (the search pattern), and in a shared cloud environment this leakage can be exploited to infer the keywords and recover data without breaking the encryption itself.[28]
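A minimal symmetric searchable-encryption index, added here as an illustration and not code from the article or from the cited papers, makes both the mechanism and the leakage concrete. It uses the textbook HMAC-based inverted index: the client derives per-keyword keys, stores each posting under a pseudorandom label with a masked document id, and hands the server a per-keyword token with which it walks the posting chain. The master key, document set and keyword lists are constructed for the example.

```python
"""Single-keyword symmetric searchable encryption over an inverted index (added illustration)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set, Tuple


def _prf(key: bytes, msg: bytes) -> bytes:
    """Pseudorandom function: HMAC-SHA256."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keyword_keys(master_key: bytes, keyword: str) -> Tuple[bytes, bytes]:
    """Per-keyword sub-keys: one for index labels, one for masking document ids."""
    k_w = _prf(master_key, b"kw|" + keyword.encode())
    return _prf(k_w, b"label"), _prf(k_w, b"mask")


def build_index(master_key: bytes, documents: Dict[int, Set[str]]) -> Dict[bytes, bytes]:
    """Client side. documents: doc_id -> keywords. Returns the encrypted index label -> masked id."""
    postings: Dict[str, List[int]] = {}
    for doc_id, words in documents.items():
        for w in words:
            postings.setdefault(w, []).append(doc_id)
    index: Dict[bytes, bytes] = {}
    for w, ids in postings.items():
        k_label, k_mask = _keyword_keys(master_key, w)
        for counter, doc_id in enumerate(ids):
            ctr = counter.to_bytes(4, "big")
            label = _prf(k_label, ctr)                       # looks random to the server
            mask = _prf(k_mask, ctr)[:4]
            index[label] = bytes(a ^ b for a, b in zip(doc_id.to_bytes(4, "big"), mask))
    return index


def trapdoor(master_key: bytes, keyword: str) -> Tuple[bytes, bytes]:
    """Client side: the search token sent to the server. Deterministic per keyword."""
    return _keyword_keys(master_key, keyword)


def search(index: Dict[bytes, bytes], token: Tuple[bytes, bytes]) -> List[int]:
    """Server side: follows the counter chain until a label is missing. Never sees the keyword."""
    k_label, k_mask = token
    results: List[int] = []
    counter = 0
    while True:
        ctr = counter.to_bytes(4, "big")
        masked = index.get(_prf(k_label, ctr))
        if masked is None:
            return results
        mask = _prf(k_mask, ctr)[:4]
        results.append(int.from_bytes(bytes(a ^ b for a, b in zip(masked, mask)), "big"))
        counter += 1


# Constructed sample corpus: doc id -> keywords the client extracted before upload.
SAMPLE_DOCS: Dict[int, Set[str]] = {
    1: {"invoice", "acme", "2021"},
    2: {"invoice", "globex", "2022"},
    3: {"contract", "acme"},
}


def demo(master_key: Optional[bytes] = None) -> dict:
    """Build the index, run one query, and report what the server could observe."""
    master_key = master_key or secrets.token_bytes(32)
    index = build_index(master_key, SAMPLE_DOCS)
    tok = trapdoor(master_key, "invoice")
    hits = sorted(search(index, tok))
    return {
        "hits": hits,                                              # access pattern: server learns these ids
        "search_pattern_leaks": trapdoor(master_key, "invoice") == tok,  # same keyword -> same token
        "index_size": len(index),                                  # total postings count is visible
        "unknown_keyword_hits": search(index, trapdoor(master_key, "payroll")),
    }


if __name__ == "__main__":
    print(demo())
```

The server resolves the query correctly while the index contains no keyword or plaintext, but `demo()` also shows the three things it does learn: the matching document ids, that a repeated query is the same query, and the number of postings. Those observations are exactly the "multimodal" routes an attacker in a shared environment uses in leakage-abuse attacks, which is why practical SE designs add padding, oblivious access or result re-encryption on top of the basic index.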

Compliance

Numerous laws and regulations pertain to the storage and use of data. In the US these include privacy and data protection laws, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, the Federal Information Security Management Act of 2002 (FISMA), and the Children's Online Privacy Protection Act of 1998, among others. Similar standards exist in other jurisdictions, e.g. Singapore's Multi-Tier Cloud Security Standard.

Comparable laws apply in other legal jurisdictions and may differ markedly from those enforced in the US. Cloud service users therefore need to be aware of the legal and regulatory differences between jurisdictions: data stored by a cloud service provider may be located in, say, Singapore and mirrored in the US.[29]

Many of these regulations mandate particular controls (such as strong access controls and audit trails) and require regular reporting. Cloud customers must ensure that their cloud providers adequately fulfil such requirements, enabling the customers to meet their own obligations, since to a large extent the customers remain accountable.

Business continuity and data recovery

Cloud providers have business continuity and data recovery plans in place to ensure that service can be maintained in case of a disaster or an emergency and that any data loss will be recovered.[30] These plans may be shared with and reviewed by their customers, ideally dovetailing with the customers' own continuity arrangements. Joint continuity exercises may be appropriate, simulating a major Internet or electricity supply failure for instance.

Log and audit trail

In addition to producing logs and audit trails, cloud providers work with their customers to ensure that these logs and audit trails are properly secured, maintained for as long as the customer requires, and accessible for the purposes of forensic investigation (e.g., eDiscovery).

Unique compliance requirements

In addition to the requirements to which customers are subject, the data centers used by cloud providers may also be subject to compliance requirements. Using a cloud service provider (CSP) can lead to additional security concerns around data jurisdiction, since customer or tenant data may not remain on the same system, in the same data center, or even within the same provider's cloud.[31]

The European Union's General Data Protection Regulation (GDPR) has introduced new compliance requirements for customer data.

Legal and contractual issues

Aside from the security and compliance issues enumerated above, cloud providers and their customers negotiate terms around liability (stipulating, for example, how incidents involving data loss or compromise will be resolved), intellectual property, and end-of-service (when data and applications are ultimately returned to the customer). There are also considerations around acquiring data from the cloud when it may be involved in litigation.[32] These issues are set out in service-level agreements (SLAs).

Public records

Legal issues may also include records-keeping requirements in the public sector, where many agencies are required by law to retain and make available electronic records in a specific fashion. This may be determined by legislation, or law may require agencies to conform to the rules and practices set by a records-keeping agency. Public agencies using cloud computing and storage must take these concerns into account.

References

  1. Haghighat, M.; Zonouz, S.; Abdel-Mottaleb, M. (2015). "CloudID: Trustworthy Cloud-based and Cross-Enterprise Biometric Identification". Expert Systems with Applications. 42 (21): 7905–7916. doi:10.1016/j.eswa.2015.06.025.
  2. Srinivasan, Madhan (2012). "State-of-the-art cloud computing security taxonomies: a classification of security challenges in the present cloud computing environment". ACM ICACCI. p. 470. doi:10.1145/2345396.2345474. ISBN 9781450311960.
  3. "Swamp Computing a.k.a. Cloud Computing". Web Security Journal. 2009-12-28. Retrieved 2010-01-25.
  4. "Cloud Controls Matrix v4" (xlsx). Cloud Security Alliance. 15 March 2021. Retrieved 21 May 2021.
  5. "Shared Security Responsibility Model". Navigating GDPR Compliance on AWS. AWS. December 2020. Retrieved 21 May 2021.
  6. Tozzi, C. (24 September 2020). "Avoiding the Pitfalls of the Shared Responsibility Model for Cloud Security". Palo Alto Networks Blog. Palo Alto Networks. Retrieved 21 May 2021.
  7. "Top Threats to Cloud Computing v1.0" (PDF). Cloud Security Alliance. March 2010. Retrieved 2020-09-19.
  8. Winkler, Vic. "Cloud Computing: Virtual Cloud Security Concerns". Technet Magazine, Microsoft. Retrieved 12 February 2012.
  9. Hickey, Kathleen. "Dark Cloud: Study finds security risks in virtualization". Government Security News. Retrieved 12 February 2012.
  10. Winkler, Vic (2011). Securing the Cloud: Cloud Computer Security Techniques and Tactics. Waltham, MA USA: Elsevier. p. 59. ISBN 978-1-59749-592-9. Archived from the original on 2012-07-29. Retrieved 2012-02-12.
  11. Krutz, Ronald L.; Vines, Russell Dean (2010). "Cloud Computing Security Architecture". Cloud Security: A Comprehensive Guide to Secure Cloud Computing. Indianapolis, IN: Wiley. pp. 179–180.
  12. "Gartner: Seven cloud-computing security risks". InfoWorld. 2008-07-02. Retrieved 2010-01-25.
  13. "Top Threats to Cloud Computing Plus: Industry Insights". Cloud Security Alliance. 2017-10-20. Retrieved 2018-10-20.
  14. "What is a CASB (Cloud Access Security Broker)?". CipherCloud. Archived from the original on 2018-08-31. Retrieved 2018-08-30.
  15. Thangasamy, Veeraiyah (2017). "Journal of Applied Technology and Innovation" (PDF). 1: 97.
  16. "Identity Management in the Cloud". Information Week. 2013-10-25. Retrieved 2013-06-05.
  17. Guarda, Teresa; Orozco, Walter; Augusto, Maria; Morillo, Giovanna; Navarrete, Silvia; Pinto, Filipe (2016). "Penetration Testing on Virtual Environments". ICINS '16: Proceedings of the 4th International Conference on Information and Network Security (December 2016): 9–12. doi:10.1145/3026724 – via ACM.
  18. Tang, Jun; Cui, Yong (2016). "Ensuring Security and Privacy Preservation for Cloud Data Services" (PDF). ACM Computing Surveys. 49: 1–39. doi:10.1145/2906153. Archived from the original (PDF) on 2016-04-06.
  19. Xu, Shengmin; Yuan, Jiaming; Xu, Guowen; Li, Yingjiu; Liu, Ximeng; Zhang, Yinghui; Ying, Zuobin (2020-10-01). "Efficient ciphertext-policy attribute-based encryption with blackbox traceability". Information Sciences. 538: 19–38. doi:10.1016/j.ins.2020.05.115. ISSN 0020-0255.
  20. Bethencourt, J.; Sahai, A.; Waters, B. (May 2007). "Ciphertext-policy attribute-based encryption". 2007 IEEE Symposium on Security and Privacy (SP '07). IEEE. pp. 321–334.
  21. Wang, Changji; Luo, Jianfa (2013-04-09). "An Efficient Key-Policy Attribute-Based Encryption Scheme with Constant Ciphertext Length". Mathematical Problems in Engineering. 2013: e810969. doi:10.1155/2013/810969. ISSN 1024-123X.
  22. Wang, Chang-Ji; Luo, Jian-Fa (November 2012). "A Key-policy Attribute-based Encryption Scheme with Constant Size Ciphertext". 2012 Eighth International Conference on Computational Intelligence and Security: 447–451. doi:10.1109/CIS.2012.106.
  23. Bethencourt, John; Sahai, Amit; Waters, Brent (May 2007). "Ciphertext-Policy Attribute-Based Encryption". 2007 IEEE Symposium on Security and Privacy (SP '07): 321–334. doi:10.1109/SP.2007.11.
  24. Armknecht, Frederik; Katzenbeisser, Stefan; Peter, Andreas (2012). "Shift-Type Homomorphic Encryption and Its Application to Fully Homomorphic Encryption". Progress in Cryptology - AFRICACRYPT 2012. Berlin, Heidelberg: Springer Berlin Heidelberg. pp. 234–251. Retrieved 2021-10-27.
  25. Zhao, Feng; Li, Chao; Liu, Chun Feng (February 2014). "A cloud computing security solution based on fully homomorphic encryption". 16th International Conference on Advanced Communication Technology. Global IT Research Institute (GIRI). doi:10.1109/icact.2014.6779008.
  26. Wang, Qian; He, Meiqi; Du, Minxin; Chow, Sherman S. M.; Lai, Russell W. F.; Zou, Qin (2018). "Searchable Encryption over Feature-Rich Data". IEEE Transactions on Dependable and Secure Computing. 15 (3): 496–510. doi:10.1109/TDSC.2016.2593444.
  27. Naveed, Muhammad (2014). "Dynamic Searchable Encryption via Blind Storage". IEEE Symposium on Security and Privacy 2014.
  28. Sahayini, T (2016). "Enhancing the security of modern ICT systems with multimodal biometric cryptosystem and continuous user authentication". International Journal of Information and Computer Security. 8 (1): 55. doi:10.1504/IJICS.2016.075310.
  29. "Managing legal risks arising from cloud computing". DLA Piper. Retrieved 2014-11-22.
  30. "It's Time to Explore the Benefits of Cloud-Based Disaster Recovery". Dell.com. Archived from the original on 2012-05-15. Retrieved 2012-03-26.
  31. Winkler, Vic (2011). Securing the Cloud: Cloud Computer Security Techniques and Tactics. Waltham, MA USA: Elsevier. pp. 65, 68, 72, 81, 218–219, 231, 240. ISBN 978-1-59749-592-9. Archived from the original on 2012-07-29. Retrieved 2012-02-12.
  32. Adams, Richard (2013). "The emergence of cloud storage and the need for a new digital forensic process model" (PDF). Murdoch University.

Further reading

  • Mowbray, Miranda (2009). "The Fog over the Grimpen Mire: Cloud Computing and the Law". SCRIPTed. 6 (1): 129. doi:10.2966/scrip.060109.132.
  • Mather, Tim; Kumaraswamy, Subra; Latif, Shahed (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media, Inc. ISBN 9780596802769.
  • Winkler, Vic (2011). Securing the Cloud: Cloud Computer Security Techniques and Tactics. Elsevier. ISBN 9781597495929.
  • Ottenheimer, Davi (2012). Securing the Virtual Environment: How to Defend the Enterprise Against Attack. Wiley. ISBN 9781118155486.
  • Haghighat, Mohammad (2015). "CloudID: Trustworthy Cloud-based and Cross-Enterprise Biometric Identification". Expert Systems with Applications. 42 (21): 7905–7916. doi:10.1016/j.eswa.2015.06.025.
  • BS ISO/IEC 27017: "Information technology. Security techniques. Code of practice for information security controls based on ISO/IEC 27002 for cloud services." (2015)
  • BS ISO/IEC 27018: "Information technology. Security techniques. Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors." (2014)
  • BS ISO/IEC 27036-4: "Information technology. Security techniques. Information security for supplier relationships. Guidelines for security of cloud services" (2016)
