Cloud Computing and Information Security: New Challenge

Cloud Computing is the new thing and we all love to talk about it. The US Government has a strong commitment to this new technology and even the most recognized IT Companies, like IBM, Microsoft, Google, HP, Apple and Amazon among others are already offering these services as Cloud Providers.

So, what is Cloud Computing?
It is an on-demand service model that allows access to computing resources like networks, servers, storage, applications, and services among others, with the primary advantage that it can be rapidly and automatically provisioned, even without the service provider interaction. A key characteristic is that these resources are shared among the different users of the Cloud service.

Cloud Computing caught everyone’s attention because it created a paradigm shift in the IT infrastructure concept: Instead of Companies owning data centers, servers, routers, switches and personnel to manage them, these will all be in the “cloud” provided to the Company by a third party provider.

This allows many advantages, like:

• Cost reduction in the acquisition of new servers, network infrastructure equipment (routers, switches, firewalls, etc.).
• Less in Company IT personnel, since the Cloud Provider will have a team a specialized to manage the service.
• Less in Company personnel training, since the Cloud Provider provides that.
• Operational cost reduction, like electricity, redundant equipment, and network links, etc. This will all be provided by the Cloud.
• Inexpensive Research and Development
• Capital expenditures will become operational expenditures.

What are the main characteristics of Cloud Computing services and how is it offered?

Cloud Computing has five essential characteristics:

1. On-demand self-service: A consumer can unilaterally provision computing capabilities such as server time and network storage as needed automatically, without requiring human interaction with a service provider.
2. Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs)
3. Resource pooling: The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
4. Rapid elasticity: Capabilities can be rapidly and elastically provisioned
5. Measured service. Resource usage can be monitored, controlled, and reported (e.g., storage, processing, bandwidth, or active user accounts).

Cloud Computing is offered in 3 service models:

• SaaS (Software as a Service): The consumer is to use the provider’s applications running on a cloud infrastructure and accessible from various client devices through a thin client interface such as a Web browser (e.g., web-based email).
• PaaS (Platform as a Service): The consumer is to deploy onto the cloud infrastructure applications using programming languages and tools supported by the provider (e.g., java, python, .Net).
• IaaS (Infrastructure as a Service): The provider is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary.

Additionally, the service is available in 4 delivery models called Private, Public, Hybrid and Community. Next, I will describe the two most important ones:

• Private: The cloud infrastructure is operated solely for an organization.
• Public: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Privacy and Security in the Cloud: Main Concerns

These new technologies that create a paradigm shift also build up a storm of new challenges and concerns to Corporate CIOs. The NIST (National Institute of Standards and Technologies) and the CSA (Cloud Security Alliance) mention some of these concerns:

• Compliance: Data resides in the cloud and not in a fixed physical place. The exact location of it may not be available or disclosed by the Cloud Provider, making it difficult to guarantee the correct implementation of security controls required to achieve regulatory compliance. As an example, Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS), requires both technical and physical safeguards for controlling access to data, which may create compliance issues for some cloud providers
• Cloud Provider Trust:
• Data ownership: Data is processed and stored in the cloud provided by the Cloud Provider. Without a clear service agreement, there might be uncertainty who’s the owner of the information.
• Composite services: Cloud services that use third party cloud providers to outsource or subcontract some of their services should raise concerns, including the scope of control over the third party and the responsibilities involved.
• Malicious Insiders: Cloud providers grant their employees access to perform their duties (physical, virtual, etc.). A Malicious employee might have access to many Customers’ confidential data or even cause sabotage (availability issues).
• Risk Management: Organizations should ensure that security controls are implemented correctly, operate as intended, and meet its security requirements. Since all the IT infrastructure is in the Cloud, this task could be very difficult to achieve, generating higher risks.
• Architectures and attacks:
• Shared technology: The implementation of virtualization technologies create new attack surfaces since these technologies are susceptible to vulnerabilities.
• Virtual networks: Traffic over virtual networks may not be visible to security protection devices on the physical network, such as network-based intrusion detection and prevention systems.
• Insecure APIs: APIs are available to Customers for service management and might represent risks if they are not secured.
• Data loss or leakage: All service models are subject to data loss or leakage due to different factors like operation failures, missing encryption keys, data destruction challenges, DRP, etc.
• Availability: The possibility exists for a cloud provider to experience problems, like bankruptcy or facility loss, which affect service for extended periods or cause a complete shutdown.
• Attacks to/from the Cloud:
• Account or Service Hijacking: All service models are subject to Account / Service hijacking due to different factors like Phishing, Fraud, vulnerability exploits, etc. Once an attacker has access to credentials, they can easily manipulate data, access information or even contact the Customer’s clients.
• Abuse of use of Cloud Computing: The illusion of unlimited compute power, network, and storage capacity, gives spammers, malicious code authors, and other criminals the possibility to conduct their activities with more power and even anonymity.
• Denial of Service: The dynamic provisioning of a cloud in some ways simplifies the work of an attacker to cause harm. Denial of service attacks can occur against internally accessible services, such as those used in cloud management.

What recommendations are there to move to Cloud Computing Services?

There are many discussions being held about which are the best recommendations that should be taken into account when moving to Cloud Computing services. However, there are some of them that can be followed:

• Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, and electronic discovery requirements.
• Incorporate mechanisms into the contract that allow visibility into the security and privacy controls and processes employed by the cloud provider and their performance over time.
• Specify into the contract the need for a risk management program that is flexible enough to adapt to the continuously evolving and shifting risk landscape.
• Understand the underlying technologies the cloud provider uses to provision services, including the implications of the technical controls involved on the security and privacy of the system, with respect to the full lifecycle of the system and for all system components
• Understand virtualization and other software isolation techniques that the cloud provider employs, and assess the risks involved.
• Evaluate the suitability of the cloud provider’s data management solutions for the organizational data concerned.
• Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed and that all operations can be eventually reinstituted in a timely and organized manner.

By Agustin Chernitsky
Information Security specialist.