Would you ever consider moving your corporate sensitive data outside of your
organization's firewalls? If the answer is 'No', then you'll have a hard time
getting convinced about using Cloud Computing. By its very nature, cloud
computing requires you to keep all your data in the cloud. It's a completely
different architecture, and to get used to it, you have to understand the key
security threats to expect.
1. Loss of control over your applications management
Let's stare at your worst fear of moving to the cloud straight in the
face-it's data ownership and privacy. Suddenly, all the information that was
earlier residing in your own data centers moves into a public cloud. Suddenly,
you've lost control and given it to a service provider. So obviously there would
be dis-comfort. What if somebody steals your data? What if somebody mis-uses
your customer information? If you have these fears, then you probably need to
start by using some non-critical applications in the cloud, and gradually move
to more critical ones. Remember, email has always been in the cloud, and yet we
all have been using it for years without any fear of data loss or lack of
control. The same thing would hold true for other applications as well.
2. Shared infrastructure will lure cyber criminals
The first thing to remember is that you're on a public infrastructure when
you move to the cloud, which is shared by multiple companies. This could act as
a 'honeypot' for hackers. Instead of wasting their time and energy targeting
individual companies, hackers would put their efforts on hacking into the cloud.
This way, if they manage to infiltrate into a public cloud, they could find ways
to upload malware to thousands of computers, converting them into Botnets, and
then using them to attack other machines. Worse still, they could also access
data of all the companies hosted on that cloud. That doesn't sound like a very
good scenario, but then let's compare a cloud service, which hosts so many
people's infrastructure, to a bank.
A bank is also a more lucrative target for robbers than an ordinary house.
And despite knowing that, it doesn't prevent you from putting your money in the
bank, because you know that your money will be safer in the bank than keeping it
at home. Similarly, cloud services providers are more prone to getting attacked
than individual companies. But that doesn't mean you shouldn't use their
services. Moreover, the bigger the cloud services provider, the more it would
invest on its security. After all, loss of a customer's data is also a loss of
reputation for the cloud service provider.
3. Vulnerabilities of shared technologies
The main technology behind cloud computing is virtualization, which is a way
to abstract the hardware from the software. This way, the cloud service provider
can dynamically allocate or re-allocate hardware resources to its customers. You
wouldn't face scalability issues in the cloud because of this. However, since
virtualization is a shared technology, there are vulnerabilities in it. So if a
zero-day attack happens in a shared infrastructure, it could quickly spread
across the public cloud and wreak havoc. Please read the article 'Security in a
Virtualized World' to find out more on security issues in virtualization
technologies.
4. Careless users can no longer be ignored
Typically, organizations are more worried about preventing outsiders from
attacking their networks and data centers. For this, they deploy firewalls, VPNs,
and lots of physical security solutions to prevent external intruders from
getting access. You would also worry about internal security threats, but may
not go beyond putting basic anti-virus, anti-spam, etc on all the machines. In
case of Cloud security however, you would have to go beyond perimeter security
because you're hosting your apps in a public infrastructure, which is easily
accessible over the Internet by anybody. Stronger passwords for users for
instance would become mandatory. Encryption of data would be another thing
you'll have to worry about, and so on. Another thing to remember is that the
Cloud is a fundamental shift in architecture of your IT infrastructure. So while
your service provider is responsible for the security of his Cloud, you're
equally responsible for ensuring that your information doesn't get stolen.
5. Identifying the right Cloud service provider
There are lots of different kinds of cloud based services you can avail,
SaaS (Software as a Service), PaaS (Platform as a service), and IaaS
(Infrastructure as a Service). Within each, there are lots of service providers,
with the highest number being in the SaaS space. That's why, the level of
security you need also depends upon the kind of service availed. Security issues
can arise due to improper risk assessment of the cloud service provider. You
need to be aware of the Cloud service provider's risk profile. Check whether
your Cloud service provider is PCI (Payment Card Industry) compliant. If not,
then don't risk putting your sensitive personal or customer record information
there.
6. Where's my data stored?
Some countries have laws against moving personal information outside of the
country. While a public cloud could have its infrastructure anywhere in the
world. If that happens, you would not know where your data is really stored.
Thankfully, this is not the case in India for a majority of services, so you
shouldn't have any legal limitations of where your data would be stored. What
you might have to worry about are the laws of the country where your cloud
service provider has stored your data. If those laws force the service provider
to share data due to a litigation, then you have no control over preventing your
corporate data from being handed out.
7. Data aggregation Programs
If you're going to use programs in your cloud that can aggregate data, viz.
credit card numbers, sensitive customer information, etc, then you have to be
extra careful that those systems don't develop any vulnerabilities. That could
lead to put you in some serious trouble.
8. Traffic hijacking attacks
Many of the attacks that have been known outside of the cloud are very much
application in the cloud as well. Things like man in the middle attack, phishing
attack, D-DoS or DdoS attack can all happen in the cloud. Apparently, one
company that had hosted its applications in the Amazon cloud faced disruption
of its services due to a D-DoS attack. It seems that it took around 18 hours to
detect and stop the attack. This could very much happen with your cloud service
provider.
9. Mis-configuration and unpatched systems
If your applications were hosted within your own data center, then you
didn't have to worry too much about mis-configured systems, slow patches, lack
of user training etc. But you can no longer be lax about these things when you
move to the cloud. A mis-configuration could cost you your data. A patch left
undeployed could lead to a malware program mis-using it.
10. Old way of programming
We're used to developing programs that are meant to work in a private
infrastructure, and not for something that's completely open like the cloud.
That's why, bugs could creep into the APIs being designed, which could be mis-used.
So, if you're developing your own applications for the cloud, your developers
must pay great attention to the APIs being created that would be used between
various applications.
Besides the above, there would be many other things you may want to check
with your cloud service provider. For instance, who is going to manage your
applications in the cloud? Is it one person or multiple people? Is there anybody
at the service provider's end who has complete access to all your data? Ideally
there shouldn't be.