A Blueprint on Ways to Get Rid of Cloud Security Issues

By CIOReview | Wednesday, July 20, 2016

“How do I secure my data?” is a major concern of CIOs leveraging cloud computing technology for data storage in their organization. As data is sensitive asset of an organization, it entails high level of security and agitation. Security issues in cloud computing vary depending upon the type of cloud models—Public, Private, and Hybrid and the service models employed in the organization. And to suppress the security issues astute selection of tools and its implementation is necessary.   

Avoiding Security Issues with the Cloud

Minimize Lack of Control:  Some system managers adduce data control as a person’s concern while leveraging cloud applications. Cloud applications are business-critical functions, where unexpected outages push FUD among the customers. Such an instance occurred on 11 April when an outage was witnessed by users globally using Google’s IaaS (Infrastructure-as-a-Service)—Compute Engine; this outage lasted for18 minutes. After analyzing the breakdown, Google executives found that the failure was due to a bug in the Network Configuration Management software.

An outage may also be caused by a SPOF (Single Point of Failure) in a cloud computing system when any single component of the system disintegrates, stopping the entire system. Fearing outages, some organization leaders opted for third-party vendors—Prescient Solutions, Infinitely Virtual and similar organizations to ensure safety of data.  But when data comes to third-party, data owners lack control and transparency of data and that becomes a potential organizational threat. Turning over to  lack of control, brings into picture a major data breach incident witnessed by a public retail industry, Target Corporation where 70 million credit and debit card retail users data was stolen, leading to the loss of profits.

Improving control over cloud data is not a daunting task. To minimize lack of control an organization must primarily select a suitable cloud framework that will introduce some security standards. There are two cloud frameworks available—FedRAMP (Federal Risk and Management Accreditation Program) and G-Cloud framework. FedRAMP’s security standards include FISMA, NIST 800, and FIPS-199; the U.K. Government G-Cloud framework features security principles that are online. After selecting a framework, assessment, and deployment of best cloud practices—Cloud Security Alliance and Cloud Best Practice Network is necessary to get an optimum cloud practice which will help in creating new cloud applications or facilitate easy migration of existing applications to the cloud.  

Post deployment, the assessment of the cloud practice is a crucial task and can be done by carrying out gap analysis. The analysis portrays a complete picture between the business requirements and compliance needs—PCI, HIPAA, and Tax data with the actual activities on the network. Further, to analyze the requirements and needs, conduct an enterprise cloud risk assessment focusing on cloud application, which helps to detect location of data. Organizations can also plan and address “Stealth IT. This step assists in obtaining an action plan; there are some companies that help through this planning and remediation process.    

Minimize Multitenancy: The fundamental principle of ‘Multitenancy’ is multiple tenants sharing the same computer hardware. It has been a boon to businesses that use cloud technology by offering those services at a reduced cost. However “Everything costs something”, and the multitenancy approach presents many challenges—compliance, security and privacy. Lack of efficient bandwidth and data isolation makes cloud computing a laborious work, as tenants launch attack towards co-resident in the same data centre. One such instance is an experiment conducted by a team of researchers using Amazon’s EC2 IaaS (Infrastructure-as-a-Service) offering, where they potentially had the ability to map the cloud infrastructure and locate specific target virtual machines. After locating the target, the researchers were able to access and reliably place a virtual machine that they controlled on the same physical server. This capability enables a variety of virtual-machine-escape attacks to compromise the target.  Hence, in multi-tenant IaaS, neighbors are similar to malicious insiders. To combat such attacks, CIOs need to design countermeasures for multitenancy involved in these three categories of risks:

• Governance, Control and Auditing: Governance and control can be gained by implementing the concept of Separation of Duties (SoD), were a single task, function or component is segregated  into multiple areas of responsibility and are assigned to different individuals. SoD governs the powers or capabilities by defining individual’s role. After defining the roles auditing needs to be conducted to maintain a minimum allowable security posture. There are some IT auditing frameworks available—CobiT and Systrust.

• Shared Services (IaaS, SaaS, and PaaS): Shared services are an intrinsic part of cloud computing. Where the risk involved by MTA clients can be categorized on the type of shared services.

In IaaS model, each client’s environment is hosted and controlled by a version of hypervisor or virtualization software. The security, robustness of hypervisor software defines the tenant’s cloud environment. And to prevent exploitations in the MTA (Multi Tenant Architecture) cloud service providers need to maintain and upgrade their hypervisor software and implement network or host based intrusion detection and prevention system.

In a SaaS model, a single object code for each MTA tenant is the name of the game. When the code is corrupted, each tenant on the MTA can access the private data of other clients. To prevent such events from happening, SaaS solutions should be developed using Aspect-Oriented Programming (AOP), which allows each client to use the same object code but implement different security measures—authentication, access algorithm, cipher strength and others.

With PaaS, each tenant may have various layers of their hosted solution—business logic, data access logic and storage, and presentation logic. The risk in PaaS is the lack of configuration information, which can be countered by maintaining a dependency map for each tenant.

• Logical Security, Access Control, and Encryption: MTA client’s data is protected through strong encryption protocols. Possibilities of having the same encryption algorithms also occur and to suppress this risk ‘Predicate Encryption’ and ‘Homomorphic Encryption’ mechanisms are used to efficiently control encryption and decryption of data segments that are stored.  Additionally, to ease access management Role-based Access Control (RBAC) can be implemented which will comprehensively employ authorization rules without changing the underlying permissions.