SoS Musings #25 - Cloudy with a Chance of Data Hauls

SoS Musings #25
Cloudy with a Chance of Data Hauls

It is imperative that cloud security is improved as the adoption of the cloud by businesses continues to increase. Findings of LogicMonitor’s “Cloud Vision 2020: The Future of the Cloud” survey to which 300 influencers responded, including industry analysts, consultants, vendor strategists, Amazon Web Services AWS re:Invent attendees, and more, indicate that over 80 percent of enterprise workloads will be in the cloud by 2020. Digitally transforming enterprises and the goal of attaining IT agility are the major factors behind the growing adoption of cloud services. However, security remains an issue of great concern among IT professionals with 66 percent of those who responded to the survey citing security as the biggest challenge in regard to the adoption of an enterprise cloud computing strategy. The importance of securing the cloud is also indicated by the predicted global spending of 12.7 billion on cloud security by 2023. The security of cloud computing must be further explored in order to develop or bring more attention to cloud security methods. 

The “cloud” is a combination of networks, servers, and applications, which can be used by organizations for different reasons in a variety of ways. According to NIST SP 800-145, “The NIST Definition of Cloud Computing”, the characteristics of a cloud computing model include on-demand self-service, broad network access, the pooling of computing resources, scalable provisioning of capabilities, and measured service. NIST SP 800-145 also highlights the three main types of cloud computing services, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). IaaS offers access to fundamental virtualized computing resources such as servers, storage hardware, and networking hardware, via the cloud. PaaS is the cloud computing model in which a Cloud Solution Provider (CSP) provides a platform, consisting of hardware and software, that could be used by enterprises to design, build, and deploy their own applications. SaaS is a distribution model for software in which software is hosted by a third-party provider and accessed by the customer via the internet. In addition, there are four cloud deployment models that enterprises can choose from, which include public cloud, private cloud, hybrid cloud, and community cloud.The public cloud refers to the use of computing services provisioned by third-party providers via the public internet, while the private cloud refers to the use of proprietary resources and the dedication to the needs of a single organization. A community cloud refers to the sharing of a cloud service environment by a community of consumers from different organizations that share similar missions, policies, security requirements, and more. The hybrid cloud is defined by NIST as the combination of two or more distinct cloud infrastructures, including private, community, or public, through the use of standardized or proprietary technology. Security experts have long argued about which cloud deployment model is the most secure. The private cloud deployment model is often said to be the most secure because of the associated benefits such as higher levels of visibility, control, security, and privacy, along with closer access to data. However, data breaches are possible with any cloud deployment model if best security practices are not being followed. Before an enterprise considers the use of cloud computing services, they should examine the security risks and challenges associated with each type of cloud computing service and cloud deployment model.

There are threats, risks, and vulnerabilities that are unique to the realm of cloud computing, which should be considered by organizations prior to its adoption. As highlighted by Carnegie Mellon University, the top five cloud-unique threats and risks touch on the reduced visibility and control of consumers, the simplification of unauthorized use, the compromise of internet-accessible management APIs, the failure of separation among tenants, and the incomplete deletion of data. Organizations must remember that when they move their assets and operations to the cloud, they relinquish some control and visibility over those assets and operations as well as shift responsibility to the cloud service provider (CSP) for some policies and the infrastructure. In conjunction with the loss of some visibility and control by organizations over the assets and operations that they transfer to the cloud, there is the threat of reduced ability to verify that data is being deleted in a secure manner. The features of the cloud that facilitate the provisioning of on-demand self-service can allow employees to provide services from their organization’s CSP without the permission of their IT department, thus increasing the risk of unauthorized use of cloud services, which could lead to more incidents of malware infections, data exposure, and loss of control. The application programming interfaces (APIs) used by organizations to perform activities such as supplying, managing, arranging, and monitoring assets and users, as well as interacting with cloud services, are exposed by CSPs. CSP APIs can be accessed through the internet, increasing the likelihood of their abuse by hackers. In addition, CSP APIs may contain software vulnerabilities that could allow malicious actors to launch attacks, resulting in the hijacking of an organization’s cloud assets and possibly the execution of attacks on other CSP customers. The exploitation of vulnerabilities in a CSP’s infrastructure can also result in the failure to separate tenants, which could allow attackers to access an organization’s resources via the access of another organization’s assets or data in the cloud. Other threats and risks to consider in the adoption of cloud computing is the theft of cloud credentials, the complexity of transitioning to other CSPs on account of vendor lock-in, increased complexity for IT staff, the compromise of the CSP supply chain, the misuse of authorized access by insiders, and the loss of data stored in the cloud. The Cloud Security Alliance (CSA) also highlighted the top threats facing cloud vendors with data breaches, insecure application programming interface (APIs), system and application vulnerabilities, the inadequate management of cloud identities, credentials, and access, with account hijacking, topping the list as the most severe threats. The threats, risks, and vulnerabilities surrounding cloud computing call for the development, consideration, and implementation of cloud security solutions.

Methods for bolstering cloud security must continue to be developed, explored, and implemented. Although sensitive data stored in the cloud can be encrypted, the way in which this data is accessed by users can still make it vulnerable to being exposed to hackers. Wensheng Zhang, an associate professor of computer science at Iowa State University brought attention to the possibility of hackers observing cloud storage access patterns to assume the value of data and to determine what parts of a file should be prioritized in the performance of cracking. Therefore, computer scientists are working on developing the technology to disguise access patterns in order to secure sensitive data stored in the cloud. Scientists from the Laboratory of Problem-Oriented Cloud Computing at South Ural State University (SUSU) have also worked on improving cloud security, particularly the security of information stored in cloud systems. SUSU scientists developed an algorithm that involves the double coding of information in the cloud to reduce the risk of collusion between cloud service providers. The U.S. National Security Agency (NSA) also funded a cybersecurity lab project conducted by Dr. Mengjun Xie, an associate professor of computer science at the University of Arkansas, called Networking and Network Security in the Cloud (NetSiC), which is aimed at helping students develop their networking and cyber defense skills, as well as address problems associated with the security of cloud-based computing. Google's Data Loss Prevention (DLP) tool is capable of performing scans of large amounts of data in the cloud in order to identify and redact the data that is sensitive through the use of machine learning capabilities such as image recognition, machine vision, natural language processing, and context analysis. This tool is used in many Google products, but it can also be used by administrators outside of Google's ecosystem as the tool offers an application programming interface. Google recently upgraded its DLP tool to allow those with no technical expertise to easily use it. In addition to the development and implementation of cloud security solutions, it is important that organizations follow best practices for cloud security in order to reduce the security risks associated with cloud computing. Best practices for cloud security include understanding the shared responsibility model in which the security obligations of CSPs and customers are established, asking CSPs questions pertaining to the security measures they have implemented to secure their clients’ applications and store data, establishing cloud security policies to specify who can use cloud services and how it could can be used by employees, encrypting data stored in the cloud as well as when it is in transit, and more. CSPs should also follow best practices to increase the security of their services such as performing regular examinations of their systems for vulnerabilities, establishing data deletion policies, achieving compliance certifications to highlight their ability to maintain the highest level of data security, encrypting data in motion and at rest, and providing role-based access control (RBAC) to customers. Research, development, and implementations of cloud security technologies and strategies must continue.

Moving to the cloud still presents many security risks, however the development and consideration of cloud security technologies and best practices can reduce these risks.