There have been numerous attempts to separate computer users from the hardware since the inception of computer science. Scientists want to separate the two to ease the burden that sophisticated hardware and software place on service provision. The idea of time-sharing utilities, which appeared in the 1960s and lasted up to the recent web systems, has been an endeavour of computer scientists. This dream is slowly being realised through the idealistic concept of cloud computing fronted by computer science academicians and business pundits. Cloud computing is an advanced information system infrastructure that integrates several hardware and software functions to accomplish a weave of tasks.
Cloud computing eliminates the need to own expensive hardware while providing the same required service at an affordable rate. This computing concept is pushing information systems to new levels, demanding advancement by the minute as other negative parties struggle to catch up with it. One of the negative attributes that threatens to undermine these benefits is the set of security threats associated with the concept.
Infrastructure as a Service (IaaS): This is a system that serves the consumer with storage, networks, processing and other relevant computing resources. The consumer uses these resources and is at liberty to run arbitrary software, including operating systems and applications.
Platform as a Service (PaaS): In this system the consumer is given the capability to enter the cloud system; the cloud also provides some applications, programming languages and tools supported by the provider. The user is not able to manipulate the cloud, servers, network, operating system or storage. The consumer is only allowed to control applications from his end.
Software as a Service (SaaS): In this setup, the consumer is provided with applications embedded in the cloud architecture. These applications are made available from diverse client tools via a thin client interface in the form of a web browser. The end user is not in control of the network, applications, servers or operating systems; however, he can manipulate application configuration settings.
There are a number of models employed in the deployment of cloud infrastructure, as discussed below.
Private cloud: This is a cloud facility run to provide services to a single entity or organisation. The cloud infrastructure may be operated for a private organisation. It may be run by the same organisation or by a third party, and the infrastructure may be on or off the organisation’s premises.
Community cloud: This cloud infrastructure serves several organisations that have been bound into a community by certain communal needs served by the cloud. Similarly, it may be managed by the community itself or by a contracted third party, and the infrastructure may be on or off premises.
Public cloud: In this system the cloud facility is owned by a certain organisation, but its services are sold to the public or to a large group of businesses in need of the services. The cloud infrastructure is available to a large industry group or the general public, and it is owned by an organisation which sells cloud services.
Hybrid cloud: As the name suggests, this is a combination of 2 or more of the clouds discussed above. Each cloud that makes up the hybrid cloud remains an individual entity, fused to the others by patented technology and standards that ensure there are highways of data between them in a complementary way.
Cloud computing is practically the most advanced technology in the world of computing today. The concept is capable of offsetting a number of issues that haunted traditional information systems; some of the associated benefits include
The cloud computing concept is gaining more popularity by the day; however, there is rising apprehension concerning the security of the data being placed in the cloud. While there are several benefits associated with cloud computing, security concerns continue to be relevant. This has forced companies to reconsider localised information systems hardware that could guarantee some desired level of security for their data. The features of a cloud computing system are not similar to those of traditional systems, and there are several benefits associated with the cloud model. This paper seeks to decipher the security challenges introduced by the cloud concept and clarify the concerns from a security perspective.
A targeted data breach entails the loss of private and credit card information belonging to millions of cloud users. This is the kind of loss that every cloud infrastructure company faces daily across millions of data transactions. The cloud computing concept is constantly being developed and improved, and every new development risks attracting negative minds who aim to crumble systems and penetrate them for classified information to use in perpetrating criminal activity. The kind of security required for cloud computing data is multi-layered. There is a need for unqualified security for hypervisor operations and virtual machine operations, but this is yet to be ratified by the authorities. Critics have numerous queries about the level of security that can be achieved and whether absolute security is actually achievable by the authorities providing it. Evidence obtained in laboratories shows that some of the so-called absolute security achieved by hypervisors and virtual machines can actually be breached. Research carried out at the University of Wisconsin, in conjunction with the security firm RSA and the University of North Carolina, presented evidence in 2012 suggesting that it is actually possible for a user on one virtual machine to gain access to activity that indicates the presence of a possible encryption key on another virtual machine on the same host, a risk branded the “side channelling exposure”. This confirms that a company’s sensitive and critical data might land in the hands of criminals or business opponents. To date, the most severe breaches that have occurred have not prompted the elaboration of ways to eliminate them; however, the possibility of severe attacks being confirmed in laboratories indicates that the future is quite risky. This also deters the majority of companies from placing sensitive information on cloud infrastructure.
Encryption is one of the protection steps being taken to guard against rampant access to data; however, with the use of this tool comes the risk of losing the encryption key and hence losing the data as well. The whole cloud concept, therefore, becomes a weave of information tools and infrastructure that makes the whole service quite bulky and risky.
As observed above, a data breach happens when there is criminal or malicious intent; however, loss of data can happen without any criminal or malicious intrusion into the data banks provided. It can happen because of a technology malfunction, or when the technology is lost and there is no backup of the data it held. It can also occur when someone loses the key to encrypted data and, hence, is not able to access it. In 2011, an Amazon customer lost some small amounts of data when the Amazon cloud EC2 was hit by a “remirroring storm”. This occurrence exposed the cloud to data breach or loss if anyone had wanted to attack or intrude during that particular period. There are reported cases, like that of Mat Honan, when in summer 2012 someone defaced his Gmail, Apple and Twitter accounts and deleted all his 18-month-old baby pictures. Therefore, despite developed technology for data security, the threat of losing data to malicious and criminal attacks deters both consumers and businesses from this technology.
This intrusion has been viewed as too rudimentary to arouse any concern. However, authorities still cite it as a possible deal breaker when it comes to cloud business. It arises when software is manipulated and probed for vulnerabilities, such as password and credential losses or buffer overflow attacks, which essentially lead to loss of control by the account owner. When someone else gains control of your private account login details, that person can survey and watch your information about transactions and plans. Using this data, the intruder can launch attacks as he wishes, manipulating data to provide information that is not entirely true in a calculated move to impose some damage on the business. In 2010, there was a reported case in which the Amazon.com wireless merchandising site was hit by a cross-site scripting attack; this led to the hijacking of numerous customers’ details when they visited the site. When credentials are lost to the wrong third party, the intruder gains access to customer accounts and systems, while service hijacking lets intruders into areas of the system where they can compromise the confidentiality, integrity and availability of certain needed services. Security authorities offer guidance on anti-hijacking; however, the most elementary thing to do is to keep confidential data confidential by sharing it as little as possible.
An API is an application programming interface. It is the medium between clouds and the users on the other end. The cloud concept gave birth to the possibility of offering a complex weave of services to millions of users while at the same time trying to protect the same cloud from any malicious or criminal intrusion. It, therefore, becomes a complex challenge to guard this cloud infrastructure. Prominent web developers from Microsoft, Twitter and Google joined their efforts to administer OAuth. OAuth is an open authorisation service for services offered at websites, intended to regulate access by third parties. OAuth officially became an Internet Engineering Task Force standard in 2010, and some versions of it have been put to use by organisations like Microsoft and Facebook. With all this going on, security authorities have always sounded a warning that APIs are subject to breaches even with several protections put in place to guard them.
When considering encryption of data as a security feature, the APIs must be aimed at protecting data against both unintentional and criminal attempts at intrusion. These designs can be achieved by putting a protection policy in place. Public users are only supposed to access the public domain, and even there they only access domains that are tied to their privilege levels. However, due to the complex nature of the APIs, there is always a loophole or a way of reaching levels that are neither intended nor allowed. This is where the lapses start, and it becomes impossible to seal the system completely because of the nature of its existence and the complexity of its operations. Additionally, there are different types of APIs and OAuth services; choosing to use a weak version of them exposes organisations to diverse security breaches and lapses all the time.
Denial of service refers to attacks that are aimed at disturbing operational services; these may be viewed as elementary threats as well. Attackers send automated requests to millions of cloud users, and this is viewed as customer assault. Though clouds have tightened their security by verifying these requests, attackers have always found new ways of infiltrating their protection walls by refining their attacks and repackaging them to resemble normal customer requests. This makes it very hard for networks to tell genuine requests from malicious ones.
When cloud customers are hit by these denial of service attacks, they become gridlocked in the system, as if waiting for a service that seems out of reach at the moment but will be reachable in the near future. The attack creates obstacles for online customers by denying them services, or by making them wait for services that would otherwise be available, impairing the service without blocking it completely. This delay of services raises the bill for the cloud user and therefore puts the cloud provider’s pricing at a disadvantage against its competitors. If the attack persists for long, the cost of operations rises gradually, making it too expensive to run the business, and can eventually cause the cloud to be shut down.
This is an eternal threat to the cloud business for as long as it exists. There is always the risk that an insider will be used to deliver critical information that competitors or criminals will use to hack the systems for malicious reasons. If your cloud service provider serves many organisations, it could be a sound security measure to keep your encryption keys localised and not in the cloud, to avoid putting all your relevant information in someone else’s custody.
Cloud services are made possible by a complex fabric of infrastructure that is rarely affordable to a single person. It, therefore, makes it possible to do a number of things that cannot be achieved using a single person’s limited hardware and software. Under these circumstances, it becomes possible for malicious entities to use these sophisticated services to hack some systems in a short while, a task that could take years to accomplish without the powerful array of cloud infrastructure. The cloud also becomes a platform for some ill-intentioned parties to launch malware or dispense software that is not genuine. It is the responsibility of cloud users to ensure that they give a service of availability, integrity and confidentiality; however, most of the abuses committed on clouds naturally affect end users before the provider detects them, and it therefore becomes an uphill task to avert the damage before it affects either party.
The majority of companies welcome the idea of using clouds without really interrogating the whole cloud concept to understand what benefits and risks they will assume with this new idea. It is vital to understand the cloud concept properly and to learn about its security features, its vulnerabilities, its performance history, its list of clients, and its data storage and usage, among other issues. This knowledge will help organisations make a better judgement of their level of cloud engagement before entering into contracts that promise a heaven they cannot deliver. Contracts of this kind are null from the onset, except that one party is usually ignorant of this fact while the other party rides on extreme risk to gain something. Under these circumstances the customer’s expectations do not tally with the abilities of the cloud provider, which therefore cannot really deliver; in instances of attack they both lose a great deal, and the liability arising cannot be settled amicably. It is also important for the cloud user to know the level of transparency that he can expect from the cloud service provider. This can help one decide which kind of data to share and which to keep out of the cloud.
Companies that place applications relying on core on-premise network controls in the cloud might lose the intended functionality if they are not fully aware of how the cloud works; their applications might seem to give different outcomes. This might amount to manipulation not intended by the user; therefore, full information is required.
In a multi-layered approach where several tenants use a single cloud, if one of them is compromised then the effects are felt by every user of the same cloud. For instance, when the hypervisor is compromised, all customers are exposed to a potential breach of any type, not just the compromised customer. A similar occurrence can happen when a database service, a CPU or a data bank is shared.
The cloud concept is primarily based on sharing infrastructure, both software and hardware. A compromise of any of this equipment exposes millions of users. The authorities have required all cloud businesses to have a comprehensive protective strategy. Protection covers the use of the CPU, data storage bank, networks, user access and applications, while monitoring deals with destructive charges and conduct.
The above discussion has served to reveal the threats associated with the cloud computing concept. It is mandatory that these threats are alleviated if the cloud concept is to survive into the future. Some of the systems discussed below seek to provide security against threats by introducing a third party that is tasked with assuring that there are enough inhibitions against all malicious and criminal hackers of cloud systems.
This is a challenging topic in computer science and most specifically in cloud computing. Development of trustworthy systems will be a great breakthrough. Trust in information language is built around logical and mathematical functions; the more refined they are, the more trustworthy they are said to be. A system is said to be trustworthy when the risk potential is reduced and approaching nil, since being absolutely risk free is not possible. Besides key logical functions, there are other environmental facilities that consolidate the trust of a system, including policies and the handling of data; the elaboration of sound policies and the employment of qualified personnel go a long way in earning corporate trust.
For any system to remain secure, it must be built around a strong alert system that detects threats as early as possible. This implies incorporating swift detection facilities to furnish the system with information about potential threats. This requirement is quite costly to meet; it requires a web of security controls and effective information systems. Security strongly relates to data confidentiality, integrity and availability, which are supposed to be the primary foundation of any cloud computing system.
As discussed above, introduction of a trusted third party avails a certain level of trust for the customer. The following mechanisms and techniques ensure that the relationship between the end user and the cloud provider through the middle third party remains constant and mutual.
Strong authentication is the process of ensuring authenticity; it involves identification of the exchanges and transactions that are incurred within the electronic data.
Authorisation: While authentication is applied before the inception of any exchange or transaction, it is important to provide for authorisation at different levels; this allows transactions to be declared complete once they are verified and authorised.
Data confidentiality involves securing information in the cloud by use of encryption keys, policies and competent personnel. The whole idea revolves around the desire to keep private data private and public data public. Authorisation is required in order for one to access data that is not placed on a public domain.
Data integrity refers to securing data from malicious access that competitors may use to gain advantage over the business, or from modifications calculated to impede one’s business. Access to secret data by any malicious party can expose trade secrets and hand the enemy an important advantage that can lead to business loss.
Low and high level confidentiality: Data protection becomes even more elusive when the data is transmitted through a network of facilities. This data is usually prone to interruption, hijacking, modification or even loss. PKI in this scenario makes it possible to use IPSec or SSL to protect data that is in transit. IPSec is an IP-layer protocol that makes it possible to send and receive packets of information that are cryptographically protected, without any alterations. IPSec makes it possible for peers to identify and authenticate each other.
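An added example, not part of the original paper: one way to detect the malicious modifications described under data integrity while keeping the key localised rather than in the cloud, as suggested earlier for encryption keys. It uses HMAC-SHA256 from Python's standard library; the object names, the local version manifest and the in-memory `store` standing in for a cloud bucket are constructed for illustration, and the scheme detects tampering but does not hide the data.

```python
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def _mac(key: bytes, name: str, version: int, data: bytes) -> bytes:
    # Length-prefix the name so (name, version, data) encodes unambiguously.
    raw = name.encode("utf-8")
    header = len(raw).to_bytes(4, "big") + raw + version.to_bytes(8, "big")
    return hmac.new(key, header + data, hashlib.sha256).digest()


def seal(key: bytes, name: str, version: int, data: bytes) -> bytes:
    """Return tag || data, ready to upload. The key never leaves the client."""
    return _mac(key, name, version, data) + data


def open_sealed(key: bytes, name: str, version: int, blob: bytes) -> bytes:
    """Verify a downloaded blob against the expected name and version."""
    if len(blob) < TAG_LEN:
        raise ValueError(f"{name!r}: missing or truncated object")
    tag, data = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(key, name, version, data)):
        raise ValueError(f"{name!r} v{version}: integrity check failed")
    return data


def audit(key: bytes, manifest: dict, store: dict) -> list:
    """Return the sorted names in the local manifest that fail verification."""
    failed = []
    for name, version in manifest.items():
        try:
            open_sealed(key, name, version, store.get(name, b""))
        except ValueError:
            failed.append(name)
    return sorted(failed)


def demo():
    key = secrets.token_bytes(32)          # generated and stored on premises
    manifest = {"invoices.csv": 2, "plans.txt": 1, "prices.csv": 1}
    stale = seal(key, "invoices.csv", 1, b"id,total\n1,100\n")
    store = {                              # constructed stand-in for a cloud bucket
        "invoices.csv": seal(key, "invoices.csv", 2, b"id,total\n1,100\n2,250\n"),
        "plans.txt": seal(key, "plans.txt", 1, b"launch in Q3"),
        "prices.csv": seal(key, "prices.csv", 1, b"sku,price\nA,9.99\n"),
    }
    before = audit(key, manifest, store)
    tampered = bytearray(store["prices.csv"])
    tampered[-2] ^= 0x01                   # one flipped bit in the stored data
    store["prices.csv"] = bytes(tampered)
    store["invoices.csv"] = stale          # rollback to an older, validly tagged copy
    return before, audit(key, manifest, store)


if __name__ == "__main__":
    print(demo())
```

Binding the tag to the object name and version is what makes the rollback fail: the stale copy carries a valid tag, but for version 1, not the version 2 recorded in the local manifest.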
It is almost a sure prediction that the future of information systems greatly depends on the development of better performing clouds, as the benefits surpass the negative attributes of the cloud business. Cloud computing provides the infrastructure needed to address major weaknesses in the information system industry. This paper has specified vulnerabilities and the areas of cloud services which require further improvement, as well as some of the ways that can be used to protect the cloud concept from malicious interruptions. Nevertheless, it is evident that the cloud concept has provided major opportunities for technological growth, and there is reason to believe that technology can be used to surmount these risks on the way to a more secure future for cloud computing.