In recent years, cloud computing has had a significant impact on technology that businesses are attempting to take full advantage of. This paper will discuss why cloud computing is so desirable to businesses and will also discuss the potential security risks that come with it. Once we understand cloud computing and how it works, we will be better prepared to understand why these security risks are unavoidable. We will analyze some security breaches that have occurred due to cloud computing and, for each, look at how the breach was patched or why it cannot be patched. After going through these examples, we will conclude by comparing the security risks of cloud computing with those of the standard computing that we are all used to.
Analyzing the security risks of cloud environments in business
When someone thinks about technology, their first thought is likely going to be devices that they personally use, such as their phone or personal computer. While these devices certainly count as technology, there is an entirely different genre of technology that is being used by businesses. The devices businesses typically use manage services such as a website, payroll, purchases, user data, etc., and run on similar but different hardware. The grouping of this technology that businesses use is referred to as the business’s infrastructure. This infrastructure is usually made up of devices such as servers, firewalls, data storage devices, and many others. Cloud computing is beginning to take over the current implementation of this hardware that makes up the technological infrastructure of many businesses.
Traditional IT Infrastructure
As one could imagine, setting up all the services required by a business can cost an incredible amount of money. There are many expenses when it comes to setting up a business’s technology infrastructure, such as the costs of purchasing the equipment and paying someone to set up and manage the equipment. This isn’t so bad once it is all set up; however, technology has been growing at tremendous rates, with no expectation that it will slow down much anytime soon. Moore’s law states that the number of transistors in an integrated circuit doubles about every two years, and with this law being met we can certainly expect technology to continue growing at rapid rates. What this means is that, for a business to keep up with competition and continue to grow technologically, it must constantly replace parts of the infrastructure. This quickly turns into a vicious cycle of buying new equipment, paying to have it set up, training staff to manage the equipment, and perhaps even hiring new employees to manage new devices. A cost that most people tend to forget is the networking and cabling required to transmit these resources from one location to the other. All these costly issues related to traditional IT infrastructure are a major reason why cloud computing is being considered by so many businesses. A major bonus of cloud computing is of course that it is all on the internet, which gets rid of the issue of utilizing computational resources from various locations. With a cloud environment you can choose how much control you want over a service as well as how much security you require for a service. This allows you to personalize your technological infrastructure.
Cloud Computing Services
“Cloud computing uses the internet to share computing resources—such as memory, storage, and processing power—and provide access to applications, data, and services from anywhere, on any device.” (Skemp, 2017). Based on this definition alone, it is clear how cloud computing could replace traditional devices. Although the previous statement concerned replacing infrastructure, this is just one scenario. Cloud computing provides infrastructure-as-a-service, platform-as-a-service, and software-as-a-service, as well as storage for various purposes.
Infrastructure-as-a-service or IaaS is when a cloud provider hosts various infrastructure components and provides access to use the computational power provided by these components via the internet. Cloud providers typically offer services that will attract businesses to using their service such as troubleshooting help and monitoring tools for tracking costs, performance, and network traffic.
Platform-as-a-service is nearly the same as the previous infrastructure-as-a-service; however, it builds upon this model by having the cloud provider host and manage additional features. Examples of these features are operating systems and middleware, which certainly simplifies deployment but also restricts a business’s flexibility when creating their cloud environment.
Software-as-a-service is the most commonly used cloud service, where a cloud provider hosts and manages an entire infrastructure along with applications for users. This eliminates the need for hardware to host the service; however, the costs are significant, and the customization is heavily limited. The trade-off between customization and the amount of management required is a direct relationship. The less customization you require, the more you can allow the cloud provider to manage. This is shown in services offered by the cloud provider such as automatic updates for applications hosted in the cloud environment.
Cloud Computing Classifications
Along with cloud providers offering different services for different use cases, they also provide multiple classifications of cloud environments. The common environments consist of public, private, hybrid, and community cloud. Each comes with its own set of positives and negatives, but the biggest difference between these is their security.
A cloud is considered public when the infrastructure in its entirety is located at the provider’s data center. The only access the business has to this cloud environment is via the internet. The business or customer with this service has very limited visibility and control over where the infrastructure supporting this cloud is hosted. SaaS applications are commonly hosted on public clouds where users or businesses can either utilize the applications for free or for a fee. “Most of the IT department executives are concerned about the public cloud security and reliability. It is usually owned by a very big organization such as Amazon’s EC2, Google’s and AppEngine etc. The owner of the organization makes the public cloud infrastructure available to the customers over the internet via self-service basis multitenant model.” (“Security Issues: Public vs Private vs Hybrid Cloud Computing”). Utilizing the open internet to spread resources is the most cost-effective method of getting their service out as a product, but this certainly comes with some security issues that we will investigate later.
A private cloud is built on the business’s own hardware and software, which can be managed either by the business or by a third party. Private clouds are often referred to as internal clouds or corporate clouds. This is because the business is creating its own personal or private cloud environment in which it can control who has access to which services. There are many similarities between hosting a private cloud and managing a data center; however, a private cloud is more cost-effective, with comparable control and security.
A business will often desire traits of both these cloud classifications: the public cloud for savings when security isn’t of major importance, and a private cloud for when important information is going to be traveling through the service and must be protected. By utilizing different providers, you can surely create a very cost-effective cloud environment for a business. Where this might become difficult is with managing multiple security platforms and making them work together fluidly.
A private cloud will provide you the greatest security management but at the highest cost. If shared data and data management concerns are the same between two or more organizations, a community cloud is another option. This would be a private cloud that is now shared. While it is no longer a private cloud, it allows organizations to save costs while gaining a major improvement in security and management abilities.
Public Vs Private Cloud Security
“Public Clouds are hardened through continual hacking attempts. Public Cloud providers are much larger targets for hackers than private Clouds.” (“Security Issues: Public vs Private vs Hybrid Cloud Computing”). As this statement mentions, public clouds aren’t necessarily less secure than private cloud environments. Cloud providers understand how important user data can be, and when they are managing the security of a service millions of customers are using, they ensure security is a top priority. However, this is mainly comparing public versus private environments for smaller businesses that may not be able to hire multiple security teams to ensure security is meeting expectations. As mentioned, public cloud environments are more likely to be targets, meaning a security breach in a public cloud environment could be disastrous and a business would have no ability to investigate the breach and/or contain it. At this point you are relying completely on the cloud provider.
Vulnerabilities in Cloud environments
| Threat | Description |
|---|---|
| Data Breach | Condition where the sensitive data is released, stolen, viewed or used by an unauthorized person or the system. |
| Insufficient identity, credential and access management | Lack of the flexible and up-to-date certificates, weak passwords, insecure cryptographic keys. |
| Insecure interface and APIs | Exposure of application programming interfaces and software user interfaces utilized by cloud services. |
| System vulnerabilities | System vulnerabilities within the operating system’s kernel, software or libraries can risk cloud services. |
| Account Hijacking | Use of common methods like phishing and vulnerability exploitation to gain account credentials and using them to exploit the cloud. |
| Malicious Insiders | Former employee, contractor or partner who had or has access and intentionally targets the system. |
| Advanced persistent threats | Sophisticated attack planned over an extended time period. |
| Data loss | Loss of data due to malicious attacks, accidental deletion or physical catastrophe. |
| Insufficient due diligence | Insufficient roadmap and the checklist for the great chance of success. |
| Abuse and nefarious use of cloud services | Exposure of the cloud environment due to unnecessary use of its service because of its weak security standards. |
| Denial of service | Attack that causes cloud services an intolerable system slowdown or even a service unavailability. |
| Shared Technology issues | Sharing of hardware components leads to the compromise across the entire deployment model if there exists a single misconfiguration. |
(Bhandari, B., & Zheng, J.)
Many of these threats are also apparent in traditional environments. The difference is that the severity of these threats is much greater in cloud environments. For instance, if an insecure interface or API was used by a company such as Amazon and their public cloud environment became vulnerable, millions of users’ data could be collected by a malicious hacker. Shared technology threats are a serious issue, as the act of sharing hardware cuts down on costs significantly. As stated, one single misconfiguration could leave a business’s data vulnerable to whoever the hardware is shared with. If the other customer you are sharing with has other vulnerabilities, your business now also has those vulnerabilities.
Past Cloud Security Breaches
Deloitte Cloud-Based Email Server
“An attacker compromised account credentials and ultimately gained access to a single Deloitte cloud-based email platform. On discovering unauthorized access to the email platform, we initiated our standard and comprehensive incident response process, which included mobilizing a team of cyber-security and confidentiality experts inside and outside of Deloitte (including Mandiant).” (“Deloitte Statement on Cyber Incident.”). Here we have a massive corporation that simply did not have one of their cloud environments configured to meet common security standards. In this situation a malicious user obtained access to an account with administrative privileges which allowed them to access the cloud-based environment of Deloitte. This allowed the malicious user to obtain information on the company’s employees such as their account information and emails. Luckily for Deloitte this cloud environment was entirely separate from their other environments which were to their knowledge untouched. To protect from similar attacks in the future Deloitte implemented multi-factor authentication which likely would have prevented this attack and would have eliminated many similar threats.
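The control that was missing here, a privileged account protected by a password alone, is something a tenant can check for itself. The following is an added example, not code from Deloitte or from the sources cited in this paper; the CSV layout, role names, rotation limit and sample rows are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export of a cloud tenant's account inventory (not real data).
SAMPLE_INVENTORY = """\
account,role,mfa_enabled,credential_rotated
mail-admin,admin,false,2016-01-10
j.doe,user,true,2017-08-01
backup-svc,admin,true,2015-03-22
a.smith,user,false,2017-06-15
"""

PRIVILEGED_ROLES = {"admin", "owner"}  # assumption: role names used in the export
MAX_CREDENTIAL_AGE_DAYS = 365          # assumption: the tenant's rotation policy


def audit_accounts(inventory_csv, today):
    """Return (severity, account, reason) findings, most severe first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        privileged = row["role"].strip().lower() in PRIVILEGED_ROLES
        has_mfa = row["mfa_enabled"].strip().lower() == "true"
        age = (today - date.fromisoformat(row["credential_rotated"])).days
        if not has_mfa:
            # Only a password protects the account; worst case when privileged.
            severity = "critical" if privileged else "medium"
            findings.append((severity, row["account"], "no MFA"))
        if age > MAX_CREDENTIAL_AGE_DAYS:
            # Old passwords or keys have had longer to leak or be guessed.
            severity = "high" if privileged else "low"
            findings.append((severity, row["account"], f"credential {age} days old"))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    # The audit date is a constructed value for the sample data.
    for finding in audit_accounts(SAMPLE_INVENTORY, date(2018, 1, 1)):
        print(*finding, sep="\t")
```

The same check also covers the "insufficient identity, credential and access management" entry in the threat table above, since it flags stale credentials alongside missing MFA.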
DropBox Data Breach
“Four years after a data breach at cloud storage service Dropbox, details of more than 68 million user accounts have reportedly been leaked.” (Rogers, J.). In the year 2016 Dropbox discovered some very unfortunate news. No business looks good when customer data gets leaked, but when more than 68 million users have their data leaked it is certainly a major issue. In the statements made, it appears the passwords that were leaked were obtained prior to 2012, which means this attack was completely unknown until over 4 years later. Dropbox is a cloud-based file hosting service and offers various other cloud services such as personal cloud environments and client software. An issue with cloud-based environments is that businesses will strictly use the cloud, which will almost always have a connection to the internet. What this does is give attackers the ability to attack this environment remotely while also having a lower likelihood of getting caught. A publicly accessible environment is asking for hackers to use a technique called fuzzing, where they can attempt to exploit numerous misconfigurations or vulnerabilities in an automated fashion. In this situation it happened to be a vulnerability that Dropbox had patched in late 2012, but according to their statements they did not know of any actual breaches.
Apple iCloud Scandals
Apple’s iCloud service allows for photos to be backed up into the cloud. This is great as it protects users from losing their photos if they were to lose their phone and not have a backup. What this also does is allow users to access their photos via the internet from a different device. “For its part, Apple maintains that its own iCloud service was not breached, but instead that ‘certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.’” (Johnson, D.). According to Apple this was not a breach due to their cloud security; however, this example clearly shows how traditional attacks can have a much more significant impact due to these cloud services. Due to these attacks against iCloud user accounts, multiple celebrities had their personal photos released on the internet, with many of these being provocative photos.
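A targeted attack on passwords and security questions leaves a recognizable trail in authentication logs: repeated failures against one account across both channels, sometimes ending in a success. The detection below is an added example, not code from Apple or from the sources cited here; the log format, event names, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events; format and values are made up.
SAMPLE_LOG = """\
2020-01-01T10:00:00 login_fail user=alice src=198.51.100.7
2020-01-01T10:01:10 login_fail user=alice src=198.51.100.7
2020-01-01T10:02:30 secq_fail user=alice src=203.0.113.9
2020-01-01T10:03:00 login_fail user=bob src=192.0.2.44
2020-01-01T10:03:40 secq_fail user=alice src=203.0.113.9
2020-01-01T10:05:15 secq_fail user=alice src=198.51.100.7
2020-01-01T10:06:00 reset_ok user=alice src=198.51.100.7
2020-01-01T10:07:00 login_ok user=bob src=192.0.2.44
2020-01-01T11:00:00 login_fail user=carol src=192.0.2.80
2020-01-01T11:01:00 login_fail user=carol src=192.0.2.81
2020-01-01T11:02:00 login_fail user=carol src=192.0.2.82
2020-01-01T11:03:00 secq_fail user=carol src=192.0.2.83
2020-01-01T11:04:00 secq_fail user=carol src=192.0.2.84
"""

WINDOW = timedelta(minutes=10)        # assumption: tune per service
THRESHOLD = 5                         # assumption: failures per account in WINDOW
FAILS = {"login_fail", "secq_fail"}   # wrong password / wrong security answer
SUCCESSES = {"login_ok", "reset_ok"}  # login / reset via security question


def parse(line):
    ts, event, user, _src = line.split()
    return datetime.fromisoformat(ts), event, user.split("=", 1)[1]


def detect_targeted_guessing(log_text):
    """Map account -> 'guessing' or 'compromised' once THRESHOLD is reached."""
    recent = defaultdict(list)  # account -> failure times still inside WINDOW
    verdict = {}
    for line in filter(str.strip, log_text.splitlines()):
        ts, event, user = parse(line)
        recent[user] = [t for t in recent[user] if ts - t <= WINDOW]
        if event in FAILS:
            # Count per account, not per source, so rotating IPs does not hide it.
            recent[user].append(ts)
            if len(recent[user]) >= THRESHOLD:
                verdict.setdefault(user, "guessing")
        elif event in SUCCESSES and len(recent[user]) >= THRESHOLD:
            # Success straight after a burst of failures: treat as a takeover.
            verdict[user] = "compromised"
    return verdict


if __name__ == "__main__":
    print(detect_targeted_guessing(SAMPLE_LOG))
```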
Feeling Safe About the Cloud?
Cloud environments, as mentioned in the paper, come with many benefits. The question a business must ask itself is: what risks will come with this new technology? You can find nearly every commonly used service in a cloud environment, often offered as software-as-a-service. Security platforms such as anti-virus or firewalls are also now being stored in the cloud. Whether or not a cloud environment is a good decision is based on how much accepted risk the business is willing to have. While you can try to secure cloud environments with every trick out there, the risks are still apparent. The iCloud example was crucial as it shows how the cloud environment was supposedly secure but without a doubt enabled hackers to conduct the attack. The cloud is very similar to all new technologies, as no one can predict every single possible attack that would not have even been possible with previous technology.
Bhandari, B., & Zheng, J. (2018, August 13). A Preliminary Study On Emerging Cloud Computing Security Challenges. Retrieved December 10, 2018, from https://arxiv.org/pdf/1808.04143.pdf
Skemp, K. M. (2017). Cloud computing. Salem Press Encyclopedia of Science. Retrieved from http://proxy.library.stonybrook.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=ers&AN=87323246&site=eds-live&scope=site
Security Issues: Public vs Private vs Hybrid Cloud Computing R.Balasubramanian ME in Computer Science. (n.d.). United States, North America. Retrieved from http://proxy.library.stonybrook.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=edsbas&AN=edsbas.1228307D&site=eds-live&scope=site
Deloitte Statement on Cyber Incident. (2017, November 06). Retrieved from https://www2.deloitte.com/global/en/pages/about-deloitte/articles/deloitte-statement-cyber-incident.htm
Rogers, J. (n.d.). Dropbox data breach: 68 million user account details leaked. Retrieved from https://www.foxnews.com/tech/dropbox-data-breach-68-million-user-account-details-leaked
Johnson, D. (2014, September 04). Apple’s celebrity iCloud leak probably has mundane causes. Retrieved from https://www.cbsnews.com/news/apples-celebrity-icloud-leak-probably-has-mundane-causes/