Welcome!

Government Cloud Authors: Pat Romanski, Elizabeth White, Dana Gardner, Liz McMillan, Gopala Krishna Behara

Related Topics: Industrial IoT, IBM Cloud, Weblogic, Recurring Revenue, Artificial Intelligence, Log Management, Server Monitoring, @CloudExpo, Cloud Security, Government Cloud

Industrial IoT: Article

A Security Analysis of Cloud Computing

In a cloud environment, all security depends on the security of the cloud provider

Security Pavillion at Cloud Expo

With its ability to provide users dynamically scalable, shared resources over the Internet and avoid large upfront fixed costs, cloud computing promises to change the future of computing. However, storing a lot of data creates a situation similar to storing a lot of money, attracting more frequent assaults by increasingly skilled and highly motivated attackers. As a result, security is one - if not the - top issue that users have when considering cloud computing.

Cloud Security Concerns
Storing critical data on a cloud computing provider's servers raises several questions. Can employees/administrators at the cloud provider be trusted to not look at your data or change it? Can other customers of the cloud provider hack into your data and get access to it? Can your competitors find out what you know: who your customers are, what customer orders you are bidding on, pricing and cost information, and other critical data from your business? This information in the wrong hands would be devastating for a business. And what about privacy issues and government regulations?

In its young life, there already have been several cloud security breaches that show the threat is real. One of the more notable security incidents occurred in March 2009 with Google Docs, when a system error allowed the content of private documents to be exposed to everyone for a brief period of time. As a result of this security breakdown, a public interest group, The Electronic Privacy Information Center (EPIC), filed a detailed complaint with the Federal Trade Commission requesting an injunction against Google offering this cloud service until "safeguards are verifiably established" claiming Google's inadequate security is a deceptive business practice.

Situations like this one and other possible security problems have prompted numerous articles (for example The Twitterhack Is Cloud Computing's Wake-Up Call: Time for Security That Works) and white papers on cloud security. The Cloud Security Alliance, a non-profit organization comprised of security and technology experts, published an in-depth 83-page white paper Security Guidance for Critical Areas of Focus in Cloud Computing in April 2009. In addition to articles and white papers, research firm Gartner reports data access privileges, regulatory compliance, data location and data segregation/encryption among the top seven security concerns in cloud computing. Also, cloud computing security is one of the top ten 2009 trends identified in a survey conducted by CloudComputing.

Fortunately, there are several tools already developed for computer, network and storage security in a traditional enterprise environment that can provide security solutions for cloud computing. To establish a basis for the use of these tools, it is essential to understand one key difference between cloud computing and conventional data centers. Figure 1 shows the rather simple yet significant difference between an enterprise's data center and cloud computing. In cloud computing, several users' data is co-located and processed on shared equipment. In spite of the differences, there are similarities to enterprise concerns: access through the internet, critical storage requirements and potential for software attacks. If existing enterprise solutions are implemented and adapted to the cloud, cloud computing providers can create the security that customers require.

The difference between a conventional data center (see Figure 1a) is that it's just used by one enterprise and a cloud computing model (see Figure 1b) is that a single cloud provider hosts applications and data used by several enterprises.

A More Detailed Look at Cloud Computing Security Risks
Start-up companies, small businesses, mid-size and even large enterprises are interested in cloud computing. As a result, all of these potential users should be extremely interested in cloud computing security. A good starting point for assessing the risks in cloud computing is identifying all of the existing risks that cloud users from individuals to the largest companies and even governments encounter. Specific threats to security include:

  1. Failures in Provider Security
    In a cloud environment, all security depends on the security of the cloud provider. They control the hardware and the hypervisors on which data is stored and applications are run. Cloud provider security must be top-of-the-line.
  2. Attacks by Other Customers
    The cloud environment is shared among customers. If the barriers between customers break down, one customer can access another customer's data or interfere with their applications.
  3. Availability and Reliability Issues
    Cloud data centers are generally as reliable as enterprise data centers or more so. However, outages do occur. Also, the cloud is only usable through the Internet so Internet reliability and availability is essential.
  4. Legal and Regulatory Issues
    The virtual, international nature of cloud computing raises many legal and regulatory issues. First, export of data out of a jurisdiction may be restricted. If such export is permitted, which jurisdiction's rules apply in case of conflict? And who is liable for errors such as security breaches? These issues must be addressed for any sensitive applications of cloud computing.
  5. Perimeter Security Model Broken
    Many organizations use a perimeter security model with strong security at the perimeter of the enterprise network. This model has been weakening over the years with outsourcing and a highly mobile workforce. Cloud computing strikes its death knell. The cloud is certainly outside the perimeter of enterprise control but it will now store critical data and applications.
  6. Integrating Provider and Customer Security Systems
    Enterprises have spent decades developing a unified directory and other components of their security architecture: automated provisioning, incident detection and response, etc. Cloud providers must integrate with these systems or the bad old days of manual provisioning and uncoordinated response will return.

While there are proprietary solutions to these security problems, open solutions are easier to integrate with cloud providers and existing systems. Therefore, we must gain a better understanding of the security available through open technologies.

Countermeasures to Mitigate Risks
Addressing the six broad security threats identified previously entails a variety of countermeasures.

Threat 1 (Failures in Provider Security) encompasses most of the threats encountered in a typical enterprise. People are the greatest threat and countermeasure in security so screening, training, and monitoring of provider personnel is the most fundamental step to be taken. Physical and network security for cloud data centers are also essential.

However, cloud data centers introduce a new element that enterprise data centers have not traditionally faced: Attacks by Other Customers, threat 2 in the list above. In a cloud environment, customers are co-located in a single data center or even on a single server. These customers may be competitors. Some of them may even be hackers! Cloud providers are responsible for ensuring that one customer can't break into another customer's data and applications. The most common techniques used are virtualization (preferably via a hypervisor) and network separation (via firewalls, VLANs, and/or encryption).

The best way to ensure the reliability and availability of cloud services (addressing threat 3) is to work closely with your cloud provider and network service providers to verify and monitor their uptime. Today, uptime for most cloud providers is good but not perfect. Every major cloud provider has suffered significant downtime: Salesforce, Amazon, Google, etc. Many cloud providers don't provide Service Level Agreements (SLAs) guaranteeing uptime and the SLAs that are available provide meager recompense in case of outages. Don't forget to consider network uptime when determining cloud availability. If the network is down, who cares if the cloud is up?

Addressing legal and regulatory concerns (threat 4) generally requires calling in the lawyers and compliance experts. However, that doesn't mean that technical measures won't help. Many data breach laws include safe harbor provisions saying that if loss of encrypted data does not need to be reported. Whether this applies in your jurisdiction, using a Self Encrypting Drive (SED) is generally a no-brainer. With an SED, there's no need to worry about a hard drive or backup media being lost or stolen. Software encryption provides similar protection but with higher complexity, lower performance, and less security.

With security threat 5, the solution is as simple as eliminating the perimeter model and relying on alternate approaches. This apparently simple solution is not as easy as it sounds. It requires rethinking long-held architectural assumptions. But it also yields side benefits. By abandoning the assumption that all threats are external, we can achieve stronger protection against internal threats and greater flexibility to position trusted assets outside the traditional perimeter.

Cloud computing may seem different but in many ways it's just a simple extension of enterprise computing as we have known it for decades. As such, it should integrate with existing enterprise security systems. There's no need to reinvent the wheel. That's the essence of threat 6 and the basis for addressing it. Don't let cloud providers convince you that "it's different this time". Demand that they integrate with your existing systems such as your enterprise directory and your monitoring systems. Some cloud providers can do this and some cannot at this time. When comparing cloud vendors, be sure to factor in the cost of maintaining a new directory and monitoring system per cloud provider. If you don't consider this now, you'll soon find yourself with a mishmash of incompatible systems. Deprovisioning a user will take days or weeks. What a nightmare and security hole! Don't let it happen.

Different Security for Different Users
The attractiveness of cloud computing for a broad range of users may require differing approaches for use and security. At the one extreme, low-end users, such as start-ups, can use clouds for just about everything. The cloud provider's security and reliability generally exceeds that of a small enterprise. At the other extreme, high-end users such as large enterprises are more likely to employ a hybrid model. For legal and risk management reasons, they will keep especially sensitive data and applications in-house and may use an internal cloud. In between, mid-size enterprises can use clouds for many purposes including compute cycles for R&D projects, online collaboration, partner integration, social networking, new business tools and more.

Trust, but Verify
Cloud computing providers that can prove the trustworthiness of their resources will differentiate themselves from their competitors. To do this, they must have a way for customers to independently verify the security of the cloud service. Customers need to do more than just take the cloud provider's word for security.

To trust the security of a cloud provider, customers should be able to:

  • Verify the integrity of the machines at the cloud provider
  • Verify the identity of those machines as well as users, administrators and cloud customers
  • Verify what kind of network security measures are being used

The cloud provider that implements these types of security measures offers small and medium size enterprises improved security over what they probably have or would set up within their own organization. For many large enterprises, these steps are similar to ones that have already been or should be implemented.

Be Prepared
As computing takes a step forward to cloud computing, security should not move backward.  Users certainly should not accept moving backwards in terms of security. Going forward, computing technology and security must both advance together. Educate yourself about cloud security and you will be well prepared for the new world of the cloud.

More Stories By Steve Hanna

Steve Hanna is co-chair of the Trusted Network Connect Work Group in the Trusted Computing Group and co-chair of the Network Endpoint Assessment Working Group in the Internet Engineering Task Force. An inventor or co-inventor of 30 issued U.S. patents, he holds an A.B. in Computer Science from Harvard University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
"Akvelon is a software development company and we also provide consultancy services to folks who are looking to scale or accelerate their engineering roadmaps," explained Jeremiah Mothersell, Marketing Manager at Akvelon, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
The current age of digital transformation means that IT organizations must adapt their toolset to cover all digital experiences, beyond just the end users’. Today’s businesses can no longer focus solely on the digital interactions they manage with employees or customers; they must now contend with non-traditional factors. Whether it's the power of brand to make or break a company, the need to monitor across all locations 24/7, or the ability to proactively resolve issues, companies must adapt to...
DXWorldEXPO LLC announced today that ICC-USA, a computer systems integrator and server manufacturing company focused on developing products and product appliances, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City. ICC is a computer systems integrator and server manufacturing company focused on developing products and product appliances to meet a wide range of ...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time t...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT staff augmentation services for software technology providers. By providing clients with unparalleled niche technology expertise and industry experience, Chetu has become the premiere long-term, back-end software development partner for start-ups, SMBs, and Fortune 500 companies. Chetu is headquartered in Plantation, Florida, with thirteen offices throughout the U.S. and abroad.
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.