Cloud Computing and service models
The official NIST definition (NIST 800-145) of cloud computing says, “Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of three service models, namely-
Software as a Service (SaaS) – this is also known as cloud-based software. The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. Instead of installing and maintaining software, consumer simply access it via the Internet, freeing itself from complex software and hardware management. SaaS applications run on a SaaS provider’s servers. The provider manages access to the application, including security, availability, and performance.
Platform as a Service (PaaS)- is a category of cloud computing that allows developers to use deployment platforms to build, deploy, and scale their applications. Consumer does not manage or control the underlying cloud infrastructure, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. With PaaS, the cloud provider provides all the backend infrastructure, including networking, middleware, servers, storage, virtualization, the OS, and the runtime environments. PaaS is designed to support the complete web application lifecycle: building, testing, deploying, managing, and updating.
Infrastructure as a Service (IaaS)- is a cloud delivery model that provides on-demand computing resources over the internet, including networking, storage, and other infrastructural components. IaaS allows users to develop, grow, and scale without buying and maintaining physical hardware. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
Cloud Computing Security Issues
In the cloud, data is stored with a third-party provider and accessed over the internet. This means visibility and control over that data is limited. Lack of visibility to data, inability to control data, or theft of data in the cloud computing presents many unique security issues and challenges.
Cloud security is a Shared Responsibility
On-premises IT services, the owner is responsible for all services and control the IT infrastructure. But security isn’t the same in the cloud as it is on-premises data center. But when this is about cloud then security is not owned solely by the cloud service provider (CSP) or consumer. Cloud security is a Shared Responsibility. Shared Responsibility must be written in the service contract between the parties (consumer and CSP) and address associate risks and responsibilities from both ends. The provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected, while the user must take measures to fortify their application and use strong passwords and authentication measures.
Cloud Security Threats and Controls
Now we will discuss top Cloud Security Threats, because if we clearly understand the cyber threat associate with cloud services then we can select proper cloud security control and those controls will protect our cloud environments and provide safeguard to any weaknesses in the system and reduce the effect of an attack.
Data breaches is the top security concern in cloud computing. Data breach is an incident that has potential to disclose sensitive information to an unauthorized party. The 2021 Thales Global Cloud Security Study, commissioned by Thales and conducted by 451 Research, reports that 40% of organizations have experienced a cloud-based data breach in the past 12 months. Despite these incidents, the vast majority (83%) of businesses still fail to encrypt half of the sensitive data they store in the cloud.
The primary cause of data breaches is human error and lack of knowledge. There are common concerns in businesses about the increasing complexity of cloud services. Because without proper education, this is very difficult to managing privacy and data protection in the cloud compare with on-premises solutions. For minimize this threat, the control can be
- Organizations should provide sufficient cybersecurity education on data protection to its employees.
- Organizations adopting cloud services must also adopt a cloud security strategy designed to reduce the risks of cloud assets, such as data encryption, multi-factor authentication (MFA) and privileged access security.
- Organizations should consider deploy a cloud-based SIEM solution. A SIEM can detect threaten connections from the internet, like RDP and FTP because early detection is key of effective risk management.
Sometimes cloud environments make it too easy for users to share data, either with internal employees or external third-parties. Also, this is noted that backing up a large amount of data in cloud storage can be costly and difficult, so some organizations may not perform regular data backups which introduce data loss. If organizations do not perform regular data backups, the risk of ransomware infection also increase. So, for mitigate this, the control should be
a. Performed regular backups
b. Test backup solutions (ensure data retrieval from backup is smooth and proper).
Cloud infrastructure usually designed for easy use and easy data sharing method which sometimes make difficult for an organization to ensure that data is only accessible to authorized parties. Sometimes this happens because of human negligence, for example: an admin could accidentally allow unrestricted outbound access which may introduce a security loophole and may cause cyber intrusion. To address this threat
a. Organization user/admin should familiar, learn and apply the vendor-provided security settings and associate interfaces.
Insecure API / API vulnerabilities
Cloud applications typically interact with each other via APIs (application programming interfaces) with trust relationship. Cyber attacker can exploit insecure APIs by DoS attacks and code injections, which may allow attacker access the organization data. To address this issue following control can be consider
- Design cloud security with multi-layered security and defense in depth approach. APIs should be designed with authentication, access control, encryption and activity monitoring in mind. API keys must be protected and not reused.
- Implement centralized cloud monitoring like network detection and response—so security teams can quickly identify and address API security risks.
Cloud malware or malware in the cloud refers to the cyberattack on the cloud computing-based system with a malicious code and service. Malware in the cloud can take the form of several types of attacks, such as DoS attacks, hyperjacking, and hypervisor infections. To address this threat the related control can be
- Ensure secure all access to systems using multi-factor authentication and least privilege.
- Network segmentation is a highly effective way to ensure the spread of viruses is contained in the cloud. Network segmentation divides or limits, or isolates the malicious software to a small segment which is easier to deal with and clean the cloud computing system.
- Implement a threat detection solution with threat intelligence feeds and endpoint security tools to detect malicious executables, files and suspicious applications.
Insider threats are a major security issue for any organization. On the cloud, detection of a malicious insider is even more difficult. With cloud deployments, organization’s lack control over their underlying infrastructure, making many traditional security solutions less effective. Insider threats (intentionally or maliciously) will cause a lot of harm to organization cloud system. Therefore, it is essential to detect, investigate and respond to them as fast as possible. For reduce this threat the control can be
- Applying the fundamental security concept i.e., the principle of least privilege. The principle of least privilege for cloud infrastructure states that only the minimum access necessary to perform an operation should be granted to all identities (human or non-human) and that access should be granted only for the minimum amount of time necessary. Securing identity access management operations with MFA tools.
- Monitoring user activity and gaining visibility into behavioral anomalies. Reviewing file sharing activity and revoking file sharing violations. If any suspicious activity found there it can raise alarm to concern security team.
- Ensure proper employee offboarding workflow. Prohibiting an employee’s access to IT systems should happen immediately whenever an employee’s contract is over/end/terminated. The same is true of business partners or vendors.
Cloud compliance is about complying with the laws and regulations that apply to using the cloud. When moving to the cloud it is important to know in which countries the organization data will be processed, what laws will apply, what impact they will have, and then follow a risk-based approach to comply with them. This is very important if the law requires security measures put in the place this must be fulfilled.
Governance focuses on policies for threat prevention, detection, and mitigation. Cloud governance is an extension of that oversight into the cloud. Before an organization move into a cloud, the goals and objectives clearly define. The goals and objectives should be guided by applicable laws, regulations, and contracts. The senior management must give the cloud care and attention.
Cloud computing is gaining popularity rapidly and insecure cloud platform open door for cyber intruder to access sensitive data. Before considering so many controls put in place, first priority should be ‘better visibility’. Because if we able to see transparent activity in cloud then we can effectively perform the gap analysis than to attempt to control an incomplete portion.
- Cloud Computing Security Issues, Threats and Controls - October 18, 2022