Cloud Computing & Security Risks – Short Essay
In the Spring of 2012, I touched on the security risks of Cloud Computing in one of my class assignments.
Cloud Computing has become the latest technology buzzword. Everyone wants to be a part of the ‘almighty cloud’ and be able to access all of their personal data anytime, anywhere that they see fit, even if the average person does not completely understand the concept behind it. Although this has just recently become a household term, the theory behind cloud computing has been around and used for several years. In this article, I will be referring specifically to cloud computing used for storage of data, not computations.
The idea of cloud computing is for information, software, and resources to be shared across a network, generally with a centralized API. The information is stored on a main server or servers but can be accessed and changed across all cloud clients. The typical personal computer is limited to the information that is specifically installed on that one unit (or so people think). But even this unit has the potential to access the data kept on a cloud server by using applications or a web browser. And this access is the same for all devices that connect to a cloud server.
Now the first thing a person may ask is why this is necessary or helpful. A quick way to answer this is to ask the person how many devices they normally use on a given day. Ten years ago, it was not uncommon for a person to own a cell phone, a pager, a palm pilot, an iPod, and a computer (or multiple computers). Each device had a very specific function, but the limitation was a lack of data convergence. If you wanted the contacts you kept on your cell phone put onto your palm pilot or your computer, you had to go to great lengths to sync them. Sometimes you had to purchase special software and spend several hours tweaking it. Not only was this time consuming, it was also ineffective, since the process had to be repeated every single time you made a change to one of the devices. With the use of a cloud server, you have one place where your data is kept, and all the devices in turn sync to the cloud, keeping every device up to date and consistent. This is a wonderful concept.
What the Risks Are
This unification comes at a price. One big problem is that the user has to rely on whoever owns and maintains the cloud server to store and protect their data. The user no longer has control over where this data is being stored, how effectively it’s being protected, if at all, or who has access to it. Users assume that their data is safe and won’t be exploited, but we are far too trusting. We’ve traded ease of use for a higher risk of theft. And the task of keeping a cloud server secure is being pushed onto the individual users as their problem to fix and maintain, usually without the user knowing this responsibility is now theirs. So now if a problem does occur, the user is left to fend for themselves. According to computerweekly.com, most cloud service providers encourage their customers to investigate all the third-party vendors that the cloud service providers use, to check what customer data they may have access to. (Top 5 Cloud Computing Security Issues; computerweekly.com)
There are already several known vulnerabilities in cloud servers, but very little has been done to protect against or resolve them. One example is the known MS12-020 RDP exploit affecting Windows cloud images, which is a vulnerability in their default configuration. (Cloudworm; Thehackernews.com) This vulnerability can crash a system or cause a denial-of-service on some systems. The problem was not limited to the bug itself; there was also the issue of the exploit being leaked from MAPP, which is run by a group of security companies who test for bugs and vulnerabilities. (MS12-020 RDP Exploit Found, Researchers Say Code May Have Leaked From Security Vendor; threatpost.com)
Another bug would be the Conficker worm, which owned one of the largest cloud networks. According to Xufei ZHENG, Tao LI, and Hua YANG, “the Conficker worm controls 6.4 million computer systems in 230 countries at 230 top level domains globally, more than 18 million CPUs and 28 terabits per second of bandwidth.” (A Novel Cloud-based Worm Propagation Model; www.Jofcis.com) So as late as 2011, we know that there is a potential problem here, but professionals are not entirely sure how to secure cloud servers. One of the main protection techniques of security is containment, that is, protection from outside influences. But the goal of cloud computing is to maintain freedom of movement. The two goals conflict, and securing the cloud becomes trickier than we think.
Ways to Protect Data
One of the easiest ways to protect your data is simply not to use cloud servers, but this is unrealistic. In the corporate realm, cloud storage is vital, especially for mobile employees. So the best way to protect your data is to be smart. Be aware of what information is held on the cloud servers and who has access or potential access to it (via Access Control), minimize how much sensitive or critical data is held on the cloud servers, and mask what remains. (Cloud Computing Security; Wikipedia.com)
According to Thu Pham, researching the cloud company’s contract policies is also essential. You need to find out what the company does with your data in the event of a contract termination. We may not think of this, since it’s in electronic form, but a huge security risk is if the company does not delete or return your data after your contract expires. (Protecting Data with Cloud Computing Services; resource.onlinetech.com)
Data masking is also an option when it’s unavoidable to hold sensitive information on a cloud server. This is a low-level form of protection, but it is better than no protection. Data masking can consist of encryption, switching numbers for letters, or substituting a word or number for something else, to name a few. (Data Masking; Wikipedia.com) But the best way to protect your data is to research the services you use and to stay on top of their policies.
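As an added illustration of masking records before they leave for a cloud server (example code, not part of the original essay), the sketch below substitutes keyed tokens for identifiers, keeps only the last four digits of a card number, and drops any field the policy does not list. The field names, the policy table, the sample record, and the key are all constructed assumptions.

```python
import hashlib
import hmac

# Hypothetical field policy for this example. Fields not listed are dropped
# (fail closed), so a new sensitive column never reaches the cloud by accident.
POLICY = {"customer_id": "keep", "email": "token", "ssn": "token", "card": "last4"}

def tokenize(value, key):
    """Substitute a value with a keyed token; same input gives the same token."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]

def keep_last4(value):
    """Mask every digit except the last four, preserving separators."""
    total = sum(c.isdigit() for c in value)
    visible = 4 if total > 4 else 0   # short numbers are masked completely
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - visible else "*")
        else:
            out.append(c)
    return "".join(out)

def mask_record(record, key):
    """Return the copy of `record` that is safe to send to cloud storage."""
    masked = {}
    for field, value in record.items():
        action = POLICY.get(field, "drop")
        if action == "keep":
            masked[field] = value
        elif action == "token":
            masked[field] = tokenize(str(value), key)
        elif action == "last4":
            masked[field] = keep_last4(str(value))
    return masked

# Constructed sample data; the key stays on the local system, never in the cloud.
LOCAL_KEY = b"constructed-demo-key"
SAMPLE = {"customer_id": 1042, "email": "pat@example.com", "ssn": "078-05-1120",
          "card": "4111-1111-1111-1111", "notes": "called about billing"}

if __name__ == "__main__":
    print(mask_record(SAMPLE, LOCAL_KEY))
```

Because the tokens are keyed, records can still be matched on the masked value, while anyone who holds only the cloud copy cannot recompute a token from a guessed identifier without the local key.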
Another option for companies, instead of investing in a cloud storage provider, is to invest in purchasing software and storing it locally. This way you have control over where the data is being kept and also know who has access to it. But this option may not be available for every company and situation.
So cloud computing security boils down to a simple rule: keep yourself informed. It’s a personal decision about what you feel comfortable risking and how much access you want across all of your devices. A user needs to understand that even though the service is not perfect, nothing in technology is. But the steps that cloud services are taking are a start in the right direction. And if the need for flexibility is high, then a user has to stay on top of the risks involved and of how well the company they are using keeps its customers informed. (How to Protect Your Secrets; theguardian.uk) I think this is a decision that needs to be made after a great deal of research. But find one you are fine with and make sure you monitor how they are maintaining a secure service.
Additional Notes: I’ve listed several cloud service providers at the bottom of my cited sources.
© Kana Kennedy, Kennedy Info Sec, and Kennedyinfosec.com, 2011 – 2014. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Kana Kennedy and Kennedy Info Sec with appropriate and specific direction to the original content.