How Secure Is The Cloud?

The number of data centers and cloud services providers have significantly multiplied during the last few years due to the time and cost savings the technology provides to businesses of all sizes. Yet, many organizations are reluctant to migrate to the cloud due to security concerns.

The cloud that continues to grow.

In recent years, business productivity has become increasingly integrated with technology in order to streamline tasks, save on costs, and stay competitive in today’s marketplace.  For this reason, many businesses have switched to cloud-based infrastructures but not without careful consideration of security risks.

If you were to poll a number of businesses which rely on technology for daily activities, you would most likely find conflicting points of view when it comes to cloud security.

Some businesses will claim that shifting IT infrastructure to the cloud actually helps to increase security since most cloud service providers have advanced security technologies in place which support this perception.  Other business owners believe that migrating to the cloud poses more security risks and as a result, they delay moving to the cloud despite the fact that their in-house IT infrastructure is costly to maintain.

Part of the conflicting perceptions which surround the issue of cloud security is the fact that there have been major security breaches within the last year which involved fairly large and well-known companies.  In light of this fact, we will take a look at some of the security breaches which have recently occurred along with some of the top security threats for 2013 and security technologies, which are being used by major data center providers.

What Are Some of the Recent Security Breaches?

The year 2012 marked a significant number of data center breaches which provided hackers with access to a massive amount of personal and financial information.  This year in particular left many businesses wondering whether or not the cloud is a secure place to do business.

Yahoo:  Yahoo suffered a significant security breach in which more than 400,000 Yahoo passwords were revealed on the Internet in an effort to remind people that information security is not 100% foolproof.  To breach the system, hackers deployed a Union-based SQL injection in order to carry out data collection.  As a result, many Yahoo users were urged to change their account passwords.

FBI:  Last spring, FBI devices were hacked by AntiSec, which is a hactivist group that successfully gathered more than one million Apple Unique Device Identifiers (UDID) which were stored on a computer at the Federal Bureau of Investigation.  The breach was believed to be carried out through a Java vulnerability, which allowed the hackers to access device names, phone numbers, user names, and personal addresses.

Nationwide Insurance:   Late in 2012, hackers breached the network for both Nationwide Insurance and Allied Insurance, which are major insurance carriers.  As a result, the personal information of more than one million customers including date of birth, Social Security number, place of employment, and other sensitive information which is used to apply for insurance was subject to unauthorized access.  The massive amount of information stolen from this activity made it a major security breach.

Zappos:  The online shoe and clothing retailer Zappos suffered a significant security breach in which hackers accessed information on more than 24 million customers.  The breach netted names, email addresses, home addresses, credit card numbers, phone numbers, and passwords.  Although Zappos took a proactive response, the fact that the breach involved 24 million customers made it one of the most significant security breaches for 2012.

These are a few examples of security breaches, which occurred within the last year. Top cloud vendors continue to follow the techniques which hackers use to breach security systems to continually improve how they offer services in the cloud.  Next, we will look at some of the threats for 2013 and the security methods which are being used by top cloud vendors for increased data protection.

Current Cloud Security Strategies

In an effort to pinpoint the top cloud threats for 2013, the Cloud Security Alliance (CSA) polled a number of cloud security experts on the most significant threats to the cloud for 2013.  The survey results report was compiled to identify the most current security concerns in the industry.

The main concern of the Cloud Security Alliance is to promote best practices for securing cloud technologies.  The CSA also provides guidance to companies for the implementation of cloud computing in addition to assisting cloud vendors with addressing security models for cloud computing and the delivery of software applications.

That said let’s look at five of the top cloud security threats for 2013 and some of the strategies which are being implemented by major cloud vendors such as Google and Amazon to mitigate the risks associated with cloud services.

Data Loss and Data Breaches: Data loss and data breaches continue to be the top concern of both consumers and businesses partially because of the recent security breaches we discussed earlier in this article.  The reality is that data loss and data breaches can occur outside of malicious attacks by hackers and can be the result of human error, inadvertent deletion by the cloud service provider, physical disaster such as an earthquake or fire, a technology failure, or other type of issue.

Interface and API Vulnerability: Most of the primary cloud vendors use a set of software and application programming interfaces (API) which provide a gateway for cloud customers to manage and access cloud services.  The interfaces help to streamline implementation, management, interaction, and monitoring for cloud services.

The level of security which is used with an API determines the security of the cloud service delivery.  This means that the interfaces must be designed with the appropriate security architecture to prevent both accidental and malicious activities from bypassing policies and protocols.  If the interface is not designed with the proper architecture, this can pose a number of security threats related to integrity, confidentiality, and availability.

Hijacking: Hijacking is an attack method used by hackers to hijack cloud accounts and/or cloud service traffic.  In this instance, the hacker steals the cloud provider’s credentials to gain access to critical areas of a customer’s cloud computer services.  The technique is used to hijack client traffic to websites that appear legitimate but instead are laced with malware designed to steal sensitive data.  It is also used to gain access to servers to eavesdrop on business activities and transactions or access cloud accounts to leverage the power of an organization’s reputation in order to propagate additional attacks.

Shared Technology Susceptibility: Cloud vendors often deliver services by sharing applications, platforms, and infrastructure.  This provides a way to offer services which are scalable which makes it easy for businesses to change services as business needs change.  The shared technology can involve components such as Graphics Processing Units (GPU) Central Processing Unit (CPU) caches and other technologies which do not offer solid isolation platforms to support a multi-tenant infrastructure.  Additionally, the services can be delivered in the form of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service (SaaS).  This presents an additional set of issues for each service which requires an in-depth security configuration since one vulnerability can compromise the entire cloud infrastructure for a business.

Denial of Service: A Denial of Service attack is also known as a DoS attack and is designed to prevent cloud service users from accessing data and services.  When a DoS attack is carried out the attacker overloads the servers with information packets.  This results in excessive consumption of resources such as bandwidth, processing power, memory, and disk space which, in turn, causes an extreme system slowdown.  The end result is a system outage which impedes business processes and prevents data and application access.

So, what should cloud services providers be doing to ramp up security and data protection?

There are many different security strategies and technologies that cloud providers use to circumvent the latest cloud threats.  Most cloud service providers use what is known as layered security processes which provide added assurance for data integrity while still maintaining scalability in order to meet the individual requirements for businesses.  Some of the processes include but are not limited to:

Access Audits:  For businesses which use PaaS (Platform as a Service) some cloud services providers such as Amazon implement auditing strategies which monitor all access activities by using a log which tracks all access instances.  If the business discontinues their authentication processes, then they are automatically discontinued by Amazon. The audit process is carried out without compromising data integrity and access by other users of the platform.

Customer Controlled Commands:  Some of the major cloud service providers such as Google and Amazon provide architecture for virtual commands which are strictly controlled by the cloud service customer.  This means that the customer has full control and at no time can Amazon intercede by logging into the business customer’s operating system.  As a result, a set of practices is used to guide the business customer through the necessary authentication processes in order to access the virtual commands.

Complex Firewall Configurations:  Cloud services providers offer customers a complex firewall solution which can be customized to meet the specific security needs for every business. For example, if the firewall is configured to block all traffic by default and the business wants to initiate inbound traffic, they must open the necessary ports to designate specific inbound traffic while preventing unwanted traffic. It is also possible to configure specific protocols such as IP address identification for inbound traffic.

Automated Intrusion Detection:  Many cloud vendors use automated security applications, which monitor the activities of the cloud servers and report and suspicious activity.  The cloud services provider employs staff to monitor the reports to enable a breach to be immediately detected and mitigated.

Redundancy:  The larger cloud service providers implement servers, which offer redundancy or RAID (Redundant Array of Independent Disks).  If one disk fails, the system will automatically access a new disk, which stores a backup copy of the data.  Such configurations are quite expensive for most businesses to implement in-house which makes securing data in the cloud attractive to many organizations.  Cloud service providers which offer RAID also deploy multiple servers.  In the event one server fails, a secondary server will automatically kick in.  The last layer of this type of data protection system involves an underground vault where data is protected in the event of a natural disaster.

Encryption:  Encryption is the process of scrambling data during transmission to prevent interception by hackers.  When an encryption process is deployed by the cloud services provider, the data is encrypted during transmission and then again when it reaches the storage area.  The customer is then provided with an encryption key which is password protected.  When the encryption key is used is decrypts or ‘unscrambles’ the data so it can be interpreted by the end user.

(Credit: Thanks to the people in Our IT Department for providing the above valuable insight into strategy data)

These are a few of the most common technologies cloud vendors use for data protection. The security strategies will also vary according the cloud services vendor and the type of industry such as government, retail, healthcare services, and others.

It is also important to note that cloud vendors are held to higher standards known as security compliance standards.  This means that they must deploy the latest technologies for protecting data and applications.

This is one aspect which makes cloud services a viable option for many businesses since applying security technologies in-house can result in a large capital expenditure for IT resources in order to meet industry-specific compliance standards.  This option is cost prohibitive for most businesses in today’s economy.             

How Many Business Are Using Cloud Services?

Over the last five years new technological innovations have placed scalable IT infrastructures and services within the economic reach for many enterprises. The new technologies include but are not limited to:

• Increased availability of high speed broadband networks.
• Flexible IT management and delivery.
• Business application virtualization.
• Better security monitoring and management.
• Advanced interfaces which provide better control over cloud infrastructure and services.

For these reasons, more enterprises have been choosing to set aside legacy IT systems which are operated and maintained on the premises. Instead, they are moving toward cloud infrastructures and services to reduce costs while increasing business productivity in order to remain competitive in today’s marketplace.

Can the cloud ever be safe? Is it safer than using a local network?

Cloud services can be quite safe provided the implementation is executed properly.  Businesses which have successfully migrated to the cloud have used careful planning and risk management strategies prior to implementation which significantly reduces the risks associated with this type of venture.  A carefully planned cloud architecture can, in some cases, be much safer than using a Local Area Network (LAN).  This is especially true for companies with limited IT budgets that cannot afford to implement the security technologies necessary to ensure data protection.

Cloud services can also be a safer alternative to local networks if you choose a cloud service provider which deploys the latest security technologies and has passed numerous security compliance standards.  This requires an investment of time on your part to locate a reputable and trustworthy cloud service provider who can supply your business with a secure and reliable infrastructure.

Some helpful resources.

Cloud computing Wikipedia page – http://en.wikipedia.org/wiki/Cloud_computing

A beginner’s guide to the cloud – http://mashable.com/2013/08/26/what-is-the-cloud/

About the Author

Claire is an expert in cloud technologies and network communication. Claire has worked in the IT services sector for numerous years, writing technical articles in her spare time.