While cloud-based systems are slowly revolutionizing the way organization handle their IT needs, it is more pertinent than ever for security personnel to be aware of the implications in security that these systems can have.
This post attempts to analyze how cloud-based system handle the three basic tenets of security (C-I-A) and the benefits of disadvantages of each.
1. Confidentiality
Advantages to confidentiality:
- Encryption – Cloud-providers, who are leaders in their niche “-as-a-service“, market take pride in offering industry-specified encryption services for both data-at-rest and data-in-motion
- Auditing – Highly-rated cloud vendors periodically and voluntarily undergo audits of their security policies, practices, and controls and disclose their findings in order to gain their clients trust
- Risk-Sharing/Risk-Transference – Based on the contract agreed upon, the risk of data-confidentiality violations can be transferred completely, or shared in an owner-custodian model, with the cloud service provider.
Disadvantages to confidentiality:
- Location – The data resides in an off-premise location, increasing the factors of the unknown, as well as increasing the surface area of attack – as employees of the cloud-provider now have physical access to your data
- Multi-tenant model – Misconfigurations of virtualization, unpatched hypervisors, or exploited vulnerabilities in servers, can lead to your data being exposed while another company is accessing their data from the same physical server
- Example: The OneLogin data breach. Confidential Identity and Access information of client companies were leaked when a breach occurred due to the compromise of the account of an employee from OneLogin.
2. Integrity
Advantages to integrity:
- Hashing – A competent cloud-provider will have hashing algorithms, based on industry-standards, in place
- Updates – All updates, security patches, and hot-fixes to databases are (usually) done in a timely manner to ensure that data integrity is maintained
- Responsibility – Cloud providers are aware that their business model is completely built on trust and security, and accept the responsibility of maintaining data integrity, by employing secure coding practices, and security-aware database administrators.
SaaS-providers, in particularly, take into account SQL injections and other database vulnerabilities (from the OWASP top 10), and create solutions to reduce risks
Disadvantages to integrity:
- The unknown: Despite all assurance of maintaining data integrity through agreements and legal contracts, the fact is that the cloud-provider is still open to threats of malicious insiders, social engineering, database programming loopholes, and errant security practices.
These factors can lead to data losing its integrity while being processed, stored, or when it is in transmission. - Example: Consider an e-commerce website on the cloud with the provision of an e-wallet. A hacker could change the value of one field in the database (thereby violating data integrity) and change the balance on the account from $10 to $10,000.
3. Availability
Advantages to availability
- High Availability Model: The USP of cloud-providers is in managing their services in a manner that assures high availability
- Redundancy and backups: Most cloud-providers include data backup provisions in their service plans
- Defence against DDoS attacks – Cloud providers generally have better infrastructure, security controls, and personnel to effectively mitigate, prevent, or handle DDoS attacks, than an IT firm of a stand-alone company managing its on-premise data centers.
Disadvantages to availability
- Physical location: Infrastructure/software/data is not available physical on the premises
- Mandatory Internet connections: The organization is heavily dependent on a secure Internet connection to access their own data
- Downtime and Outages: If the cloud-provider suffers an outage, the client organizations have to suffer a loss in business revenue and data availability, unless they have invested heavily in a backup system (from another provider or on-premise) to kick-in when their primary provider goes down.
- Example: The recent Amazon EC3 outage caused many cloud-providers to go down, and thereby affected clients who were using their services.
Apart from the above-discussed aspects of security, jurisdiction also plays an important role. If there are violations of State or Federal laws with regard to the physical location of storing data, it can lead to serious compliance fines and legal touble. This is a security concern as well.
References
1. Shimamoto, D. (2015, March 6). What Cloud Security Really Means – Confidentiality and Privacy. Retrieved October 09, 2017, from http://www.techsoup.org/support/articles-and-how-tos/what-cloud-security-really-means-confidentiality-and-privacy
2. Winkler, V. (2011). Cloud Computing: Privacy, Confidentiality and the Cloud. Retrieved October 09, 2017, from https://technet.microsoft.com/en-us/library/dn235775.aspx
3. Aldossary, S. (2016). Data Security, Privacy, Availability, and Integrity in Cloud Computing: Issues and Current Solutions. Retrieved October 09, 2017, from https://thesai.org/Downloads/Volume7No4/Paper_64-Data_Security_Privacy_Availability_and_Integrity.pdf