Security Issues In Cloud Computing

Cloud computing security – Wikipedia, the free encyclopedia

Cloud computing security

From Wikipedia, the free encyclopedia
Jump to: navigation, search
 It has been suggested that this article or section be merged into Cloud computing. (Discuss) Proposed since December 2011.

Cloud computing security (sometimes referred to simply as “cloud security”) is an evolving sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.

Cloud security is not to be confused with security software offerings that are “cloud-based” (a.k.a. security-as-a-service).

Security issues associated with the cloud

There are a number of security issues/concerns associated with cloud computing but these issues fall into two broad categories: Security issues faced by cloud providers (organizations providing Software-, Platform-, or Infrastructure-as-a-Service via the cloud) and security issues faced by their customers.[1] In most cases, the provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected while the customer must ensure that the provider has taken the proper security measures to protect their information.[2]

The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service.[3] Virtualization alters the relationship between the OS and underlying hardware – be it computing, storage or even networking. This introduces an additional layer – virtualization – that itself must be properly configured, managed and secured.[4] Specific concerns include the potential to compromise the virtualization software, or “hypervisor”. While these concerns are largely theoretical, they do exist.[5]

Dimensions of cloud security

Correct security controls should be implemented according to asset, threat, and vulnerability risk assessment matrices[6]. While cloud security concerns can be grouped into any number of dimensions (Gartner names seven[7] while the Cloud Security Alliance identifies fourteen areas of concern[8]) these dimensions have been aggregated into three general areas: Security and Privacy, Compliance, and Legal or Contractual Issues.[9]

Security and privacy

Identity management 
Every enterprise will have its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer’s identity management system into their own infrastructure, using federation or SSO technology, or provide an identity management solution of their own.
Physical and personnel security 
Providers ensure that physical machines are adequately secure and that access to these machines as well as all relevant customer data is not only restricted but that access is documented.
Availability 
Cloud providers assure customers that they will have regular and predictable access to their data and applications.
Application security 
Cloud providers ensure that applications available as a service via the cloud are secure by implementing testing and acceptance procedures for outsourced or packaged application code. It also requires application security measures be in place in the production environment.
Privacy 
Finally, providers ensure that all critical data (credit card numbers, for example) are masked and that only authorized users have access to data in its entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud.
Legal issues 
In addition, providers and customers must consider legal issues, such as Contracts and E-Discovery, and the related laws, which may vary by country (http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf )

Compliance

Numerous regulations pertain to the storage and use of data, including Payment Card Industry Data Security StGames Loversrd (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, among others. Many of these regulations require regular reporting and audit trails. Cloud providers must enable their customers to comply appropriately with these regulations.

ßusiness continuity and data recovery

Cloud providers have business continuity and data recovery plans in place to ensure that service can be maintained in case of a disaster or an emergency and that any data loss will be recovered.[10] These plans are shared with and reviewed by their customers.

Logs and audit trails

In addition to producing logs and audit trails, cloud providers work with their customers to ensure that these logs and audit trails are properly secured, maintained for as long as the customer requires, and are accessible for the purposes of forensic investigation (e.g., eDiscovery).

Unique compliance requirements

In addition to the requirements to which customers are subject, the data centers maintained by cloud providers may also be subject to compliance requirements. Using a cloud service provider (CSP) can lead to additional security concerns around data jurisdiction since customer or tenant data may not remain on the same system, or in the same data center or even within the same provider’s cloud. [11]

Legal and contractual issues

Aside from the security and compliance issues enumerated above, cloud providers and their customers will negotiate terms around liability (stipulating how incidents involving data loss or compromise will be resolved, for example), intellectual property, and end-of-service (when data and applications are ultimately returned to the customer).

Public records

Legal issues may also include records-keeping requirements in the public sector, where many agencies are required by law to retain and make available electronic records in a specific fashion. This may be determined by legislation, or law may require agencies to conform to the rules and practices set by a records-keeping agency. Public agencies using cloud computing and storage must take these concerns into account.

References

  1. ^ “”Swamp Computing” a.k.a. Cloud Computing”. Web Security Journal. 2009-12-28. http://security.sys-con.com/node/1231725. Retrieved 2010-01-25. 
  2. ^ “”Thunderclouds: Managing SOA-Cloud Risk”, Philip Wik”. Service Technology Magazine. 2011-10. http://www.servicetechmag.com/I55/1011-1. Retrieved 2011-21-21. 
  3. ^ Winkler, Vic. “Cloud Computing: Virtual Cloud Security Concerns”. Technet Magazine, Microsoft. http://technet.microsoft.com/en-us/magazine/hh641415.aspx. Retrieved 12 February 2012. 
  4. ^ Hickey, Kathleen. “Dark Cloud: Study finds security risks in virtualization”. Government Security News. http://gcn.com/articles/2010/03/18/dark-cloud-security.aspx. Retrieved 12 February 2012. 
  5. ^ Winkler, Vic (2011). Securing the Cloud: Cloud Computer Security Techniques and Tactics. Waltham, MA USA: Elsevier. pp. 59. ISßN Securing the Cloud Cloud Computer Security Techniques and Tactics. http://www.elsevier.com/wps/find/bookdescription.cws_home/723529/description#description. 
  6. ^ “4 Cloud Computing Security Policies ÿou Must Know”. CloudComputingSec. 2011. http://cloudcomputingsec.com/268/4-cloud-computing-security-policies-you-must-know.html. Retrieved 2011-12-13. 
  7. ^ “Gartner: Seven cloud-computing security risks”. InfoWorld. 2008-07-02. http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853. Retrieved 2010-01-25. 
  8. ^ “Security Guidance for Critical Areas of Focus in Cloud Computing”. Cloud Security Alliance. 2011. https://cloudsecurityalliance.org/research/projects/security-guidance-for-critical-areas-of-focus-in-cloud-computing/. Retrieved 2011-05-04. 
  9. ^ “Cloud Security Front and Center”. Forrester Research. 2009-11-18. http://blogs.forrester.com/srm/2009/11/cloud-security-front-and-center.html. Retrieved 2010-01-25. 
  10. ^ “It’s Time to Explore the ßenefits of Cloud-ßased Disaster Recovery”. Dell.com. http://content.dell.com/us/en/enterprise/d/large-business/benefits-cloud-based-recovery.aspx. Retrieved 2012-03-26. 
  11. ^ Winkler, Vic (2011). Securing the Cloud: Cloud Computer Security Techniques and Tactics. Waltham, MA USA: Elsevier. pp. 65, 68, 72, 81, 218–219, 231, 240. ISßN 978-1-59749-592-9. http://www.elsevier.com/wps/find/bookdescription.cws_home/723529/description#description. 
Retrieved from “http://en.wikipedia.org/w/index.php?title=Cloud_computing_security&oldid=490301511″
Categories:
  • Cloud computing
  • Computer security
Hidden categories:
  • Articles to be merged from December 2011
  • All articles to be merged