Security in Cloud Computing Security issues associated with the cloud

Cloud Security Controls

Deterrent Controls

Preventative Controls

Corrective Controls

Detective Controls

Dimensions of cloud security

Security and privacy

Compliance

Business continuity and data recovery

Logs and audit trails

Legal and contractual issues

Public records

The identified shortcomings in the cloud computing services and established opportunities for growth regarding security aspects are discussed in the current research. The security of services is regarded as the first obstacle. The opportunity for growth is provided as combination of multiple service providing resources and mechanism to mitigate the effect of vulnerability. The research further elaborates the dimensions of security in a shared resources and strategically locating computing resources at multiple locations similar to cloud computing. Furthermore the legal and regulatory issues are also addressed in detail. Improvement in security of the services is also a responsibility of the cloud services users and enterprises deciding to store data. The service providers can establish storage in multiple locations, using different networks, and internet service providers to minimize disturbance in providing services. In such cases it is necessary or the users to classify their data and store the least vulnerable information on cloud computing resources.

1 Security issues associated with the cloud:

Scott Case, CEO of the Startup America Partnership however narrates a different story in favor of cloud computing while ignoring the enormous security issues posed by cloud computing for the larger organizations. Priceline.com, a company founded by Scott Case had to invest $3 million in IT infrastructure, platforms, and software development when the company was started in 1997. Comparatively, now such IT capability can be acquired using cloud services of any of the renowned vendors such as Amazon, Intuit, Dell, or IBM (Shread, 2012). The choice of vendors and cost incurred on acquisition of IaaS, PaaS, and SaaS are relatively negligible for new startups. Instead, the IT capability acquisition costs can be incurred on marketing and product development. The inventories can be managed against a fraction of cost that is incurred if startups invest in the infrastructure. The flexibility and cost reduction of IT acquisition out-weigh potential security threats.

2 Cloud Security Controls:

The security controls enables in each computing system including cloud computing are targeted at reducing the amount of vulnerabilities. It is also aimed at providing the adequate level of security to the user's data and their key information. The users of cloud computing should also assess their level of tolerance and to what extent they would like to compromise on the security of information. The security issues associated with the shared infrastructure and resources of cloud computing are mainly with respect to the loss of sensitive information, financial crimes, reputation, and resources destruction.

The controls established to counter these issues are related to be identified as four major categories including deterrent controls, preventive controls, corrective, and detective controls. All these controls refer to different areas of information security however all are related to establish a coherent and integrated system for providing uninterrupted services to their clients. The issues of information security in cloud computing also arise due to its services oriented shared nature of business. These control categories are elaborated in detail underneath.

2.1 Deterrent Controls:

The deterrence oriented controls are established to reduce the amount of vulnerabilities in cloud services. It is also deliberate attacks from hackers and other cyber criminals are handled through increased deterrence in cloud services. The deterrence against the likely attacks is achieved through updated programs and firewalls erected at the premises of cloud services providers. It is highly likely that the cloud users lose their valuable data through a well-planned attempt of security breach at cloud services provider's infrastructure. The attackers take advantage of the latest technology to enter and destroy the security mechanism of cloud services providers (Krutz, & Vines, 2010).

The deterrence control measures are described in the client's security manuals as well as the assurances provided in the service level agreements (SLA). The deterrence control measures are significant in the cloud information security as there is always a threat of attacks. The threat perception and levels have to define as assessed risks in order to maintain a high level of security. The cybercrimes can also take place through the shared systems and criminals might gain access to the information stored in the system through seeking an account. The cloud services providers need to place adequate amount of checks for their client's identity. It can also be enhanced through monitoring cloud account activity using multiple techniques.

2.2 Preventative Controls:

Krutz et al. (2010) defines...

These vulnerabilities may arise through the violation of security policy. There are numerous preventive measures that can be taken in order to prevent the potential threats to cloud services security. The accurate preventive controls are required to provide an effective protection against the potential attacks through physical and virtual (network) security violations. The notable preventive controls are the applications developed for integration with the systems development life cycle approach. The system disables the users from using a high level of privileges. The users are only providing minimum to adequate amount of privileges in order to restrict their attempts for violating the security policy (Mather, Kumaraswamy, & Latif, 2009).
According to Mather et al. (2009) the significant preventive controls are also implemented through user authentications techniques, access control measures, and account management policies. There are browser handled and endpoint security measures that also ensure the preventive attacks are handled effectively in order to reduce the threat level. The usage of anti-virus, host-based IDS, host firewalls, and administration of virtual private networks are used as measures through policy for ensuring security in cloud computing. The applicable preventive actions for cloud computing security measures should be documented in the form of a list containing all possible states where the controls should also be defined (Ackermann, 2013).

2.3 Corrective Controls:

The rapid evolution of cloud computing services as a model for reduced infrastructure and upfront cost has also raised several security issues. The growth in number of users facilitated through cloud computing services has also raised the concerns of information and data that can be classified as vulnerable in cloud resources. It is also observed that prior to this situation the customers of cloud computing were used to secure and risk the data theft as their own decision (Isaca, 2011). However the later developments including government's initiative for using cloud resources has also raised various concerns.

The result of such development could be seen in terms of the corrective measures taken to secure cloud services through implementation of cloud security and information and data security corrective measures. The response of various communities, governments, and cloud services providers is also changing from reactive to proactive approach in implementation of corrective measures. According to Prodan, and Ostermann (2009) the assessment procedures adopted by federal and various state governments to perform vulnerability scanning is a cost effective method of initiating corrective actions. The system development life cycle approach is also regarded as significant in increasing usage of corrective measures for improvement in cloud computing information security.

2.4 Detective Controls:

According to Krutz et al. (2010) the detective controls are essential in aspect for effective cloud computing security measures. The detective controls implemented in cloud computing are required to discover the attempts made for security breach and activate the corrective and preventive controls. It can also be associated with the intelligent systems that are developed to interpret the attempts made to intrude the security settings of cloud computing. These controls also work as a coordinated insertion detections system that is also capable of detecting the violations of security policy, organizational policy and physical attempts to break in the system through breach of security apparatus.

The detective controls implemented for increasing security in cloud computing are mostly logging events and event correlation. The application vulnerability scanning and monitoring is also categorized as detective controls (Mather et al., 2009). These measures are a preemptive attempt to ensure data and information security ofcloud computing services. The cloud computing resources are secured through the auto activation of corrective and preventive measures initiated through the detective controls.

3 Dimensions of cloud security:

The cloud computing services offer three major types of services including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). All these services are used through networks and remote access is required to offer the services. The usage of these services also has different requirements and distinct level of controls required to ensure security for the users. These controls for cloud computing security are also segregated into three categories including SaaS, IaaS, and PaaS.

The security architecture for IaaS is concerning the assurance for the hosted applications to work according to the offered terms and conditions. The attacks on IaaS security could be dealt in similar ways as enterprise web applications in distributed architecture. The IaaS controls are essentially ensured by the user to allocate adequate level of access, user authentication, and network security. The users using the infrastructure need to ensure that they maintain an effective security policy. These controls are developed and implemented…