Cloud Computing: Security Threats & Countermeasures, Auditing and Strategies Regarding the Cloud Abstract

The cloud is the latest development in the world of the Information Age. It provides a way for data to be stored, shared, managed, and protected in an efficient and effective manner. This paper looks at some of the security threats and countermeasures that can be conducted to help make the cloud safer. It examines why auditing is essential and what strategies can be developed to protect the cloud.

Keywords: cloud computing, cloud security, IS security, IT security risks

Introduction

As the Digital Era progresses and the needed to store data becomes more pervasive, cloud computing has risen as the solution to system needs. However, as with any solution there come myriad risks that must be addressed. As Pfleeger and Pfleeger (2012) show, the cloud has five distinct characteristics: 1) it offers on-demand self-service, 2) it provides broad network access, 3) it offers resource pooling, 4) it has rapid elasticity, and 5) it gives measured service. The models of cloud computing are software as a service, platform as a service, and infrastructure as a service. The cloud types can be public, private, community-based, or hybrid (two or more types of cloud). And while cloud computing is generally regarded as secure technology, there are still security risks that have to be understood (Ahmed, 2014). This paper will examine these risks, the trends in cloud computing, companies that offer cloud computing services and regulatory issues surrounding it.

Technology Involved

Ahmed (2014) defines cloud computing as “merely a model for enabling convenient, on-demand network access to shared data pools) of configurable computing resources (e.g.,, Networks, servers, storage, application, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (p. 207). It is a way for computing services to be pooled together in one place—like a public swimming pool that everyone with a pass has access to. The pool, of course, can be private—and members have to belong to the community of condos with access to the pool; or it can be private—and those who use it share a compound. But in every case the idea is the same. All computing, networking, server, storage, software, application and service needs are handled in the cloud, which is designed and developed for that specific purpose: to extend the metaphor, the cloud has its own pool boys, lifeguards, cleaners, and so on—those using it do not have to worry about any of the maintenance. They pay their fees and the work is done for them. That is the essence of cloud computing. To put it simply, cloud computing is conducted by a group of remote servers that host files that can be accessed by a computer linked to the Internet. Of course, whenever the Internet or networks are involved, risks of security breach are going to be present. Like anyone who is hot, the pool is the most inviting place to be—and people will try to get in whether they are invited or not. The same goes with cloud computing.

There are three risks to be assessed when utilizing cloud computing services: information security risks, physical security risks and risks to compliance. Just because the security solutions may be developed does not mean all clouds will have them. This is why auditing is so important. Before expanding on that thought, a review of the risks is needed. Gibson (2015) shows that in order to manage risk effectively, one has to be aware of the “threats and vulnerabilities” to one’s system (p. 2). So what are the threats and vulnerabilities of cloud computing?

Hacks can occur at any time in any place, and there is no lack of evidence in recent years to show how virtually any corporation, company, entity or organization can be attacked. Protecting the confidentiality of information, therefore, is one of the main risks of cloud computing (Ahmed, 2014). In a traditional network, data is safeguarded by virtue of cryptography and the physical isolation of the network for the rest of the global community. The user of the network bears the responsibility of securing it. In the cloud, the responsibility is taken out of the user’s hands and placed in the hands of those operating the cloud.
Johnson (2015) identifies the risks to information security categorically: a) unauthorized access risks, b) confidentiality risks, c) integrity risks, d) authentication risks, and e) availability risks. Only those users authorized to enter the cloud should have access. All information should be kept confidential to those without permission to see it. Information should not be “improperly changed” (Johnson, 2015, p. 10) or altered in a way that corrupts it. Devices that access the cloud should be authenticated before entry is permitted. Information in the cloud also has to be available upon request. There are also bound to be “loop holes in the security architecture of the cloud, which can be exploited by malicious users to gain access to the cloud network and the resource infrastructure” (Kashyap & Sharma, 2015, p. 33), and these need to be addressed as no matter what company is operating the cloud there will always be vulnerabilities.

Risks Relating to Physical Security

There are also physical security risks to be understood in cloud computing. Though the cloud offers a remote service where data can be stored and accessed, the actual physical servers hosting the data exist somewhere—i.e., they have a physical location. A power outage in the area where the servers are located could cause the cloud to go offline and leave users without access to their data. This happens on occasion for companies like Amazon Web Services.

The many physical security risks are associated with “hardware, virtualization, network, data and service providers” (Kazim & Zhu, 2015, p. 109). Attacks on any of these structures can lead to the compromising of the cloud. Denial of Service attacks can overwhelm a system and lead to inefficiencies for companies that have websites up for public use. In the cloud, the interconnectedness of parts creates a complex environment where vulnerabilities are not always seen until an intruder with malicious code finds them and exploits them.

Risks Relating to Compliance

Compliance is a major factor that has to be addressed, as non-compliance will essentially open the door to risks, hacks, unwanted exposure and so on. To manage compliance risks, policy principles have to be documented and a policy issued that defines how the cloud computing company intends to operate—this is the nuts and bolts of the operation—the blueprint of who does what where, when, how and why (Johnson, 2015).

Procedures have to be written to ensure the policy is executable and guidelines must be provided that establish the parameters and boundaries of the policy. To help with auditing the system, a policy definitions document should be provided as well, so that no information is lost in translation when an external auditor examines the system expecting to find something that is not where they assume it will be. The policy definitions document serves as the map of the functions in the cloud…