Security and Cloud Computing

Cloud Computing: Security Threats & Countermeasures, Auditing and Strategies Regarding the Cloud
Abstract
The cloud is the latest development in the world of the Information Age. It provides a way for data to be stored, shared, managed, and protected in an efficient and effective manner. This paper looks at some of the security threats and countermeasures that can be conducted to help make the cloud safer. It examines why auditing is essential and what strategies can be developed to protect the cloud.
Keywords: cloud computing, cloud security, IS security, IT security risks
Introduction
As the Digital Era progresses and the needed to store data becomes more pervasive, cloud computing has risen as the solution to system needs. However, as with any solution there come myriad risks that must be addressed. As Pfleeger and Pfleeger (2012) show, the cloud has five distinct characteristics: 1) it offers on-demand self-service, 2) it provides broad network access, 3) it offers resource pooling, 4) it has rapid elasticity, and 5) it gives measured service. The models of cloud computing are software as a service, platform as a service, and infrastructure as a service. The cloud types can be public, private, community-based, or hybrid (two or more types of cloud). And while cloud computing is generally regarded as secure technology, there are still security risks that have to be understood (Ahmed, 2014). This paper will examine these risks, the trends in cloud computing, companies that offer cloud computing services and regulatory issues surrounding it.
Technology Involved
Ahmed (2014) defines cloud computing as “merely a model for enabling convenient, on-demand network access to shared data pools) of configurable computing resources (e.g.,, Networks, servers, storage, application, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (p. 207). It is a way for computing services to be pooled together in one place—like a public swimming pool that everyone with a pass has access to. The pool, of course, can be private—and members have to belong to the community of condos with access to the pool; or it can be private—and those who use it share a compound. But in every case the idea is the same. All computing, networking, server, storage, software, application and service needs are handled in the cloud, which is designed and developed for that specific purpose: to extend the metaphor, the cloud has its own pool boys, lifeguards, cleaners, and so on—those using it do not have to worry about any of the maintenance. They pay their fees and the work is done for them. That is the essence of cloud computing. To put it simply, cloud computing is conducted by a group of remote servers that host files that can be accessed by a computer linked to the Internet. Of course, whenever the Internet or networks are involved, risks of security breach are going to be present. Like anyone who is hot, the pool is the most inviting place to be—and people will try to get in whether they are invited or not. The same goes with cloud computing.
There are three risks to be assessed when utilizing cloud computing services: information security risks, physical security risks and risks to compliance. Just because the security solutions may be developed does not mean all clouds will have them. This is why auditing is so important. Before expanding on that thought, a review of the risks is needed. Gibson (2015) shows that in order to manage risk effectively, one has to be aware of the “threats and vulnerabilities” to one’s system (p. 2). So what are the threats and vulnerabilities of cloud computing?
Risks Relating to Information Security
In the Information Age, protecting information and safeguarding data is a top priority. Hacks can occur at any time in any place, and there is no lack of evidence in recent years to show how virtually any corporation, company, entity or organization can be attacked. Protecting the confidentiality of information, therefore, is one of the main risks of cloud computing (Ahmed, 2014). In a traditional network, data is safeguarded by virtue of cryptography and the physical isolation of the network for the rest of the global community. The user of the network bears the responsibility of securing it. In the cloud, the responsibility is taken out of the user’s hands and placed in the hands of those operating the cloud.
Johnson (2015) identifies the risks to information security categorically: a) unauthorized access risks, b) confidentiality risks, c) integrity risks, d) authentication risks, and e) availability risks. Only those users authorized to enter the cloud should have access. All information should be kept confidential to those without permission to see it. Information should not be “improperly changed” (Johnson, 2015, p. 10) or altered in a way that corrupts it. Devices that access the cloud should be authenticated before entry is permitted. Information in the cloud also has to be available upon request. There are also bound to be “loop holes in the security architecture of the cloud, which can be exploited by malicious users to gain access to the cloud network and the resource infrastructure” (Kashyap & Sharma, 2015, p. 33), and these need to be addressed as no matter what company is operating the cloud there will always be vulnerabilities.
Risks Relating to Physical Security
There are also physical security risks to be understood in cloud computing. Though the cloud offers a remote service where data can be stored and accessed, the actual physical servers hosting the data exist somewhere—i.e., they have a physical location. A power outage in the area where the servers are located could cause the cloud to go offline and leave users without access to their data. This happens on occasion for companies like Amazon Web Services.
The many physical security risks are associated with “hardware, virtualization, network, data and service providers” (Kazim & Zhu, 2015, p. 109). Attacks on any of these structures can lead to the compromising of the cloud. Denial of Service attacks can overwhelm a system and lead to inefficiencies for companies that have websites up for public use. In the cloud, the interconnectedness of parts creates a complex environment where vulnerabilities are not always seen until an intruder with malicious code finds them and exploits them.
Risks Relating to Compliance
Compliance is a major factor that has to be addressed, as non-compliance will essentially open the door to risks, hacks, unwanted exposure and so on. To manage compliance risks, policy principles have to be documented and a policy issued that defines how the cloud computing company intends to operate—this is the nuts and bolts of the operation—the blueprint of who does what where, when, how and why (Johnson, 2015).
Procedures have to be written to ensure the policy is executable and guidelines must be provided that establish the parameters and boundaries of the policy. To help with auditing the system, a policy definitions document should be provided as well, so that no information is lost in translation when an external auditor examines the system expecting to find something that is not where they assume it will be. The policy definitions document serves as the map of the functions in the cloud network to help auditors know what is where.
As Weiss and Solomon (2016) point out, an effective audit of a system should be able to achieve three main objectives:
1. Provide a goal-oriented review of the company’s policies, systems and controls
2. Provide assurance that effective information technology controls exist and are in place
3. Provide recommendations for improving controls where needed.
Compliance frameworks like the Control Objectives for Information and Related Technology (COBIT) are accepted as industry standards for ensuring that best practices in cloud security are available.
The ultimate goal of compliance is deterrence. Deterrence is the idea that security can be achieved “without intervention against a threat actor. Deterrence builds its own momentum. The longer attacks are deterred, the less likely it is that an attack may take place” (Countermeasures, n.d.). Deterrence cannot be accomplished, however, without a direct assessment of a system’s vulnerabilities. These must be made known, through testing and auditing, in order to develop strategies that will effect in the end a proper deterrence. Strategies for deterrence can include “architectural hardness, access control measures, guards, obvious cameras, witnesses, alarms, and alarm signs. To be effective as a deterrent, countermeasures must be visible and must seem to create too much risk to carry out the attack” (Countermeasures, n.d.). The ultimate point of deterrence, of course, is to make the public aware that the cloud is impenetrable for those who are not granted legitimate access. All deterrence should be visible for that reason—to reduce the risk of hackers seeking to find vulnerabilities. Weakness attracts wolves, but strength turns them away.
Future Trends
As the Digital Era and Information Age progress, cloud computing is going to be more and more in demand. This can already be seen in the explosion of business for companies like Amazon Web Services. Infrastructure as a service and platform as a service designs are going to become increasingly popular and required by companies that do not have their own space or workers capable of maintaining oversight of the data systems required for their operations. The industry of cloud computing has developed into its own special market where the stakes are high because information is so vital to processes in the digital world.
For that reason there will be increased demand for cloud storage capacity and companies involved providing cloud services will be expanding their footprint with physical servers increasing and spreading throughout the world. Data center owners will be tasked with placing servers in safe zones where risk of going offline is low. With data dependent businesses using data warehouses and Big Data analytics now a common feature of most enterprises, the demand for storage and 24/7 hour access is higher than it has ever been.
The Internet of Things and the use of artificial intelligence for real-time machine learning will be more popular. Machine to machine communications and human interactions with the Internet of Things will dominate processes. The complexity of the environment is only going to increase from here as all features become integrated into a self-conscious whole that is designed to learn as it goes, anticipate user needs, and forecast models of behavior that facilitate organizational growth and development across all sectors and industries.
Examples of Companies Involved
Amazon Web Services (AWS) is one of the biggest cloud computing companies along with Google, Microsoft, IBM and Oracle. These companies control the give and take, the in-flow and out-flow of a great deal of the world’s information. AWS is likely to receive the contract to host all of the U.S. Defense Department’s data on its cloud—which is a multi-billion dollar contract. Because of the sensitivity of so much information, a company like AWS has to show that it can provide the best in security. Oracle, IBM, Microsoft and Google are in the same boat. Each brings its own basic functions to the arena, however. Google, for example, focuses almost exclusively on innovation and looks for ways to enhance its cloud computing technology and services, such as through its Google Translation services, which allow users to translate texts from one language to another. This type of technology is what differentiates it, and all companies have their own approaches to differentiation, which allow them to stay competitive in a market that has become more and more intense as demand has heated up in recent years.
Regulatory Issues
A variety of regulations exist in different sectors and industries where cloud computing is used. For example in the health care industry, the Health Insurance Portability and Accountability Act (HIPAA) requires that all patient information be protected and kept private. Every so often, however, breaches occur and patient information is made public—which results in a fine for the company that failed to protect its data.
The Gramm-Leach-Bliley Act (GLBA) is another regulatory act that is designed t to address companies using the cloud. Specifically, the Financial Privacy Rule and the Safeguards Rule have been written to direct organizations on information storage. The Financial Privacy Rule in particular is designed to alert users of how their information is stored, who it is shared with by the companies, how it is used and how it is protected. The Safeguards Rule “requires financial institutions to develop a written information security plan that describes how the company plans to protect clients’ nonpublic personal information” (Blaisdell, 2012). These are just a few examples of the types of regulation that exist for maintaining order within the cloud computing industry. They show that concerns about privacy, protection, and data usage are important to users just as much as they are to companies collecting the data.
Conclusion
Cloud computing is the latest advancement of the digital era, and though it has been in existence for many years, the proliferation of companies offering cloud computing services indicates the extent to which almost all organizations are becoming reliant upon the cloud. The move to cloud computing is caused by the demand for more efficient ways of handling, storing, accessing, and sharing information. As more and more companies become data-dependent, they have to find ways to manage this data, and cloud computing presents itself as the most viable and effective means available today. Protecting and securing the cloud, however, requires an extensive understanding of the risks, threats and vulnerabilities of the system. To know how to safeguard the cloud and to adhere to regulations, cloud computing providers, users, and stakeholders have to be aware of the system and its usages.

References
Ahmed, H. (2014, July). Cloud Computing Security threats and Countermeasures.
Retrieved October 2, 2018, from https://pdfs.semanticscholar.org/8ee8/7566633ae84d3289ffdee687b3df08940b27.pdf 
Blaisdell, R. (2012). Laws and regulations governing the cloud computing environment.
Retrieved from https://rickscloud.com/laws-and-regulations-governing-the-cloud-computing-environment/
Countermeasures. (n.d.). Retrieved from
http://www.infosectoday.com/Articles/Countermeasures/Countermeasures.pdf
Gibson, D. (2015). Managing risk in information systems. Burlington, MA: Jones &
Bartlett Learning. 
Johnson, R. (2015). Security policies and implementation issues (2nd Ed.). MA: Jones
& Bartlett Learning.
Kashyap, R. & Sharma, S. (2015). Security challenges and issues in cloud computing—
the way ahead. International Journal of Innovative Research in Advanced Engineering, 9(2), 32-35.
Kazim, M. & Zhu, S. (2015). A survey on top security threats in cloud computing.
International Journal of Advanced Computer Science and Applications, 6(3), 109-113
Pfleeger, C. P., & Pfleeger, S. L. (2012). Analyzing computer security: A
threat/vulnerability/countermeasure approach. NY: Prentice Hall.
Weiss, M. M., & Solomon, M. G. (2016). Auditing IT infrastructures for compliance.
Sudbury, MA: Jones & Bartlett Learning.