Security in Cloud Computing
Security issues associated with the cloud
Cloud Security Controls
Deterrent Controls
Preventative Controls
Corrective Controls
Detective Controls
Dimensions of cloud security
Security and privacy
Compliance
Business continuity and data recovery
Logs and audit trails
Legal and contractual issues
Public records
The identified shortcomings in cloud computing services and the established opportunities for growth regarding security are discussed in the current research. The security of services is regarded as the first obstacle. The opportunity for growth is provided as a combination of multiple service-providing resources and a mechanism to mitigate the effect of vulnerability. The research further elaborates the dimensions of security in shared resources and in strategically locating computing resources at multiple locations, as cloud computing does. Furthermore, the legal and regulatory issues are also addressed in detail. Improving the security of the services is also a responsibility of the cloud services users and of enterprises deciding to store data. The service providers can establish storage in multiple locations, using different networks and internet service providers, to minimize disturbance in providing services. In such cases it is necessary for the users to classify their data and store the least vulnerable information on cloud computing resources.
1 Security issues associated with the cloud:
Scott Case, CEO of the Startup America Partnership, however, narrates a different story in favor of cloud computing while ignoring the enormous security issues posed by cloud computing for the larger organizations. Priceline.com, a company founded by Scott Case, had to invest $3 million in IT infrastructure, platforms, and software development when the company was started in 1997. Comparatively, such IT capability can now be acquired using the cloud services of any of the renowned vendors such as Amazon, Intuit, Dell, or IBM (Shread, 2012). The choice of vendors and the cost incurred on acquisition of IaaS, PaaS, and SaaS are relatively negligible for new startups. Instead, the IT capability acquisition costs can be spent on marketing and product development. The inventories can be managed at a fraction of the cost that is incurred if startups invest in the infrastructure. The flexibility and cost reduction of IT acquisition outweigh potential security threats.
2 Cloud Security Controls:
The security controls enabled in each computing system, including cloud computing, are targeted at reducing the number of vulnerabilities. They are also aimed at providing an adequate level of security to the users' data and their key information. The users of cloud computing should also assess their level of tolerance and to what extent they would like to compromise on the security of information. The security issues associated with the shared infrastructure and resources of cloud computing are mainly with respect to the loss of sensitive information, financial crimes, reputation, and destruction of resources.
The controls established to counter these issues are identified in four major categories: deterrent controls, preventive controls, corrective controls, and detective controls. These controls refer to different areas of information security; however, all of them work together to establish a coherent and integrated system for providing uninterrupted services to clients. The issues of information security in cloud computing also arise from its service-oriented, shared nature of business. These control categories are elaborated in detail below.
2.1 Deterrent Controls:
The deterrence-oriented controls are established to reduce the number of vulnerabilities in cloud services. Deliberate attacks from hackers and other cyber criminals are also handled through increased deterrence in cloud services. The deterrence against likely attacks is achieved through updated programs and firewalls erected at the premises of cloud services providers. It is highly likely that cloud users lose their valuable data through a well-planned attempt at a security breach of the cloud services provider's infrastructure. The attackers take advantage of the latest technology to enter and destroy the security mechanism of cloud services providers (Krutz & Vines, 2010).
The deterrence control measures are described in the client's security manuals as well as in the assurances provided in the service level agreements (SLA). The deterrence control measures are significant in cloud information security as there is always a threat of attacks. The threat perception and levels have to be defined as assessed risks in order to maintain a high level of security. Cybercrimes can also take place through the shared systems, and criminals might gain access to the information stored in the system by obtaining an account. The cloud services providers need to place an adequate number of checks on their clients' identity. Deterrence can also be enhanced through monitoring cloud account activity using multiple techniques.
2.2 Preventative Controls:
Krutz et al. (2010) state that preventive measures are also taken to reduce vulnerabilities in cloud services. These vulnerabilities may arise through the violation of security policy. There are numerous preventive measures that can be taken in order to prevent the potential threats to cloud services security. Accurate preventive controls are required to provide effective protection against potential attacks through physical and virtual (network) security violations. The notable preventive controls are the applications developed for integration with the systems development life cycle approach. The system prevents the users from using a high level of privileges. The users are only provided a minimum to adequate amount of privileges in order to restrict their attempts at violating the security policy (Mather, Kumaraswamy, & Latif, 2009).
According to Mather et al. (2009), the significant preventive controls are also implemented through user authentication techniques, access control measures, and account management policies. There are browser-handled and endpoint security measures that also ensure attacks are handled preventively in order to reduce the threat level. Anti-virus, host-based IDS, host firewalls, and the administration of virtual private networks are used as policy measures for ensuring security in cloud computing. The applicable preventive actions for cloud computing security should be documented in the form of a list containing all possible states where the controls should also be defined (Ackermann, 2013).
2.3 Corrective Controls:
The rapid evolution of cloud computing services as a model for reduced infrastructure and upfront cost has also raised several security issues. The growth in the number of users facilitated through cloud computing services has also raised concerns about information and data that can be classified as vulnerable in cloud resources. It is also observed that, prior to this situation, securing data or accepting the risk of data theft was the cloud computing customers' own decision (Isaca, 2011). However, later developments, including governments' initiatives for using cloud resources, have also raised various concerns.
The result of such development can be seen in the corrective measures taken to secure cloud services through implementation of cloud security and information and data security corrective measures. The response of various communities, governments, and cloud services providers is also changing from a reactive to a proactive approach in the implementation of corrective measures. According to Prodan and Ostermann (2009), the assessment procedures adopted by federal and various state governments to perform vulnerability scanning are a cost-effective method of initiating corrective actions. The system development life cycle approach is also regarded as significant in increasing the usage of corrective measures for improvement in cloud computing information security.
2.4 Detective Controls:
According to Krutz et al. (2010), detective controls are an essential aspect of effective cloud computing security measures. The detective controls implemented in cloud computing are required to discover attempted security breaches and to activate the corrective and preventive controls. They can also be associated with the intelligent systems that are developed to interpret attempts to intrude on the security settings of cloud computing. These controls also work as a coordinated intrusion detection system that is capable of detecting violations of security policy and organizational policy, and physical attempts to break into the system through a breach of the security apparatus.
The detective controls implemented for increasing security in cloud computing are mostly event logging and event correlation. Application vulnerability scanning and monitoring are also categorized as detective controls (Mather et al., 2009). These measures are a preemptive attempt to ensure data and information security of cloud computing services. The cloud computing resources are secured through the automatic activation of corrective and preventive measures initiated through the detective controls.
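The event correlation described above, as an added example that is not part of the original paper: a detector reads constructed audit-log lines, correlates repeated login failures with a later success for the same account and source, and names the corrective and preventive actions to activate. The log field names, the threshold and window, and the action labels are assumptions made for this illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events; the field names are hypothetical and do not
# follow any real provider's log format. One line is deliberately malformed.
SAMPLE_LOG = """\
{"ts": "2024-01-10T08:00:00", "account": "carol", "src": "192.0.2.44", "event": "login_failure"}
{"ts": "2024-01-10T08:01:00", "account": "carol", "src": "192.0.2.44", "event": "login_failure"}
{"ts": "2024-01-10T09:00:01", "account": "alice", "src": "198.51.100.7", "event": "login_failure"}
{"ts": "2024-01-10T09:00:20", "account": "alice", "src": "198.51.100.7", "event": "login_failure"}
{"ts": "2024-01-10T09:00:41", "account": "alice", "src": "198.51.100.7", "event": "login_failure"}
not-a-json-record
{"ts": "2024-01-10T09:01:05", "account": "alice", "src": "198.51.100.7", "event": "login_success"}
{"ts": "2024-01-10T09:02:00", "account": "bob", "src": "203.0.113.9", "event": "login_failure"}
{"ts": "2024-01-10T09:02:30", "account": "bob", "src": "203.0.113.9", "event": "login_success"}
{"ts": "2024-01-10T09:10:00", "account": "carol", "src": "192.0.2.44", "event": "login_failure"}
{"ts": "2024-01-10T09:10:30", "account": "carol", "src": "192.0.2.44", "event": "login_success"}
"""

def correlate(lines, window=timedelta(minutes=5), threshold=3):
    """Alert when a login success follows >= threshold failures for the same
    (account, source) pair inside the time window. Expects time-ordered input."""
    failures = defaultdict(deque)  # (account, src) -> timestamps of recent failures
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev["ts"])
            key, kind = (ev["account"], ev["src"]), ev["event"]
        except (ValueError, KeyError, TypeError):
            continue  # malformed record: skip it rather than stop detecting
        recent = failures[key]
        while recent and ts - recent[0] > window:
            recent.popleft()  # failures older than the window no longer count
        if kind == "login_failure":
            recent.append(ts)
        elif kind == "login_success":
            if len(recent) >= threshold:
                alerts.append({
                    "account": key[0], "src": key[1], "at": ev["ts"],
                    "failures": len(recent),
                    # Hypothetical action labels: the detective control hands
                    # off to the corrective and preventive controls.
                    "corrective": "revoke_sessions_and_reset_credentials",
                    "preventive": "block_source_address",
                })
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Lowering the threshold widens detection at the cost of more alerts on ordinary mistyped passwords, so the value belongs with the assessed risk levels rather than in the code.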
3 Dimensions of cloud security:
The cloud computing services offer three major types of services including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). All these services are used through networks and remote access is required to offer the services. The usage of these services also has different requirements and distinct level of controls required to ensure security for the users. These controls for cloud computing security are also segregated into three categories including SaaS, IaaS, and PaaS.
The security architecture for IaaS concerns the assurance that the hosted applications work according to the offered terms and conditions. Attacks on IaaS security can be dealt with in similar ways as for enterprise web applications in a distributed architecture. The IaaS controls are essentially ensured by the user, who allocates an adequate level of access, user authentication, and network security. The users of the infrastructure need to ensure that they maintain an effective security policy. These controls are developed and implemented to cater to the hostile internet environment for multi-tenant usage of user applications hosted through cloud computing services (Mather et al., 2009).
Mather et al. (2009) further elaborate on the security controls for data in various stages. They are required for data in transit, data at rest, and data processing. They are also required for data lineage, data provenance, and data remanence. Informed decisions are required for increasing data security in cloud computing. Not all security measures are the responsibility of the cloud services providers. There are various cases where the security of data in cloud computing is compromised due to clients' negligence. Therefore, cloud computing customers are also required to ensure security at their premises and in their usage of the hosted applications.
4 Security and privacy:
The security and privacy concerning the cloud computing users has two distinctive directions. The security of cloud computing is concerning the internal and external safety of the infrastructure and applications. The applications and infrastructure resources of cloud computing are secured through the measures implemented as controls as described above. The security of cloud computing services from attempts of external elements as well as internal breach of the adopted policy can be reduced through effective measures at organizational level. The customers and services providers are involved in increasing the level of security against the perceived threats (Wang, Wang, Ren, & Lou, 2010).
Privacy of information in cloud computing is also related to two different dimensions. The legal and unlawful release, acquisition, and misuse of classified information about customer's identity and data stored in cloud resources is subject to various privacy laws. The major portion of the responsibility is with the concerning service providers and their ability to fulfill their commitments. The release of information about customer's identity is only possible through legal procedures. After the increase in terrorism certain privacy laws are changed to provide increased access to the law enforcement agencies and government investigators. However it has to be within the legal jurisdiction and through appropriate channels of information access.
The second major issue in information privacy, regarded as a breach of customer commitment, is unlawful sharing of customer data with unauthorized entities. Illegal access to customer data is one of the major concerns, as most customers are unaware of the procedures and physical controls implemented by the cloud services providers. The cloud services providers should ensure that they comply with the requirements of customer data and information privacy through elaborate and detailed controls. A breach in customer privacy may also result in severe damage to reputation and, as a result, loss of business.
The businesses seeking cloud computing services are also required to consider the data storage facilities that are secure and enable them to safeguard their information. The data breach of confidential customer information also has potential threat for the cloud computing services providers. The businesses especially banks, insurance agencies, and medical services providers should be particular about the information they seek to store in the cloud services. The business is liable in legal and ethical terms to protect the classified information for their customers.
5 Compliance:
The issue of compliance with cloud services security and confidentiality of the information saved by clients is a relatively vast subject. There are various legal, ethical, and contractual issues that require compliance in cloud computing. The business is also prone to certain compliance and legal issues related to business continuity and data recovery, logs and audit trails, and unique compliance requirements in cloud computing. These issues are addressed in the following section with detailed insight.
5.1 Business continuity and data recovery:
According to Buyya, Broberg, and Goscinski (2010), cloud computing offers a large number of resources for its clients. These resources are offered by the service providers on an on-demand basis, and the customers can increase or decrease the required resources. The availability of the services from cloud service providers is one of the major issues. Natural disasters and other network-related calamities can also disrupt the availability of the resources. Therefore, disaster recovery and business continuity are considered important for cloud services.
Three distinct concerns are raised in the work, highlighting the issues of sub-contracting cloud service providers that share the resources or infrastructure offered by other providers. Damage to the infrastructure of one provider can also affect the continuity of other service providers. Cloud service providers can also fail in their business operations and, as a result, stop offering their services. The third most significant issue is related to the multi-tenancy sharing infrastructure of the service providers. All these issues are related to assurance from the service provider and vigilant analysis of suppliers prior to acquisition of SaaS, IaaS, and PaaS. All the above-mentioned scenarios can disrupt the business and cause it to lose data if backup services are not available (Buyya et al., 2010).
5.2 Logs and audit trails:
Logs and audit trails should be made available by the business. The cloud service providers are obliged to maintain an effective archive of the logs and audit trails. Their safety should be ensured by keeping them at secure locations. Emergency situations require these trails to be used for investigation purposes (Aluru, Bandyopadhyay, Catalyurek, Dubhashi, Jones, Parashar, & Schmidt, 2011). Logging and audit trails are maintained in order to ensure the security of cloud computing resources.
Regulatory compliance is also associated with the fulfillment of logging and audit trail requirements. Security management and incident management require the usage of this information in order to recover and investigate. SLA and QoS management is also related to the activity of providing support and incident management modules in cloud services. The security of cloud computing is also ensured through compliance and regulation-related practices (Mahmood, 2013).
5.3 Unique compliance requirements:
The security and compliance guidelines in cloud computing emphasize the roles of cloud computing customers, cloud providers, and auditors regarding the compliance requirements. The assessors also need to acquaint themselves with the unique requirements of cloud computing. Furthermore, an extended ability to fulfill compliance requirements in cloud computing is also essential. The regulatory issues, customer privacy, terminations, and identity protection in relation to the shared environment are unique to cloud computing. Patent issues should also be considered in order to provide the required services for the clients. The selection of jurisdiction is also an important factor in complying with the regulatory issues (Krutz et al., 2010).
6 Legal and contractual issues:
The infrastructure of cloud computing is set up in several countries and conformance with legal requirements is obligatory; however, certain underdeveloped countries have less effective information security laws. It is also required to have an interoperable system for cloud services for sharing and integration of resources. The disadvantages of cloud services can be minimized with vigilant incorporation of standard procedures for acquiring software and software suppliers