What is Cloud Security?
The surgency of cloud computing in the past decade caused cloud security to become very important. Cloud security is the practice of protecting cloud computing environments, data, information, and applications (“What is Cloud Security, or Cloud Computing Security?”, n.d.). The purpose of cloud security is to secure cloud services against hackers, malware, distributed denial of service (DDOS), unauthorized access/use, etc. Cloud security refers to protecting against any attack that will negatively harm a cloud environment.
Types of Cloud Environments
Cloud security differs depending on the type of cloud environment. There are four types of cloud environments:
- Public cloud services, operated by a public cloud provider – Normally hosted by third-party cloud service providers (Amazon Web Services, Microsoft Azure) and generally accessible through web browsers. Public cloud services are categorized into software-as-a-service (SaaS), platform-as-a-service (PaaS), or infrastructure-as-a-service (IaaS)
- Private cloud services, operated by a public cloud provider – Hosted by third-party cloud service providers and provide a cloud environment dedicated to one customer.
- Private cloud services, operated by internal staff – A business uses internal staff to operate a cloud environment that they control.
- Hybrid cloud services – Combination of private and public cloud environments which can optimize factors like cost and security. This service includes using internal staff and a public cloud provider to operate the cloud environment.
A public cloud provider takes over the responsibility of hosting data and applications which is a major difference between cloud environments and traditional IT. Traditional IT methods include holding most of the data within the company. It is important to understand security responsibilities in order to properly secure the cloud. (“What is Cloud Security? How to Secure the Cloud’, n.d.)
Cloud Security Responsibilities
Third-party cloud providers try to create built-in security into their cloud services. These provides must prevent breaches and maintain trust with the public and their customers. Although these providers attempt to secure their cloud, they can’t control how customers use their service, who has access, and what data they add to it. Cybersecurity can be weakened in the cloud depending on customers configuration, access policies, and sensitive data. Depending on the type of cloud service, the cloud provider and cloud customer share different responsibilities for security.
- Software-as-a-service (SaaS) – Customers are responsible for securing their user access and data
- Platform-as-a-service (PaaS) – Customers are responsible for securing their user access, data, and applications
- Infrastructure-as-a-service (IaaS) – Customers are responsible for securing their user access, data, applications, virtual network traffic, and operating system
Within all types of cloud services, a customer is always responsibly for securing their user access and data. Data security is the most essential part to successfully gaining the full benefits of the cloud. Although cloud services provide built-in security, everyone must actively participate in cloud security to ensure that every part of the process is secure. (“What is Cloud Security? How to Secure the Cloud’, n.d.)
Cloud Security Threats
Experts at Cloud Security Alliance have identified 12 critical issues to cloud security. The 12 critical issues (ranked in order of severity) are:
- Data Breaches
- Weak Identity, Credential and Access Management
- Insecure Application Programming Interfaces (APIs)
- System and Application Vulnerabilities
- Account Hijacking
- Malicious Insiders
- Advanced Persistent Threats (APTs)
- Data Loss
- Insufficient Due Diligence
- Abuse and Nefarious Use of Cloud Services
- Denial of Service
- Shared Technology Issues
Preventing these types of vulnerabilities have become a necessity since cloud services have become essential for businesses. It is critical that businesses protect their cloud network to remain competitive and retain consumers trust. (The 2018 Cloud Security Guide: Platforms, Threats, and Solutions, 2018)
Cloud Security Best Practices
According to BeyondTrust, there are nine cloud security best practices to help secure a cloud network.
- Strategy & Policy – A cloud security program should clearly state the responsibilities of the cloud provider and customer in terms of security and identify any possible weak points in the cloud environment.
- Network Segmentation – Isolate instances, applications, containers, and full systems from each other when possible.
- Identity and Access Management and Privileged Access Management – Implement identity management and authentication processes to ensure authorized users are the only ones with access to the cloud environment, data, and applications. Audit and record every time someone is using any part of the cloud service.
- Discover and Onboard Cloud Instances and Assets – It is important to manage and cycle passwords concerning instances, services, and assets in the cloud. This process should be automated as much as possible.
- Password Control (Privileged and Non-Privileged Passwords) – Never allow anyone to share passwords and ensure employees use password management best practices.
- Vulnerability Management – Consistently perform security audits and fix any known weak spots.
- Encryption – Ensure that the data in the cloud is encrypted.
- Disaster Recovery – Have awareness of the data backup, retention, and recovery policies and processes that the cloud service has in place. Create strategies and solutions in case these policies and processes fail.
- Monitoring, Alerting, and Reporting – Implement continual security and user activity monitoring in your cloud environment. Always know exactly what is happening in your cloud environment.
These will give some guidelines for cloud security but there is no one fix to all problems. Every business has to look at their own needs and come up with a cloud security strategy that works for them. Cloud security is a continual process that will never end because people come up with new ways to infiltrate cloud environments. (“What is Cloud Security, or Cloud Computing Security?”, n.d.)
Amazon Account Hijacking Scandal in 2010
In 2010, Amazon experienced an account hijacking which allowed attackers to infiltrate the Amazon Relational Database Service (RDS). Account hijacking is when an individual or organization’s cloud account is stolen by an attacker. Once an attacker has hijacked an account or service, they may be able to eavesdrop on activities of the authorized users, impersonate authorized users, utilize the service or account to circulate malware, or tamper with the network data. (Mosca, 2014)
The hackers performed a cross-site scripting (XSS) attack on some site to gain credentials into Amazon’s cloud. The attackers then infiltrated the Amazon Relational Database Service (RDS) so they would have a backend into Amazon’s system. This allowed the hackers to capture the login information of anyone who clicked the login button on the Amazon homepage. Once amazon detected the XSS, they patched it up fairly quickly. (Mosca, 2014)
An interesting fact about this case is that it wasn’t even Amazon’s fault. The hijackers gained accessed through a more vulnerable domain. This shows that one vulnerable system may lead to the whole network being compromised. Also, Twitter, Google’s app engine, and Facebook all experience similar attacks during this time period. (Mosca, 2014)
According to the Cloud Security Alliance (CSA), organizations should disallow users and services form sharing account credentials and employ multifactor authentication to defend against the attack Amazon experienced. Although these changes will create a more secure cloud, it will make systems more difficult for everyday users because of the extra steps to login in. It is a constant struggle to secure a cloud system and everyday people are developing new ways to create a safer cloud environment. (Mosca, 2014)
How Cloud Security Relates to the Material Covered in MIS3406
In MIS3406 we learned to create a cloud-based application that is hosted on AWS. If I was to setup an application, cloud security would be a part of every decision that I make. It is very important to ensure that my application doesn’t get breached, so all of the important data isn’t stolen. The learning objectives for MIS3406 are:
- Understand the concepts of modern cloud computing
- Build a cloud application deployment infrastructure using AWS
- analyze and configure a cloud infrastructure for scaling and redundancy
- Develop a simple RESTful API using Node.js
- Deploy an API to a cloud infrastructure using instance-based and application-based methods
All of these learning objectives require some type of cloud security because we want to make sure that any important data is secured. It is also important to mention that businesses expect cloud-based applications to have security built-in.
How Cloud Security Relates to Mobile Cloud Computing
Cloud Security is important in all aspects of the cloud especially in mobile cloud computing. Mobile cloud computing can have important data stored like credit card information, current location, contacts, important notes, pictures, etc. This information must be secured and protected from outsides attacks. Cloud security will help secure mobile cloud computing applications by eliminating any weak points into the network. When applications are built on a mobile cloud computing platform, security must be built-in in order to protect all of the data that is running through or stored on the application.
Mosca, P., Zhang, Y.P., Xiao, Z.F. and Wang, Y. (2014) Cloud Security: Services, Risks, and a Case Study on Amazon Cloud Services. Int. J. Communications, Network and System Sciences, 7, 529-535.
The 2018 Cloud Security Guide: Platforms, Threats, and Solutions. (2019, October 2). Retrieved April 26, 2020, from https://www.secureworks.com/blog/cloud-security-guide-to-platforms-threats-solutions
What is Cloud Security, or Cloud Computing Security? (n.d.). Retrieved April 26, 2020, from https://www.beyondtrust.com/resources/glossary/cloud-security-cloud-computing-security
What is Cloud Security? How to Secure the Cloud. (n.d.). Retrieved April 26, 2020, from https://www.mcafee.com/enterprise/en-us/security-awareness/cloud.html