Many companies have realized the necessity of cloud computing because of the convenience it offers. They have been able to share resources such as applications, servers, and networks, thus enabling them to reduce costs and enhance efficiency. Cloud computing has enabled organizations to solve the problem of data storage because it offers them unlimited capacity to do so. They also benefit from increased flexibility and portability. As with many internet technologies, users worry about the security of their data. They are concerned with how they can improve cloud security at all levels. Because of the cloud’s scalability, cloud service providers can no longer depend on the traditional security measures used on other internet applications, such as requiring authorization.
Security issues in cloud computing emerge because of the consumers’ loss of control, the lack of trust mechanisms, and the multi-tenancy characteristics of the cloud. Most people use the public cloud because of all the benefits it offers. However, they do not have any control over the data because the cloud service providers possess all the applications and resources as well as any available data. In addition, the providers have access to the control rules as well as any security policies. The providers also manage user identities and maintain the services and resources that the consumers use, in addition to ensuring that the consumers have all the information they need. Therefore, the consumers are not in control, as they have to depend on their providers for everything. Loss of control may limit the organization’s capability to fulfill its objectives. It may also lead to a lack of confidentiality as well as a decrease in service quality and performance (Vacca, 2012).
Giving the consumers more responsibility and control will minimize security risks. For instance, many companies’ decision to improve the authentication process has ensured that users have some level of responsibility. Consumers can have more control over their data by having different clouds. For instance, they can decide to have both private and public clouds. This enables them to distribute risks to different areas. However, they have to observe the compatibility of policies in the different clouds used as well as any divergence in any applications. They can also ensure that they use the different access controls available. Users should choose a provider who enables them to have control in different layers.
Providers can increase the level of consumers’ trust by establishing and implementing security policies and regulations. They can also ensure that they have adequate technology to handle breaches and other security issues that might emerge. The providers can minimize the lack of trust that the consumers have and increase their assurance by having a third party conduct their risk assessment. The multi-tenancy attribute may cause conflicts because different users may have opposing goals. Providers cannot control all the consumers’ activities on the cloud. Some people have bad intentions such as causing harm to other people’s data when they access the cloud. This leads to the providers losing their reputation. Providers can try to work through this by blocking the IP addresses of such consumers (Vacca, 2012). However, this may not be effective, as a client may have more than one IP address, especially when using different devices to access the cloud. Providers have to ensure that they isolate all the users so that they can avoid conflicts. Consumers have a responsibility to ensure that their computers and other devices are secure. Ensuring security of the host computer will reduce the possible risks and vulnerabilities. Much as the provider may have done everything to ensure that there is no breach of security, data can be compromised if the users do not have secure systems. This not only affects the users’ data but also the cloud, and ends up compromising other people’s data.
There are many security issues to consider in cloud computing because there are many technologies, services, and applications involved. The cloud providers and consumers have to ensure that different elements such as the network, servers, platforms, operating systems, memory, and virtualization are all secure. Security becomes a greater concern in cloud computing because of the wide availability of data and the capability of sharing data across different networks and systems. Hackers and other attackers could be using the same provider as the users, and this gives them easy access to data. Distributed denial of service attacks affect cloud providers by making it impossible for their customers to access the services they need. The attackers aim to maximize their damage by accessing as many customers as they can. Other technical risks in cloud computing include economic denial of service, exhaustion of the available resources, employee or provider abuse of privileged access, data leakage, loss of encryption keys, and interception of data in transit, among others (Vacca, 2012).
Cloud computing is a matter of trust. Consumers trust their cloud service providers to protect their data. It is important for cloud service providers to know the type of employees they have since they will have control of the consumers’ data at some point. The providers also need to have enough infrastructure and resources to ensure that they are in control of the data and that they are in a position to prevent a breach. In situations where employees choose to deploy private clouds, they should check the person they have entrusted with their information systems. They should ensure that he or she is a person of integrity who will not use the consumers’ data for other activities.
Every aspect involved in cloud computing has to be secure. This involves encryption of data at rest and at all points of transit as well as techniques in data mining to ensure that all data, whether stored or transferred between different points, is secure. Encryption enables the safety and protection of sensitive data. Using digital signatures that are secure will ensure that an attacker is not able to access the data. Encryption is not an effective process in the cloud, as users will have to decrypt the data, leaving it exposed to attacks. Using cryptographic keys is more effective, as it ensures that only specific users are able to access the data. Cloud vendors do not need to depend solely on the resources, such as bandwidth, which they receive from their internet providers. They should ensure that they have sufficient resources to deal with security breaches within a short time.
The service models of cloud computing include Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). IaaS includes all the infrastructure resources such as servers, network, and software. By using Software as a Service, consumers take advantage of applications that run on cloud infrastructure. Using Platform as a Service, users can install their individual applications on the cloud infrastructure without adding any other tools on their machines. The models are interrelated and this affects the level of security. Any security breach in IaaS will affect PaaS and SaaS. There is greater security reliance between SaaS and PaaS because SaaS applications are built using the PaaS platform. These types of services have particular security concerns and they require the responsibilities of different individuals. The level of abstraction and the command that the consumers have when using the models determine the security measures applied (Hashizume et al., 2013).
Under the SaaS model, the cloud providers are responsible for security since the consumers do not have much control. The consumers depend on the providers, who manage technical and operational aspects including security. The cloud vendors provide the applications that are already on the cloud infrastructure. They do not have to install the applications on the consumers’ computers. There are many security issues with accessibility, applications, data security, and multi-tenancy. It is easy to access any network device using the internet, but this increases security risks. There are many security risks found in insecure networks and marketplaces. Consumers face more threats if the operating systems and other applications on their devices are vulnerable.
There is the added risk of information stealing and hacking. Many attackers use the internet to steal data and carry out other malicious activities. Using multiple tenants provides additional challenges. Having multiple tenants requires one to have different databases for information storage and this can result in data leakage. Some cloud providers use the services of third parties to handle other activities such as data backup. This increases security threats and concerns because more people will have access to the data. The multi-tenancy characteristic means that a user can intrude on another person’s information (Hashizume et al., 2013).
Cloud providers need to ensure that they invest in security because they are responsible for the processing and storing of data. This will involve installing applications that will ensure that all the customers’ data are separated. There should be a clear boundary between the customers’ data at all levels. The boundaries should be developed in such a way that other users cannot hack into them or take advantage of any loopholes created in different processes. Having a powerful server will ensure that there is minimal data leakage. The vendors should ensure that they have strong encryption techniques to use on their networks. Using two-factor authentication improves security in a multi-tenancy environment. The providers should be capable of providing all the services needed. Data backup is crucial and it is necessary in case one needs to recover data during disasters. Cloud providers should be in a position to provide data backup and they should reduce their dependence on third-party contractors. Having secure protocols as well as effective password management will help reduce security risks (Hashizume et al., 2013).
The cloud providers make it possible for the consumers to create and manage the applications they have made by giving them a platform and other tools and services. The consumers have more control using the PaaS model, but the responsibility of ensuring security falls on the cloud providers. There are two factors to consider when implementing security measures. The first is the consumer applications and the second is the PaaS platform. Security measures have to consider these two factors. The constant changes in PaaS applications and components affect its security. Security concerns arise from third parties, which provide different internet-related components, the development life cycle, and the underlying infrastructure. The model takes over any third-party security issues. Although the customers have greater control in this model, the cloud providers are responsible for the underlying infrastructure and applications. Therefore, they have an active role to play to ensure that the infrastructure is secure (Hashizume et al., 2013). On the other hand, developers are in charge of the security of the applications they create.
Awareness and education are necessary to control any security issues in this model. The users need to distinguish between sensitive and non-sensitive information. They should avoid using the public cloud for sensitive information, as this will lead to greater risks. Service developers need to come up with enhanced secure procedures and techniques. They need to know the proper storage of data, which will enhance its security. However, risks can arise at any stage of handling data. Therefore, the cloud providers should ensure that there are security measures at every level, from when they receive the data to when the consumers use it (Hashizume et al., 2013).
Individual effort alone cannot guarantee that the consumers’ data is secure. A consumer can select a complicated and effective password and username, but the effort will be futile if the provider and other users do not make the same effort. This is a shared system, and an attack on the provider will mean an attack on the users. Before selecting a cloud service provider, customers must check whether the provider has the necessary security measures. The consumers should use providers who have effective authentication measures. Vendors who choose to use two-factor authentication are more effective than those who ask for a user name and password only. The consumers need to ensure that the vendor implements stringent security policies, procedures, and measures.
In the IaaS model, consumers have more control over security compared to the other models. It presents greater challenges in terms of enhancing security. The model provides different computer resources, which are part of the virtualized system, and the consumers can use them through the internet. The cloud providers supply the computer resources, networks, and any other infrastructure to the customers. Consumers face no limits on the software they run using the resources provided. Users are able to develop, share, and replicate virtual machines. Attackers can take advantage of the many layers if they are not secured well. Migration of virtual machines makes it possible for attackers to compromise data security. Sharing of resources between virtual monitors increases security threats. The ability to roll back virtual machines creates more opportunity for security breaches (Hashizume et al., 2013).
Consumers and providers both have a role to play in enhancing virtual and physical security. Although users have greater control under this model, providers are responsible for storage and network. Simple machines are easier to secure because it is possible to identify any point of error or security breach and correct it. Having systems that are more complex and interconnected makes it hard to control any security threats and it provides many entry points for malicious attackers (Hashizume et al., 2013).
Deployment models in cloud computing include public, private, hybrid, and community. In the public deployment model, organizations are free to share computer resources and infrastructure. The provider owns the infrastructure, and the consumer does not have any control. The organizations can access the resources online. Organizations do not have to worry about purchase and maintenance of the resources because they are the responsibility of the service providers. This makes it relatively cheap for businesses. This form of cloud computing is not limited to the geographical location of a business. The security of all applications is the responsibility of the provider, as the consumers do not have any control (Tipton & Nozaki, 2012). Ensuring security is important in this model, because the cloud provider depends on it to succeed. Any breach of security leads to poor reputation for the cloud vendor.
In the private cloud deployment model, the organization owns the infrastructure and the data centers. It is responsible for purchasing, building, and maintaining the cloud and this can be expensive. The organization is responsible for the daily operations and security management. Therefore, it has much control over the platform and data used. It can handle the activities internally or it can contract them to a third party. Different organizations do not share the infrastructure. The organization can manage the infrastructure or it can contract the services of a third party, which may be internal or external. This model tends to be more expensive because of the enhanced security (Tipton & Nozaki, 2012).
The hybrid model is a combination of the private and public models. The models act as individual entities but they are linked by standard technologies. The organization uses such a model to ensure security of the data by accessing sensitive and important applications in the private cloud, and it takes advantage of the benefits provided under the public cloud system when using applications that are not sensitive and when not dealing with core data (Tipton & Nozaki, 2012). The architecture of the hybrid cloud, as well as the services that the organization intends it to perform, determines whether it will be located on site or off site. The complex nature of the hybrid cloud predisposes it to different vulnerabilities.
The community form of cloud computing enables organizations from a particular community to share infrastructure. The organizations have similar interests such as the need to improve and maintain security. The organizations or third parties can manage the systems. The members share financial responsibility as well as the available resources. In some cases, one community member can provide the funding and resources needed. The other members then contribute accordingly. The members have control over some issues, and they vote to determine the course of action to take.
Recent Security Breaches
Different companies that have embraced cloud computing have experienced breaches in their security. Recently, hackers were able to expose the data of two million users using Adobe cloud service. They were able to get the users’ IDs and names, their encrypted card numbers, and their encrypted passwords. The hackers swiped the source code used in the company’s servers. The company examined the malware analysis. The company is a cloud provider and it implemented security updates. However, some of its customers failed to implement the updates and this left them vulnerable to attacks (Krebs, 2013).
Another security breach involved Dropbox, which is a storage cloud provider. Hackers penetrated the system and managed to retrieve the clients’ information. The hackers used the customers’ user names and passwords, which they had obtained from other websites, to get into their Dropbox accounts. The emails on the company’s website had not been encrypted. The company worked on implementing two-factor authentication, which would prove the identity of the users accessing the system. It raised awareness among its customers of the necessity of having multiple passwords for different accounts. This followed the realization that customers tend to have the same accounts when accessing different websites (Prince, 2012).
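The Dropbox logins above used passwords reused from other websites, and an earlier paragraph notes that blocking single IP addresses is unreliable because one client may use several. The following sketch is an added example, not part of the original essay: it scans login records for both patterns, one source failing against many accounts and one account failing from many sources. The log format, addresses, user names, and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: "timestamp source_ip username result".
# Addresses come from the documentation ranges; names are made up.
SAMPLE_LOG = """\
2024-01-01T09:00:01 203.0.113.9 alice FAIL
2024-01-01T09:00:02 203.0.113.9 bob FAIL
2024-01-01T09:00:03 203.0.113.9 carol FAIL
2024-01-01T09:00:04 203.0.113.9 erin OK
2024-01-01T09:05:10 198.51.100.1 frank FAIL
2024-01-01T09:05:40 198.51.100.2 frank FAIL
2024-01-01T09:06:15 198.51.100.3 frank FAIL
2024-01-01T09:10:00 192.0.2.10 grace FAIL
2024-01-01T09:10:20 192.0.2.10 grace OK
this line is malformed and is skipped
"""


def parse_events(log_text):
    """Return (ip, user, result) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[3] in ("OK", "FAIL"):
            _, ip, user, result = fields
            events.append((ip, user, result))
    return events


def analyse(events, min_accounts=3, min_sources=3):
    """Flag reused-credential login patterns (thresholds are assumptions)."""
    failed_users_by_ip = defaultdict(set)
    failed_ips_by_user = defaultdict(set)
    for ip, user, result in events:
        if result == "FAIL":
            failed_users_by_ip[ip].add(user)
            failed_ips_by_user[user].add(ip)

    # One source failing against many different accounts.
    spraying = {ip for ip, users in failed_users_by_ip.items()
                if len(users) >= min_accounts}
    # One account failing from many sources: per-IP blocking misses this.
    targeted = {user for user, ips in failed_ips_by_user.items()
                if len(ips) >= min_sources}
    # A success from a flagged source suggests a reused password worked.
    to_reset = {user for ip, user, result in events
                if result == "OK" and ip in spraying}

    return {
        "spraying_sources": sorted(spraying),
        "targeted_accounts": sorted(targeted),
        "accounts_to_reset": sorted(to_reset),
    }


if __name__ == "__main__":
    print(analyse(parse_events(SAMPLE_LOG)))
```

An ordinary mistyped password followed by a success (grace in the sample) is not flagged, while erin's account is listed for a forced reset and a two-factor prompt.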
Hackers managed to tamper with Sony Network. They compromised the users’ data in different websites, including Sony PlayStation Network and Sony Online Entertainment. The company took the affected networks offline. The hacker was able to access more than seventy million customers’ names, passwords, addresses, logins, dates of birth, and email accounts among other information on the PlayStation Network alone. The company worked with forensic experts to solve the problem, and they revealed that the company did not have a firewall. Epsilon is a cloud service provider, and it suffered a spear-phishing attack. Many businesses had entrusted the company with their customers’ data, and this was compromised after the attack (Schwartz, 2011).
The above cases highlight the importance of ensuring data security in a public cloud. Providers need to ensure that they have secured all their data, whether at rest or in transit. The cases also show the importance of authorization and authentication. Some companies are still using the traditional information technology methods to enhance their security. They have failed to identify the need to enhance and update their security constantly. This leaves them vulnerable to attacks. Adopting two-factor authentication and encryption is necessary in the cloud. This will improve security, as it will make it more difficult for hackers to penetrate the system. It is important for cloud service providers to maintain security because an attack on a provider’s system affects all its customers.
Cloud computing is the responsibility of every individual involved. Providers have a major role to play, as they are responsible for providing cloud services. The decisions they make affect different individuals. They affect the consumers who are using the data at the time and any other client who may have data in the cloud. They should ensure that they have the necessary resources and infrastructure to deal with an attack when it happens and to prevent one from happening. They should also play an active role in raising awareness and educating their customers concerning the different approaches they can use to secure data and other resources on their end. Consumers should not take advantage of the fact that they do not have much control over public data. They should strive to ensure that they have played their role towards ensuring that other users are not able to access their data. This includes measures such as having strong passwords, and using different deployment models and ensuring that their host computers are secure. Security concerns keep on emerging as attackers find new ways of accessing the cloud. Therefore, system developers and cloud providers need to upgrade their applications constantly and they need to invest in technology. This will enable them to reap the full benefits of cloud computing.
Hashizume, K., Rosado, G. D., Medina, F. E., & Fernandez, B. E. (2013). An analysis of security issues for cloud computing. Journal of Internet Services and Applications, 4(5), 2-13.
Krebs, B. (2013). Adobe to announce source code, customer data breach. Retrieved from http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
Prince, B. (2012). Spam campaign caused by stolen Dropbox employee password. Retrieved from http://www.eweek.com/c/a/Security/Spam-Campaign-Caused-by-Stolen-Dropbox-Employee-Password-344694/
Schwartz, J. M. (2011). 6 worst breaches of 2011. Retrieved from http://www.informationweek.com/security/attacks/6-worst-data-breaches-of-2011/232301079
Tipton, F. H., & Nozaki, K. M. (2012). Information security management handbook (6th ed.). Boca Raton: CRC Press.
Vacca, R. J. (2012). Computer and information security handbook. Waltham, MA: Newnes.