Up in the Cloud: Data and Security Concerns in Cloud Computing
Cloud computing enables convenient access to networks, servers, storage, applications, and services. In a cloud computing framework, shared resources can be rapidly provided on demand from individuals and organizations with minimal management or service provider interaction. This on-demand resource provision makes cloud computing a cost-effective approach to optimizing limited hardware resources. The ease of use and speed have led many individuals and organizations to shift their applications and services to the cloud.
However, the rapid adoption of cloud computing has created security concerns. These concerns include cloud-specific security challenges, along with the standard security risks associated with conventional IT infrastructures. For instance, network communication in the cloud has security vulnerabilities introduced by shared communication infrastructure and virtual networks, but it also faces challenges from conventional IT communication attacks, such as denial-of-service, man-in-the-middle and eavesdropping attacks. In recent research, Mazhar Ali, Samee U. Khan, and Athanasios V. Vasilakos distinguish these new cloud-specific security risks from those that already exist in conventional systems. They focus on three types of security threats that are specific to cloud computing: communicational, architectural, and legal.
With conventional IT infrastructure, it is standard practice for organizations to keep their digital assets, such as digital documentation, all operational and business data, and digital products and applications, in their own administrative domain. In contrast, cloud computing requires organizations to shift their digital assets to third-party cloud service providers whose infrastructure is not under the administrative control of the customer organizations. In addition, the same computing resources are shared between numerous users. Data outsourcing and resource sharing make many organizations concerned about hosting essential business data on the cloud, and are thus considered to be one of the biggest obstacles to adoption of cloud computing.
The paper identifies two types of communication-related security challenges: communication between customers and the cloud, and communication within the cloud. The security risks in external communication are similar to other communication challenges over the Internet. However, internal communication introduces cloud-specific challenges. Sharing cloud resources between users requires them to share a network infrastructure within the cloud. In addition, virtual networks, which are built over physical networks and play an important role in internal communication, cannot be monitored by security protection mechanisms on the underlying physical network. Thus, virtual networks are an obstacle to utilizing standard intrusion detection and prevention mechanisms.
On the architectural level, there are cloud-specific security challenges associated with virtualization, data storage, web applications, and access control. Virtualization allows the same physical resources to be used by multiple users, creating a virtual machine for each user. Imperfect isolation between users’ work environments may lead to data breaches and cross-user attacks. Data stored in the cloud is under the control of cloud service providers, but users only have a certain level of control over their work environment. The lack of user control raises concerns about data integrity, privacy, recovery vulnerability, media sanitization, and data backup.
Placing private data under the administrative control of cloud service providers introduces legal issues as well. For instance, determining responsibility in disputes often depends on monitoring statistics provided by cloud service providers, but these statistics may not be reliable since users do not have full information on how they are generated. Also, it is challenging to maintain reasonable isolation between resources provided to different users as promised by service-level agreements, which should be equivalent to physical isolation and be able to protect users from attacks. Another issue may arise when cloud resources are physically located in multiple geographic locations, which may have conflicting legal standards regarding information security.
While many security problems in the cloud have been addressed by various approaches proposed in the literature that try to improve system design for communication, architecture, data storage, and application development, there are still significant issues that have yet to be resolved. In addition, these problems will primarily be resolved by scientific advances, which security laws and regulations have not been able to keep up with. Creating a safe cloud environment requires joint efforts from both policy makers and technicians to establish a clear definition and separation of responsibility and accountability for all parties associated with the cloud. In the meantime, it is important to raise awareness about potential security threats in the cloud.
Article Source: Ali, Mazhar, Samee U. Khan, and Athanasios V. Vasilakos. “Security in Cloud Computing: Opportunities and Challenges.” Information Science, 2015.