Cloud computing has emerged as viable option for the organizations to provide elastic, fast, on-demand, and cost-effective access to a pool of resources shared by multiple consumers or organizations. With the advent of cloud computing, organizations have been relieved of the responsibilities to manage the complex tasks of development and management of computing infrastructure. Rather, handling all the activities related to consumers’ data and applications is the responsibility of the cloud service providers. The cloud computing paradigm provides resources to the consumers through several means, such as virtualization, multi-tenancy model, and Web services. The consumers are provided the cloud services through the Internet. Although this paradigm brings several benefits for consumers and tenants, it also entails serious threats to the consumers’ data stored at the cloud providers’ locations. Particularly, the public cloud where the resources are shared among the multiple tenants is highly vulnerable to the security and privacy threats.
It is also important to mention that the types of threats to the data and applications in the cloud environment are actually different from the threats to the traditional information technology infrastructure. The reason for this is that in the cloud computing environment, the resources are shared and pooled among the multiple tenants or consumers. Consequently, the probability of the disclosure of information to the other unauthorized consumers and users is increased. For the consumers of private cloud, usually such types of risks are not much vital but off course they are still susceptible to other risks; however, public cloud and hybrid cloud definitely are vulnerable to the unauthorized access due to their very architectures.
In fact, both the data stored at the cloud and in transit is susceptible to unauthorized access. The data available on the world wide web (www) is particularly open to vulnerabilities of several types. According to Open Web Application Security Project, the following are the most critical security threats for Web applications and, therefore, the appropriate measures should be taken by the organizations when architecting and designing their Web applications.
- Injection flaws— these result in execution of unintended commands without appropriate authorization
- Broken Authentication— results in compromising the passwords, keys etc.
- Sensitive Data Exposure—this includes theft of sensitive information, such as credit card information, identity theft, or health information while connected through the browser etc.
- XML External Entities (XXE)—includes file disclosure of information through external entities references in XML documents
- Broken Access Control— includes access to the data one is not allowed to have, for example due to compromised access control, unauthorized access to other users’ accounts etc.
- Security Misconfigurations— the most common problem in fact. For example, inappropriate default configurations, misconfigured HTTP headers, open cloud storage, or ad hoc configurations give rise to the security vulnerabilities
- Cross-Site Scripting — includes defacing the websites or redirects the users to the malicious sites through the malicious scripts executed in the browsers.
- Insecure Deserialization — due to insecure deserialization, undesirable situations, such as injection attack, replay attacks, and privilege escalation attacks might be encountered
- Use of Components with Known Vulnerabilities—if certain libraries or components whose vulnerabilities are already known are employed, this might lead to serious issues, such as data loss or server takeover etc.
- Insufficient Logging and Monitoring— insufficient monitoring and logging also permits attackers to tamper, destroy, or hack the data
Likewise, there are also other threats for cloud users. These include:
- Loss of Control—the organizations that opt to use the cloud services and store data on the cloud eventually lose control over their data. Although, this is also dependent on the particular service model of the cloud, but it is a fact that the consumers or users have limited control over their data.
- Insider Threats—in this type of threat, some insiders having legitimate access to the cloud data can behave maliciously and disclose the organization’s sensitive information to the unauthorized parties. The insiders may be the current or former employees of the organizations or contractors who have sufficient access to the data.
- Denial of Service (DoS) attack— in this type of attack, the attacker attempts to make the resource or data unavailable to the cloud consumer. These outages may be temporary or indefinite.
- Inadequate Data Deletion—sometime the cloud providers need to delete or remove the consumers’ data from the cloud servers; however, this deletion is not complete or partial (accidentally or intentionally). The incomplete deletion of the information may result in the exposure of sensitive information to the unauthorized users.
- Lack of visibility—since the consumers data is stored at the cloud providers’ location, outside the organization, therefore, they do not have any means to effectively monitor their data and have to rely on the service providers
- External Sharing Threats — the data at cloud may also be shared externally with other entities through some means, for example sharing through links. Mishandling of these risks can result in disclosure of the sensitive information to the unauthorized external entities thus compromising the data privacy.
With the increasing threats to the cloud security, the need to devise advanced methodologies to deal with these threats has increased. In this regard, the National Institute of Standards and Technology (NIST) has introduced the cloud security framework that offers the important key functions for management of security risks in the cloud environment. The cloud policy framework serves as the guidelines for the organizations to develop the security infrastructure. The five components of this framework include:
- Identify—this refers to understanding the complete organizational requirements pertinent to the security and performing a comprehensive assessment of security risks.
- Protect—suggests deploying the security procedures and measures so that the organizational infrastructure can be protected in the wake of attacks
- Detect— the organization should have network monitoring procedures in place so that any issues or attempts to attack the organization can be proactively detected
- Respond— in response to the potential or active threats to the organizational business appropriate countermeasures are needed to deal with the attacks
- Develop—this refers to devising the procedures and measures to restore the operations in case of any disruption
In conclusion, the rate at which the world is heading towards the development of smart and automated systems, the need to secure the data and applications from the unauthorized access has also increased manifolds. Therefore, the recent research needs to focus more on the development of robust and efficient security measures to help enterprises secure their data meant for storage at cloud.