Security Challenges in the Cloud
By Hasini Gunasinghe
- 21 Aug, 2011
Introduction: What is Cloud Computing
Cloud Computing is an evolving paradigm that provides hardware infrastructure, platform and software as services readily available on demand over the Internet, which users can consume on a pay-per-use basis. It is also called utility-oriented computing where computer resources are made available for consumption like other utilities such as electricity and telephone.
Cloud services reduce the initial costs and maintenance overhead of IT infrastructure resources to a greater extent and enable businesses to go into production in less time. Incidentally, according to Gartner's worldwide survey of nearly 1,600 CIOs in 2010, virtualization and cloud computing are the top technical priorities of organizations today1.
More and more businesses are moving into the cloud for accommodating high load requirements during peak times and to offer better quality of service to the customers. Consequently, security in the cloud has become a pressing concern in enterprise software markets worldwide.
- The Importance of Security in the Cloud
- Cloud's Security Challenges
The Importance of Security in the Cloud
The cloud computing model encourages businesses/e-science to rely on third party services for their computing infrastructure and software requirements. Hence trust towards service providers is fundamental when moving into the cloud.
Security and data privacy are major concerns of cloud consumers when hosting their sensitive data, applications and performing critical operations/transactions in the cloud. On the other hand, it is a major challenge for cloud providers to meet security, trust and privacy requirements of their clients.
Cloud is like a double edged sward because in the same way it provides as much resources as required by businesses/e-sciences on demand, it is also vulnerable to large-scale attacks on data and applications hosted on cloud. Therefore it is important to have paid attention to security, trust and privacy challenges from the design level itself of the cloud services.
Cloud's Security Challenges
We can identify three main layers of could computing stack as follows, each having its own security challenges.
- Infrastructure as a Service - provides network, hardware and storage as a service
- Platform as a Service - provides both system level middleware such as hypervisors, virtual machines, guest OS's and user-level middleware such as Mashups, workflows, Web services stacks implementations and application servers to host cloud apps.
- Software as a Service - provides cloud applications such as social computing, e-mail services etc.
Following can be identified as some of the main security challenges among many others, which are encountered in the cloud computing layers mentioned above:
Physical security - Data centers where important, sensitive data of millions of users is hosted, need to be protected with strong security mechanisms such as multi-factor authentications before accessing data center floors, system and network control and security monitoring. Rules and regulations in the region/country where the data centers are hosted also play a key role and have major impact on this aspect.
Availability - this is important because, when the trusted service is not available, it opens doors to phishing attackers. Since cloud services are utilized by thousands of consumers with varying load and traffic levels, it is critical to ensure minimum downtime by means of load balancing and auto-scaling.
Data isolation and protection - in a multi-tenanted environment where a large number of tenants host their important data at cloud providers' site, it is important to provide the expected level of data isolation and encryption (whether it is at disk level, directory level, file level or application level) to avoid data breaches.
Execution isolation, logic isolation - specially in multi-tenanted PaaS environments where the number of applications from different cloud consumers/SaaS providers are hosted, execution and logic isolation is a required aspect. It should be facilitated from the architecture/design level in order to prevent vulnerabilities of one tenant's application affecting other tenants' application/data.
Malicious code - Once again in PaaS (user level middleware) environments, where custom code of different tenants are allowed to be executed, it is important to prevent access to privileged operations in the user level middleware in order to protect the entire system from malicious code and security breaches.
Identity management - this is a challenge spread across four main areas:
- Authentication - cloud users need to be authenticated using strong identity factors to avoid brute force attacks and needs to support federated identity management to avoid same user identity being stored in multiple cloud environments.
- Authorization - need to have centrally governed, flexible, scalable and fine-grained access management solutions.
- Auditing - all security related events needs to be recorded and securely archived while ensuring integrity and confidentiality of the logs in order to track accountability and detect security policy violations.
- Administration - standard and secured user account provisioning mechanisms should be supported to cater the identity management requirements when moving from enterprise-to-cloud and cloud-to-cloud.
Cloud providers of any category of the cloud need to identify the security challenges/requirements and take measures to overcome/facilitate them in order to meet the consumers' quality of service expectations and be established as a trustworthy service provider.
Hasini Gunasinghe, Software Engineer, WSO2 Inc.