2. Cloud Computing Security
ARUNVIGNESH VENKATESH 2
Content
Cloud Computing Growth
Recent Attacks on Cloud Computing
Cloud Security Threats
Cloud Security: Things to be taken care
Solution Architecture: Secured Cloud Design
View point
1. Cloud Computing Growth in recent years
I wouldn’t be surprised if I don’t hear the word ‘cloud’ from ANY IT techie today. That’s the growth of
cloud computing in the market. Here’s another classic example: Google Search interest in ‘cloud
computing’ has increased drastically, from 20% (in 2009) to around 95% (in 2015).
Not only techies but global industries are also slowly steering towards the cloud world because
of its fascinating factors: no CapEx, a pay-as-you-go pricing model, no infrastructure management, ‘as a
service’ options, etc.
Seeing enterprises’ interest in the cloud, leading technology vendors such as Oracle, Redhat,
Windows and Symantec have offered their products in a cloud model on a subscription basis rather than the
traditional license model.
2. Recent Attacks on Cloud Computing
As they say, “When good goes its way, the bad follows.” When all eyes are blindfolded by
cloud computing’s facts, they fail to build their cloud stronger.
As the cloud has emerged in recent years, attacks on cloud environments have also increased.
The Home Depot (HD), JPMorgan Chase (JPM) and even the White House were breached in 2015.
Reconnaissance increased significantly in 2014. Some of the most common scans we detected included
ZmEu, Morfeus, VNCScan, and Nessus scans, as well as multiple generic scans.
Over recent years, the numbers around healthcare data breaches can be quite sobering.
Total Breaches: 495
Total Records: 21.12 million
Total Cost: $4.1 billion
Average Size: 42,659 records
Average Cost: $8.27 million
Average Time to Identify: 84.78 days
Average Time to Notify: 68.31 days
According to a recent Cloud Security Alliance Report, insider attacks are the sixth biggest threat in cloud
computing.
3. Major Threats of Cloud Computing
The Cloud Security Alliance (CSA) leads a number of ongoing research initiatives through which it
provides white papers, tools and reports to help companies and vendors secure cloud computing
services.
CSA has created “The Treacherous 12” - Cloud Computing’s Top 12 Threats in 2016.
1) DATA BREACHES
Cloud providers are an attractive target for this attack because of the “vast amount of data” they hold. When
a data breach occurs, companies may incur fines, or they may face lawsuits or criminal charges.
Cloud providers typically deploy security controls to protect their environments, but ultimately,
organizations are responsible for protecting their own data in the cloud.
Remedy: The CSA has recommended organizations use multifactor authentication and
encryption to protect against data breaches.
2) COMPROMISED CREDENTIALS AND BROKEN AUTHENTICATION:
Organizations often struggle with identity management as they try to allocate permissions
appropriate to the user’s job role. Data breaches frequently result from lack of scalable identity
access management systems, failure to use multifactor authentication, weak password use, and
a lack of ongoing automated rotation of cryptographic keys, passwords and certificates.
Remedy: Identity systems are becoming increasingly interconnected, and federating identity
with a cloud provider (e.g. SAML assertions) is becoming more prevalent to ease the burden of
user maintenance.
Multifactor authentication systems such as smart cards, OTP, and phone authentication are
required for cloud computing end users. The use of cryptographic keys, including
TLS certificates and the keys used to protect cloud services, is recommended.
3) HACKED INTERFACES AND APIS
Practically every cloud service and application now offers APIs. The security of the cloud
depends upon the security of these interfaces. Some problems are:
Weak credentials
Insufficient authorization checks
Insufficient input-data validation
Also, cloud APIs are still immature, which means that they are frequently updated. A bug fix can
introduce another security hole in the application.
Remedy: The CSA also recommends adequate controls as the “first line of defense and
detection.” Security-focused code reviews and rigorous penetration testing are the key security
walls against these attacks.
4) EXPLOITED SYSTEM VULNERABILITIES
‘Bugs’ in any server became exploitable remotely when networks were created, but they've
become a bigger problem with the advent of multitenancy in cloud computing. Organizations
share memory, databases, and other resources in close proximity to one another, creating new
attack surfaces.
Remedy: Best practices include regular vulnerability scanning, prompt patch management, and
quick follow-up on reported system threats, says CSA.
5) ACCOUNT HIJACKING
Cloud solutions add a new threat called ‘Account Hijacking’ to the landscape. If an attacker gains
access to customer’s credentials, they can eavesdrop on customer’s activities and transactions,
manipulate data, return falsified information and redirect end user to illegitimate sites.
Remedy: Organizations should look to prohibit the sharing of account credentials among users
and services and leverage strong two-factor authentication techniques where possible. All
accounts and account activities should be monitored and traceable to a human owner, even
service accounts.
6) MALICIOUS INSIDERS
A malicious insider threat to an organization is a current or former employee, contractor, or
other business partner who has or had authorized access to an organization’s network, system,
or data and intentionally exceeded or misused that access in a manner that negatively affected
the confidentiality, integrity, or availability of the organization’s information or information
systems.
In a cloud scenario, a hell-bent insider can destroy whole infrastructures or manipulate data.
Systems that depend solely on the cloud service provider for security, such as encryption, are at
greatest risk.
Remedy: The CSA recommends that organizations control the encryption process and keys,
segregating duties and minimizing access given to users. Effective logging, monitoring, and
auditing administrator activities are also critical. Proper training and management to prevent
such mistakes becomes more critical in the cloud, due to greater potential exposure.
7) THE APT PARASITE
APTs (Advanced Persistent Threats) infiltrate systems to establish a foothold, then stealthily
exfiltrate data and intellectual property over an extended period of time.
Remedy: Awareness programs that are regularly reinforced are one of the
best defenses against these types of attacks, because many of these
vulnerabilities require user intervention or action. Staff should be
ingrained with thinking twice before opening an attachment or clicking
a link.
8) PERMANENT DATA LOSS
As the cloud has matured, reports of permanent data loss due to provider error have become
extremely rare. But malicious hackers have been known to permanently delete cloud data to
harm businesses, and cloud data centers are as vulnerable to natural disasters as any facility.
Remedy: Providers should offer solutions for geographic redundancy, data backup within the
cloud, and premise-to-cloud backups. Cloud providers also recommend that their customers
distribute data and applications across multiple zones for added protection.
If a customer encrypts data before uploading it to the cloud, then that customer must be careful
to protect the encryption key. Once the key is lost, so is the data.
9) INADEQUATE DUE-DILIGENCE
Due diligence applies whether the organization is trying to migrate to the cloud or merging (or
working) with another company in the cloud.
An organization that rushes to adopt cloud technologies and choose CSPs without performing
due diligence exposes itself to a myriad of commercial, financial, technical, legal and compliance
risks that jeopardize its success.
Remedy: The CSA reminds organizations they must perform extensive due diligence to
understand the risks they assume when they subscribe to each cloud service.
10) CLOUD SERVICE ABUSES
Abuses such as poorly secured cloud service deployments, free cloud service trials and
fraudulent account sign-ups via payment instrument fraud expose cloud computing models such
as IaaS, PaaS, and SaaS to malicious attacks.
Remedy:
Providers need to recognize types of abuse -- such as scrutinizing traffic to recognize DDoS
attacks -- and offer tools for customers to monitor the health of their cloud environments.
Customers should make sure providers offer a mechanism for reporting abuse. Although
customers may not be direct prey for malicious actions, cloud service abuse can still result in
service availability issues and data loss.
11) DOS ATTACKS
Denial-of-service (DoS) attacks are attacks meant to prevent users of a service from being able
to access their data or their applications. Systems may slow to a crawl or simply time out.
Remedy: Cloud providers tend to be better poised to handle DoS attacks than their customers,
the CSA said. System administrators must be able to immediately access resources that can be
used as mitigation.
12) SHARED TECHNOLOGY, SHARED DANGERS
Cloud service providers deliver their services scalably by sharing infrastructure, platforms or
applications. Cloud technology divides the “as a Service” offering without substantially changing
the off-the-shelf hardware/software, sometimes at the expense of security.
The key is that a single vulnerability or misconfiguration can lead to a compromise across an
entire provider’s cloud. If an integral component gets compromised -- say, a hypervisor, a
shared platform component, or an application -- it exposes the entire environment to potential
compromise and breach.
Remedy: It is recommended to enable Multi-factor authentication on all hosts, Host based
Intrusion Detection System (HIDS) and Network-based Intrusion Detection Systems (NIDS) on
internal networks, applying concepts of networking least privilege and segmentation, and
keeping shared resources patched.
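The remedies listed above for threats 2 and 5 (multifactor authentication, ongoing rotation of keys, no shared credentials, and every account traceable to a human owner, service accounts included) can be checked mechanically. The audit below is an added example, not part of the original paper; the inventory fields, the access-log format and the 90-day rotation limit are assumptions, and all sample data is constructed.

```python
from datetime import date

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; the paper gives no figure

# Constructed sample inventory (not real accounts); field names are hypothetical.
ACCOUNTS = [
    {"name": "alice", "type": "user", "owner": "alice", "mfa": True,
     "key_created": date(2016, 5, 1)},
    {"name": "bob", "type": "user", "owner": "bob", "mfa": False,
     "key_created": date(2016, 4, 20)},
    {"name": "svc-backup", "type": "service", "owner": None, "mfa": False,
     "key_created": date(2015, 1, 10)},
    {"name": "svc-deploy", "type": "service", "owner": "carol", "mfa": False,
     "key_created": date(2016, 3, 15)},
]

# Constructed access records: (account, principal that presented its credential)
ACCESS_LOG = [
    ("alice", "alice-laptop"), ("alice", "alice-laptop"),
    ("svc-deploy", "ci-runner"), ("svc-deploy", "dave-laptop"),
    ("bob", "bob-laptop"),
]

def audit(accounts, access_log, today):
    """Return {account name: sorted list of findings} for accounts with issues."""
    users_of = {}
    for account, source in access_log:
        users_of.setdefault(account, set()).add(source)

    findings = {}
    for acct in accounts:
        issues = []
        if not acct["owner"]:
            issues.append("no-human-owner")
        # MFA is checked for interactive users; service accounts rely on rotation
        if acct["type"] == "user" and not acct["mfa"]:
            issues.append("mfa-disabled")
        if (today - acct["key_created"]).days > MAX_KEY_AGE_DAYS:
            issues.append("key-rotation-overdue")
        # One credential presented by more than one principal means it is shared
        if len(users_of.get(acct["name"], ())) > 1:
            issues.append("credential-shared")
        if issues:
            findings[acct["name"]] = sorted(issues)
    return findings

if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS, ACCESS_LOG, date(2016, 6, 1)).items():
        print(f"{name}: {', '.join(issues)}")
```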
4. Securing Cloud:
Cloud always comes with a Shared Responsibility model between the service provider, such as Amazon,
Azure or Google, and the customers using their services.
Provider’s Security:
1. PHYSICAL SECURITY
Cloud service providers physically secure the IT hardware (servers, routers, cables etc.) against
unauthorized access, interference, theft, fires, floods etc. and ensure that essential supplies (such as
electricity) are sufficiently robust to minimize the possibility of disruption. This is normally achieved by
serving cloud applications from 'world-class' (i.e. professionally specified, designed, constructed,
managed, monitored and maintained) data centers.
2. PERSONNEL SECURITY
Various information security concerns relating to the IT and other professionals associated with cloud
services are typically handled through pre-, para- and post-employment activities such as security
screening potential recruits, security awareness and training programs, proactive
3. PRIVACY
Providers ensure that all critical data (credit card numbers, for example) are masked or encrypted and
that only authorized users have access to data in its entirety. Moreover, digital identities and credentials
must be protected as should any data that the provider collects or produces about customer activity in
the cloud.
Customer’s Responsibility:
End customers share equal responsibility with providers for securing their cloud
infrastructure. Below are the key areas where customers need to focus on their cloud security.
Provide the Security Architecture Drawing
Have Specialized Protections for the Perimeter
Hold the Firewall Segregating All Networks, Including Server Environment Operators and Users
Segregate Functions Inside the Provider
Allow Vulnerability Analysis and Ethical Hacking
Allow Access to the Environment Log and Systems
Allow the Use of Correlation Tools and Log Retention
Share the Business Continuity Policy and Disaster Recovery Plan
Detail Procedures in Case of DDoS Attacks
Access Control
5. Secured Cloud Design
The key player in cloud security is the Solution Architect, who makes sure that the security measures on the
customer’s cloud space are met, while the cloud service provider takes care of the measures in their on-prem environment.
6. View Point
Though this many incidents have been reported, it still can’t be denied that there is a gradual rise in
cloud computing adoption in the global market. The best way to avoid unwanted security issues in the cloud
would be:
The customer is required to perform detailed due diligence before moving to the cloud world.
The Solution Architect is the guide for the customer in terms of security, compatibility and performance, in
making their cloud journey successful.
With this, customers can enjoy the benefits of cloud computing with the same security as ‘in-house’.
CONTACT:
Arunvignesh Venkatesh,
Enterprise Cloud Consultant,
Mindtree India, Global village, RVCE post,
Mysore Road, Bangalore - 560 059
E-mail: Arunvignesh.Venkatesh@mindtree.com
Linked-In: https://in.linkedin.com/in/arunvignesh-venkatesh-5456602b
Social Network: https://www.facebook.com/arun.vignesh.7
Mobile: +91 805 053 5547 | Phone: +91 80 3395 7791 | Fax: +91 80 6706 4100