Private cloud security risks. A private cloud configuration is a legacy configuration of a data center, often with distributed computing and BYOD capabilities. The organization controls the entire infrastructure (hardware, software, facilities, administrative personnel, security controls, and so on).
What are the security risks found in Private cloud?
A private cloud configuration is a legacy configuration of a data center, often with distributed computing and BYOD capabilities.
The organization controls the entire infrastructure.
These components might be owned, leased, or some combination thereof.
Many of the potential operating risks are somewhat attenuated by maintaining this level of control.
Policy promulgation and enforcement, network performance and security monitoring, personnel management, physical security and access, privileged account management, and auditing capability are all enhanced by ownership.
However, this entails a great deal of overhead expense and effort and does not attenuate all risks.
Personnel Threats
This includes both inadvertent and malicious threats. In the private cloud, personnel controls remain at the behest of the organization, which can be reassuring.
Natural disasters
In the private cloud, the organization knows exactly how prepared they are to cope with this situation and how often, what kind, and where backups are done.
External Attacks
These attacks can take many forms, such as unauthorized access, eavesdropping, DOS/DDoS, and so on.
Regulatory Noncompliance
In private configurations, full control resides internally, and the organization can know its exact regulatory exposure and confidently ensure that it is complying with all relevant regulations.
Malware
This can be considered an external or internal threat, depending on the source of the infection.
None of these risks are unique to the private cloud, but handling them internally provides the organization with complete knowledge and control of how each of these threats is being managed.
Important note to understand what are the security risks for cloud computing
Private cloud deployments are probably best suited to large organizations that have their own internal IT and security capabilities.
While there will be a variety of risks to the enterprise, the organization retains autonomy and authority for all aspects of the production environment.
This can be costly, but it is an excellent way to ensure all risks of concern to the organization are being addressed to the satisfaction of the organization.
What are the security risks found in Community cloud?
In a community cloud configuration, resources are shared and dispersed among an affinity group.
Infrastructure can be owned and/or operated jointly, individually, centrally, across the community, or in any combination and mixture of these options.
The benefits of the Cloud community deployment model each come with attendant security risks for cloud computing.
Resiliency Through Shared Ownership
Because the network ownership and operation are scattered among users, the environment is more likely to survive the loss of a significant number of nodes without affecting the others.
However, this introduces additional risks because each node is its own point of entry, and vulnerability in any one node can result in an intrusion on the others.
This, of course, means that the unity of configuration management and baselines is almost impossible.
With distributed ownership comes distributed decision making in terms of policy and administration.
Shared Costs
Overhead and cost of the infrastructure are shared among the members of the community, but so is access and control.
No Need for Centralized Administration for Performance and Monitoring.
Although this removes many burdens of centralized administration, it also removes the reliability of centralized and homogenized standards for performance and security monitoring.
What are the security risks found in Public cloud?
This is the deployment model that has the most focus in all blogs and the model most likely to provide the most benefit to the greatest number of cloud customers.
In the public cloud, a company offers cloud services to any entity that wants to become a cloud customer, be it an individual, company, government agency, or other organization.
Many of the same security risks for cloud computing exist in the public cloud as in the private cloud.
personnel threats, external threats, natural disasters, and so forth.
Some of them are obviated by the public cloud’s similarity to the community cloud, such as distributed infrastructure, shared costs, and reduced need for an administrative capability.
However, it is these same benefits that entail the additional security risks for cloud computing of the public cloud.
There are some additional security risks for cloud computing and that is unique to the public cloud that also must be considered.
We’ll discuss those in some detail in the following subsections of security risks for cloud computing.
Vendor Lock-In
In ceding control of the production environment and data to an external party, the organization creates a dependency on that provider.
The expense and trouble of moving the data out of the provider’s data center could be crippling to the organization, especially if the organization chose to do so before the end of the contract term.
In a sense, this can make the organization a hostage of the provider and allow the provider to decrease service levels and/or increase prices as the provider sees fit.
It’s important to stress that this is not a commonplace occurrence.
We do not mean to suggest that cloud providers are maliciously luring customers into unfavorable arrangements.
However, the possibility exists for that dependency, and dependency is a risk.
Vendor lock-in can be caused by other circumstances as well.
There are several things an organization can do to enhance the portability of its data
Ensure favorable contract terms for portability
Make sure the organization considers an exit strategy, even while creating the initial agreement with the provider at the outset of migration.
Is there a reduced-rate trial period in the provider environment?
What is the penalty for early transfer (severing the contract)?
At the end of the contract term, will there be any difficulty, contractually, or in terms of performance, in moving the data to another provider?
Avoid proprietary formats
Don’t sign with a provider unless the raw data can be recovered in a format that could be used at another provider’s site.
This might involve using some form of conversion before moving the data, and that conversion should be simple and inexpensive if the customer chooses to move.
Ensure there are no physical limitations to moving
Make sure that the bandwidth leaving the old provider is sufficient for the purposes of moving your organization’s entire data set and that the new provider can handle that size of importation.
Check for regulatory constraints
There should be more than one cloud provider that can handle your organization’s specific compliance needs.
If your needs are bizarrely unique and restrictive.
Vendor Lock-Out
Another problem associated with ceding control of the organization’s data and production environment is referred to as vendor lock-out also known as provider lock-out.
Vendor lock-out can be caused when the cloud provider goes out of business, is acquired by another interest, or ceases operation for any reason.
In these circumstances, the concern is whether the customer can still readily access and recover their data.
We cannot really plan for all the possible reasons vendor lock-out might occur.
We can, however, be aware that the possibility exists and make decisions accordingly.
Some of the factors we may want to consider when selecting a cloud provider include the following for minimizing associated security risks for cloud computing
Provider Longevity
How long has the provider been in business?
Do they seem to be a market leader?
This aspect may be more difficult than others to assess because IT is an extremely volatile field and new entrants are constantly entering while stalwarts often leave with little warning.
Cloud technology and services on a large scale, in particular, are a fairly recent development and may be more prone to significant and unexpected turbulence.
Core Competency
Can this provider offer your organization what it needs?
Are they capable of meeting all your service requirements?
Do they have the staff, resources, and infrastructure to handle your organization’s demands, as well as those of their other customers?
One measure of the possible strength and suitability of a given provider is whether a cloud service is central to their offerings or is an additional function for their company.
Jurisdictional Suitability
What country is the provider in, and which state?
This question must be asked in terms of both where it is chartered and where it operates. Where is the data center?
Where is its long-term storage and backup capability?
Will your organization’s data by crossing boundaries and borders?
Can your organization use this provider and remain compliant with all applicable regulations?
Supply Chain Dependencies
Does the provider rely on any other entities for its critical functions, both upstream and downstream?
Are there essential suppliers, vendors, and utilities without which the provider could not perform?
This aspect will be very difficult to investigate without considerable disclosure on the part of the provider.
Legislative Environment
What pending statutes might affect your organization’s ability to use that provider?
This facet might carry the most potential impact for cloud customers and also be the most challenging to predict.
Multitenant Environments
Going into a public cloud means entering a multitenant environment.
There will be no providers that will host your organization as their sole customer.
Indeed, you should be wary of any provider that would want to be in that position. It doesn’t scale and wouldn’t be profitable.
There are therefore specific security risks for cloud computing in the public cloud configuration that do not exist in other models.
These include the following
Conflict of Interest
Provider personnel who administer your data and systems should not also be involved with any of your competitors who might also be that provider’s customers.
The provider should be careful to not create these situations or even the perception that they might exist.
Escalation of Privilege
Authorized users may try to acquire unauthorized permissions. This might include users from organizations other than your own.
A user who gains illicit administrative access may be able to gain control of devices that process other customers’ data.
Information Bleed
With multiple customers processing and storing data over the same infrastructure, there is the possibility that data belonging to one customer will be read or received by another.
Moreover, even if this does not happen with raw data, it might be possible for one customer to detect telltale information about another customer’s activity.
Such as when the customer is processing data, how long the procedure takes, and so on.
Legal Activity
Data and devices within a data center may be subpoenaed or seized as evidence in a criminal investigation or as part of discovery for litigation purposes.
This is of concern to any cloud customer because of the possibility that a particular asset might not only contain data that is the specific target of the investigation/litigation, but it might also include data belonging to other customers.
In other words, your data might be seized because it’s on the same box as the data of another customer who is a target of law enforcement or plaintiffs.
What are the security risks found in Hybrid cloud?
Hybrid cloud configurations, of course, include all the risks of the various models they combine.
An organization considering migration into a hybrid cloud ought to be aware of all the security risks for cloud computing discussed in each of the previous sections that are applicable to their particular choice of hybrid.
What are the security risks found in IaaS cloud computing?
In the IaaS (Infrastructure as a Service) model, the customer will have the most control over their resources, which might alleviate some concerns about trusting the provider or lacking insight into the environment.
However, there are still security risks for cloud computing that exist in the IaaS motif, although they are not usually unique to that configuration
Personnel Threats
Again, a malicious or negligent insider may cause a significant negative impact on the customer, in large part because they have physical access to the resources within the datacenter where the customer’s data resides.
External Threats
These include malware, hacking, DoS/DDoS, man-in-the-middle attacks, and so forth.
Lack of Specific Skillsets
Because so much of the environment will be administered by the customer, and all access will be via remote connections, there will be a significant burden on the customer’s administrators and staff to provide both operational and security functions in IaaS.
An organization that does not have sufficient personnel with the training and experience necessary for conducting these tasks in a cloud environment is introducing a sizable risk to its operations.
What are the security risks found in Security risks in PaaS cloud computing?
The PaaS (Platform as a Service) model will have other security risks for cloud computing in addition to those included in the IaaS model.
Interoperability Issues
Because the OS will be administered and updated by the provider, the customer’s software may or may not function properly with each new adjustment to the environment.
Persistent Backdoors
PaaS is often used for software development and development operations (DevOps) efforts because the customer can install any software over the infrastructure within the cloud environment.
This model lends itself well to serving as a testbed for new applications.
It can mimic the production environment with a structured sampling of all the systems from the live enterprise, and it also tests the interface with multiple various platforms through the remote access capability and opportunity to spread the test over multiple OSs.
With all these benefits for DevOps, it is important to remember a significant risk that comes with that industry
A Backdoors left by developers after the final product ships.
These are used for efficient editing and test cases so that the developer doesn’t have to run the program all the way from the beginning to find the particular function that needs to be addressed.
However, backdoors also serve as attack vectors if discovered and exploited by malicious parties. What was yesterday’s development tool is tomorrow’s zero-day exploit.
Virtualization
Because most PaaS offerings utilize virtualized OSs, the threats and risks associated with virtualization must be considered in this model.
Resource Sharing
Programs and instances run by the customer will operate on the same devices used by other customers, sometimes simultaneously.
The possibility of information bleed and side-channel attacks exists and must be considered.
What are the security risks found in SaaS cloud computing?
All the risks inherent in the PaaS and IaaS models remain in the SaaS (Software as a Service) environment, along with these additional risks
Proprietary Formats
The provider may be collecting, storing, and displaying data in a format owned by and unique to that provider.
This can lead to vendor lock-in and decrease portability.
Virtualization
The risks from virtualization are enhanced in the SaaS environment because even more resource sharing and simultaneous multitenancy are going to occur.
Web Application Security
Most SaaS offerings will rely on access through a browser, with some kind of application programming interface (API).
Potential weaknesses within web apps pose a wide variety of risks and threats.
Risks associated with Virtualization
We have discussed the importance of virtualization throughout the blogs.
In this section, we’ll discuss the risks related to the use of virtualization in the cloud.
Many of these possibilities require attenuation through the use of controls that can only be implemented by the cloud provider, so the cloud customer must rely on contractual provisions for implementation and enforcement.
Attacks on the Hypervisor
Instead of attacking a virtualized instance, which might only result in successfully breaching the content of one (virtualized) workstation, malicious actors might attempt to penetrate the hypervisor,
Which is the system that acts as the interface and controller between the virtualized instances and the resources of the given host devices on which they reside.
There are two types of hypervisors, known as Type 1 and Type 2.
Type 1 is also called a baremetal or hardware hypervisor. It resides directly on the host machine, often as bootable software.
Type 2 is a software hypervisor, and it runs on top of the OS that runs on a host device.
Attackers prefer Type 2 hypervisors because of the larger surface area.
They can attack the hypervisor itself, the underlying OS, and the machine directly, whereas Type 1 attacks are restricted to the hypervisor and the machine.
OSs are also more complex than hypervisors, creating the increased potential for included vulnerabilities.
Guest Escape
An improperly designed or poorly configured virtualized machine or hypervisor might allow for a user to leave the confines of their own virtualized instance.
Information Bleed
This is another risk stemming from malfunctions or failures. The possibility exists that processing performed on one virtualized instance may be detected, in whole or in part, by other instances on the same host.
In order for this risk to be detrimental, the loss does not even have to be the raw data itself.
It might instead be only indicative of the processing occurring on the affected instance.
Data Seizure
The legal activity might result in a host machine being confiscated or inspected by law enforcement or plaintiffs’ attorneys, and the host machine might include virtualized instances belonging to your organization, even though your organization was not the target.
