Cloud computing security risks

What are the security risks of cloud computing?

Private cloud security risks. A private cloud configuration is a legacy configuration of a data center, often with distributed computing and BYOD capabilities. The organization controls the entire infrastructure (hardware, software, facilities, administrative personnel, security controls, and so on).

What are the security risks found in Private cloud?

A private cloud configuration is a legacy configuration of a data center, often with distributed computing and BYOD capabilities.

The organization controls the entire infrastructure.

These components might be owned, leased, or some combination thereof.

Many of the potential operating risks are somewhat attenuated by maintaining this level of control.

Policy promulgation and enforcement, network performance and security monitoring, personnel management, physical security and access, privileged account management, and auditing capability are all enhanced by ownership.

However, this entails a great deal of overhead expense and effort and does not attenuate all risks.

Personnel Threats

This includes both inadvertent and malicious threats. In the private cloud, personnel controls remain at the behest of the organization, which can be reassuring.

Natural disasters

In the private cloud, the organization knows exactly how prepared they are to cope with this situation and how often, what kind, and where backups are done.

External Attacks

These attacks can take many forms, such as unauthorized access, eavesdropping, DOS/DDoS, and so on.

Regulatory Noncompliance

In private configurations, full control resides internally, and the organization can know its exact regulatory exposure and confidently ensure that it is complying with all relevant regulations.

Malware

This can be considered an external or internal threat, depending on the source of the infection.

None of these risks are unique to the private cloud, but handling them internally provides the organization with complete knowledge and control of how each of these threats is being managed.

Important note to understand what are the security risks for cloud computing

Private cloud deployments are probably best suited to large organizations that have their own internal IT and security capabilities.

While there will be a variety of risks to the enterprise, the organization retains autonomy and authority for all aspects of the production environment.

This can be costly, but it is an excellent way to ensure all risks of concern to the organization are being addressed to the satisfaction of the organization.

What are the security risks found in Community cloud?

In a community cloud configuration, resources are shared and dispersed among an affinity group.

Infrastructure can be owned and/or operated jointly, individually, centrally, across the community, or in any combination and mixture of these options.

The benefits of the Cloud community deployment model each come with attendant security risks for cloud computing.

Resiliency Through Shared Ownership

Because the network ownership and operation are scattered among users, the environment is more likely to survive the loss of a significant number of nodes without affecting the others.

However, this introduces additional risks because each node is its own point of entry, and vulnerability in any one node can result in an intrusion on the others.

This, of course, means that the unity of configuration management and baselines is almost impossible.

With distributed ownership comes distributed decision making in terms of policy and administration.

Shared Costs

Overhead and cost of the infrastructure are shared among the members of the community, but so is access and control.

No Need for Centralized Administration for Performance and Monitoring.

Although this removes many burdens of centralized administration, it also removes the reliability of centralized and homogenized standards for performance and security monitoring.

What are the security risks found in Public cloud?

This is the deployment model that has the most focus in all blogs and the model most likely to provide the most benefit to the greatest number of cloud customers.

In the public cloud, a company offers cloud services to any entity that wants to become a cloud customer, be it an individual, company, government agency, or other organization.

Many of the same security risks for cloud computing exist in the public cloud as in the private cloud.

personnel threats, external threats, natural disasters, and so forth.

Some of them are obviated by the public cloud’s similarity to the community cloud, such as distributed infrastructure, shared costs, and reduced need for an administrative capability.

However, it is these same benefits that entail the additional security risks for cloud computing of the public cloud.

There are some additional security risks for cloud computing and that is unique to the public cloud that also must be considered.

We’ll discuss those in some detail in the following subsections of security risks for cloud computing.

Vendor Lock-In

Vendor Lock-In in cloud
Vendor Lock-In in cloud

In ceding control of the production environment and data to an external party, the organization creates a dependency on that provider.

The expense and trouble of moving the data out of the provider’s data center could be crippling to the organization, especially if the organization chose to do so before the end of the contract term.

In a sense, this can make the organization a hostage of the provider and allow the provider to decrease service levels and/or increase prices as the provider sees fit.

It’s important to stress that this is not a commonplace occurrence.

We do not mean to suggest that cloud providers are maliciously luring customers into unfavorable arrangements.

However, the possibility exists for that dependency, and dependency is a risk.

Vendor lock-in can be caused by other circumstances as well.

There are several things an organization can do to enhance the portability of its data

Ensure favorable contract terms for portability

Make sure the organization considers an exit strategy, even while creating the initial agreement with the provider at the outset of migration.

Is there a reduced-rate trial period in the provider environment?

What is the penalty for early transfer (severing the contract)?

At the end of the contract term, will there be any difficulty, contractually, or in terms of performance, in moving the data to another provider?

Avoid proprietary formats

Don’t sign with a provider unless the raw data can be recovered in a format that could be used at another provider’s site.

This might involve using some form of conversion before moving the data, and that conversion should be simple and inexpensive if the customer chooses to move.

Ensure there are no physical limitations to moving

Make sure that the bandwidth leaving the old provider is sufficient for the purposes of moving your organization’s entire data set and that the new provider can handle that size of importation.

Check for regulatory constraints

There should be more than one cloud provider that can handle your organization’s specific compliance needs.

If your needs are bizarrely unique and restrictive.

Vendor Lock-Out

Vendor Lock-Out in cloud
Vendor Lock-Out in cloud

Another problem associated with ceding control of the organization’s data and production environment is referred to as vendor lock-out also known as provider lock-out.

Vendor lock-out can be caused when the cloud provider goes out of business, is acquired by another interest, or ceases operation for any reason.

In these circumstances, the concern is whether the customer can still readily access and recover their data.

We cannot really plan for all the possible reasons vendor lock-out might occur.

We can, however, be aware that the possibility exists and make decisions accordingly.

Some of the factors we may want to consider when selecting a cloud provider include the following for minimizing associated security risks for cloud computing

Provider Longevity

How long has the provider been in business?

Do they seem to be a market leader?

This aspect may be more difficult than others to assess because IT is an extremely volatile field and new entrants are constantly entering while stalwarts often leave with little warning.

Cloud technology and services on a large scale, in particular, are a fairly recent development and may be more prone to significant and unexpected turbulence.

Core Competency

Can this provider offer your organization what it needs?

Are they capable of meeting all your service requirements?

Do they have the staff, resources, and infrastructure to handle your organization’s demands, as well as those of their other customers?

One measure of the possible strength and suitability of a given provider is whether a cloud service is central to their offerings or is an additional function for their company.

Jurisdictional Suitability

Jurisdictional Suitability in cloud
Jurisdictional Suitability in cloud

What country is the provider in, and which state?

This question must be asked in terms of both where it is chartered and where it operates. Where is the data center?

Where is its long-term storage and backup capability?

Will your organization’s data by crossing boundaries and borders?

Can your organization use this provider and remain compliant with all applicable regulations?

Supply Chain Dependencies

Does the provider rely on any other entities for its critical functions, both upstream and downstream?

Are there essential suppliers, vendors, and utilities without which the provider could not perform?

This aspect will be very difficult to investigate without considerable disclosure on the part of the provider.

Legislative Environment

What pending statutes might affect your organization’s ability to use that provider?

This facet might carry the most potential impact for cloud customers and also be the most challenging to predict.

Multitenant Environments

Multitenant Environments in cloud
Multitenant Environments in cloud

Going into a public cloud means entering a multitenant environment.

There will be no providers that will host your organization as their sole customer.

Indeed, you should be wary of any provider that would want to be in that position. It doesn’t scale and wouldn’t be profitable.

There are therefore specific security risks for cloud computing in the public cloud configuration that do not exist in other models.

These include the following

Conflict of Interest

Provider personnel who administer your data and systems should not also be involved with any of your competitors who might also be that provider’s customers.

The provider should be careful to not create these situations or even the perception that they might exist.

Escalation of Privilege

Authorized users may try to acquire unauthorized permissions. This might include users from organizations other than your own.

A user who gains illicit administrative access may be able to gain control of devices that process other customers’ data.

Information Bleed

Information Bleed in cloud
Information Bleed in cloud

With multiple customers processing and storing data over the same infrastructure, there is the possibility that data belonging to one customer will be read or received by another.

Moreover, even if this does not happen with raw data, it might be possible for one customer to detect telltale information about another customer’s activity.

Such as when the customer is processing data, how long the procedure takes, and so on.

Legal Activity

Data and devices within a data center may be subpoenaed or seized as evidence in a criminal investigation or as part of discovery for litigation purposes.

This is of concern to any cloud customer because of the possibility that a particular asset might not only contain data that is the specific target of the investigation/litigation, but it might also include data belonging to other customers.

In other words, your data might be seized because it’s on the same box as the data of another customer who is a target of law enforcement or plaintiffs.

What are the security risks found in Hybrid cloud?

Hybrid cloud configurations, of course, include all the risks of the various models they combine.

An organization considering migration into a hybrid cloud ought to be aware of all the security risks for cloud computing discussed in each of the previous sections that are applicable to their particular choice of hybrid.

What are the security risks found in IaaS cloud computing?

Security risks in IaaS
Security risks in IaaS

In the IaaS (Infrastructure as a Service) model, the customer will have the most control over their resources, which might alleviate some concerns about trusting the provider or lacking insight into the environment.

However, there are still security risks for cloud computing that exist in the IaaS motif, although they are not usually unique to that configuration

Personnel Threats

Again, a malicious or negligent insider may cause a significant negative impact on the customer, in large part because they have physical access to the resources within the datacenter where the customer’s data resides.

External Threats

These include malware, hacking, DoS/DDoS, man-in-the-middle attacks, and so forth.

Lack of Specific Skillsets

Because so much of the environment will be administered by the customer, and all access will be via remote connections, there will be a significant burden on the customer’s administrators and staff to provide both operational and security functions in IaaS.

An organization that does not have sufficient personnel with the training and experience necessary for conducting these tasks in a cloud environment is introducing a sizable risk to its operations.

What are the security risks found in Security risks in PaaS cloud computing?

Security risks in PaaS
Security risks in PaaS

The PaaS (Platform as a Service) model will have other security risks for cloud computing in addition to those included in the IaaS model.

Interoperability Issues

Because the OS will be administered and updated by the provider, the customer’s software may or may not function properly with each new adjustment to the environment.

Persistent Backdoors

PaaS is often used for software development and development operations (DevOps) efforts because the customer can install any software over the infrastructure within the cloud environment.

This model lends itself well to serving as a testbed for new applications.

It can mimic the production environment with a structured sampling of all the systems from the live enterprise, and it also tests the interface with multiple various platforms through the remote access capability and opportunity to spread the test over multiple OSs.

With all these benefits for DevOps, it is important to remember a significant risk that comes with that industry

A Backdoors left by developers after the final product ships.

These are used for efficient editing and test cases so that the developer doesn’t have to run the program all the way from the beginning to find the particular function that needs to be addressed.

However, backdoors also serve as attack vectors if discovered and exploited by malicious parties. What was yesterday’s development tool is tomorrow’s zero-day exploit.

Virtualization

Because most PaaS offerings utilize virtualized OSs, the threats and risks associated with virtualization must be considered in this model.

Resource Sharing

Programs and instances run by the customer will operate on the same devices used by other customers, sometimes simultaneously.

The possibility of information bleed and side-channel attacks exists and must be considered.

What are the security risks found in SaaS cloud computing?

Security risks in Saas
Security risks in Saas

All the risks inherent in the PaaS and IaaS models remain in the SaaS (Software as a Service) environment, along with these additional risks

Proprietary Formats

The provider may be collecting, storing, and displaying data in a format owned by and unique to that provider.

This can lead to vendor lock-in and decrease portability.

Virtualization

The risks from virtualization are enhanced in the SaaS environment because even more resource sharing and simultaneous multitenancy are going to occur.

Web Application Security

Web Application Security in cloud

Most SaaS offerings will rely on access through a browser, with some kind of application programming interface (API).

Potential weaknesses within web apps pose a wide variety of risks and threats.

Risks associated with Virtualization

We have discussed the importance of virtualization throughout the blogs.

In this section, we’ll discuss the risks related to the use of virtualization in the cloud.

Many of these possibilities require attenuation through the use of controls that can only be implemented by the cloud provider, so the cloud customer must rely on contractual provisions for implementation and enforcement.

Attacks on the Hypervisor

Instead of attacking a virtualized instance, which might only result in successfully breaching the content of one (virtualized) workstation, malicious actors might attempt to penetrate the hypervisor,

Which is the system that acts as the interface and controller between the virtualized instances and the resources of the given host devices on which they reside.

There are two types of hypervisors, known as Type 1 and Type 2.

Type 1 is also called a baremetal or hardware hypervisor. It resides directly on the host machine, often as bootable software.

Type 2 is a software hypervisor, and it runs on top of the OS that runs on a host device.

Attackers prefer Type 2 hypervisors because of the larger surface area.

They can attack the hypervisor itself, the underlying OS, and the machine directly, whereas Type 1 attacks are restricted to the hypervisor and the machine.

OSs are also more complex than hypervisors, creating the increased potential for included vulnerabilities.

Guest Escape

Guest Escape in cloud
Guest Escape in cloud

An improperly designed or poorly configured virtualized machine or hypervisor might allow for a user to leave the confines of their own virtualized instance.

Information Bleed

This is another risk stemming from malfunctions or failures. The possibility exists that processing performed on one virtualized instance may be detected, in whole or in part, by other instances on the same host.

In order for this risk to be detrimental, the loss does not even have to be the raw data itself.

It might instead be only indicative of the processing occurring on the affected instance.

Data Seizure

The legal activity might result in a host machine being confiscated or inspected by law enforcement or plaintiffs’ attorneys, and the host machine might include virtualized instances belonging to your organization, even though your organization was not the target.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top