Cloud Computing Security Analysis and Assessment

Key Findings

Cloud computing is a computing strategy that is growing exponentially, and that growth has influenced approaches to securing its infrastructure and the data stored in the cloud. It has also been identified that, despite this growth, cloud computing infrastructure lacks standards against which security concerns can be rigorously tested. It is therefore the concern of both the customer and the service provider to enforce security at all levels.

Recommendations

Universal standards that measure how well cloud software enforces confidentiality, authenticity, reliability, and privacy as security measures should be developed and enforced for cloud computing service providers.

Analysis

Based on the architectural framework of cloud computing, a model characterized by measured services, resource pooling, location independence, exponential elasticity, on-demand self-service, and ubiquitous network access, security is a major issue spanning service providers and subscribing customers. The computing model faces a myriad of security issues and challenges that span the policies, applications, and control measures used to protect client data from unauthorized access on its computing framework.

The computing framework is characterized by organizational software platforms and the infrastructure that provides services to the customer through the cloud, and is thus susceptible to security leaks. Customers, on the other hand, need to understand and be confident that data transmission and storage on the cloud framework are secure.

Dunlap, King, Cinar, Basrai, & Chen (2002) note that it is therefore vital for cloud computing service providers to provide evidence of security audits evaluated against established benchmarks. These providers need to demonstrate without a doubt that their technology is secure and runs on a secure infrastructure. That has been exemplified by Google and Microsoft, by SAS 70, and by International Standards Organization (ISO) 27001.

It is worth exploring the security issues cloud providers encounter in their service provision. Cloud computing service providers, both small and large organizations operating in the vertical realm, need to audit their systems for compliance with the security standards demanded by the Federal Information Security Management, payment data security, and industry data security standards. In addition, it is vital that cloud computing service providers subject their systems to regular security audits by security consulting firms to ensure compliance with standard security requirements and avert expensive cloud computing security incidents.

Customers should be made to understand that sensitive data is never processed in another’s cloud without the necessary security protocols applied at appropriate levels of information protection. For cloud computing firms, security personnel and professionals need to be continuously evaluated against business and legal requirements while working closely with procurement specialists to develop standards for establishing the depth and reliability of security features at different service levels. It is therefore worth noting that security risks span data location, privileged user access, recovery, data segregation, regulatory compliance, long-term viability, and investigative support, all of which are vital to a customer deciding on a cloud service provider.

Jaeger, Lin & Grimes (2008) argue that customers need to demand detailed information from the target service provider about the integrity of the security of its cloud computing infrastructure, based on the seven security issues above, which are discussed in detail below. In addition, keen customers should design questions about the qualifications of policymakers, risk control processes, coders and operators, architects, the technical mechanisms involved, and the rigor of the tests done to determine the degree of security the cloud system offers the customer.

The overview below of the seven major security issues customers should factor in when selecting a cloud computing vendor therefore emphasizes the security of the customer’s data while it is in use or being transmitted over physical media, and the satisfaction the service provider derives from the quality of services being offered.

Both small and large enterprises need to provide security details about their approach to managing the client’s data and the levels of privileged user access to the data through authorization and authentication mechanisms. On the other hand, regulatory compliance calls upon customers to be ultimately responsible for the security of their data irrespective of the platform on which it resides (Lamb, 2009).

Data location emphasizes the need for customers to have their data stored in particular jurisdictions under a contractual agreement that ensures legal compliance with that promise. Another issue, data segregation, focuses on the need for small and large enterprises to ensure that security mechanisms such as encryption are incorporated with reliable schemes. Encryption mechanisms should be reliable and well tested to inspire confidence in their usage; unreliable mechanisms may render data useless. In addition, cloud computing service providers need to furnish customers with information on contingency measures for recovering data in the event of a catastrophic failure. This is illustrated in the diagram below of data in transit under the two encryption mechanisms (Payne, Carbone, & Lee, 2007).

Data on transit on the two encryption mechanisms

These encryption mechanisms ensure data integrity and confidentiality to the target destination. However, the system should also provide authentication mechanisms to ensure data integrity, while higher-level encryption may provide adequate data confidentiality in the cloud computing network.

On the other hand, cloud computing service providers know well that their services are prone to security threats, in particular infrastructure threats and threats to CSPs’ availability. In addition, service providers and customers need to know well how their data is stored and the mechanisms for recovering it, as discussed elsewhere.

Large and small service providers find it quite challenging to identify and investigate illegal activities within their networks. That is partly due to the dynamic nature of hosts and data centers. It is therefore important for customers to engage service providers under a contract whose clearly spelled-out terms commit the provider to support them when investigating fraud and other illegal activities.

In addition, service providers need a sound financial footing, reflected in their financial statements, to sustain service provision and give the customer confidence in continued services, a concept described as long-term viability. However, customers may not know the financial performance of service providers, hence the need to seek relevant information before engaging their services (Joshi, King, Dunlap, & Chen, 2005).

Cloud computing service providers should incorporate self-regulatory measures to ensure compliance. These include privacy.

An analysis of cloud computing infrastructure reveals demands for meeting some basic security requirements. These security requirements are characterized by dependability, where a software product provides security against malicious attacks; trustworthiness, in which software provides logical protection against malicious attacks; and confidentiality, where the software provides protection in the areas of intellectual property rights, encryption, covert channels, traffic analysis, and inference. In addition, cloud computing should meet standards ensuring that data communicated through different mediums is characterized by the three principles of data integrity.

These include security against unauthorized modification and internal and external consistency of data. Cloud computing resources should provide appropriate, reliable, and timely access to data and guarantee system functionality (Dunlap, King, Cinar, Basrai & Chen, 2002).

This system security should be at the level of the security services provided by cloud software. These include authentication, authorization, auditing, and accountability. Authentication ensures the integrity and identity of the user, authorization focuses on user access privileges, and auditing evaluates system security issues and intrusion detection. The security demands and paradigm discussed above can best be illustrated by the monolithic architecture of an identity and access management framework shown below (Miller, 2008).

Other security concerns include spoofing, where an intruder convinces the system that it is communicating with a genuine and trusted party in order to validate a communication; back doors, where dial-up modems are used to gain access to a network without going through authorized control mechanisms; and hijacking, where attackers or intruders take over sessions between trusted communicating parties. Further concerns include dumpster diving, social engineering, TCP hijacking, man-in-the-middle, and replay (Joshi, King, Dunlap, & Chen, 2005).

Data security is a critical component for service providers and customers and forms the central element or theme in influencing customer satisfaction at all levels. Specifically, the customer and the service provider should lay emphasis on data-in-transit, data remanence, data lineage, data-at-rest, and data provenance.

Payne et al. (2008) argue that large enterprises, on the other hand, have thrust themselves into cloud computing. These institutions use corporate applications and cloud applications in critical business functions and in the storage of sensitive organizational and individual data. The impact of cloud computing is best illustrated in the diagram below.

That is in addition to security collaborations based on the architecture of cloud computing as illustrated below (Payne, Carbone, Sharif, & Lares, 2008).

Current situation

Many companies, such as Google, which operates on SaaS and PaaS infrastructure, Microsoft with its Azure Services Platform (PaaS), and ProofPoint (SaaS and IaaS), are service providers that use different technologies as architectural platforms whose security is of major concern. However, the current trend is for these companies to keep security in focus, as it is the way to go in the computing world.

Assessment

Roscoe and Baumann (n.d) argue that security management in the cloud is an area demanding a two-pronged approach. Both the customer and the service provider face challenges and issues that demand critical attention. Specifically, the service provider needs to identify shared responsibilities, detective and preventive controls, and other security mechanisms. The customer, on the other hand, needs to be aware of the level of security their data is subjected to in the ever-dynamic world of service levels. The service provider and the customer need to strike a compromise on the responsibilities of either party in cloud security, as illustrated here.

However, these responsibilities rely heavily on the provider’s service-level agreement and the service delivery model, which are well explained in the Information Technology Infrastructure Library (ITIL) service management framework, whose goals are realizing security requirements for service providers and basic levels of security for customer data.

Ormandy (n.d) argues that large and small business organizations have realized the tenets of security management in the cloud defined by standards focused on vulnerability management, patch management, incident response, availability management, access control, system user and access management, and configuration management. That is in relation to cloud deployments that span public and private models.

It is well worth noting that cloud computing has experienced exponential growth in the recent past, based on statistical data on its application at customer and service provider levels. However, the security issues and challenges facing the cloud computing community cannot escape attention. These issues and challenges, already discussed above, indicate that the cloud community does not have well-tested and established standards to ensure that customer data is secure, that services are available and reliable, and that systems are not exposed to security leaks, an incident that might prove fatal for both the service provider and the customer.

In addition, because different platforms define the architecture of cloud computing, the security issues become more pronounced, as most of the architectures have not been subjected to rigorous tests to ascertain their reliability and point out any security loopholes (Seshadri, Luk, Qu, & Perrig, 2007).

Conclusion

Cloud computing security spans the service provider and the customer: it is a concerted effort by both parties to enforce security at different levels, with responsibilities spanning both parties at different levels dynamically. On the other hand, customers should be wary of cloud computing service providers’ security audits, with universal standards that measure how well cloud software enforces confidentiality, authenticity, reliability, and privacy as security measures developed and enforced for and by cloud computing service providers. Organizations cannot fail to adopt cloud computing as a new approach to computing services.

On the other hand, customers need to ask for detailed information on data center coverage and on data recovery in the event of catastrophic failures, and sensitive data should be stored in public clouds that are transparent about the technology being used there.

References

Dunlap, G. W., King, S. T., Cinar, S., Basrai, M. A., & Chen, P. M. (2002). ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay. SIGOPS Operating Systems Rev., 36(SI):211–24.

Jaeger, P. T., Lin, J., & Grimes, J. (2008). Cloud computing and information policy: Computing in a policy cloud? Journal of Information Technology & Politics, 5(3), 269-283.

Joshi, A., King, S. T., Dunlap, G. W., & Chen, P. M. (2005). Detecting Past and Present Intrusions through Vulnerability-Specific Predicates, in SOSP’05: Proceedings of the Twentieth ACM Symposium on Operating Systems Principles, pp. 91–104, New York, NY: ACM.

Lamb, J.P. (2009). The Greening of IT: How Companies Can Make a Difference for the Environment. New York: IBM press.

Miller, M. (2008). Cloud Computing: Web-Based Applications that Change the Way You Work and Collaborate Online, Que.

Ormandy, T. (n.d). An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments. Web.

Payne, B. D., Carbone, M., Sharif, M., & Lares, W.L. (2008). An Architecture for Secure Active Monitoring Using Virtualization, IEEE Symposium on Security and Privacy. (0) 233–47.

Payne, B. D., Carbone, M., & Lee, W. (2007). Secure and Flexible Monitoring of Virtual Machines. Computer Security Applications Conference, Annual, 0:38597.

Roscoe, T., & Baumann, A. (n.d). Virtual Machine Applications Rethinking Synchronization Advanced Operating System Design, 263-3800-00L. Web.

Seshadri, A., Luk, M., Qu, N., & Perrig, A. (2007). SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity Os’s, in SOSP 07: Proceedings of the Twenty-First ACM SIGOPS Symposium on Operating Systems Principles, pp. 335–50, New York: ACM.