Realm of Security for Cloud Storage
The proverb “A chain is only as strong as its weakest link” applies equally to the security measures taken to safeguard IT assets, whether they live in the cloud or on premises. In my previous blog, ‘Is your data storage vision cloudy‘, we discussed the need for cloud storage driven by emerging trends in business digitalization.
Today we would like to discuss how to assess the security, trust and privacy issues that arise in the context of cloud computing, and highlight ways in which they can be addressed. Security is a relative term and should always be examined against a specific threat model: a control is only adequate with respect to the threats it is meant to counter.
With the increased adoption of cloud services, enterprises have started to explore cloud storage solutions to cater to their ever-growing and varied storage needs. This demand is the silver lining for the cloud service industry, which now offers multiple storage options to suit both the customer and the applications that consume the storage. The offerings mostly revolve around block storage, file storage and object storage, each suited to different application requirements.
As with every new technology, whether physical or virtual, cloud storage carries some inherent security risks, and these restrict its adoption across the full spectrum of requirements.
To understand the challenges associated with access to, privacy of, and security of the data stored in the cloud, it is crucial first to know how one accesses cloud storage.
To access any cloud service you need an account with the cloud vendor; that account holds the credentials used to reach every service on the platform. Each service in turn requires a set of keys (for example an access key identifier paired with a secret key) that the client uses to authenticate its read and write operations. Whoever holds those keys can read and write the data, which is why the rest of this post keeps coming back to how they are protected.
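To make the “set of keys” concrete, here is an added example (not code from the original post) of how a client proves possession of an access key pair when it reads an object. It implements the AWS Signature Version 4 scheme, one widely used instance of such key-based request authentication, using only the Python standard library. The credentials are the placeholder pair published in the AWS documentation, not live keys, and the bucket and object names are constructed for the example; the path is assumed to be already URI-encoded.

```python
"""Added example: authenticating a cloud storage request with an access key pair.

Illustrative code, not part of the original post. It implements AWS Signature
Version 4 with the standard library only. The credentials are the well-known
placeholder pair from the AWS documentation; bucket and object are constructed.
"""
import hashlib
import hmac

# Constructed example inputs (placeholder credentials published in AWS docs).
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
SERVICE = "s3"
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()  # a GET has no body


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service signing key.

    The long-term secret is only the root of this HMAC chain. The key that
    actually signs the request is scoped to one date/region/service, which
    limits the damage if a derived key leaks from a signing component.
    """
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method, uri, query, headers, payload_hash):
    """Build the canonical request: header names lower-cased and sorted and
    values whitespace-normalised, so client and server hash identical bytes.
    Assumes `uri` is already URI-encoded (true for the constructed path)."""
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(canon))
    header_block = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    creq = "\n".join([method, uri, query, header_block, signed_headers, payload_hash])
    return creq, signed_headers


def sign_request(method, uri, headers, amz_date, payload_hash=EMPTY_PAYLOAD_SHA256,
                 query="", access_key_id=ACCESS_KEY_ID, secret_key=SECRET_KEY,
                 region=REGION, service=SERVICE):
    """Return the Authorization header value for the request.

    The secret key never appears on the wire; only the key identifier, the
    scope, the signed header names and the HMAC signature are sent.
    """
    date_stamp = amz_date[:8]  # YYYYMMDD portion of e.g. 20130524T000000Z
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    creq, signed_headers = canonical_request(method, uri, query, headers, payload_hash)
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(creq.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(secret_key, date_stamp, region, service),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def example_get_object():
    """Sign a read (GET) of one object in a constructed bucket."""
    amz_date = "20130524T000000Z"  # fixed timestamp so the output is reproducible
    headers = {
        "Host": "examplebucket.s3.amazonaws.com",
        "x-amz-content-sha256": EMPTY_PAYLOAD_SHA256,
        "x-amz-date": amz_date,
    }
    return sign_request("GET", "/test.txt", headers, amz_date)


if __name__ == "__main__":
    print(example_get_object())
```

Two properties matter for the discussion that follows: the secret itself is never transmitted, and any change to the signed parts of the request (path, date, payload hash) invalidates the signature, so a leaked key identifier alone lets an attacker do nothing, while a leaked secret lets them sign any request they like.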
So let’s look at the security threats faced by the data that resides in the cloud:
- Data Breaches and Loss
A data breach can expose sensitive business information, with severe consequences: a company can face lawsuits and hefty fines, and its brand image can suffer lasting damage. Although cloud storage providers implement rigorous security measures, the same threats that affect a traditional storage network also threaten the cloud. A data breach is the result of a malicious, and usually intrusive, action.
Data loss may occur when a storage medium fails and no backup copy exists from which to recover. It can also happen through loss of the encryption key that unlocks the data, or through human error in managing the storage infrastructure.
For example, a small number of AWS customers lost data over Easter weekend in April 2011, when a network configuration error made by an operator during a routine change in the US East region triggered a “re-mirroring storm” in the EBS volumes that back EC2. Data loss can also be intentional, as the result of a malicious attack.
- Compromised Credentials
Phishing, exploitation of software vulnerabilities such as buffer overflows, and careless handling of credentials can all lead to loss of control over a user account. An intruder who controls the account can eavesdrop on transactions, manipulate data, send incorrect and business-damaging responses to customers and redirect them to malicious sites. Worse, if the compromised account is linked to other accounts, you can quickly lose control of all of them.
- Hacked Interfaces and Insecure APIs
Most cloud services expose APIs through which clients communicate with them, so the security of those APIs is vital: they are the front door to the data. Any vulnerability in an API, or any weakness in how it authenticates and authorises callers, can expose the data behind it.
- Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks
DDoS attacks affect the availability of applications and resources in the cloud. Such an attack can be devastating: the system may slow down or time out, and the attack consumes a significant amount of processing power that is chargeable to the cloud customer.
Denial of service is an old tactic used against online operations, and it threatens cloud services just as much. An assault of thousands of automated requests has to be detected and screened out before it ties up operations. Over time these attacks have become more sophisticated and more widely distributed, making the malicious traffic harder to distinguish from legitimate traffic. For cloud customers, experiencing a DoS attack is like being caught in a traffic jam with no way to reach the destination: the attack degrades the service without shutting it down, while the customer pays for the resources consumed during the attack.
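The detection step mentioned above, as an added example that is not part of the original post: a sliding-window counter over access-log lines that flags sources sending far more requests than a legitimate client would, and totals the bytes served to them, since that is what shows up on the bill. The log format is the common log format; the addresses, paths and sizes are constructed for the example, and the detector assumes log lines arrive in time order.

```python
"""Added example: spotting a request flood in access logs before it ties up service.

Illustrative code, not part of the original post. Parses constructed
common-log-format lines, counts requests per client address in a sliding
time window, and reports sources over a threshold together with the bytes
served to them (the part the customer pays for). Assumes time-ordered input.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line):
    """Return (ip, timestamp, bytes) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    return m["ip"], ts, size


def detect_floods(lines, window_seconds=10, threshold=20):
    """Return {ip: (peak_requests_in_window, total_bytes)} for every source
    that exceeds `threshold` requests inside any `window_seconds` span.

    One deque of timestamps per source; on each request, timestamps older
    than the window are dropped, so the deque length is the current rate.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    total_bytes = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the detector
        ip, ts, size = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        total_bytes[ip] += size
    return {ip: (peak[ip], total_bytes[ip]) for ip in peak if peak[ip] > threshold}


def build_sample_log():
    """Constructed sample: two ordinary clients interleaved with one client
    that fires 40 identical requests for a large object within 8 seconds.
    Addresses come from documentation ranges; nothing here is real traffic."""
    lines = []
    stamp = "[10/Oct/2023:13:55:%02d +0000]"
    for sec in range(10):
        if sec % 3 == 0:
            lines.append(f'203.0.113.5 - - {stamp % sec} "GET /api/objects/report.pdf HTTP/1.1" 200 20480')
        if sec % 4 == 0:
            lines.append(f'203.0.113.9 - - {stamp % sec} "PUT /api/objects/upload.dat HTTP/1.1" 201 0')
        if sec < 8:
            for _ in range(5):
                lines.append(f'198.51.100.7 - - {stamp % sec} "GET /api/objects/big.bin HTTP/1.1" 200 5242880')
    lines.append("this line is deliberately malformed")
    return lines


if __name__ == "__main__":
    for ip, (rate, served) in detect_floods(build_sample_log()).items():
        print(f"{ip}: {rate} requests in window, {served / 2**20:.0f} MiB served")
```

In production the flagged addresses would feed a rate limiter or an edge blocklist rather than a print statement, and a distributed attack defeats a per-address threshold, which is exactly why the post notes that these attacks have become harder to identify; aggregate signals (requests per path, per token, per autonomous system) are the next step up.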
- Malicious Insiders
A malicious insider, whether an administrator at the provider or a privileged user in your own organisation, can reach data at rest and in transit unless it is encrypted, at which point security depends entirely on the encryption keys. If the keys are not stored and controlled appropriately the threat is immediate: whoever holds the keys holds the data. The keys that protect data in the cloud should therefore never live in the cloud alongside it, but remain under the customer's control.
- Abuse of Cloud Infrastructure Services
Cloud computing is available to enterprises and attackers alike. The low cost of deploying infrastructure means that carrying out an attack is trivial from a cost perspective: attackers can rent cloud servers to serve malware, launch DoS and DDoS attacks or distribute pirated software, and abandon them when they are identified.
- Weak Authentication and Identity Management
Lack of proper authentication and identity management is responsible for many data breaches within organisations. Businesses often struggle with this and leave gaping holes in enterprise cybersecurity. Two-factor or multi-factor authentication, such as one-time passwords and phone-based authenticator codes, protects cloud services by ensuring that a stolen password alone is not enough to log in.
- Insufficient Due Diligence in Cloud Vendor Evaluation
Due diligence is the process of evaluating cloud vendors to ensure that best practices are in place. Part of the process is verifying whether the cloud service provider can offer adequate security controls and meet the level of service the enterprise expects.
Many enterprises jump into the cloud without understanding the full scope of the undertaking. What are the contractual obligations of each party? How will liability be divided? How much transparency can a customer expect from the provider in the event of an incident?
Of the threats above, data breach and data loss are the ultimate outcomes; every one of the other risks, when realised, makes them more likely. Security of data in the cloud is a shared responsibility between the enterprise and the cloud vendor: the vendor secures the platform, but the customer remains responsible for its credentials, keys, identities and configuration.