Security Risks in the Cloud

September 30th, 2010

Security risks are the concrete concerns businesses face when considering moving critical business systems to the cloud. Enterprises should make “demands” and ensure the cloud provider’s compliance through contracts or third-party audits, but in reality the market will determine the amount of security cloud service providers offer Enterprises and the level of acceptable risk.

It may turn out that the cheaper price of cloud computing necessarily comes with increased risk, which may in itself limit the pervasive use of cloud computing by Enterprises.

Insecure, Porous APIs: Most cloud services offer two categories of web-accessible APIs: those based on web services (called SOAP) and those based on pure HTTP (called REST). REST-style APIs lack robust “Enterprise class” message-level security and authentication mechanisms and should be avoided.

Logical Multi-Tenancy: With shared cloud computing infrastructure, the division of Enterprise data is now logical rather than physical. This logical separation is typically achieved through the use of virtualized infrastructure, which is a cheap and easy way to support a multi-tenant architecture at the cloud service provider. The perceived risk in this scenario is that an attacker subverts the logical division provided by the guest virtual machine and gains access to the data of another tenant. A number of attacks on virtual machines, from detecting the presence of a hypervisor to running arbitrary code on the host, have been documented. These attacks highlight the uncertain security of multi-tenant, shared environments for critical data. Improvements in technology and virtualization software will reduce this security uncertainty.

Data Protection and Confidentiality: Data stored, processed or indexed in a remote cloud service defines the extent of the new perimeter for the Enterprise. This new boundary changes and moves with the data itself. The Enterprise may have to give up encryption and data privacy requirements for some of its data but should also recognize the option of applying selective field- or message-level protection mechanisms to data before it reaches the cloud. The point is that the Enterprise can control security characteristics on data before it reaches the cloud service provider.
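One way to apply selective field-level protection before a record leaves the Enterprise, as an added example that is not part of the original post: selected fields are replaced with keyed HMAC-SHA-256 tokens, and the key and the token-to-value mapping stay on premises. The class name, field names and sample record are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: field names and the sample record are constructed for this example.
SENSITIVE_FIELDS = {"ssn", "card_number"}
SAMPLE_RECORD = {"customer_id": "C-1001", "ssn": "000-00-0000",
                 "card_number": "4111111111111111", "region": "EU"}


class FieldTokenizer:
    """Swaps selected field values for keyed tokens. The key and the
    token-to-value vault never leave the Enterprise."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("key must be at least 32 bytes")
        self._key = key
        self._vault = {}  # token -> original value, kept on premises

    def _token(self, field: str, value: str) -> str:
        # Bind the token to the field name so equal values in different
        # fields do not produce the same token.
        msg = field.encode() + b"\x00" + value.encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return "tok_" + digest[:32]

    def protect(self, record: dict) -> dict:
        """Return a copy of the record that is safe to send to the provider."""
        out = {}
        for field, value in record.items():
            if field in SENSITIVE_FIELDS and value is not None:
                token = self._token(field, str(value))
                self._vault[token] = str(value)
                out[field] = token
            else:
                out[field] = value
        return out

    def restore(self, record: dict) -> dict:
        """Reverse protect() for a record read back from the provider."""
        out = {}
        for field, value in record.items():
            if field in SENSITIVE_FIELDS and value is not None:
                # A KeyError means the token was not issued by this vault.
                out[field] = self._vault[value]
            else:
                out[field] = value
        return out
```

Tokens are deterministic, so the provider can still see when two records share a value; that allows joins on a protected field but is a property to weigh per field.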

Data Loss and Reliability: When critical business data is moved to a cloud service, there is some inherent risk of data loss. It may be argued that this is a false risk because the Enterprise has a similar risk of catastrophic data loss inside its own datacenter and simply moving the data to the cloud doesn’t change the equation. Quantified over time, this may very well turn out to be the lowest risk.

Audit and Monitoring: The first step in managing the security of any system is to know when specific events occur. Enterprises need to audit when these services are accessed to evaluate risk and to know when data flows to and from the cloud. Enterprises need to know who is making the service request, when the request is happening, how much data is sent or received and how the data is used. Methods of audits will likely need to improve, because none of these points are new.

Cloud Provider Insider Threats: A potential weak spot with cloud services is the mismatch between the security requirements inside the Enterprise as compared to those employed by the cloud service provider. This applies to any outsourced service provider and is not new.

Account Hacking, Tiered Access Control and Authorization: Hacking an account through a stolen password or compromised credential is not new. This is a benefit of the somewhat localized security inherent in individual operating systems and the use of role-based (RBAC) and attribute-based access control (ABAC) within the Enterprise. If an attacker gains root access to a networked system or database they may have access to other assets, but the breach of a single system is more often than not directly localized to the breached system.

There will always be reasons to outsource to an external service provider and reasons that do not justify the risk. Enterprises need to logically weigh the risks and benefits and have an approach that examines these risks with some degree of rigor.

Let Daniel L. Ruggles and the team at PM Kinetics, LLC help you navigate the complexities of IT Governance, Cloud Computing, Sourcing & Capital Planning, Vendor Management, IT Security, and Infrastructure planning & execution.