For over a decade, enterprises have been gradually moving their data and IT services from in-house data centers to cloud computing infrastructures. Moreover, a growing number of organizations now subscribe to cloud services instead of building on-premises infrastructures. Cloud computing comes with many benefits for modern enterprises, including simplicity in managing IT resources, ubiquitous access to applications and services, unlimited capacity and elasticity, as well as flexible cost structures based on the pay-as-you-go paradigm.
Despite these benefits, some organizations are still reluctant to migrate to the cloud. Their main concerns relate to the security of the cloud infrastructure, as well as to the protection of their data assets. Even though cloud providers are investing heavily in the security of their infrastructures, a significant number of security incidents happen every year. Such incidents affect all types of cloud providers, including some of the giant IT enterprises that offer popular infrastructural, storage and social networking services. A number of notorious security attacks against famous cloud providers have taken place in recent years, resulting in damaged reputation and financial loss, while weakening users’ trust in these services. This is why it’s important for both cloud providers and end-users to understand the principal security challenges of the cloud, along with ways to alleviate them.
Challenge #1: Data Breaches
Data breaches are security incidents where information is accessed without authorization. They are very common in all types of infrastructures that host or transfer data, including cloud computing infrastructures. Recent studies associate data breaches with financial losses of tens of billions of dollars over the last five years. To alleviate data breaches, cloud providers must implement strong authentication and authorization mechanisms such as two-factor authentication and biometric authentication. Moreover, cloud providers shall perform frequent security audits of their authentication mechanisms. They should also train and instruct their users to use strong passwords.
Nowadays, many cloud services advise their users to adopt two-factor authentication. Furthermore, they implement mechanisms (e.g., automated password expiry) that guide users in changing their passwords frequently and in avoiding passwords that can be easily hacked.
Challenge #2: Securing Cloud APIs
Many organizations leverage cloud services by harnessing Application Programming Interfaces (APIs), which constitute the entry point to the cloud. Therefore, insecure APIs can be exploited by adversaries in order to compromise cloud resources. Cloud providers must perform pentesting on their APIs in order to proactively identify vulnerabilities and risks. Furthermore, API calls should require proper authentication of their users, while at the same time encrypting sensitive datasets.
Challenge #3: Distributed Denial of Service Attacks
Distributed denial of service (DDoS) attacks are malicious attempts to compromise the ability of a cloud provider to operate. Their ultimate goal is to render a cloud service unavailable to its users. They take several forms, such as flooding and overwhelming the servers of the cloud with very large volumes of service requests (e.g., “SYN” or “Ping” packets), up to the point where the cloud infrastructure becomes unable to service regular users’ requests. In DDoS attacks, malicious requests stem from many distributed computers, which makes it extremely challenging to stop them. In order to alleviate such attacks, cloud providers implement various complementary measures such as blocking potentially “malicious” traffic, monitoring visitor behaviors, blocking bad bots and more.
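The following added example (not part of the original article) shows why distribution makes SYN floods hard to stop: a per-source rate limit sees nothing unusual, while an aggregate check on unanswered handshakes raises the alarm. The event format, the thresholds and the sample traffic are assumptions constructed for illustration.

```python
from collections import Counter

def build_sample():
    """Constructed 10-second window of (source_ip, tcp_flag) events."""
    events = []
    for i in range(20):                      # 20 clients finish the handshake
        ip = f"198.51.100.{i}"
        events += [(ip, "SYN"), (ip, "ACK")]
    for i in range(200):                     # 200 sources, 2 SYNs each, no ACK
        events += [(f"203.0.113.{i}", "SYN")] * 2
    return events

def per_source_offenders(events, limit):
    """Sources that sent more than `limit` SYNs in the window."""
    syns = Counter(ip for ip, flag in events if flag == "SYN")
    return {ip for ip, n in syns.items() if n > limit}

def half_open_ratio(events):
    """Share of SYNs never followed by an ACK from the same source."""
    syns = Counter(ip for ip, flag in events if flag == "SYN")
    acks = Counter(ip for ip, flag in events if flag == "ACK")
    total = sum(syns.values())
    unanswered = sum(max(n - acks[ip], 0) for ip, n in syns.items())
    return unanswered / total if total else 0.0

def assess(events, per_source_limit=10, ratio_limit=0.5, min_syns=100):
    """Combine both views; all three thresholds are illustrative assumptions."""
    total_syns = sum(1 for _, flag in events if flag == "SYN")
    ratio = half_open_ratio(events)
    return {
        "offenders": per_source_offenders(events, per_source_limit),
        "half_open_ratio": round(ratio, 3),
        "aggregate_alarm": total_syns >= min_syns and ratio >= ratio_limit,
    }

if __name__ == "__main__":
    print(assess(build_sample()))
```

No single source exceeds the per-source limit in the sample, so only the aggregate signal can trigger a response such as tightening handshake handling for the whole service.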
Challenge #4: Data Loss
Data loss refers to cases where a dataset is destroyed as a result of failure or neglect during data storage, transmission, or processing. It can have an adverse impact on cloud users, as data represents one of their most valuable assets. In order to alleviate data losses, cloud providers shall put in place proper disaster recovery processes, including measures to recover lost data from backups. Cloud customers must therefore thoroughly review the data recovery options offered by cloud providers prior to registering with them.
Challenge #5: Meltdown and Spectre
Meltdown is a hardware vulnerability that affects popular processors (e.g., Intel x86, IBM POWER and several ARM-based microprocessors). Its practical effect is that it allows rogue (unauthorized) processes to read all memory, which can compromise the operation of one or more cloud servers. Meltdown and Spectre can affect computers in the cloud, leading to a disruption of cloud services. In order to alleviate this vulnerability, cloud providers must ensure that all servers that comprise their infrastructures are properly patched.
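One way to verify patch status across servers, as an added example that is not part of the original article: Linux kernels report mitigation state in files under /sys/devices/system/cpu/vulnerabilities, and the script below classifies those status strings for a fleet. The host names and the sample fleet data are constructed, and treating a missing status file as a finding is an assumption of this example.

```python
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKED = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map a kernel status string to a coarse verdict."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_host(sysfs_dir=SYSFS_DIR):
    """Collect status strings on the local Linux host; None if a file is absent."""
    return {name: (sysfs_dir / name).read_text().strip()
            if (sysfs_dir / name).is_file() else None
            for name in CHECKED}

def audit(fleet):
    """Return {host: [(vulnerability, verdict), ...]} for hosts needing attention."""
    findings = {}
    for host, statuses in fleet.items():
        issues = []
        for name in CHECKED:
            raw = statuses.get(name)
            # Assumption: a host that cannot report its status is a finding.
            verdict = "unreported" if raw is None else classify(raw)
            if verdict not in ("mitigated", "not_affected"):
                issues.append((name, verdict))
        if issues:
            findings[host] = issues
    return findings

# Constructed sample: status strings as collected from three hypothetical hosts.
SAMPLE_FLEET = {
    "node-a": {"meltdown": "Mitigation: PTI",
               "spectre_v1": "Mitigation: __user pointer sanitization",
               "spectre_v2": "Mitigation: Retpolines"},
    "node-b": {"meltdown": "Vulnerable",
               "spectre_v1": "Mitigation: __user pointer sanitization",
               "spectre_v2": "Vulnerable"},
    "node-c": {"meltdown": "Not affected"},  # other status files missing
}

if __name__ == "__main__":
    print(audit(SAMPLE_FLEET))
```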
Challenge #6: Insider Attacks
One of the most successful ways to attack a cloud provider is to launch an attack from the inside. It’s much easier for insiders to access internal systems and gain control over cloud resources and assets. Thus, cloud providers must implement strong firewalling solutions inside their infrastructures, while at the same time putting in place proper processes that prevent insiders from gaining access to resources without proper authorization. Such processes must be clearly specified in the security policies of the cloud provider.
Challenge #7: Human Errors
Human errors are also very common, as end-users remain the weakest link in an end-to-end security workflow. As cloud providers improve their security, hackers will increasingly consider attacking end-users directly, with the aim of achieving identity theft or causing users to delete data or abuse services. Cloud providers must therefore put in place measures that minimize the possibility of a human mistake. In this direction, they need to train end-users on what to do and what to avoid when using their cloud services. At the same time, cloud providers must design and deploy effective recovery mechanisms that allow errors to be undone. This is, for example, the case with the deletion of data records.
The above list of security challenges is indicative, but not exhaustive. Cloud providers are faced with more challenges, such as hijacking of user accounts and exploits of the shared multi-tenant cloud infrastructure. As already outlined, there are prevention measures and remedies for all types of attacks. Cloud organizations should not confront each challenge in isolation. Rather, they have to implement a holistic security strategy that addresses all of them, including their correlations and cascading effects. In creating such a strategy, they can take advantage of best practices and blueprints provided by security standards organizations such as the Cloud Security Alliance (CSA).