
Vincen Arivannoor, Chaitanya Midsala, Narasimha Murty & Rishab Dhariwal
BCO6672-The Information Systems Profession

The Security of Cloud Services


ISP-Assignment 1B (s4597312, s4601831, s4594461 & & s4587554)

Table of Contents
Introduction
Cloud Architecture and Cloud Security
Characteristics of Cloud services
Cloud services Security
Cloud Security threats
Cloud security services
Benefits
Beneficiaries & Security Implications
Stakeholder benefits of cloud security
Challenges faced by ISP
Internal Challenge: Compliance issues
External Challenge- Advanced Persistent Threats (APTs)
Cloud Security & the Future
Evolution of Security Model-Security as a Service (SecaaS)
User vs. Cloud Service- User’s Responsibility
Conclusion

Introduction
Cloud computing is gaining momentum as it reaches a critical mass of adoption, because of both
market and technology related factors. A rapidly evolving business environment is driving a pivot in the
digital infrastructure of many companies, and that is enabling many firms to make the move to the cloud.
Therefore, cloud services are becoming a key factor in achieving competitive advantage on a global
scale for companies aiming to succeed in the age of digitisation.

In a business context, cloud services provide a large variety of services over the internet that are
accessible globally. Cloud services are usually provided by trusted third-party providers, which gives
rise to security threats to those services. Although cloud computing is seen as a major driver of
growth for companies in the coming years, the migration of IT assets, such as virtualized IP, data,
applications, services and the associated infrastructure, from physical systems to the cloud is marred
by the security concerns of the users. For instance, financial services companies are still laggards when
it comes to adopting the cloud, despite the deep interest seen, because of a lack of confidence in securing
the data of customers and financial transactions. Recent attacks such as the hack in 2014 of the premier
cloud storage solution provider, Dropbox, where around 60 million user accounts were compromised
(Conger & Lynley, 2019), prove that cloud security has become a matter of concern for companies that
aim to become more digital. Therefore, as the relevance of cloud computing increases throughout society
in general, it is now paramount that cloud service providers and users keep the security and privacy
safeguards of cloud assets as a major concern.

This literature review explores in depth how the prevalence of the cloud results in more emphasis on the
security of the data stored in it. In this report we discuss the architecture of cloud services,
security threats and the challenges in implementing cloud security.

Cloud Architecture and Cloud Security


To understand how cloud security operates, one needs to understand how the cloud computing
architecture is framed. The National Institute of Standards and Technology (NIST) defines cloud
computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage, applications and services) that can be
rapidly provisioned and released with minimal management effort or service provider interaction (Puthal
et al., 2015).

Characteristics of Cloud services


One major characteristic of the cloud is that services are self-accessed by the user from multiple devices
over the internet without the need for network administrators. This feature lets users access services
without being physically present at the infrastructure. Another aspect is that the cloud enables
organizations to migrate resources from one cloud to another, providing cost-effective resource pooling.
Aside from ease of migration, the cloud also enables elasticity, where resources can be scaled up and down
rapidly as per demand, eliminating the infrastructure implementation cost for the client (A. Jula, 2014).

Another important aspect of the cloud is that users can pick and choose services on demand as per their
needs, for example processing speed, storage memory level, networking protocols, access control and any
additional new feature the user needs to achieve personal or business objectives (Fotiou et al., 2015).
Finally, the cloud exhibits multi-tenancy, where the same cloud infrastructure and services are shared
among different tenants.

Cloud services Security


Understanding the characteristics of the cloud gives the context for cloud security, as it is these same
characteristics that are misused to compromise the security of the assets in the cloud. Direct or
indirect threats and attacks on cloud assets, as well as breaches of services, will affect the integrity,
availability and confidentiality of these assets, raising security concerns among users and companies
(Singh and Chatterjee, 2017). With this in mind, cloud security describes a set of policies,
technologies and controls that aim to protect the digital assets of the users.

Cloud Security threats


To analyse the types of threats to the cloud, a threat model called STRIDE is used, which classifies
threats into six categories (Docs.microsoft.com, 2019):

● Spoofing identity: Illegally gaining users' authentication information, such as passwords.
● Tampering with data: Unauthorized changes to data, which damage the data held in databases.
● Repudiation: Unauthorized actions performed in the system which do not leave any traces.
● Information disclosure: Disclosing confidential information to unauthorized individuals.
● Denial of service: Servers are flooded with service requests until they crash. These types of
attacks are targeted at availability.
● Elevation of privilege: An unauthorized individual gaining privileged access to damage and
compromise the system defenses.

Cloud security services

Cloud security services are the different solutions deployed by service providers to make cloud services
secure and reliable, and they are currently used to keep the above-mentioned types of threats under
control. On benchmarking existing solutions against the STRIDE model, we see that different solutions
are targeted at different types of threats (Halabi & Bellaiche, 2018). In our research, we find that
certain solutions are more capable than others by virtue of resolving at least 4 types of cloud threats.

One of the most powerful security solutions is employing a multi-factor authentication technique, such
as using LDAPs and biometrics, to authenticate authorised personnel. Another solution is to set up
authorisation and access control mechanisms, where the company can grant limited privileges and
permissions to users based on need. Another security measure is strong web application security, where
the company secures web applications with strong firewalls to prevent impersonation and phishing
attacks. Finally, the most successful current security solution is virtualization security, where
isolating data, applications and network from hardware using virtual machines is capable of controlling
around 5 types of threats (Halabi & Bellaiche, 2018).

Benefits

Beneficiaries & Security Implications

To understand the benefits of cloud security one must understand the different stakeholders who are
directly benefited by implementation of cloud computing and understand how these actors are responsible
for cloud security. We will use the NIST Cloud Security Reference Architecture (ZOTA and PETRE,
2014) to study the stakeholders and the corresponding implications for cloud security.

In this report, we will not touch upon any stakeholders who are negatively affected by cloud security as
our review didn’t find any valuable insight in that regard.

Fig 1: NIST Cloud Security Reference Architecture

In our literature review, we identified three main beneficiaries as per the NIST reference model:

● Cloud Consumer: A cloud consumer is a person or organisation that has a relationship with a
cloud service provider and uses the services, such as SaaS, PaaS and IaaS, offered by that
provider. The cloud consumer chooses a desired catalogue for use from the cloud provider and
sets legal agreement conditions with financial and legal boundaries. Consumers are required to
study different cloud providers and their services by characterising the required cloud application
security requirements, reviewing the service provider’s strengths and weaknesses, and performing a
fit analysis of the expected security requirements against the cloud provider’s security
(Chawki, Ahmed & Zakariae, 2018).

● Cloud Service Provider (CSP): On the other hand, a CSP is an organisation which sells cloud
services, where the CSP installs and manages the features and services and gives technical support
for the software application. The CSP creates the technical infrastructure for the application based
on the Service Level Agreement and provides the security services at SaaS level. At PaaS level, the
provider maintains infrastructure tools and utilities for the customer for developing and testing. At
IaaS level, the provider gives the cloud infrastructure, such as storage and processing, to the
customers. Therefore, the provider is responsible for protecting the infrastructure, which is composed
of the hardware, software and facilities that run all of the services. The CSP should control access to
its data centers where the consumer data resides (Chawki, Ahmed & Zakariae, 2018).

● Cloud carriers: Carriers provide connectivity and transfer of services between cloud user and
customer as an intermediary. The security concerns of the carrier include the exposures and threats
that would be present in the transmission of data to and from a cloud structure. For these reasons,
the carrier is responsible for maintaining security control points that span the systems it manages,
as well as security testing, risk management, and preventive tasks that would be expected to reduce
vulnerabilities in transmission channels (ZOTA and PETRE, 2014).

Stakeholder benefits of cloud security

● Data Security

The cloud helps users by allowing effortless storage management and universal data access irrespective of
location. Furthermore, the cloud encrypts all data and provides a completely secure medium that enables
employees to access the data across any device and location without any worry of the data being
compromised (Khanai, Kulkarni and Torse, 2014). Cloud security ensures the business can rely on its
mobile workforce to effortlessly access data without compromising productivity.

● Better protection against Distributed Denial of Service (DDoS)

Traditional information systems have DDoS counter-measures that are not able to keep up with the
volume, complexity and magnitude of the attacks seen nowadays (Bhardwaj et al., 2016). On the other
hand, there are cloud-based multi-level solutions using ‘cost and attack aware’ resource allocation
algorithms that are specifically designed to perform better than traditional DDoS solutions (Somani
et al., 2017).

● Physical security

Firms realise that many of their operations outside traditional IT functions are becoming dependent on
data centres. Therefore the importance of the physical security of data centres for businesses has grown
more than ever before, as the risks of power outages and human errors physically affecting the data centre
are ever present in a traditional IT system. With the cloud, this aspect of physical security is
now guaranteed. As the cloud provider isn’t located where the consumers are, the likelihood of avoiding
an incident that affects the complete production environment of a consumer is really high with cloud
security. Besides, cloud security ensures that there is automatic backup of data and prompt disaster
recovery if any untoward security incident affects the data centres (Solanki et al., 2017).

● Patches and Updates

Unpatched software is said to be one of the main reasons behind the rise in malware infections that
exploit flaws in applications and infrastructure. Earlier, in on-premise IT systems, software was
updated at a slower rate and any such updates would have caused major disruptions to the production
environment of the business. With the cloud, providers are able to push updates regularly and
automatically and patch any flaw without causing any downtime to the consumer's operations (Baumann,
Peinado & Hunt, 2015).

Challenges faced by ISP


As cloud security becomes more critical to Information Systems Professionals (ISPs), the advancement in
technology has presented different challenges that ISPs have to address in order to ensure that the
goals and objectives of cloud security are realised. In our literature review, we identified one key
internal and one key external challenge faced by ISPs, which are explained below.

Internal Challenge: Compliance issues


Typically for ISPs, regardless of being a Cloud consumer, CSP or cloud carrier, compliance involves
following an established set of standards, specifications, regulations or laws, ensuring quality of service
isn’t impacted.

But research has found that there are no widely accepted industry standards for the security measures
of cloud systems. Many commercial and non-profit entities, including the NIST, the Cloud Security
Alliance and the International Organization for Standardization, do provide sets of guidelines, but
none of these standards have been accepted by the cloud industry. This lack of standards results in ISP
professionals being involved in unnecessary activities such as contract negotiation and due diligence,
considering the array of liabilities consumers can be exposed to without industry standards in cloud
security (Kandira, Mtsweni & Padayachee, 2013). Security experts have stated that the lack of standards
has resulted in time, effort and expense spent in meeting compliance regulations; for example,
compliance with the PCI standard requires the experts to meet a 12-step list of requirements. Besides,
with every different CSP and new advance in cloud technology, companies have to address the added
complexities seen with the new standards.

Additionally, ISPs must also consider the different regulations and laws of the different jurisdictions
where the cloud service is in operation, which makes it difficult for ISPs to implement the cloud
solution effectively, as they are subject to a number of legal limitations and regulatory compliance
requirements. For example, the European Union General Data Protection Regulation, which applies to all
companies that collect, store and process any data belonging to EU nationals, will result in
considerable effort and cost for all organisations under the scope of the regulation. Such
organisations will have to appoint additional ISPs, such as a data controller with the requisite
technical skills, a data processor and a data protection officer, who are knowledgeable about the EU
regulations, adding further to the costs for the organisations.

External Challenge- Advanced Persistent Threats (APTs)


Despite all the cloud security solutions present, Advanced Persistent Threats (APTs), which usually target
business operations & protected data such as credit card details, are still growing. APTs are a
significant external challenge for ISPs to resolve because of the sophisticated, multi-pronged & stealthy
approach used by the attackers to target an organisation in the cloud. Two of the most common APTs
that information security officers face are DDoS and data breaches.

● Data Breaches

A data breach happens when protected data has been accessed in an unauthorized fashion. The number of
data breaches reported across the world has been on the increase, which is attributed to the shift to
cloud systems. Traditionally, ISPs, including designers of infrastructure and developers of security
protocols, had greater direct control over the physical infrastructure, making it easier to secure their
clients' data. With the adoption of cloud-based systems, ISPs lack direct control over the cloud-based
network infrastructure, which has increased the vulnerability to external unauthorised access (Hujran,
Al-Debei, Al-Lozi, & Maqableh, 2018).

● DDoS

A DDoS attack is designed to overwhelm website servers with the aim of disrupting the operations an
organisation runs through its websites. As a result of the majority of IT-related operations being
shifted to the cloud, because of the more reliable security measures and cost-effectiveness compared to
traditional IS, there has been an increase in DDoS attacks on cloud systems (Singh & Chatterjee, 2017).
Therefore, ISPs are forced to address this on a day-to-day basis by strengthening the cloud-based
system, ensuring that cloud-based security is guaranteed.

Cloud Security & the Future

Based on the literature review done, we have come to the conclusion that in the future two major trends
will define how the users, organisations and the society as a whole can impact cloud security.

Evolution of Security Model-Security as a Service (SecaaS)

Research has found that cloud security will see the prevalence of a new operating model in the form
of SecaaS. SecaaS is a new outsourcing model for security management where the security of cloud users
and cloud providers is supervised and managed from the cloud itself (Wenge et al., 2014). Of all the
relevant solutions analysed that follow the SecaaS model, the Security Information and Event Management
(SIEM) system is the one that shows the most promise. In a SIEM system, logs and events are collected
from multiple sources, such as firewalls, alerting tools, and physical and virtual security systems, and
then undergo steps such as correlation, aggregation, filtering, and matching (Lee et al., 2017).

Of these steps, the correlation step is the most groundbreaking. SIEM systems can implement different
types of correlation rules that are responsible for detecting red flags such as disallowed actions (i.e.
security threats) and misbehaviour in a monitored system. For example, heuristic rules are used to detect
“zero-day” incidents, which are new, happen in real time and are relatively unknown to a SIEM system.
Another example of a correlation rule is Bayesian rules, which are aimed at predicting attacks in the
future.

In any case, the above-mentioned steps are used for efficient real-time identification of incidents,
which can then trigger the relevant response, such as sending alert messages and reporting to the
information security officers (Wenge et al., 2014).
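
The filtering, aggregation and correlation steps described above can be sketched as follows. This is an added example, not code from the report or from any SIEM product; the events, field names, thresholds and the "snapshot_export" disallowed action are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source system, source IP, user, action).
RAW_EVENTS = [
    ("2019-04-02T10:00:00", "vm-monitor", "10.0.0.5", "svc", "heartbeat"),
    ("2019-04-02T10:00:05", "auth", "203.0.113.7", "alice", "login_failed"),
    ("2019-04-02T10:00:09", "auth", "203.0.113.7", "alice", "login_failed"),
    ("2019-04-02T10:00:14", "auth", "203.0.113.7", "alice", "login_failed"),
    ("2019-04-02T10:00:20", "firewall", "203.0.113.7", "-", "conn_allowed"),
    ("2019-04-02T10:00:31", "auth", "203.0.113.7", "alice", "login_success"),
    ("2019-04-02T10:02:00", "vm-monitor", "203.0.113.7", "alice", "snapshot_export"),
    ("2019-04-02T10:05:00", "auth", "198.51.100.4", "bob", "login_failed"),
    ("2019-04-02T10:05:40", "auth", "198.51.100.4", "bob", "login_success"),
]

# Assumed policy values for this example only.
NOISE = {"heartbeat", "conn_allowed"}   # dropped by the filtering step
DISALLOWED = {"snapshot_export"}        # action ordinary users may never perform
FAIL_THRESHOLD = 3                      # failures that make a burst suspicious
WINDOW = timedelta(seconds=60)          # aggregation / burst-to-success window
FOLLOW_UP = timedelta(minutes=10)       # how long a suspicious login taints a session


def normalise(raw):
    """Collection: bring records from different sources into one schema."""
    return [
        {"ts": datetime.fromisoformat(ts), "source": src, "ip": ip,
         "user": user, "action": action}
        for ts, src, ip, user, action in raw
    ]


def filter_events(events):
    """Filtering: discard events with no value for detection."""
    return [e for e in events if e["action"] not in NOISE]


def aggregate(events):
    """Aggregation: merge runs of the same action by the same (ip, user)."""
    merged, latest = [], {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        pair = (e["ip"], e["user"])
        rec = latest.get(pair)
        if rec and rec["action"] == e["action"] and e["ts"] - rec["first"] <= WINDOW:
            rec["count"] += 1
            rec["last"] = e["ts"]
        else:
            rec = {"ip": e["ip"], "user": e["user"], "action": e["action"],
                   "first": e["ts"], "last": e["ts"], "count": 1}
            merged.append(rec)
            latest[pair] = rec
    return merged


def correlate(records):
    """Correlation: match patterns that span several records and sources."""
    alerts, bursts, suspicious = [], {}, {}
    for r in records:
        pair = (r["ip"], r["user"])
        if r["action"] == "login_failed" and r["count"] >= FAIL_THRESHOLD:
            bursts[pair] = r
        elif r["action"] == "login_success":
            burst = bursts.pop(pair, None)
            # Rule 1: a burst of failures followed shortly by a success.
            if burst and r["first"] - burst["last"] <= WINDOW:
                suspicious[pair] = r["first"]
                alerts.append(("possible_credential_guessing", r["ip"], r["user"]))
        elif r["action"] in DISALLOWED:
            # Rule 2: disallowed action, escalated if the session is tainted.
            since = suspicious.get(pair)
            tainted = since is not None and r["first"] - since <= FOLLOW_UP
            severity = "high" if tainted else "medium"
            alerts.append((f"disallowed_action:{severity}", r["ip"], r["user"]))
    return alerts


def run_pipeline(raw):
    return correlate(aggregate(filter_events(normalise(raw))))


if __name__ == "__main__":
    for alert in run_pipeline(RAW_EVENTS):
        print(alert)
```

The single failed login by "bob" produces no alert, which shows why aggregation with a threshold precedes correlation: it keeps ordinary mistyped passwords from reaching the security officers.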

User vs. Cloud Service- User’s Responsibility

As cloud security becomes more relevant, both CSPs’ and cloud users’ responsibilities in ensuring cloud
security are becoming more accurately demarcated. The Shared Responsibilities model developed by
Microsoft Azure is a testament to this shift in the cloud security space. As per the model, users are
responsible for protecting the security of their data, identities, on-premises resources, and the cloud
components that they directly control (which vary by service type), and the model explains that users
are always responsible for endpoints, account and access management (Ridgway & Simorjay, 2016).

Fig 2: Microsoft Shared Responsibilities model

This model is becoming more relevant after research has shown that by the end of 2020, cloud providers
will suffer at least 60% fewer security incidents than those in traditional datacentres, showing the
success of cloud security measures at the service provider's end. Therefore, the prevailing
misconception that CSPs are solely responsible for their customers’ cloud security will slowly lose
strength, as the research shows that enterprises are unable to take responsibility for the security
incidents that are caused from their end: it is predicted that by 2020, 95% of cloud security failures
will take place on the consumer's side (Panetta, 2019).

Of such potential security failures from the consumer end, the threats caused by malicious insiders are
the most serious. The probability that a malicious insider, such as an employee or contractor, can take
advantage of his/her position within the cloud systems to access sensitive information is becoming
higher and higher (Coppolino et al., 2017). Such insider threats are one of the major problems that
worry both organisations and users about cloud security in the future. According to research, the cost
of data lost and services impacted by malicious insiders is greater than the cost of those lost to
outsiders (Richardson, 2011). This is because insiders are far more knowledgeable than outsiders about
the intricacies of the cloud systems and the security protocols that are in place. Additionally,
existing research into identifying and solving insider threats to cloud security is almost
non-existent, especially at the relational database level (Yaseen et al., 2016). That is why in our
research we assume that organisations in society will emphasise improving research into insider
threats, as cloud security responsibilities get delineated further as per the shared responsibilities
model.

Conclusion
Despite the tremendous level of investment seen, many organisations are still lagging in adopting the
cloud as they are concerned about the security of their data and services. Nonetheless, cloud security
will play a pivotal role as more organisations move their digital operations from traditional in-house
IT systems to the cloud.

In this comprehensive literature review we were able to understand how cloud security operates, who
the stakeholders are that benefit from having a cloud security system in place, the challenges faced by
ISPs in implementing robust cloud security, and how organisations and society will push for further
development of cloud security in the future. The insights gained from this report should help
stakeholders understand that despite the risks seen, cloud security is growing. Any reservations that
organisations have in this regard are slated to be resolved as the cloud security industry matures.

References

Bhardwaj, A., Subrahmanyam, G., Avasthi, V. and Sastry, H. G. (2016). Solutions for DDoS attacks on
cloud. 2016 6th International Conference - Cloud System and Big Data Engineering (Confluence), Noida,
pp.163-167.

Baumann, A., Peinado, M. and Hunt, G. (2015). Shielding Applications from an Untrusted Cloud with
Haven. ACM Transactions on Computer Systems, 33(3), pp.1-26.

Chawki, E., Ahmed, A. and Zakariae, T. (2018). IaaS Cloud Model Security Issues on Behalf Cloud
Provider and User Security Behaviors. Procedia Computer Science, 134, pp.328-333.

Conger, K. and Lynley, M. (2019). Dropbox employee’s password reuse led to theft of 60M+ user
credentials. [online] TechCrunch. Available at:
https://techcrunch.com/2016/08/30/dropbox-employees-password-reuse-led-to-theft-of-60m-user-credentials/
[Accessed 2 Apr. 2019].

Coppolino, L., D’Antonio, S., Mazzeo, G. and Romano, L. (2017). Cloud security: Emerging threats and
current solutions. Computers & Electrical Engineering, 59, pp.126-140.

Docs.microsoft.com. (2019). The STRIDE Threat Model. [online] Available at:
https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20) [Accessed 2
Apr. 2019].

Fotiou, N., Machas, A., Polyzos, G. and Xylomenos, G. (2015). Access control as a service for the Cloud.
Journal of Internet Services and Applications.

Halabi, T. and Bellaiche, M. (2018). A broker-based framework for standardization and management of
Cloud Security-SLAs. Computers & Security, 75, pp.59-71.

Lee, J., Kim, Y. S., Kim, J. H. and Kim, I. K. (2017). Toward the SIEM architecture for cloud-based
security services. 2017 IEEE Conference on Communications and Network Security (CNS), Las Vegas, NV,
pp.398-399.

Jula, A., Sundararajan, E. and Othman, Z. (2014). Cloud computing service composition: A systematic
literature review. Expert Systems with Applications, 41(8), pp.3809-3824.

Khanai, R., Kulkarni, G. and Torse, D. (2014). Crypto-Coding as RSA-Turbo for Land Mobile Satellite
Channel. International Journal of Electronics and Electrical Engineering, 3(2).

Kandira, M., Mtsweni, J. and Padayachee, K. (2013). Cloud security and compliance concerns:
Demystifying stakeholders' roles and responsibilities. 8th International Conference for Internet
Technology and Secured Transactions (ICITST-2013), London, pp.653-658.

Panetta, K. (2019). Is the Cloud Secure?. [online] Gartner.com. Available at:
https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/ [Accessed 2 Apr. 2019].

Puthal, D., Sahoo, B., Mishra, S. and Swain, S. (2015). Cloud computing features, issues, and challenges:
a big picture. 2015 International Conference on Computational Intelligence and Networks, pp.116-123.

Richardson, R. (2011). 2010 / 2011 CSI Computer Crime and Security Survey.

Ridgway, B. and Simorjay, F. (2016). Microsoft Azure Security Response in the Cloud. Microsoft
Corporation.

Singh, A. and Chatterjee, K. (2017). Cloud security issues and challenges: A survey. Journal of Network
and Computer Applications, 79, pp.88-115.

Solanki, J., Davda, R., Jadeja, V. and Patel, C. (2017). A Survey : Cloud Computing Challenges &
Security Issues. International Journal of Modern Trends in Engineering & Research, 4(3), pp.57-61.

Somani, G., Gaur, M., Sanghi, D., Conti, M. and Buyya, R. (2017). DDoS attacks in cloud computing:
Issues, taxonomy, and future directions. Computer Communications, 107, pp.30-48.

Wenge, O., Lampe, U., Rensing, C. and Steinmetz, R. (2014). Security Information and Event Monitoring
as a Service: a Survey on Current Concerns and Solutions. PIK - Praxis der Informationsverarbeitung
und Kommunikation, 37(2).

Yaseen, Q., Althebyan, Q., Panda, B. and Jararweh, Y. (2016). Mitigating insider threat in cloud
relational databases. Security and Communication Networks, 9(10), pp.1132-1145.

ZOTA, R. and PETRE, I. (2014). An Overview of the Most Important Reference Architectures for Cloud
Computing. Informatica Economica, 18(4/2014), pp.26-39.
