One of the biggest reasons why cloud euphoria has not lived up to its name is security. Are the concerns about security real? Have we separated cloud specific security issues from generic security issues? Today we try to discuss the various vulnerabilities of cloud. However before we get started I need to formally define unambiguously certain commonly (mis) used terms in security literature. Many articles on cloud security tend to use terms like vulnerability, risk and threat interchangeably. However each of these terms means very different things.
Risk in general is defined as a product of likelihood of an undesirable event and the severity of such an event.
Risk = Likelihood of Occurrence × Severity of Occurrence
For example if a denial of service attack which is nominally likely to occur every month but can be rectified in two minutes with no loss in data or customer , is termed as low risk as compared to an attack that occurs once a year but mutilates or steals the sensitive customer data. The likelihood or frequency of attack in general is dependent on two factors. Firstly it is dependent on attack agents’ motivation which is in turn dependent on value of attack, Effort needed and risk for the attackers. Secondly it is dependent on access the agents have to the attack targets.
Risk in general is defined as a product of likelihood of an undesirable event and the severity of such an event.
Risk = Likelihood of Occurrence × Severity of Occurrence
For example if a denial of service attack which is nominally likely to occur every month but can be rectified in two minutes with no loss in data or customer , is termed as low risk as compared to an attack that occurs once a year but mutilates or steals the sensitive customer data. The likelihood or frequency of attack in general is dependent on two factors. Firstly it is dependent on attack agents’ motivation which is in turn dependent on value of attack, Effort needed and risk for the attackers. Secondly it is dependent on access the agents have to the attack targets.
Vulnerability is the probability that an asset will be unable to resist the actions of a threat agent. (Bernd Grobauer). Vulnerability is a attribute of a given system. For example cloud architecture is especially vulnerable to virtual machine escape (i.e - A virtual machine can be used to bypass the security protection in a host machine) .
"A Threat is a harmful act such as the deployment of a virus or illegal network penetration." (http://www.answers.com)
Now that we have got definitions out of the way , let us look at classifying cloud. This classification is useful to understand, isolate and neutralize specific security issues. Infrastructure as a service (IaaS), Platform as a service (PaaS) and Software as a service (SaaS) are three cloud computing paradigms. Each of these paradigms have different Threats, Vulnerabilities and Risks.
"A Threat is a harmful act such as the deployment of a virus or illegal network penetration." (http://www.answers.com)
Now that we have got definitions out of the way , let us look at classifying cloud. This classification is useful to understand, isolate and neutralize specific security issues. Infrastructure as a service (IaaS), Platform as a service (PaaS) and Software as a service (SaaS) are three cloud computing paradigms. Each of these paradigms have different Threats, Vulnerabilities and Risks.
In IaaS the users rent out space to place their data. They also rent out computing power to run their analytics. In this scenario one needs to ask two questions.
1. Is the data secure?
2. Is the code secure?
Data in IaaS particularly is prone to injection vulnerability. An SQL injection might rewrite or input wrong data. Also because a number of users share network infrastructure components, there is high risk of cross tenant attacks. Vulnerabilities related to Dynamic Host Con¬figuration Protocol, and IP protocol also become predominant. In IaaS model the physical security of infrastructure and disaster management to the infrastructure is also of importance. "Infrastructure not only pertains to the hardware where data is processed and stored but also the path where it is getting transmitted. "(Subashini S)
One example of PaaS is an enterprise application sitting on top of Googe App engine. In PaaS models the platform provider gives control to third parties to build applications on top of his platform. In order to enable multiple players to participate effectively, PaaS vendors generally have less built in protection capabilities. Moreover they are likely to provide access to parts of code to promote effective interface and API development.
In SaaS applications are remotely hosted by the application or service provider and made available to customers when it is demanded in a automated fashion. Here the cloud user is completely at the mercy of the cloud provider for security. There could be vulnerabilities related to data security, network security , data segregation web application security etc. Malicious users can exploit security in the cloud vendors systems by multiple means like cross site request forgery, SQL injection, cookie manipulation etc.
The next blogs will look at few of the vulnerabilities discussed above through few cases of cyber-attacks on cloud computing systems.
1. Is the data secure?
2. Is the code secure?
Data in IaaS particularly is prone to injection vulnerability. An SQL injection might rewrite or input wrong data. Also because a number of users share network infrastructure components, there is high risk of cross tenant attacks. Vulnerabilities related to Dynamic Host Con¬figuration Protocol, and IP protocol also become predominant. In IaaS model the physical security of infrastructure and disaster management to the infrastructure is also of importance. "Infrastructure not only pertains to the hardware where data is processed and stored but also the path where it is getting transmitted. "(Subashini S)
One example of PaaS is an enterprise application sitting on top of Googe App engine. In PaaS models the platform provider gives control to third parties to build applications on top of his platform. In order to enable multiple players to participate effectively, PaaS vendors generally have less built in protection capabilities. Moreover they are likely to provide access to parts of code to promote effective interface and API development.
In SaaS applications are remotely hosted by the application or service provider and made available to customers when it is demanded in a automated fashion. Here the cloud user is completely at the mercy of the cloud provider for security. There could be vulnerabilities related to data security, network security , data segregation web application security etc. Malicious users can exploit security in the cloud vendors systems by multiple means like cross site request forgery, SQL injection, cookie manipulation etc.
The next blogs will look at few of the vulnerabilities discussed above through few cases of cyber-attacks on cloud computing systems.
Bibliography
Bernd Grobauer, T. W. (n.d.). Understanding Cloud Computing Vulnerabilities.
http://www.answers.com. (n.d.). Retrieved from topic/risk-assessment.
Subashini S, K. V. (n.d.). A survey on security issues in service delivery models of cloud computing. JNetwork Comput Appl(2010),doi:10.1016/j.jnca.2010.07.006.
Bernd Grobauer, T. W. (n.d.). Understanding Cloud Computing Vulnerabilities.
http://www.answers.com. (n.d.). Retrieved from topic/risk-assessment.
Subashini S, K. V. (n.d.). A survey on security issues in service delivery models of cloud computing. JNetwork Comput Appl(2010),doi:10.1016/j.jnca.2010.07.006.
