What are security issues which are specific to cloud computing?

Question

Moving almost everything to the Cloud gradually becomes a mainstream.

Are there any security issues, which appeared together with this trend?

What everybody should check out, from the security point of view, before moving its webapps and databases to the Amazon Cloud, Azure, etc.?

Answer 1

There's an infinite amount of security issues with the cloud. To see a nasty laundry list, check out ENISA's documents.

Answer 2

From the ENISA pdf that @atdre already linked to in his answer.

LOSS OF GOVERNANCE: in using cloud infrastructures, the client necessarily cedes control to the Cloud Provider (CP) on a number of issues which may affect security. At the same time, SLAs may not offer a commitment to provide such services on the part of the cloud provider, thus leaving a gap in security defences.
LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment. This introduces a dependency on a particular CP for service provision, especially if data portability, as the most fundamental aspect, is not enabled..
ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computing. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks). However it should be considered that attacks on resource isolation mechanisms (e.g.,. against hypervisors) are still less numerous and much more difficult for an attacker to put in practice compared to attacks on traditional OSs.
COMPLIANCE RISKS: investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud:
if the CP cannot provide evidence of their own compliance with the relevant requirements
if the CP does not permit audit by the cloud customer (CC).
In certain cases, it also means that using a public cloud infrastructure implies that certain kinds of compliance cannot be achieved (e.g., PCI DSS (4)).
MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.
DATA PROTECTION: cloud computing poses several data protection risks for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated clouds. On the other hand, some cloud providers do provide information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the data controls they have in place, e.g., SAS70 certification.
INSECURE OR INCOMPLETE DATA DELETION: when a request to delete a cloud resource is made, as with most operating systems, this may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a customer perspective), either because extra copies of data are stored but are not available, or because the disk to be destroyed also stores data from other clients. In the case of multiple tenancies and the reuse of hardware resources, this represents a higher risk to the customer than with dedicated hardware.
MALICIOUS INSIDER: while usually less likely, the damage which may be caused by malicious insiders is often far greater. Cloud architectures necessitate certain roles which are extremely high-risk. Examples include CP system administrators and managed security service providers.

Answer 3

A small subset of security issues (not necessarily new per se to cloud, but definitely more difficult) :

• Access control
• Privacy and confidentiality
• Availability (how strong is your SLA, really? does your provider indemnify for any damages resulting from being offline?)
• connection with internal systems - you'll often have to punch open holes in your firewall to allow some other protocols to get to your sensitive, internal systems.
• Compliance - there are some regulations, notably PCI-DSS, that you currently cannot reach compliance with, if you are using cloud-based systems. Note that they might not explicitly disallow cloud-systems, but it is simply impossible to be compliant while using cloud-systems as they are today.
• There are certain laws, in some countries, that forbid you from moving private data of their citizens out of their country. There are other countries, where you don't want to move your data into, as you do not want to be subject to their laws... When you're clouding, you don't really know where your systems and data are located, so how can you ensure your users anything wrt their location? For that matter how do you know which laws you must comply with at which time? And how do you know you're not already illegal?

Answer 4

I can highly recommend this survey of security issues with cloud-based hosting: Self Hosting vs. Cloud Hosting: Accounting for the security impact of hosting in the cloud.

Answer 5

There was just a blog post from Lenny Zeltser on this topic: Top 10 Cloud Security Risks

Most of his points talk about the problem that you don't have full control over the infrastructure anymore, and might not even know how it works internally. One also doesn't know anymore who else is on the same system, and a vulnerability in their system might leak over to your data.

Another problem is that you have to trust an outsider to secure your data. A wrong configuration and all your data might leak.

Answer 6

In order to ensure that data is secure and that data privacy is maintained, cloud computing providers attend to the following areas:

Data protection - To be considered protected, data from one customer must be properly segregated from that of another; it must be stored securely when “at rest” and it must be able to move securely from one location to another. Cloud providers have systems in place to prevent data leaks or access by third parties. Proper separation of duties should ensure that auditing and/or monitoring cannot be defeated, even by privileged users at the cloud provider.

Identity management - Every enterprise will have its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer’s identity management system into their own infrastructure, using federation or SSO technology, or provide an identity management solution of their own.

Physical and personnel security - Providers ensure that physical machines are adequately secure and that access to these machines as well as all relevant customer data is not only restricted but that access is documented.

Availability - Cloud providers assure customers that they will have regular and predictable access to their data and applications.

Application security - Cloud providers ensure that applications available as a service via the cloud are secure by implementing testing and acceptance procedures for outsourced or packaged application code. It also requires application security measures (application-level firewalls) be in place in the production environment.

Privacy - Finally, providers ensure that all critical data (credit card numbers, for example) are masked and that only authorized users have access to data in its entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud.

For more info regarding Cloud Computing in India visit - Link Removed by mod

Answer 7

Practically speaking, I've seen companies move websites into the cloud without a code review. The code was written for a single machine running ASP.NET.

The cloud mostly offers scale-out abilities. If the site wasn't made to scale out, then concurrency issues arise with data integrity or session security. To deal with these problems developers will either remove the non-concurrent code (sometimes making it less secure) or rewriting the code needed to support sessionless, concurrent deployments.

Answer 8

In addition to AviD's good points, the following are also very important:

• Availability - yes, AviD mentioned it, but I can't stress enough how critical it is that you understand your reliance on the cloud. Often cloud providers mention the invulnerability of the cloud, but in reality a denial of service attack is still valid if you can't access your application on a timely basis.
• Regulatory Compliance - on two fronts: where is your data? Can you guarantee it remains in the correct jurisdiction, and for e-discovery, can you guarantee you have retrieved every item of data connected with an individual/event?

The cloud makes both of these harder to confirm.

Answer 9

NIST came out in 2020 with NISTIR 8006, NIST Cloud Computing Forensic Science Challenges | CSRC. It documents and categorizes challenges specific to forensic investigation of cloud computing, but that includes lots of related issues.

Here is the list of challenges from section 3.2.3 Categorization of Challenges:

• Architecture (e.g., diversity, complexity, provenance, multi-tenancy, data segregation).
  • Dealing with variability in cloud architectures between Providers
  • Tenant data compartmentalization and isolation during resource provisioning
  • Proliferation of systems, locations, and endpoints that can store data
  • Accurate and secure provenance for maintaining and preserving chain of custody
• Data collection (e.g., data integrity, data recovery, data location, imaging).
  • Locating forensic artifacts in large, distributed, and dynamic systems
  • Locating and collecting volatile data
  • Data collection from virtual machines
  • Data integrity in a multi-tenant environment where data is shared among multiple computers in multiple locations and accessible by multiple parties
  • Inability to image all of the forensic artifacts in the cloud
  • Accessing the data of one tenant without breaching the confidentiality of other tenants
  • Recovery of deleted data in a shared and distributed virtual environment
• Analysis (e.g., correlation, reconstruction, time synchronization, logs, metadata, timelines).
  • Correlation of forensic artifacts across and within cloud Providers
  • Reconstruction of events from virtual images or storage
  • Integrity of metadata
  • Timeline analysis of log data, including synchronization of timestamps
• Anti-forensics (e.g., obfuscation, data hiding, malware). Anti-forensics are a set of techniques used specifically to prevent or mislead forensic analysis.
  • The use of obfuscation, malware, data hiding, or other techniques to compromise the integrity of evidence
  • Malware may circumvent virtual machine isolation methods
• Incident first responders (e.g., trustworthiness of cloud Providers, response time, reconstruction).
  • Confidence, competence, and trustworthiness of the cloud Providers to act as first responders and perform data collection
  • Difficulty in performing initial triage
  • Processing a large volume of collected forensic artifacts
• Role management (e.g., data owners, identity management, users, access control). Role
  • Uniquely identifying the owner of an account
  • Decoupling between cloud user credentials and physical users
  • Ease of anonymity and creating fictitious identities online
  • Determining exact ownership of data
  • Authentication and access control
• Legal (e.g., jurisdictions, laws, service level agreements, contracts, subpoenas, international cooperation, privacy, ethics).
  • Identifying and addressing issues of jurisdictions for legal access to data
  • Lack of effective channels for international communication and cooperation during an investigation
  • Data acquisition that relies on the cooperation of cloud Providers, as well as their competence and trustworthiness
  • Missing terms in contracts and service level agreements
  • Issuing subpoenas without knowledge of the physical location of data
• Standards (e.g., standard operating procedures, interoperability, testing, validation).
  • Lack of even minimum/basic SOPs, practices, and tools
  • Lack of interoperability among cloud Providers
  • Lack of test and validation procedures
• Training (e.g., forensic investigators, cloud Providers, qualification, certification).
  • Misuse of digital forensic training materials that are not applicable to cloud forensics
  • Lack of cloud forensic training and expertise for both investigators and instructors
  • Limited knowledge by record-keeping personnel in cloud Providers about evidence

Answer 10

Virtualization, that is the root of cloud computing technology, removes so called term "perimeter", that was like a guide in usual DC's (data centers) where to start defense and what to do. As the most data in clouds are transferred between physical servers, virtual machines, there is decreased control of such system - less possibilities for network segmentation and usage of hardware-type protection. Such new DC virtualization requires new access policy and data management software.

There was created non-profit organization Cloud Security Alliance (CSA) that aims cloud security: http://www.cloudsecurityalliance.org/. There you can find guide, best-practices of how to deal with cloud computing.

Answer 11

Multi-tenant environments are vulnerable to Related Domain Cookie attacks

• There is no practical resolution for the moment

• The RFC TLS-OBC (described in the user friendly http://www.browserauth.net/ site) has not been generally adopted