Many organizations have adopted cloud computing. In this assignment, you will research cloud computing and explore its advantages and disadvantages. You will also consider best practices for adopting cloud computing, selecting a particular cloud computing service model, and assessing and mitigating security risks.

For your research, please consult Chapters 13 and 14 of your textbook and these articles:

Note: If you wish you may consult additional articles, but this is not required.

Requirements

Specifically, you will write a 3-4 page paper in which you:

  1. Outline the planning process that needs to be in place before adopting cloud computing.
    • Be sure to identify the stakeholders who need to be involved and the discussions that need to take place.
  2. Evaluate the advantages and disadvantages of cloud computing.
  3. Describe the methodology you would use to select a cloud computing service model.
  4. Review the security risks and mitigation activities that need to take place before adopting cloud computing.
  5. Go to Basic Search: Strayer University Online Library to locate and integrate into the assignment at least three quality, peer-reviewed academic resources, written within the past five years.
    • Include your textbook as one of your resources.
    • Wikipedia and similar websites do not qualify as quality resources.

Formatting

This course requires the use of Strayer Writing Standards (SWS). The library is your home for SWS assistance, including citations and formatting. Please refer to the Library site for all support. Check with your professor for any additional instructions.

Learning Outcomes

The specific course learning outcome associated with this assignment is:

  • Review the basic security implications of modern computing environments.

Patel & Alabisi – Volume 17, Issue 2 (2019)

© JNBIT Vol.17, Iss.2 (2019)

Journal of New Business Ideas & Trends, Vol. 17, Iss. 2, September 2019, pp. 11-19. http://www.jnbit.org

Cloud Computing Security Risks: Identification and Assessment

Kumar Patel, Managing Director, Enovasions Limited, Fiji

Antonina Alabisi, Westmead Hospital, NSW, Australia

Abstract

Purpose – The purpose of this paper is to explore the issues of security risks for the various types of cloud computing in an endeavour to provide a succinct overview.

Design/methodology/approach – The approach employed in this paper involves an assessment of the literature relating to cloud computing security risks in order to provide a synthesis of the issues.

Originality/value – The assessment leads to a concise focus of the security issues for cloud computing services and guidance for considering the practical application of cloud computing risk evaluation.

Keywords: Cloud computing; security risks; risk management.

JEL Classifications: O33
PsycINFO Classifications: 4120
FoR Codes: 0803
ERA Journal ID #: 40840

Introduction

Cloud computing is arguably both an innovation in technology and an avenue for new business ventures. However, the revelations made by Snowden that the USA had been conducting mass surveillance and data collection through the US National Security Agency (NSA) and various other national intelligence agencies have created additional concerns about security when it comes to the cloud (Landau, 2013; Bauman et al., 2014). As early as 2013 the German government adopted a particularly aggressive stance by seeking to mitigate the dangers of cloud technology by creating secure data centres in Germany specifically for email traffic. The use of SSL encryption was viewed as a way in which to restrict foreign jurisdictions from gaining access. On August 31, 2014, a collection of almost 500 private pictures of various celebrities, mostly women, was hacked from the online storage offered by Apple's iCloud platform, which is the source for automatically backing up photos from iOS devices such as iPhones (Satti, 2015; Bai, Xing, Zhang, Wang, Liao, Li & Hu, 2017).

Cloud computing has been heralded as an innovation in information system architecture, with efficient usage of computer hardware resources (Zissis & Lekkas, 2010). However, the exponential growth in the development and use of web based systems and computer technology brings with it an increased risk of security breaches from hacking (Monrose & Rubin, 1999; Choo, 2011; Teh, Teoh & Yue, 2013). The banking industry is a prime example of a high profile industry sector that has been the focus of the greatest number of attacks (Choo, 2011). In this regard the security of cloud based systems is also becoming a high risk prospect for cyber crime (Kaufman, 2009).

Subsequently, there has been a growth in the literature regarding risks and concepts for dealing with cloud security. For the most part it is important to bring these disparate concepts of the issues and the various approaches together in an effort to better understand the recognition of the risks and the various methods for dealing with security. This paper is therefore concerned with drawing the information from the literature together in an effort to present a general overview.

Background

The National Institute of Standards and Technology (NIST) proposed a broad ranging definition of cloud computing and set out what they considered to be five essential features, three service models and four deployment models (Mell & Grance, 2011). The five essential features encompass: virtualized computing resource pool, broad network access, rapid elasticity, on-demand self-service, measured service. The three service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS); the four deployment models are private cloud, community cloud, public cloud and hybrid cloud.

With regard to the service models, Infrastructure as a Service (IaaS), as the name implies, involves a single tenant cloud layer where the cloud computing vendor’s dedicated resources are only shared with contracted clients at a pay-per-use fee. Software as a Service (SaaS) also operates on the pay-per-use costing model, with software applications being leased out to contracted organisations by specialised SaaS vendors. Platform as a Service (PaaS) works on a similar basis to IaaS; however, it provides an additional level of “rented” functionality. So there are different types of cloud computing services in much the same way as there are different types of clouds that exist in the sky¹.

A public cloud allows users access to the cloud via interfaces using mainstream web browsers. Public clouds are less secure than the other cloud models because of the additional need to ensure that all applications and data accessed on the public cloud are not subjected to malicious attacks. A private cloud is established within an organisation and is therefore easier to align with the security, compliance, and regulatory requirements, providing greater control over deployment and use. In contrast, a hybrid cloud is a private cloud which is linked to one or more external cloud services, although it is centrally managed, acts as a single unit, and has a secure network. It consists of a mix of both public and private clouds. Hybrid clouds provide greater secure control over the data and applications even though they allow various parties to access information over the Internet.

Access to any of the cloud services is gained from two main technologies. Firstly, Web Services are commonly used to provide access to IaaS. Secondly, Web browsers are used in order to access SaaS applications. When it comes to PaaS environments both approaches are used. The common thread here is the use of the internet to gain access to any of the cloud models, and it is this aspect that raises the risk factor when it comes to the potential for hacking to occur. Thus, the complexity of security risk is further compounded by the reliance on the internet/web as the over-riding intermediary (see Figure 1).

Figure 1:

Cloud Delivery Models and Deployment Models in the Internet / Web

Security Risks

There are various types of security risks and these vary according to the distinguishing types of cloud computing environment models. To commence this introspective analysis, Chea, Duanb, Zhanga, and Fana (2011) proposed that security risks could be identified as falling within the requirements for three specific parties, that is, customers, service providers and government.

¹ This is an interesting metaphor and arguably shares some similarities with actual cloud formations, of which notably there are 10 types – 3 high level; 4 mid-level; and 3 low level. The use of metaphors in the computing discipline is not surprising and is a common occurrence with examples being – the mouse; the memory (RAM); the speed (Chip speed); and of course, artificial intelligence (AI).

Security risks – customers:

The security risks that customers face in the cloud environment are generally:

1) Potential downtime with an impact on business – this cannot be totally avoided;

2) Exposure of commercial secrets – this cannot be totally avoided;

3) The privilege status of the cloud service provider gives rise to concerns over issues such as fault elimination, damage compensation and business migration etc.

Security risks – service providers:

The security risks that service providers face in the cloud environment encompass:

1) Assurance of the long-term secure operation of the cloud data center – isolate potential fault to reduce or minimise their influence;

2) Protection against the numerous and aggressive network hackers is a disturbing security problem;

3) Need to effectively and securely manage demands of customers – identify and block any malicious customers (an unavoidable task).

Security risks – government:

The security risks that government departments face in the cloud computing environment are likely to be:

1) Need to enhance the security protection of a mass-scale data center;

2) A means to securely manage the numerous and various scale cloud service providers;

3) Evaluation and ranking of the security level of cloud service providers which extends to include the security credit of other cloud customers, and a proactive alarm mechanism for malicious programs.

Whilst these are intuitively obvious in most respects, they are broad in their application to those specific groups and as such remain as general concerns to be aware of in the assessment process. With regard to the deployment models, the security risks have been summarised in a number of papers, in particular Subashini and Kavitha (2010) and Chou (2013). Whilst various terminology and issues are involved, it is reasonable to assume that the concepts remain virtually consistent. In essence these can be briefly summarised in regard to the particular service model to which they apply:

SaaS security issues:

• Data security – which in itself requires attention be paid to:
    o Cross-site scripting (XSS);
    o Access control weaknesses;
    o OS and SQL injection flaws;
    o Cross-site request forgery (CSRF);
    o Cookie manipulation;
    o Hidden field manipulation;
    o Insecure storage;
    o Insecure confirmation.

• Network security – which requires assessment be made of:
    o Network penetration and packet analysis;
    o Session management weaknesses;
    o Insecure SSL trust configuration.

• Data locality – this is of particular concern since the location of the data storage will be regulated by the legislation within the country in which it resides:
    o Compliance and data privacy laws;
    o Jurisdiction for legal action.

• Data segregation – given that there are inevitably multiple users storing their data at the same cloud site, the issues of concern are:
    o SQL injection flaws;
    o Data validation;
    o Insecure storage.

• Data access – here too the concern arises from the potential risks arising from multiple users being involved:
    o Security policies;
    o Limitations on levels of users.

• Authentication and authorization – this covers aspects of the methods of data access security levels:

PaaS security issues: This is dealt with in a much more succinct manner with the issues specifically relating to:

• Security features and capabilities – in effect consideration of degree of flexibility to layer additional security;

• Metrics on vulnerability – including patch coverage and application coding;

• Service Oriented Architecture (SOA) applications – machine to machine vulnerabilities.

IaaS security issues: Here too this is dealt with in a succinct manner and the issues in this area are identified as being:

• Public cloud versus private cloud – there being greater risks associated with the public cloud;

• Physical security – there needs to be attention to the security of infrastructure and a disaster management plan;

• Encryption and security measures – cloud systems operate through the internet and as such transmission of data is vulnerable to the same risks as face the internet.

As an alternative perspective, Zissis and Lekkas (2012) approached the security risks and requirements for the service cloud models on two basic levels, which they referred to as the application level and the virtual level. The application level they proposed encompassed the software as a service model (SaaS) and the virtual level included both the platform as a service (PaaS) and the infrastructure as a service (IaaS) model. The details of their assessment of the security issues are therefore:

SaaS (Application level):

• Threats:
    o Interception;
    o Modification of data at rest and in transit;
    o Data interruption (deletion);
    o Privacy breach;
    o Impersonation;
    o Session hijacking;
    o Traffic flow analysis;
    o Exposure in network.

• Security requirements:
    o Privacy in multitenant environment;
    o Data protection from exposure;
    o Access control;
    o Communication protection;
    o Software security;
    o Service availability.

PaaS and IaaS (Virtual level):

• Threats:
    o Programming flaws;
    o Software modification;
    o Software interruption (deletion);
    o Impersonation;
    o Session hijacking;
    o Traffic flow analysis;
    o Exposure in network;
    o Defacement;
    o Connection flooding;
    o DDOS;
    o Disrupting communications.

• Security requirements:
    o Access control;
    o Application security;
    o Data security (data in transit, at rest and remanence);
    o Cloud management control security;
    o Secure images;
    o Virtual cloud protection;
    o Communication security.

In essence there are a number of issues and concepts that, although the terminology may differ, remain for all intents and purposes as covering the same or very similar aspects as raised in the overview of Subashini and Kavitha (2010) and Chou (2013).

Risk Management

Having determined that there are a variety of risks inherent in the use of cloud computing, it then becomes a matter of seeking to evaluate the risks in terms of their impact upon the business emanating from the most appropriate form of cloud computing. To assist in this, the application of risk management techniques is arguably the best way forward. The notion of risk management has links to the general insurance field dating back some considerable time (Laing, 1992a, 1992b). In more recent times the treatment of risk management has come under the control of the International Standards ISO 31000 which was originally published in 2009 and then updated in February 2018. Employing the guidelines of ISO 31000: 2009 in conjunction with the work of Fito and Guitart (2014) developed a risk management approach for assessing cloud computing risks with attention focusing on the application for considering a PaaS cloud model.

Whilst there is ample guidance in the ISO 31000 it is interesting to draw on the original concepts and bring these together for the evaluation process. This is done to provide the development of a more general framework for use in the evaluation of cloud computing models. A specific risk management framework is presented in Figure 2.

Figure 2:

Risk Management framework for Cloud Risk Evaluation

This framework forms the basis for the risk management evaluation which follows. For the purpose of this example the four common threats to all three deployment clouds will be used. Given that they are common threats there is some degree of serendipity in the evaluation concerns.

Step 1 is the establishment of the context and in this example the context is the selection of a cloud deployment model.

Step 2 involves the identification of the threats or risks and here the four threats common to all three are:

    o Impersonation;
    o Session hijacking;
    o Traffic flow analysis;
    o Exposure in network.

Step 3 is the analysis phase and, to assist in this process, the work done by the European Network and Information Security Agency (2012) employing the guidelines of ISO 31000: 2009, in conjunction with the work of Fito and Guitart (2014), is used to inform the development of the risk matrix/grid.

The matrix / grid with an explanatory legend that is employed for this example is presented in Figure 3.

Figure 3:

Risk Matrix / Grid

                             Impact
Probability      Very Low   Low   Moderate   High   Very High
Almost Certain   H          H     E          E      E
Likely           M          H     H          E      E
Probable         L          M     H          E      E
Unlikely         L          L     M          H      E
Rare             L          L     M          H      H

Rating   Descriptor     Action
E        Extreme Risk   Never acceptable. Immediate action required.
H        High Risk      Not acceptable. Attention required.
M        Medium Risk    Acceptable risk. Monitor and review.
L        Low Risk       Acceptable risk. Routine monitoring.

The analysis of the four threats / risks with reference to the evaluations provided by the European Network and Information Security Agency (2012) with additional consideration from the assessment undertaken by Fito and Guitart (2014) result in the following assessments.

Impersonation – Probability: Medium; Impact: High; Risk: Medium

Session hijacking – Probability: Medium; Impact: Very High; Risk: High

Traffic flow analysis – Probability: Medium; Impact: High; Risk: Medium

Exposure in network – Probability: Medium; Impact: Very High; Risk: High

Step 4: armed with the above risk assessments, two of the threats, impersonation and traffic flow analysis, have a medium risk and would therefore be considered as acceptable. However, the remaining two threats, session hijacking and exposure in the network, present as having high risk and these require further attention. The first question that needs to be asked is whether the risks can be reduced. This would require determining exactly what actions need to be undertaken; once the risks are reduced, they would need to be reassessed. Should reduction not be possible, it would then be necessary to consider whether they can be transferred, either by insurance or some other form of mitigation. Failing a satisfactory reduction in the risks, the decision would be to reject the cloud model and investigate an alternative (which may be an alternative cloud model).

Step 5: on the assumption that the means to satisfactorily deal with the threats and risks were found and implemented, the decision would be to proceed with the cloud model and establish a policy for the monitoring of the risks on a regular basis.
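The five steps above, as an added example that is not from the paper: the Figure 3 grid as a lookup, the Step 4 reduce, transfer or reject decision, and the Step 5 decision to proceed. The Step 3 ratings are taken as the page states them, since "Medium" is not a probability row in Figure 3; the residual (probability, impact) estimates and the transferable flags are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

IMPACTS = ("Very Low", "Low", "Moderate", "High", "Very High")

# Figure 3 grid: one row per probability label, one letter per impact column.
GRID = {
    "Almost Certain": "HHEEE",
    "Likely": "MHHEE",
    "Probable": "LMHEE",
    "Unlikely": "LLMHE",
    "Rare": "LLMHH",
}

# Figure 3 legend; the acceptable ratings are derived from its wording.
ACTIONS = {
    "E": "Never acceptable. Immediate action required.",
    "H": "Not acceptable. Attention required.",
    "M": "Acceptable risk. Monitor and review.",
    "L": "Acceptable risk. Routine monitoring.",
}
ACCEPTABLE = {r for r, action in ACTIONS.items() if action.startswith("Acceptable")}


def grid_rating(probability: str, impact: str) -> str:
    """Return the Figure 3 rating letter; refuse labels the grid does not define."""
    if probability not in GRID:
        raise ValueError(f"{probability!r} is not a probability row in Figure 3")
    if impact not in IMPACTS:
        raise ValueError(f"{impact!r} is not an impact column in Figure 3")
    return GRID[probability][IMPACTS.index(impact)]


@dataclass
class Threat:
    name: str
    rating: str  # Step 3 rating letter, as stated on the page
    residual: Optional[Tuple[str, str]] = None  # constructed (probability, impact) after reduction
    transferable: bool = False  # constructed: insurance or similar is available


def treat(threat: Threat) -> Tuple[str, str]:
    """Step 4 for one threat: return (decision, rating after treatment)."""
    rating = threat.rating
    if rating in ACCEPTABLE:
        return "accept", rating
    if threat.residual is not None:
        rating = grid_rating(*threat.residual)  # reassess once reduced
        if rating in ACCEPTABLE:
            return "reduce", rating
    if threat.transferable:
        return "transfer", rating
    return "reject", rating


def evaluate_model(threats):
    """Steps 4 and 5: reject the model if any threat stays untreated, else monitor."""
    plan = {t.name: treat(t) for t in threats}
    blocking = [name for name, (decision, _) in plan.items() if decision == "reject"]
    if blocking:
        return {"decision": "reject cloud model", "blocking": blocking, "plan": plan}
    # Step 5: proceed and keep every risk under regular review.
    return {"decision": "proceed", "blocking": [], "plan": plan, "monitor": sorted(plan)}


# Ratings are the page's Step 3 results; residual/transferable values are constructed.
PAGE_THREATS = [
    Threat("Impersonation", "M"),
    Threat("Session hijacking", "H", residual=("Rare", "Moderate")),
    Threat("Traffic flow analysis", "M"),
    Threat("Exposure in network", "H", residual=("Unlikely", "High"), transferable=True),
]

if __name__ == "__main__":
    result = evaluate_model(PAGE_THREATS)
    print(result["decision"])
    for name, (decision, rating) in result["plan"].items():
        print(f"{name}: {decision} -> {rating} ({ACTIONS[rating]})")
```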

Conclusion

The security and the risks associated with the various cloud computing models may well be outweighed by other matters. For example, the costs to a business can not be overlooked and the cloud computing models offer benefits that undoubtedly need to be given consideration. To that end future research may prove beneficial in incorporating the benefits into the evaluation process and extending the framework to accommodate the alternative perspectives.

Further research may also provide the means to reduce the threats and risks by merging them into categories that share very similar properties. This might be achievable through the use of statistical evaluation techniques such as factor analysis.

References

Bai, X., Xing, L., Zhang, N., Wang, X., Liao, X., Li, T., & Hu, S. M. (2017). Apple ZeroConf holes: How hackers can steal iPhone photos. IEEE Security & Privacy, 15(2), 42-49.

Bauman, Z., Bigo, D., Esteves, P., Guild, E., Jabri, V., Lyon, D., & Walker, R. B. (2014). After Snowden: Rethinking the impact of surveillance. International political sociology, 8(2), 121-144.

Chea, J., Duanb, Y., Zhanga, T. & Fana, J. (2011). Study on the security models and strategies of cloud computing, Procedia Engineering 23, 586–593.

Choo, K. K. R. (2011). The cyber threat landscape: Challenges and future research directions. Computers & Security, 30(8), 719-731.

Chou, T. S. (2013). Security threats on cloud computing vulnerabilities. International Journal of Computer Science & Information Technology, 5(3), 79-88.

European Network and Information Security Agency (2012). Cloud Computing: Benefits, risks and recommendations for information security, www.enisa.europa.eu

Fito, J. O. & Guitart, J. (2014). Business-driven management of infrastructure-level risks in Cloud providers, Future Generation Computer Systems, 32, 41-53.

Kaufman, L. M. (2009). Data security in the world of cloud computing. IEEE Security & Privacy, 7(4), 61-64.

Laing, G.K. (1992a). The Function of Risk Management, Australian Insurance Institute Journal, February, 49-50.

Laing, G.K. (1992 b). Risk Management and the Role of the Insurance Broker, Australian Insurance Institute Journal, July, 53-54.

Landau, S. (2013). Making sense from Snowden: What's significant in the NSA surveillance revelations. IEEE Security & Privacy, 11(4), 54-63.

Mell, P. & Grance, T. (2011). The NIST Definition of Cloud Computing – Special Publication 800-145, National Institute of Standards and Technology – U.S. Department of Commerce: Gaithersburg, MD. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

Monrose, F. & Rubin, A. (2000). Keystroke dynamics as a biometric for authentication, Future Generation Computer Systems, 16, 351-359.

Oestreicher, K. (2014). A forensically robust method for acquisition of iCloud data. Digital Investigation, 11, S106-S113.

Satti, C. (2015). A Call to (Cyber) Arms: Applicable Statutes and Suggested Courses of Action for the Celebrity iCloud Hacking Scandal. Quinnipiac Law Review, 34, 561-581.

Subashini, S. & Kavitha, V. (2010). A survey on security issues in service delivery models of cloud computing, Journal of Network and Computer Applications, 34(1), 1-11.

Teh, P., Teoh, A. & Yue, S. (2013). A Survey of Keystroke Dynamics Biometrics, Scientific World Journal, 1-24.

Zissis, D. & Lekkas, D. (2010). Addressing cloud computing security issues, Future Generation Computer Systems, 28, 583-592.

Copyright of Journal of New Business Ideas & Trends is the property of Australian Business Education Research Association and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.

TELKOMNIKA, Vol.17, No.6, December 2019, pp.2812~2817
ISSN: 1693-6930, accredited First Grade by Kemenristekdikti, Decree No: 21/E/KPT/2018
DOI: 10.12928/TELKOMNIKA.v17i6.12490

Received February 5, 2019; Revised June 6, 2019; Accepted July 2, 2019

A brief review: security issues in cloud computing and their solutions

Iqbal Ahmed
Department of Computer Science and Engineering, University of Chittagong, Chittagong-4331, Bangladesh
*Corresponding author, e-mail: [email protected]

Cloud computing is an Internet-based, emerging technology that tends to be prevailing in our environment, especially in the fields of computer science and information technology which require network computing on a large scale. Cloud computing is a shared pool of services which is gaining popularity due to its cost, effectiveness, availability and great production. Along with its numerous benefits, cloud computing brings a much more challenging situation regarding data privacy, data protection, authenticated access, intellectual property rights, etc. Due to these issues, adoption of cloud computing is becoming difficult in today’s world. In this review paper, various security issues regarding data privacy and reliability, key factors which are affecting cloud computing, have been addressed and also suggestions on particular areas have been discussed.

Keywords: cloud computing, cloud security, data encryption, data protection, digital signature

Copyright © 2019 Universitas Ahmad Dahlan. All rights reserved.

1. Introduction

Cloud computing is an internet-based service that gives the facility of sharing computer resources along with other devices on user demand. It is a mechanism to enable on-demand shared resources, for example servers, data centres, networks, storage applications which can store data, that can be generated with minimum effort. In addition, cloud computing provides the facility to organizations and users to keep their data in a private or third-party storage location, and these locations/data centres may be located far away from the user, possibly in some other city or country. National In
