Cloud computing brings convenience and cost savings but at the same time, it raises issues about security. Cloud computing security issues arise at the provider’s end where he has to implement a variety of features to assure the data servers are covered by a high level security blanket. Since virtualization introduces another layer, providing security becomes more complicated. The customer implicitly trusts service providers to keep data safe and secure and at their end they may relax security implementation. Fears about cloud security have led companies to go in for private cloud. Even these environments cannot be said to be completely secure though protected by firewalls.
1)Privacy, Data Security and data integrity
Privacy was, and remains, one of the chief concerns in cloud architecture that has not been satisfactorily resolved. One reason is that different countries have different laws concerning privacy in respect of data stored in servers operating in their country, though the person to whom that data belongs may be in another country. A cloud service provider may assure clients that data is absolutely safe but he may be obligated by law to give officials access to that data whether the client agrees or not. Another vexing matter is that laws have not been amended to cover all forms of data and may consider only emails and text messages for the purpose of private information. Data, unfortunately, is not given the same consideration as physical property. If, by law, data is accessed, officials can also lay their hands on data of other clients stored on the same hard disk raising risk of collateral damage.
2)Data confidentiality in the cloud
Another contentious issue is that staff of the cloud service provider has access to data and even though encrypted, such data could easily be accessed and tampered.
3)Data streaming security
In a cloud environment data is streamed through the internet. If it travels through secure “https” channels, data can be said to be safe and secure. However, when data streams over open lines, even though encrypted, the packets can be accessed. Access to data depends on the expertise of the hacker in decryption data packets. Additionally, since data in the cloud is accessed frequently, the chances of errors can lead to data corruption or illegal access by eavesdroppers.
4)IAAS, SAAS and PAAS each with its own set of issues
Cloud computing has three different pathways: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (Saas). Each has vulnerabilities that are not fully resolved. For instance, software as a service deploys the same software used in networked and desktop environments and developers have yet to develop secure coding that will plug loopholes and guard against penetration.
5)Service Level agreements
Cloud service providers have their own service level agreements aligned to fit in with their method of operation. These SLAs may not perfectly match client expectations in terms of security and safety.There are plenty of contentious, unresolved questions such as who shares physical and logical resources and about audits and assessments. Is there any mechanism in place to safeguard data in case of a lockout caused by legal action against another client sharing the same hard disk space? Do cloud service providers have a mechanism in place for assured data destruction on all servers if a client wishes to discontinue services? Of course, the permanent question is about a service provider’s continued viability to be up and available at all times. A couple of cloud service providers have folded over and users are understandably concerned about security of their data.
As existing issues are addressed and resolved to some extent or even completely, and as cloud services expand, as yet unforeseen issues are likely to arise. In the present scenario, it is caveat emptor, or let the service user be extremely careful and cautious.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
The security issues decribed in this article are not particular relevant for cloud services, they exists in the “old” traditional world of out-sourcing as well. As a matter of fact I have the opinion that with cloud computing there’s more attention for security than ever before. More and more encryption of data is getting common practise these days as in the past the data often wasn’t encrypted at all, not even to speak of the usage of unsecure protocols used to get the data on the storage. Laws to access data is there for over a decade, so that’s not changed with cloud.
I absolutely agree with you that security is and will ever be a major subject within the IT, but the issues decribed in this article are not especially caused by using the cloud. It’s relevant for all components within IT. I doubt if it will ever be secure enough, as it is an ongoing “game”. The best you can do is to make it as secure as you can without losing customer usability. The most important thing is to make sure that if data is accessed by unauthorised people you know it immediatly and know what to do to resolve the security threat.
Regards,
Rick van der Mieden
These risks are real, existing both onsite and off as mentioned in the above comment. I think as we transition into the cloud, it is important to take the same precautions that we take out of the cloud, in it – developing a best practices IT strategy. What can be tricky is that SaaS applications (like Salesforce.com) aren’t always easy to add security levels to. However, having a solution in place that works with the SaaS application to backup, archive and restore your data is a best practice onsite that can follow you into the cloud, eliminating the risk of losing valuable data. Check out the blog post I wrote on the value vs. risk of moving to the cloud: http://blog.backupify.com/2013/01/14/how-will-you-make-the-jump-to-the-cloud-a-review-of-value-vs-risk/