What are some of the best security practises we should adopt for our cloud computing endeavors? Cloud computing has come a long way since its introduction into the mainstream internet with services such as dropbox, and now Microsoft Office online. With more companies now using cloud computing as part of their enterprise solutions, it’s a must that you have proper security in place.
The Cloud Security Alliance (CSA) identified a number of security issues facing users of cloud computing. One of the biggest issues was reported to be data loss, and data leakage. The solution to this was considered to be encrypted data, as a way to reduce the impact of a breach. However if you lose the data encryption key then you also lose the data too. If instead you try to use offline backups through tape, or multiple servers then you expose yourself to the possibility of a data breach, and someone gaining access easily.
Another big security concern with cloud computing is data loss. With cloud computing you are relying on the service provider to have a good enough system in place that backups happen automatically, and the servers that they use are secure from hacking. You have to consider that they might be vulnerable to natural disasters, such as a flood, fire, or even an earthquake. You have to also check with your local government regulations to see if you have to comply with local legislation as to where you store your data, especially if you are in the public sector.
Service traffic hijacking is another cloud computing security issue. An attacker can easily intercept your traffic via an outside network connection and then eavesdrop on your traffic with a program such as wireshark. They could easily manipulate transactions and data, and return false information such as links to illegitimate sites. This could be something like fake online banking sites to a large staff base, where their login information is captured. The key to preventing this security risk is to protect your login credentials, and limit access to certain parts of systems that users don’t require. There should be strong 2 factor authentication used when there is access between users and services.
Interfaces & API’s
The CSA identified another threat to cloud computing security in business. This threat was through insecure interfaces and API’s. IT network administrators rely on the interface to provide them with the ability for management, provisioning, and monitoring. API’s play an important part in the customization of services to companies through cloud computing. Various plugins by third party developers are created and used without giving a second thought on possible code injections. Through API access many credentials are given out that provide an immediate security risk. Managing this risk could be done through a layered API approach.
A popular approach by hackers is to try to bring down a web service via denial of service (DoS) attacks. This has become easier with the free software such as backtrack 5 which is free to download and use to launch a DoS attack on any site.
In the age of cloud computing, organizations are dependant on access to applications and services 24/7. If your service is based on compute cycles or disk space consumed then this can become a drastic security & cost problem. Preventing this requires limiting access to certain IP ranges that your business has, or your cloud provider using cloud hosting themselves to host the applications that your run. They can then ban access from certain bad ip ranges, and continue service uninterrupted.
Another security risk to your cloud computing setup can come from previous employees, or contractors. A malicious insider can sometime have unrestricted access to parts of your system that are the most vulnerable, without you even knowing it. Its important to source staff that help you with your cloud setup, or provide services that are the mainstream of your operations, that you vet them properly. They should have reputations and be able to supply you with previous client testimonials. There is nothing stopping them from accessing your data after their contract has finished, so be sure to review your security policy on a regular basis, and keep changing passwords for critical systems and remote access.
As cloud computing becomes more popular, so does the solutions and methods of prevention require to evolve. If there is one thing you can be assured of as an IT administrator, is that your job won’t be getting hacked any time soon.