1 / 20

Cloud Security Challenges and Solutions for Data Protection

Learn about security issues in cloud computing highlighted by Gartner, including privileged access, regulatory compliance, data location, recovery, investigative support, and data availability. Understand vulnerabilities and solutions for data protection in the cloud.

williamsrobert
Download Presentation

Cloud Security Challenges and Solutions for Data Protection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CLOUD COMPUTING-3

  2. Security issues in Cloud Several security issues highlighted by Gartner • Privileged access • Regulatory compliance • Data location • Data segregation • Recovery • Investigative Support • Long-term viability • Data availability

  3. Privileged access • Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs. Get as much information about the people who manage our data. Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access.

  4. Regulatory compliance: • Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. • Cloud computing providers who refuse to undergo this scrutiny are signalling that customers can only use them for the most trivial functions.

  5. Data location • When we use the cloud, we probably won't know exactly where our data is hosted. In fact, we might not even know what country it will be stored in. • Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers.

  6. Data segregation • Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. • The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists

  7. Recovery • Even if we don't know where your data is, a cloud provider should tell us what will happen to our data and service in case of a disaster. • Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure.

  8. Investigative Support Investigating inappropriate or illegal activity may be impossible in cloud computing. Cloud services are specially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and datacenters.

  9. Long-term viability: • Ideally, cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But must be sure about the data will remain available even after such an event.

  10. Data Availability • Customer data is normally stored in chunk on different servers often residing in different locations or in different Clouds. In this case, data availability becomes a major legitimate issue as the availability of uninterruptible and seamless provision becomes relatively difficult.

  11. Common Security Requirements

  12. Fundamental cloud security challenges Data protection • Where do data physically reside, and does the data’s location have legal ramifications? • Are data safely protected (i.e., by encryption) while stationary or in motion within and across the cloud? How is availability of data assured in the cloud? • Does the provider take measures to ensure that deleted data is not recoverable?

  13. Compliance • Is the cloud complying with all the necessary guidance? • Can the provider substantiate claims that security controls are implemented sufficiently?

  14. Security challenges cont.......... Security governance • Who owns/accesses/deletes/ replicates data in the cloud? • How can the client ensure policy enforcement? • How can the client measure and track service/network performance? Security control • What security controls does the cloud provider need to implement, and how? • How are assurance levels effectively and efficiently managed in the cloud?

  15. Multi-tenancy • Are my assets vulnerable if another client is exploited by an attack? • How does the cloud provider keep different clients’ data separated and inaccessible from other clients? • If a forensic/electronic discovery procedure is conducted on one client’s data, how will the provider protect the confidentiality of other clients’ data?

  16. Vulnerabilities in cloud computing • Web application vulnerabilities, such as cross-site scripting and sql injection (which are symptomatic of poor field input validation, buffer overflow; as well as default configurations or mis-configured applications.) • Accessibility vulnerabilities, which are vulnerabilities inherent to the TCP/IP stack and the operating systems, such as Dos and DDos • Authentication of the respondent device or devices. IP spoofing, RIP attacks, ARP poisoning (spoofing), and DNS poisoning are all too common on the Internet.

  17. Vulnerabilities in cloud cont……. • Data Verification, tampering, loss and theft, while on a local machine, while in transit, while at rest at the unknown third-party device, or devices, and during remote back-ups. • Physical access issues, both the issue of an organization’s staff not having physical access to the machines storing and processing a data, and the issue of unknown third parties having physical access to the machines

  18. Cloud Computing Attacks • Denial of Service (DoS) attacks - Some security professionals have argued that the cloud is more vulnerable to DoS attacks, because it is shared by many users, which makes DoS attacks much more damaging. Twitter suffered a devastating DoS attack during 2009 • Side Channel attacks – An attacker could attempt to compromise the cloud by placing a malicious virtual machine in close proximity to a target cloud server and then launching a side channel attack

  19. Authentication attacks – Authentication is a weak point in hosted and virtual services and is frequently targeted. The mechanisms used to secure the authentication process and the methods used are a frequent target of attackers. • Man-in-the-middle cryptographic attacks – This attack is carried out when an attacker places himself between two users. Anytime attackers can place themselves in the communication’s path, there is the possibility that they can intercept and modify communications.

More Related