The fundamental security challenge in cloud computing is to overcome security threats in order to fully utilize these new computing standards. Though cloud computing is a powerful and effective technology, it has some security-related challenges.
Exposing your sensitive and confidential data on the cloud can put that data at risk. Though cloud services promise security in their SLA (Service Level Agreement), the security of data in the cloud is still questionable. Before putting your data on the cloud, consider the security challenges and ask yourself: can you really trust the cloud vendor with your data? In the following section, we will discuss the security challenges faced by cloud users.
Security Challenges in Cloud Computing
1. Risk of Data Seizure: Using public cloud services compels you to share the computing environment with other users. Here, you are not aware of where your resources are being run from; you have no control over them, nor any knowledge of the other users sharing the same cloud environment.
If any other user of the public cloud violates a law, the government can seize your computing assets because you have been sharing the ‘same’ computing environment. So there might be a risk of data seizure on the public cloud.
2. Vendor Lock-in: When thinking of moving your computing services to another cloud vendor, you might discover that the computing environment provided by one vendor is incompatible with the computing environments of other cloud vendors. In the hosting world, this is termed ‘Sticky Services’. In future, if you decide to move your cloud services to another vendor, you might face inconvenience.
For example, Amazon's ‘Simple Storage Service’ is likely to be incompatible with Google or Dell cloud services. This type of situation leaves you in a vendor lock-in condition.
3. Data Encryption: Data encryption ensures that there is no unauthorized access to the data and it also prevents data loss. But what about the encryption/decryption keys? Are they safe enough with the cloud vendor? Or must you, as a customer, hold them yourself?
Customers demand that data be encrypted both ways, i.e. while storing it to the cloud and while accessing it from the cloud, using SSL (Secure Sockets Layer protocol). Customers also want their data to be stored in the cloud in encrypted form.
4. Data Integrity: The most important thing for users is the data they store on the cloud. What if there is data loss, or the data that you stored on the cloud is not consistent at the time of retrieval? This means the integrity of the data is affected. It is challenging to restore the consistency of data while transferring, storing or retrieving data to and from the cloud.
To maintain data integrity over the cloud, changes to data should occur only through an authorized transaction. Though there are ways to maintain data integrity, there is no common standard for doing so.
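One way a customer can detect the inconsistency described above without trusting the vendor, shown as an added example that is not part of the original article: tag each object with an HMAC-SHA256 computed under a key that stays with the customer (the question raised in item 3), and verify the tag on retrieval. The function names, the sample objects and the dict standing in for cloud storage are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: this key is generated and kept on the customer side only;
# the cloud vendor never sees it, so it cannot forge a valid tag.
CUSTOMER_KEY = secrets.token_bytes(32)


def seal(name: str, data: bytes, version: int, key: bytes = CUSTOMER_KEY) -> dict:
    """Build the record to upload: data plus an HMAC bound to name and version."""
    tag = hmac.new(key, _message(name, version, data), hashlib.sha256).hexdigest()
    return {"name": name, "version": version, "data": data, "tag": tag}


def _message(name: str, version: int, data: bytes) -> bytes:
    # Length-prefix the name so the name/data boundary is unambiguous.
    n = name.encode()
    return len(n).to_bytes(4, "big") + n + version.to_bytes(8, "big") + data


def verify(record: dict, expected_name: str, expected_version: int,
           key: bytes = CUSTOMER_KEY) -> bool:
    """True only if the retrieved data matches what was sealed under this
    name and version. The caller tracks the expected version locally."""
    want = hmac.new(
        key, _message(expected_name, expected_version, record["data"]), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(want, record["tag"])


def demo() -> dict:
    """Run the check against a constructed in-memory 'cloud' (a plain dict)."""
    cloud = {}
    cloud["report.csv"] = seal("report.csv", b"id,amount\n1,100\n", version=2)
    cloud["old.csv"] = seal("report.csv", b"id,amount\n1,90\n", version=1)
    results = {"intact": verify(cloud["report.csv"], "report.csv", 2)}
    # Modified in storage or in transit: content no longer matches the tag.
    tampered = dict(cloud["report.csv"], data=b"id,amount\n1,999\n")
    results["tampered"] = verify(tampered, "report.csv", 2)
    # Rollback: a stale but validly tagged version served as the current one.
    results["rollback"] = verify(cloud["old.csv"], "report.csv", 2)
    return results


if __name__ == "__main__":
    print(demo())
```

Binding the object name and version into the tag is what lets the check catch a stale copy being returned, not just altered bytes.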
5. Secure SDLC: Using Software as a Service (SaaS) reduces the need for software development. If you want to use internally developed code in the cloud, you must ensure a secure software development life cycle, as an immature combination of technologies can lead to vulnerabilities in those applications.
When choosing a software development tool, ensure that it has a security model embedded in it, which will help developers while developing the application.
6. Monitoring: For mission-critical applications in the cloud, SaaS providers have to produce log data in real time for both their administrators and the customer’s personnel. Someone must be responsible for ensuring the security and compliance of these mission-critical applications. Unless the application and data are under the control of the user, this is not possible.
This is because the logs are internal to the SaaS provider and are almost inaccessible to clients or investigators. So monitoring is difficult here. The question is: will the customer rely on the cloud vendor enough to put their mission-critical applications on the cloud?
7. Frequent Upgrade: Cloud vendors frequently upgrade their services, as a consequence of which users have to keep up to date with the improvements in order to ensure that their information or data is secure. Frequent upgrades affect both the software development life cycle and security.
Even a secure software development life cycle is unable to cope with the frequent changes. So users have to upgrade, as an older version of the application may not function properly or may create an issue for the security of the data.
8. Responsibility: It is a wrong perception that data compliance is the responsibility of the cloud vendor. Data compliance ensures that data is managed and organized in a way that meets business rules and also satisfies legal and governmental regulations.
Though cloud providers offer you a wide variety of services, data compliance is still the responsibility of the user who owns the data.
9. Outsourcing Services: Though outsourcing computing services reduces your financial burden and eases your business functions, you lose control over your data, and this is not a good deal from a security perspective. It is then the responsibility of security managers to provide an acceptable service level agreement that has a contract to protect the corporate data.
10. Virtualization Risk: Virtualization lets virtual machines belonging to multiple organizations be located at the same physical location. Although there are physical segregation and hardware-based security, you cannot resist an attack between two virtual machines located on the same server.
This is because access to these virtual machines is through the internet, not through an on-premise connection. So placing sensitive data globally on the cloud also raises risks around system control and access control.
Another problem of virtualization is that it is difficult to maintain consistent security, as easy cloning and distribution of virtual machines between physical servers can propagate errors and vulnerabilities. It will be very challenging to trace the insecure virtual machine.
11. Patching: When you subscribe to cloud computing, it is your responsibility to maintain patches. A patch is a piece of code that helps you fix broken code and remove vulnerabilities from your laptop, server and other devices.
Due to a lack of cloud vendor due diligence in maintaining patches, the task becomes unmanageable and you are later left with only the ‘virtual patching’ option. In virtual patching, the patch is established at the network level rather than on the device itself.
These are the security challenges that you must know about before subscribing to a cloud service.