
Mitigating Cloud Security in Modern Infrastructure

Dr Desmond Alexander
Department of Information Security Intelligence - FORESEC Security Services
desmond@foresec.org
Abstract: Cloud computing has become a global trend in
businesses today. Cost-benefit analysis from a business
perspective has revealed that owning cloud services is much
more flexible, powerful and readily available. With cloud
computing in place, businesses have emerged and celebrated
the technology, whereby IT operations and ownership costs
have dramatically reduced to a mere fraction in comparison
to old-fashioned computing methods. This paper highlights
the key security risk areas and remediation strategies which
impact businesses and operations related to cloud computing.
1. Introduction

Cloud computing has become a key business requirement for
modern operations in setups such as government agencies,
multinational corporations and individuals alike. [1] Surveys
from RIGHTSCALE indicated that 55% of Enterprise Application
Portfolio are cloud compliant and ready. The fact remains
that cloud services such as Public and Hybrid cloud could
provide a more flexible and cost-effective operational means
to function with a justifiable cost. [2] Aside from the cost
factor, cloud computing also provides greater scalability in
terms of a growing number of users and business functions.
Although the usage of cloud computing may prove to be
beneficial in many ways, the security aspect of the services
has to be scrutinised in light of the drastically changing
environment. Because customers' data are centrally stored and
processed in a non-visible infrastructure, the key question
to ponder is the efficiency of security handling by
administrators and vendors at the remote end and, more
importantly, the risk and incident mitigation strategy
imposed by the hosting companies in terms of breach
detection, containment strategy and service recovery.
2. Risk Areas
[3] A Gartner survey revealed the 7 cardinal risks in cloud
computing, which focus upon common security risk profiles,
compliance and investigative methodology application.
As applications and operating systems of many sorts continue
to flood cyberspace, one can't help but wonder about the
security implications of the cloud and virtualisation
software used in major corporate organisations.
Table 1: Risk and Compliance Map

Risk                           Compliance
Privileged Access              ISO 27001
Regulatory Compliance          SSAE 16
Data Location                  SSAE 16
Segregation of Data            ISO 27001
Operational Recovery           ISO 27001
Investigative Support          ISO 27001
Viability and Sustainability   ISO 27001

3. Cloud Computing Risk Factors


3.1 Unprivileged Access
Sensitive data processed outside the enterprise brings with
it an inherent level of risk, because outsourced services
bypass the "physical, logical and personnel controls" IT
shops exert over in-house programs. Businesses need as much
information as they can get about the people who manage the
data, and should ask providers to supply specific
information on the hiring and oversight of privileged
administrators and the controls over their access.
3.2 Regulatory compliance
Business owners are ultimately responsible for the security
and integrity of their own data, even when it is held by a
service provider. Traditional service providers are subjected
to external audits and security certifications. Cloud
computing providers who refuse to undergo this scrutiny are
"signalling that customers can only use them for the most
trivial functions."
3.3 Data location
When in the cloud, business owners generally do not have a
clue about the geographical location of the data being
hosted. It is paramount that cloud providers commit, by
contract, to processing data in a specific jurisdiction and
to conforming with privacy requirements on behalf of their
customers.
3.4 Data segregation
Data in the cloud is typically held in a shared environment
alongside data from other customers. Encryption is effective
but isn't a cure-all. The cloud provider should provide
evidence that encryption schemes were designed and tested by
experienced specialists. "Encryption accidents can make data
totally unusable, and even normal encryption can complicate
availability."
3.5 Recovery
Even without knowing the geographic location of the data,
businesses will not condone service failure at any cost.
"Any offering that does not replicate the data and
application infrastructure across multiple sites is
vulnerable to a total failure." The restoration procedure and
MTR (mean time to recovery) have to be agreed upon at SLA
sign-off.
3.6 Investigative support.
Investigating inappropriate or illegal activity may be
impossible in cloud computing, Gartner warns. "Cloud services
are especially difficult to investigate, because logging and
data for multiple customers may be co-located and may also be
spread across an ever-changing set of hosts and data
centres." A contractual commitment to support specific forms
of investigation, along with evidence that the vendor has
already successfully supported such activities, would be a
long-shot expectation if it was not agreed upon before
service engagement.
3.7. Long-term viability.
Should a cloud service provider go out of business, it must
ensure that the data remains available; data retention
should be a mandatory requirement.
4.0 Conclusion
Cloud computing represents a new computing paradigm, where
computing resources are offered to users as services. It
comes with several benefits for both cloud providers and
consumers. However, understanding the associated risks is
imperative before deciding to make the shift towards cloud
computing. Several risks need to be accounted for and
addressed. This paper started with the definition of risk and
provided a brief description of risk management and risk
assessment. We then addressed the risk factors related to
cloud computing and gave a description of each. The article
is expected to help cloud providers, organisations and
individual users to understand and identify the various
security-related risks when using the cloud computing
environment.

1. http://www.rightscale.com/blog/cloud-industryinsights/cloud-computing-trends-2015-statecloud-survey
2. http://www.logicworks.net/blog/2014/10/scalability-cloud-computing-old-problemsnew-solutions/
3.
