Cloud Computing Security Issues And Mitigation Techniques For SMEs

Security issues

Cloud computing security is a quickly progressing service that provides various functions, including safeguarding critical data from deletion, leakage and theft.


The focus of the report is on SMEs that need to protect the development of their software technologies and keep their data in-house. The report investigates the current methodologies and principles relating to a private cloud provider organization.

A short overview of the current issues for cloud-based services is given below, ordered by priority.

The issues, their priorities and discussion

1. Data breaches (priority: High)

Data breaches in all forms have existed for years. The rising concern is that sensitive information is now stored online rather than on-premise, and that the cloud is inherently less safe. Businesses using the cloud have been three times more likely to suffer a data breach than those that have not. The cloud comes with a unique set of properties that make it more vulnerable (Choo 2014).

2. Hijacking of accounts (priority: High)

The advent and implementation of the cloud have opened a whole new set of challenges in account hijacking. Attackers are able to use other people's computers to access sensitive information stored remotely in the cloud.

3. Insider threat (priority: Medium)

An attacker from inside the organization may seem unlikely; however, the insider threat does exist. Employees have been able to gain unauthorized access to cloud-based services to misuse or access data such as financial forms, customer accounts and other sensitive data (Albakri et al. 2014).

4. Malware injection (priority: Short)

These are codes or scripts embedded within cloud services that run as SaaS on the cloud services.

5. Abuse of cloud services (priority: Short)

The spread of cloud-based services has made it possible for both enterprise-level and small organizations to host huge amounts of data with ease.

6. Insecure APIs (priority: Short)

APIs can be a threat to cloud security by their very nature. They give organizations the capability to customize features within cloud services to fit business necessities.

7. Denial of service attacks (priority: Short)

These assaults make servers and websites unavailable to legitimate users.

8. Shared vulnerabilities (priority: Short)

Cloud security is the shared responsibility of the client and the provider. The partnership between providers and clients requires the client to undertake preventive measures to protect its data.

9. Data loss (priority: Short)

Data on cloud services could be lost through malicious attacks, data wiped by the service provider and natural disasters (Goettelmann et al. 2014). Losing important data could be devastating to a business that does not possess any recovery plan.

Cloud computing is becoming the solution for issues that have plagued various organizations and taxed their IT departments. Managing and maintaining in-house IT is a heavy burden for every small and large organization. Small and medium-sized businesses have smaller budgets and fewer resources. Large organizations, on the other hand, have huge quantities of data to control, high volumes of traffic, various devices operating over the network and various internal and external applications to operate.

The risks and the process of mitigation

Data breaches

These can be mitigated by prioritizing data protection, which increases effectiveness by identifying and securing the most important resources first.

Hijacking of accounts

This can be fought with scanning software that proactively defends against and recognizes phishing attacks. The current single-factor customer authentication based on passwords can also be upgraded to two-factor authentication.

Insider threat

This can be defended against by detecting anomalous behaviour, recognizing suspicious activities that fall outside the normal pattern of employees (Ali, Khan and Vasilakos 2015). Hybrid analytics is also helpful here, referring to the integration of threat detection techniques with informed behavioural analytics.
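The anomaly detection described above, as an added example that is not part of the original report: a per-user baseline is learned from a constructed access log, and later events are flagged when they fall outside the user's usual hours, resources or action types. The log format and the one-hour tolerance are assumptions.

```python
"""Baseline-and-deviation check for insider access, added here as an illustration.

Constructed sample log format (an assumption for this example):
    <ISO-8601 timestamp> <user> <action> <resource>
"""
from collections import defaultdict
from datetime import datetime

# Constructed training window: ordinary activity for two users.
TRAINING_LOG = """\
2024-03-04T09:12:00 alice read customer_accounts.csv
2024-03-04T10:40:00 alice read invoices_q1.xlsx
2024-03-05T09:30:00 alice read customer_accounts.csv
2024-03-05T14:05:00 alice read invoices_q1.xlsx
2024-03-04T08:55:00 bob read payroll_march.xlsx
2024-03-05T09:10:00 bob read payroll_march.xlsx
"""

# Constructed events to score: one ordinary read, one at 02:13, and a bulk
# download by a user who never touched those resources during training.
NEW_EVENTS = """\
2024-03-11T09:20:00 alice read customer_accounts.csv
2024-03-11T02:13:00 alice download customer_accounts.csv
2024-03-11T11:00:00 bob download customer_accounts.csv
2024-03-11T11:01:00 bob download financial_forms.pdf
"""


def parse(log):
    """Yield (timestamp, user, action, resource) from the constructed log format."""
    for line in log.splitlines():
        ts, user, action, resource = line.split()
        yield datetime.fromisoformat(ts), user, action, resource


def build_baseline(log):
    """Per user: the hours of day, resources and action types seen in training."""
    base = defaultdict(lambda: {"hours": set(), "resources": set(), "actions": set()})
    for ts, user, action, resource in parse(log):
        base[user]["hours"].add(ts.hour)
        base[user]["resources"].add(resource)
        base[user]["actions"].add(action)
    return base


def score_events(baseline, log):
    """Return (user, resource, reasons) for every event that deviates from baseline."""
    findings = []
    for ts, user, action, resource in parse(log):
        profile = baseline.get(user)
        reasons = []
        if profile is None:
            reasons.append("unknown user")
        else:
            # Tolerate one hour either side of any hour seen in training.
            if not any(abs(ts.hour - h) <= 1 for h in profile["hours"]):
                reasons.append("outside usual hours")
            if resource not in profile["resources"]:
                reasons.append("resource never accessed before")
            if action not in profile["actions"]:
                reasons.append("new action type")
        if reasons:
            findings.append((user, resource, reasons))
    return findings
```

Running `score_events(build_baseline(TRAINING_LOG), NEW_EVENTS)` flags the 02:13 download and both of bob's downloads, while the ordinary morning read passes.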

Malware injection

A Web Application Firewall (WAF) can be deployed at the network boundary. It must include reputational and behavioural analysis to block malware injection attacks against web applications and sites (Latif et al. 2014). Backdoor protection is also useful for intercepting communication attempts with backdoor shells on the web server: by tracing requests, the service points out even the most dangerously obfuscated malware.

Abuse of cloud services

Single sign-on (SSO) should be used in the organization (Latif et al. 2014). An organization typically uses various applications and cloud services, with individual users holding various sets of credentials, all of which could be exposed. SSO means there are fewer accounts to manage as users enter and leave the organization.

Legal service providers must consult computer experts before using cloud services. They must understand the actual security threats they face, recognize the best available security measures and the generally accepted security standards, analyse the various levels of security sensitivity of their communications and data, and develop proper plans for managing the various kinds of communications and data appropriately. Organizations should also determine which materials must be retained in paper or hard-copy form.

Proper relationships with cloud service providers must be established. Substantial care must be applied in selecting cloud service providers; only reliable and reputable providers should be used. Fully enforceable written agreements must define every term of the service. Legal service providers must fully understand every aspect of the terms of service (Pearson 2013), in particular the provisions applicable to data security procedures, security breaches and enhancements, including the backing up of systems and the processes to follow in the event of security breaches and other service failures. The terms of service must also give the greatest possible control over the data involved, including control and ownership of the data when the service arrangement ends; this must rest with the legal service provider, not the cloud service provider. Enforceable and adequate non-disclosure provisions regarding proprietary and confidential material must be included in the terms of service (Goettelmann, Mayer and Godart 2014).

The security risks and mitigation techniques: cloud security principles

Data in transit protection

Description: Consumer data transiting networks must be sufficiently protected against eavesdropping and tampering through a combination of encryption and network protection.

Application: If this principle is not implemented, the confidentiality or integrity of the data might be compromised while in transit.

Asset protection and resilience

Description: Consumer data, and the resources storing or processing it, must be protected against physical damage, loss, tampering or seizure.

Application: If this principle is implemented, consumer data is not exposed to compromise through inadequate physical protection (Ahmed and Hossain 2014).

Separation between consumers

Description: Separation must exist between different consumers so that a malicious or compromised consumer cannot affect the service or data of another.

Application: When this principle is applied, the service provider is able to prevent one consumer of the service from impacting the confidentiality or integrity of another consumer's service or data.

Governance framework

Description: The service provider must have a security governance framework that coordinates and directs its overall approach to the management of the service and the information within it. Staff should also be well trained in governance.

Application: If this is not implemented, the personnel, physical, procedural and technical controls in place will not remain effective when responding to changes in the service and to developments in threats and technology.

Operational security

Description: The provider must have a framework that coordinates and directs the overall approach to controlling the service and the information held in it.

Application: If this principle is not implemented, the service cannot be managed and operated securely so as to impede, detect or prevent attacks against it (Duncan and Whittington 2016).

Personnel security

Description: Service provider staff must be subject to personnel security screening and be aware of their security responsibilities. Anti-virus software can also be implemented effectively.

Application: When this principle is implemented, the likelihood of malicious or accidental activity by service provider staff is decreased.

Secure development

Description: Services must be designed and developed to recognize and mitigate threats to their security.

Application: Without this principle, services could be vulnerable to security issues that compromise consumer data, cause loss of service or enable other malicious activity.

Organizations can pursue risk management within various frameworks. The frameworks differ in detail but share a few underlying principles. Risk mitigation is typically included within the wider risk management process; the steps below are drawn from that process and can each be considered an individual step in mitigation.

The actionable risk mitigation steps are:

First, analyse the kinds of services and data handled, then consider the threats against those services and data. IT leaders meet various questions when analysing these threats for each service and data set. The steps include implementing fundamental management and operational security controls for the data and services (Luna et al. 2015). These controls include the related security policies and procedures, basic audit controls, service-level agreements (SLAs) and other forms of governance.

Analysing application security is a critical step in the risk mitigation process. It is also important to find out what features an application offers for mitigating risk, and IT managers must consider how robust those features are. For instance, if the application encrypts data at rest to protect confidentiality, the encryption algorithm and the key length used need to be determined, along with how strong that algorithm and key combination is.

Data governance involves managing data across the enterprise: performing backups, archiving old data and handling e-discovery requests. Research indicates that about half of enterprises have no data governance policy (Modi et al. 2013), which increases the chance that data is placed in the wrong place and makes it more susceptible to compromise.

Once a data-centric governance plan is implemented, IT staff should test it periodically. This includes actions such as verifying the integrity of backups, ensuring that archived data is stored securely and ensuring that unnecessary data has been destroyed effectively.
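One way to carry out the periodic test described above, as an added example that is not part of the original report: a SHA-256 manifest is taken when the backup is made, and a later check reports corrupted or missing files, archives held past the retention period and files the plan never covered. The manifest layout, the 365-day retention period and the sample files are assumptions.

```python
"""Periodic test of a data-centric governance plan, added here as an illustration.

Two checks from the text: backups still match the SHA-256 manifest recorded when
they were taken, and archived data past its retention period has been destroyed.
The manifest layout and the retention period are assumptions for this example;
the files are constructed in a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from datetime import date
from pathlib import Path

RETENTION_DAYS = 365  # assumed policy: archives older than this must be destroyed


def sha256_of(path):
    """Stream the file so large backups are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, archived_on):
    """Record digest and archive date for every file when the backup is taken."""
    return {p.name: {"sha256": sha256_of(p), "archived_on": archived_on[p.name]}
            for p in sorted(Path(backup_dir).iterdir())}


def verify_backup(backup_dir, manifest, today):
    """Return files that are corrupted, missing, past retention, or unexpected."""
    problems = {"corrupted": [], "missing": [], "overdue": [], "unexpected": []}
    present = {p.name for p in Path(backup_dir).iterdir()}
    for name, entry in manifest.items():
        if name not in present:
            problems["missing"].append(name)
            continue
        if sha256_of(Path(backup_dir) / name) != entry["sha256"]:
            problems["corrupted"].append(name)
        age = (today - date.fromisoformat(entry["archived_on"])).days
        if age > RETENTION_DAYS:
            problems["overdue"].append(name)
    # Files not in the manifest were never covered by the plan.
    problems["unexpected"] = sorted(present - set(manifest))
    return problems


def demo():
    """Constructed scenario: one file altered after backup, one archive over retention."""
    with tempfile.TemporaryDirectory() as d:
        files = {"customer_accounts.csv": b"id,name\n1,Example Co\n",
                 "invoices_2022.xlsx": b"old archive\n",
                 "payroll_2024.xlsx": b"current\n"}
        dates = {"customer_accounts.csv": "2024-03-01",
                 "invoices_2022.xlsx": "2022-12-31",
                 "payroll_2024.xlsx": "2024-03-01"}
        for name, body in files.items():
            (Path(d) / name).write_bytes(body)
        manifest = write_manifest(d, dates)
        # Simulate bit-rot or tampering that happened after the manifest was taken.
        (Path(d) / "customer_accounts.csv").write_bytes(b"id,name\n1,Tampered\n")
        return verify_backup(d, manifest, date(2024, 3, 15))
```

`demo()` reports the altered customer file as corrupted and the 2022 archive as overdue for destruction; a clean backup returns empty lists throughout.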

Policies, the risks they mitigate and the ISO standards to be used

1. Policy: It should be easy to understand

Risk to be mitigated: Abuse of cloud services.

Discussion: Security policies should meet the prerequisites of the intended clients. Procedures, standards and policies should be pinned down by subject matter experts. For instance, a security policy stating that patching uptime is critical to sustaining the confidentiality, availability and integrity of IT systems is easier to understand than just stating.

ISO standard to be used: ISO/IEC 27000

Type of the standard: Normative references

Reason to use the standard: All definitions and specialist terms are defined in ISO/IEC 27000, which applies across the entire ISO 27000 series of standards.

2. Policy: It should be applicable

Risk to be mitigated: Malware injection.

Discussion: When drafting a policy, the writers must look at the security policies of others, including the Internet acceptable use policy (Lenkala, Shetty and Xiong 2013). Moreover, it is crucial to ensure that what is written meets the particular security needs of the organization.

ISO standard to be used: ISO/IEC 27002

Type of the standard: 35 control objectives

Reason to use the standard: This standard particularizes some thirty-five control objectives concerned with the need to secure the confidentiality, integrity and availability of information.

3. Policy: It must be enforceable

Risk to be mitigated: Hijacking of accounts.

Discussion: A self-defeating policy must not be written. A policy may state that the company's e-mail system is to be used only for business purposes; for most organizations this rule is just a policy, since most e-mail clients on the network are used for personal messages daily.

ISO standard to be used: ISO/IEC 27000

Type of the standard: Terms and definitions

Reason to use the standard: Same as for the first policy.

4. Policy: It must be phased in

Risk to be mitigated: Insider threats.

Discussion: Organizations must be allowed to read and digest policies before they become effective. Most organizations publish their security policies and then require every business unit to submit a compliance plan within a specified number of days after publication. This gives business unit managers time to review the policy, find out where the unit is deficient and submit a timetable for compliance (Ab Rahman and Choo 2015), and allows time to purchase and deploy the technologies and then train the users.

ISO standard to be used: ISO/IEC 27001 (section 5.2)

Type of the standard: Management direction for information security

Reason to use the standard: Management must define a set of policies to clarify direction and support for information security. At the top level the policy is specified in section 5.2 of the standard.

5. Policy: It must be proactive

Risk to be mitigated: Data breaches.

Discussion: Employees must be told what can be done and what is expected of them. A policy could state that a computer system is designated for access only by authorized financial system users, and that unauthorized access attempts will be investigated and appropriate action taken, up to and including prosecution.

ISO standard to be used: ISO/IEC 27001 (section 7.2)

Type of the standard: During employment

Reason to use the standard: Managers must ensure that contractors and employees are aware of and motivated to comply with their information security obligations.

Security is not solely a technical problem. It also depends on humans using the system and behaving in a particular manner within the system's environment. Typical human roles within an organization fall into four categories: customer or interested party, management, team and individual. The human factors within these categories are the unmanageable forces that interact with the technological elements of the interconnected world in securing information systems (Chang and Ramachandran 2016). An Information Security Management System (ISMS) is the set of policies concerned with IT-related risks. The governing principle behind it is that organizations must design, implement and maintain a coherent set of policies, processes and systems to manage the risks to their information resources, ensuring acceptable levels of risk to the information system.

Conforming to the external influences, the reasoning, and the application

Conclusion:

The cloud is becoming a reality for various organizations as they migrate the least critical parts of their services and infrastructure. Regarding security issues, the report has identified data breaches, hijacking of accounts, insider threats and so on. For the cloud security principles, the report has discussed the governance framework, personnel security, secure development and so on. Among the other steps, the review of application security and testing and retesting have been assessed. Lastly, the generic top-level security policy document must be easily understandable and applicable.

References:

Ab Rahman, N.H. and Choo, K.K.R., 2015. A survey of information security incident handling in the cloud. Computers & Security, 49, pp.45-69.

Ahmed, M. and Hossain, M.A., 2014. Cloud computing and security issues in the cloud. International Journal of Network Security & Its Applications, 6(1), p.25.

Albakri, S.H., Shanmugam, B., Samy, G.N., Idris, N.B. and Ahmed, A., 2014. Security risk assessment framework for cloud computing environments. Security and Communication Networks, 7(11), pp.2114-2124.

Ali, M., Khan, S.U. and Vasilakos, A.V., 2015. Security in cloud computing: Opportunities and challenges. Information Sciences, 305, pp.357-383.

Brender, N. and Markov, I., 2013. Risk perception and risk management in cloud computing: Results from a case study of Swiss companies. International Journal of Information Management, 33(5), pp.726-733.

Chang, V. and Ramachandran, M., 2016. Towards achieving data security with the cloud computing adoption framework. IEEE Transactions on Services Computing, 9(1), pp.138-151.

Choo, K.K.R., 2014. A cloud security risk-management strategy. IEEE Cloud Computing, 1(2), pp.52-56.

Duncan, R.A.K. and Whittington, M., 2016. Enhancing cloud security and privacy: the power and the weakness of the audit trail. Cloud Computing 2016.

Goettelmann, E., Dahman, K., Gateau, B., Dubois, E. and Godart, C., 2014, June. A security risk assessment model for business process deployment in the cloud. In Services Computing (SCC), 2014 IEEE International Conference on (pp. 307-314). IEEE.

Goettelmann, E., Mayer, N. and Godart, C., 2014, July. Integrating security risk management into business process management for the cloud. In Business Informatics (CBI), 2014 IEEE 16th Conference on (Vol. 1, pp. 86-93). IEEE.

Haimes, Y.Y., Horowitz, B.M., Guo, Z., Andrijcic, E. and Bogdanor, J., 2015. Assessing systemic risk to cloud-computing technology as complex interconnected systems of systems. Systems Engineering, 18(3), pp.284-299.

Latif, R., Abbas, H., Assar, S. and Ali, Q., 2014. Cloud computing risk assessment: a systematic literature review. In Future Information Technology (pp. 285-295). Springer, Berlin, Heidelberg.

Lenkala, S.R., Shetty, S. and Xiong, K., 2013, May. Security risk assessment of cloud carrier. In Cluster, Cloud and Grid Computing (CCGrid), 2013 13th IEEE/ACM International Symposium on (pp. 442-449). IEEE.

Luna, J., Suri, N., Iorga, M. and Karmel, A., 2015. Leveraging the potential of cloud security service-level agreements through standards. IEEE Cloud Computing, 2(3), pp.32-40.

Modi, C., Patel, D., Borisaniya, B., Patel, A. and Rajarajan, M., 2013. A survey on security issues and solutions at different layers of Cloud computing. The Journal of Supercomputing, 63(2), pp.561-592.

Nanavati, M., Colp, P., Aiello, B. and Warfield, A., 2014. Cloud security: A gathering storm. Communications of the ACM, 57(5), pp.70-79.

Pearson, S., 2013. Privacy, security and trust in cloud computing. In Privacy and Security for Cloud Computing (pp. 3-42). Springer London.

Rao, R.V. and Selvamani, K., 2015. Data security challenges and its solutions in cloud computing. Procedia Computer Science, 48, pp.204-209.

Rasheed, H., 2014. Data and infrastructure security auditing in cloud computing environments. International Journal of Information Management, 34(3), pp.364-368.

Rebollo, O., Mellado, D., Fernández-Medina, E. and Mouratidis, H., 2015. Empirical evaluation of a cloud computing information security governance framework. Information and Software Technology, 58, pp.44-57.