Professional Documents
Culture Documents
ABSTRACT
“Cloud computing is an evolving paradigm with tremendous momentum, but its unique
aspects exacerbate security and privacy challenges, (Takabi, et. al. 2010).” This statement really
defines the overall current state of cloud computing and the biggest concerns of its users and
providers. Cloud computing is quickly becoming the next tech phrase that is inundating
mainstream computing advertising. It is being touted as the economic and technological savior
for organizations large and small; economically savvy or simply inexperienced. The business of
cloud computing is still considered in its infancy according to server providers like Dell
Computer yet there are hundreds of billions of dollars now being invested in the supply side of
the equation. This paper will attempt to discuss vulnerabilities as well as policies for effective
In order to discuss the vulnerabilities and policies to mitigate risks associated with cloud
computing, it is important to understand the basic framework associated with the environment.
Cloud computing comes in three varieties; private, public and hybrid clouds. The public cloud is
typically a data center environment run by a third party organization providing varying computer
services for a variety of customers. Private clouds are typically a shared computer environment
created within an organization but in some cases are simply private servers and network
connections allocated to an organization by a third party. The last type of cloud, the hybrid, is
typically a combination of private and public computing and can actually be the most complex to
secure and the most risk associated with. There are several cornerstone technologies associated
with the cloud. Virtualization technologies are the most pronounced signature of the cloud
environment; the operating system and the network environments are typical virtual
1
Cloud Computing Vulnerabilities and Policies
environments which afford efficiency and promote greater availability for cloud vendors and
customers. The virtual environments also create natural disaster recovery environments with use
Another element of cloud computing that needs to be understood when determining the
vulnerabilities are the architectural services offered by the environment. There are three
prominent services which will be included in the discussion on vulnerability and policy. These
services are: Software as a Service (SaaS); Platform as a Service (PaaS); and Infrastructure as a
Service (IaaS). To save time, this paper assumes the reader is basically educated in these terms
and technologies so we will not explore detailed definitions of these service types.
Beyond the architecture there are essential characteristics of the cloud which are well
defined by the US National Institute of Standards and Technology (NIST). Again, this
information is offered to provide the reader an understanding that standards exist which define
the cloud itself which are the areas being examined. NIST classifies these characteristics as: On-
demand self service; Ubiquitous network access; Resource pooling; Rapid elasticity; and
Measured service. The reader can reference, Understanding Cloud Computing Vulnerabilities
VULERABILITIES
Based on the overview of the cloud environment presented, we can now turn our
2
Cloud Computing Vulnerabilities and Policies
or impossible to implement, or
2011).
We will now explore the vulnerabilities themselves; there are many types of cyber
security attacks which clouds are exposed to on a regular basis. According to Christoph Schuba
of Sun Microsystems, some of the more common vulnerabilities which cloud computing is
subject to include:
Network
o IP Spoofing
o Port Scanning
o Packet Sniffing
Storage Security
o Encrypted storage
3
Cloud Computing Vulnerabilities and Policies
Diving deeper into the indicators discussed earlier, let’s shed some more light on types of
relative vulnerabilities. Beginning with the core technology itself there are areas that are known
to be vulnerable to attacks. Web services and applications, encryption (if weak), and the
virtualization itself are all intrinsic to being vulnerable. Three examples of these vulnerabilities
are virtual machine escape, sessions riding and hijacking, and insecure or obsolete cryptology,
(Grobauer, et. al., 2011). Virtualization is probably the most common signature within a cloud
environment. The nature of the virtualized platform lends itself to self contained systems which
can be copied and removed from the cloud premise, whereas the classic non-virtualized server
configuration lives in a stack environment where the operating system software, application,
network, etc configuration created a much more challenging environment to copy and remove.
As a result we must consider the virtual aspect of the design to be intrinsically susceptible and in
protocol which is characteristic of HTTP. Because web applications require a notion of session
insecure as methods of breaking them are discovered. Cryptology flaws are often commonplace
exposing weaknesses in the algorithms themselves which can make strong encryption weak or
even useless. As the business and use of cloud computing increases the need for stronger
We will now address a few vulnerabilities related to the essential characteristics of cloud
4
Cloud Computing Vulnerabilities and Policies
There are other vulnerabilities we have not touched on but for sake of time let’s
finish with identity management (IDM) before moving on to discuss policy. “Cloud
computing environments are multi domain environments in which each domain can use
different security, privacy, and trust requirements and potentially employ various
mechanisms, interfaces, and semantics, (Takabi, et. al., 2010).” When it comes to IDM
there are many concerns in the cloud; interoperability drawbacks that can result in
inherited limitation and poses significant risks, (Takabi, et. al., 2010).” Takabi brings to
light how multi-tenant cloud environments can protect the privacy of identity information
is still not well understood. This poses a significant risk in preventing systems that may
be interconnected to the user interface system and how those interconnected systems may
POLICIES
security, (Bhasker, et. al. via Vaaca, 2009).” Of course there are many vulnerabilities not
yet discussed that cloud computing environments are subjected to but those discussed
provide enough incite to discuss how policy provisions can be used to mitigate associated
5
Cloud Computing Vulnerabilities and Policies
risks. When it comes to cloud computing and in general IT, policies need to address the
following functional levels: access control standards, accountability, audit trails, backups,
should provide general guidance for process, technical and ethical aspects of the cloud IT
environment. Policy should exist for both cloud users and providers with varying aspects
depending on the use type and level of service. One of the vulnerabilities discussed above
internal risks associated with physical access. “ A robust physical-security policy will
have many facets for surveillance, personnel, continuity of operations, and architectural
resilience, (Spring, 2011).” This policy area involves the facility level and is important in
determining how and insuring that things like physical access is controlled, monitored
and process oriented to deal with issues that may occur in the event of a breach. Typical
mitigation measures include: controlled entry systems, perhaps biometric controls and
access; closed-circuit cameras and patrolling security guards. Policy for facility layer can
also go as far as delegating machine access for technicians like database and systems
analysts. Facility related policy should include conduct guidelines and non-disclosure
protocol for intellectual property. Procedures for operations personnel including back
ground checks and routine screening are all critical policy elements which need to be
standards. There should be a plan to help integrate or provide a liaison to help assist with
6
Cloud Computing Vulnerabilities and Policies
cooperative use with customer’s COOP. There may need to be security measures to
protect the data center from physical attack, depending on the value of the data housed.
There should also be legal measures defined to handle compromises and loss of service.
The next layer we will discuss is the network; “An essential characteristic of
cloud computing is that the provider provides and controls the network access between
the customer data and the users across the internet, (Spring, 2011).” This is typically
assumed by the customer to be the most secured aspect of the service they are purchasing
and easily can be the most vulnerable. In this layer, policy should delegate the use of
systems (IPSs) and network boarder proxies. Policies around the network layer should
include guidelines on IP domain name and address controls. Procedures such as address
masking, private connections and network protocols, security certificates and data
encryption can be discussed here. Additional policies which can help to deal with risks
on the network include logging and access analysis as well as data flow trending; which
can help determine when traffic flows may be higher than normal.
We now move on to the hardware layer where policy can delegate security
standards and controls. Proper configuration management is essential for the operation,
maintenance, and in some cases the security of servers and other hardware which may be
used in the cloud computing system. It’s important that policy dictate the assurance of
hardware integrity and control. Uses of proper access devices such as card and biometric
readers are just a few items that can be mandated to assure hardware security.
7
Cloud Computing Vulnerabilities and Policies
The operating system (OS) environment is one of the most important areas to
have secured for it generally provides the mechanisms that control software access to
testing, and security update patching are typical OS mitigation methods directed by
policy. Processes such as software security assurance (SSA) used mostly in application
development should be required when considering an OS or even vice versa. There are
additional policy items which will support a secure OS layer in the cloud. For sake of
time and breadth of this paper we will not address them all.
The final layers of the cloud environment which should have policy guidance are
There are several security standards we will review that can be delegated in cloud
Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry (PCI)
if the data and applications housed in the cloud contain or process electronic health
information. These and other compliance guidelines do and can serve as a framework for
system design and operations security for organizations even if they aren’t required by
law or contract to comply with them. The details of the guidelines are not important for
this discussion and can easily be found in many references including the internet.
8
Cloud Computing Vulnerabilities and Policies
CONCLUSION
and needs to quickly remain in balance in terms of providing economic, efficient and secured
services for internal and external customers. There is a tremendous amount of risk associated
with moving to the public and hybrid cloud environments that has not really totally existed in the
private cloud or traditional internal hosted systems. The vulnerabilities are however, similar to
the classic IT models. One major differentiator from legacy IT is that cloud computing
predominantly utilizes virtualized environments which create some unique vulnerabilities. These
and other more common technologies require protection mechanisms to avoid risk of exposure
and destructive forces. Protection is granted through various forms of intervention to threats
such as processes, mechanisms, and awareness. In order for proper intervention to effectively
exist within an organization it must be recognized and actively supported by the head of the
organization. This can be done in many ways, however only by delegating it in the form of
corporate security policy will it be taken seriously and uniformly. Policy needs to be organized
to support the characteristics of the entire IT environment in an organization. The best way to
ensure coverage is to segment it based on classic IT management while providing the flexibility
9
Cloud Computing Vulnerabilities and Policies
References
Bidgoli, H. (Ed.). (2006). Handbook of information security: Volume 2. Hoboken, NJ: John
Basescu, C., Leordeanu, C., & Costan, A. (2011). Managing data access on clouds: a generic
framework for enforcing security policies. IEEE Computer Society, X(11), 462-463.
doi:10.1109/AINA 2011.61
1
Grobauer, B., Wallowschek, T., & Stocker, E. (2011). Understanding cloud computing
http://blogs.oracle.com/schuba/resource/talks/20090324-cloud-security.pdf
Spring, J. (2011, March/April). Monitoring cloud computing by Layer, Part 1. Security and
Takabi, H., & Gail-Joon, A. (2010, November/December). Security and privacy challenges in
cloud computing environments. Security & Privacy, IEEE, 8(6), 24-31. doi
10.1109/MSP.2010.186
Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan
Kaufmann.
10