Web Technology - Cloud Based Security and Attack Vectors
A major technological development that many major organizations are currently embracing is cloud computing. Indeed, cloud computing has become a highly sought-after technology because of the benefits that it offers. Such advantages include cost-effectiveness, flexibility and a convenient payment system. Because of these benefits, companies can turn their attention to their priorities instead of spending time dealing with technological problems. However, it has been increasingly observed that cloud computing comes with certain risks and attack vectors. These include Denial of Service, malware injection, side channel attacks and man-in-the-middle attacks, among others. Because many organizations using the cloud transmit sensitive business data, there is a need to mitigate these risks.
Cloud Based Security and Attack Vectors
Cloud computing is an advanced technological development, and many businesses are faced with the decision of migrating their data to a professional cloud firm for management. It enables firms to harness information technology (IT) resources and applications in the form of virtual services accessible through the web, thereby eliminating the need to invest in physical resources. There are many benefits associated with cloud computing, including reductions in capital investments, flexibility of resources, less costly services and efficiency. However, regardless of these appealing benefits, cloud computing has been associated with a number of risks related to the migration of previously "internal IT resources and sensitive business data to a third-party cloud vendor." Indeed, it has been increasingly observed that cloud computing has the potential to expose firms to several risks that have not been adequately investigated. As cloud based services become more widely utilized, there is also a distinct possibility that attacks on them will rise. Moreover, attackers can utilize the power of the cloud to conduct their malicious activities.
Overview of Cloud Computing Technology
Cloud computing is no longer considered a trend but a rush to take advantage of the benefits that this technology purportedly provides. As of 2013, it was estimated that cloud computing service providers collectively generated $14 billion. Presently, numerous companies, including those operating in regulated service sectors such as financial institutions, are using cloud computing. In many of these firms, sensitive business data are entrusted to cloud computing. A singular definition of the term "cloud computing" is elusive because experts, researchers and practitioners all have their own definitions. Figure 1 in the Appendix provides a glimpse of some of these definitions.
For the purposes of this paper, cloud computing is defined as a service model used in the field of IT that "delivers a set of convenient, on-demand, and configurable computing services and resources, to clients over a network in a self-service fashion." These services do not depend on device or location, and cloud computing applications and services are accessible through a broad range of devices, from personal computers to mobile devices and laptops. Cloud computing uses a basic "pay as you go" framework, so that organizations pay only for the services that they consume. By using cloud computing, organizations no longer have to invest in the establishment of their own data centers because they can migrate their data to a remote site (the provider's site).
There are three types of cloud computing models. The first is called "Software as a Service (SaaS)," through which users run software applications, including email systems and other enterprise systems, over the Internet, enabled by vendors using controlled infrastructure. The second is the "Platform as a Service (PaaS) model," through which users may avail of computing platform services for the purpose of supporting construction of web applications and services but solely over the Internet. Examples of these are Google Apps and 3Tera Applogic. The third model is called the "Infrastructure as a Service (IaaS)," through which hardware and IT infrastructure resources such as hard discs, servers and databases are offered to firms so that they may use these as virtual cloud environments.
According to the National Institute of Standards and Technology (NIST), there are four types of cloud computing deployment models. The first is the public cloud, which the public can access provided that they pay for services from providers offering such services. The second is the private cloud, which runs exclusively for an organization. It may be managed by either that organization or by a provider, and may be located remotely from the organization or on-site (NIST). The third deployment model is the community cloud, which multiple organizations may share because they have a common purpose, such as the same mission or the same security needs. Again, it may be managed by either that organization or by a provider, and may be located remotely from the organization or on-site. The fourth deployment model is the hybrid cloud, which is comprised of at least two clouds that are actually separate entities but are unified by standards or proprietary technology that permits data and application portability.
There are a number of benefits derived from cloud computing. Primarily, cloud computing enables the reduction of capital investments in IT. This is an important consideration for organizational leaders, especially since IT investments account for 50% of capitalization budgets. Notably, cloud computing permits organizations to link their costs to revenues earned, according to the demands of their relevant markets. Second, cloud computing providers offer services that are flexible enough so that firms can avoid "over-provision" or "under-provision." In other words, the use of cloud computing depends on the needs of the firms, such that they do not have to pay for services when they are not in use. Third, cloud computing infrastructures enable efficiency because they can gather resources quickly, so that specific projects that need reconfiguration can achieve this in a matter of a few days. Because of this advantage, firms are able to try out as many strategies and products as they need. Lastly, pricing of cloud computing services is reasonable because it is based on "units of resources acquired" and sometimes upfront costs for certain services are eliminated. Because of these benefits, companies using cloud computing can concentrate more on their priorities instead of dealing with glitches. In Europe and the United States, it is estimated that roughly 91% of organizations that have turned to cloud computing are motivated by benefits in terms of cost reduction. It is believed that cloud computing has global implications because the technology is highly useful for businesses that have to share data across time zones in real time, among other things.
As mentioned earlier, numerous companies have migrated to the cloud because of perceived benefits. Some of these companies are large financial institutions that operate in highly regulated environments. For example, JPMorgan, Barclays, Goldman Sachs and Credit Suisse have started to turn to cloud computing in order to reduce compliance costs. Nevertheless, the Federal Financial Institution Examination Council (FFIEC) had warned about security risks presented by the outsourcing of data to the cloud. Other regulators have also warned financial institutions such as banks against exposing sensitive information when they migrate their data to cloud computing. Even small businesses, known for being late adopters of technology, have gradually been turning to the cloud because of its cost advantages.
Security Risks Associated with Cloud Computing
A review of the literature reveals that there are four broad categories of risks associated with cloud computing. These are organizational, technical, legal and operational risks. Organizational risks pertain to potential adverse impacts that cloud computing can have on different organizational elements, such as IT governance, compliance with industrial regulations, in-house IT experts, as well as IT planning. On the other hand, operational risks are those related to the shift from internal IT resources to third party sourcing. Operational risks could impact the day to day operations of an organization as well as IT operations.
Meanwhile, technical risks are due to the complexity of cloud infrastructure as well as inherent IT flaws that already exist within an organization. These combined factors can lead to technical risks that hamper operations. Legal risks are due to the nature and characteristics of cloud computing, and are associated with data privacy, intellectual property, and contracts. In the United States, the Securities and Exchange Commission (SEC) has singled out cloud computing as potentially placing firms and other stakeholders such as customers at risk because of, for instance, cyber-breaches. The SEC had emphasized how its registrants could be victimized through cyber-attacks that could lead to substantial losses.
There are multiple attack vectors observed in cloud computing. These are denial of service (DoS) attacks; cloud malware injection attack; side channel attacks; authentication attacks and man-in-the-middle cryptographic attacks.
Denial of Service (DoS)
Denial of service (DoS) attacks are perpetrated on cloud service providers, but they can result in tenants not having access to their accounts. DoS takes place when an attacker sends heavy traffic over the cloud for the purpose of overwhelming websites such that legitimate tenants can no longer have access. When a botnet is used for DoS, this is known as a distributed denial of service (DDoS) attack. It must be emphasized that DoS targets only a single tenant rather than all of the users on the cloud. DoS may also be undertaken by altering tenant passwords such that tenants can no longer access their accounts.
Many security professionals assert that cloud is vulnerable to DoS attacks considering that many users share that single cloud. Thus, DoS is most harmful for cloud tenants. With DoS, an attacker does not even have to flood all of the cloud servers. Oftentimes, flooding a single cloud address is sufficient to lock out the tenant. Mitigation of DoS is in the hands of the provider, although tenants can enhance security through effective encryption policies. Cloud computing providers have to adopt multifactor authentication to fortify their authentication checks.
Cloud Malware Injection
Cloud computing servers could also be vulnerable to malware infection, including virtual machine-based rootkits. The injection of malware into cloud computing servers can compromise account names and passwords, allow files to be accessed and copied, and corrupt files. There is also the risk that a malware injection into a specific virtual machine could spread to the tenants' other machines. There are different motivations for cloud malware injections, including eavesdropping through subtle data changes, blockings or modifications in functionality.
Typically, a malware injection on cloud requires that the attacker first creates its own attack mode (which could be either SaaS or PaaS) or its own virtual machine (IaaS). These are then added to the cloud system. The attacker then deceives the cloud system into thinking that it is "one of the valid instances for the particular service attacked by the adversary." In the event that the attacker is successful, the cloud redirects its tenants to the malicious SaaS, PaaS or IaaS. It must be noted that for the attack to be successful, the attacker has to first wrest control of the relevant tenant's data in the cloud. Malware injection is one of the major service-to-cloud attack surface attacks observed over the cloud. One way of mitigating this is for the provider to perform "a service instance integrity check prior to using a service instance for incoming requests."
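The provider-side integrity check quoted above, sketched as an added example (not code from this paper or from any cloud provider): a router records the digest of each approved service image and verifies an instance against it before dispatching a request. The class, service and instance names are hypothetical, and the image bytes are constructed samples.

```python
import hashlib
import hmac


def image_digest(image_bytes):
    """SHA-256 of the instance image, hex encoded."""
    return hashlib.sha256(image_bytes).hexdigest()


class ServiceRouter:
    """Dispatches to an instance only after its image digest is verified."""

    def __init__(self, approved_digests):
        # service name -> set of digests recorded when the image was published
        self.approved = approved_digests
        self.instances = {}   # service name -> {instance id: image loader}
        self.rejected = []    # (service, instance id) pairs for alerting

    def add_instance(self, service, instance_id, load_image):
        self.instances.setdefault(service, {})[instance_id] = load_image

    def _is_intact(self, service, load_image):
        digest = image_digest(load_image())
        # constant-time comparison against every approved digest
        return any(hmac.compare_digest(digest, good)
                   for good in self.approved.get(service, ()))

    def route(self, service):
        """Return the id of the first intact instance, or None."""
        pool = self.instances.get(service, {})
        for instance_id in list(pool):
            if self._is_intact(service, pool[instance_id]):
                return instance_id
            # Unapproved or modified image: evict it and record the event.
            del pool[instance_id]
            self.rejected.append((service, instance_id))
        return None


def demo():
    # Constructed sample images; real ones would be VM or container images.
    good = b"billing-service image, build 1 (constructed)"
    rogue = b"billing-service image with injected module (constructed)"
    router = ServiceRouter({"billing": {image_digest(good)}})
    router.add_instance("billing", "vm-rogue", lambda: rogue)
    router.add_instance("billing", "vm-good", lambda: good)
    return router.route("billing"), router.rejected
```

Because the check runs at dispatch time rather than only at registration, an instance whose image changes after it was added is also evicted before it serves a request.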
Side Channel Attacks
A side channel attack is also known as the "cross-guest virtual machine breach." When this happens, a tenant crosses the shared virtual machine perimeters and accesses data of other tenants by means of shared physical resources. Side channel attacks can only take place if the attacker shares a virtual machine with the victim; hence, such attacks are usually random and untargeted. Nevertheless, targeted side channel attacks are also known to have happened. Sometimes, a clever attacker places a malicious virtual machine near the cloud server so that it is easier to launch a side channel attack. To note, side-channel attacks are effective security threats that target the implementations of cryptographic algorithms. Hence, it is crucial that a cryptographic system is resilient to side-channel attacks.
Authentication Attacks
Authentication has always been a weakness in both hosted and virtual environments; thus, it is a frequent target of malicious activities. There are many ways through which tenants may be authenticated, including "based on what a person knows, has, or is." Usually, attackers target the authentication methods in use as well as the methods used to secure the authentication process. Presently, among SaaS, PaaS and IaaS, it is only the latter that can provide data protection and data encryption. If data being transmitted is considered highly sensitive, then cloud computing using IaaS architecture "will be the most suitable solution for secure data communication." Moreover, enterprise data processing and management stored in the cloud should only be authorized by the firm rather than the cloud service provider. To further exacerbate the risk, many users on cloud continue to use very basic usernames and passwords that are easy to crack. Financial institutions have been using secondary authentication methods, such as site keys, virtual keyboards, and secret questions, due to the sensitive nature of the data that they store in the cloud.
Man-In-The-Middle Cryptographic Attacks
A man-in-the-middle attack happens if a malicious entity intercepts traffic between a website and a browser. This takes place when the browser is deceived into believing that the malicious entity is the legitimate website, while the website authenticates the attacker as the browser. Thus, the attacker is able to read or change data that is being transmitted, such as usernames and passwords used in accessing accounts in the cloud.
Negative SEO Attacks
These types of attacks are typically related to the websites of vendors. An attacker is usually a direct competitor who may hire a 'negative SEO' service to build massive amounts of backlinks pointed to the vendor's website in the hopes of having it penalized by the major search engines (Google, Yahoo, and Bing). As of 2016, it is still unclear how efficient such attacks may be and whether their negative effects last long-term, but it has been proven that they do trigger either algorithmic or manual penalties.
In order to neutralize the destructive effects of such inorganic backlinks, Google and Bing have designed a tool that allows webmasters to upload a 'disavow file' which contains a list of domains or URLs that are not to be counted towards the link profile of a given website. There are several useful tools that may help vendors create such a disavow file and win against the attackers.
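One way a vendor could assemble such a disavow file from an already reviewed list of unwanted backlinks, as an added example that is not taken from this paper or from any of the tools it mentions. The `domain:` prefix and `#` comment lines follow the plain-text format Google documents for its disavow tool; the function name, the threshold parameter and all sample URLs are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit


def build_disavow(unwanted_links, domain_threshold=3):
    """Return (disavow file text, skipped inputs) for unwanted backlink URLs.

    Hosts with at least `domain_threshold` distinct unwanted URLs are
    disavowed as a whole with a `domain:` line; the rest are listed per URL.
    """
    by_host = defaultdict(set)
    skipped = []
    for link in unwanted_links:
        link = link.strip()
        parts = urlsplit(link)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or not host:
            skipped.append(link)   # malformed input is reported, not written
            continue
        by_host[host].add(link)

    lines = ["# Disavow list built from a reviewed backlink report"]
    for host in sorted(by_host):
        urls = sorted(by_host[host])
        if len(urls) >= domain_threshold:
            lines.append(f"domain:{host}")
        else:
            lines.extend(urls)
    return "\n".join(lines) + "\n", skipped


def demo_disavow():
    # Constructed sample report of backlinks already judged unwanted.
    report = [
        "http://spam-links.example/a",
        "http://spam-links.example/b",
        "http://SPAM-links.example/c",
        "https://blog.example/post-9",
        "ftp://files.example/x",
        "not-a-url",
    ]
    return build_disavow(report)
```

Inputs that are not HTTP(S) URLs are returned separately so that a malformed report entry never ends up in the uploaded file.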
An interesting development in the realm of cloud computing security is the use of insurance. Indeed, insurance coverage has become available for losses that are caused by computer fraud or theft. However, it must be noted that while some of this coverage is valuable, firms should never consider it "customer-friendly." A current trend in insurance coverage is the use of clauses that purportedly base coverage on the absence of any "errors or omissions in the data-security measures employed by the policyholder." Such clauses have potential for exploitation, especially when the insurance provider argues that the policyholder had been negligent in protecting its data. Another trend has been efforts to address legal and technical complexities and deficiencies in the cloud environment.
Cloud computing has many benefits, including cost-effectiveness, flexibility and a convenient pay as you go system. However, cloud computing has been associated with many risks and attack vectors, including DoS, malware injection, man-in-the-middle attacks and side channel attacks, among others. While it is true that cloud computing service providers have to develop and adopt mechanisms to ensure the security of tenants, the latter can also implement their own policies in order to enhance the security of their data.
Alali, F. A., & Chia-Lun, Y. Cloud computing: Overview and risk analysis. Journal of Information Systems, 26(2), 13-33.
Dutta, A., Guo Chao Alex, P., & Choudhary, A. Risks in enterprise cloud computing: The perspective of IT experts. Journal of Computer Information Systems, 53(4), 39-48.
Gold, J. Protection in the cloud: Risk management and insurance for cloud computing. Journal of Internet Law, 15(12), 1-28.
Hutchings, A., Smith, R. G., & James, L. Cloud computing for small business: Criminal and security threats and prevention measures. Trends & Issues in Crime & Criminal Justice, (456), 1-8.
Kalyvas, J. R., Overly, M. R., & Karlyn, M. A. Cloud computing: A practical framework for managing cloud computing risk--Part I. Intellectual Property & Technology Law Journal, 25(3), 7-18.
Kalyvas, J. R., Overly, M. R., & Karlyn, M. A. Cloud computing: A practical framework for managing cloud computing risk--Part II. Intellectual Property & Technology Law Journal, 25(4), 19-27.
Modi, C., Patel, D., Borisaniya, B., Patel, A., & Rajarajan, M. A survey on security issues and solutions at different layers of Cloud computing. Journal of Supercomputing, 63(2), 561-592.
National Institute of Standards and Technology (NIST). Inventory of standards relevant to cloud computing.
Owens, D. Securing elasticity in the cloud. Communications of the ACM, 53(6), 46-51.
Ready SEO Tools. The Most Efficient Network Tools for Search Engine Optimization.
Search Engine Advice - Definitions of URL, URI, Domain Name Extraction, IPv4, IPv6, Hostnames, access schemes, and Subdomains. How to Fight Negative SEO Attacks.
Singh, A. & Shrivastava, M. Overview of attacks on cloud computing. International Journal of Engineering and Innovative Technology (IJEIT), 1(4), 321-323.
Thomas, Z. Banks and cloud computing: The risks assessed. International Financial Law Review, 32(9), 19.
Web Based Domain Tools an Technology. Definitions of Cloud Computing and Internet Protocol Design.