Public Cloud computing security issues
In the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, companies are increasingly realising that simply by tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at lower cost.
But as more and more data is placed in the cloud, concerns are beginning to grow about just how safe public cloud environments are.
Every breached security system was once thought infallible
The front end of the public cloud is SaaS applications. Software as a service applications from vendors including Google, Amazon, salesforce.com and many lower profile providers have all suffered from security concerns or system availability issues.
While cloud service providers face similar security issues as other sorts of organisations, analysts warn that the cloud is becoming particularly attractive to cyber crooks:
“The richer the pot of data, the more cloud service providers need to do to protect it,” says an IDC research analyst.
Best practice for companies using cloud computing
- Ask where the data will reside and how it is protected
- Inquire about adherence to data protection laws in the relevant jurisdictions
- Only deal with service providers that have recognised security certifications
- Ask prospective suppliers about their physical security and staff vetting controls
- Find out which third parties the supplier deals with and whether they can access your data
- Inquire about exception monitoring systems and processes
- Does the supplier provide a 24×7 ITIL based support and service desk
- Ask about service level availability guarantees and penalties
- Find out whether the cloud provider will accommodate your own security policies
- Seek an independent security audit of the host
The Public Cloud – Side Channel attacks
As Public Cloud is built on shared infrastructures, services may introduce new security problems that have yet to be fully explored. In experiments security experts showed that they could pull off some very basic versions of what are known as side-channel attacks. A side-channel attacker looks at indirect information related to the computer — the electromagnetic emanations from screens or keyboards, i.e. to determine what is going on in the machine.
The researchers were able to pinpoint the physical server used by programs running on the public cloud and then extract small amounts of data from these programs, by placing their own software there and launching a side-channel attack. Other examples of side-channel attacks are:
- Determine the actual physical machine your virtual server is sitting on
- Placing malicious code on the same physical machine as you are hosted on
- Directly attack your virtual machine from another virtual machine on the same physical server
- Viewing what your machine is doing and the data it is processing
- Denial of Service attacks
For more information on the Security in the Cloud request a copy of our Cloud Computing Security Issues white paper when completing the form below.
