Irena Bojanova - Home

Addressing Cloud Security

Irena Bojanova
MAY 20, 2013 12:12 PM

painting of cowboy wrangling wild horses

It's the High-Tech Wild, Wild West out there!
Although the Cloud Computing marketplace is still chaotic, it is:

Exciting
Fast-growing
Full of opportunities

Understanding cloud security risks is related to understanding the relationships and dependencies between cloud computing models and how they are deployed. IaaS forms the foundation of the service model architecture, PaaS builds upon IaaS, and SaaS in turn builds upon PaaS; and information security issues and risks are inherited just as capabilities are.

There are significant trade-offs to each cloud computing model in terms of integrated features, complexity versus openness (extensibility), and security. The lower down the stack, the cloud service provider stops bearing responsibility, and the consumer becomes responsible for more security capabilities and management. Table 1 provides concise information in this direction.

Table 1. Cloud Service Models — Integrated features, Extensibility, and Security

Service Model	Integrated Features	Extensibility	Security
SaaS	Most integrated functionality built directly into the offering	Least consumer extensibility	Relatively high level of integrated security - provider responsible Negotiated into contracts for service (service levels, privacy, compliance)
PaaS	Customer ready futures	More extensible than SaaS	Less complete built-in capabilities Securing the platform -- provider responsible More flexibility to layer on additional security Applications developed on platform and developing them securely -- consumer responsibility
IaaS	Few if any application-like futures	Enormous extensibility	Protecting underlying infrastructure and abstraction layers -- provider responsible Less integrated security capabilities and functionality beyond that Reminder of stack -- OSs, applications, content -- managed/ secured by consumer

Note: CSA points that derivative classifications may yield when scope or capabilities and functionality within each model is narrowed, or functional coupling of services and capabilities across models is employed. For example, Storage as a Service is a specific IaaS sub-offering.

So, cloud computing may present different risks than traditional IT solutions, because of the cloud service models employed, the operational models, and the technologies used to enable cloud services. As discussed in previous posts, multi-tenancy allows seemingly limitless scalability and an alternative to expensive data-center infrastructure. However, it requires building adequate security into every aspect of a SaaS application, as well as for every IaaS virtual service. This can be achieved through:

Filtering — creation of an intermediary layer between a tenant and data source
Permissions — use of access control lists
Encryption — obscure each tenant's critical data
Or some combination of the above techniques.

A concise version of the discussed by NIST multi-tenancy risks is provided in Table 2.

Table 2. Multi-tenancy Risks and Mitigation

Deployment Model		Multi-tenancy Risks and Mitigation
General		Implications: Workloads of different consumers may reside: Concurrently on same computer system and local network, Separated only by access policies implemented by provider's software. Consumers security could be compromised by flaw in: Implementation or Provider’s management and operational policies and procedures. Multi-tenancy risks: Reliability – failure may occur Security – attack may be perpetrated by consumer
Private	On-site	Implications: General risks apply, as there could be authorized but malicious insiders Different organizational functions, such as payroll, storage of sensitive personally identifiable information, or generation of intellectual property can become accessible to not authorized users and specific classes of data disclosed. Risks mitigation: Logical segregation techniques at network layer, such as VPN Routing and Forwarding (VRF) Clients are restricted to members of organization or authorized guests or partners.
	Outsourced	Implications: On-site private cloud risks apply. Risks mitigation: FISMA and OMB policy require external cloud providers to handle federal information or operating information systems on behalf of the federal government meet same security requirements as federal agencies.
Community	On-site	Implications: On-site private cloud risks apply, but more organizations are encompassed. Risks mitigation: Restricted number of possible attackers, but more than with private on-side cloud.
	Outsourced	Implications: On-site community cloud risks apply. Risks mitigation: Restricted number of possible attackers, but more than with private cloud.
Public		Implications: Workloads of any combination of consumers may be sharing a single machine Workload may be co-resident with workloads of competitors or adversaries. Risks: Large collection of potential attackers, as public clouds aim scaling in consumers and resources to achieve low costs and elasticity. Risks mitigation: Limited kinds of data for computations in the cloud Data encryption (but then data needs to be unencrypted to be processed) Physical separation – rent entire computer systems rather than VMs (mono-tenancy), VPNs, segmented networks, or advanced access controls.

Anyone have thoughts or sources that will help readers understand cloud security? Please share here!

Irena Bojanova

Irena Bojanova, Ph.D., is Founder of IEEE CS Cloud Computing STC, an Associate editor of IEEE Transactions on Cloud Computing, and an Editorial Board Member of IEEE CS IT Professional. She is a professor and program director, Information and Technology Systems, at University of Maryland University College, managed academic programs at Johns Hopkins University and PIsoft Ltd., and co-started OBS Ltd., (now CSC Bulgaria). Her current research interests include cloud computing, web-based systems, and educational innovations. She is a member of the IEEE and can be reached at ibojanova@umuc.edu.

FIRST

LAST

Page(s):

[%= name %]

[%= createDate %]

[%= comment %]

Preview of Encyclopedia of Cloud Computing – Part 1

Wednesday, Feb 17, 2016

ARTICLE: The book covers broad range of topics aimed at helping you gain an informed and comprehensive understanding of the promises and the potential of cloud computing.

Defining Cloud Computing

Sunday, Feb 24, 2013

BLOGPOST: Cloud computing (CC) allows pay-per-use or charge-per-use access to applications, software development and deployment environments, and computing infrastructure. It provides optimized and efficient computing through enhanced collaboration, agility, scalability...

Evaluating Initial Cloud Risks

Wednesday, Apr 10, 2013

BLOGPOST: The stages of the Cloud follow the evolution of sharing on the Internet: networking, network sharing, information sharing, resources sharing, and services sharing.

Understanding Multi-Tenancy I

Wednesday, Apr 24, 2013

BLOGPOST: NIST has defined five essential cloud characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.

Understanding Multi-Tenancy II

Friday, May 3, 2013

BLOGPOST: Continuing our discussion on multi-tenancy, note that Gartner places multi-tenancy close to the peak of expectations in the Hype Cycle for Cloud Computing, shown on Figure 1.

Exploring Service Model Architecture

Friday, May 10, 2013

BLOGPOST: NIST lists three cloud service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) (please see the "As discussed in the Defining Cloud Computing" post and Figure 1).

Addressing Cloud Security

Monday, May 20, 2013

BLOGPOST: Understanding cloud security risks is related to understanding the relationships and dependencies between cloud computing models. IaaS forms the foundation of the service model architecture, PaaS builds upon IaaS, and SaaS in turn builds upon PaaS; and information security issues and risks are inherited just as capabilities are.

Cloud Interoperability and Portability

Thursday, Jun 20, 2013

BLOGPOST: Interoperability and portability are closely related to the previously discussed Cloud elasticity and multi-tenancy. Any IaaS to SaaS cloud-implemented system should have as design goals both interoperability and portability to fully gain the benefits of the Cloud elastic environment. Although interoperability and portability are not unique for cloud and the related security aspects did not emerge with cloud computing, multi-tenancy (where data and applications of different customers/companies share platforms, storage, networks) brings the need of greater precautions than those required for traditional processing models.

Cloud Interoperability and Portability II

Thursday, Jul 25, 2013

BLOGPOST: Being locked-in by a cloud provider is not what customers plan to experience. So, let’s explore a bit more on the cloud portability and interoperability topic. The Open Cloud Manifesto explains data and applications interoperability and portability

Cloud Interoperability and Federation

Thursday, Aug 8, 2013

BLOGPOST: Clouds today do not interoperate, resulting in absolute limitations in geographical coverage, resource functionality, and resource scalability. A cloud provider may not have resources where a cloud consumer needs them; a cloud provider may not offer the type of resource needed; and a cloud provider's resources cannot be infinitely elastic.

Cloud Computing in Research and Education

Tuesday, Nov 5, 2013

BLOGPOST: Cloud computing has huge potential to accelerate research, enhance collaboration, and enrich education. Educators, research administrators, IT directors, and research should realize and leverage cloud’s potential in research, teaching, and learning. They can complement their current in-house cyberinfrastructure by deploying public, private, or hybrid clouds. In fact, as a recent survey reveals, some are already benefiting by embracing the clouds.

Cloud Computing - What's Next?

Monday, Feb 3, 2014

PODCAST: Cloud computing is no longer on the horizon; it’s already here in a big way. Governments, business, industry, and individuals are increasingly using cloud computing for their information processing, and computational and developmental needs. They have begun to realize several benefits of cloud computing, including pay for the use, quick deployment of applications, variety of offerings from several cloud service providers, enhanced collaboration, agility, scalability, and availability.

CLOUD - Future of Mobility and its Impact to Cloud

Friday, Mar 28, 2014

BLOGPOST: This week, I had the honor of co-hosting the “Future of Mobility and its Impact to Cloud” breakout session at The Intersection of Cloud and Mobility Forum, which attracted more than 50 government and business experts in the fields of cloud, mobility, and measurement. Here I share some of my presentation main points, and the brainstorming questions. >>> Wearables, Scannables, Drivables, Flyables: Did your pill just call you?—Don’t be surprised! It all is coming in full speed. We will be able to monitor our health through wearables, get our houses on the phone, use the human body for data transmission, and sense the environment.

The Nexus of Forces at World Cup 2014

Thursday, Jul 10, 2014

BLOGPOST: The Nexus of Forces (defined as convergence and mutual reinforcement of social, mobile, cloud, and information) in combination with the Internet of Everything (IoE) had a game changing role at the World Cup in Brazil

It's the High-Tech Wild, Wild West out there!
Although the Cloud Computing marketplace is still chaotic, it is:

[% if(channel!='') { %][%=channel%] - [% } %][%=title%]

[%=dateTime%]

[%=title%]

[%=dateTime%]

[%=title%]

[%=dateTime%]

[%=title%]

[%=title%]

[%=dateTime%]

There are no entries that match your criteria.

It's the High-Tech Wild, Wild West out there! Although the Cloud Computing marketplace is still chaotic, it is:

[% if(channel!='') { %][%=channel%] - [% } %][%=title%]

[%=dateTime%]

[%=title%]

[%=dateTime%]

[%=title%]

[%=dateTime%]

[%=title%]

[%=title%]

[%=dateTime%]

There are no entries that match your criteria.

It's the High-Tech Wild, Wild West out there!
Although the Cloud Computing marketplace is still chaotic, it is: