Académique Documents
Professionnel Documents
Culture Documents
Data Replication
Every business faces this challenge. Snapshots and data backups are taken on a daily
basis. They automatically stored in the cloud. Are you aware where they have been
stored and who can see and access them? Can you identify and control unauthorised
copying of your data?
Data Loss
Data loss can be a disaster for any business. Virtual data can be easily lost or exposed
as it moves between VMs or in the cloud. Are you sure that authorised users are
accessing your data within predefined policies? Do you have the authority to block
any user who is violating data use policies?
New Class of Users
Never keep this point out of your mind. You may be thinking data is safe inside. But
this is one of the biggest challenge company’s face. Employees can use their access
to an organisation’s cloud-based services to misuse or access information related to
finance, customer details etc.
How to Protect your Data?
You can protect your business data in the cloud from unauthorised access. All you
need is a sharp eye and an extra effort. Here are few practical tips to keep your cloud
data safe and secure.
Always keep backup locally
When it comes to business data, you have to be extra conscious. Always have a
backup for your data. It is always good to create hard copies of your business data
and keep it with yourself so that you can have access them even if you lost the
original one. You can use any cloud storage solutions to store your data. You can set
up a cloud account & can keep the backup copies. You have another option of
keeping the backup data in an external storage device also like a hard disk or a
thumb drive. This will allow you to access the information even if without the
internet.
Don’t store sensitive data
Technology is changing. Businesses are also changing as per the technology. Data is
playing an important role in businesses today. So, data privacy is one of the primary
aspects of any business. But if something is there on the internet, it is hard to trust it
is safe. So, one should avoid storing the most sensitive files or information in the
cloud. Identity theft is on rising and you can’t take any risk. You should keep those
files in cloud platform which you access frequently and should avoid putting
information related to financial details, competitor details, client details, contact
details like phone number/address etc. If you are keeping these files, make sure you
encrypt them before uploading.
Data encryption
One of the best ways to protect your data while using cloud storage is to do data
encryption. This is the best form of security because you need decryption before
accessing the data. This will protect data against service providers and users also. To
make it more protected, you can also ensure cloud encryption during uploading and
downloading phases. But, this will make data sharing and sync in the cloud platform
little slow.
Encrypted cloud service
There are few cloud services which provide local encryption and decryption of your
files and information inside that other than storage and backup. This means the
service takes care of both encrypting your files and storing them safely in the cloud.
This will ensure that no one including the service provider or the administrators can
have the access to your data files. There are many free versions and also trial
versions available in the market. You can use them to learn how it works and later
can upgrade to enjoy more space.
Using password
The first thing which can be done is to put strong password which can stand a
hacking. You can take the help of internet to learn how to create a strong password.
It is very important to change your password frequently and never use the same
password for all the accounts or folders. You can opt for 2-step verification for login
if your cloud service offers that option. Google drive use 2 phase log in option,
consist of password & code sent to the registered number. This added security will
make your data much safer.
Keep an eye on what you do online
The security of your cloud data largely depends on your online behaviour. While
using a public computer, never save your password, and always ensure that you
logged out properly. Another biggest concern is accessing cloud data in unsecured or
open Wi-Fi hotspots. Such connections are unencrypted, hackers can target your
data easily. Never save your password in any of the public forum or social media.
Change Wi-Fi passwords frequently.
Anti-virus is a must
Sometimes the weakest link happens to be the computer or device you use for cloud
data access. You need to put proper protection in your system/device. It will help in
securing your business data. If you expose yourself to bugs and viruses, hackers can
access your system easily. You need to choose a very effective and robust anti-virus
system for your system, which will protect all the files and information inside that. If
your system isn’t well protected, and if the system is not encrypted and secured
from bugs, hackers can get hold of your information.
Read your user agreement
If you are new to the world of cloud computing and not sure what cloud storage to
choose or how it really work, you have to read the user agreement of the service you
are going to sign up for. Initially, it will be difficult to understand and at times it will
test your patience, but you need to face this. User agreements always carry essential
information which can help you understand things in detail.
Access limitation
Give access to those users who really need. Internal users and third party vendors
should only get access to those files which will help them to do their jobs. Use
encryption keys if required. Make sure to evaluate the users and vendors regularly
and add/remove users as per the requirement.
Uncertainty about the legal and regulatory obligations related to data will increase
with the increase of the data in the cloud platform. To ensure every business and
country get full advantage of cloud computing, different countries have to cooperate
to develop a multinational framework on data privacy and security in the cloud. As
cloud computing evolves, and data flows from one country to another. For example,
data has been created in India using a software hosted in UK & stored in US with
users based in Australia. Cloud provider needs to coordinate this entire process to
make sure the data flow is going smooth & safe.
Rules on Cross-border data transfers :
To enhance the efficiency and security of cloud solutions and deliver quick results,
cloud service providers must be able to operate datacentres in multiple locations and
transfer data freely between them. Smooth data flow allows cloud providers to
optimize their service and deliver the best business solutions. However, restrictions
on cross-border data transfers can create uncertainty if the rules or the legal
framework are not followed.
Conflicting legal obligations :
Different governments have different policies when it comes to data flow in their
country. Cloud providers will be in legal trouble if they won’t follow the predefined
cyber laws. Divergent rules on privacy, data retention, law enforcement access and
other issues can lead to ambiguity. For example, one country might have certain
rules when it comes to cloud data storage, which might be in direct conflict with
another country or a particular service provider.
In order to protect data in the cloud platform, you need to keep all these above
things in mind.
In this context, access is the ability of an individual user to perform a specific task,
such as view, create or modify a file. Roles are defined according to job competency,
authority and responsibility within the enterprise.
How roles are identified in a system and how they are assigned to individuals.
Protecting the sensitive data within the system and securing the system itself.
What IAM systems should include
Identity access management systems should consist of all the necessary controls and
tools to capture and record user login information, manage the enterprise database of
user identities and orchestrate the assignment and removal of access privileges. That
means that systems used for IAM should provide a centralized directory service with
oversight as well as visibility into all aspects of the company user base.
These systems also need to balance the speed and automation of their processes with
the control that administrators need to monitor and modify access rights.
Consequently, to manage access requests, the central directory needs an access rights
system that automatically matches employee job titles, business unit identifiers and
locations to their relevant privilege levels.
Multiple review levels can be included as workflows to enable the proper checking of
individual requests. This simplifies setting up appropriate review processes for higher-
level access as well as easing reviews of existing rights to prevent privilege creep, the
gradual accumulation of access rights beyond what users need to do their jobs.
IAM systems should be used to provide flexibility to establish groups with specific
privileges for specific roles so that access rights based on employee job functions can
be uniformly assigned. The system should also provide request and approval
processes for modifying privileges because employees with the same title and job
location may need customized, or slightly different, access.
IAM technologies can be used to initiate, capture, record and manage user identities
and their related access permissions in an automated manner. This brings an
organization the following benefits:
Access privileges are granted according to one interpretation of policy and all
individuals and services are properly authenticated, authorized and audited.
Companies that properly manage identities have greater control of user access,
reducing the risk of internal and external data breaches.
In terms of security, the use of an IAM framework can make it easier to enforce
policies around user authentication, validation and privileges and address issues
regarding privilege creep.
Audits: CPs use different audit standards (e.g., SAS 70 II, FISMA, ISO 27001) to
assure users about their offered services and platforms. For example, Google
lists SAS 70 II and FISMA certification to ensure users about the security and
privacy measures taken for Google Apps. The audit SAS 70 II covers only the
operational performance (e.g., policies and procedures inside datacenters)
and relies on a highly specific set of goals and standards. They are not
sufficient to alleviate the users’ security concerns and most of the CPs are not
willing to share the audit reports, which also leads to a lack of transparency.
Endpoint Security: The weakest link for any enterprise is often the
endpoint. Cloud infrastructure allows a virtually infinite number of devices
and interfaces to connect to a network. Every device will have to be
configured according to organizational security policies, with specific
guidelines for IoT and BYOD. Therefore, the targets of security architecture
need to be astutely planned, covering IAM integration with different
endpoints, followed by security testing to reduce the number of threats.
Other measures include regular VAPTs (vulnerability assessment and
penetration tests) and threat intelligence tools such as IllusionBLACK, which
activates a decoy whenever an attacker is detected.
6. Level of security
EDoS
An attack against the billing model that underlies the cost of providing a service
with the goal of bankrupting the service itself. DoS attacks on pay-as-you-go cloud
applications will result dramatic increase in your cloud utility bill, increased use of
network bandwidth, CPU, and storage consumption. This type of attack is also
being characterized as economic denial of sustainability (EDoS).
Cookie Poisoning
Cookies used to store User IDs. The two types of cookies are: persistent and non-
persistent. Persistent cookie is stored on the client hard-drive, hacker who can
access the client machine and easily access the cookies. Non-Persistent cookie is
stored in memory and more difficult to access. Another attack is unauthorized
person can change or modify the content of cookies to access the application or
web page. Cookies contain user identity credential information, one unauthorized
person access these details then they can able to forge as an authorized user. This
will be overcome by regular cookie cleanup.
Backdoor and debug options
N ormally developers will enable the
debugging option while publishing the web site. So hacker can easily enter into the
web-site and make some changes . To prevent this attack developer should disable
the debugging option.
Hidden field manipulation
While user accessing the web page some fields are hidden and its used by
developer. The hidden fields in HTML forms convey important information such
as price, user ID etc. The attacker can save the catalogue page and change the value
of hidden field and posted on web page. This will be severe security violation.
Google Hacking
G oogle search engine is the best option for the
hacker to access the sensitive information. Even the hacker hack the user's account.
Generally they try to find out the security loopholes on Google they wish to hack
and then after having gathered the necessary information of the concerned system.
A group of hackers in china hacks the login details of various g-mail users. The
security threats can be launched at the application level and cause system
downtime disabling the application access even to the authorized users.
Man in the middle attack
This attack is also a category of eavesdropping. The attacker set up the
connection between two user and tries to hear the conversation or it provide false
information between them. Tools like Dsniff, Cain, Ettercap, Wsniff, Airjack etc
have developed to protect from this attack
Dos Attack
Dos attack the services assigned to the authorized users unable
to use by them. The attack, large number of services request handled by the server
exceeds become unavailable to the authorized user. DoS attack increases
bandwidth consumption besides causing congestion, Due to overloading of the
server with the requests. Making certain parts of the clouds inaccessible to the
users.Intrusion detection system (IDS) is the most popular method of defense
against this type of attacks.
Distributed Denial of services
DDos is advanced version of DoS in terms of denying the
services running on a server is not able to handle it. Three functional units of DDos
attacks: A Master, A Sleve and A Victim. Mater being the attack launcher is behind
all these attacks causing DDoS, Slave is the network which acts like a launch pad
for the Master. It provides the platform to the Master to launch the attack on the
Victim. Hence it is also called as coordinated attack. The DDoS attack is
operational in two stages: the first one being Intrusion phase and second one DDos
tools. In intrusion phase the master tries to compromise the less important
machines to support in flooding the more important one. The installing DDos tools
and attacking the victim server or machine. DDos attack the services is unavailable
to authorized user Its similar to Dos Attack but the way of launching is different.
DDos attack was experienced with CNN news channel website is unable to access
the site for a period of three hours.
Other Security Threats:
Failures in Providers Security
Security is necessary when designing cloud because cloud service provider controls
the hardware and hypervisor on which data is stored and application also runs on
the cloud infrastructure.
Attacks by other Customer
The cloud service provider resources shared with untrusted parties. The one
customer can access the other customer sensitive information. This is highly
possible in cloud. To overcome this problem strong cryptography, application-layer
operation should be applied.
Availability and reliability issues
Cloud service is accessible through internet, so internet
availability and reliability is essential. Service accessible through internet so
complexity increase due to change of failure. The countermeasures are monitoring
the availability carefully.
Legal and Regulatory Issues
The cloud computing have many legal and regulatory issues
regarding the data exposed outside the jurisdiction.
Perimeter security model broken
Many organizations use a perimeter security model with strong security at the
perimeter of the enterprise network. Now all critical data and applications are
stored in cloud but its outside the perimeter of enterprise control.
Integrated Provider and customer Security
The problem is disconnected provider and customer security systems. If there is
any misbehaviour in cloud, not reported to the customer. The cloud service provider
should adapt Proper integrity identity management
When reviewing host security and assessing risks, the context of cloud services
delivery models (SaaS, PaaS, and IaaS) and deployment models public, private,
and hybrid) should be considered . The host security responsibilities in SaaS and
PaaS services are transferred to the provider of cloud services. IaaS customers are
primarily responsible for securing the hosts provisioned in the cloud (virtualization
software security, customer guest OS or virtual server security).
Businesses and enterprises use cloud services because they provide cost-effective
and flexible alternatives to expensive, locally-implemented hardware. But
conducting business in the cloud means that confidential files and sensitive data
are exposed to new risks, as cloud-stored data resides outside of the limits of many
safeguards used to protect sensitive data held on-premise. As such, enterprises
must take additional measures to secure cloud storage beyond the sometimes basic
protections offered by providers.
The rise of Internet of Things (IoT) technology and the connected office has also
made enterprises more reliant on cloud technology, albeit while driving security
risks. Even smart printers have been found vulnerable to data leakage, and as
more corporate devices become internet-connected, the potential for compromise
or unintended leakage increases.
CLOUD STORAGE SECURITY BASICS
As enterprises move further along the cloud adoption curve, cloud storage security
is becoming a top priority – both in enterprises’ IT architecture and information
security strategies. Companies now recognize that it’s critical to protect sensitive
data while enabling employees to enjoy the performance and flexibility of the
cloud.Cloud storage providers and enterprises share responsibility for cloud
storage security. Cloud storage providers implement baseline protections for their
platforms and the data they process, such authentication, access control, and
encryption. From there, most enterprises supplement these protections with added
security measures of their own to bolster cloud data protection and tighten access
to sensitive information in the cloud.
Data protection solutions for cloud storage security provide complete visibility and
policy-based control over how data can be moved to and from the cloud, ensuring
that only authorized data leaves the company’s environment and that data access is
limited to authorized parties. In doing so, companies can enforce stricter
protections around sensitive data than what many cloud storage providers offer and
provide a second line of defense in the event that a provider has a security
compromise.
When choosing a cloud storage security solution, enterprises should be sure that it
provides continuous monitoring and visibility for all data interactions with cloud
storage applications, provides granular control over file movement based on
browser and OS events involving file sharing and cloud storage sites, integrates
with leading cloud storage providers to be able to extend data protection measures
to data stored in the cloud, automatically encrypts sensitive data prior to egress,
accurately classifies any data downloaded from web applications, and delivers
forensic event logs for effective alerting, reporting, and policy creation.
Watch out for some cloud providers’ complex, multi-document contract structures
that may be poorly updated and oddly worded. In particular, don’t assume that you
know what’s in a provision based on its heading. For example, in some terms,
‘force majeure’ seems to be elastic-sided enough to capture “changes in the
taxation basis of services delivered via the Internet” as a force majeure event!
Some of the key issues that tend to recur in cloud contract negotiations include:
• exit provisions allowing the customer to extend service for a period after
termination or expiry to allow migration to the replacement solution.
Technical areas don’t tend to lend themselves to negotiation given the
commoditised nature of cloud solutions - and you can show your naivety by asking
for changes that directly contradict the services model.
Because of the constraints on your ability to negotiate the provider’s cloud terms,
it’s essential to carry out appropriate due diligence on the provider. Areas of focus
should include:
Location of services
Service performance and usability
Existing customers (references)
Data location, processing, portability and recovery
Security
Interoperability
Business continuity
Exit
Cloud contracts: 3 - Data privacy remains centre stage
It’s also vital to understand how responsibility for data privacy obligations will be
allocated between you and the provider, including who is responsible for data
security.
Typically, providers have been more willing to take on responsibility for network
integrity, while trying to steer clear of obligations in relation to security of the data
itself.
However, over recent years, cloud service providers have been improving their
privacy offerings. For example, there has been an increased willingness of
providers to adopt the EU model clauses for data transfer.
Ensure that you are comfortable with the level of service performance commitment
offered by the cloud provider.
Most cloud contracts remain pretty light in terms of service levels, with availability
being the typical measurement metric. Check the wording of the SLAs carefully –
watch out for references to ‘service levels designed to be available’, ‘target service
levels’, etc.
Also, identify the remedies available for service failure – it’s common for
providers to offer credit for additional services, despite the fact that it’s hard to see
‘more of the same’ as a valuable remedy.
You need to carry out a thorough risk/benefit analysis exercise in order to evaluate
whether the particular cloud solution is right for your business. If you perceive the
risks to be so great that significant contract negotiation seems essential before
putting services in the cloud, it may be that cloud isn’t the right solution for you
after all.
Cloud computing technology has improved significantly in the past year, making it
an appealing tool for businesses of all sizes. Cloud computing can benefit
businesses in many ways, from cutting costs, to increasing business efficiency, to
guaranteeing data recovery in case of an accident. In fact, 47 percent of medium
and large enterprises say increased efficiency is the main benefit of cloud
computing, according to a new survey data on enterprise cloud computing.
What common mistakes should companies be aware of as they begin the migration
process? What steps should they take when implementing cloud infrastructure?
Moving to the Cloud can be complicated. Not all data, applications, and files are
suited for cloud storage and security issues may arise if proper safeguards are not
implemented properly.
Some common cloud implementation mistakes include,
“The most popular cloud vendor is Amazon. They are ahead of the game because
they offer services that are easy to implement and use. Then, Microsoft Azure and
Google follow Amazon. … But, if a company or enterprise is attached to Microsoft
products, then Microsoft Azure may be a better fit for them. It depends on the
company’s requirements.” – Jose Alvarez, director of IT infrastructure, Auxis
2. CHOOSE A CLOUD SOLUTION THAT MEETS YOUR COMPANY’S
NEEDS
The three cloud systems, public, private, and hybrid, have advantages and
disadvantages. Before adopting cloud infrastructure, it is important for businesses
to understand the similarities and differences of each cloud solution in order to
select the type that is most appropriate for their business goals.
First, the public cloud provides resources publicly over the Internet. While data
scalability and price flexibility are key advantages of this cloud solution, a business
that does not know how to monitor data security risks security breaches.
Second, private cloud solutions service a single company and are managed in-
house by the IT department. The main advantage of the private cloud is the high
level of security it offers. Businesses are responsible for the infrastructure.
However, maintaining a private cloud solution is more expensive and less flexible
than the public cloud.
Third, hybrid cloud solutions combine characteristics from both public and private
clouds. However, a business needs a knowledgeable IT staff on-hand to combat the
complexities inherent in this solution.
“Many [businesses] know just enough about the Cloud to be afraid of it and say,
‘I’m not touching that.’” – David Amaya
Another explanation highlights ever-present security and compliance concerns.
Authentication
Authentication is the process that allows the user to provide proof of his
identity. It is often done through the login method, based on the using of a
username and a password. This static mechanism leaves the system vulnerable to
attacks, since hackers can use many techniques, such as sniffing and guessing, to
steal user passwords . So, to alleviate the problems associated with identity theft, it
is essential to adopt a strong form of authentication techniques.
The login and the password are confidential information that the user employs
in order to access a specific service (mailbox, shopping sites, etc.). This is the
weakest authentication and identification mechanism, because it is possible to
intercept the password in transit or when it is typed on the keyboard.
Typology of passwords
• Simple and easy to remember password: The choice of the password is often
left free to the user. Most users simply use an easy-to-remember password.
However, it is easy to be guessed.
• One time password (OTP): By adopting the OTP mechanism, the password
will be unique, automatically generated, random and can only be used once. For
each access request, a new password will be sent to the user, via SMS or email.
Uses of passwords
• Unique password: Single sign-on allows to use the same password to access
all services and applications, For example, one password can be used to access
both mailbox and social network.
• Captcha: This is a sequence of characters that the user must type to prove
that he is not a robot.
• Image scan: When a user is connected to a service from the laptop and want
to be connected from the smartphone, the system provides to him an image that
must be scanned by this smartphone to access the service without having to remake
the whole authentication procedure.
3.2.1.4. Biometrics
Fig. 2. Biometrics
• Iris scan: The detailed texture of the iris is specific to each individual.
Moreover, this texture is stable and cannot be modified without significant loss of
visual capacities.
This is a good authentication, avoiding the identity theft and the replay of an
authentication. It implements a proof of possession of a secret element
(cryptographic key), by means of an authentication protocol guaranteeing the
confidentiality of the secret element . Encryption is also an indispensable tool for
protecting information in computer systems.
3.2.2.1. Trust
A trusted third party (TTP) is an entity used in the context of the Cloud to
facilitate and secure interactions between two parties (consumer and provider) that
both trust this third party. It can manage authentication, control access to resources,
and more.
Password
- Easily counterfeited.
- Necessity to purchase
the device.
The legal issues that frequently arise in the cloud are wide-ranging. However,
attempting a broad generalisation, mainly four types of issues arise therein:
At the outset, it may very well be clarified that though cloud computing enables the
customer access to computing, networking, storage resources just like traditional
outsourcing services and Application Service Providers (ASPs), it has a legal
nature quite different from these two owing to its distinctive features like ‘on-
demand access’, and ‘unit-based pricing’ (pay-per-use).
Seemingly, the main privacy/data security issue relating to the cloud is ‘data
breach’. Data breach may be in the generic sense defined as the loss of
unencrypted electronically stored personal information (Buyya, Broberg, &
Goscinski, 2015). A data breach can cause loss to both the provider as well as the
customer in numerous ways; with identity theft and chances of debit/credit card
fraud to the customer, and financial harm, loss of customer, loss of reputation,
potential lawsuits et cetera for the provider.
The American law requires data breach notification to be issued of affected
persons in such case of a data breach. Almost all the states in the United States
now require notification of affected persons upon the occurrence of a data breach.
Talking about the Indian scenario, most of the providers are seen to attempt at
lessening their risk liability in case of a data breach scenario. However, as more
sensitive information is entering the cloud every passing day, businesses and
corporations have started negotiating the contracts so as to insert terms that expand
the contractual obligations of the providers.
Problem arises when the data is subject to more than one jurisdictions, and the
jurisdictions have different laws regarding data privacy. For example, the
European Union Data Privacy Directive clearly states that ‘Data cannot leave the
EU unless it goes to a country that ensures an “adequate level of protection”.’
Now, although such statement makes the EU provisions easily enforceable, but it
restricts the data movement thereby reducing the data efficiency.
Contracting Issues:
However, the main issue regarding the Cloud Service agreements is ‘contract of
adhesion’. Owing to the limited expansion of Cloud Services in India, most of the
time the ‘Click-wrap agreement’ model is used, causing the contract to be one of
the contract of adhesion. It leaves no or little scope for negotiation on the part of
the user/customer.
With the expansion of the Cloud computing, gradually the negotiation power of the
large corporation will cause the Cloud Contracts to be standard and negotiated
ones. However, at an individual level, this is still a far destination.
Legal provisions clearly cannot force the cloud providers to have a negotiating
session with each and every customer. However, legal provisions may be made to
ensure that the liability and risk responsibility clauses follow a standard pattern
which compensates the user for the lack of negotiation during the formation of the
contract.
Jurisdictional Issues:
The cloud enables a great deal of flexibility in data location, which ensures
maximum efficiency in data usage and accessibility. However, it creates a number
of legal issues as well. It makes it quite possible a scenario that the same data may
be stored in multiple locations at a given time. Now, if the multiple locations are
subject to different jurisdiction and different legal system, there arises a possibility
that there may be conflicting legal provisions regarding data in the two
aforementioned different locations. This gives rise to most of the jurisdictional
issues in Cloud computing.
Also, laws relating to confidentiality and Government access to data are different
across different nations. While the Indian laws manage to strike a balance between
national security and individual privacy, most of the nations do not prefer a
balance and have adopted a biased view on this. Problem of conflict of laws arises
herein, in such cases.
It is an accepted truth that Law always lags behind technical innovations, and the
complexities of the Cloud innovations and related Cloud Services like Software as
a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service
(IaaS) will force the law and legislations to catch up in order for an effective legal
system that provides legal remedies to prevent and redress the resultant harms.