Cloud computing offers many benefits to the organization, but these benefits are likely to be undermined by a failure to ensure appropriate information security and privacy protection when using cloud services. The aim here is to provide a practical reference and to help organizations' information technology and business decision-makers analyze the information security of cloud computing.
When considering a move to cloud computing, we should have a clear understanding of security benefits and risks associated with it.
Services are segregated into 3 categories:
- Infrastructure as a service (IaaS)
- Platform as a service (PaaS)
- Software as a service (SaaS)
There are a number of risks associated with cloud computing that must be addressed.
Loss of governance ownership
In a public cloud deployment, customers give authority to cloud computing providers over a number of issues that may affect the security and privacy of sensitive data. Yet cloud service agreements may not offer a commitment on the part of the cloud service provider to resolve such issues, thus leaving gaps in security defenses.
Responsibility for aspects of security and privacy is shared between the cloud service provider and the customer. If these responsibilities are not clearly allocated between provider and customer, sensitive information may remain unguarded. The split of responsibilities varies with the cloud service model used (for example IaaS or SaaS).
Authentication and Authorization
Because sensitive cloud information can be accessed from anywhere, there is a serious need for strong authentication and authorization mechanisms for identity management to control access to the data. Users include employees, contractors, partners, and customers, and the data access layer of each category is different. For this reason, authentication and authorization become a critical concern.
Handling security incidents
The detection, reporting and subsequent management of security incidents is outsourced to cloud service providers, yet these incidents impact the customer. To resolve this, notification rules need to be negotiated clearly in the cloud service agreement so that customers are not left unaware, or informed only after an unacceptable delay.
Traditionally, applications were protected by security solutions that knew all physical and virtual configurations and operated in trusted zones. When responsibility for the security infrastructure is outsourced to cloud service providers, security measures over the network should be reconsidered by applying more controls to the application at the user level.
Cloud service providers should apply the same level of security measures in the cloud.
The major concerns are the release of personal or sensitive data, and the loss or unavailability of data. It is important for cloud service customers to check the data handling process of cloud service providers. This problem is worse where data is transferred multiple times, which may result in a lack of ownership transparency in data processing.
Personal data regulation
In most jurisdictions, personal data must be treated according to the respective rules and regulations of that jurisdiction. This goes beyond the protection of personal data: it also involves rights to inspect, correct or delete the data and, in some cases, to have data transferred from one location to another. Any cloud service using personal data should meet these requirements and at the same time keep the data secured.
Malicious behaviors of insiders
Damage caused by the malicious actions of authorized people working inside an organization can be substantial, given their access and authorization, and this risk is compounded in a cloud computing environment. Such activity may occur in either the customer organization or the cloud service provider organization.
This could be caused by hardware, software, or any network communication failures.
Lack of portability
Dependency on a cloud service provider could lead customers to be tied to that provider. This lack of portability poses a risk of service unavailability in case any change requests occur in an application.
Insecure or incomplete data deletion
The termination of a contract with a provider may not result in the deletion of the customer's data from the provider's systems and the provider's third-party systems. Backup copies of data usually exist, and may be mixed on the same media with other customers' data, making it difficult to selectively erase. This represents a higher risk to the customer.
Analyzing the above-mentioned risk parameters for cloud security when migrating an application or moving data to a cloud service provider will help to minimize the risk of surface attacks and avoid substantial risks caused by data loss.