Cloud security issues and emerging solutions

Security is the top concern for enterprises looking to adopt cloud. We highlight the prime cloud security issues in India as well as solutions to address them.

Despite ongoing debates on cloud computing, it is slowly gaining acceptance among India enterprises. While some have started using private clouds, others are evaluating public clouds. Discussed below are the major cloud security issues and the emerging solutions.

Data ownership: Unlike earlier server client models, where all the data and information of business systems were within the enterprise boundaries, in case of cloud (especially public cloud), data can be saved at any remote location in the world. The major difference lies in where data resides and optimization of resources. The protection of intellectual property right (IPR) thus becomes a key cloud security issue.   

Geographic location: The cloud service providers use several methods to optimally store the data across data centers; hence, one file may get saved in several parts at different locations. However, come companies are not in favor of their data crossing certain boundaries, which has emerged as a major cloud security issue. This has prompted the service providers to come up with solutions such as private cloud or a pact with the customers to store data in particular locations.     

Multi-tenancy model: The multi-tenancy model used by cloud can be explained as one house being used by multiple visiting tenets. For instance, after a user accessing a photo editor application on cloud on the Windows operating system (OS) has logged out, another user may log in. There have been cases when traces of data were found in the OS from the previous user’s session. A smart hacker could misuse this trace to get insight in to the entire session. Such loopholes under the multi-tenancy model have emerged as cloud security issues. These can be, handled by installing security software that checks for traces of any activity from the previous user’s session.

Protection of logs: The cloud logs all the activities, such as the number of people logging in, reason for logging, and others. Logs are very important for service providers, as they help them calculate service charges for customers. Logs also help in tracing inappropriate activities such as hacking. However, a smart hacker could tamper with the log itself, leaving no trace of his activity. Hence, logs should be saved in a way that they cannot be hacked or read by anyone else.

Secure immutable (cannot be broken or disfigured) logs can be used to address this cloud security issue. Immutable logs are also accepted as proof by the court of law. The logs can be made immutable by a simple hash function. Bunch of logs can be taken and hash function can be calculated. Thus, the logs will not be available in plain form, but encrypted in a way that they cannot be deciphered by the key. Hash functions are known as one-way functions; hence, even if you know the hash value, you cannot produce the original text. Hash function is often used to check the legality of a document. It is an algorithm such that even a minor modification could change the hash value, revealing alteration in the original document.   

Identity management: Earlier, identity management was an in-house problem. However, the identities of enterprise users and their passwords are saved in the cloud. This is another important cloud security issue. In the cloud environment, identity management is the service provider’s responsibility. The concern arises when certified security professionals (CSPs) fail to follow stringent security practices.

Things to look out for: Among other things, enterprises should first evaluate the uptime provided the CSP, the reaction window to any security incident and the security posture (infrastructure); check if business continuity and disaster recovery plans have been implemented as well as protection of IPR.

About the author: M S Prasad is vice president - engineering at NeoAccel. He has played a key role in creating Cloud Security Alliance India, a group that includes IT professionals from all over India.

(As told to Dhwani Pandya)

Read more on IT risk management