Security Implications Of Cloud Computing

assignment from wri 121 class

“Cloud computing”, the use of off-site servers for data computation and storage, has quickly become a necessity in the internet-dominated 21st century. Services such as Google Cloud, AWS, Microsoft Azure, and a variety of others have quickly made their way into the workflows of both individual consumers and businesses. For many businesses especially, cloud computing services provide the major benefit of not having to physically own and maintain racks of servers in order to host internal IT services and, if the business runs a website or any other form of Software-as-a-Service (SaaS), customer-facing services. This frees up company resources that can be allocated elsewhere to decrease operational costs, and has subsequently led to a variety of IT management SaaS products that threaten the jobs of many individuals in the IT workforce. While enticing, the use of these services by businesses breaks a key rule in the field of cybersecurity: keeping a small attack surface. This means avoiding the introduction of extra access points that malicious actors can exploit, which is what using a cloud computing service indirectly does. Sensitive company data and potentially customer data are put in the hands of third parties, which not only requires a great deal of trust in those third parties but also opens up another avenue for threat actors to attack and steal that data. While cloud computing services offer a variety of benefits to commercial businesses by making it easy to manage user data and computation power, such services cannot be used blindly, because of the data privacy risks from attacks on cloud trust systems and the larger attack surface available to malicious actors.

One of the most blatant consequences of shifting IT services to an external cloud provider is dealing with the notion of trust. Trust in the context of cybersecurity works just as it does in psychology, meaning it is only possible when one entity believes that another entity it’s working with will behave exactly as expected (Farsi et al. 4). Thus, adding another external entity that must be trusted with sensitive information opens up a multitude of potential security risks that can easily jeopardize that information. This is effectively shown through a taxonomy of cloud service reputation attacks developed during a study at King Abdulaziz University. The proposed taxonomy mainly highlights the number of indirect mistrust attacks that can occur with cloud systems, classifying 17 different categories of these attacks compared to six for direct mistrust attacks. These indirect mistrust attacks are further classified into malicious recommendations (where a malicious entity presents itself as trustworthy) and identity management attacks (where a malicious entity impersonates another, trusted entity), which can “either elevate the reputation of a unit with malicious intentions, or ruin that of a trusted one entirely” (Alshammari et al. 4). These two forms of mistrust attacks are what make implementing cloud services in a corporate environment such a high risk. Having to deal with external threats in addition to internal ones widens the attack surface and increases the risk of sensitive data being stolen or operations being stopped. Furthermore, the digital-only nature of cloud services makes indirect mistrust attacks incredibly easy to both set up and operate. Ultimately, cloud services can introduce a variety of specific trust issues that are hard, and sometimes impossible, to vet and that lie outside of the corporation’s control.

As world governments have started to place more legislation on personal data protection and privacy, the ways in which data is managed on cloud services can often conflict with national data privacy laws. Leslie Willcocks, a major name in the fields of both economics and information technology, conducted a survey at the University of Sydney Business School with 42 information technology leaders that found that this was one of the most difficult challenges for businesses to handle, with one CIO stating “We know that we can’t look to IBM, Microsoft and Oracle for innovation but are wary of SaaS apps as they are black boxes and the current regulations are not friendly to them” (Gozman and Willcocks 7). Since cloud computing services are proprietary software, it is practically impossible for anyone outside the provider to know exactly how the service and its software are run, which can lead to data privacy conflicts depending on the country. For example, after the passing of GDPR, the European Union handles data privacy much more seriously than the US. This leads to a dilemma if a European business were to store customer data with an American cloud service. Such issues can make it extremely difficult to move to a cloud service provider without risking massive litigation over data protection laws from the business’s home country and international consumer base. Data privacy protection laws act as a huge roadblock toward adopting cloud services.

Security models for cloud services still have a large number of vulnerabilities, and so far proposed solutions have either been uneconomical or lacked end-user trust. Proposed solutions such as the DepSky model for multi-cloud databases implement “three types of parties […] such as writers, readers, and cloud storage service providers” which all attempt to secure data in transit while still being time efficient (Farsi et al. 6). The issue with models like DepSky is that, while they improve trust by creating a system of checks and balances, they fail to deal with the problem of an increased attack surface because they introduce even more points of failure. This is exacerbated even further by the fact that most popular cloud computing SaaS products are proprietary software, which means the source code of the products isn’t publicly available and thus can’t be vetted for trust purposes by the businesses using them. This is best described by a quote from a compliance officer from the previously discussed survey: “The Cloud itself is a big thing to be worrying about, and as it’s developed behind the scenes by a number of companies over the last few years it’s a scary technology from one point of view. As you don’t really know where anything is or how it works. A lot of the Cloud systems are proprietary. You have no real control over where your data is, how it’s backed up, how secure it is” (Gozman and Willcocks 7). Ultimately, this highlights the issue of introducing third-party proprietary software in general: it’s almost impossible to integrate without introducing more trust issues and a wider attack surface.

One common counterclaim is that, instead of focusing on securing data management in cloud platforms specifically, innovations in cryptography will ultimately make concerns about an increased attack surface or trust management pointless. A recent paper published in Sustainability provides evidence that supports this by introducing a new end-to-end data security algorithm for cloud computing. The model proposed by the researchers makes use of different data salting and hashing methods (appending random data to sensitive data before “hashing”, or scrambling it) in order to generate what is known as a “secret key” for each interaction with the cloud service. This secret key can then be used to verify the senders and receivers, and can also be used to decrypt the data so it can be processed properly. The results shown in the paper are also rather impressive, stating that “the value of [decryption throughput] was lower for the proposed algorithm in comparison with the other algorithms” (Ghosh et al. 13). There are two main issues with this claim: one statistical, and one logical. Firstly, while the encryption algorithm was incredibly effective, it was also incredibly slow, with the researchers stating “However, the encryption and decryption times for the proposed algorithm were significantly longer than the AES and DES algorithms” (Ghosh et al. 14). This makes the algorithm uneconomical from a business perspective, meaning that it likely will never see adoption from actual cloud service providers. Additionally, cybersecurity is ultimately like a game of cat-and-mouse. As more effort is put into improving cryptography methods, even more improvements are being made to decryption methods (and potentially quantum computing) that can render the resources put into development and adoption of these algorithms rather pointless. While improved cryptography methods might seem like an effective solution on the surface, they are usually neglected by businesses due to being uneconomical and end up never seeing implementation in third-party cloud services.

While cloud computing services can provide a variety of operational benefits by reducing the amount of IT staff and equipment in a business environment, they also introduce a variety of data privacy issues that can lead both to a compromise of sensitive company data and to stiff legal liability penalties. It should be noted that despite these security concerns, cloud computing is still an incredibly efficient and economical solution for a variety of businesses, so long as it is implemented with care. Being able to dynamically purchase computation power makes it incredibly easy for businesses, especially small-scale ones, to implement and release SaaS products and compete in the digital market. However, as discussed throughout this paper, cloud computing services cannot act as a complete replacement for a company’s IT and cybersecurity teams, as the use of these services still requires intense moderation and management. As many established companies and newly founded startups have begun or are in the process of switching to a fully cloud setup, it is important for these companies to consider these risks in order to protect both themselves and the digital privacy of their customers and employees.

Works Cited

  • Alshammari, Salah T., et al. “Trust Management Systems in Cloud Services Environment: Taxonomy of Reputation Attacks and Defense Mechanisms.” IEEE Access, vol. 9, 2021, pp. 161488–506, https://doi.org/10.1109/ACCESS.2021.3132580. Accessed January 22, 2024.
  • Farsi, Mohammed, et al. “Cloud Computing and Data Security Threats Taxonomy: A Review.” Journal of Intelligent & Fuzzy Systems, vol. 38, no. 3, 2020, pp. 2517–27, https://doi.org/10.3233/JIFS-179539. Accessed January 20, 2024.
  • Ghosh, Soumalya, et al. “Improved End-to-End Data Security Approach for Cloud Computing.” Sustainability (Basel, Switzerland), vol. 15, no. 22, 2023, pp. 16010-, https://doi.org/10.3390/su152216010. Accessed January 24, 2024.
  • Gozman, D., and L. Willcocks. “The Emerging Cloud Dilemma: Balancing Innovation with Cross-Border Privacy and Outsourcing Regulations.” Journal of Business Research, vol. 97, 2019, pp. 235–56, https://doi.org/10.1016/j.jbusres.2018.06.006. Accessed January 22, 2024.