Cloud computing has been a revolution in how data is stored and accessed. Features such as round-the-clock availability, flexible services, dynamic applications and scalability have made cloud computing as popular as it is today. Those same characteristics are also the main reasons behind the challenges faced during cloud implementation and the potential vulnerabilities that endanger cloud security. In this article, we explore how vulnerability assessment is done in a cloud environment.
While the architecture of a cloud infrastructure has a major impact on its resistance to failure, there are other vulnerabilities that must be evaluated for a safe and secure cloud. Cloud computing has changed how organizations work and share data, so it is the responsibility of those organizations to come together and team up to identify, evaluate and resolve cloud security issues. A cloud implementation depends closely on the underlying hardware, network, storage system and connectivity. Each of these must be monitored separately, without losing focus on security issues such as threats and malicious attacks on stored data and data in transit.
Like all other IT-based systems, the cloud requires a well-organized vulnerability assessment mechanism to secure it against vulnerabilities. It is a process defined by the following steps:
- Identification of vulnerabilities and their classification
- Recording and analysis of data collected for the identified and classified vulnerabilities
- A globally accepted mechanism for documentation of cloud vulnerabilities and protocol to share and assess the vulnerabilities
- A global platform for reporting vulnerabilities affecting the cloud security
- Development of tools for handling vulnerabilities
When an organization decides to migrate data from a private data center to a cloud, there should be a well-defined process so that the migration is seamless and does not introduce any vulnerability that may leave the cloud prone to compromise. The following are the most common things to take care of during a migration to the cloud.
Redefine Logging mechanism in cloud
When data management is done at the enterprise level, administrators employ a logging mechanism to tackle the issue of unauthorized access to data. It is an effective technique for identifying an attack and the culprits, since the rules and regulations for data privacy and access are strictly enforced. Because the data is local and under the control of the data and system administration team, it is managed well by assigning authorization and access rights on the data.
When such data is migrated to a cloud environment, control of the data shifts to the service provider, and the rules and regulations previously enforced on the data no longer exist. In that case, if the prior log data falls into the hands of a malicious user, the migrated data becomes prone to attack, leakage or theft. So whenever the migration is done, it is the responsibility of the enterprise to redefine the rules for logging so that it is controlled and reconfigured to match the new environment.
Modify Communication Channels
When an enterprise maintains a local data center, the policies and rules enforced on data modification, movement and security are implemented locally on the basis of the communication channels within the organization. Given the limited span of communication and users, these policies are considered quite secure for any kind of data access. The data channels are a mixed bag of encrypted and unencrypted channels, with hard-coded IP addresses and hostnames defined in the network.
The data administrator evaluates the organizational needs, and all the constraints enforced depend on internal factors. Such a data center is considered secure against any kind of external attack. As soon as the data is migrated to a cloud, the whole equation changes, and the channels that were foolproof on premises pose the biggest threat to the migrated data. Attackers could gain access to the unencrypted channels and plain-text data transfers that have not yet been modified.
So, whenever a migration is executed, the data administrator must identify such loopholes and plug them, so that the hard-coded and unencrypted channels do not give malicious users any opportunity to misuse data in the cloud.
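As an added illustration of the pre-migration check described above (example code written for this article, not a tool the text refers to), the following script walks a key=value configuration and flags the two problems named here: channels that use a clear-text scheme, and hard-coded IP addresses that will not hold once the data leaves the premises. The configuration is constructed for the example; hostnames and addresses are invented.

```python
import ipaddress
import re

# Constructed sample of an on-premises key=value config, as it might look
# before migration. Every host and address here is invented.
SAMPLE_CONFIG = """\
db_host=10.0.12.7
db_port=5432
api_base=http://intranet.corp.example/api
reports_url=https://reports.corp.example/export
backup_target=ftp://192.168.4.20/backups
directory=ldap://dc01.corp.example:389
sso=ldaps://dc01.corp.example:636
"""

# Schemes that carry data in clear text. Inside the perimeter they were
# tolerated; once traffic leaves the premises they are exposed channels.
PLAINTEXT_SCHEMES = {"http", "ftp", "ldap", "smtp", "telnet"}

URL_RE = re.compile(r"^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<host>[^/:\s]+)")


def is_ip_literal(host):
    """True when the host part is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_channels(config_text):
    """Return (key, issue) findings for each config line that needs attention."""
    findings = []
    for line in config_text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        host = value                      # bare values may be an address
        m = URL_RE.match(value)
        if m:
            host = m.group("host")
            if m.group("scheme") in PLAINTEXT_SCHEMES:
                findings.append((key, "plaintext channel " + m.group("scheme")))
        if is_ip_literal(host):
            findings.append((key, "hard-coded IP " + host))
    return findings


if __name__ == "__main__":
    for key, issue in audit_channels(SAMPLE_CONFIG):
        print(f"{key}: {issue}")
```

Each finding is a candidate for rewriting to an encrypted scheme or a name resolved through the cloud's own DNS, before the data is moved.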
Virtualization with Non-uniform Encryption Keys
This is again the biggest flaw when migrating data into the cloud in a virtualized environment. If the data administrator has applied a single encryption technique to the virtualization system, it becomes a vulnerability, since the same encryption technique propagates to the virtual mirrors of the system. This is the most threatening situation, since a single compromise in the cloud gives an attacker numerous paths to the data. The most preferred solution is that, when the migration is done, different virtual mirrors must have different encryption keys. If one mirror is compromised, the rest of the mirrors still remain secure.
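To make the per-mirror key recommendation concrete, here is an added example (not from the article) that derives a distinct data key for each virtual mirror from one master key with HKDF (RFC 5869), binding each key to the mirror's identity, and a small inventory check that reports mirrors whose keys collide, which is the uniform-key situation the paragraph warns about. It assumes the master key lives in a KMS or HSM and is never copied to a mirror; the master key, salt and mirror names below are constructed placeholders.

```python
import hashlib
import hmac


def hkdf(ikm, salt, info, length=32):
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand with info."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_mirror_keys(master_key, salt, mirror_ids):
    """One distinct 256-bit data key per mirror, bound to that mirror's id.

    Only the derived key is provisioned to its mirror; the master key stays in
    the KMS/HSM (assumed here), so one leaked mirror key yields no other key.
    """
    return {mid: hkdf(master_key, salt, b"mirror-data-key:" + mid.encode())
            for mid in mirror_ids}


def key_fingerprint(key):
    """Non-secret identifier for a key, safe to record in an inventory."""
    return hashlib.sha256(key).hexdigest()[:16]


def shared_key_groups(fingerprints):
    """Groups of mirrors whose keys collide: the condition to fix before go-live."""
    by_fp = {}
    for mid, fp in fingerprints.items():
        by_fp.setdefault(fp, []).append(mid)
    return [sorted(mids) for mids in by_fp.values() if len(mids) > 1]


# Constructed scenario: three mirrors of one system image.
MIRRORS = ["vm-web-01", "vm-web-02", "vm-web-03"]
MASTER = bytes(range(32))        # placeholder; a real master key comes from the KMS
SALT = b"migration-salt"         # constructed, non-secret


def uniform_inventory():
    """Before: every mirror was cloned with the same key, so fingerprints collide."""
    shared = hkdf(MASTER, SALT, b"image-key")
    return {mid: key_fingerprint(shared) for mid in MIRRORS}


def per_mirror_inventory():
    """After: each mirror carries its own derived key."""
    keys = derive_mirror_keys(MASTER, SALT, MIRRORS)
    return {mid: key_fingerprint(k) for mid, k in keys.items()}
```

Running shared_key_groups over the fingerprint inventory is the check to repeat whenever a new mirror is cloned, since cloning an image is exactly how one key silently propagates.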
A cloud environment is totally different from a local data center; what works well there will not work in a cloud. While migrating data to a cloud, it is essential to reassess the existing security policies, rules, communication channels, encryption and keys, and security implementation mechanisms from the perspective of the cloud characteristics mentioned at the beginning. Fine-tuning these with respect to the cloud is one thing that cannot be ignored at any cost.