Curator's Note: The content of this article was originally written by Pravin Anchan over at the Cloud Computing Path blog.
Cloud computing brings convenience and cost savings, but at the same time it raises issues about security. Cloud computing security issues arise at the provider's end, where the provider has to implement a variety of features to ensure the data servers are covered by a high level of security. Since virtualization introduces another layer, providing security becomes more complicated. The customer implicitly trusts service providers to keep data safe and secure, and at their end they may relax security implementation. Fears about cloud security have led companies to opt for private clouds. Even these environments cannot be said to be completely secure, though they are protected by firewalls.
Privacy, data security and data integrity
Privacy was, and remains, one of the chief concerns in cloud architecture that has not been satisfactorily resolved. One reason is that different countries have different laws concerning the privacy of data stored on servers operating in their country, though the person to whom that data belongs may be in another country. A cloud service provider may assure clients that data is absolutely safe, but the provider may be obligated by law to give officials access to that data whether the client agrees or not. Another vexing matter is that laws have not been amended to cover all forms of data and may consider only emails and text messages to be private information. Data, unfortunately, is not given the same consideration as physical property. If data is accessed under the law, officials can also lay their hands on the data of other clients stored on the same hard disk, raising the risk of collateral damage.
Data confidentiality in the cloud
Another contentious issue is that staff of the cloud service provider have access to data and, even though it is encrypted, such data could easily be accessed and tampered with.
Data streaming security
In a cloud environment, data is streamed through the internet. If it travels through secure "https" channels, data can be said to be safe and secure. However, when data streams over open lines, even though encrypted, the packets can be accessed. Access to the data then depends on the expertise of the hacker in decrypting data packets. Additionally, since data in the cloud is accessed frequently, there is a chance of errors that can lead to data corruption or illegal access by eavesdroppers.
IaaS, SaaS and PaaS each with its own set of issues
Cloud computing has three different pathways: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). Each has vulnerabilities that are not fully resolved. For instance, software as a service deploys the same software used in networked and desktop environments, and developers have yet to develop secure coding that will plug loopholes and guard against penetration.
Service level agreements
Cloud service providers have their own service level agreements aligned to fit in with their method of operation. These SLAs may not perfectly match client expectations in terms of security and safety.
There are plenty of contentious, unresolved questions, such as who shares physical and logical resources, and questions about audits and assessments. Is there any mechanism in place to safeguard data in case of a lockout caused by legal action against another client sharing the same hard disk space? Do cloud service providers have a mechanism in place for assured data destruction on all servers if a client wishes to discontinue services? Of course, the permanent question is about a service provider's continued viability to be up and available at all times. A couple of cloud service providers have folded, and users are understandably concerned about the security of their data.
As existing issues are addressed and resolved to some extent or even completely, and as cloud services expand, as yet unforeseen issues are likely to arise. In the present scenario, it is caveat emptor, or let the service user be extremely careful and cautious.