Cloud computing vulnerabilities basics
When discussing cloud vulnerabilities, it’s important to define indicators based on clear and concise definitions of risk factors concerning cloud computing. Cloud computing security has never been as crucial as it is now. Not only are the risks and threats vast, but in many cases, the security itself is cited as the main stumbling block for the adoption of cloud computing.
Breaking down cloud computing security in order to understand and defend against threats is fundamental, but emphasis must also be placed on understanding and defining the terms involved. Failure to do so can make it impossible to formulate a well-founded assessment of the security impact. Terms like risk, vulnerability, and threat are used so interchangeably that their definitions can become lost in the security ecosystem. Another source of failure is that some of these “threats” may not be specific to cloud computing.
To fully understand the “delta” that cloud computing adds in regard to security issues, it’s important to analyse how cloud computing influences established security issues. Understanding security vulnerabilities is key, especially in relation to cloud computing. Cloud computing makes some well-understood vulnerabilities more significant while adding new ones at the same time.
Let’s take a closer look at cloud computing vulnerabilities:
Vulnerability is one of the more prominent factors of risk. ISO 27005 outlines risk as “the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation,” measuring it for both the likelihood of an event and its consequence.
The frequency with which malicious actors try to exploit a vulnerability can be attributed to many factors: What can the malicious actor gain from an attack? How much effort does it take to infiltrate the system? What is the risk for the malicious actor? The attack will always depend on the difference between the malicious actor’s attack capabilities and the system’s strength to resist the attack.
A vulnerability can be defined as the probability that an asset will be unable to resist the actions of a threat agent. A vulnerability exists when there is a difference between the force being applied by the threat agent and an object’s ability to resist that force. In summary, a vulnerability must always be described in terms of resistance to a certain type of attack.
A computer vulnerability – a security-related bug that can be closed with vendor-provided patches – is a weakening or removal of a certain resistance strength. For example, a buffer-overflow vulnerability weakens the system’s resistance to arbitrary code execution. Whether malicious actors can exploit this vulnerability depends on their capabilities.
Vulnerabilities and Cloud Risk
The consequences and ultimate cost of cloud computing vulnerabilities are exactly the same as if the data breach had occurred within a conventional IT infrastructure. However, cloud computing systems differ in that they are separated on the same infrastructure, which means a loss event could entail a considerably larger impact. An extensive risk assessment protocol should be put in place to pinpoint the threats.
Cloud computing could change the probability of a harmful event’s occurrence. It also causes significant changes in the vulnerability factor. Switching over to a cloud infrastructure might also change the malicious actor’s motivation and access level. For supporting a cloud-specific risk assessment, one must start by examining the exact nature of cloud vulnerabilities.
Certain factors within cloud computing’s nature will make a vulnerability cloud-specific. Cloud computing combines known technologies to provide “off the rack” IT services using economies of scale. Let’s take a closer look at cloud computing to better understand the cloud computing vulnerabilities and how to combat them.
Cloud computing relies heavily on capabilities available through core technologies:
- Web services and applications. Software as a service (SaaS) and platform as a service (PaaS) go hand-in-hand with Web services and Web application technologies. For infrastructure as a service (IaaS), administrators typically implement associated services and APIs.
- Virtualisation IaaS. PaaS and SaaS services are almost certainly built on top of a supporting IaaS infrastructure. In the future, virtualisation is expected to develop from virtualised servers toward computational resources that can be used more readily for executing SaaS services.
- Cryptography. Cloud computing security requirements are usually only solvable by using cryptographic techniques.
Essential Cloud Characteristics
In its description of essential cloud characteristics, the US National Institute of Standards and Technology (NIST) outlines the following:
- On-demand self-service. Users are able to order and manage services without human interaction with the service provider.
- Ubiquitous network access. Cloud services are accessed via the network using the internet, alongside standard protocols and mechanisms.
- Resource pooling. Computing resources providing the cloud service are realised using a homogeneous infrastructure that is shared between all service users.
- Rapid elasticity. Resources can be scaled up and down elastically and rapidly.
- Measured service. Service/resource usage is constantly metered, supporting usage reporting to the customer, optimisation of resource usage, and pay-as-you-go business models.
NIST’s definition framework for cloud computing has now evolved into the de facto standard for defining cloud computing.
Outlined below is what constitutes a cloud-specific vulnerability. A vulnerability is cloud-specific if it:
- is prevalent in or intrinsic to a core cloud computing technology
- has its root cause in one of NIST’s essential cloud characteristics
- is caused when cloud innovations make tried-and-tested security controls almost impossible to implement
- is prevalent in state-of-the-art cloud offerings
Get in touch with RiskXchange to find out more about cloud vulnerabilities.