Overview of Security Challenges in Cloud Computing

Presented by Zayyad Isa Sulaiman
Department of Computer Science
NICTM, Uromi
August, 2021

Introduction to Cloud Computing

• The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
• It could be a web-based email system like Google or Yahoo, a social networking site like Twitter or Facebook, an on-demand subscription service like Netflix or Hulu, a cloud storage service like Dropbox or OneDrive, a collaborative tool like Google Docs, or an online backup tool like Jungle Disk or Mozy.

Key Takeaways from the Presentation

1. General understanding of cloud computing.
2. Cloud computing models.
3. Cloud computing features and benefits.
4. Security threats in cloud computing.
5. Suggested solutions to threats.

Cloud Service Models

• Software as a Service (SaaS): In this model, software applications are provided to end users (clients and customers) based on their requirements and needs. These are delivered through the web and can be accessed by clients from various devices through a web browser. Companies such as Google, Zoho and Microsoft provide SaaS to users.
• Platform as a Service (PaaS): Here, the cloud provider provides a platform for users and clients to develop or customize their own software applications. This model provides the tools and libraries clients need to develop, control and deploy their applications.
• Infrastructure as a Service (IaaS): Here, resources including server infrastructure are provided to clients and consumers to run and deploy their operating systems and applications.
With the use of virtualization technology, IaaS provides virtual machines that allow clients to build computer network infrastructures. Amazon's EC2 is a good example of a cloud computing service that offers IaaS. It provides the user with the infrastructure to deploy various operating systems in a virtual computing environment and run different applications.

Features and Benefits of Cloud Computing

• Broad Network Access and Ubiquity: Users can access cloud services over the network through their various devices. These devices could be laptops, mobile phones or PDAs, regardless of platform and location.
• Flexibility and Elasticity: Cloud computing's scalability makes it possible for enterprises to rapidly scale up or down as demand changes. This is made possible by scalable infrastructure, where very little modification is needed to allow scaling in or scaling out.
• Measured Service / Pay-per-use: Resource usage is monitored and measured, enabling users to pay only for the services they subscribe to. This reduces the cost of cloud computing usage, making it more attractive to individual users as well as corporate organizations and enterprises. Payments could be per minute, hourly, monthly, by workload or per service.
• Reduced Cost: Clients achieve this through measured service, pay-per-use, and the absence of any requirement to purchase in-house infrastructure.
• Self Service: With the various services offered by cloud computing infrastructures, users' needs are met. On-demand self-service provides users with resources to meet their demand regardless of type, e.g. server time or storage.
• Increased Storage: In this age of big data and data mining, enterprise and organizational needs for massive storage are taken care of.
With the large storage facilities and services offered by cloud providers, storing large quantities of data is no longer a major concern. These cloud providers also take responsibility for managing and maintaining such data, and their infrastructures are built to scale dynamically.

Challenges to Cloud Computing

• Data Security Threats: These are threats that directly or indirectly affect the integrity, confidentiality and availability of data.
  • Data Remanence Threat: The residual physical representation of data that has been deleted.
  • Data Breach: A consequence of the multitenancy feature of the cloud. It could be due to infrastructure flaws or the deliberate actions of a user or attacker.
  • Data Loss: The intentional or unintentional deletion or corruption of data caused by a malicious user or employee. It could also be caused by malware attacks.
• Network Threats: Attacks on vulnerabilities in the cloud service provider's (CSP's) network to commit further malicious acts, such as:
  • Account or Service Hijacking: Through phishing or fraud, this is an intentional attempt to steal user credentials or login details in order to gain access to a user account and take control of the user's computing services and privileges.
  • Denial of Service (DoS): A form of attack that focuses on availability. DoS attacks are carried out to prevent legitimate users from accessing the cloud network, storage, data and other services.
• Cloud Environment-Specific Threats: Attacks and threats that arise primarily from the CSP environment. These are arguably the most dangerous of all the threats, and they are on the rise. They are as follows:
  • Insecure Infrastructures and APIs: An Application Programming Interface (API) is a set of protocols and standards that define the communication between software applications over the internet. APIs are a means of communication between cloud services and with other local services. Inadequate security in these areas makes cloud infrastructure vulnerable to attacks.
  • Malicious Insider: A malicious insider is someone employed by the CSP who has privileged access to cloud resources such as the network, applications and storage, and who misuses that privilege to commit questionable or illegal acts. An attack by a malicious insider could be intentional or unintentional.
  • Insufficient Due Diligence: This is mostly associated with the customers or individual users of the cloud system. Due diligence on the part of clients means having a detailed and proper understanding of the CSP environment. Insufficient due diligence is a form of negligence on the part of the customer.
  • Abuse of Cloud Services: This sort of attack is perpetrated by users: customers with authorised access who violate the terms of their agreement and contract to commit unethical and illegal activities and attacks on cloud resources. Such attacks include brute-force attacks to break passwords and the launching of trojans.

Defensive Measures Against Threats

• Data Remanence Threat: Encrypting the data before storage is a common technique. Overwriting is another: by targeting the particular part of the media and overwriting the space with new data, that section can be protected from recovery. Media destruction is a third and arguably the most certain and effective way to counter data remanence.
• Data Breach Protection: One of the many proposed techniques for this threat is to encrypt data before it is stored in the cloud and sent over the network, using a robust encryption algorithm and key management. Another technique is to implement proper isolation among VMs to prevent information leakage. Additionally, it is recommended that encryption keys not be stored along with the encrypted data.
• Data Loss Prevention: Backing up data is the surest way to prevent data loss.
• Account or Service Hijacking Prevention: Intrusion Detection Systems (IDS) are used to monitor network traffic.
Identity and access management should also be implemented. This ensures that encrypted and more sophisticated passwords are used, making accounts more difficult to hijack. Multilevel authentication is also used. Privileged activities and logins should be audited regularly, and any irregularity should be followed up and not ignored.
• Denial of Service (DoS) Prevention: To avoid DoS attacks, it is important to identify and implement all the basic security requirements of the cloud network, applications, databases and other services. This means better security and scalability of the network. Use of IDS is also recommended. Another proposed technique is hop count filtering, which can be used to filter spoofed IP packets and helps in decreasing DoS attacks by 90 percent.
• Insecure Interface and API Protection: Designing APIs securely using the principles of computing and double-checking them before deployment is critical. Regular updates and changing of API keys should be practised.
• Malicious Insider Protection: Employees and contractors should be vetted to avoid hiring a potential threat, and legal contracts have to be drawn up to make any defaulter liable if found guilty. Limited access and privilege, and distribution of administrator power, are some other techniques. Machine learning and AI are also being used by many companies today to monitor the activities of employees. Encryption can also be implemented in storage and on public networks.
• Insufficient Due Diligence Protection: Customers and clients need to ensure that they are choosing the right and compatible cloud infrastructure and model that best suits their organization's requirements and systems. This allows them to understand the risks associated with shifting data to the cloud.
• Abuse of Cloud Services Protection: It is important for CSPs to put measures in place to restrict certain actions by certain users.
This is possible through the implementation of strict validation and registration procedures. Limiting activities and regular monitoring is another way of protecting against this threat. Machine learning can also be used to monitor customers' activities that are flagged as suspicious, just as in protection against the malicious insider threat.

Conclusion and Recommendations

• We've looked at the general overview of cloud computing, its basic features and a number of security issues that threaten cloud computing.
• Important techniques to curb these threats have been presented so that we can understand and implement them when opting for cloud computing.
• Further investigation is needed in order to unearth more security threats not mentioned in this work. At the same time, more techniques are needed to counter these threats.
• The threat of the malicious insider is the most dangerous and hardest to detect due to obvious reasons. This makes it an important research gap for future work.
• Finally, every user and provider of cloud services needs to get better educated on the basics of cloud computing security to ensure the integrity, confidentiality and availability of data.

Thank you.
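
The hop count filtering mentioned under Denial of Service (DoS) Prevention, as an added example that is not part of the original presentation: a receiver infers how many hops a packet travelled from its TTL and compares that with the hop count previously learned for the claimed source address. The set of initial TTL values, the tolerance of one hop, and all addresses and TTLs are constructed assumptions.

```python
from bisect import bisect_left

# Assumed set of common operating-system initial TTL values (assumption of this sketch).
INITIAL_TTLS = (32, 64, 128, 255)

def infer_hop_count(observed_ttl):
    """Hops travelled = smallest assumed initial TTL >= observed TTL, minus observed TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    return INITIAL_TTLS[bisect_left(INITIAL_TTLS, observed_ttl)] - observed_ttl

class HopCountFilter:
    def __init__(self, tolerance=1):
        self.table = {}             # source IP -> hop count learned from trusted traffic
        self.tolerance = tolerance  # absorbs small route changes

    def learn(self, src_ip, ttl):
        """Record the hop count from traffic known to be genuine."""
        self.table[src_ip] = infer_hop_count(ttl)

    def check(self, src_ip, ttl):
        """Return 'pass', 'spoofed' or 'unknown' for one incoming packet."""
        expected = self.table.get(src_ip)
        if expected is None:
            return "unknown"        # no baseline yet: leave to other controls
        if abs(infer_hop_count(ttl) - expected) <= self.tolerance:
            return "pass"
        return "spoofed"            # claimed source does not match its usual distance

def classify(hcf_filter, packets):
    return [hcf_filter.check(ip, ttl) for ip, ttl in packets]

# Constructed sample data (documentation address ranges, made-up TTLs).
hcf = HopCountFilter()
hcf.learn("198.51.100.7", 52)    # 64 - 52 = 12 hops
hcf.learn("203.0.113.20", 115)   # 128 - 115 = 13 hops
SAMPLE = [
    ("198.51.100.7", 51),    # 13 hops, within tolerance
    ("198.51.100.7", 121),   # 128 - 121 = 7 hops, far from the learned 12
    ("203.0.113.20", 116),   # 12 hops, within tolerance
    ("192.0.2.99", 60),      # source never seen before
]

if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE, classify(hcf, SAMPLE)):
        print(packet, verdict)
```

Packets reported as "unknown" have no baseline and need a separate policy, and the learned table has to be refreshed as routes change or legitimate clients will be flagged.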