A Security Analysis of Cloud Computing

In a cloud environment, all security depends on the security of the cloud provider


With its ability to provide users dynamically scalable, shared resources over the Internet and avoid large upfront fixed costs, cloud computing promises to change the future of computing. However, storing a lot of data creates a situation similar to storing a lot of money, attracting more frequent assaults by increasingly skilled and highly motivated attackers. As a result, security is one - if not the - top issue that users have when considering cloud computing.

Cloud Security Concerns
Storing critical data on a cloud computing provider's servers raises several questions. Can employees/administrators at the cloud provider be trusted to not look at your data or change it? Can other customers of the cloud provider hack into your data and get access to it? Can your competitors find out what you know: who your customers are, what customer orders you are bidding on, pricing and cost information, and other critical data from your business? This information in the wrong hands would be devastating for a business. And what about privacy issues and government regulations?

Although cloud computing is still young, there have already been several cloud security breaches that show the threat is real. One of the more notable security incidents occurred in March 2009 with Google Docs, when a system error exposed the content of private documents to everyone for a brief period of time. As a result of this security breakdown, a public interest group, the Electronic Privacy Information Center (EPIC), filed a detailed complaint with the Federal Trade Commission requesting an injunction against Google offering this cloud service until "safeguards are verifiably established", claiming that Google's inadequate security is a deceptive business practice.

Situations like this one and other possible security problems have prompted numerous articles (for example, The Twitterhack Is Cloud Computing's Wake-Up Call: Time for Security That Works) and white papers on cloud security. The Cloud Security Alliance, a non-profit organization made up of security and technology experts, published an in-depth 83-page white paper, Security Guidance for Critical Areas of Focus in Cloud Computing, in April 2009. In addition to articles and white papers, research firm Gartner lists data access privileges, regulatory compliance, data location and data segregation/encryption among the top seven security concerns in cloud computing. Also, cloud computing security is one of the top ten 2009 trends identified in a survey conducted by CloudComputing.

Fortunately, there are several tools already developed for computer, network and storage security in a traditional enterprise environment that can provide security solutions for cloud computing. To establish a basis for the use of these tools, it is essential to understand one key difference between cloud computing and conventional data centers. Figure 1 shows the rather simple yet significant difference between an enterprise's data center and cloud computing. In cloud computing, several users' data is co-located and processed on shared equipment. In spite of the differences, there are similarities to enterprise concerns: access through the internet, critical storage requirements and potential for software attacks. If existing enterprise solutions are implemented and adapted to the cloud, cloud computing providers can create the security that customers require.

The difference is that a conventional data center (see Figure 1a) is used by just one enterprise, whereas in the cloud computing model (see Figure 1b) a single cloud provider hosts applications and data used by several enterprises.

A More Detailed Look at Cloud Computing Security Risks
Start-up companies, small businesses, mid-size and even large enterprises are interested in cloud computing. As a result, all of these potential users should be extremely interested in cloud computing security. A good starting point for assessing the risks in cloud computing is identifying all of the existing risks that cloud users from individuals to the largest companies and even governments encounter. Specific threats to security include:

  1. Failures in Provider Security
    In a cloud environment, all security depends on the security of the cloud provider. They control the hardware and the hypervisors on which data is stored and applications are run. Cloud provider security must be top-of-the-line.
  2. Attacks by Other Customers
    The cloud environment is shared among customers. If the barriers between customers break down, one customer can access another customer's data or interfere with their applications.
  3. Availability and Reliability Issues
    Cloud data centers are generally as reliable as enterprise data centers or more so. However, outages do occur. Also, the cloud is only usable through the Internet, so Internet reliability and availability are essential.
  4. Legal and Regulatory Issues
    The virtual, international nature of cloud computing raises many legal and regulatory issues. First, export of data out of a jurisdiction may be restricted. If such export is permitted, which jurisdiction's rules apply in case of conflict? And who is liable for errors such as security breaches? These issues must be addressed for any sensitive applications of cloud computing.
  5. Perimeter Security Model Broken
    Many organizations use a perimeter security model with strong security at the perimeter of the enterprise network. This model has been weakening over the years with outsourcing and a highly mobile workforce. Cloud computing strikes its death knell. The cloud is certainly outside the perimeter of enterprise control but it will now store critical data and applications.
  6. Integrating Provider and Customer Security Systems
    Enterprises have spent decades developing a unified directory and other components of their security architecture: automated provisioning, incident detection and response, etc. Cloud providers must integrate with these systems or the bad old days of manual provisioning and uncoordinated response will return.

While there are proprietary solutions to these security problems, open solutions are easier to integrate with cloud providers and existing systems. Therefore, we must gain a better understanding of the security available through open technologies.

Countermeasures to Mitigate Risks
Addressing the six broad security threats identified previously entails a variety of countermeasures.

Threat 1 (Failures in Provider Security) encompasses most of the threats encountered in a typical enterprise. People are the greatest threat and the greatest countermeasure in security, so screening, training, and monitoring of provider personnel is the most fundamental step to be taken. Physical and network security for cloud data centers are also essential.

However, cloud data centers introduce a new element that enterprise data centers have not traditionally faced: Attacks by Other Customers, threat 2 in the list above. In a cloud environment, customers are co-located in a single data center or even on a single server. These customers may be competitors. Some of them may even be hackers! Cloud providers are responsible for ensuring that one customer can't break into another customer's data and applications. The most common techniques used are virtualization (preferably via a hypervisor) and network separation (via firewalls, VLANs, and/or encryption).

The best way to ensure the reliability and availability of cloud services (addressing threat 3) is to work closely with your cloud provider and network service providers to verify and monitor their uptime. Today, uptime for most cloud providers is good but not perfect. Every major cloud provider has suffered significant downtime: Salesforce, Amazon, Google, etc. Many cloud providers don't provide Service Level Agreements (SLAs) guaranteeing uptime and the SLAs that are available provide meager recompense in case of outages. Don't forget to consider network uptime when determining cloud availability. If the network is down, who cares if the cloud is up?

Addressing legal and regulatory concerns (threat 4) generally requires calling in the lawyers and compliance experts. However, that doesn't mean that technical measures won't help. Many data breach laws include safe harbor provisions stating that loss of encrypted data does not need to be reported. Whether or not this applies in your jurisdiction, using a Self Encrypting Drive (SED) is generally a no-brainer. With an SED, there's no need to worry about a hard drive or backup media being lost or stolen. Software encryption provides similar protection but with higher complexity, lower performance, and less security.

With security threat 5, the solution is as simple as eliminating the perimeter model and relying on alternate approaches. This apparently simple solution is not as easy as it sounds. It requires rethinking long-held architectural assumptions. But it also yields side benefits. By abandoning the assumption that all threats are external, we can achieve stronger protection against internal threats and greater flexibility to position trusted assets outside the traditional perimeter.

Cloud computing may seem different but in many ways it's just a simple extension of enterprise computing as we have known it for decades. As such, it should integrate with existing enterprise security systems. There's no need to reinvent the wheel. That's the essence of threat 6 and the basis for addressing it. Don't let cloud providers convince you that "it's different this time". Demand that they integrate with your existing systems such as your enterprise directory and your monitoring systems. Some cloud providers can do this and some cannot at this time. When comparing cloud vendors, be sure to factor in the cost of maintaining a new directory and monitoring system per cloud provider. If you don't consider this now, you'll soon find yourself with a mishmash of incompatible systems. Deprovisioning a user will take days or weeks. What a nightmare and security hole! Don't let it happen.

Different Security for Different Users
The attractiveness of cloud computing for a broad range of users may require differing approaches for use and security. At the one extreme, low-end users, such as start-ups, can use clouds for just about everything. The cloud provider's security and reliability generally exceeds that of a small enterprise. At the other extreme, high-end users such as large enterprises are more likely to employ a hybrid model. For legal and risk management reasons, they will keep especially sensitive data and applications in-house and may use an internal cloud. In between, mid-size enterprises can use clouds for many purposes including compute cycles for R&D projects, online collaboration, partner integration, social networking, new business tools and more.

Trust, but Verify
Cloud computing providers that can prove the trustworthiness of their resources will differentiate themselves from their competitors. To do this, they must have a way for customers to independently verify the security of the cloud service. Customers need to do more than just take the cloud provider's word for security.

To trust the security of a cloud provider, customers should be able to:

  • Verify the integrity of the machines at the cloud provider
  • Verify the identity of those machines as well as users, administrators and cloud customers
  • Verify what kind of network security measures are being used

The cloud provider that implements these types of security measures offers small and medium size enterprises improved security over what they probably have or would set up within their own organization. For many large enterprises, these steps are similar to ones that have already been or should be implemented.
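One way a customer could act on the first of those items, verifying the integrity of the provider's machines, is to replay a host's boot measurement log against a golden baseline recorded from a known-good image. This is an added example, not code from the article; the TPM-style register extend, the component names and every digest are constructed assumptions.

```python
"""Check a provider host's boot measurements against a golden baseline."""
import hashlib
from typing import Dict, List, Tuple

Measurement = Tuple[str, str]  # (component name, hex SHA-256 digest)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Golden digests a customer would record from a known-good image. The
# component names and values are constructed sample data, not real firmware.
GOLDEN_LOG: List[Measurement] = [
    ("firmware", sha256_hex(b"firmware-build-1.2")),
    ("bootloader", sha256_hex(b"bootloader-build-7")),
    ("hypervisor", sha256_hex(b"hypervisor-build-3.4")),
    ("mgmt-agent", sha256_hex(b"mgmt-agent-build-0.9")),
]


def replay_register(log: List[Measurement]) -> str:
    """Fold an ordered measurement log into one register the way a TPM PCR
    is extended: new = SHA-256(old || digest). Order therefore matters."""
    reg = b"\x00" * 32
    for _, digest_hex in log:
        reg = hashlib.sha256(reg + bytes.fromhex(digest_hex)).digest()
    return reg.hex()


def verify_host(reported_log: List[Measurement], reported_register: str,
                golden: List[Measurement] = GOLDEN_LOG) -> Tuple[bool, List[str]]:
    """Return (ok, findings).
    Step 1: the log must reproduce the register value the host reported
            (in a real deployment that value would be signed by the host's TPM).
    Step 2: the register must equal the one replayed from the golden log.
    Step 3: if it does not, explain which entries differ."""
    findings: List[str] = []
    if replay_register(reported_log) != reported_register:
        return False, ["measurement log does not reproduce the reported register"]
    if reported_register == replay_register(golden):
        return True, findings
    golden_names = [n for n, _ in golden]
    reported_names = [n for n, _ in reported_log]
    if reported_names != golden_names:
        findings.append(f"component sequence differs: {reported_names} vs {golden_names}")
    golden_map = dict(golden)
    for name, digest_hex in reported_log:
        if name in golden_map and golden_map[name] != digest_hex:
            findings.append(f"{name}: digest differs from golden value")
    return False, findings


# Constructed sample reports. The tampered host runs a modified hypervisor.
GOOD_HOST_LOG: List[Measurement] = list(GOLDEN_LOG)
TAMPERED_HOST_LOG: List[Measurement] = [
    ("firmware", sha256_hex(b"firmware-build-1.2")),
    ("bootloader", sha256_hex(b"bootloader-build-7")),
    ("hypervisor", sha256_hex(b"hypervisor-build-3.4-modified")),
    ("mgmt-agent", sha256_hex(b"mgmt-agent-build-0.9")),
]


def check_sample_hosts() -> Dict[str, Tuple[bool, List[str]]]:
    return {
        "good": verify_host(GOOD_HOST_LOG, replay_register(GOOD_HOST_LOG)),
        "tampered": verify_host(TAMPERED_HOST_LOG, replay_register(TAMPERED_HOST_LOG)),
        # A host that reports a clean register but whose log does not match it.
        "forged": verify_host(TAMPERED_HOST_LOG, replay_register(GOLDEN_LOG)),
    }


if __name__ == "__main__":
    for host, (ok, notes) in check_sample_hosts().items():
        print(host, "OK" if ok else "FAIL", notes)
```

The register check is what makes the log trustworthy: a host can omit or reorder entries in a plain log, but it cannot do so and still reproduce a register value it did not control.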

Be Prepared
As computing takes a step forward to cloud computing, security should not move backward. Users certainly should not accept moving backwards in terms of security. Going forward, computing technology and security must both advance together. Educate yourself about cloud security and you will be well prepared for the new world of the cloud.

Steve Hanna is co-chair of the Trusted Network Connect Work Group in the Trusted Computing Group and co-chair of the Network Endpoint Assessment Working Group in the Internet Engineering Task Force. An inventor or co-inventor of 30 issued U.S. patents, he holds an A.B. in Computer Science from Harvard University.
