A Security Analysis of Cloud Computing

In a cloud environment, all security depends on the security of the cloud provider

With its ability to provide users dynamically scalable, shared resources over the Internet and avoid large upfront fixed costs, cloud computing promises to change the future of computing. However, storing a lot of data creates a situation similar to storing a lot of money, attracting more frequent assaults by increasingly skilled and highly motivated attackers. As a result, security is one - if not the - top issue that users have when considering cloud computing.

Cloud Security Concerns
Storing critical data on a cloud computing provider's servers raises several questions. Can employees/administrators at the cloud provider be trusted to not look at your data or change it? Can other customers of the cloud provider hack into your data and get access to it? Can your competitors find out what you know: who your customers are, what customer orders you are bidding on, pricing and cost information, and other critical data from your business? This information in the wrong hands would be devastating for a business. And what about privacy issues and government regulations?

Although cloud computing is still young, there have already been several cloud security breaches that show the threat is real. One of the more notable security incidents occurred in March 2009 with Google Docs, when a software error caused some users' private documents to be shared with people who had not been granted access to them. As a result of this security breakdown, a public interest group, the Electronic Privacy Information Center (EPIC), filed a detailed complaint with the Federal Trade Commission requesting an injunction against Google offering this cloud service until "safeguards are verifiably established," claiming that Google's inadequate security is a deceptive business practice.

Situations like this one and other possible security problems have prompted numerous articles (for example The Twitterhack Is Cloud Computing's Wake-Up Call: Time for Security That Works) and white papers on cloud security. The Cloud Security Alliance, a non-profit organization comprised of security and technology experts, published an in-depth 83-page white paper Security Guidance for Critical Areas of Focus in Cloud Computing in April 2009. In addition to articles and white papers, research firm Gartner reports data access privileges, regulatory compliance, data location and data segregation/encryption among the top seven security concerns in cloud computing. Also, cloud computing security is one of the top ten 2009 trends identified in a survey conducted by CloudComputing.

Fortunately, there are several tools already developed for computer, network and storage security in a traditional enterprise environment that can provide security solutions for cloud computing. To establish a basis for the use of these tools, it is essential to understand one key difference between cloud computing and conventional data centers. Figure 1 shows the rather simple yet significant difference between an enterprise's data center and cloud computing. In cloud computing, several users' data is co-located and processed on shared equipment. In spite of the differences, there are similarities to enterprise concerns: access through the internet, critical storage requirements and potential for software attacks. If existing enterprise solutions are implemented and adapted to the cloud, cloud computing providers can create the security that customers require.

The difference is that a conventional data center (see Figure 1a) is used by just one enterprise, whereas in the cloud computing model (see Figure 1b) a single cloud provider hosts applications and data used by several enterprises.

A More Detailed Look at Cloud Computing Security Risks
Start-up companies, small businesses, mid-size and even large enterprises are interested in cloud computing. As a result, all of these potential users should be extremely interested in cloud computing security. A good starting point for assessing the risks in cloud computing is identifying all of the existing risks that cloud users from individuals to the largest companies and even governments encounter. Specific threats to security include:

  1. Failures in Provider Security
    In a cloud environment, all security depends on the security of the cloud provider. The provider controls the hardware and the hypervisors on which data is stored and applications are run. Cloud provider security must be top-of-the-line.
  2. Attacks by Other Customers
    The cloud environment is shared among customers. If the barriers between customers break down, one customer can access another customer's data or interfere with their applications.
  3. Availability and Reliability Issues
    Cloud data centers are generally as reliable as enterprise data centers or more so. However, outages do occur. Also, the cloud is only usable through the Internet, so Internet reliability and availability are essential.
  4. Legal and Regulatory Issues
    The virtual, international nature of cloud computing raises many legal and regulatory issues. First, export of data out of a jurisdiction may be restricted. If such export is permitted, which jurisdiction's rules apply in case of conflict? And who is liable for errors such as security breaches? These issues must be addressed for any sensitive applications of cloud computing.
  5. Perimeter Security Model Broken
    Many organizations use a perimeter security model with strong security at the perimeter of the enterprise network. This model has been weakening over the years with outsourcing and a highly mobile workforce. Cloud computing strikes its death knell. The cloud is certainly outside the perimeter of enterprise control but it will now store critical data and applications.
  6. Integrating Provider and Customer Security Systems
    Enterprises have spent decades developing a unified directory and other components of their security architecture: automated provisioning, incident detection and response, etc. Cloud providers must integrate with these systems or the bad old days of manual provisioning and uncoordinated response will return.

While there are proprietary solutions to these security problems, open solutions are easier to integrate with cloud providers and existing systems. Therefore, we must gain a better understanding of the security available through open technologies.

Countermeasures to Mitigate Risks
Addressing the six broad security threats identified previously entails a variety of countermeasures.

Threat 1 (Failures in Provider Security) encompasses most of the threats encountered in a typical enterprise. People are the greatest threat and countermeasure in security so screening, training, and monitoring of provider personnel is the most fundamental step to be taken. Physical and network security for cloud data centers are also essential.

However, cloud data centers introduce a new element that enterprise data centers have not traditionally faced: Attacks by Other Customers, threat 2 in the list above. In a cloud environment, customers are co-located in a single data center or even on a single server. These customers may be competitors. Some of them may even be hackers! Cloud providers are responsible for ensuring that one customer can't break into another customer's data and applications. The most common techniques used are virtualization (preferably via a hypervisor) and network separation (via firewalls, VLANs, and/or encryption). Each of these is only as strong as its configuration, so ask the provider how it tests that one tenant cannot reach another rather than inferring it from the architecture diagram.
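The network-separation part of that claim is something a customer or an auditor can actually check. The following is an added example, not code from the article: it models a shared network in which each tenant owns some VLANs and a first-match firewall policy governs traffic between them, then enumerates every pair of VLANs belonging to different tenants and reports any pair the policy would allow. The tenant names, VLAN numbers and rules are constructed for the illustration; a real check would feed the same logic from the provider's exported policy.

```python
"""Cross-tenant reachability check for a shared, multi-tenant network.

Constructed example (not from the article): tenants are assigned VLAN
IDs and a first-match firewall policy governs traffic between VLANs.
The check enumerates every ordered pair of VLANs owned by different
tenants and reports each pair the policy would allow, which is exactly
the "attacks by other customers" path the text describes.
"""
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, FrozenSet, List, Set, Tuple, Union

ANY = "any"
VlanSpec = Union[int, str]   # a VLAN ID or the ANY wildcard


@dataclass(frozen=True)
class Rule:
    src_vlan: VlanSpec
    dst_vlan: VlanSpec
    action: str              # "allow" or "deny"


def _matches(spec: VlanSpec, vlan: int) -> bool:
    return spec == ANY or spec == vlan


def evaluate(rules: List[Rule], src: int, dst: int, default: str = "deny") -> str:
    """First-match semantics: the first rule matching (src, dst) decides."""
    for rule in rules:
        if _matches(rule.src_vlan, src) and _matches(rule.dst_vlan, dst):
            return rule.action
    return default


def cross_tenant_flows(tenant_vlans: Dict[str, Set[int]], rules: List[Rule],
                       shared_vlans: FrozenSet[int] = frozenset()
                       ) -> List[Tuple[int, int, str, str]]:
    """Return (src_vlan, dst_vlan, src_tenant, dst_tenant) for every flow
    the policy allows between VLANs of different tenants. VLANs listed in
    shared_vlans (e.g., a provider-run DNS segment) are legitimately
    reachable by everyone and are skipped."""
    owner = {v: t for t, vlans in tenant_vlans.items() for v in vlans}
    leaks = []
    for src, dst in permutations(sorted(owner), 2):
        if src in shared_vlans or dst in shared_vlans:
            continue
        if owner[src] != owner[dst] and evaluate(rules, src, dst) == "allow":
            leaks.append((src, dst, owner[src], owner[dst]))
    return leaks


# Constructed layout: two customers plus a provider-run shared DNS segment.
TENANT_VLANS = {"acme": {101, 102}, "globex": {201}, "provider": {900}}
SHARED = frozenset({900})

# Weak policy: the third rule was meant to let acme's app tier (102) reach
# its own web tier (101), but "any" as destination also reaches globex's
# VLAN 201 and shadows the explicit deny that follows it.
WEAK_POLICY = [
    Rule(ANY, 900, "allow"),
    Rule(101, 102, "allow"),
    Rule(102, ANY, "allow"),
    Rule(102, 201, "deny"),
    Rule(ANY, ANY, "deny"),
]

# Corrected policy: same intent, destination named explicitly.
FIXED_POLICY = [
    Rule(ANY, 900, "allow"),
    Rule(101, 102, "allow"),
    Rule(102, 101, "allow"),
    Rule(ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, cross_tenant_flows(TENANT_VLANS, policy, SHARED))
```

Run as a script, the weak policy reports the single leak from VLAN 102 (acme) to VLAN 201 (globex) and the corrected policy reports none. The point of enumerating pairs rather than reading rules is that first-match policies hide their mistakes in rule order: the explicit deny in the weak policy looks correct in isolation and is never reached.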

The best way to ensure the reliability and availability of cloud services (addressing threat 3) is to work closely with your cloud provider and network service providers to verify and monitor their uptime. Today, uptime for most cloud providers is good but not perfect. Every major cloud provider has suffered significant downtime: Salesforce, Amazon, Google, etc. Many cloud providers don't provide Service Level Agreements (SLAs) guaranteeing uptime and the SLAs that are available provide meager recompense in case of outages. Don't forget to consider network uptime when determining cloud availability. If the network is down, who cares if the cloud is up?

Addressing legal and regulatory concerns (threat 4) generally requires calling in the lawyers and compliance experts. However, that doesn't mean that technical measures won't help. Many data breach laws include safe harbor provisions saying that loss of encrypted data does not need to be reported. Whether or not this applies in your jurisdiction, using a Self Encrypting Drive (SED) is generally a no-brainer. With an SED, there's no need to worry about a hard drive or backup media being lost or stolen. Keep the limits of that protection in mind, though: an SED decrypts transparently for the running system, so it does nothing against an attacker, or an administrator, who reaches the data through the live server or the application. That threat is addressed by the access controls and tenant separation discussed above, not by the drive. Software encryption provides similar protection against media loss but with higher complexity and lower performance, and its security depends on keeping the keys off the media they protect.

With security threat 5, the solution is as simple as eliminating the perimeter model and relying on alternate approaches. This apparently simple solution is not as easy as it sounds. It requires rethinking long-held architectural assumptions. But it also yields side benefits. By abandoning the assumption that all threats are external, we can achieve stronger protection against internal threats and greater flexibility to position trusted assets outside the traditional perimeter.

Cloud computing may seem different but in many ways it's just a simple extension of enterprise computing as we have known it for decades. As such, it should integrate with existing enterprise security systems. There's no need to reinvent the wheel. That's the essence of threat 6 and the basis for addressing it. Don't let cloud providers convince you that "it's different this time". Demand that they integrate with your existing systems such as your enterprise directory and your monitoring systems. Some cloud providers can do this and some cannot at this time. When comparing cloud vendors, be sure to factor in the cost of maintaining a new directory and monitoring system per cloud provider. If you don't consider this now, you'll soon find yourself with a mishmash of incompatible systems. Deprovisioning a user will take days or weeks. What a nightmare and security hole! Don't let it happen.
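The deprovisioning gap described above is easy to detect once both sides export their account lists. The following is an added example, not code from the article or from any provider: it treats the enterprise directory as the source of truth and reports every cloud account that is still active although its owner is disabled in, or absent from, the directory, listing privileged accounts first. The user names, provider names and roles are constructed sample data; in practice the two lists come from the directory and from each provider's account API or export.

```python
"""Reconcile cloud-provider accounts against the enterprise directory.

Constructed example (not from the article). The enterprise directory is
the source of truth for who is employed and enabled. Each cloud provider
keeps its own account list. An account that is still active at a
provider but disabled in, or missing from, the directory is an orphan:
the user was deprovisioned centrally, but the change never reached that
provider. Privileged orphans are reported first because they are the
ones that matter most.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class DirectoryUser:
    user_id: str
    enabled: bool


@dataclass(frozen=True)
class CloudAccount:
    provider: str
    user_id: str        # mapped to the directory identifier at onboarding
    active: bool
    privileged: bool    # admin / owner role at the provider


@dataclass(frozen=True)
class Orphan:
    provider: str
    user_id: str
    reason: str
    privileged: bool


def find_orphans(directory: Iterable[DirectoryUser],
                 accounts: Iterable[CloudAccount]) -> List[Orphan]:
    """Return active cloud accounts with no enabled directory user behind
    them, privileged accounts first, then by provider and user."""
    by_id = {u.user_id: u for u in directory}
    orphans = []
    for acct in accounts:
        if not acct.active:
            continue                      # already disabled at the provider
        user = by_id.get(acct.user_id)
        if user is None:
            orphans.append(Orphan(acct.provider, acct.user_id,
                                  "not in directory", acct.privileged))
        elif not user.enabled:
            orphans.append(Orphan(acct.provider, acct.user_id,
                                  "disabled in directory", acct.privileged))
    return sorted(orphans, key=lambda o: (not o.privileged, o.provider, o.user_id))


# Constructed sample data: bob has left and was disabled in the directory,
# but is still an administrator at the SaaS CRM; dave was created directly
# at the IaaS provider and was never in the directory at all.
DIRECTORY = [
    DirectoryUser("alice", True),
    DirectoryUser("bob", False),
    DirectoryUser("carol", True),
]
ACCOUNTS = [
    CloudAccount("saas-crm", "alice", True, False),
    CloudAccount("saas-crm", "bob", True, True),
    CloudAccount("iaas", "dave", True, False),
    CloudAccount("iaas", "carol", False, False),
]

if __name__ == "__main__":
    for o in find_orphans(DIRECTORY, ACCOUNTS):
        flag = "PRIVILEGED " if o.privileged else ""
        print(f"{flag}{o.provider}/{o.user_id}: {o.reason}")
```

The two findings in the sample are the two failure modes the text warns about: a central deprovisioning that never propagated (bob), and an account that bypassed the directory entirely (dave). Running this reconciliation on a schedule turns "deprovisioning takes days or weeks" into a measurable gap, and it is also a quick way to score providers on whether they can be driven from your directory at all.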

Different Security for Different Users
The attractiveness of cloud computing for a broad range of users may require differing approaches for use and security. At the one extreme, low-end users, such as start-ups, can use clouds for just about everything. The cloud provider's security and reliability generally exceeds that of a small enterprise. At the other extreme, high-end users such as large enterprises are more likely to employ a hybrid model. For legal and risk management reasons, they will keep especially sensitive data and applications in-house and may use an internal cloud. In between, mid-size enterprises can use clouds for many purposes including compute cycles for R&D projects, online collaboration, partner integration, social networking, new business tools and more.

Trust, but Verify
Cloud computing providers that can prove the trustworthiness of their resources will differentiate themselves from their competitors. To do this, they must have a way for customers to independently verify the security of the cloud service. Customers need to do more than just take the cloud provider's word for security.

To trust the security of a cloud provider, customers should be able to:

  • Verify the integrity of the machines at the cloud provider
  • Verify the identity of those machines as well as users, administrators and cloud customers
  • Verify what kind of network security measures are being used

The cloud provider that implements these types of security measures offers small and medium size enterprises improved security over what they probably have or would set up within their own organization. For many large enterprises, these steps are similar to ones that have already been or should be implemented.
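The first item in that list, verifying the integrity of the provider's machines, is what a measured-boot attestation gives you. The following is an added example, not code from the article or from any TCG or IETF specification, that shows the verifier's side of that check in simplified form. It borrows one idea from trusted computing: a register that cannot be written directly, only extended by hashing the old value together with a new measurement, so its final value commits to the whole ordered sequence of components that booted. The component names and contents are constructed, and the register is simulated in software rather than read from a TPM.

```python
"""Verify a reported boot-measurement log the way a remote verifier would.

Constructed example (not from the article). The measured machine hashes
each boot component and "extends" an accumulator register:

    register = SHA-256(register || SHA-256(component))

The register is never set directly, only extended, so its final value
commits to the whole ordered sequence. The verifier replays the event
log, checks that the replay reproduces the value the machine reports,
and checks every component hash against a list of known-good values.
A real deployment reads the register from a TPM and relies on the TPM
to sign it; that part is simulated here.
"""
import hashlib
from typing import Dict, List, Tuple

DIGEST_LEN = 32
INITIAL_REGISTER = b"\x00" * DIGEST_LEN


def extend(register: bytes, component_hash: bytes) -> bytes:
    return hashlib.sha256(register + component_hash).digest()


def measure(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, bytes]]]:
    """Machine side: hash each component, extend the register, keep a log."""
    register = INITIAL_REGISTER
    log = []
    for name, blob in components:
        h = hashlib.sha256(blob).digest()
        register = extend(register, h)
        log.append((name, h))
    return register, log


def verify(reported_register: bytes, log: List[Tuple[str, bytes]],
           known_good: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Verifier side. Returns (ok, findings); ok is True only if the log
    reproduces the reported register and every entry is a known component
    with its expected hash."""
    findings = []
    replay = INITIAL_REGISTER
    for name, h in log:
        replay = extend(replay, h)
        expected = known_good.get(name)
        if expected is None:
            findings.append(f"unknown component {name}")
        elif h != expected:
            findings.append(f"unexpected hash for {name}")
    if replay != reported_register:
        findings.append("log does not reproduce reported register value")
    return (not findings, findings)


# Constructed components. In practice the blobs are the firmware,
# bootloader and hypervisor images and the known-good table comes from
# the provider's release process, not from the machine being checked.
GOOD_COMPONENTS = [
    ("firmware", b"fw-v1"),
    ("bootloader", b"bl-v3"),
    ("hypervisor", b"hv-2.1"),
]
TAMPERED_COMPONENTS = [
    ("firmware", b"fw-v1"),
    ("bootloader", b"bl-v3"),
    ("hypervisor", b"hv-2.1-backdoor"),
]
KNOWN_GOOD = {name: hashlib.sha256(blob).digest() for name, blob in GOOD_COMPONENTS}

if __name__ == "__main__":
    good_reg, good_log = measure(GOOD_COMPONENTS)
    bad_reg, bad_log = measure(TAMPERED_COMPONENTS)
    print("clean machine:      ", verify(good_reg, good_log, KNOWN_GOOD))
    print("tampered hypervisor:", verify(bad_reg, bad_log, KNOWN_GOOD))
    # A tampered machine that reports the clean log but its real register:
    print("lying about the log:", verify(bad_reg, good_log, KNOWN_GOOD))
```

The three cases at the bottom are the ones a verifier has to distinguish: a clean machine, a machine running a modified hypervisor whose log honestly records it, and a machine whose software presents a clean log while the register reflects what actually ran. The second is caught by the known-good table, the third by the replay; neither check alone is sufficient, which is why the register itself, not the log, has to come from hardware the software cannot rewrite.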

Be Prepared
As computing takes a step forward to cloud computing, security should not move backward. Users certainly should not accept moving backwards in terms of security. Going forward, computing technology and security must both advance together. Educate yourself about cloud security and you will be well prepared for the new world of the cloud.

More Stories By Steve Hanna

Steve Hanna is co-chair of the Trusted Network Connect Work Group in the Trusted Computing Group and co-chair of the Network Endpoint Assessment Working Group in the Internet Engineering Task Force. An inventor or co-inventor of 30 issued U.S. patents, he holds an A.B. in Computer Science from Harvard University.
