Cloud: Is our Information Secure?
Cloud computing has gained popularity in technology circles. It simply refers to a pool of virtualised, remotely accessed computing resources such as servers, storage, networks, databases, applications and analytics. How safe then, are we as we acce
The technology universally known as cloud offers considerable economic benefits to the IT industry, which would not normally be able to afford to buy or house such resources on its premises. Security in the cloud is a leading point of debate among IT security practitioners, as some believe that cloud computing is inherently insecure compared to the traditional computing environment.
This perception appears to be just a myth, as many cloud service providers continuously offer diverse cloud computing security services. Cloud security companies are now emerging, such as SecCloud, which provides companies with protection for their cloud services.
Despite all these efforts, organisations and individuals still face marked security threats as cyber criminals endeavour to exploit cloud services. The topmost threats to cloud computing are account hijacking, system vulnerabilities, hacked interfaces and application program interfaces (APIs), compromised credentials and broken authentication, data breaches, advanced persistent threats (APTs), malicious insiders, abuse of cloud services, denial of service (DoS) attacks and inadequate due diligence.
Hackers in the cloud also hijack accounts and masquerade as genuine owners through the use of traditional tricks, among them phishing. Clicking on unknown emails or attachments gives attackers a chance to tamper with users' credentials and exploit cloud-based accounts.
To counter this threat, users should institute two-factor authentication, coupled with strong passwords. A strong password is one with a combination of letters, figures and special characters.
Use of a personal mobile number together with a strong password for authentication (especially from an infrequently accessed location) renders it practically infeasible for attackers to hack users' accounts. Passwords should also be frequently cycled; use of one password for more than three months or years is strongly discouraged.
System vulnerabilities are exploitable bugs that exist in cloud technology programs. Hackers exploit these bugs to penetrate organisations' cloud computing services.
Bugs in the cloud are also prevalent due to shared memory, databases, and other services in the cloud. It is important for corporates and individuals using the cloud to ensure that their service providers frequently conduct vulnerability scanning and keep abreast of the latest software upgrades. Hackers may also exploit insecure user interfaces and APIs to compromise data in the cloud.
User interfaces and APIs allow users to interact with cloud services, so their security is critical. Whilst building secure interfaces and APIs is the vendor's responsibility, corporates should also conduct penetration testing to check the robustness of their systems against attacks.
In most cases, information attacks in the cloud are due to lax authentication and poor credential management. Identity management is a major challenge to companies, especially when it comes to handling dismissed or transferred employees. System administrators usually overlook an employee's job function upon dismissal or transfer and forget to allocate rights suitable to the new job or status. Dismissed employees may compromise systems if administrators fail to revoke their credentials. System administrators should ensure that former employees sign non-disclosure certificates upon dismissal or change of job function.
Advanced persistent threats are parasitic forms of threat which covertly infiltrate systems and exfiltrate confidential data over a long period of time.
These threats come in different forms and are difficult to detect. Common entry points for APTs include USB sticks preloaded with malware, and compromised shared cloud services.
When attackers intrude into networks or servers in the cloud through APTs, the intrusion just appears as normal traffic, thereby giving attackers free rein to compromise information.
The best defences against APTs include the use of advanced security controls, user awareness and training. System administrators should also have incident response plans in place to deal with APTs.
Data lock-in and vendor lock-in are disturbing threats in which service providers tie users to their services, resulting in a denial of service (DoS) if users do not cooperate or adhere to their terms.
This is a practice where the client is not given flexibility in the mobility of platforms, so as to move freely from one provider to another.
Data lock-in also results when a service provider goes down or becomes defunct. Data becomes inaccessible and inevitably the clients suffer. DoS attacks also occur when cybercriminals maliciously clog servers and services with more requests than they can handle, overwhelming them so that they become inaccessible and fail to handle genuine requests. This can be overcome by continuous system surveillance for malicious code and repeated requests.
On the whole, cloud computing boasts state-of-the-art technology and security mechanisms; however, users are encouraged to exercise adequate due diligence when using cloud services. Logging off sessions is one way of protecting oneself from exploitation.
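The account advice given earlier in this article (two-factor authentication, passwords cycled within three months, credentials revoked on dismissal and rights adjusted on transfer) can be run as a routine audit. The following is an added example, not part of the original article; the HR roster, the cloud account export, and all field and user names are constructed for illustration.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # the article's "three months" cycling limit

# Constructed sample data: an HR roster and a cloud account export.
HR_ROSTER = {
    "tmoyo": {"status": "active", "role": "finance"},
    "rdube": {"status": "dismissed", "role": "engineering"},
    "ksibanda": {"status": "active", "role": "support"},  # transferred from engineering
}
CLOUD_ACCOUNTS = [
    {"user": "tmoyo", "enabled": True, "mfa": True,
     "password_set": date(2024, 1, 10), "groups": {"finance"}},
    {"user": "rdube", "enabled": True, "mfa": True,
     "password_set": date(2024, 5, 1), "groups": {"engineering"}},
    {"user": "ksibanda", "enabled": True, "mfa": False,
     "password_set": date(2024, 5, 20), "groups": {"engineering", "support"}},
    {"user": "svc-backup", "enabled": True, "mfa": False,
     "password_set": date(2023, 6, 1), "groups": {"backup"}},
]

def audit_accounts(accounts, roster, today):
    """Return (user, finding) pairs for every enabled account that breaks a rule."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already revoked, nothing left to exploit
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # Nobody is accountable for this login, so it needs an owner first.
            findings.append((user, "no HR record: unowned account"))
            continue
        if person["status"] != "active":
            findings.append((user, "credentials not revoked after dismissal"))
            continue
        # Rights left over from a previous job function after a transfer.
        extra = acct["groups"] - {person["role"]}
        if extra:
            findings.append((user, "rights beyond current role: " + ", ".join(sorted(extra))))
        if not acct["mfa"]:
            findings.append((user, "two-factor authentication not enabled"))
        age = (today - acct["password_set"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, f"password {age} days old"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_accounts(CLOUD_ACCOUNTS, HR_ROSTER, date(2024, 6, 1)):
        print(f"{user}: {finding}")
```
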
Africom connect to success and stay secure!