
Risk and Challenges in Cloud Computing

Despite all the development and potential of cloud computing services, there
are multiple challenges of cloud computing services that businesses face.
Motivation
• In a survey report in March 2022, 80% of organizations store sensitive
data in the cloud, 53% of respondents faced a cyber attack on their
cloud infrastructure within 12 months, and 49% of cyber professionals
believe that cyberattack leads to unplanned expenses to fix.
1. Information Security
It is concerned with protecting the confidentiality, integrity and
availability of data regardless of the form the data may take.
2. Data Integrity
Data integrity is assurance that data changes only in response to
authorized transactions.
3. Incompatibility Issue
Storage services provided by one cloud vendor may be incompatible
with another vendor’s services should you decide to move from one to
the other. Vendors are known for creating what the hosting world calls
“sticky services” – services that an end user may have difficulty
transporting from one cloud vendor to another.
CIA Traits in Security
Types of attack
• Interruption
• Interception
• Fabrication
• Modification
Interruption
• In an interruption attack, a network service is made degraded or
unavailable for legitimate use. They are the attacks against the
availability of the network.
• Examples of Interruption attacks:
• Overloading a server host so that it cannot respond.
• Cutting a communication line.
• Blocking access to a service by overloading an intermediate network or
network device.
• Redirecting requests to invalid destinations.
• Theft or destruction of software or hardware involved.
Interception
• An interception is where an unauthorized individual gains access to
confidential or private information. Interception attacks are attacks
against the confidentiality objective of the CIA Triad.
• Examples of Interception attacks:
• Eavesdropping on communication.
• Wiretapping telecommunications networks.
• Illicit copying of files or programs.
• Obtaining copies of messages for later replay.
• Packet sniffing and key logging to capture data from a computer system
or network.
Modification
• Modification is an attack against the integrity of the information.
Basically there are three types of modifications.
• Change: Change existing information. The information already existed
but is now incorrect. Change attacks can be targeted at sensitive
information or public information.
• Insertion: When an insertion attack is made, information that did not
previously exist is added. This attack may be mounted against
historical information or information that is yet to be acted upon.
• Deletion: Removal of existing information.
• Examples of Modification attacks include:
• Modifying the contents of messages in the network.
• Changing information stored in data files.
• Altering programs so they perform differently.
• Reconfiguring system hardware or network topologies.
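The three modification types above (change, insertion, deletion) are exactly what an integrity check is meant to catch. The following is an added example, not part of the original slides: a keyed hash (HMAC-SHA256, from the Python standard library) is computed over a constructed set of ledger records, and each kind of tampering is then shown to invalidate the tag. The key and records are constructed for illustration; a real system would keep the key in a key store and include the tag with the stored data.

```python
import hashlib
import hmac

# Constructed shared secret for the demo; in practice this comes from a key
# store, never from source code.
KEY = b"example-shared-secret-do-not-reuse"


def _serialise(records):
    # Records are joined with a separator the records themselves must not
    # contain, so the serialisation is unambiguous.
    for r in records:
        if "\n" in r:
            raise ValueError("record may not contain a newline")
    return "\n".join(records).encode()


def protect(records):
    """Return (copy of records, tag): an HMAC-SHA256 over the canonical
    serialisation, so any later change, insertion or deletion is detectable."""
    tag = hmac.new(KEY, _serialise(records), hashlib.sha256).hexdigest()
    return list(records), tag


def verify(records, tag):
    """True only if the records are byte-for-byte what was protected."""
    expected = hmac.new(KEY, _serialise(records), hashlib.sha256).hexdigest()
    # constant-time comparison: no timing leak about how many bytes matched
    return hmac.compare_digest(expected, tag)


# Constructed sample data: three ledger entries.
ORIGINAL = [
    "2024-01-01 debit 100",
    "2024-01-02 credit 40",
    "2024-01-03 debit 15",
]


def demo():
    """Protect the ledger, then apply each modification type and verify."""
    records, tag = protect(ORIGINAL)
    results = {"untouched": verify(records, tag)}

    changed = list(records)
    changed[0] = "2024-01-01 debit 10"          # Change: alter an existing entry
    results["change"] = verify(changed, tag)

    inserted = list(records) + ["2024-01-04 credit 999"]   # Insertion
    results["insertion"] = verify(inserted, tag)

    deleted = records[:-1]                       # Deletion: drop the last entry
    results["deletion"] = verify(deleted, tag)
    return results


if __name__ == "__main__":
    print(demo())
```

The tag only proves integrity to someone who holds the key; a plain unkeyed hash stored next to the data would not help, because whoever can modify the data can recompute the hash as well.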
Fabrication
• A fabrication attack creates illegitimate information, processes,
communications or other data within a system.
• Examples of Fabrication attacks include:
• SQL Injection
• Route Injection
• User / Credential Counterfeiting
• Log / Audit Trail Falsification
• Email Spoofing
Other Risks and Challenges
1. Security
2. Passwords
3. Cost Management
4. Lack of Expertise
5. Internet Connectivity
6. Control or Governance
7. Compliance
8. Multiple Cloud Management
9. Interoperability and Flexibility
10. Resource Management
11. Reliability and Availability
Risks in Cloud Computing
5. Internet Connectivity
Cloud services are dependent on a high-speed internet connection, so
businesses that are relatively small and face connectivity issues should
ideally first invest in a good internet connection so that no downtime
happens, because internet downtime might incur vast business losses.

6. Control or Governance
Another ethical issue in cloud computing is maintaining proper control over
asset management and maintenance. There should be a dedicated team to
ensure that the assets used to implement cloud services are used according to
agreed policies and dedicated procedures. There should be proper maintenance,
and the assets should be used to meet your organization’s goals successfully.
7. Compliance
• Another major risk of cloud computing is maintaining compliance. By
compliance we mean a set of rules about what data is allowed to be
moved and what should be kept in-house to maintain compliance.
Organizations must follow and respect the compliance rules set by
various government bodies.
8. Multiple Cloud Management
Companies have started to invest in multiple public clouds, multiple
private clouds or a combination of both called the hybrid cloud. This
has grown rapidly in recent times. So it has become important to list
the challenges faced by such organizations and find solutions to grow
with the trend.
9. Migration
Migration is nothing but moving a new application or an existing application to
a cloud. In the case of a new application, the process is pretty straightforward.
But if it is an age-old company application, it becomes tedious.
10. Interoperability and Flexibility
When an organization uses a specific cloud service provider and wants to
switch to another cloud-based solution, it often turns out to be a tedious
procedure, since applications written for one cloud with its application stack
are required to be re-written for the other cloud. There is a lack of flexibility
in switching from one cloud to another due to the complexities involved.
Handling data movement, setting up the security and the network from scratch
also add to the issues encountered when changing cloud solutions, thereby
reducing flexibility.
11. Hybrid-Cloud Complexity
For any company, a hybrid cloud environment is often a messy mix of
multiple cloud application development and cloud service providers, as
well as private and public clouds, all operating at once. A common user
interface, consistent data, and analytical benefits for businesses are all
missing from these complex cloud ecosystems. Cloud computing
challenges such as scalability, integration, and disaster recovery are
magnified in a hybrid cloud environment.
Cloud Security
• Cloud security encompasses the technologies, controls, processes,
and policies which combine to protect your cloud-based systems, data,
and infrastructure. It is a sub-domain of computer security and more
broadly, information security.
• The Cloud Security Alliance (CSA) is a non-profit organization
dedicated to developing and raising awareness of best practices to
maintain a secure cloud computing environment.
Why Cloud Security is Required
• The mass adoption of cloud technology combined with an
ever-increasing volume and sophistication of cyber threats is what
drives the need for cloud security.
• Cyber Security Threats Continue to Increase
• Preventing Data Breaches and Data Loss
• Avoid Compliance Violations
• Maintaining Business Continuity
Cloud Security
• Authentication
• Authorization and Access control
• Confidentiality
• Data Integrity
• Availability
• Accountability
• Privacy
Authentication
• Authentication is the process involved in verifying one's identity,
genuineness, and credibility.
• The two main components of cloud identity and authentication are
Authentication as a Service (AaaS) and Identity as a Service (IDaaS).
• Cloud Identity is an IDaaS solution offered by Google. It allows user identity
management within the Google Cloud and across third-party services.
• Password based Authentication
• Biometric based Authentication
• Token/dongle based Authentication
• Multifactor Authentication
• Out of band Authentication
Password based Authentication
• Between user and cloud service provider.
• E.g., password, security secrets, digital signature, digital certificates
Disadvantages of Password based Authentication
• Easy to guess or find
• It can be stolen
• User may share password
• Password can be forgotten
Biometric Based Authentication

• It refers to the technique that uses unique physiological and
behavioral traits to authenticate a person's identity.
• Examples: fingerprints, facial recognition, iris scans, hand geometry,
retina scan etc.
Authorization
• Authorization is a process by which a server determines if the client
has permission to use a resource or access a file.
• Authorization is usually coupled with authentication so that the
server has some concept of who the client is that is requesting access.
• Authorization is generally preceded by authentication for customer
identity verification.
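The two slides above describe password-based authentication (and why stored passwords are easy to steal) and authorization that is coupled with, and preceded by, authentication. The following added example, which is not from the original slides, puts both together in Python using only the standard library: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes so a stolen store does not reveal them, `authenticate()` turns a username and password into a verified identity (or `None`), and `authorize()` then checks that identity's roles against a permission table. The user names, passwords, roles and permission table are constructed for the demo.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2; raise it as hardware gets faster.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password still get different stored digests."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    _, digest = hash_password(password, salt)
    # constant-time compare so a wrong guess can't be timed byte by byte
    return hmac.compare_digest(digest, stored_digest)


def build_user_store():
    """Constructed user store: only salt + digest + roles are kept, never the
    plaintext password."""
    store = {}
    for name, pw, roles in [
        ("alice", "correct horse battery staple", {"admin"}),
        ("bob", "hunter2", {"analyst"}),
    ]:
        salt, digest = hash_password(pw)
        store[name] = {"salt": salt, "digest": digest, "roles": roles}
    return store


# Constructed permission table: role -> set of (resource, action)
PERMISSIONS = {
    "admin": {("reports", "read"), ("reports", "write"), ("users", "write")},
    "analyst": {("reports", "read")},
}


def authenticate(store, username, password):
    """Authentication: map credentials to a verified identity, or None."""
    rec = store.get(username)
    if rec is None:
        # Run the KDF anyway so the response time does not reveal whether
        # the account exists.
        hash_password(password, b"\x00" * 16)
        return None
    if verify_password(password, rec["salt"], rec["digest"]):
        return username
    return None


def authorize(store, identity, resource, action):
    """Authorization: only an authenticated identity can be granted anything;
    the decision is based on the roles recorded for that identity."""
    if identity is None:
        return False
    roles = store.get(identity, {}).get("roles", set())
    return any((resource, action) in PERMISSIONS.get(r, set()) for r in roles)


if __name__ == "__main__":
    users = build_user_store()
    who = authenticate(users, "bob", "hunter2")
    print(who, authorize(users, who, "reports", "read"),
          authorize(users, who, "reports", "write"))
```

Note the order: `authorize()` is never called with a raw username, only with what `authenticate()` returned, which is the coupling the slide refers to.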
Cryptography
• Ensuring Secure Data Transfer: In a Cloud environment, the physical
location and reach of the resources that host the data are not under the
end user's control.
• Ensuring Secure Interface: the integrity of information during transfer,
storage and retrieval needs to be ensured over the unsecure internet.
• Separation of Data: privacy issues arise when personal data is accessed
by Cloud providers or when boundaries between personal and corporate
data do not have clearly defined policies.
• Secure Stored Data: there is a question mark over who controls
encryption and decryption, the end user or the Cloud Service provider.
• User Access Control: for web-based transactions (PCI DSS), web data
logs need to be provided to compliance auditors and security managers.
Security Algorithm Classification
• Private Key / Symmetric Algorithms: Use a single secret key, are used for
encrypting large amounts of data and have fast processing speed. These
algorithms use a single secret key that is known to both the sender and the
receiver. RC6, 3DES and Blowfish are some prime examples of these
algorithms.
• Public Key / Asymmetric Algorithms: Use a key pair for the cryptographic
process, with the public key for encryption and the private key for
decryption. These algorithms have a high computational cost and thus slow
speed compared to single-key symmetric algorithms. RSA and Diffie-Hellman
are some types of public key algorithms.
• Signature Algorithms: Used to sign and authenticate user data; single key
based. Examples include: RSA, DH
• Hash Algorithms: Compress data for signing to a standard fixed size.
Examples include: MD5, SHA
Symmetric Algorithm
Symmetric Key Cryptography
• Symmetric algorithms involve a single shared secret key to encrypt as
well as decrypt data. They are capable of processing large amounts of
data and, from a computing standpoint, are not very power intensive, so
they have lower overhead on the systems and high speed for performing
encryption and decryption.
• Symmetric algorithms encrypt plaintexts as stream ciphers, one bit at a
time, or as block ciphers on fixed-size 64-bit units.
Limitation of Symmetric Algo
Asymmetric Algorithm
• Asymmetric algorithms use a pair of related keys when transforming
plain text into cipher text: one key for encryption, called the Public
key, and a different but inter-related key for decryption, called the
Private key.
• The main asymmetric algorithms are ECC, Diffie-Hellman and RSA.
RSA Algorithm
• The RSA Algorithm, named after its inventors (Rivest, Shamir, and
Adleman), is best suited for data traveling to/from Web and Cloud
based environments.
• In working with Cloud Computing, the end user data is first encrypted
and then stored on the Cloud. When the data is required, the end
user simply needs to place a request to the Cloud Service provider for
accessing the data.
• For this the Cloud service provider first authenticates the user to be
the authentic owner and then delivers the data to the requester using
RSA Asymmetric Algorithm.
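The classification slide lists RSA as a public-key algorithm and pairs signature algorithms with hash algorithms ("compress data for signing to a fixed size"), and the slide above describes the end user's data being delivered using RSA. The following added example, written for this page and not taken from the slides, shows both uses with textbook RSA in plain Python: key generation from two primes, encryption with the public key and decryption with the private key, and hash-then-sign where SHA-256 compresses the message and the private key signs the digest. The primes (61 and 53) and the one-byte-per-block encryption are toy choices so the arithmetic is visible; deployed RSA uses roughly 2048-bit moduli and padding schemes such as OAEP/PSS, which this textbook form deliberately omits.

```python
import hashlib
from math import gcd


def make_keypair(p, q, e=17):
    """Textbook RSA key generation from two primes p, q and public exponent e.
    Returns ((e, n), (d, n)). Toy sizes only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, plaintext):
    """Encrypt bytes with the public key, one byte per block (every byte
    value is below the toy modulus). Returns a list of integer blocks."""
    e, n = public_key
    return [pow(b, e, n) for b in plaintext]


def decrypt(private_key, blocks):
    """Recover the bytes with the private key."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


def _digest_mod_n(message, n):
    # Hash step: SHA-256 compresses any message to a fixed size; reduced
    # modulo n here only because the toy modulus is smaller than a digest.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Hash-then-sign: the private key signs the digest, not the message."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message, signature):
    """Anyone with the public key can check the signature against the digest."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def cloud_round_trip(public_key, private_key, data):
    """Flow from the slide: the user encrypts before storing in the cloud and
    decrypts after the provider returns it. Returns the recovered bytes."""
    stored_in_cloud = encrypt(public_key, data)   # what the provider holds
    returned = stored_in_cloud                    # provider sends it back
    return decrypt(private_key, returned)


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)
    print("public", pub, "private", priv)
    msg = b"cloud record"
    print(cloud_round_trip(pub, priv, msg))
    sig = sign(priv, msg)
    print("signature", sig, "valid:", verify(pub, msg, sig))
```

With p=61, q=53 and e=17 the modulus is n=3233 and the private exponent is d=2753 (17 * 2753 = 46801 = 15 * 3120 + 1). Because x -> x^e mod n is a permutation, altering the signature value always makes verification fail.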
Diffie–Hellman (DH) Algorithm
• The Diffie–Hellman (DH) Algorithm is a key-exchange protocol that
enables two parties communicating over a public channel to establish a
mutual secret without it being transmitted over the Internet.
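The exchange described above, as an added example that is not part of the original slides: both parties' messages are computed with the textbook group p=23, g=5 (constructed toy values; real deployments use standardised groups of 2048 bits or more), and the result shows that Alice and Bob arrive at the same secret while an observer of the public channel sees only p, g and the two public values. The agreed integer is then passed through SHA-256 to derive a symmetric key, which is how the secret is normally used. Plain DH is unauthenticated, so in practice the public values are tied to identities (certificates or signatures); that step is outside this example.

```python
import hashlib
import secrets

# Constructed toy group parameters (textbook values). Real deployments use a
# standardised large group; the arithmetic is identical.
P = 23
G = 5


def make_private(p=P):
    """Random private exponent in [1, p-2]; never sent anywhere."""
    return secrets.randbelow(p - 2) + 1


def public_value(private, p=P, g=G):
    """g^private mod p: this is the value sent over the public channel."""
    return pow(g, private, p)


def shared_secret(private, peer_public, p=P):
    """(peer_public)^private mod p, identical on both sides."""
    return pow(peer_public, private, p)


def derive_key(secret):
    """KDF step: turn the agreed integer into a 32-byte symmetric key."""
    return hashlib.sha256(str(secret).encode()).digest()


def exchange(a=None, b=None):
    """Run one exchange. Private exponents can be given (for reproducibility)
    or drawn at random. Returns both sides' results and the observer's view."""
    a = make_private() if a is None else a
    b = make_private() if b is None else b
    A = public_value(a)          # Alice -> Bob, over the public channel
    B = public_value(b)          # Bob -> Alice, over the public channel
    s_alice = shared_secret(a, B)   # Alice: B^a mod p
    s_bob = shared_secret(b, A)     # Bob:   A^b mod p
    return {
        "A": A,
        "B": B,
        "alice": s_alice,
        "bob": s_bob,
        "key": derive_key(s_alice),
        "observer_sees": (P, G, A, B),   # a, b and the secret are not here
    }


if __name__ == "__main__":
    result = exchange(6, 15)
    print(result["observer_sees"], result["alice"], result["bob"])
```

With a=6 and b=15: A = 5^6 mod 23 = 8, B = 5^15 mod 23 = 19, and both sides compute 19^6 mod 23 = 8^15 mod 23 = 2.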