For companies, migration to cloud technologies is not a sudden action, and virtualization is usually an intermediate step. After assessing all the advantages of virtualization, an organization decides to replace its own resources with a provider’s. But this is fraught with various pitfalls. Migrating from physical to virtual servers and from virtual to cloud environments is not a simple task, and it can cause difficulties for specialists who understand security in terms of traditional technologies such as perimeter defense, network segmentation, intrusion detection and prevention, antivirus software, etc. (Rittinghouse & Ransome, 2009).

A traditional data center is a large set of servers located in the same environment to increase effectiveness and security. Data center security can be viewed from two positions: physical and network. Physical security is simpler, because it consists of restricting administrators’ physical access to servers and network infrastructure. Network security means building a reliable perimeter defense, including a firewall and intrusion defense. Besides its main function, protection, the firewall segments the internal network into different security levels (servers available from the Internet, servers available only from the internal network, etc.) (Mather, Kumaraswamy & Latif, 2009).

After migration to virtual and cloud servers and platforms, traditional methods of providing security are limited. The “perimeter” no longer exists, segmentation is not available, and even hardware security equipment cannot be used, because more traffic moves within virtual machines and platforms (Rittinghouse & Ransome, 2009).

Another significant point is the update process: if a provider creates an update or patch for a platform, it is critically important that the changes do not affect customers’ applications and systems. For this reason, tracing dependencies between the platform, the environment and the customer’s security requirements is a necessary task, and only close collaboration between customers and providers makes it possible to secure data and prevent losses. To make the collaboration more efficient, the cloud provider can accommodate the customer’s security policies.

According to the classification given by the Cloud Security Alliance, there are several top threats related to PaaS services (Cloud Security Alliance, 2010):

Abuse and Nefarious Use of Cloud Computing. Because they provide almost unlimited compute, network and storage capacity with sometimes simplified barriers to entry (a valid card is enough to create an account and start using it immediately, which favors anonymity), platforms of this kind are subject to abuse. Intruders are able to take advantage of the resources and remain unpunished at the same time. Activities such as password cracking, distributed denial of service (DDoS), hosting malicious data, spamming, etc. become easy to carry out. All that is needed is to write program code that can be executed by the provided platform and host it somewhere in the cloud. There are examples of PaaS and IaaS being used for attacks and malpractice.

Insecure Interfaces and APIs. Interfaces and APIs are created for interaction with services, so the security of cloud services depends on the security of the provided APIs. They should be designed to protect services from malicious attempts to circumvent the provider’s policies. Other APIs are usually built on top of the core functionality, and the dependencies between them are significant for the confidentiality, integrity and availability of the company’s resources.

Malicious Insiders. Cloud providers do not have any special requirements for employees, and an intruder can easily be among the provider’s staff. What access a given employee has and how employees are controlled is information that is not available to customers who are exploring whether to use a particular company as a service provider.

Preventing this type of threat is not a simple task, but precise human resources requirements applicable to the provider’s staff can be made available to customers.

Increased transparency of information security and management will allow customers to understand what the company does to detect and defend against insiders, and as a result the data entrusted to the provider becomes more reliable and secure.

Data Loss or Leakage. Data compromise is another significant issue of PaaS security in a cloud. There are different ways to compromise data: deletion and alteration of records and loss of an encoding key; in addition, unauthorized parties should not gain access to sensitive data. This type of threat is more important in the cloud because of the architectural characteristics of the cloud environment. The associated damage to the vendor’s brand, reputation and customer trust, besides competitive and financial problems, can lead to breach of agreement and legal consequences.

Account or Service Hijacking. This kind of threat comprises the following attack methods: phishing, fraud, exploitation of software vulnerabilities and others. Gaining access to credentials opens up opportunities to eavesdrop on activities and transactions, manipulate data, and substitute falsified information for the information needed. A compromised account or service becomes a base for new attacks, and the customer’s reputation suffers. Breaches affect the confidentiality, integrity and availability of services, which can in turn lead to litigation.

Unknown Risk Profile. Information related to infrastructure sharing, network intrusion and redirection attempts is important for estimating a company’s security. Whether the declared security features match the internal security procedures, configuration hardening, auditing and logging, and what information the vendor discloses in case of a security incident, confront customers with unknown risks that they have not examined before.

All these problems constitute threats to applications and data, located in clouds.

The impossibility of gaining physical access to resources, insufficient control, obscurity, the probability of data compromise and loss, and a human factor that cannot be traced create additional barriers for customers to easily adopt cloud technologies and start using them. At the same time, privacy aspects, which are weak points in the legislation of different countries and jurisdictions, are obstacles as well.