Description
Cloud Computing Security

Overview
Cloud computing can be described as a shared pool of configurable computing resources (servers, applications, networks, storage and so on) that is scalable and can be rapidly provisioned and released with minimal management effort or service provider interaction.  Although cloud computing offers many advantages, organizations should also understand that it carries its own risks and implement appropriate security procedures to protect their information.

Guidelines
Cloud computing offers organizations several advantages, including on-demand self-service, rapid deployment of resources, broad network access, resource pooling, scalability, lower costs and the ability to monitor and meter performance.  However, organizations should understand the risks involved and implement appropriate security procedures when using cloud computing.

Just as you would protect data hosted in your own facility, many of the same security controls need to be implemented when using cloud computing providers: documented policies, securely developed applications, hardened systems, monitoring and access controls, to name a few.  The difference is that some of these controls are now operated by the provider, so the contract and the provider's documentation should make clear who is responsible for each one.

Listed below is a brief summary of safeguards to consider when adopting cloud computing:
  • Browser-based security: cloud services rely heavily on the security of the client browsers, applications and devices that reach them.  End users typically connect through a browser to use business applications, and administrators use the same path to manage the organization's cloud tenancy.  Securing that path includes encrypted transport (HTTPS, with certificate validation left enabled), securely coded client web applications and end-user device protections such as anti-malware.  End users and cloud administrators should confirm they are on the legitimate provider site before authenticating, to reduce the risk of downloading malware or handing credentials to a fraudulent (phishing) site.
  • Business Continuity Plan (BCP): companies should have plans in place to restore business services if a cloud provider goes out of business or its services become unavailable.  Monitoring the provider's financial health and service performance, and keeping a backup cloud provider (which only helps if the data can actually be exported and moved), should be part of the BCP.
  • Data protection: cloud-hosted applications should encrypt data in transit and at rest, and the overall design should preserve the confidentiality, integrity and availability of the information.  A customer's data should be isolated from other tenants (e.g., firewall controls, a dedicated VLAN or virtual network, and access control restricted to authorized individuals).
  • Legal considerations: confirm that cloud providers can support ad hoc legal requests, such as e-Discovery and litigation holds, including preservation of data.
  • Performance: organizations should periodically measure whether cloud providers are meeting service level agreements and security requirements.  Discovered security gaps should be closed.
  • Regulations: ensure national and international laws, including those for data protection and privacy, are followed when hosting data for customers from different countries.  Some international and state statutes prohibit storing data outside certain physical boundaries, so the selection of a hosting region or facility may need to take such statutes into consideration.
  • Remote administration: controlling privileged access to cloud services is critical, since unauthorized access can lead to complete compromise of business resources, including the availability of VMs, business applications and sensitive financial information.  Remote access controls should include two-factor authentication (e.g., a time-based one-time-password app such as Google Authenticator), a minimal number of cloud administrators, and secured browser connectivity.  Systems used to reach cloud administrative consoles should be separate from systems used for personal browsing, to limit the chance that malware on a personal machine compromises the path used for business activities.  Access to systems, data and encryption keys must be restricted to authorized roles within the organization and denied to anyone outside it, including cloud provider personnel.
  • Secure data backup and deletion: sensitive data that is backed up should be encrypted, with access limited to the cloud customer's administrators or custodians.  Data should be deleted securely so it cannot be recovered by unauthorized individuals.  A one-pass overwrite with random data is the classic approach, but a cloud tenant usually cannot overwrite the provider's physical media, so the practical equivalent is cryptographic erasure: encrypt the data under keys the customer controls and destroy those keys on deletion, and confirm the provider's media sanitization process in the contract.
  • VM and network isolation: virtual machines (VMs) let cloud customers host applications or services on individual server instances that are separate from other customers' instances.  It is imperative that the VMs are securely configured and controlled, just as systems hosted in a non-cloud facility would be.  VMs should also be isolated on a dedicated VLAN or virtual network segment with firewall and access control rules (e.g., security-group rules that admit administrative ports only from known management addresses) to protect them from other VMs, hosts or networks.
For more information, please see NIST publication SP 800-146 "Cloud Computing Synopsis and Recommendations" under Standards.
 

Topic Category
Operations and Communications Management
 
News Articles
For some cloud services more than 75% of accounts are utilized by hackers (10/4/2018)
Unprotected Server Exposes Weight Watchers Internal IT Infrastructure (threatpost.com, 6/11/2018)
Massive US military social media spying archive left wide open in AWS S3 buckets (www.theregister.co.uk, 11/17/2017)
50,000 Australian Employees’ Personal Data Exposed Online (www.tripwire.com, 11/2/2017)
Verizon Engineer Exposes Internal System Data (www.securityweek.com, 9/25/2017)
VMWare releases AppDefense to protect enterprise virtual environments (www.zdnet.com, 8/28/2017)
Meeting and Hotel Booking Provider’s Data Found in Public Amazon S3 Bucket (threatpost.com, 8/21/2017)
Don't panic, Chicago, but an AWS S3 config blunder exposed 1.8 million voter records (www.theregister.co.uk, 8/17/2017)
US Border Patrol isn’t allowed to search travelers’ data stored in the cloud (www.helpnetsecurity.com, 7/17/2017)
Experts Warn Too Often AWS S3 Buckets Are Misconfigured, Leak Data (threatpost.com, 7/14/2017)
Cloud Security Firm Netskope Raises $100 Million (www.securityweek.com, 6/7/2017)
U.S. Defense Contractor Exposes Sensitive Military Data (www.securityweek.com, 6/1/2017)
Apple iCloud hack threat gets worse: Here's what we've learned (www.zdnet.com, 3/28/2017)
Apple iCloud ransom demands: The facts you need to know (www.zdnet.com, 3/24/2017)
Unpatched Western Digital Bugs Leave NAS Boxes Open to Attack (threatpost.com, 3/7/2017)
40% of cloud services are commissioned without the involvement of IT (www.helpnetsecurity.com, 2/13/2017)
Google reveals its servers all contain custom security silicon (www.theregister.co.uk, 1/16/2017)
IoT is the Weakest Link for Attacking the Cloud (blog.fortinet.com, 1/5/2017)
Box.com Plugs Account Data Leakage Flaw (threatpost.com, 1/3/2017)
Cloud Security Alliance lays out security guidelines for IoT development (www.zdnet.com, 10/7/2016)
Virlock ransomware can now use the cloud to spread, say researchers (www.zdnet.com, 9/27/2016)
Oracle will acquire cloud security vendor Palerra (www.computerworld.com, 9/19/2016)
Cloud use increases attack surface up to 100-fold; companies fail to keep up with flood of threats (businessinsights.bitdefender.com, 8/24/2016)
Cisco to Expand Cloud Security Portfolio with Acquisition of CloudLock (blogs.cisco.com, 6/28/2016)
Intel Security teams with VMware, Ericsson; adds public cloud suite for McAfee (www.zdnet.com, 4/21/2015)
PATCH FREAK NOW: Cloud providers faulted for slow response (www.theregister.co.uk, 3/5/2015)
Using Google Cloud Platform for Security Scanning (googleonlinesecurity.blogspot.com, 2/19/2015)
Serious Hypervisor Bug Fix Causes Unexpected Cloud Downtime (threatpost.com, 10/2/2014)
Microsoft Starts Online Services Bug Bounty (threatpost.com, 9/23/2014)
Apple to add security alerts for iCloud users, says Cook: WSJ (www.cnbc.com, 9/5/2014)
Don't panic! Mega cloud biz group says NSA just one among many threats (www.theregister.co.uk, 7/7/2014)
Concerned about Security in the Cloud? - This is what you should ask your cloud service provider (www.zdnet.com, 5/21/2014)
Google, Microsoft agree: Cloud is now safe enough to use (news.cnet.com, 2/26/2014)
HDS and Verizon pair up to take on Rackspace, Amazon in the clouds (www.theregister.co.uk, 1/15/2014)
When it comes to the cloud, CIOs, CEOs prefer to keep it private (www.zdnet.com, 1/9/2014)
OpenSSL Hackers Used Weak Password at Web Host to Deface Site (threatpost.com, 1/3/2014)
Thales, Microsoft serve secure crypto in the cloud (www.zdnet.com, 11/25/2013)
IBM gives up fight to build CIA's $600m secret cloud, hands deal to Amazon (www.theregister.co.uk, 10/30/2013)
IBM, Akamai team up on cloud security effort (www.zdnet.com, 10/22/2013)
Apple's iCloud cracked: Lack of two-factor authentication allows remote data download (www.zdnet.com, 10/21/2013)
Salesforce launches identity service, eyes Okta (www.zdnet.com, 10/15/2013)
Lawyers report steep rise in employee data theft cases (nakedsecurity.sophos.com, 9/3/2013)
Google now encrypts cloud storage by default (news.cnet.com, 8/15/2013)
U.S. cloud industry stands to lose $35 billion amid PRISM fallout (www.zdnet.com, 8/6/2013)
Huddle: Consumer cloud services causing 'security time-bomb' for enterprises (www.zdnet.com, 5/30/2013)
iPhones, iPads cleared for U.S. military use; DOD fortifies cloud (www.zdnet.com, 5/17/2013)
DOD Works to Fortify Cloud, Acquisition, Data Processes (www.defense.gov, 5/17/2013)
AWS takes aim at security conscious enterprises with new appliance (www.computerworld.com, 3/27/2013)
Report: Among simple, yet effective web app attacks, cloud environments hit hardest (www.scmagazine.com, 3/26/2013)
Cloud security service protects WordPress content (www.zdnet.com, 3/19/2013)
SaaS integration challenges pose security risks (www.zdnet.com, 3/7/2013)
Cloud's risks spur 'notorious nine' threats for 2013 (www.zdnet.com, 2/26/2013)
Happy now? Mobiles, cloud, big data now 'a growing security risk' (www.theregister.co.uk, 1/11/2013)
The greatest violators of IT cloud security policies: top executives (www.zdnet.com, 1/3/2013)
The cloud is loved, but not trusted (www.infosecurity-magazine.com, 12/13/2012)
Using the cloud – UK companies unaware of their data responsibility (www.infosecurity-magazine.com, 12/12/2012)
Regaining Control Of Data In The Cloud (www.darkreading.com, 11/12/2012)
Keeping Data Out Of The Insecure Cloud (www.darkreading.com, 10/15/2012)
Dropbox brings in outside team to investigate spam run (www.computerworld.com, 7/18/2012)
Backup systems ensured continuity of military networks during storm (www.nextgov.com, 7/2/2012)
Policy would require agencies to scan for network threats every 72 hours and begin patching holes (www.nextgov.com, 6/14/2012)
FEDRAMP Concept of Operations (CONOPS) (www.gsa.gov, 2/7/2012)
Contractors dealt blanket cloud security specs (www.nextgov.com, 1/9/2012)
Guidelines on Security and Privacy in Public Cloud Computing (www.nist.gov, 12/9/2011)
Feds launch cloud security standards program (www.computerworld.com, 12/8/2011)
Federal cyber rules halt LAPD's move to Google Apps (www.nextgov.com, 10/26/2011)
EU cloud vendors liable for breaches (www.scmagazine.com.au, 9/29/2011)
White Papers
Cloud Computing Risk Assessment (www.enisa.europa.eu, 11/1/2009)
Standards
Information Supplement: PCI DSS Cloud Computing Guidelines (PCI, 2/7/2013)
NIST Guidelines on Security and Privacy in Public Cloud Computing (NIST, 12/9/2011)
The NIST Definition of Cloud Computing (NIST, 9/1/2011)
NIST Cloud Computing Synopsis and Recommendations (NIST, 5/29/2012)