Data Security Issues In Cloud Computing

Cloud computing is the key driving force in many small, medium and large sized companies and as many cloud users seek the services of cloud computing, the one question that remain their major concern is the security of their data in the cloud.

Data management, data privacy and security are concerns for every cloud user, and the cloud provider too. With more and more companies looking into cloud computing, understanding cloud data security issues is important.

Every cloud service(s) seeker either individual or a company should be bold enough to ask the right questions to the cloud provider before hosting their data or applications on the cloud.

Prospective cloud providers should let you know; Are they financially sound? Do they have good security policies and procedures in place? Is the infrastructure meant to host your data shared with lots of other users, or will it be segregated by virtualization? Asking the right questions will present a clear overview of the cloud provider and what level of services to expect.

Let us get some facts right, according to Ponemon Institute research of 2010, the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.

Today it is estimated that 52% of cloud applications targets business applications services. By 2013, 80% of companies will spend between 7% and 30% of their IT budget on Cloud Services.

The research go on to state that majority of cloud computing service providers do not consider cloud computing security as one of their most important responsibilities.

So the question is; How is your data protected on the cloud and in the event of failure how do you recover your data?

Take a scenario; If you have your data on a laptop or a desktop and your hard drive fails or your data get corrupted or is missing, what do you do? You source for the services of a data recovery provider, remove the hard drive and take it to them. Chances are that your data might be recovered.

With cloud computing what are you supposed to do? Your data is stored online; you can’t remove the hard drive. If the online service has hard drive failures, you can’t get the hard drive.

If hackers break into the online servers and erase your data, you can’t get the hard drive. If your files are lost, damaged or stolen from a cloud server, you can’t be helped by services of data recovery service provider!

Please note that am not trying to defame cloud service providers. Many cloud computing service providers are reliable and they will even give you a high security guarantee for your data on cloud but the fact is that when an occurrence such as data failure occurs and it affect your online data then you will be forced to work according to their schedule and probably be put on a waiting queue like many other thousands cloud users, all these at the expense of your business.

Then, it all zeros down to the basics of data security, if your data is that important, cloud or not, just make sure you have a local copy in your machine as well as the backup just in case.

As many companies move their data to the cloud the data undergoes many changes and there are many challenges to overcome as business applications have to be re-designed differently. The result of this is that data security almost stops being the primary concern.

Attaining the requirements for cloud data security entails applying existing security techniques and following sound security practices.

To be effective, cloud data security depends on more than simply applying appropriate data security procedures and countermeasures.

Computer based security measures mostly capitalizes on user authorization and authentication. Data encryption is highly used in cloud data security but even then, the most resilient data encryption is pointless if the keys are exposed or if encryption endpoints are insecure.

Some of the cloud data security issues are discussed below:-

• Phishing

Phishing is a human or software action that trick end users into providing their credentials for access to a protected data and therefore break the authentication and encryption.

Although phishing is not a new threat in data security and it is considered infeasible to break a public key infrastructure, it does actually pose a major threat to cloud data.

Many cloud service providers have strict countermeasures against phishing for example Google App randomly prompt users for their passwords, especially in response to when a suspicious event has been observed and display the IP address from the previous login session along with automatic notification of suspicious events.

Amazon Web Services create cryptographically strong PKI keys and require those keys to be used for authentication in cloud resources. Key-based authentication is more preferred in cloud security than use of static passwords.

Employees and subscribers need to be aware of suspicious and fraudulent login or capturing events and be able to monitor for phishing attempts by use of anti phishing mechanisms.

• Privacy and Confidentiality

Once the client host data to the cloud there should be some guarantee that access to that data will only be limited to the authorized access. Inappropriate access to customer sensitive data by cloud personnel is another risk that can pose potential threat to cloud data. Assurances should be provided to the clients and proper practices and privacy policies and procedures should be in place to assure the cloud users of the data safety.

The cloud seeker should be assured that data hosted on the cloud will be confidential. As a cloud user, ask what mechanisms are there to ensure data protection and secure delivery of logs, what you will be able to log, what activities will be recorded within your cloud and whether privacy and confidentiality to those logs will be assured, (remember the Amazon's cloud outage?).

Cloud users also need to consider the host country of the cloud provider company. Some countries have policies that give them authority to intercept and inspect any stored or processed data. Microsoft recently admitted that their data centre is subject to the US Patriot Act as Microsoft is a US headquartered company.

• Data integrity

With providing the security of data, cloud service providers should implement mechanisms to ensure data integrity and be able to tell what happened to a certain dataset and at what point. The cloud provider should make the client aware of what particular data is hosted on the cloud, the origin and the integrity mechanisms put in place.

For compliance purposes, it may be necessary to have exact records as to what data was placed in a public cloud, when it occurred, what virtual memories (VMs) and storage it resided on, and where it was processed.

When such data integrity requirements exists, that the origin and custody of data or information must be maintained in order to prevent tampering or to prevent the exposure of data beyond the agreed territories (either between different servers or different networks), it may be completely inappropriate to use a public cloud or even a low-assurance private cloud while a hybrid cloud may be a better option because it combines the best cloud qualities.

• Storage, Backup and Recovery

When you decide to move your data to the cloud the cloud provider should ensure adequate data resilience storage systems. At a minimum they should be able to provide RAID (Redundant Array of Independent Disks) storage systems although most cloud providers will store the data in multiple copies across many independent servers.

In addition to that, most cloud providers should be able to provide options on backup services which are certainly important for those businesses that run cloud based applications so that in the event of a serious hardware failure they can roll back to an earlier state.

Ask the cloud provider what data recovery options are available and how long it can take to restore your data back to good working condition in the event of failure. If your data is very critical you may consider the services of more than one cloud service provider and especially if you are going to use Software as a Service (SaaS) as the services are delivered through a common point.