m Open access bot: doi updated in citation with #oabot.
(Rescuing 2 sources and tagging 0 as dead.) #IABot (v2.0.9.5)
Line 8:
Cloud [[computing]] and storage provide users with the capabilities to store and process their data in third-party [[data center]]s.<ref name="cloudid">{{cite journal |last1=Haghighat |first1=Mohammad |last2=Zonouz |first2=Saman |last3=Abdel-Mottaleb |first3=Mohamed |title=CloudID: Trustworthy cloud-based and cross-enterprise biometric identification |journal=Expert Systems with Applications |date=November 2015 |volume=42 |issue=21 |pages=7905–7916 |doi=10.1016/j.eswa.2015.06.025 }}</ref> Organizations use the cloud in a variety of different service models (with acronyms such as [[SaaS]], [[PaaS]], and [[IaaS]]) and deployment models ([[Cloud computing#Private cloud|private]], [[Cloud computing#Public|public]], [[Cloud computing#Hybrid|hybrid]], and [[community cloud|community]]).<ref name="Srinivasan">{{cite book |doi=10.1145/2345396.2345474 |chapter=State-of-the-art cloud computing security taxonomies |title=Proceedings of the International Conference on Advances in Computing, Communications and Informatics - ICACCI '12 |year=2012 |last1=Srinivasan |first1=Madhan Kumar |last2=Sarukesi |first2=K. |last3=Rodrigues |first3=Paul |last4=Manoj |first4=M. Sai |last5=Revathy |first5=P. |pages=470–476 |isbn=978-1-4503-1196-0 |s2cid=18507025 }}</ref>
Security concerns associated with cloud computing are typically categorized in two ways: as security issues faced by cloud providers (organizations providing [[Software as a service|software-]], [[Platform as a service|platform-]], or [[Infrastructure as a service|infrastructure-as-a-service]] via the cloud) and security issues faced by their customers (companies or organizations who host applications or store data on the cloud).<ref>{{cite news|url=http://security.sys-con.com/node/1231725|title=Swamp Computing a.k.a. Cloud Computing|publisher=Web Security Journal|date=2009-12-28|access-date=2010-01-25|archive-date=2019-08-31|archive-url=https://web.archive.org/web/20190831163708/http://security.sys-con.com/node/1231725|url-status=dead}}</ref> The responsibility is shared, however, and is often detailed in a cloud provider's "shared security responsibility model" or "shared responsibility model."<ref name="CSACloudCont4">{{cite web |url=https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/ |format=xlsx |title=Cloud Controls Matrix v4 |publisher=Cloud Security Alliance |date=15 March 2021 |access-date=21 May 2021}}</ref><ref name="AWSShared20">{{cite web |url=https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/shared-security-responsibility-model.html |title=Shared Security Responsibility Model |work=Navigating GDPR Compliance on AWS |publisher=AWS |date=December 2020 |access-date=21 May 2021}}</ref><ref name="TozziAvoid20">{{cite web |url=https://www.paloaltonetworks.com/blog/prisma-cloud/pitfalls-shared-responsibility-cloud-security/ |title=Avoiding the Pitfalls of the Shared Responsibility Model for Cloud Security |author=Tozzi, C. 
|work=Pal Alto Blog |publisher=Palo Alto Networks |date=24 September 2020 |access-date=21 May 2021}}</ref> The provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected, while the user must take measures to fortify their application and use strong passwords and authentication measures.<ref name="AWSShared20" /><ref name="TozziAvoid20" />
When an organization elects to store data or host applications on the public cloud, it loses its ability to have physical access to the servers hosting its information. As a result, potentially sensitive data is at risk from insider attacks. According to a 2010 [[Cloud Security Alliance]] report, insider attacks are one of the top seven biggest threats in cloud computing.<ref name="Top Threats to Cloud Computing v1.0">{{cite web|date=March 2010|title=Top Threats to Cloud Computing v1.0|url=http://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Felh%C5%91%20szolg%C3%A1ltat%C3%A1sok/Top%20threats%20to%20cloud%20computing%20v1_0.pdf|access-date=2020-09-19|publisher=Cloud Security Alliance}}</ref> Therefore, cloud service providers must ensure that thorough background checks are conducted for employees who have physical access to the servers in the data center. Additionally, data centers are recommended to be frequently monitored for suspicious activity.
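Review bot: In the TozziAvoid20 citation, `|work=Pal Alto Blog` does not match the spelling in the adjacent `|publisher=Palo Alto Networks`; suggest correcting the work title to match. Separately, the "Top Threats to Cloud Computing v1.0" reference names Cloud Security Alliance as publisher but links to a copy hosted on itsecure.hu and has no archive-url, so linking the publisher's own copy or adding archive parameters would make the insider-attack claim in this paragraph easier to verify.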
Line 14:
In order to conserve resources, cut costs, and maintain efficiency, cloud service providers often store more than one customer's data on the same server. As a result, there is a chance that one user's private data can be viewed by other users (possibly even competitors). To handle such sensitive situations, cloud service providers should ensure proper [[Isolation (database systems)|data isolation]] and logical storage segregation.<ref name="Srinivasan"/>
The extensive use of [[virtualization]] in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service.<ref name="Cloud Virtual Security Winkler">{{cite web|last=Winkler|first=Vic|title=Cloud Computing: Virtual Cloud Security Concerns|url=https://technet.microsoft.com/en-us/magazine/hh641415.aspx|publisher=Technet Magazine, Microsoft|access-date=12 February 2012}}</ref> Virtualization alters the relationship between the OS and underlying hardware – be it computing, storage or even networking. This introduces an additional layer – virtualization – that itself must be properly configured, managed and secured.<ref name="virtualization risks hickey">{{cite web|last=Hickey|first=Kathleen|title=Dark Cloud: Study finds security risks in virtualization|date=18 March 2010
== Cloud security controls ==
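Review bot: The Winkler reference in the virtualization paragraph (technet.microsoft.com, access-date 12 February 2012) has no archive-url or archive-date, while the Web Security Journal reference earlier on the page carries both plus url-status; suggest checking whether this link still resolves and adding the same archive parameters if it does not. The data isolation sentence is supported only by the reused `<ref name="Srinivasan"/>`, so a page or section pointer there would help readers locate the isolation and storage segregation guidance.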