|
;Deterrent controls
:These controls are administrative mechanisms intended to reduce attacks on a cloud system and are utilized to ensure compliance with external controls. Much like a warning sign on a fence or a property, deterrent controls typically reduce the threat level by informing potential attackers that there will be adverse consequences for them if they proceed.<ref>Andress,{{cite J. (2014). Deterrent Control - an overviewjournal | ScienceDirect Topicsdoi=10. Retrieved October 14, 2021, from https:1016//wwwB978-0-12-800744-0.sciencedirect.com/topics/computer00009-science/deterrent-control9 }}</ref> (Some consider them a subset of preventive controls.) Examples of such controls could be considered as policies, procedures, standards, guidelines, laws, and regulations that guide an organization towards security. Although most malicious actors ignore such deterrent controls, such controls are intended to ward off those who are inexperienced or curious about compromising the IT infrastructure of an organization.
;Preventive controls
:The main objective of preventive controls is to strengthen the system against incidents, generally by reducing if not actually eliminating vulnerabilities, as well as preventing unauthorized intruders from accessing or entering the system.<ref>Virtue,{{cite T., & Rainey, J. (2015). Preventative Control - an overviewjournal | ScienceDirect Topicsdoi=10. Retrieved October 13, 2021, from https:1016//wwwB978-0-12-802043-2.sciencedirect.com/topics/computer00006-science/preventative-control9 }}</ref> This could be achieved by either ''adding'' software or feature implementations (such as firewall protection, endpoint protection, and multi-factor authentication), or ''removing'' unneeded functionalities so that the attack surface is minimized (as in [[unikernel]] applications). Additionally, educating individuals through security awareness training and exercises is included in such controls due to human error being the weakest point of security. Strong authentication of cloud users, for instance, makes it less likely that unauthorized users can access cloud systems, and more likely that cloud users are positively identified. All in all, preventative controls affect the likelihood of a loss event occurring and are intended to prevent or eliminate the systems’ exposure to malicious action.
;Detective controls
Data confidentiality is the property in that data contents are not made available or disclosed to illegal users. Outsourced data is stored in a cloud and out of the owners' direct control. Only authorized users can access the sensitive data while others, including CSPs, should not gain any information about the data. Meanwhile, data owners expect to fully utilize cloud data services, e.g., data search, data computation, and [[data sharing]], without the leakage of the data contents to CSPs or other adversaries. Confidentiality refers to how data must be kept strictly confidential to the owner of said data
An example of security control that covers confidentiality is encryption so that only authorized users can access the data. Symmetric or asymmetric key paradigm can be used for encryption.<ref>{{Citecite journal |last1=Tabrizchi |first1=Hamed |last2=Kuchaki Rafsanjani |first2=Marjan |date=2020-12-01 |title=A survey on security challenges in cloud computing: issues, threats, and solutions |url=https://doi.org/10.1007/s11227-020-03213-1 |journal=The Journal of Supercomputing |languagedate=enDecember 2020 |volume=76 |issue=12 |pages=9493–9532 |doi=10.1007/s11227-020-03213-1 |s2cid=255070071 |issn=1573-0484}}</ref>
=== Access controllability ===
The attacks that can be made on cloud computing systems include [[Man-in-the-middle attack|man-in-the middle]] attacks, [[phishing]] attacks, authentication attacks, and malware attacks. One of the largest threats is considered to be malware attacks, such as [[Trojan horse (computing)|Trojan horses]].
Recent research conducted in 2022 has revealed that the Trojan horse injection method is a serious problem with harmful impacts on cloud computing systems. A Trojan attack on cloud systems tries to insert an application or service into the system that can impact the cloud services by changing or stopping the functionalities. When the cloud system identifies the attacks as legitimate, the service or application is performed which can damage and infect the cloud system.<ref>{{Citecite journal |lastlast1=Kanaker |firstfirst1=Hasan |last2=Abdel Karim |first2=Nader Abdel |last3=A.B. Awwad |first3=Samer |last4=H.A. B. |last4=Ismail |first4=Nurul H. A. |last5=Zraqou |first5=Jamal |last6=Ali |first6=Abdulla M. F. Al ali |datefirst6=2022-12-20Abdulla |title=Trojan Horse Infection Detection in Cloud Based Environment Using Machine Learning |url=https://online-journals.org/index.php/i-jim/article/view/35763 |journal=International Journal of Interactive Mobile Technologies (iJIM) |languagedate=en20 December 2022 |volume=16 |issue=24 |pages=81–106 |doi=10.3991/ijim.v16i24.35763 |issn=1865-7923|doi-access=free }}</ref>
==Encryption==
|
