Cloud computing security: Difference between revisions

reformatted refs and prep for citation bot cleanup
Citation bot (talk | contribs)
Alter: template type, journal. Add: url, isbn, pages, date, title, chapter, s2cid, authors 1-2. | Use this bot. Report bugs. | Suggested by Chris Capoccia | #UCB_toolbar
Line 6:
==Security issues associated with the cloud==
 
Cloud [[computing]] and storage provide users with the capabilities to store and process their data in third-party [[data center]]s.<ref name="cloudid">{{cite journal |last1=Haghighat |first1=Mohammad |last2=Zonouz |first2=Saman |last3=Abdel-Mottaleb |first3=Mohamed |title=CloudID: Trustworthy cloud-based and cross-enterprise biometric identification |journal=Expert Systems with Applications |date=November 2015 |volume=42 |issue=21 |pages=7905–7916 |doi=10.1016/j.eswa.2015.06.025 |s2cid=30476498 }}</ref> Organizations use the cloud in a variety of different service models (with acronyms such as [[SaaS]], [[PaaS]], and [[IaaS]]) and deployment models ([[Cloud computing#Private cloud|private]], [[Cloud computing#Public|public]], [[Cloud computing#Hybrid|hybrid]], and [[community cloud|community]]).<ref name="Srinivasan">{{cite book |doi=10.1145/2345396.2345474 |chapter=State-of-the-art cloud computing security taxonomies |title=Proceedings of the International Conference on Advances in Computing, Communications and Informatics - ICACCI '12 |year=2012 |last1=Srinivasan |first1=Madhan Kumar |last2=Sarukesi |first2=K. |last3=Rodrigues |first3=Paul |last4=Manoj |first4=M. Sai |last5=Revathy |first5=P. |pages=470–476 |isbn=978-1-4503-1196-0 |s2cid=18507025 }}</ref>
 
Security concerns associated with cloud computing are typically categorized in two ways: as security issues faced by cloud providers (organizations providing [[Software as a service|software-]], [[Platform as a service|platform-]], or [[Infrastructure as a service|infrastructure-as-a-service]] via the cloud) and security issues faced by their customers (companies or organizations who host applications or store data on the cloud).<ref>{{cite news|url=http://security.sys-con.com/node/1231725|title=Swamp Computing a.k.a. Cloud Computing|publisher=Web Security Journal|date=2009-12-28|access-date=2010-01-25|archive-date=2019-08-31|archive-url=https://web.archive.org/web/20190831163708/http://security.sys-con.com/node/1231725|url-status=dead}}</ref> The responsibility is shared, however, and is often detailed in a cloud provider's "shared security responsibility model" or "shared responsibility model."<ref name="CSACloudCont4">{{cite web |url=https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/ |format=xlsx |title=Cloud Controls Matrix v4 |publisher=Cloud Security Alliance |date=15 March 2021 |access-date=21 May 2021}}</ref><ref name="AWSShared20">{{cite web |url=https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/shared-security-responsibility-model.html |title=Shared Security Responsibility Model |work=Navigating GDPR Compliance on AWS |publisher=AWS |date=December 2020 |access-date=21 May 2021}}</ref><ref name="TozziAvoid20">{{cite web |url=https://www.paloaltonetworks.com/blog/prisma-cloud/pitfalls-shared-responsibility-cloud-security/ |title=Avoiding the Pitfalls of the Shared Responsibility Model for Cloud Security |author=Tozzi, C. 
|work=Pal Alto Blog |publisher=Palo Alto Networks |date=24 September 2020 |access-date=21 May 2021}}</ref> The provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected, while the user must take measures to fortify their application and use strong passwords and authentication measures.<ref name="AWSShared20" /><ref name="TozziAvoid20" />
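Review bot: in the TozziAvoid20 reference, `|work=Pal Alto Blog` is misspelled next to `|publisher=Palo Alto Networks`; it should read "Palo Alto Blog". The same reference keeps `|author=Tozzi, C.` while the other citations in this hunk use `|last1=` and `|first1=`, so splitting the name would make the author fields consistent.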
Line 21:
 
;Deterrent controls
:These controls are administrative mechanisms intended to reduce attacks on a cloud system and are utilized to ensure compliance with external controls. Much like a warning sign on a fence or a property, deterrent controls typically reduce the threat level by informing potential attackers that there will be adverse consequences for them if they proceed.<ref>{{cite journalbook |doi=10.1016/B978-0-12-800744-0.00009-9 |chapter=Physical Security |title=The Basics of Information Security |date=2014 |last1=Andress |first1=Jason |pages=131–149 |isbn=978-0-12-800744-0 }}</ref> (Some consider them a subset of preventive controls.) Examples of such controls could be considered as policies, procedures, standards, guidelines, laws, and regulations that guide an organization towards security. Although most malicious actors ignore such deterrent controls, such controls are intended to ward off those who are inexperienced or curious about compromising the IT infrastructure of an organization.
 
;Preventive controls
:The main objective of preventive controls is to strengthen the system against incidents, generally by reducing if not actually eliminating vulnerabilities, as well as preventing unauthorized intruders from accessing or entering the system.<ref>{{cite journalbook |doi=10.1016/B978-0-12-802043-2.00006-9 |chapter=Information Risk Assessment |title=HCISPP Study Guide |date=2015 |last1=Virtue |first1=Timothy |last2=Rainey |first2=Justin |pages=131–166 |isbn=978-0-12-802043-2 }}</ref> This could be achieved by either ''adding'' software or feature implementations (such as firewall protection, endpoint protection, and multi-factor authentication), or ''removing'' unneeded functionalities so that the attack surface is minimized (as in [[unikernel]] applications). Additionally, educating individuals through security awareness training and exercises is included in such controls due to human error being the weakest point of security. Strong authentication of cloud users, for instance, makes it less likely that unauthorized users can access cloud systems, and more likely that cloud users are positively identified. All in all, preventative controls affect the likelihood of a loss event occurring and are intended to prevent or eliminate the systems’ exposure to malicious action.
 
;Detective controls
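Review bot: both citations in this hunk (Andress, and Virtue and Rainey) render as `{{cite journalbook`, the old and new template names run together. Confirm the saved revision reads `{{cite book`, which is what the `|chapter=`, `|title=` and `|isbn=` fields on both entries call for. Separately, the Preventive controls paragraph switches to "preventative controls" in its last sentence; use one spelling throughout.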
Line 85:
Data confidentiality is the property in that data contents are not made available or disclosed to illegal users. Outsourced data is stored in a cloud and out of the owners' direct control. Only authorized users can access the sensitive data while others, including CSPs, should not gain any information about the data. Meanwhile, data owners expect to fully utilize cloud data services, e.g., data search, data computation, and [[data sharing]], without the leakage of the data contents to CSPs or other adversaries. Confidentiality refers to how data must be kept strictly confidential to the owner of said data
 
An example of security control that covers confidentiality is encryption so that only authorized users can access the data. Symmetric or asymmetric key paradigm can be used for encryption.<ref>{{cite journal |last1=Tabrizchi |first1=Hamed |last2=Kuchaki Rafsanjani |first2=Marjan |title=A survey on security challenges in cloud computing: issues, threats, and solutions |journal=The Journal of Supercomputing |date=December 2020 |volume=76 |issue=12 |pages=9493–9532 |doi=10.1007/s11227-020-03213-1 |s2cid=255070071 |url=http://elartu.tntu.edu.ua/handle/lib/39663 }}</ref>
 
=== Access controllability ===
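Review bot: the Tabrizchi and Kuchaki Rafsanjani reference carries `|url=http://elartu.tntu.edu.ua/handle/lib/39663`, a plain-http repository handle, alongside a DOI for The Journal of Supercomputing. Confirm that the repository copy is one that may be linked and use an https link if the host offers one; otherwise the DOI alone is sufficient. In the paragraph before it, the closing sentence ("... to the owner of said data") is missing its full stop.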
Line 121:
There are several different types of attacks on cloud computing, one that is still very much untapped is infrastructure compromise. Though not completely known it is listed as the attack with the highest amount of payoff.<ref>{{cite book |doi=10.1145/2484313.2484357 |chapter=Towards preventing QR code based attacks on android phone using security warnings |title=Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security - ASIA CCS '13 |year=2013 |last1=Yao |first1=Huiping |last2=Shin |first2=Dongwan |page=341 |isbn=9781450317672 |s2cid=1851039 }}</ref> What makes this so dangerous is that the person carrying out the attack is able to gain a level of privilege of having essentially root access to the machine. It is very hard to defend against attacks like these because they are so unpredictable and unknown, attacks of this type are also called [[zero day exploits]] because they are difficult to defend against since the vulnerabilities were previously unknown and unchecked until the attack has already occurred.
 
[[Denial-of-service attack|DoS]] attacks aim to have systems be unavailable to their users. Since cloud computing software is used by large numbers of people, resolving these attacks is increasingly difficult. Now with cloud computing on the rise, this has left new opportunities for attacks because of the virtualization of data centers and cloud services being utilized more.<ref>{{cite journal |last1=Iqbal |first1=Salman |last2=Mat Kiah |first2=Miss Laiha |last3=Dhaghighi |first3=Babak |last4=Hussain |first4=Muzammil |last5=Khan |first5=Suleman |last6=Khan |first6=Muhammad Khurram |last7=Raymond Choo |first7=Kim-Kwang |title=On cloud security attacks: A taxonomy and intrusion detection and prevention as a service |journal=Journal of Network and Computer Applications |date=October 2016 |volume=74 |pages=98–120 |doi=10.1016/j.jnca.2016.08.016 |s2cid=9060910 }}</ref>
 
With the global pandemic that started early in 2020 taking effect, there was a massive shift to remote work, because of this companies became more reliant on the cloud. This massive shift has not gone unnoticed, especially by cybercriminals and bad actors, many of which saw the opportunity to attack the cloud because of this new remote work environment. Companies have to constantly remind their employees to keep constant vigilance especially remotely. Constantly keeping up to date with the latest security measures and policies, mishaps in communication are some of the things that these cybercriminals are looking for and will prey upon.
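Review bot: the claim in the first paragraph that infrastructure compromise is "listed as the attack with the highest amount of payoff" is sourced to a chapter titled "Towards preventing QR code based attacks on android phone using security warnings", which does not read as a source for a statement about cloud infrastructure attacks. Tidying the citation fields does not address that; the reference should be checked against the claim and replaced or tagged. The same paragraph also equates infrastructure compromise with zero-day exploits without a source.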
Line 131:
The attacks that can be made on cloud computing systems include [[Man-in-the-middle attack|man-in-the middle]] attacks, [[phishing]] attacks, authentication attacks, and malware attacks. One of the largest threats is considered to be malware attacks, such as [[Trojan horse (computing)|Trojan horses]].
 
Recent research conducted in 2022 has revealed that the Trojan horse injection method is a serious problem with harmful impacts on cloud computing systems. A Trojan attack on cloud systems tries to insert an application or service into the system that can impact the cloud services by changing or stopping the functionalities. When the cloud system identifies the attacks as legitimate, the service or application is performed which can damage and infect the cloud system.<ref>{{cite journal |last1=Kanaker |first1=Hasan |last2=Abdel Karim |first2=Nader |last3=A.B. Awwad |first3=Samer |last4=H.A. Ismail |first4=Nurul |last5=Zraqou |first5=Jamal |last6=M. F. Al ali |first6=Abdulla |title=Trojan Horse Infection Detection in Cloud Based Environment Using Machine Learning |journal=International Journal of Interactive Mobile Technologies (iJIMIJIM) |date=20 December 2022 |volume=16 |issue=24 |pages=81–106 |doi=10.3991/ijim.v16i24.35763 |doi-access=free }}</ref>
 
==Encryption==
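Review bot: in the Kanaker reference, initials sit in the surname fields (`|last3=A.B. Awwad`, `|last4=H.A. Ismail`, `|last6=M. F. Al ali`), so these authors will sort and display incorrectly; move the initials into the matching `|firstN=` fields. The journal value also renders as "(iJIMIJIM)", two casings of the abbreviation run together; confirm which one the saved revision keeps and match the journal's own styling.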