The technical aspects of data security in the cloud are one of the main things companies and end users weigh when they think about moving to the cloud. Here is a discussion.
Cloud computing is no longer just a buzzword; over the years it has established itself as a serious technology and an alternative resource for infrastructure, platforms and applications. Cloud computing now offers its own unique cloud-based solutions for certain services. End users, for example, can move locally stored data to the cloud, and an Internet connection from anywhere is enough to take advantage of this. But that is not the only advantage cloud computing provides. Small and medium-sized companies in particular can use the technology to react flexibly to new IT requirements. In addition to outsourcing data, it is possible to combine cloud services with the company's own data center. Through the sharing of resources, customers gain cost savings and quality benefits from using the standardized services available on the market.
The cloud service provider (CSP) benefits from the sharing of resources and the improved utilization of its systems, but this also poses dangers. Regardless of whether the offering is infrastructure, a platform or an application, all providers have to overcome a major challenge with respect to the end user. Standards and certifications help both sides: they help the CSP make sure its systems are on par with the available standards, and they help the user distinguish legitimate cloud service providers from non-legitimate ones.
Data security must be guaranteed for all data in the first place. In addition to the availability of systems and the integrity of data, this includes the confidential handling of data stored in the cloud. Therefore, the CSP must take extensive technical security measures.
Technical Aspects of Data Security in the Cloud : Problems and Objectives
The supposedly inadequate security of cloud service providers (CSPs), coupled with end users' uncertainty about data security, deters many clients from outsourcing company-internal or personal data to the cloud. This barrier is confirmed by various third-party statistics. A security survey covering over 1200 named the risks of a cloud environment as the biggest obstacle. This attitude is quite understandable, since a comprehensive cloud solution is a very complex structure. Such an extensive system has many potential sources of error, and this results in a large attack surface for hackers. Therefore, the security of data is of vital importance for the CSP, because if data leaks at any point, customer acceptance is quickly depleted.
The ultimate goal of this article is to lower the barriers around data security by describing the technical, security-related components. This can improve end-user acceptance, since the security risk is reduced compared to a cloud solution implemented without any such measures. The article therefore also addresses the role of the legislature, which sets the legal requirements on technology, and the guidelines for dealing with standards and certifications.
Technical Aspects of Data Security in the Cloud : Legislature and Standards
Data security is the property of a functionally reliable system to accept only those system states which do not lead to unauthorized access to system resources and data. Based on this definition, and using the protection goals of confidentiality, integrity and availability of data defined in ISO 27001, the security of a system is maintained. Accordingly, the provider of a system has to take all the measures necessary to make a functioning system available to the end user. Primarily, these measures protect the system from unauthorized access, which could lead to the manipulation or even deletion of existing data. Two important standards for any CSP are ISO 27001 and ISO 27002. These standards define the IT Baseline Protection and monitoring guidelines. However, they were not developed specifically for the cloud, but as general IT policies.
Technical Aspects of Data Security in the Cloud : Planning Model
When the security of a web application is considered, the assessment almost always looks at whether programming and configuration are faulty or correct. Even if this view is correct, this level (the implementation level) is only one of several aspects that should be considered. In order to assess a web application as fully secure, it is essential to consider all levels and to pay attention to possibly adverse interactions between the individual levels. Web application security can be divided into 6 sections. Even if a classification to exactly one level is not always possible, this model can be very helpful in understanding the subject matter and in organizing the management of web application security.
Level 0 – Network and host
Although web application security is of course also dependent on the security of the network, hardware and host, this level is not directly allocated to this area of security. Security at this level is nowadays taken for granted and is firmly anchored in the security of business processes.
Level 1 – System Level
Level 1 contains all the software components that a web application requires in order to run. This includes servers such as application servers and web servers, and the databases involved as back-end systems. In order to assess the security of a web application, it is important to include all of these components in the consideration. If the database is accessed via an insecure channel, it is exposed to manipulation from the web and therefore represents a target for hackers.
Level 2 – Technology
This area includes the technologies that are used to protect an application. When a web application, for example, transmits sensitive information unencrypted over the Internet, the right technology is not used for transmission. If the web application transmits the data in encrypted form but uses too short an encryption key, the right technology is used, but it is used incorrectly.
In the first example, the transmission is completely unprotected against eavesdropping; in the second example, there is the danger of attacks that use a cracking method. Thus, both applications are insecure, although the program code contains no security vulnerabilities.
Level 3 – Implementation
This level is the one with the most obvious reference to web application security. At the implementation level, programming errors can occur that lead to security problems. In addition, errors can occur when testing an application, such as a one-sided testing approach or the neglect of quality assurance in order to save costs or to meet deadlines.
Level 4 – Logic
Level 4 is devoted to the logic of the processes within the application. These are mainly the application and business logic and the interaction with the user. If this logic was implemented in a narrowly “purpose-oriented” way, a vulnerability arises because too little consideration was given to how the application could be used differently than intended. For example, disabling a user after the fifth failed login attempt gives an attacker an easy way to selectively lock out certain users. This is made easier by easy-to-guess user IDs, such as the e-mail address.
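The lockout problem described under Level 4, as an added example that is not part of the original article: the policy from the text beside a hypothetical alternative that delays retries per (user, source) pair. The class names, delay values and sample events are assumptions constructed for illustration.

```python
class HardLockout:
    """The policy from the text: disable the account after the fifth failure."""
    def __init__(self, limit=5):
        self.limit = limit
        self.failures = {}          # user -> failed attempts from any source

    def allowed(self, user, source, now):
        return self.failures.get(user, 0) < self.limit

    def record_failure(self, user, source, now):
        self.failures[user] = self.failures.get(user, 0) + 1


class ScopedThrottle:
    """Hypothetical alternative: exponential delay per (user, source) pair."""
    def __init__(self, base=1.0, cap=300.0):
        self.base, self.cap = base, cap
        self.state = {}             # (user, source) -> (failures, blocked_until)

    def allowed(self, user, source, now):
        return now >= self.state.get((user, source), (0, 0.0))[1]

    def record_failure(self, user, source, now):
        count = self.state.get((user, source), (0, 0.0))[0] + 1
        delay = min(self.cap, self.base * 2 ** (count - 1))
        self.state[(user, source)] = (count, now + delay)


def replay(policy, events):
    """Feed (time, user, source) failed logins; return how many were evaluated."""
    evaluated = 0
    for now, user, source in events:
        if policy.allowed(user, source, now):
            policy.record_failure(user, source, now)
            evaluated += 1
    return evaluated


# Constructed sample: five wrong passwords for one guessable ID from one source.
EVENTS = [(float(t), "alice@example.com", "203.0.113.7") for t in range(5)]


def owner_can_log_in(policy):
    """After those failures, may the real owner try from a different source?"""
    replay(policy, EVENTS)
    return policy.allowed("alice@example.com", "198.51.100.20", now=5.0)


if __name__ == "__main__":
    print("hard lockout :", owner_can_log_in(HardLockout()))
    print("scoped delay :", owner_can_log_in(ScopedThrottle()))
```

Keying the delay on the source alone does not limit guessing that is spread across many sources, so a deployment would pair it with a further control such as a second factor.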
Level 5 – Semantics
The semantic level concerns the communication content and related aspects. It establishes the trust context for the interaction of the application with the user. In this area, the approach is very difficult to limit to a single application. The rules and guidelines in this area tend to affect entire sites or even span companies. If errors occur at the semantic level, the following attacks, for example, are to be expected: social engineering, phishing, identity theft, fraud, forgery, and breaches of data protection and privacy.
Level 6 – Rules and Regulations
Technical Aspects of Data Security in the Cloud : Authentication and Encryption
An identity and access management strategy built on the latest authentication technologies requires good planning. Appropriate technologies and products must be tested. In this previous article, we discussed the latest authentication technologies in terms of encryption, access control, biometrics and authentication.