What risks does the use of cloud computing entail for companies?

Saved by Jessica Kathage on March 1st, 2017 - 10:30 pm

Many potential users perceive cloud computing to be risky, especially when it comes to storing data. These security concerns are currently one of the main reasons many companies are reluctant to use cloud computing¹. But what risks does a company face if it wants to use cloud computing?


General Risks

Cloud computing systems are basically complex, distributed systems that offer numerous possibilities for malfunctions, attacks, failures or operating errors. In principle, they can therefore be assumed to face the same risks as a classic IT system. These include, for example²:

Risk: Accidental or deliberate misconduct

Explanation: e.g. through unauthorized copies of systems or data, manipulation, shutdown of hosts, changes to configuration settings and deletion of data by employees or subcontractors of the cloud service provider.

Risk: Exploitation of security gaps at the provider by internal or external attackers

Explanation: e.g. through other customers gaining access to the file system, unauthorized storage access or denial-of-service attacks. In the case of external attackers, e.g. through theft of data or program code or the manipulation or deletion of data, accounts, configuration settings, etc.

A denial-of-service attack (DoS attack) is an attack in which one or more server services are overloaded. The aim is to make a website inaccessible or to provoke the web server into crashing.

Risk: Abuse of the provider's platform

Explanation: e.g. through brute force attacks on passwords, botnets or malware.

A brute force attack is often used to crack passwords. This can be done by trying out all possible combinations of letters or numbers or by so-called dictionary attacks. Dictionary attacks assume that many users choose familiar words as passwords, so terms from dictionaries are tried as candidate passwords.

In a botnet, users' computers are infected with malware, often without the user's knowledge. This malware forms the basis for massive amounts of spam being sent.

Risk: Exploitation of security gaps on the transmission paths

Explanation: During transmission over the Internet between customer and provider, e.g. through eavesdropping on the data traffic or man-in-the-middle attacks, as well as via the interfaces and APIs provided.

In a man-in-the-middle attack, an attacker inserts themselves into the data traffic between the sender and recipient and manipulates it.

Risk: Security deficiencies in the technical infrastructure

Explanation: Missing or inadequate security concepts can lead to security deficiencies in different areas of the technical infrastructure, e.g. through incomplete access control, improper handling of data backups, inadequate erasure of defective storage media before replacement or decommissioning, etc.

Table 1: General Risks
Source: Own illustration
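The distinction drawn in Table 1 between trying all combinations and dictionary attacks, seen from the defender's side as an added example (not part of the original article): a signup-time password screen that estimates the exhaustive search space and separately rejects passwords derived from dictionary words. The wordlist, the substitution table and the 60-bit threshold are constructed assumptions.

```python
import math
import string
from typing import Optional

# Constructed sample wordlist (assumption); a real screen would load a large
# dictionary or breached-password list.
WORDLIST = {"password", "sunshine", "dragon", "welcome", "football"}

# Common character substitutions users apply to dictionary words (assumption).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def exhaustive_bits(password: str) -> float:
    """Bits of work needed to try all combinations over the used character classes."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def dictionary_base(password: str) -> Optional[str]:
    """Return the dictionary word the password is derived from, if any."""
    lowered = password.lower()
    # Drop digits/symbols added at either end ("Dragon2017!" -> "dragon").
    stripped = lowered.strip(string.digits + string.punctuation)
    for candidate in (lowered, stripped,
                      lowered.translate(LEET), stripped.translate(LEET)):
        if candidate in WORDLIST:
            return candidate
    return None


def screen(password: str, min_bits: float = 60.0) -> str:
    """Classify a candidate password the way a signup check would."""
    base = dictionary_base(password)
    if base is not None:
        # Length and character mix do not help once the base word is guessable.
        return f"reject: derived from dictionary word '{base}'"
    if exhaustive_bits(password) < min_bits:
        return "reject: too short for its character set"
    return "accept"
```

A password such as `Dragon2017!` scores above 70 bits against exhaustive search yet is rejected, because a dictionary attack never has to search that space.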

Cloud-specific risks

In addition to the general risks, other cloud-specific risks result from the conditions of cloud computing:

Risk: Lack of transparency with regard to data management

Explanation: As a rule, the physical data storage cannot be checked by the customer, as this is the responsibility of the provider. Thus, among other things, the proper deletion of data, but also the successful and complete storage of data by the provider, can only be checked with difficulty by the client. Furthermore, the user has no insight into the underlying infrastructure.

Risk: Insufficient control options

Explanation: Controls for data processing can often only be carried out by the provider and not by the responsible user. The corresponding logs and documentation are held by the provider; an explicit control option for the user must be provided, or the data and documents made available must be trusted. On the part of the provider there are established standards for how corresponding information can be made available to the user.

Risk: Duplication and distribution of data

Explanation: As a rule, it is not clear to the user where their data is being processed. Such processing or storage can also take place in a distributed manner, especially if a cloud provider procures parts of its resources from third parties³.

Risk: Availability of services

Explanation: There is an increased risk for the availability of services. The stability of the interfaces is of great importance, as numerous services interlock. When changes are made to an interface, a number of the services based on it may no longer function. This risk also exists in the event of a failure or loss of services. If a cloud provider ceases to operate a service or terminates the contract, usually at very short notice, an equivalent replacement has to be found quickly.

Risk: Complexity of the IT landscape

Explanation: Using cloud computing, itself a complex, distributed system, increases the complexity of an IT landscape. This means that much more complex IT security management is required. Aspects that have so far been neglected, e.g. reacting to security gaps in the browsers of mobile devices, play an important role in the course of cloud computing⁴.

Risk: Dependency on the cloud provider

Explanation: With outsourcing, a company enters into a more or less strong dependency relationship with the provider, depending on the scope of the project. The user is dependent on the reliability of the provider. If the agreed services are not reliably provided or if the outsourced data is not handled appropriately, the provider is responsible for this, but it also has an impact on the company using it. There is also the risk of a so-called "vendor lock-in". If the result of a user-specific technology is that the service cannot be provided by another provider, this harbors the risk of "blackmail" by the provider.

Risk: Uncertainty about the legal framework

Explanation: The legal requirements for cloud computing are very complex, and in some cases there is no specific case law. This carries the risk of subsequent consequences. For example, it has not yet been sufficiently clarified under criminal law whether outsourcing data to a contractor under § 11 BDSG constitutes disclosure of a secret under § 203 StGB.

Risk: Loss of know-how

Explanation: When IT functions are outsourced, the company loses the know-how about providing these functions. Although this is usually desirable, it can lead to problems if the functions are to be brought back into the company, and can thus exacerbate a vendor lock-in.

Risk: Risk of profiling and passing on data

Explanation: Because usage is on demand, some data is logged in cloud computing for billing purposes. It cannot be ruled out that a provider creates usage profiles. Content data can also be viewed and evaluated. Unauthorized disclosure to third parties is also conceivable.


Footnote index:

1 See Haselmann, Till, Hoeren, Thomas, Vossen, Gottfried, Cloud Computing for Companies, 2012 p.175.
2 See Haselmann, Till, Hoeren, Thomas, Vossen, Gottfried, Cloud Computing for Companies, 2012 p.176.
3 See Haselmann, Till, Hoeren, Thomas, Vossen, Gottfried, Cloud Computing for Companies, 2012 p.178.
4 See Haselmann, Till, Hoeren, Thomas, Vossen, Gottfried, Cloud Computing for Companies, 2012 p.178.


Source:

[1] Haselmann, Till; Hoeren, Thomas; Vossen, Gottfried: Cloud Computing for Companies. Technical, economic, legal and organizational aspects, 1st edition, Heidelberg, 2012.