Introduction
Cloud technologies and related solutions help to achieve both significant savings and flexibility. However, when implementing these technologies in enterprises, traditional processes should not be left without attention – they need to be optimized regarding new conditions. Because of the lack of physical access to servers in public cloud environments, security issues become even more important as in case of emergency there will not be an opportunity to press a shutdown button. In public clouds, it takes only a few minutes, as well as a credit card to create new client accounts and cloud servers. According to many enterprises’ experience, companies cannot prevent situations when their employees, for example, acquire resources for modeling purposes, including their cost in travel expenses or by paying with corporate credit cards. As a result, the actual number of cloud servers on which confidential corporate data are stored can significantly exceed the amount that is under the control of responsible specialists. Therefore, ensuring security and saving valuable data is an urgent task for most large companies that value their reputation and are ready to protect their employees and clients.
Access to Cloud Servers and Control of Resources Used
Controlled Use of Resources
It is much safer to provide enterprise employees with controlled access to cloud resources than to try to block access to them entirely. Surely, it must be done within vital limits. It will not only streamline access but also manage it. According to [1], many brokers of external and internal clouds offer extensive opportunities for administering access for individuals according to a user, role, or client model in the public domain. On the one hand, in this case, only those rights that are needed by users are granted, and on the other, security at the enterprise is increased since the rights are distributed centrally and differentially.
In many cases, even a combination of local and external resources is possible. Refusal of these functions is equivalent to having one standard password for all company employees working on a shared computer. Of course, it is not the most favorable scenario. Therefore, the creation and use of roles, individual accounts, or clients should be considered mandatory. Regardless of which operating system a cloud server is working on, access to it must be protected. Certainly, it is possible to rely on random passwords provided by a cloud broker; nevertheless, users usually write these passwords somewhere or replace them with standard combinations. It should be noted that both options are not fortunate enough.
Access to Cloud Servers
One approach is to separate the internal and external confirmation of access rights [3]. It can be implemented due to personal access servers or with the help of specific commercial solutions. In this case, employees indicate their internal password for registration on an access server, and after checking the rights granted to them access to a cloud server. Thus, when applying to external resources, they can use their domain passwords without compromising security.
This option is attractive especially in Windows environments because, from many users’ point of view, domain passwords are suitable for authorization on cloud servers. External resources do not gain access to Active Directory elements, and they do not need to be included in the domain [2]. Periodic password change is also much easier (and in some cases is finally possible) since internal and external processes are divided.
Adherence to Basic Principles of Protection
The legality of personal processing data in cloud services depends on compliance with the basic principles of data protection laws. Transparency concerning data subject must be guaranteed; the specification of the target should be observed. Also, personal information must be erased as soon as the need for them disappears. Appropriate technical and organizational measures should be taken to ensure an adequate level of data protection and security. The principle of transparency is a crucial aspect that is associated with the fair and lawful processing of personal information. The client must provide any data that is necessary to ensure a just review of the rights concerning a data subject.
The principle of definition and restriction of the goal requires collecting personal data for specific, explicit, and legitimate purposes that are not subjected to additional processing, diverging from these objects. The client must determine the goal of processing until the time of the collection of personal data and be informed about this moment. It also should not transmit information for other purposes that are not compatible with the original ones. According to [3], a cloud resource can include a large number of subcontractors, and the risk of personal processing data for further incompatible purposes should be rated as high enough. The contract that is concluded between the provider and the client must contain special measures of technical and organizational security. It will reduce the possible risk and will give certain guarantees when registering and evaluating necessary operations for processing personal data. If data protection legislation is violated, fines for a supplier or subcontractor must be imposed regarding the terms of the contract.
Personal Data Deletion
All personal information must be contained in such a way that data concerning certain subjects could be used solely to draw up a general picture of users. The useless data should be deleted or translated into confidential status [5]. If these data cannot be removed due to legal storage rules, for example, tax laws, access to this information must be blocked. The responsibility for the removal of personal data that ceases to be necessary for a particular goal is vested in a cloud computing provider.
The principle of deleting information applies to personal data, regardless of whether it is stored on hard disks or other media (for example, tape with backup copies). Since personal data can be placed on different servers, the provider must ensure that each instance is deleted irreparably (i.e. previous versions, temporary files, and the fragments of the file). The client must ensure that the provider’s cloud provides a secure deletion and that the contract between the provider and the client contains clear instructions for erasing personal information. The same applies to agreements between cloud providers and subcontractors.
Auditing and Assessment
Basic Rules of Assessment
The central question about cloud services is whether it is possible to use these resources safely. However, a full answer depends on a clear understanding of the degree of acceptable risk in a particular organization. Reference [4] presents information about risks; recognition of what risk level is satisfactory depends on the assessment of specific security requirements and how valuable the information assets are – data, applications, and processes. Only by focusing on these issues is it possible to make a reasonable decision about which deployment models and service delivery platforms are appropriate to the needs and acceptable risk.
Before taking a public or hybrid model, it is essential to determine personal information assets. Any choice will include at least some reduction in control over how this information will be protected, and where it may be located (a place of storage and jurisdiction). With intercorporate hosting and the presence of local private clouds, additional efforts are required to organize the necessary infrastructure. It is also essential not to forget that many information assets are not limited to data. Applications and processes can quickly prove to be as vital as the information itself. In many areas, such as analytics and finance, algorithms and programs used are often organizations’ secrets. Their disclosure can lead to catastrophic losses for an enterprise and cause a violation of corporate laws.
Risk assessment
The main problem in risk assessment is uncertainty expressed in the conditions of probability. This circumstance requires a more detailed analysis of information assets. Their identifying can be a difficult task, especially when taking into account the principle of the principle of continuous copying of digital content. A typical organization seldom controls its information reliably enough. Quite often, it implies a minimal guarantee that there are no other copies of a particular piece of information. What concerns protecting digital data, it is by far not the best option. However, in most organizations, there are many other problems in managing their information assets.
When planning the transfer of specific data to a particular cloud, it is necessary to be sure of the correct classification of information by type. As a rule, the problem lies primarily in this task. It may not be so dangerous if computing systems forcibly carry out the labeling of information; nevertheless, it is not usually done. Data marking in most computer systems is based on the real processes of individuals who need appropriate access to information. By combining the placement of unclassified data in a public cloud and deploying intercorporate systems to host confidential information, it is possible to save some money without increasing a risk level [2]. In those enterprises where the use of a private cloud does not raise new risks for information assets, the use of a hybrid or public cloud can create new threats. The transition from a traditional model of information technology to a private cloud model can reduce the possible danger.
Data Management
It is necessary to realize that the security of confidential data and its management are two different problems. In the framework of a legal process, it is essential to have a thorough understanding of the confidentiality management process, as well as the provider’s security guidelines. The processing of information is subject to privacy laws. Other types of business data and everything related to national security are associated with much more stringent rules. The safety of state information and the ways of its processing is regulated by a developed set of laws and guidelines. Although the cloud is a relatively new model, it is sufficient to understand that no classified information should be stored in a public cloud. Other government agencies that do not work with confidential or detailed data should be the object of increased attention.
Suffice it to say that when studying the possibility of using a public cloud, there are many different and independent spheres of activity – from the governments of states to local authorities. Since the size and number of levels in management structures are rather significant, it is more reasonable to use some so-called communal clouds that help to avoid using public storage and related problems. On the other hand, if state structures use a public cloud, this service should fully meet the interests of tenants and ensure the implementation of all the rules and laws [5]. It is possible that the tenant can implement additional methods of security control that meet regulatory or legislative requirements even if underlying public services do not fully meet these criteria. However, it is significant to understand that the set of additional controls that can be added by the tenant is limited and does not always allow closing gaps in some public cloud services. Whichever cloud model could be chosen; security issues should not be forgotten.
Data Security
Data Encryption
Providing a securely protected cloud server for data processing is just the first step in using cloud services. In the second and third phases, it is necessary to move specific data to a secure cloud server and take care that they are safe (that is, outside the physical access area of the client). The latter can be provided with the help of full encryption of virtual hard disks: in case of the need for access, information is decrypted during reading, and then is encrypted again when being recorded. It helps to avoid situations when unencrypted data falls into long-term storage of service providers or is stored as backup copies.
According to [1], when encrypting data, there is always a question about the keys. Their storage on a cloud server is inadvisable since anyone who has access to cloud servers or templates can get a particular key and hence decrypted data. A password input when the system is started is complicated due to the lack of any console; nevertheless, this procedure is replaced with the request that a cloud server sends to an external source – a key management server.
The server checks the identity of the cloud server that sent the request (for example, by IP addresses, templates, data center, or location) and integrity (firewall, installed patches, a useful antivirus scanner) just like a person does with traditional encryption of hard disks. In case of success, the key is provided with either automatically or after confirmation by an authorized person. After that, the cloud server gets access to specific data and functions successfully until its integrity or identity is violated. A decisive factor for ensuring the security of this solution is the separate operation of the cloud server and the key management server: if both are located at the same cloud service provider, all the information is collected in one place again [4].
Data Availability
Ensuring accessibility means providing timely and reliable access to personal data. One of the severe threats to availability in the cloud is an accidental loss of network connection between the client and the provider or the server caused by dangerous activity: the denial of service, cyber-attacks, etc. As it is mentioned in [3], other risks include the presence of a random hardware failure both on the network and in data processing in the cloud and storage systems. Also, the hazards are related to power failures and other infrastructure problems. Data controllers must ensure that a cloud provider has taken reasonable steps to cope with such risks of violations as backing up the data on the Internet, redundant storage, and efficient data backup mechanisms.
Data Integrity
Integrity can be defined as a property that authenticates the data and is responsible for the fact that no dangerous or accidental changes occur during processing, storage, or transmission. The concept of integrity can be extended to IT-systems and requires remaining the processing of personal data in these systems unchanged. The identification of changes in personal data can be achieved by such cryptographic authentication mechanisms as message authentication codes or signatures [2]. Interference in the integrity of IT-systems in the cloud can be prevented or detected by the intrusion prevention system. It is especially vital in open-type networks, in which such resources usually work.
Isolation for Limitation
In cloud infrastructures, such resources as storage, memory, and the network are common to many tenants. It creates new risks for the data, exposing them to disclosure and processing for illegal purposes. Protecting the purpose of isolation is developed to solve this problem and assists in ensuring that specific information will not be used beyond its original purpose, as well as to maintain confidentiality and integrity.
First, achieving isolation requires adequate management of rights and roles to access personal data that are reviewed regularly. In the process of work, it is extremely important not to let the excess of corresponding privileges. It means that the client or the administrator of a specified service must not have the right to access to absolutely all information stored in the cloud. Here, the principle of the least privilege should be used when the user receives only those data to which he or she has access [4]. Secondly, isolation also depends on technical measures such as hardening hypervisors and proper management of shared resources if virtual machines are used to distribute these sources among different clients [4].
Evolving Threat Landscape
Data Theft
The theft of confidential corporate information always frightens organizations in any IT-infrastructure. However, a cloud model opens up new and significant attack routes. If such a database is not properly thought out, a flaw in the application of one client admits an attacker to the data of not only this client but also all other users of the cloud.
Every cloud resource has several levels of protection, each of which protects information from various types of theft [1]. For example, if it is about the physical security of the server, it is not connected with hacking but with the theft or damage to information carriers. Certainly, it is hard to take a server out of a particular building. Moreover, any self-respecting company stores information in data centers with security, video surveillance, and restricted access not only to outsiders but also to most employees of the company. Thus, the probability that an attacker will just come and take the information is close to zero. As a rule, large companies do not keep all the information on one server. Therefore, even if a hacking attack happens, it will not bring too much harm, and its consequences will be much less painful. As practice shows, most often, the database of email addresses is stolen. It means that the user will just receive some spam in the mailbox and will not experience severe troubles.
Data Loss
Data stored in the cloud can be stolen by intruders or lost for another reason. According to [5], if a cloud service provider does not implement proper backup measures, valuable information can be accidentally deleted by the provider, or they will suffer in case of a fire or natural disaster. On the other hand, customers who encrypt the data before uploading them to the cloud and suddenly lose their encryption keys will also lose their data.
The fear is justified, but similar problems can be avoided by a backup. Companies that care about customers and reputation automatically copy the database at least two times a day. Thus, if a user contacts technical support with a message about randomly deleted but essential files, they can be restored. Such a problem should also be addressed proactively by the user. It refers to the issue of coaching and computer literacy of colleagues, as well as limiting access rights to change and delete files. If all the measures are observed, the chances they valuable information will be lost forever are minimal, and any user will be able to work with necessary electronic resources without any fear of being robbed.
Theft of Accounts and Services Hacking
In the cloud environment, an attacker can use the stolen login information to intercept or falsify corrupted data to redirect users to malicious sites. Organizations should prohibit distributing their registration information to other employees and using the same passwords for all services. It is also necessary to introduce reliable and two-factor authentication to reduce the risk.
Weak interfaces used by customers to manage and interact with cloud services subject the organization to various threats. These models should be designed appropriately and must include authentication, access control, and encryption to provide the necessary protection and availability of cloud services. According to [1], organizations and third-party contractors often use cloud interfaces to provide additional services, which makes them more complicated and increases the risk, since it may be necessary for the customer to provide his or her registration information to such a contractor to simplify the provision of services.
Denial-of-service attacks can also occur. This threat can cause infrastructure overloading, forcing to use a lot of system resources and not letting customers use this service can. Press attention is often drawn to DoS-attacks, but there are different types of these threats that can block cloud computing [2]. For example, attackers can run asymmetric application-level DoS-attacks using vulnerabilities in web servers, databases, or other cloud resources to provide an application with a minimal payload.
An insider with unseemly intentions (for example, a system administrator) can gain access to confidential information that he or she must not use. Systems that rely solely on a cloud service provider are at risk. Even if encryption is implemented, the system is still susceptible to malicious insider actions, especially when all the keys being available only for the period of using the data are not stored just by the customer [2].
Cloud computing allows organizations of any size to use high computing power; nevertheless, anyone may want to use such possibilities with unseemly intentions. For example, a hacker can use the combined energy of cloud servers to crack an encryption key and do harm to a particular system. According to [3], cloud service providers need to consider how they will track people who use the power of the cloud infrastructure and how such violations can be detected and prevented in case of necessity.
In pursuit of lower costs and other advantages of the cloud, some organizations try to use such services and do realize all the consequences of this step. Companies and enterprises need to conduct extensive and rigorous testing of their internal systems and a potential cloud provider to understand all the risks that they are exposed to by moving on to a new model. In any cloud delivery model, there is a threat of vulnerability through shared resources. If a critical component of shared technology is hacked, it puts at risk not only an affected customer, and the entire cloud environment becomes vulnerable.
Computer Viruses
For the modern business, computer viruses are a severe threat. At the moment, almost any company has its information system and actively uses it in its work. Infecting the corporate network with computer viruses can lead to the failure of all information services, work disruptions, data theft, or destruction. The penetration of virus programs into an enterprise network can give an attacker complete or partial control over all the operations of a particular enterprise. Thus, it is necessary to develop an advanced system of protection to counteract any malware.
Natural Threats
The situation is much more evident with natural threats. This type of danger includes the theft of equipment with information, for example, a computer or another media resource. They also include all types of natural disasters: tsunamis, hurricanes, lightning strikes. As it is mentioned in [4], the threat of fire is probably the most common. In this situation, measures to ensure fire safety include not only the protection of people’s lives but also the security of valuable information.
Activities of WEll-Known Cloud Providers in Data Protection
It is necessary to consider the most popular services to navigate better in modern technologies aimed at protecting personal data in cloud storage. The analysis of their work and approach to keeping secret information will provide an accurate picture of which provider is the most reliable. This information can be useful both for ordinary users of the network and various business organizations since protecting corporate data is an essential task for them. Therefore, the three most popular cloud providers should be observed to get a full vision of their activities the process of data protection.
Features of Google Drive
Google Drive is a cloud-based data service that is a Google product. This provider allows users to store their data on servers in the cloud and share them with other users on the Internet. According to [6], it is possible to save not only documents but also various media files of large sizes, which is undoubtedly a plus. This cloud is quite convenient for storing copies of relevant documents, even if the hard drive of a computer or other electronic media will be irretrievably lost. Nevertheless, providing control over confidential data to someone else might be a problem. Before downloading necessary documents, it is significant to consider protecting them with a password. It will help to keep a specific account in safe, even if it undergoes a hacker attack, and no one will access files without a password. Even Google itself can not view encrypted data, which allows speaking of a high level of confidentiality.
There are quite a few different ways to protect files in Google Drive, but one of the easiest ones is creating an encrypted archive. Another way is to use a particular application that creates a secure folder on the space in Google Drive and allows storing necessary files there. However, it is necessary to have an access password to the application to have access to specific files. Setting up two-level authentication also increases the security of the entire space in Google, including a specific account [6]. Moreover, the service stores the previous versions of the files for 30 days. In case that they occupy too much free space, they can always be deleted. Thus, despite some difficulties in work, the Google Drive service offers quite safe protection systems and can be considered one of the reliable cloud providers.
Peculiarities of the Dropbox Service
Despite the emergence of numerous competitors, Dropbox confidently continues to hold one of the leading positions among the services for storing and synchronizing data. For those who are concerned about the security of remotely stored files when working with this service, there is a special application that allows encrypting files placed in a folder with the same name. During installation, this app automatically searches for the Dropbox directory and prompts the user to create an individual folder inside it [6]. Along with it, a virtual disk is created, where it is also possible to copy virtual data. When saving some information in a secure vault, it encrypted immediately. Once the user tries to open the file, the program decrypts it in real-time. Thus, the work of this application does not cause any inconvenience; at the same time, while on the server Dropbox, all files are transmitted in encrypted form, which excludes the possibility of access to them by third parties. Unlike other solutions for data security, individual information is encrypted, not containers. Due to it, there is no problem with synchronizing personal files, as well as changing the size of virtual storage.
Nevertheless, this solution has some drawbacks. The main one is that the corresponding application must be installed on all computers that are bound to the Dropbox account. Without it, the user will be able to see only the names of the files, and when a person tries to open them, they will get a set of unreadable characters. Moreover, as it is mentioned in [6], it will be impossible to use the web version of the service. The file downloaded into someone else’s computer will not open. Despite all these minor inconveniences, Dropbox is still one of the leading cloud services and has a large audience of users who have trusted their data to this provider for a decade.
Functional of Microsoft OneDrive
OneDrive cloud storage is one of the most popular in the world. It is necessary to acquire a Microsoft account to use this provider; otherwise, the system will be useless. During the subscription, the company takes some reliable security measures to protect the client from the actions of hackers [6]. Microsoft offers and requires entering a complex password consisting of at least eight characters with case-sensitive letters. All of it is done for the sake of safety.
Microsoft is very serious about the security of accounts. The two-step verification of the provider has quite a lot of functionality, and it is convenient to use the system both for the protection of personal data and any business information that requires increased secrecy. According to [6], in its work, OneDrive uses an HTTPS connection. The history of visits to the account can be obtained in a special section of the settings. From there, users can also manage any application. OneDrive offers a free file history viewer for office documents. Saved copies of other file formats are available for business-level users. Therefore, when making changes to Office documents, it is possible to view their previous version in OneDrive for free. All the files of this cloud provider are not available without the personal permission of the account holder. Despite this fact, OneDrive does not encrypt the files that are uploaded to its server. The user can take advantage of third-party encryption services to provide a higher level of security for certain data.
All these three cloud providers are reliable enough and offer different degrees of protection and processing of personal data. The use of these services will help to keep the necessary information secret; however, sometimes it may require some additional measures. Many users note that the capabilities of modern cloud systems are being improved from year to year, which allows using new ways of protecting information. At the same time, there are quite a few other programs that also provide information storage capabilities, but the three services mentioned are perhaps the most famous in the whole world and well-known for their serious approach to data protection.
Conclusion
Thus, ensuring security and saving essential data is an urgent task for most large enterprises and companies since the protection of employees’ and clients’ private information is significant because of cyber-attacks and other similar threats. IT-departments need to tell employees about security issues, achieve comprehensive data management and compliance policies, develop recommendations for the implementation of cloud services, and establish rules about what data can be stored in the cloud and what information is unsuitable for this purpose. Enterprises need to pay more attention to the introduction of more efficient mechanisms to control user access. It is especially necessary for all the companies that provide access to their data in the cloud. The popularity of modern cloud providers and the variety of databases is caused by users’ desire to keep their data is safe. Modern protection methods include the use of different that can ensure the security of data and save all the information from cyber-attacks and other types of crimes.
References
W. He, G. Yan, and L.D. Xu, “Developing vehicular data cloud services in the IoT environment,” IEEE Trans. on Ind. Inform., vol. 10, pp. 1587-1595, 2014, in press.
S. Pearson. “Privacy, security and trust in cloud computing,” in Privacy and security for cloud computing, S. Pearson and G. Yee, Eds. London: Springer, 2013, pp. 3-42, in press.
T.H. Noor, Q.Z. Sheng, L. Yao, S. Dustdar, and A.H.H. Ngu, “CloudArmor: supporting reputation-based trust management for cloud services,” IEEE Trans. on Ind. Inform., vol. 27, pp. 367-380, 2015, in press.
W.J. Fan, S.L. Yan, H. Perros, and J. Pei, “A multi-dimensional trust-aware cloud service selection mechanism based on evidential reasoning approach,” Int. J. Autom. Comput., vol. 12, pp. 208-219, 2015, in press.
Y. Sun, J. Zhang, Y. Xiong, and G. Zhu, “Data security and privacy in cloud computing,” Int. J. Distr. Sens. Netw., vol. 10, pp. 237-269, 2014, in press.
M.N.O. Sadiku, S.M, Musa, and O.D. Momoh, “Cloud computing: opportunities and challenges,” IEEE Potentials, vol. 33, pp. 34-36, 2014, in press.