Cloud computing continues to proliferate most of the worlds largest companies, governments, and organization. Its benefits create a compelling value proposition for nearly all stakeholder groups in the form of higher efficiencies, better access to data, and better reliability. Unfortunately these benefits result in a corresponding increase in security vulnerabilities. This document will address these vulnerabilities and how they impact organizations utilizing cloud computing. Emphasis will be place on the more common vulnerabilities and possible solutions to rectify them. Cloud Computing is increasing becoming a very contentious issue for businesses, governments, and communities around the world. A study initiated by Gartner found that cloud computing is considered one of the top 10 most influential technologies in the world (Gartner 2011). The prospects for the cloud are endless as adaptations can create enhancements in all industries. Industries typically use cloud computing to enhance efficiencies, reduce costs, reduce overall head, and increase returns on investment. The ability of cloud computing to provide ubiquitous and on-demand network access is also compelling for industries that require continually access throughout the day. Banks, insurance companies, and national defense organization must be all be operational throughout the entire day. Due to the ability of cloud computing to provide secure and convenient data storage over the internet, these organization can run their core processes 24 hours a day.

Cloud computing is unique in that it combines a number of varying concepts and technologies together in one package. Aspects such as Service Oriented Architecture, the Internet, and storage facilities are all used simultaneously to provide a compelling product. However, due to the sheer volume of applications and moving parts, cloud computing does present interesting security challenges. This is due primarily to the relative uncertainty regarding the adoption of new technology combined with the varying degrees of applications and materials needed for adoption. Making security more difficult is this uncertainty occurring at all levels of the cloud computing process including the (network, host, application, and data levels). As a result, many IT executives acknowledge that security is their primary concern regarding the cloud and information content (Mather, 2009).

In particular cloud-computing security risk occurs in three main areas. The areas include external data storage, the use of "public" Internet and inherent lack of control of doing so, and the overall integration process. As result of these security risks traditional methods such as identity, authentication and authorization are no longer viable. Therefore new and unique solutions are required to address the changing landscape of cloud application and their overall structure.

Literature Review/Discussion and Analysis

What security vulnerabilities and threats are the most important in Cloud Computing and how can organizations properly handle them? To begin, the traditional cloud-computing model has three separate types of services, which are described below. These definitions are taken directly from the Journal of Internet Services and Applications Journal.

1) Software as a Service- the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. In general the applications are accessible from various client devices through a thin client interface such as a web browser (Hashizume, pg 3).

2) Platform as a Service -- The capability provided to the consumer is to deploy onto the cloud infrastructure his own applications without installing any platform or tools on their local machines. PaaS refers to providing platform layer resources, including operating system support and software development frameworks that can be used to build higher-level services (Hashizume, pg 3).

3) Infrastructure as a Service.- The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications (Hashizume, pg3)

In addition to the models presented above, a very popular form of cloud computing is the hybrid cloud. Hybrid clouds are a combination of public and private cloud offerings which provides companies with much wider degree of freedom and security. It also allows for the exchange of information across disparate cloud offerings. This allows customers to use third party application in the manner in which they see fit.

In regards to security and vulnerability each has its respective strengths and weaknesses. For example with SaaS the overall security burden in on the cloud provider. This creates obvious problems for a business, as they are almost entirely dependent on the provider to provide secure access to private information. This vulnerability is the direct result of the overall intergration needed with the SaaS model. In contrast however, the PaaS and IaaS models are much more secure as the consumer...

Creating further frustration of cloud adoptors is the overall intergration between each model. PaaS and SaaS are hosting on top of IaaS. Therefore, a breach in IaaS will correspond to a breach in each of the upper two layers, thus creating systemic effects on security. For example, a SaaS provider may rent a development environment from a PaaS provider. This PaaS provider may in turn, rent the foundational infrastructure from an IaaS provider. Each provider is therefore responsible for it own security. As a result, the overall infrastructure could be prone to attack if one chain in the overall link is weak relative to the others. Further, it will be difficult to identify this weak link prior to the breach or attack occurring as each individual provider is in charge of his or her own security measures. Finally, when attack does occur the identification of the cause of the vulnerability will be difficult to access.
The relationship between threats and vulnerabilities is dynamic. Although vulnerabilities are often identifies in the overall technology and application, individuals employees are often a major vulnerability. This is particularly true for the SaaS model which relies extensively on the internet and third party providers. For example, cloud services are often accessed through API's or application programming interface. In essence, an API governs the rules in which one application can talk to another. For example, in a simple context, API's when using a laptop allow information to be moved between programs. Cutting and pasting text in a word document in excel spreadsheet is an example. API's on a more sophisticated level, allow services to use applications such as Google Maps. For example, the Internet website Yelp uses Google Maps to provide directions to a particular destination. In the context of cloud computing, API's are essential because they allow for the overall exchange of information and proper functioning of the application. The security of the cloud therefore depends on the security of these interfaces. A major security concern and vulnerability are weak credentials and insufficient authorization checks. In addition, insufficient input-data validation creates an enormous concern for security (Mather, 2009).

These vulnerabilities often occur due to insufficient safeguards on the human level. Aspects such as proper background checks, although common sense, seem to allude cloud computing providers. Privileged users often have unlimited access to cloud data, creating significant concerns. In addition, nearly anyone can open an account with a valid credit card and email. Although this accessible is an important benefit of using the cloud to begin with, it still should be monitored more rigorously. Apocryphal accounts for example, can allow hackers and other participants to perform malicious activity without detection.

In addition to the human component mentioned in detail above, Cloud Computing has vulnerabilities relating directly to its structure as well. The first, most oblivious, and highest profile threat to cloud computing occurs with service hijacking. An account theft through the cloud often occurs through social engineering (Schubert, 2009). Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. This can occur through baiting, quid pro quo, and other means. With access to a cloud users credentials, the hijacker can then conduct malicious activities designed to manipulate data and redirect transactions.

In addition with cloud computing, information is continually stored and accessed. However, once information is deleted, it is not completely removed from the system. Computing professionals can therefore use the cloud to recover data that was believed to be deleted, using it for malicious activities. Cloud computing uses the "Public" interent. Therefore, all individuals have access to the internet. Data leakage can therefore occur when data is transferred to hackers during the transition, storage of processing phase of the cloud computing process. Below is a chart summarizing both the vulnerabilities and threats discusses so far.

Vulnerabilities

Threats

Insufficient employee screening

Account and service hijacking

Insufficient customer background checks

Data Leakage

Insecure interfaces

Data Scavenging

Data related vulnerabilities

Solutions to these threats and vulnerabilities can change considerably. Hackers and those that wish ill will are constantly looking at new and innovation methods in which to obtain private information. In many instances, these individuals wish to sell this information to third parties on the black market looking to capitalize on it. Due to the lucrative nature of hacking and its ability to continually evolve, defense strategies must also evolve. Currently the solution to the threats and vulnerabilities mentioned above require a multi-faceted approach. Dynamic credentials for example…