To mitigate against the threats discussed in the previous section, the following security measures must be taken into consideration to secure the cloud:
Protection from Data Breaches
- Encrypt sensitive data before the actual storage on cloud and in the network using some efficient key management algorithm.
- Implement proper isolation among virtual machines to guide against information leakage.
- Ensure proper access controls and implemented against unauthorized access.
- Conduct a risk assessment of the cloud environment to identify the storage of sensitive data and its transmission between various services and networks.
- Use attributed-based encryption to secure data before storage such that only users with access attributes and keys can access the data.
- Use fine-grained and scalable data access control.
Protection from data loss
- Maintain backup of all cloud data for replication purpose in the event of data loss.
- Protect data backup to maintain data metadata security properties such as integrity and confidentiality.
Protection from account or service hijacking
- Monitor network traffic and nodes in cloud to detect malicious activities via network security features like the intrusion detection systems (IDS).
- Ensure proper implementation of identity and access management to avoid unauthorized access to account credentials.
- Implement multi-factor authentication for remote access using at least two credentials.
- Audit all users’ privileged activities along with their associated information security events.
Protection from DoS
- Identify and implement all the basic security requirements of cloud network, applications, databases, and other services.
- Verify and close very potential loop hole that can be exploited by attackers by testing applications after designing.
- Prevent DDOS attacks by having extra network bandwidth, using intrusion detection system (IDS) that verify requests before reaching the cloud server, and maintaining a backup of IP pools for urgent cases.
- Secure cloud from DDOS using IDS in a virtual machine such that when an intrusion detection system detects an abnormal increase in inbound traffic, the targeted applications are transferred to VMs hosted on another data center.
Protection from insecure Interfaces and APIs
- Developers should design APIs via the principles of trusted computing.
- Cloud providers must ensure that APIs implemented in the cloud are designed securely and checked before deployment for possible flaws.
- Implement strong authentication mechanisms and access controls to secure data and services from insecure interfaces and APIs by following the Open Web Application Security Project (OWASP)
- Customers must analyze the interfaces and APIs of cloud providers before migrating their data to cloud.
Protection from malicious insiders
- Limit the hardware and infrastructure access to the authorized users only.
- Service providers must implement and enforce strong access control and segregation of duties in the management layer to restrict administrator access to only their authorized data and applications.
- Audit employees routinely for possible suspicious behavior.
- Make the employee behavior requirements a part of legal contract and take appropriate action(s) against anyone involved in malicious activities.
- Implement appropriate encryption in storage and public networks.
Protection from abuse of cloud services
- Identify malicious customers via strict initial registration and validation processes.
- Make policies that allow the protection of critical organizational asset a part of the SLA between the user and service provider.
- Ensure the network monitoring process is comprehensive enough to detect malicious packets.
- Install all the updated security devices in the network.
Protection from insufficient due diligence
- Organizations should fully understand the scope of risks associated with cloud before migrating their business and critical assets to it.
- Service providers must disclose the applicable logs and infrastructure such as a firewall to consumers to take measures for securing their applications and data.
- The provider must set up requirements for implementing cloud applications and services using industry standards.
- A cloud provider must conduct risk assessment using quantitative and qualitative methods periodically to check the storage, flow and processing of data.
Protection from Shared Technology Vulnerabilities
- A hypervisor must be secured to ensure proper functioning of other virtualization components and implementing isolation between VMs.
- Create and use baseline requirements for all cloud components in the design of the cloud architecture.
- A service provider should monitor the vulnerabilities in the cloud environment and release patches to fix those vulnerabilities periodically.