This article has been written by Suchandra Mukherjee, pursuing a Diploma in Law Firm Practice: Research, Drafting, Briefing and Client Management from LawSikho. It has been edited by Zigishu Singh (Associate, LawSikho) Ruchika Mohapatra (Associate, LawSikho).
Table of Contents
Introduction
“For every lock there is someone out there, trying to pick it or break in” — David Bernstein
When we hear the term cloud computing, we wonder why it is called so.
Is it a kind of cloud-processing procedure? Or is there any connection between this operation and the clouds? Because the information being accessed is located remotely in the cloud or a virtual place, cloud computing is termed as such. Cloud service providers allow customers to store files and programs on remote servers and then access the information via the Internet. This means that the user does not need to be at a specific location to access it, allowing them to work from anywhere.
Just like a “cloud” caters to various individuals when it rains, similarly cloud computing caters to various individuals by providing services to a diverse range of people. While cloud computing definitely makes our lives easier, there also emerges a problem of cyber attacks since for any offender who hacks into a system, all the data stored is at their disposal. This can lead to several risks and issues with respect to personal information, prominent loss to a company and even damage to a country’s infrastructure. This article will highlight the need of cyber security and its relation with cloud computing.
An insight into cloud computing
Cloud computing is available in both public and private forms. Public cloud services offer their services on the internet by charging a fee. Private cloud services provide their services to a limited number of customers. These services are network systems that provide hosted services. A hybrid option is also available, which is a combination of both the public and private services.
Illustration
We have a computer in our home which is basically used for storing certain data and for playing games, but if we think of using our computer for playing high-end games or storing a large amount of data or for using software for which we have to pay a huge amount of money. then we have 3 options in our hands:
- Upgrade our computer to one where all these functions will be present; or
- We can buy the software for which we can get the licenses and make a new setup; or
- Have high-speed internet so that we can rent a computer where all the features are present and use the power out of that computer and get our work done.
So, which one is more convenient?
Option C, right?
Cloud Computing is not just used for storage like as seen in one drive, drop box, google cloud, etc. It is much more than storage. There are several kinds of applications and softwares present in cloud computing.
For example, there’s a company where a huge numbers of employees work, so in order to store all the information, the company requires to keep a separate dedicated unit with a huge amount of in-house expense, but instead of that if the company takes all such services from a cloud service provider in exchange for a fee that is much lower as compared to the previous set up. There will be no problem when the company needs to scale up or scale down employees because in cloud computing, the amount of storage can easily be modified according to the requirement.So, all the services like online storage, database management, and the software can be easily accessed from different devices.
Important features of cloud computing
- Cloud computing facilitates the supply of various services, concerning servers, databases, software, data storage, and networking over the Internet.
- Cloud storage allows users to save files to a remote database and retrieve them whenever required.
- Public services are available online for a price whereas private services are hosted on a network for specific clients.
Now before proceeding further into discussing cyber-crime related to cloud computing, we need to know about the various types of cloud service models.
Cloud Service Models
The 3 kinds of cloud service models are as follows: –
IaaS (Infrastructure as a service)
It is also known as ‘Hardware as a Service’. It is a computer infrastructure that is managed via the internet. The primary benefit of adopting IaaS is that it allows consumers to avoid the cost and complexity of acquiring and managing physical servers.
This provides clients with access to cloud storage, connection, and other fundamental computer tools. It simply boosts the computational capability of the consumers by enabling them to run their own devices and programmes on the cloud platform.
IaaS is used by network architects (responsible for security of networks).
The advantages of IaaS are:
- Dynamic and flexible
- GUI and API based access
- Resources are available as a service
- Automated administrative tasks
- Services are highly scalable
Examples of IaaS are – Google Compute Engine (GCE), Amazon Web Services (AWS), Linode, Cisco Metacloud.
PaaS (Platform as a Service)
The PaaS cloud computing platform was designed to allow programmers to develop, test, execute, and manage applications. This grants the user access to the computer interface or operating systems of the cloud instances, as well as an underlying database, allowing them to construct or acquire software.
It provides virtual platforms and tools for developing, testing, and deploying programmes.
PaaS is used by developers (responsible for developing of software)
Advantages of a PaaS are:
- It can grant access to several users while using the same development application.
- Based on virtualization technology, resources can be readily scaled up or down to meet the needs of the company.
- Multiple languages and frameworks are supported.
- Connects to web services and databases.
Example – Google app engine, Windows Azure, Open shift
SaaS (Software as a service)
It is popularly known as ‘On demand-software’. It is basically a kind of software through which users can access the applications which are hosted by a cloud service provider by using their internet and web browser.
It offers web tools and applications to help with corporate needs.
SaaS is used by the End-users (the person who uses the product).
Advantages of SaaS are:
- It is hosted by a remote server
- It is managed from a central location
- It is accessed using the internet
- The updates are automated and users are not responsible for all the hardware and software updates.
- Users can purchase the services as their usage.
For example: DropBox, Google apps, Slack, go to meetings etc.
Cloud Cyber Security
In today’s technology-operated world, it would be difficult to locate an organisation that has not implemented PaaS, IaaS or SaaS. As companies seek simpler management, utility-based payments, and lower reliance on traditional data centres and management teams, more and more IT services and applications are being used by companies.
Cloud-based cybercrime is a broad notion that includes all sorts of internet criminality committed by using the known cloud computing models including television and film piracy, and smartphone-based crime. Therefore, an efficient cloud security mechanism is required in order to secure the cloud computing systems and keep the data safe. Now the questions arise:
- What are the most significant threats that we see in a cloud?
- What are the technologies that an organization can deploy to ensure protection from the potential threats in the cloud?
The core threats that we see in a cloud are as follows:
- Misconfiguration – When a user or team sets settings that do not guarantee proper security for their cloud data, this results in cloud misconfiguration. In the absence of effective security measures, attackers can take advantage of misconfigurations to steal cloud data. Protect yourself against cloud misconfigurations to improve your cloud protection techniques. Having the correct tools to apply security controls to cloud data, in particular, is crucial.
- Unauthorized Access – According to a recent Cloud Security Spotlight Report, the biggest threat to cloud security, according to 53% of firms polled, is illegal access via the misuse of employee credentials and ineffective access restrictions. The good news, as stated in the research, is that access control can be addressed using cloud security solutions in conjunction with identity and access management regulations.
- Insecure Interfaces and APIs – For developers, public cloud APIs provide up a plethora of new and useful possibilities. These interfaces add key functionalities to applications and connect them to external services. APIs that are properly integrated help all users and improve a service’s value proposition in the software market. Insecure APIs in cloud computing, on the other hand, can expose environments to malicious threats. Businesses are responsible for providing safe products, but missteps can lead to security risks.
- Hijacking of accounts – Cloud account hijacking is the process by which an attacker steals or hijacks a person’s or organization’s cloud account. Cloud account hijacking is a typical strategy used in identity theft schemes in which the attacker uses stolen account information to engage in illegal or unauthorized behavior. When a cloud account is hijacked, an attacker often impersonates the account owner by using a compromised email account or other credentials.
- Lack of visibility – One of the most significant cloud security concerns is a lack of visibility, which affects an organization’s ability to implement incident response plans, validate the efficacy of its security policies, and appropriately assess information about its data, services, and users. It is critical for enterprises to have a cloud usage policy in place, complete with approved means for getting approved servers up and running, deployment processes, and so on. In addition to compliance, governance, and security problems, a lack of visibility in the public cloud poses business hazards. This is necessary to determine how much visibility and control the cloud computing solution will provide.
- Malicious Insiders – Malicious insiders are employees, former employees, contractors, or business associates who have lawful access to your systems and data and use that access to damage, steal, or disrupt your systems. It does not cover well-meaning employees who inadvertently jeopardize your cyber security or leak data. Recovering from a malicious insider is dependent on the extent of the harm they have caused. If they have harmed your website, introduced malware, or otherwise rendered your systems inoperable, you can implement technological solutions to those issues. However, once they’ve taken your data, there’s not much you can do to recover it. If your systems have unique logins and auditing (see information below), you or the police may be able to identify the hostile insider. However, this will not result in the recovery of the stolen data. Therefore prevention is important.
- Data loss/leakage – The unlawful communication of data from within an organization to an external destination or recipient is known as data leakage. The phrase can refer to data that is transported either electronically or physically. Data leakage threats are most commonly transmitted over the web and email, but they can also be transmitted via mobile data storage devices such as optical media, USB keys, and laptops.
- Data privacy/confidentiality – Data security has long been a serious concern in the field of information technology. It is particularly risky in the cloud computing environment because the data is spread across multiple locations, even the entire world. Users’ biggest concerns about cloud technology are data security and privacy protection. Data security and privacy protection are becoming increasingly important for the future growth of cloud computing technology in government, industry, and business, despite the fact that several techniques on cloud computing themes have been investigated in both academia and industry. Data security and privacy concerns apply to both hardware and software in the cloud.
- Accidental exposure to credentials– Data breach assaults occur as a result of poor password management and the use of expired or third-party certificates. Methods such as one-time passwords, call authentication, and smartcard use are recommended to protect against attackers.
Remedies
MFA- Multi-Factor Authentication
Traditional username and password combinations are frequently insufficient to secure user accounts from hackers, and stolen credentials are one of the most common ways hackers get access to your online business data and apps. They can log into all of the cloud-based programs and services that you use every day to run your business once they have your user credentials. MFA may be used to secure all of your cloud users, ensuring that only authorised employees can access vital data in your on-premise or off-premise environment. MFA is one of the most basic yet effective security measures for preventing unwanted access to your cloud services.
User Access in order to improve Cloud Computing Security
Most employees do not require access to every program, piece of data, or file on your cloud infrastructure. Using an IAM (Identity and Access Management) plan to set appropriate levels of authorization guarantees that each person can only view or alter the applications or data required to execute their job.
Access control not only prevents an employee from mistakenly editing information that he or she isn’t permitted to see, but it also protects you from hackers who have stolen an employee’s credentials.
Protecting Against Departing Employees with a Comprehensive Off-boarding Process
When an employee leaves your organization, ensure that they no longer have access to your cloud storage, systems, data, client information, and intellectual property. This is an important security job that is frequently postponed for days or weeks after someone has left.
Because each employee is likely to have access to a variety of cloud apps and platforms, a systemized deprovisioning procedure is required to ensure that all access permissions for each departing employee are revoked.
Again, if you are unable to manage this internally, do not be afraid to outsource this duty to someone who is knowledgeable about how to properly set up, implement, and maintain this process.
Anti-Phishing Training for Employees
Through social engineering techniques like phishing, impersonating websites, and social media monitoring, hackers can get access to secure information by stealing employees’ login credentials.
The best approach to prevent employees from falling prey to these scams and jeopardizing your company’s critical data is to provide continual training. Phishing training is not a one-time event; it is a continuous activity that must be handled by someone within the business to be effective.
Consider Cloud-to-Cloud Back-Up Solutions
You have a very low chance of losing data due to a cloud provider’s error, but you have a very high possibility of losing data due to human error. It’s worth mentioning that most cloud providers, including Microsoft, preserve deleted data for a short time in their data centres.
However, check with your cloud provider to see what this time range is and whether there are any fees involved with data restoration. Businesses that must adhere to strict laws or are afraid about being held liable due to lost or corrupted data are increasingly turning to cloud-to-cloud backup solutions. A lot of these solutions are available on the market today that may help you safeguard your organization, so go to a trustworthy IT consultant to figure out which one is right for you.
Conclusion
We can’t stop cybercriminals from running their company using cloud services or attacking you by using cloud-hosted servers and systems (including secured servers). But to ensure that these attacks are not part of our cloud server, we can take significant efforts as mentioned above to make sure that we don’t have our IT services account when mounting these attacks.
More importantly, government training opportunities and training for law enforcement officers to improve their cloud skills and cloud knowledge (including public general education) on emerging technologies crimes, such as cloud and smart mobile phone crimes, and learning to work with the private sector or companies to reduce crime) is very essential. There is a lot of cloud security research underway to tackle your difficulties, but researchers and security engineers have failed to offer competitive solutions to the rapidly rising problems on the ground with the fast rise of this technology.
References
- https://www.legalserviceindia.com/legal/article-6343-cyber-crime-in-the-purview-of-cloud-computing-the-interpretation-of-security.html
- https://www.geeksforgeeks.org/cyber-security-in-cloud-computing/
- https://www.mondaq.com/india/data-protection/1088962/cloud-computing-in-india–the-state-of-play-and-what39s-next
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:
https://t.me/joinchat/J_0YrBa4IBSHdpuTfQO_sA
Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.