DEV Community

Anirban Acharya

Security of data at rest, in transit, and use in the cloud computing

Introduction

A cloud computing environment can be modeled as a graph of nodes connected over networks, where some nodes act as clients and the rest as servers or intermediaries to the servers[11]. It is a computing model in which users access a vast pool of computing resources over a network. The resources can be configured and used based on individual requirements, with minimal management or provider interaction. This allows for greater flexibility in computing and eliminates the need for users to invest in expensive infrastructure and maintenance. Cloud computing is defined by several key features: broad network access, on-demand self-service, resource pooling, rapid elasticity and scalability, and measured or metered service[3]. While it has several advantages, it also poses challenges to privacy and data security[10][16][19]. Because the environment is a network of nodes, each of which can generate, store, and/or process data, the security of data cannot be localized to a set of nodes: it must also cover the channels over which nodes communicate and the processing and storage of data within each node.

Let’s take two imaginary characters, Bob and Alice, to understand data in use, data in transit, and data at rest. Let’s say Bob wants to share a picture of a delicious cheeseburger with Alice. Bob took the photo on his smartphone and it has been stored there since then. This means that the cheeseburger photo is currently at rest. Bob opens the picture and attaches it to an email. This action loads the photo into memory, and it becomes data in use, specifically by his phone’s photo viewer and email applications. Once Bob hits “Send,” the email with the attached photo travels over the Internet to Alice’s email service, and it becomes data in transit [5].

In this post, we will go through the key challenges in securing data in each of these three states and ways to mitigate them.

The CIA triad

The CIA triad, which stands for confidentiality, integrity, and availability, is a foundational concept in data security. It provides a framework for understanding and addressing the key security challenges involved in protecting data. The CIA triad was originally developed in the context of information security, but it is also applicable to the security of data in the cloud.

Confidentiality refers to the protection of sensitive information from unauthorized access. This means that only authorized users should be able to access and use the data. In the cloud, confidentiality can be achieved through a variety of means, such as:

  1. Access control
  2. Data encryption

Integrity refers to the assurance that data is accurate and complete. This means that the data has not been tampered with or altered in any way. In the cloud, integrity can be achieved through a variety of means, such as:

  1. Hashing
  2. Digital signatures

Availability refers to the assurance that data is accessible to authorized users when they need it. This means that the data does not become unavailable due to outages, downtime, or other disruptions. In the cloud, availability can be achieved through a variety of means, such as:

  1. Redundancy: Redundant data storage ensures that data is available even if one storage system fails. This can be done through replication, which copies data to multiple locations.
  2. Disaster recovery: Disaster recovery plans allow organizations to restore data and applications in the event of a disaster. This can include backup and recovery procedures, as well as the ability to failover to a secondary site.

Cloud computing layers and data security

Cloud computing layers define how cloud computing resources and services are delivered to users. The three layers are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Each layer manages different aspects of the computing stack and offers a unique level of abstraction[17].

  1. IaaS: IaaS provides virtualized computing resources over the Internet. It offers fundamental computing infrastructure, such as virtual machines, storage, and networking[13]. Access to such critical resources can pose potential threats to data security due to shared resources, network security challenges, user access controls, hypervisor security, data residency and compliance, and many others.
  2. PaaS: PaaS is a platform that allows users to create, run, and manage applications without having to deal with the complexities of infrastructure management. This model entails offering Infrastructure as a Service as well as operating systems and server applications like web servers [18]. Although PaaS offers benefits such as increased productivity and more efficient development processes, it also has certain features and considerations that may pose potential threats to data security. These include limited control over the infrastructure, a shared environment, reliance on the security of the service provider, data transmission security, as well as authentication and authorization issues.
  3. SaaS: SaaS software applications are delivered over the internet, removing the need for users to install, maintain, and update software locally [15]. However, the SaaS model raises certain data security concerns for data transmission over the Internet, data storage on third-party servers, identity and access management (IAM), shared resources in multi-tenant environments, etc.

Security challenges to Data-in-transit

  1. Man-in-the-Middle Attacks
    • Challenge: Attackers can intercept and manipulate data during transmission without the knowledge of the sender or recipient.
    • Mitigation: Implement secure communication protocols such as HTTPS, which encrypts data during transmission, and uses digital signatures to verify the authenticity of the transmitted data.
  2. Packet Sniffing
    • Challenge: Unauthorized individuals may use packet sniffing tools to capture and analyze data packets flowing over the network.
    • Mitigation: Encrypt data using protocols like SSL/TLS to prevent the interception of sensitive information. Use virtual private networks (VPNs) to create secure communication channels.
  3. Data Interception
    • Challenge: Data transmitted over unsecured channels can be intercepted by malicious actors.
    • Mitigation: Use encryption mechanisms (e.g., SSL/TLS) to protect the confidentiality of data. Avoid transmitting sensitive information over unsecured networks.
  4. Distributed Denial of Service (DDoS) Attacks
    • Challenge: DDoS attacks can disrupt internet traffic, affecting the availability and performance of data transmission.
    • Mitigation: Implement DDoS mitigation strategies, use content delivery networks (CDNs), and deploy firewalls to filter and manage incoming traffic.
  5. DNS Spoofing
    • Challenge: Attackers can manipulate the Domain Name System (DNS) to redirect users to malicious websites.
    • Mitigation: Use DNS security measures, such as DNS Security Extensions (DNSSEC), to ensure the integrity and authenticity of DNS information.
  6. Insufficient Authentication
    • Challenge: Weak or absent authentication mechanisms can lead to unauthorized access to transmitted data.
    • Mitigation: Implement strong authentication protocols and mechanisms, such as multi-factor authentication, to ensure that only authorized users can access and transmit data.

Security Challenges to Data at Rest

  1. Data Encryption
    • Challenge: Ensuring that data is adequately encrypted when at rest can be challenging. Organizations need to implement strong encryption mechanisms to protect against unauthorized access.
    • Mitigation: Use robust encryption algorithms and key management practices. Cloud providers often offer encryption services, such as server-side encryption for storage resources.
  2. Key Management
    • Challenge: Effectively managing encryption keys is critical. If keys are compromised, it could lead to unauthorized access to the encrypted data.
    • Mitigation: Implement secure key management practices, such as using hardware security modules (HSMs), rotating keys regularly, and restricting access to key management systems.
  3. Access Controls
    • Challenge: Unauthorized access to data can occur if access controls are not properly configured. Misconfigured permissions may result in data exposure.
    • Mitigation: Implement granular access controls, regularly review and audit permissions, and follow the principle of least privilege. Utilize Identity and Access Management (IAM) features provided by the cloud provider.
  4. Cloud Provider Security
    • Challenge: Relying on a third-party cloud provider introduces concerns about the security practices and measures implemented by the provider.
    • Mitigation: Choose reputable cloud providers with robust security certifications. Regularly assess the provider’s security controls and audit reports.
  5. Insider Threats
    • Challenge: Insider threats, whether intentional or accidental, can pose risks to data security at rest.
    • Mitigation: Implement monitoring and auditing mechanisms to detect unusual or suspicious activities. Educate users on security best practices and enforce strong authentication.

Security challenges of data in use

  1. Data Encryption
    • Challenge: Ensuring the encryption of data while it is actively being processed poses challenges, especially in scenarios where data needs to be decrypted for computation. “Memory encryption” or “runtime encryption” protects data while it is actively being processed in a computer’s memory, adding an extra layer of security, but it comes with its own set of challenges, such as computation cost in terms of latency and throughput, application compatibility, performance overheads, the ability to debug a program, etc.
    • Mitigation: Implement homomorphic encryption [7] or secure enclaves to perform computations on encrypted data without exposing the raw information.
  2. Secure Processing Environments
    • Challenge: Protecting data during processing requires secure execution environments to prevent unauthorized access or tampering.
    • Mitigation: To create secure processing environments, it is recommended to use technologies like Trusted Execution Environments (TEEs) or hardware-based security solutions. Remote cryptographic attestation is also an essential part of confidential computing [12]. The attestation process evaluates the trustworthiness of a system and ensures that confidential data is only released to a TEE after it provides verifiable evidence of being genuine and operating with an acceptable security posture. Without attestation, a system can trick others into trusting it, pretend to run specific software in a TEE, and potentially compromise the security and accuracy of the data being processed or the trusted code [1].
  3. Access Controls
    • Challenge: Implementing granular access controls for data in use is complex, especially in multi-tenant cloud environments.
    • Mitigation: Leverage Identity and Access Management (IAM) solutions to enforce least privilege access and regularly audit and update access policies.
  4. Memory-based Attacks
    • Challenge: Data processed in memory is susceptible to memory-based attacks, such as buffer overflows or injection attacks.
    • Mitigation: Employ secure coding practices, conduct regular code reviews, and use tools to detect and mitigate memory-based vulnerabilities.
  5. Secure APIs and Interfaces
    • Challenge: Insecure application interfaces can expose data in use to unauthorized access or manipulation.
    • Mitigation: Regularly assess and secure APIs, enforce proper authentication and authorization mechanisms, and monitor API activities.
  6. Compliance and Auditing
    • Challenge: Meeting compliance requirements for data in use involves continuous monitoring and auditing, which can be resource-intensive.
    • Mitigation: Implement automated compliance checks, conduct regular audits, and use tools to ensure ongoing adherence to regulatory standards.
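
The attestation flow described under Secure Processing Environments, where confidential data is released only after the environment presents verifiable evidence, can be modeled as follows. This is an added example, not code from the original post or from any TEE vendor; all names and values are hypothetical, and HMAC with a shared key stands in for the hardware-rooted asymmetric signature a real TEE would produce.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins. A real TEE signs evidence with a hardware-held
# asymmetric key that chains to the vendor; HMAC with a shared key is used
# here only so the example runs with the standard library.
HW_KEY = b"constructed-hardware-root-key"
APPROVED_IMAGE = b"constructed approved workload v1"
TRUSTED = {hashlib.sha256(APPROVED_IMAGE).hexdigest()}

def make_evidence(hw_key, image, nonce):
    """Attester: measure the loaded workload and sign (measurement, nonce)."""
    claims = {"measurement": hashlib.sha256(image).hexdigest(), "nonce": nonce}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(hw_key, body, hashlib.sha256).hexdigest()}

class KeyBroker:
    """Relying party: releases the data key only to a verified environment."""
    def __init__(self, hw_key, trusted, data_key):
        self._hw_key, self._trusted, self._data_key = hw_key, trusted, data_key
        self._pending = set()  # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def release(self, evidence):
        expected = hmac.new(self._hw_key, evidence["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, evidence["sig"]):
            return None, "signature does not verify"
        claims = json.loads(evidence["body"])
        if claims["nonce"] not in self._pending:
            return None, "nonce unknown or already used"
        self._pending.discard(claims["nonce"])  # one piece of evidence per challenge
        if claims["measurement"] not in self._trusted:
            return None, "measurement not on the allow-list"
        return self._data_key, "released"
```

The three checks map to the failure cases in the text: a forged signature is a system that is not genuine, an unlisted measurement is a system pretending to run specific software, and the nonce stops old evidence from being replayed.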

Conclusion

Cloud computing has become increasingly popular in recent years, and as a result, the need for robust security measures to protect data at rest, in transit, and in use has also grown.

References

  1. Pradipta Banerjee and Samuel Ortiz. Understanding the confidential containers attestation flow. 12 2022. Retrieved 2023-03-12.
  2. Stephane Bressan and Thomas Lee. Information brokering on the world wide web. Technical report, Sloan School of Management, Massachusetts Institute of Technology, June 1997. Accepted at the WebNet 97 World Conference.
  3. Mike Chapple and David Seidl. (ISC)2 CCSP Certified Cloud Security Professional Official Study Guide. Syngress, 2022.
  4. Te-Shun Chou. Security threats on cloud computing vulnerabilities. International Journal of Computer Science and Information Technology, 5:79–88, 06 2013.
  5. Cloudflare.
  6. FireEye. Apt17: Hiding in plain sight - FireEye and Microsoft expose obfuscation tactic. May 2015. PDF.
  7. Kevin Foltz and William R. Simpson. Erp homomorphic encryption performance evaluation. Technical report, Institute for Defense Analyses, 2019. Accessed 21 Nov. 2023.
  8. J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Lest we remember: cold-boot attacks on encryption keys. Communications of the ACM, 52(5):91–98, 5 2009.
  9. Danish Javeed and Umar Mohammed Badamasi. Man in the middle attacks: Analysis, motivation and prevention. International Journal of Computer Networks and Communications Security, 8:52–58, 07 2020.
  10. Heena Kausar Khan, Rubika Pradhan, and B. R. Chandavarkar. Hybrid cryptography for cloud computing. In 2021 2nd International Conference for Emerging Technology (INCET), pages 1–5, 2021.
  11. A. Kira. Managing uber’s data workflows at scale. Uber Blog.
  12. Dominic P. Mulligan, Gustavo Petri, Nick Spinale, Gareth Stockwell, and Hugo J. M. Vincent. Confidential computing—a brave new world. In 2021 International Symposium on Secure and Private Execution Environment Design (SEED), pages 132–138, September 2021.
  13. Anas Abu Taleb, Shadi R. Masadeh, and Nidal M. Turab. Cloud computing challenges and solutions. International Journal of Computer Networks and Communications, 5, 09 2013.
  14. Sara Qaisar and Kausar Fiaz Khawaja. Cloud computing: Network/security threats and countermeasures. Interdisciplinary Journal of Contemporary Research in Business, 3:1323–1329, 01 2012.
  15. Harshitha K. Raj. A survey on cloud computing. International Journal of Advanced Research in Computer Science and Software Engineering, 4(7), July 2014.
  16. Sattar B. Sadkhan. Security of cloud networks – status, challenges and future trends. In 2022 8th International Engineering Conference on Sustainable Technology and Development (IEC), pages 247–252, 2022.
  17. Ahmed Salih. A survey of cloud computing security challenges and solutions. International Journal of Computer Science and Information Security, 14, 01 2016.
  18. Dr. Jayant Shekhar. An analysis on security concerns and their possible solutions in cloud computing environment. In 3rd International Conference on Role of Engineers as Entrepreneurs in Current Scenario - 2014 (ICREECS-2014), 2014.
  19. K. Zunnurhain and S. Vrbsky. Security attacks and solutions in clouds. In 2nd IEEE International Conference on Cloud Computing Technology and Science, Indianapolis, December 2010.
