
Cloud Computing Lecture 2

The document discusses security issues in cloud computing, highlighting risks such as data loss, account hijacking, and vulnerabilities in APIs. It emphasizes the importance of strong authentication, encryption, and proper access controls to protect against these threats. Additionally, it addresses challenges related to vendor lock-in and the need for skilled personnel in managing cloud services.

Uploaded by

abuzarkhan112003
Copyright
© All Rights Reserved

CLOUD COMPUTING Lecture 2

SECURITY ISSUES IN CLOUD COMPUTING
Cloud Computing is a type of technology that provides remote services on the internet
to manage, access, and store data rather than storing it on servers or local drives.
This technology is also known as Serverless technology. Here the data can be
anything: images, audio, video, documents, files, etc.
NEED OF CLOUD COMPUTING:
Before Cloud Computing, most large and small IT companies used traditional methods,
i.e. they stored data on a server, and they needed a separate server room for that.
That server room had to contain a database server, mail server, firewalls, routers,
modems, high net speed devices, etc., and IT companies had to spend a lot of money
on it. Cloud computing came into existence to reduce these cost problems, and most
companies shifted to this technology.
SECURITY ISSUES IN CLOUD COMPUTING:
There is no doubt that Cloud Computing provides various advantages, but there are
also some security issues in cloud computing. Some of these security issues are
described below.
1. Data Loss –
Data Loss is one of the issues faced in Cloud Computing. This is also known as Data
Leakage. Our sensitive data is in the hands of somebody else, and we don’t have full
control over our database. So, if the security of the cloud service is broken by
hackers, they may get access to our sensitive data or personal files.
2. Interference of Hackers and Insecure APIs –
When we talk about the cloud and its services, we are talking about the Internet. The
easiest way to communicate with the cloud is through an API, so it is important to
protect the interfaces and APIs that are used by external users. In addition, a few
cloud services are available in the public domain; these are the vulnerable part of
Cloud Computing because they may be accessed by third parties. With the help of
these services, hackers may be able to hack or harm our data.
HACKERS CAN EXPLOIT VULNERABILITIES IN APIS AND CLOUD
SERVICES THROUGH VARIOUS ATTACK METHODS, PARTICULARLY IF
APIS OR CLOUD INTERFACES ARE LEFT UNSECURED. BELOW ARE SOME
REAL-WORLD SCENARIOS OF HOW HACKERS CAN EXPLOIT INSECURE
APIS AND INTERFACES IN CLOUD ENVIRONMENTS:

a. Broken Authentication
In this scenario, if an API is not properly secured with strong authentication mechanisms (like
OAuth2 or multi-factor authentication), a hacker can use brute force or credential stuffing to
gain unauthorized access to the API.
Real-World Scenario:
Imagine a cloud storage service API that allows users to authenticate with only a username
and password, without enforcing strong password requirements or using MFA. A hacker could
attempt to exploit this by trying thousands of common username/password combinations
(credential stuffing). Once they find valid credentials, they gain access to sensitive cloud
data.
•Case Example: In 2019, Facebook's API was found to expose personal user data due to
weak access controls on a specific endpoint, allowing third-party apps to access user
information without proper authorization.
b. Exposed API Keys
Developers sometimes hard-code API keys in their applications or expose them in
client-side code, making them easily accessible to anyone who views the code or
network traffic.
Real-World Scenario:
A company might store sensitive business data in a cloud database. The mobile
application that accesses this data has API keys embedded in the app’s source code.
Hackers decompile the mobile app, extract the API key, and use it to access the
company’s database, potentially stealing or manipulating sensitive information.
•Case Example: In 2018, a Tesla cloud environment was compromised because API
keys for their Amazon Web Services (AWS) were exposed in a Kubernetes admin
console that wasn’t password-protected. Hackers used this to mine cryptocurrency
using Tesla’s computing power.
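A defender-side check for the hard-coded keys described in this section, as an added example that is not part of the original lecture: a small scanner that flags AWS-style access key IDs and high-entropy literals assigned to credential-like names before code ships. The regexes, the entropy threshold and `SAMPLE_SOURCE` are assumptions made for the illustration.

```python
import math
import re
from collections import Counter

# AWS access key IDs: a fixed prefix followed by 16 upper-case letters/digits.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A quoted literal assigned to a name that sounds like a credential.
ASSIGN_RE = re.compile(
    r'\b(\w*(?:api_?key|secret|token|passwd|password)\w*)\s*[:=]\s*["\']([^"\']{8,})["\']',
    re.IGNORECASE,
)

# Constructed sample; the key ID is the placeholder used in AWS documentation.
SAMPLE_SOURCE = '''\
const region = "us-east-1";
const awsKeyId = "AKIAIOSFODNN7EXAMPLE";
const API_KEY = "q7Zt2LxV9mKp4RbW8sNc";
const apiKey = process.env.API_KEY;
const token = "XXXXXXXXXXXXXXXX";
'''


def shannon_entropy(value):
    """Bits per character; placeholders like 'XXXXXXXX' score near zero."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def redact(value):
    """Keep only a short prefix so the report does not leak the secret again."""
    return value[:4] + "*" * (len(value) - 4)


def scan(text, min_entropy=3.0):
    """Return (line number, rule, redacted value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in AWS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(match.group())))
        for match in ASSIGN_RE.finditer(line):
            name, value = match.group(1), match.group(2)
            if AWS_KEY_ID_RE.fullmatch(value):
                continue  # already reported by the rule above
            if shannon_entropy(value) >= min_entropy:
                findings.append((lineno, "hardcoded_secret:" + name, redact(value)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE):
        print(finding)
```

Line 4 of the sample, which reads the key from the environment at run time, and the all-`X` placeholder on line 5 are not reported.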
c. Lack of Rate-Limiting
If APIs do not have proper rate-limiting or throttling mechanisms in place, a hacker
can launch Denial of Service (DoS) or brute force attacks by overwhelming the API
with excessive requests.
Real-World Scenario:
An API that allows login attempts but doesn’t limit the number of requests per IP can
be targeted for brute force attacks. A hacker could bombard the API with millions of
login attempts in a short period of time, guessing usernames and passwords until they
gain access.
•Case Example: In the Instagram API vulnerability discovered in 2017, attackers
exploited a lack of rate-limiting on the API’s password reset feature to send massive
amounts of password reset requests, which ultimately led to unauthorized access to
user accounts.
d. Insecure Data Transmission
Without encryption in place, data sent between the client and the server over an
insecure network (e.g., HTTP instead of HTTPS) can be intercepted by attackers,
allowing for man-in-the-middle (MitM) attacks.
Real-World Scenario:
A cloud service’s API communicates over an unencrypted HTTP connection. Hackers
intercept traffic using a man-in-the-middle attack, where they capture sensitive
information like API keys, usernames, and passwords. This allows them to authenticate
as a legitimate user and compromise the system.
•Case Example: The Equifax breach in 2017 exposed the personal information of
147 million people, partly because of insecure transmission of data and improper
encryption in some of the APIs that were used.
e. Insufficient Access Controls
APIs without proper access controls allow unauthorized users or applications to access
or modify sensitive resources. Attackers can exploit open APIs by accessing endpoints
that were not properly restricted.
Real-World Scenario:
A cloud service exposes an API that allows users to upload files. However, the API
lacks proper authorization checks to ensure that only authenticated users can upload
files. A hacker identifies this open API and uploads malicious files or malware to the
cloud storage, which then spreads through the system when accessed by users.
•Case Example: In the Uber API breach of 2016, hackers exploited an endpoint that
did not have sufficient access controls. They were able to access personal data of
over 57 million users and drivers by gaining access to Uber’s GitHub repository, which
stored AWS credentials in plaintext.
f. Injection Attacks
APIs that do not properly sanitize user inputs are vulnerable to SQL injection or
command injection attacks. Hackers can inject malicious code into API requests,
allowing them to access, modify, or delete sensitive data.
Real-World Scenario:
A poorly coded API that interacts with a cloud database takes user input and directly
executes it in SQL queries. A hacker sends a malicious API request with SQL commands,
such as DROP TABLE, which deletes the entire database.
•Case Example: In 2019, the Cloudhopper attack targeted multiple cloud service
providers using injection attacks and credential theft to access sensitive data in
customer environments.
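The DROP TABLE scenario above, shown as the vulnerable handler beside a corrected one (an added example, not code from the original lecture). It uses an in-memory SQLite database; the `files` table, the function names and `HOSTILE_NAME` are hypothetical, and the fix shown is parameter binding with an allowlist check as a second layer.

```python
import re
import sqlite3

# Constructed hostile value for the page's DROP TABLE scenario.
HOSTILE_NAME = "x'; DROP TABLE files; --"
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT);"
        "INSERT INTO files (owner, name) VALUES ('alice', 'report.pdf');"
        "INSERT INTO files (owner, name) VALUES ('bob', 'notes.txt');"
    )
    return db


def table_exists(db, table):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def rename_file_vulnerable(db, file_id, new_name):
    """BEFORE: the request value is pasted into the SQL text."""
    sql = f"UPDATE files SET name = '{new_name}' WHERE id = {file_id};"
    # executescript() stands in for a driver that accepts several statements
    # in one call; whatever follows the closing quote runs as SQL.
    db.executescript(sql)


def rename_file_safe(db, file_id, new_name):
    """AFTER: the SQL text is fixed and the values are bound as parameters."""
    cur = db.execute(
        "UPDATE files SET name = ? WHERE id = ?", (new_name, int(file_id))
    )
    db.commit()
    return cur.rowcount


def is_valid_name(new_name):
    """Second layer: allowlist check the API can apply before touching the DB."""
    return NAME_RE.fullmatch(new_name) is not None


def compare():
    """Send the same hostile value through both versions."""
    before = make_db()
    rename_file_vulnerable(before, 1, HOSTILE_NAME)

    after = make_db()
    updated = rename_file_safe(after, 1, HOSTILE_NAME)
    names = [row[0] for row in after.execute("SELECT name FROM files ORDER BY id")]
    return table_exists(before, "files"), table_exists(after, "files"), updated, names


if __name__ == "__main__":
    print(compare())
```

With binding, the hostile value is stored as an odd-looking file name and the table survives; the allowlist would have rejected it before the query ran.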
g. Third-Party Service Exploitation
Cloud services often rely on third-party APIs for enhanced functionality. However, if
these third-party services are compromised or lack security, they can become entry
points for hackers.
Real-World Scenario:
A cloud-based e-commerce platform integrates a third-party payment service using
its public API. The payment service has a vulnerability in its API that allows hackers to
bypass transaction verification. Hackers exploit this vulnerability to alter payment
amounts or steal financial data during transactions.
•Case Example: In the Capital One breach of 2019, a misconfigured web application
firewall (WAF) in the Amazon cloud allowed a hacker to exploit a vulnerability in an
external service to access over 100 million customer records.
WAYS TO PROTECT APIS AND CLOUD SERVICES FROM HACKERS
•Implement Strong Authentication: Use OAuth 2.0, OpenID Connect, or API keys with proper
validation. Ensure proper session handling and token management.
•Use HTTPS/SSL (Secure Sockets Layer): Always encrypt data in transit with HTTPS to protect
against man-in-the-middle attacks.
•Rate Limiting: Apply rate-limiting to restrict the number of API requests from a single IP or
user in a short period.
•Input Validation and Sanitization: Validate all inputs to prevent SQL injection, cross-site
scripting (XSS), and command injection.
•Access Control and Role-Based Permissions: Use role-based access control (RBAC) to ensure
users and applications have only the minimum privileges they need.
•API Gateway: Use an API gateway to manage, monitor, and secure APIs. API gateways like AWS
API Gateway, Kong, or Apigee offer features like rate-limiting, logging, and security monitoring.
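An added example (not from the original lecture) for the "Lack of Rate-Limiting" scenario and the "Rate Limiting" recommendation above: a sliding-window throttle for a login endpoint that limits requests per source IP and per target account. The class names, limits and the traffic in `simulate()` are assumptions chosen for the illustration.

```python
import math
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_s` seconds for each key."""

    def __init__(self, limit, window_s, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def check(self, key):
        """Return 0.0 if the request is accepted, else seconds until a slot frees."""
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()  # forget requests that have left the window
        if len(hits) >= self.limit:
            return self.window_s - (now - hits[0])
        hits.append(now)
        return 0.0


class LoginThrottle:
    """Throttle a login endpoint per source IP and per target account.

    The per-IP limit slows one client trying many accounts; the per-account
    limit slows password guessing that is spread over many source addresses.
    The numbers are illustrative assumptions, not values from the lecture.
    """

    def __init__(self, clock=time.monotonic):
        self.per_ip = SlidingWindowLimiter(limit=20, window_s=60, clock=clock)
        self.per_user = SlidingWindowLimiter(limit=5, window_s=300, clock=clock)

    def retry_after(self, ip, username):
        """0 = go on to the password check; N > 0 = answer 429, Retry-After: N."""
        wait_ip = self.per_ip.check(ip)
        wait_user = self.per_user.check(username.strip().lower())
        return math.ceil(max(wait_ip, wait_user))


def simulate():
    """Replay constructed traffic against the throttle with a fake clock."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])

    # One client guessing passwords for one account, one attempt per second.
    guessing = []
    for second in range(8):
        now[0] = float(second)
        guessing.append(throttle.retry_after("198.51.100.7", "alice"))

    # One client trying 25 different accounts in the same second.
    now[0] = 1000.0
    stuffing = [throttle.retry_after("203.0.113.9", f"user{i}") for i in range(25)]

    # The same client is accepted again once its window has passed.
    now[0] = 1060.0
    later = throttle.retry_after("203.0.113.9", "user-next")
    return guessing, stuffing, later


if __name__ == "__main__":
    print(simulate())
```

State is kept in process memory here; behind several API servers the counters would need a shared store, which is one reason the lecture points to an API gateway for this job.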
3. User Account Hijacking –
Account hijacking is the most serious security issue in Cloud Computing. If the account
of a user or an organization is hijacked by a hacker, the hacker has full authority to
perform unauthorized activities.
a. Understanding Account Hijacking
Account hijacking refers to the act of taking control of a user’s account without their
consent, allowing attackers to manipulate data, access sensitive information, and
perform unauthorized actions. In cloud environments, where resources are shared and
accessible via the internet, the risks associated with account hijacking are particularly
pronounced.
b. Common Techniques Used for Account Hijacking
•Phishing Attacks: Cybercriminals often use phishing techniques to trick users into
providing their login credentials. This can be done through deceptive emails, fake
websites, or SMS messages.
•Credential Stuffing: Attackers exploit the practice of password reuse by using stolen
usernames and passwords from one site to gain access to accounts on other platforms.
•Keylogging and Malware: Keyloggers can capture keystrokes and credentials, while
malware may infiltrate systems to gather sensitive information.
•Social Engineering: Attackers manipulate users into revealing their passwords or
personal information through psychological tactics.
•Weak Passwords: Accounts protected by weak passwords are more susceptible to
brute force attacks where attackers try multiple password combinations.
•Insider Threats: Current or former employees with knowledge of the organization's
security can exploit their access to hijack accounts.
c. Implications of Account Hijacking
•Data Breaches: Attackers can access sensitive data, leading to potential data
breaches that can affect both individuals and organizations.
•Unauthorized Transactions: Hijacked accounts may allow attackers to perform
financial transactions, modify settings, or misuse resources.
•Reputation Damage: Organizations may suffer reputational harm if customers’ data
is compromised, leading to loss of trust.
•Compliance Violations: Many industries have strict rules for protecting data (like
GDPR in Europe). If an account hijacking leads to sensitive data being exposed, the
company may face big fines or legal trouble for not following the rules.
•Service Disruption: Attackers can disrupt cloud services by changing settings, deleting
files, or overloading systems. This can cause major downtime, meaning the business
can't operate properly. Customers may also experience interruptions, which can hurt
the company's income and customer satisfaction.
d. Prevention Strategies
•Use Strong Authentication Methods: Implementing strong, unique passwords and
enabling two-factor authentication (2FA) adds layers of security.
•Educate Users: Regular training and awareness programs can help users recognize
phishing attempts and social engineering tactics.
•Monitor Account Activity: Continuous monitoring of account activities can help detect
unusual or suspicious behaviors.
•Limit Permissions: Use the principle of least privilege (PoLP) to ensure users have
only the access necessary for their roles.
•Regularly Update Security Practices: Keep security measures, software, and systems
up to date to protect against new threats.
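An added example (not from the original lecture) of the "Monitor Account Activity" point: detection logic run over authentication log lines that flags one source failing logins against many accounts, and any successful login from that source while the burst is still recent. The log format, thresholds and `SAMPLE_LOG` are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed log lines; addresses come from documentation-only ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.50 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.50 user=bob result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.50 user=carol result=FAIL
2024-05-01T10:00:04Z ip=198.51.100.7 user=erin result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.50 user=dave result=FAIL
2024-05-01T10:00:09Z ip=198.51.100.7 user=erin result=OK
2024-05-01T10:00:12Z ip=203.0.113.50 user=frank result=OK
2024-05-01T10:20:00Z ip=192.0.2.10 user=alice result=OK
"""


def parse(lines):
    """Turn log lines into time-ordered (timestamp, ip, user, result) tuples."""
    events = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that are not authentication events
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, match["ip"], match["user"], match["result"]))
    return sorted(events)


def detect(events, window=timedelta(minutes=5), min_users=4):
    """Return alerts as (rule, source ip, detail) tuples.

    credential_stuffing: one IP failed logins for >= min_users accounts in window.
    possible_takeover:   a login succeeded from such an IP within the window, so
                         that account's password should be treated as exposed.
    """
    alerts = []
    fails = defaultdict(list)  # ip -> [(timestamp, username)] of recent failures
    reported = set()
    for ts, ip, user, result in events:
        recent = [(t, u) for t, u in fails[ip] if ts - t <= window]
        if result == "FAIL":
            recent.append((ts, user))
        fails[ip] = recent
        targets = {u for _, u in recent}
        if len(targets) < min_users:
            continue  # a user mistyping a password stays below the threshold
        if result == "FAIL" and ip not in reported:
            reported.add(ip)
            alerts.append(("credential_stuffing", ip, f"{len(targets)} accounts"))
        elif result == "OK":
            alerts.append(("possible_takeover", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG.splitlines())):
        print(alert)
```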
e. Response Measures After Hijacking
If an account is suspected to be hijacked, organizations should take immediate action:
•Change Passwords: Promptly change passwords for the compromised account and
any other accounts using the same credentials.
•Investigate the Breach: Conduct a thorough investigation to understand how the
breach occurred and the extent of the damage.
•Notify Affected Parties: Inform affected users and stakeholders about the breach
and the measures being taken to secure accounts.
•Report to Authorities: Depending on the severity of the incident, report the hijacking
to appropriate authorities and comply with regulatory requirements.
•Reinforce Security Measures: After addressing the breach, organizations should
evaluate and enhance their security protocols to prevent future incidents.
4. Changing Service Provider –
Vendor lock-in is also an important security issue in Cloud Computing. Many
organizations face different problems while shifting from one vendor to another.
For example, if an organization wants to shift from AWS Cloud to Google Cloud
Services, it faces various problems such as moving all of its data; the two cloud
services also have different techniques and functions, which causes further
problems. Also, the charges of AWS may be different from those of Google Cloud, etc.
a- Data Migration:
Complex Data Transfer: Moving large data volumes between AWS and Google
Cloud can be slow, costly, and challenging due to differing storage formats.
Downtime Risks: Migration may cause service downtime, disrupting business
operations.
Security Concerns: Risks include data corruption, breaches, or loss during transfer,
making security and data integrity critical.
b- Different Architectures and Tools:
Service Incompatibility: AWS and Google Cloud use different tools and services,
so businesses may need to adjust or rebuild their applications when switching.
Learning Curve: IT teams might need extra training to learn the new platform,
adding time and cost to the migration.
c- Cost Differences:
Different Pricing: AWS and Google Cloud charge differently for storage,
compute, networking, and data transfer. Switching between them can change your
cloud costs, and unexpected fees might come up.
Exit Fees: Some providers charge to move data out, which can be expensive and
add to the overall cost of switching.
d- Compliance and Regulatory Issues:
Legal Compliance: AWS and Google Cloud may have different rules on data storage,
security, and compliance (like GDPR or HIPAA). When switching, you may need to review
these to stay compliant.
Security Differences: Both platforms have different security policies and encryption
methods, which can make it harder to keep the same security level during and after the
migration.
e- Third-party Software Dependencies:
Integration Issues: Many cloud applications rely on third-party services that may work
well with one provider but need changes when switching to another.
Vendor-Specific Software: If a company uses software made for AWS, it may not work
on Google Cloud, limiting its options.
f- Interoperability and Standardization Issues:
Lack of Standardization: Cloud providers use different protocols and formats. Without
common standards, moving applications and data between providers often requires
major changes.
HOW TO MITIGATE VENDOR LOCK-IN:

❑Multi-Cloud Strategy: Using multiple cloud providers simultaneously helps mitigate the
risk of vendor lock-in, ensuring that organizations aren’t entirely dependent on one
platform.
❑Containerization and Microservices: Tools like Docker and Kubernetes can make
applications more portable, allowing them to run on different cloud environments
without heavy reconfiguration.
❑Open Standards and APIs: Choosing cloud services that adhere to open standards
and open APIs can reduce the complexities of migration.
❑Hybrid Cloud Environments: Combining on-premises infrastructure with multiple cloud
providers can offer flexibility and prevent reliance on a single vendor.
5. Lack of Skill –
Day-to-day work, shifting to another service provider, needing an extra feature, and knowing how
to use a feature are the main problems in IT companies that don’t have skilled employees. So
working with Cloud Computing requires skilled people.
Lack of Skill in Cloud Computing
1. Skill Gaps:
Many IT companies struggle with migrating to or using different cloud services due to insufficiently
trained employees.
2. Feature Utilization:
Employees may lack knowledge of specific cloud features, leading to inefficiencies and errors during
implementation.
3. Continuous Learning:
Cloud computing is constantly evolving, necessitating ongoing training to stay updated on new
features and best practices.
4. Impact on Productivity:
Skill shortages can cause delays, reduced productivity, and excessive time spent troubleshooting
rather than focusing on core tasks.
5. Solutions:
Investing in regular training, workshops, and certifications can help employees acquire necessary skills,
enhancing overall cloud competency.
6. Denial of Service (DoS) attack –
This type of attack occurs when the system receives too much traffic. DoS attacks
mostly occur in large organizations such as the banking sector, government sector, etc.
When a DoS attack occurs, data is lost. So, recovering the data requires a great
amount of money as well as time.
For example, if a bank website can handle 10 people per second clicking the Login
button, an attacker only has to send 10 fake requests per second so that no
legitimate users can log in. DoS attacks exploit various weaknesses in computer
network technologies. They may target servers, network routers, or network
communication links. They can cause computers and routers to crash and links to bog
down. The most famous DoS technique is the Ping of Death.
PREVENTION
Given that Denial of Service (DoS) attacks are becoming more frequent, it is a good time to
review the basics and how we can fight back.

Cloud Mitigation Provider – Cloud mitigation providers are experts at providing DDoS
mitigation from the cloud. This means they have built out massive amounts of network
bandwidth and DDoS mitigation capacity at multiple sites around the Internet that can take
in any type of network traffic, whether you use multiple ISPs, your own data center, or any
number of cloud providers. They can scrub the traffic for you and only send “clean” traffic to
your data center.
Firewall – This is the simplest and least effective method. Python scripts are often written to
filter out malicious traffic, or existing firewalls can be utilized by enterprises to block such
traffic.
Internet Service Provider (ISP) – Some enterprises use their ISP to provide DDoS mitigation.
These ISPs have more bandwidth than an enterprise would, which can help with large
volumetric attacks.
FEATURES TO HELP MITIGATE THESE ATTACKS:
Network Segmentation: Segmenting the network can help prevent a DoS attack from
spreading throughout the entire network. This limits the impact of an attack and helps to
isolate the affected systems.
Implement Firewalls: Firewalls can help prevent DoS attacks by blocking traffic from known
malicious IP addresses or by limiting the amount of traffic allowed from a single source.
Use Intrusion Detection and Prevention Systems: Intrusion Detection and Prevention
Systems (IDS/IPS) can help to detect and block DoS attacks by analyzing network traffic
and blocking malicious traffic.
Limit Bandwidth: Implementing bandwidth limitations on incoming traffic can help prevent a
DoS attack from overwhelming the network or server.
Implement Content Delivery Network (CDN): A CDN can help to distribute traffic and
reduce the impact of a DoS attack by distributing the load across multiple servers.
Use Anti-Malware Software: Anti-malware software can help to detect and prevent
malware from being used in a DoS attack, such as botnets.
Perform Regular Network Scans: Regular network scans can help identify
vulnerabilities and misconfigurations that can be exploited in a DoS attack. Patching
these vulnerabilities can prevent a DoS attack from being successful.
Develop a Response Plan: Having a DoS response plan in place can help minimize
the impact of an attack. This plan should include steps for identifying the attack,
isolating affected systems, and restoring normal operations.
7. Shared Resources: Cloud computing relies on a shared infrastructure. If one
customer’s data or applications are compromised, it may potentially affect other
customers sharing the same resources, leading to a breach of confidentiality or
integrity.
8. Compliance and Legal Issues: Different industries and regions have
specific regulatory requirements for data handling and storage. Ensuring compliance
with these regulations can be challenging when data is stored in a cloud environment
that may span multiple jurisdictions.
9. Data Encryption: While data in transit is often encrypted, data at rest can
be susceptible to breaches. It’s crucial to ensure that data stored in the cloud is
properly encrypted to prevent unauthorized access.
10. Insider Threats: Employees or service providers with access to cloud systems
may misuse their privileges, intentionally or unintentionally causing data breaches.
Proper access controls and monitoring are essential to mitigate these threats.
11. Data Location and Sovereignty: Knowing where your data physically resides
is important for compliance and security. Some cloud providers store data in multiple
locations globally, and this may raise concerns about data sovereignty and who has
access to it.
12. Loss of Control: When using a cloud service, you are entrusting a third party
with your data and applications. This loss of direct control can lead to concerns about
data ownership, access, and availability.
13. Incident Response and Forensics: Investigating security incidents in a cloud
environment can be complex. Understanding what happened and who is responsible
can be challenging due to the distributed and shared nature of cloud services.
14. Data Backup and Recovery: Relying on cloud providers for data backup and
recovery can be risky. It’s essential to have a robust backup and recovery strategy in
place to ensure data availability in case of outages or data loss.
15. Vendor Security Practices: The security practices of cloud service providers
can vary. It’s essential to thoroughly assess the security measures and certifications of
a chosen provider to ensure they meet your organization’s requirements.
16. IoT Devices and Edge Computing: The proliferation of IoT devices and edge
computing can increase the attack surface. These devices often have limited security
controls and can be targeted to gain access to cloud resources.
17. Social Engineering and Phishing: Attackers may use social engineering
tactics to trick users or cloud service providers into revealing sensitive information or
granting unauthorized access.
18. Inadequate Security Monitoring: Without proper monitoring and alerting
systems in place, it’s challenging to detect and respond to security incidents in a timely
manner.
