An Analysis of Cloud Security Frameworks, Problems and Proposed Solutions
Abstract
1. Introduction
- Network related
- Confidentiality and privacy
- Data-related issues
- Virtualization-related issues
- Others
- What is the procedure for implementing a cloud security architecture in an organization? What tools are needed to carry out each step?
- What are the important issues for organizations when establishing a cloud security strategy in terms of training, awareness, and change management?
- A Historical Overview of Cloud Computing
- A critical examination of the history and context of cloud security frameworks
- Description of gaps, prior studies’ findings, cloud security framework discussion areas and views, cloud security concerns and solutions
- A description of why this study is vital and how it will help the field.
2. Literature Review
2.1. Cloud Security Frameworks
2.1.1. Ability of Framework
2.1.2. Use of Framework
2.1.3. Implementation Challenges
2.2. Cloud Security Problems and Solutions
2.2.1. Cloud Security Problems
2.2.2. Cloud Security Solutions
3. Cloud Security Frameworks
1. COBIT 5 for Cloud Computing
2. NIST SP 800-144
3. ISO 27017
4. FedRAMP
5. AWS Well-Architected Framework
6. CSA STAR
7. ENISA Cloud Security Guide
8. CIS Controls for Cloud
9. Cloud Controls Matrix (CCM)
10. CSA Security Guidance
- COBIT 5 (Control and Assurance in Cloud: Using COBIT5)
- NIST (National Institute of Standards and Technology)
- ISO 27017 (International Organization for Standardization)
- CSA STAR (Cloud Security Alliance Security, Trust, and Assurance Registry)
- AWS Well-Architected Framework
3.1. COBIT 5 for Cloud Security
3.1.1. Principles
3.1.2. Strengths
- Holistic Approach: COBIT 5 provides a comprehensive approach to cloud control and assurance, encompassing topics like governance, risk management, control goals, and performance assessment. It provides a complete framework for managing cloud security in a methodical and integrated manner.
- Risk Focus: COBIT 5 emphasizes a risk-oriented approach to cloud control and assurance. It assists businesses in identifying, assessing, and prioritizing risks connected with cloud services, data security, and regulatory compliance. This helps organizations to properly allocate resources and prioritize risk reduction activities.
- Alignment with Industry Standards, Frameworks, and Regulations: COBIT 5 is aligned with industry standards, frameworks, and regulations, helping organizations satisfy compliance needs. It advises on how to apply practices from sources such as ISO 27001, the NIST Cybersecurity Framework, and the GDPR. This alignment makes it easier to implement a uniform and effective control and assurance program.
- Control Objectives: COBIT 5 provides a set of specified control goals targeted to cloud settings. Access management, data protection, incident response, and vendor management are among the important control objectives addressed. They serve as realistic guidance for building cloud security policies.
- Continual Improvement: COBIT 5 encourages a culture of continual improvement in cloud control and assurance. It prompts businesses to evaluate their control system, measure performance, and identify opportunities for improvement. This iterative strategy helps organizations adapt to changing cloud security concerns and continuously improve their control environment.
3.1.3. Limitations
- Complexity: Implementing COBIT 5 for cloud control and assurance requires a complete grasp of the framework and its components. This can be difficult, particularly for organizations with limited resources or technical expertise; adequate training and assistance may be required to capitalize on its benefits.
- Customization Issues: COBIT 5 provides a broad framework that must be customized to an organization’s individual needs and cloud environment. Customizing the framework to meet specific needs and cloud service providers may necessitate more effort and skill.
- Tools Dependency: COBIT 5 gives guidelines on control and assurance operations but does not advocate specific tools or technology. Organizations must rely on outside sources or expertise to choose and deploy appropriate cloud control and assurance systems.
- Dynamic Cloud Environment: Cloud environments are ever-changing and dynamic. COBIT 5 may need to be updated and adjusted on a regular basis to accommodate new technology, emerging risks, and changing regulatory requirements. Organizations must stay current in order to keep their control and assurance practices relevant.
3.1.4. COBIT 5 Process for Securing Cloud Infrastructure
- Define and Align IT Goals: Clearly identify IT goals and match them with the wider business objectives of the organization. Understanding the potential advantages and dangers of cloud adoption, as well as aligning cloud plans with business goals, are all part of this process.
- Assess Cloud Readiness: Conduct a complete assessment of the organization’s technical, operational, and security skills to determine its preparedness to utilize cloud services. This evaluation should take into account considerations such as data sensitivity, regulatory requirements, and business continuity.
- Establish Cloud Governance: Put in place a solid governance structure to assist cloud decision-making. This involves developing rules and processes, defining roles and duties, and assuring compliance with relevant laws, regulations, and standards.
- Vendor Selection and Management: Develop a systematic strategy for selecting cloud service providers (CSPs) based on stated criteria such as security measures, service dependability, and compliance capabilities. Contracts and service level agreements (SLAs) that explicitly explain expectations, duties, and performance indicators should be established.
- Risk Management: Risk management includes identifying and assessing the hazards connected with cloud adoption, as well as developing risk mitigation techniques. This involves examining security procedures, determining the dependability and availability of cloud services, and dealing with data privacy and confidentiality problems.
- Data Management: Establish data management practices to assure the confidentiality, integrity, and availability of cloud-stored data. Data classification, encryption, backup and recovery procedures, and adherence to data protection requirements are all part of this.
- Incident Response and Forensics: Create cloud-specific incident response strategies, including methods for identifying and reacting to security problems. When creating investigative methods, keep in mind the particular problems of cloud forensics, such as data dispersion, shared resources, and multi-tenancy.
- Performance Measurement: Define and monitor key performance indicators (KPIs) to assess the efficacy and efficiency of cloud services. Assess and report on the performance and value supplied by cloud services on a regular basis to ensure they fulfill business needs.
- Continuous Improvement: Implement a continuous improvement process for cloud services, including regular reviews and assessments to identify areas for enhancement. Continuously monitor emerging cloud technologies, industry trends, and regulatory changes to ensure ongoing alignment with best practices.
3.2. NIST SP 800-144
3.2.1. NIST’s Advantages in Cloud Infrastructure Security
- Comprehensive and Proven: In the cybersecurity field, the NIST framework is well-recognized and accepted. It provides a complete and organized approach to cloud security, including risk assessment, security controls, incident response, and continuous monitoring. Based on industry input and evolving security concerns, the framework is constantly updated and optimized.
- Flexibility and Adaptability: The NIST framework is intended to be adaptable to different organizations and cloud settings. It allows organizations to adjust security controls to their individual needs and regulatory requirements, so that security measures fit their own cloud architecture and business activities.
- Vendor-neutral perspective: NIST SP 800-144 is vendor-neutral, concentrating on the basic security and privacy principles that organizations should consider while adopting public cloud services. This enables organizations to use the recommendations independently of the cloud service provider they select, increasing flexibility and adaptability.
- Practical Advice: The document provides practical advice and best practices for safeguarding public cloud systems: setting security controls, analyzing cloud service providers’ security capabilities, and meeting compliance requirements. This helps organizations translate guidance into actionable steps to improve cloud security.
3.2.2. NIST’s Limitations in Protecting Cloud Infrastructure
- Rapidly Evolving Threat Landscape: Threats to cloud security and the weaknesses they exploit emerge continually. Although routinely updated, the NIST guidance may not always keep pace with new risks. To manage the shifting threat landscape, organizations should augment it with continuous monitoring, threat intelligence, and industry-specific security guidance.
- Limited International Coverage: NIST SP 800-144 is written primarily for US federal agencies and does not fully address standards and regulations outside the United States. Organizations with worldwide operations, or those operating in many countries, may need to consider additional regulatory frameworks and norms specific to their jurisdictions.
3.2.3. NIST Best Practice
- Understand the Cloud Environment: Gain a thorough awareness of the cloud environment, including the types of cloud services utilized (e.g., Software as a Service, Platform as a Service, and Infrastructure as a Service) and the security and privacy issues that come with them.
- Security and Privacy Requirements: Determine and record your organization’s security and privacy requirements, including data sensitivity, compliance needs, legal concerns, and industry-specific standards.
- Selection and Evaluation of Cloud Service Providers (CSP): Examine possible CSPs’ security capabilities and practices. Consider the CSP’s security certifications, incident response methods, data encryption systems, and adherence to relevant standards.
- Data Protection: Put in place suitable safeguards to secure data in the cloud. This involves encrypting sensitive data at rest and in transit, imposing least privilege access rules, and putting in place data backup and recovery methods.
- Identity and Access Management: Implement robust IAM controls to guarantee that only authorized personnel have access to cloud resources. Employ multi-factor authentication, strong password rules, and role-based access control (RBAC) to manage user rights efficiently.
- Secure Configuration Management: Securely configure cloud resources by adhering to industry best practices and CSP standards. Review and update setups on a regular basis to meet emerging threats and vulnerabilities.
- Continuous Monitoring and Logging: Implement strong monitoring and logging methods in the cloud environment to follow activities and detect security occurrences. To discover possible risks and abnormalities, monitor system logs, network traffic, and user actions.
- Incident Response and Recovery: Create and implement a cloud-specific incident response plan. Create protocols for identifying, reacting to, and recovering from security events. To ensure the plan’s efficacy, test and update it on a regular basis.
- Compliance and Governance: Ensure that appropriate legislation, standards, and contractual commitments are followed. To manage cloud security, create a governance structure that includes roles and duties, policies, and processes.
- Security Awareness and Training: Provide ongoing security awareness and training to educate employees about cloud security risks and best practices. Foster a culture of security awareness and accountability within the organization.
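The data-protection, IAM and secure-configuration practices in the list above can be checked mechanically. The following is an added example, not code from the paper or from NIST: it lints two constructed policies and two constructed bucket configurations against least privilege, MFA on sensitive actions, encryption at rest and TLS-only transport. The policy documents use the AWS IAM JSON grammar; the bucket-config keys, the sensitive-action list and the checks themselves are assumptions made for the illustration.

```python
"""Added example (not from the paper): lint constructed IAM-style policies and
bucket settings against the practices above: least privilege, MFA on sensitive
actions, encryption at rest and TLS in transit.  The policy documents use the
AWS IAM JSON grammar; the bucket-config keys, the sensitive-action list and
the checks themselves are assumptions made for this illustration."""
import json

# Constructed sample: over-permissive policy of the kind a least-privilege review catches.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:DeleteUser", "s3:DeleteBucket"], "Resource": "*"}
  ]
}""")

# Constructed sample: the same needs expressed with scoped actions, a scoped
# resource, and an MFA condition on the destructive action.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-data/*"},
    {"Effect": "Allow", "Action": ["s3:DeleteBucket"],
     "Resource": "arn:aws:s3:::example-app-data",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}""")

# Assumed list of actions that should never be allowed without MFA.
SENSITIVE_ACTIONS = {"iam:DeleteUser", "s3:DeleteBucket", "kms:ScheduleKeyDeletion"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings (strings) for the Allow statements of an IAM policy dict."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource")
        # A sensitive action (or a full wildcard) granted without an MFA condition.
        touches_sensitive = "*" in actions or bool(SENSITIVE_ACTIONS & set(actions))
        has_mfa = "aws:MultiFactorAuthPresent" in json.dumps(st.get("Condition", {}))
        if touches_sensitive and not has_mfa:
            findings.append(f"statement {i}: sensitive action without MFA condition")
    return findings


# Constructed bucket settings. 'tls_only' stands in for a bucket policy that
# denies requests with aws:SecureTransport=false; the key names are assumptions.
WEAK_BUCKET = {"name": "example-app-data", "default_encryption": None,
               "tls_only": False, "versioning": False, "public_access_block": False}
HARDENED_BUCKET = {"name": "example-app-data", "default_encryption": "aws:kms",
                   "tls_only": True, "versioning": True, "public_access_block": True}


def lint_bucket(cfg):
    """Return findings for a bucket config dict: rest/transit encryption, recovery, exposure."""
    findings = []
    if not cfg.get("default_encryption"):
        findings.append(f"{cfg['name']}: no default encryption at rest")
    if not cfg.get("tls_only"):
        findings.append(f"{cfg['name']}: transport not restricted to TLS")
    if not cfg.get("versioning"):
        findings.append(f"{cfg['name']}: versioning off, no recovery from accidental deletion")
    if not cfg.get("public_access_block"):
        findings.append(f"{cfg['name']}: public access not blocked")
    return findings


if __name__ == "__main__":
    for label, pol, bkt in (("weak", WEAK_POLICY, WEAK_BUCKET),
                            ("hardened", HARDENED_POLICY, HARDENED_BUCKET)):
        print(label, lint_policy(pol) + lint_bucket(bkt))
```

The weak pair produces nine findings and the hardened pair none. In practice the same checks would be fed from the provider's policy and bucket APIs rather than inline samples, and run on every change as part of the continuous-monitoring practice above.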
3.3. ISO 27017:2015
3.3.1. Security Controls for Cloud
3.3.2. Benefits
- Safeguard their information assets within the cloud computing environment.
- Comply with all applicable laws and regulations.
- Reduce the likelihood of data security problems.
- Reduce the need for redundant controls to save money.
3.3.3. Required Steps to Implement
- Acquaint yourself with the Standard: Obtain a copy of ISO 27017 and thoroughly read it. Understand the standard’s objectives, requirements, and recommendations.
- Examine Your Present Cloud Environment: Assess your current cloud infrastructure, platforms, and services. Determine how ISO 27017 might assist in addressing possible risks and gaps in security controls.
- Form a Project Team: Within your organization, form a team that will be in charge of implementing ISO 27017. Stakeholders from IT, security, legal, compliance, and other relevant areas should be included.
- Gap Analysis: Conduct a gap analysis that compares your present security practices to ISO 27017’s requirements and recommendations. Determine which areas require improvement or extra controls.
- Create an Implementation Strategy: Develop a thorough strategy covering the actions, milestones, and deadlines for adopting ISO 27017, and prioritize the actions by risk and criticality.
- Implement Security Controls: Follow ISO 27017’s specified security controls and procedures. Access controls, encryption, data segregation, incident response protocols, and supplier management are some examples.
- Training and Awareness: Provide training and awareness programs to educate staff on the significance of cloud security and their duties under ISO 27017, so that everyone knows their responsibilities for safeguarding information assets in the cloud.
- Documentation and Policies: Create and maintain documentation that proves ISO 27017 compliance. Policies, processes, risk assessments, incident response plans, and records of security occurrences and their resolution may be included.
- Regular evaluation and Improvement: Monitor and evaluate your cloud security on a regular basis to guarantee continuing compliance with ISO 27017. Conduct audits, risk assessments, and evaluations on a regular basis to identify areas for improvement and execute necessary adjustments.
- Third-Party Evaluation: Consider hiring a third-party auditor or consultant to evaluate your cloud security practices in relation to ISO 27017. They may conduct an impartial assessment of your compliance and make recommendations for improvement.
3.4. Cloud Security Alliance (STAR)
3.4.1. Strengths
- Standardized Assessment: The CSA STAR framework provides a standardized way to evaluate CSP security posture. It offers a standardized set of control objectives and criteria that organizations may use to evaluate and compare various cloud service providers.
- Transparency and accountability: The framework encourages CSPs to give thorough information about their security, data handling methods, and regulatory compliance. Customers may thus make educated judgments when purchasing and using cloud services.
- Third-Party Certification: The CSA STAR program provides a certification mechanism by which CSPs demonstrate compliance with the CSA’s security principles and best practices. This accreditation gives clients assurance about the security of their selected cloud services.
- Collaboration among Industry Experts: The CSA STAR framework is developed through collaboration among industry experts, ensuring that it contains a diverse variety of viewpoints and experiences. This contributes to the development of a comprehensive and strong framework for addressing numerous security risks in cloud computing.
3.4.2. Limitations
- Reliance on Self-Assessment: The entry level of CSA STAR (Level 1) is a self-assessment by the cloud service provider. While CSPs are urged to submit accurate and complete information, the framework makes no guarantees regarding the quality or completeness of what is submitted. Customers must use caution and verify the claims CSPs make.
- Developing Technology Coverage Is Limited: The CSA STAR framework may not adequately address the security problems associated with developing technologies or niche cloud services. As technology advances, new security issues that are not expressly addressed in the framework may emerge.
- Lack of Enforcement: CSPs’ compliance with the CSA STAR framework is entirely voluntary. Although the framework promotes openness and best practices, it lacks legal or regulatory enforcement measures. Organizations must evaluate the credibility of a CSP’s claims and adopt extra security measures depending on their unique needs.
3.4.3. How Can an Organization Use the Framework?
1. Become Acquainted with the CSA STAR Program: Understand the CSA STAR structure, its aims, and the certification criteria. Go over the CSA STAR materials, including the STAR Certification Control Objectives and Criteria, to obtain a thorough grasp of the program.
2. Identify Your Cloud Service Providers (CSPs): Determine which CSPs your organization is presently using or considering for cloud services. Examine their security practices, certifications, and openness about their security procedures.
3. Perform Due Diligence: Perform due diligence on CSPs by seeking information on their security, certifications, independent audit reports, and any other relevant documentation. Examine their security disclosures for completeness and correctness.
4. Implement Risk Mitigation Measures: Identify any risks or vulnerabilities connected with the identified CSPs based on the evaluations. Implement risk-mitigation strategies such as extra security controls, data encryption, access controls, or legally binding security commitments.
5. Establish Contractual Agreements: Negotiate and establish contractual agreements with CSPs that explicitly set out security expectations, duties, and compliance requirements. Ensure that the contract addresses data protection, incident response, service-level agreements (SLAs), and regulatory compliance.
6. Monitor and Review: Continuously monitor and review the performance and security posture of your CSPs. Conduct frequent evaluations and audits to ensure compliance with the CSA STAR framework and the efficacy of the security measures in place.
7. Stay Updated with the CSA STAR Program: Keep up with CSA STAR program updates and adjustments. Review the most recent CSA STAR documentation, control objectives, and criteria on a regular basis to ensure continued alignment with the framework.
3.5. AWS Well-Architected Framework
3.5.1. Pillars
3.5.2. Advantages
The following are some of the advantages of adopting the AWS Well-Architected Framework:
- Best Practices: The framework includes a collection of tried-and-true best practices for creating, deploying, and running AWS applications. Following these best practices will help you enhance your system’s overall architecture, security, dependability, performance, and cost-efficiency.
- Mitigation of Risks: The framework assists in identifying possible risks and vulnerabilities in your architecture. By tackling these risks early on, you may improve your systems’ security, compliance, and resilience, minimizing the possibility of security breaches, downtime, or performance difficulties.
- Cost Optimization: By implementing the Cost Optimization pillar, you will be able to analyze and optimize your AWS resource utilization and expenses. This assists in identifying possibilities to cut needless spending, remove inefficient resources, and enhance overall cost efficiency, potentially saving money.
- Performance Efficiency: This pillar is concerned with optimizing the performance of your applications. You may increase the responsiveness, scalability, and performance of your systems through best practices such as auto-scaling, caching, and efficient data storage.
- Operational Excellence: The framework emphasizes operational efficiency, allowing organizations to optimize their procedures and workflows. You may improve system reliability, streamline processes, and reduce manual work by integrating automation, monitoring, and effective incident response.
- Scalability and Flexibility: By following the guidelines of the framework, you may build your applications to be highly scalable and adaptable, allowing them to handle variable workloads and adapt to changing business requirements. This allows you to adapt to market needs fast and grow your systems as needed.
- AWS Service Alignment: The Well-Architected Framework is compatible with a variety of AWS services, features, and technologies. You may use the framework to construct powerful, scalable, and cost-effective solutions by using AWS’s vast spectrum of services.
3.5.3. Limitations
While the AWS Well-Architected Framework has many advantages, it also has several restrictions and drawbacks that should be considered:
- Learning Curve: Adoption of the Well-Architected Framework may involve a learning curve for teams unfamiliar with AWS or cloud architecture. Training and upskilling are required to understand and apply its best practices.
- Overemphasis on AWS Services: The Well-Architected Framework strongly encourages the usage of AWS services, which may result in vendor lock-in. Organizations may grow unduly reliant on AWS-specific services, making migration to alternative cloud providers difficult if necessary.
- Assessing Complexity: Performing Well-Architected reviews and evaluations can take a long time and a lot of resources. It necessitates data collection and analysis, architectural evaluations, and change implementation, which may be a big endeavor for organizations.
3.5.4. Deployment Guide
- Get to Know the Framework: Understand the Well-Architected Framework’s pillars: operational excellence, security, reliability, performance efficiency, cost optimization and, added in late 2021, sustainability. Learn the best practices related to each pillar.
- Evaluate Your Architecture: Compare your current or planned architecture against the Well-Architected Framework. Identify areas for improvement and the associated risks. For a first assessment, use the AWS Well-Architected Tool.
- Set Goals and Priorities: Set clear goals and priorities for your architecture based on the evaluation results and business needs. Choose the priorities within each pillar to concentrate on.
- Design for Well-Architected: Align your architecture with the Well-Architected Framework. Consider the AWS best practices and recommendations for each pillar. Address any risks or deficiencies that have been discovered.
- Create an Action Plan: Make a thorough action plan outlining the measures needed to close the identified gaps. Define tasks, assign responsibilities, and establish timetables for achieving improvements.
- Test and Validate: Perform thorough testing to check that the introduced changes have remedied the identified issues and that the workload functions as intended. Validate the architecture’s performance, security, and reliability.
- Review and Improve: Review your architecture on a regular basis to ensure that it adheres to the Well-Architected Framework. Formal Well-Architected Reviews should be conducted with AWS Solution Architects or authorized partners to obtain professional perspectives and recommendations for future enhancements.
- Foster a Culture of Best Practices: Within your organization, foster a culture of best practices and architectural excellence. Educate and train your teams on the Well-Architected Framework’s concepts and urge them to use them in their everyday work.
4. Cloud Security Challenges and Proposed Solutions
4.1. Managed Security Threats
4.1.1. Abuse of Cloud Computing
- Unauthorized Access
- Data Breaches
- Resource misuse
- Cryptocurrency mining
- Spamming and phishing
4.1.2. Malicious Insider
- Data theft or leakage
- Unauthorized Access
- Sabotage or data manipulation
4.2. Technical Security Threat
4.2.1. Insecure API
- Unauthorized access and authentication bypass
- Injection attacks
- Insecure Data Transmission
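The three API weaknesses listed above are easiest to see side by side. The following is an added example, not code from the paper or from any cloud provider: a small object-listing handler in a vulnerable form (identity taken from the request body, SQL built by string formatting, any transport accepted) and a hardened form (TLS required, identity derived from a verified HMAC token, parameterized query). The request format, the token scheme and the in-memory SQLite store are assumptions chosen for the illustration.

```python
"""Added example (not from the paper): a small object-listing API handler in a
vulnerable and a hardened form, to make the three failure modes above concrete.
The request format, the HMAC token scheme and the in-memory SQLite store are
assumptions chosen for the illustration, not any provider's real API."""
import hashlib
import hmac
import sqlite3

# Constructed signing key; in practice this comes from a secrets manager.
SECRET = b"constructed-demo-secret"


def make_token(user):
    """Issue 'user.hmac' so the server can bind identity to a verifiable value."""
    sig = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{sig}"


def open_store():
    """Constructed tenant data: two owners, one object each."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE objects(owner TEXT, name TEXT, data TEXT)")
    db.executemany("INSERT INTO objects VALUES (?, ?, ?)",
                   [("alice", "report.pdf", "alice-secret"),
                    ("bob", "notes.txt", "bob-secret")])
    return db


def list_objects_vulnerable(req, db):
    """Authentication bypass: identity is whatever the client puts in 'user'.
    Injection: the owner value is formatted straight into the SQL text."""
    user = req["user"]
    sql = f"SELECT name, data FROM objects WHERE owner = '{user}'"
    return list(db.execute(sql))


def list_objects_hardened(req, db):
    """Refuse cleartext transport, derive identity from a verified token,
    and pass the owner as a bound parameter instead of SQL text."""
    if req.get("scheme") != "https":
        raise PermissionError("cleartext transport refused")
    user, _, sig = req.get("token", "").rpartition(".")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    if not user or not hmac.compare_digest(sig, expected):
        raise PermissionError("invalid token")
    return list(db.execute("SELECT name, data FROM objects WHERE owner = ?", (user,)))


def run_demo():
    """Exercise both handlers and return the observable outcomes."""
    db = open_store()
    alice_token = make_token("alice")
    forged_token = "bob." + alice_token.split(".")[1]   # alice's signature, bob's name

    def refused(req):
        try:
            list_objects_hardened(req, db)
            return False
        except PermissionError:
            return True

    return {
        # injection: a crafted owner value returns every tenant's rows
        "vuln_injection_rows": len(list_objects_vulnerable({"user": "x' OR '1'='1"}, db)),
        # bypass: simply naming another user reads their data
        "vuln_bypass_data": list_objects_vulnerable({"user": "bob"}, db)[0][1],
        # hardened handler returns only the caller's own objects
        "hardened_rows": list_objects_hardened({"scheme": "https", "token": alice_token}, db),
        "hardened_refuses_http": refused({"scheme": "http", "token": alice_token}),
        "hardened_refuses_forged": refused({"scheme": "https", "token": forged_token}),
        # a valid token for a malicious name still cannot inject: the value is bound, not parsed
        "hardened_injection_rows": len(list_objects_hardened(
            {"scheme": "https", "token": make_token("x' OR '1'='1")}, db)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The injection payload returns both tenants' rows from the vulnerable handler and nothing from the hardened one; the forged token is rejected because the HMAC was computed over a different user name. A production API would use the provider's signed-request or OAuth scheme rather than this hand-rolled token, but the three properties it enforces are the same.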
4.2.2. Virtualization Vulnerabilities
- Vulnerabilities in the Hypervisor
- DoS attacks
4.2.3. Data Loss
- Failures in hardware or infrastructure
- Accidental deletion or human error
- Malicious Activity
4.2.4. Account, Service, and Traffic Hijacking
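The threats in this section (abuse of cloud resources for cryptocurrency mining in 4.1.1, data theft by a malicious insider in 4.1.2, and account hijacking in 4.2.4) are named above but not shown. The following is an added example, not from the paper: three detection rules run over constructed CloudTrail-style events. Field names follow the CloudTrail record layout, flattened for brevity; the events, the thresholds, the per-user list of known source addresses and the GPU-family heuristic are all assumptions.

```python
"""Added example (not from the paper): three detection rules run over
constructed CloudTrail-style events, one for each threat named in this
section: resource abuse for cryptocurrency mining (4.1.1), bulk data theft by
an insider (4.1.2) and account hijacking (4.2.4).  Field names follow the
CloudTrail record layout, flattened for brevity; the events, thresholds,
'known IP' baseline and the GPU-family heuristic are assumptions."""
from collections import Counter, defaultdict

GB = 1_000_000_000

# Constructed events, not real telemetry.
EVENTS = [
    {"eventName": "ConsoleLogin", "user": "alice", "sourceIPAddress": "198.51.100.4",
     "mfaUsed": "Yes", "success": True},
    {"eventName": "ConsoleLogin", "user": "carol", "sourceIPAddress": "203.0.113.9",
     "mfaUsed": "No", "success": True},
    {"eventName": "RunInstances", "user": "alice", "instanceType": "t3.micro", "count": 1},
    {"eventName": "RunInstances", "user": "dave", "instanceType": "p3.16xlarge", "count": 8},
    {"eventName": "RunInstances", "user": "dave", "instanceType": "g4dn.12xlarge", "count": 8},
    {"eventName": "RunInstances", "user": "dave", "instanceType": "p3.16xlarge", "count": 8},
    {"eventName": "GetObject", "user": "bob", "bytes": 5 * GB},
    {"eventName": "GetObject", "user": "bob", "bytes": 4 * GB},
    {"eventName": "GetObject", "user": "bob", "bytes": 3 * GB},
    {"eventName": "GetObject", "user": "alice", "bytes": 4_096},
]

# Source addresses each user has logged in from before (assumed baseline).
KNOWN_IPS = {"alice": {"198.51.100.4"}, "carol": {"198.51.100.4"}}


def detect_hijacking(events, known_ips):
    """Successful console login without MFA from an address outside the user's baseline."""
    return [
        {"rule": "account-hijacking", "user": e["user"], "ip": e["sourceIPAddress"]}
        for e in events
        if e["eventName"] == "ConsoleLogin" and e.get("success")
        and e.get("mfaUsed") != "Yes"
        and e["sourceIPAddress"] not in known_ips.get(e["user"], set())
    ]


def detect_mining(events, max_gpu_instances=8):
    """More GPU instances launched by one principal than the assumed ceiling.
    Heuristic: AWS GPU instance families begin with 'p' or 'g' (p3, g4dn, ...)."""
    launched = Counter()
    for e in events:
        if e["eventName"] == "RunInstances" and e["instanceType"][:1] in ("p", "g"):
            launched[e["user"]] += e.get("count", 1)
    return [{"rule": "gpu-burst", "user": u, "instances": n}
            for u, n in launched.items() if n > max_gpu_instances]


def detect_exfiltration(events, byte_threshold=10 * GB):
    """Total object download volume per principal above the assumed threshold."""
    volume = defaultdict(int)
    for e in events:
        if e["eventName"] == "GetObject":
            volume[e["user"]] += e.get("bytes", 0)
    return [{"rule": "bulk-download", "user": u, "bytes": b}
            for u, b in volume.items() if b > byte_threshold]


def run_rules(events=EVENTS, known_ips=KNOWN_IPS):
    """Run all three rules and return their findings."""
    return (detect_hijacking(events, known_ips)
            + detect_mining(events)
            + detect_exfiltration(events))


if __name__ == "__main__":
    for finding in run_rules():
        print(finding)
```

On the constructed events the rules flag carol's MFA-less login from an unfamiliar address, dave's 24 GPU instances and bob's 12 GB of downloads, and nothing for alice. Real deployments would read the same fields from the provider's audit trail, keep the baseline and thresholds per account, and tune them against normal workload behaviour before alerting.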
5. Conclusions
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
Cloud Security Framework | Area | Description
---|---|---
Perspective | Risk Management | These frameworks provide a systematic way to identify security threats, vulnerabilities, and risk levels. For cloud settings they emphasize risk assessment, risk treatment, and risk monitoring.
Perspective | Security for the organization | These frameworks provide security policies for areas including identity and access management, encryption, network security, and incident response.
Perspective | Compliance | These frameworks offer rules and recommendations for meeting compliance standards such as GDPR, HIPAA, PCI DSS, and FedRAMP.
Perspective | Architecture and Design | These frameworks offer recommendations for designing secure cloud architectures, covering network segmentation, data isolation, multi-tenancy, and secure deployment methods.
Debates | Standardization vs. Customization in Implementation | Standardization encourages uniformity and simplicity of implementation; customization lets organizations adjust security policies to their own requirements. The right mix of the two is critical for addressing organizational requirements and specific hazards.
Debates | Centralized vs. Decentralized Implementation | Whether responsibility for implementing cloud security frameworks should be centralized or distributed across departments. Centralization guarantees consistency and concentrated expertise; decentralization may improve agility and alignment with individual business units.
Gaps | Lack of knowledge and comprehension | Security policies and recommendations may be applied improperly or misinterpreted.
Gaps | Inadequate training and skills | Organizations may not invest properly in training and growing the skills of their employees, resulting in implementation gaps and issues.
Gaps | Inadequate configuration and customization | Organizations may skip this phase or fail to fully apply the appropriate configurations, leaving exploitable gaps in their security posture.
Importance | Contribution to Field |
---|---|
Practical Guidance | The implementation guide offers practical advice and recommendations for organizations wishing to efficiently adopt cloud security frameworks. It provides step-by-step instructions, best practices, and real-world examples to assist organizations in navigating the intricacies of cloud security. |
Bridging the Gap Between Theory and Practice | While research on cloud security frameworks exists, there is frequently a gap between theoretical understanding and actual application. This gap is filled by the implementation guide, which translates theoretical principles into tangible procedures and tactics that organizations can easily use for their cloud security projects. |
Cloud security is a critical concern | The research paper will offer advice on how to create cloud security frameworks, covering frequent difficulties and best practices. This will assist organizations in improving their knowledge and use of cloud security measures. |
Comprehensive Analysis of Cloud Security Problems | The research paper provides a thorough examination of the numerous security issues that exist in cloud computing. It finds and categorizes typical issues including misconfigurations, poor identity and access management, data security concerns, shared infrastructure hazards, and so on. This report gives a good overview of the unique problems that organizations face when it comes to safeguarding their cloud installations. |
Proposal of Effective Solutions | The study not only highlights cloud security challenges but also proposes remedies for them. It recommends realistic and effective security solutions, best practices, and technological advances that can improve cloud security. Secure configuration practices, strong identity and access management, data encryption approaches, stronger isolation and virtualization security, and continuous monitoring and incident response procedures are among the solutions offered.
Frameworks | Description |
---|---|
COBIT 5 for Cloud Computing | The COBIT framework extended to address cloud-specific governance and control concerns.
NIST | Provides standards and best practices for cloud computing security and privacy issues.
ISO 27017 | Code of practice for information security controls for cloud services, based on ISO/IEC 27002.
FedRAMP | A US federal program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud services.
AWS Well-Architected Framework | Best practices and guidelines for designing and operating secure and efficient workloads on AWS.
CSA STAR | A public registry documenting the security practices of cloud service providers, assessed against the CSA Cloud Controls Matrix.
ENISA Cloud Security Guide | Addresses several security topics and provides guidance on analyzing and reducing threats in cloud settings.
CIS Controls for Cloud | Security controls and practices tailored to cloud environments, based on the CIS Controls.
Cloud Controls Matrix (CCM) | Provides a set of cloud-specific security controls mapped to industry standards and regulations.
CSA Security Guidance | Describes security best practices and controls for the various cloud service models and deployment models.
Framework | Focus | Scope | Approach
---|---|---|---
COBIT 5 | COBIT 5 is a comprehensive framework for enterprise IT governance and management, including security controls. | It addresses a wide range of IT disciplines, such as security, risk management, and compliance. | COBIT 5 focuses on governance, risk management, and compliance (GRC) processes and emphasizes aligning IT with business objectives.
NIST SP 800-144 | NIST SP 800-144 specifically addresses security and privacy in public cloud computing. | It gives guidance for organizations using cloud computing and focuses on risk management, security controls, and data privacy. | NIST SP 800-144 takes a risk-based approach and addresses the security and privacy concerns particular to cloud deployments.
ISO 27017 | ISO 27017 is a standard focused on implementing information security controls for cloud services. | It addresses security issues such as data protection, access control, incident management, and regulatory compliance for both cloud service providers and cloud customers. | ISO 27017 adopts a risk-management approach to cloud security and provides a set of controls and recommendations.
CSA STAR | CSA STAR is a program that lets cloud service providers demonstrate their security practices and be transparent with customers. | It focuses on evaluating cloud service providers' security, privacy, and risk management capabilities. | CSA STAR presents a set of control objectives and criteria for assessing cloud service providers' security posture, allowing customers to make informed decisions about their cloud services.
AWS Well-Architected | The Amazon Web Services (AWS) Well-Architected Framework is specific to AWS and provides guidance for designing, implementing, and operating secure and efficient cloud systems. | It covers different areas of cloud architecture, such as security, reliability, performance, cost optimization, and operational excellence. | Security, reliability, performance efficiency, cost optimization, and operational excellence are the five pillars discussed here (AWS added a sixth, sustainability, in late 2021). The framework outlines best practices and design guidelines for each pillar.
Process | Tools and Techniques
---|---|
Define Objectives and Scope | Document management tools (e.g., Microsoft Word, Google Docs) |
Assess the Current State | Risk assessment tools (e.g., Qualys, Nessus) |
Define Governance Framework | GRC (Governance, Risk, and Compliance) platforms (e.g., RSA Archer, MetricStream) |
Identify Risk | Risk assessment tools and methodologies (e.g., FAIR, OCTAVE) |
Define Control Objectives | COBIT 5 framework documentation and guidance materials |
Design Security Controls | Cloud security management platforms (e.g., AWS Security Hub, Azure Security Center, now Microsoft Defender for Cloud)
Implement Security Controls | Cloud-native security services (e.g., AWS IAM, Azure AD, now Microsoft Entra ID)
Monitor and Measure | Security information and event management (SIEM) tools (e.g., Splunk, IBM QRadar) |
Perform Audits and Reviews | Audit management tools (e.g., ACL, TeamMate) |
Continual Improvement | IT service management (ITSM) tools (e.g., ServiceNow, Jira Service Management) |
Process | Tools and Techniques |
---|---|
Understand the cloud deployment models and service models | Cloud Service Provider assessment tools: CAIQ, CCM |
Prioritize security and privacy requirements | Vulnerability scanners (e.g., Nessus, Qualys); risk frameworks (NIST Risk Management Framework, FAIR)
Protect data in transit and at rest | TLS for data in transit (with certificate verification enabled); at-rest encryption with provider-managed or customer-managed keys (e.g., KMS-backed storage encryption)
Implement strong identity and access management controls | Identity and access management (IAM) solutions (e.g., Okta, Azure Active Directory, AWS IAM)
Security controls implementation | Network security tools (IDPS, Wireshark); secure configuration management tools (Chef, Ansible)
Continuous Monitoring and Logging | Security information and event management (SIEM) systems (e.g., Splunk, Elastic SIEM); log management and analysis tools (e.g., LogRhythm, Graylog); threat intelligence platforms (e.g., ThreatConnect, Recorded Future)
Incident Response and Recovery | Incident response tools (IBM Resilient, ServiceNow); forensic tools (EnCase, Volatility)
Compliance and Governance | GRC platforms (RSA Archer, MetricStream)
Personnel training and education | Security awareness training (KnowBe4, SANS); phishing simulation tools (Cofense, GoPhish)
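The "protect data in transit" row names only the protocol, but in practice the failures a reviewer finds are not in TLS itself; they are clients that switch verification off. The following is an added example written for this page (not the paper's code) showing a hardened client context next to the weak shape that often appears in code, plus an audit function that flags the weak settings. It uses only the standard-library ssl module and assumes nothing beyond that.

```python
"""Added example (not from the paper): a TLS client context configured the
way a security review expects, a weak context of the kind seen in code
reviews, and an audit that flags the weak settings. Standard library only."""
import ssl


def hardened_client_context(ca_file=None):
    """TLS 1.2 or newer, certificate verification on, hostname check on.

    ca_file is optional: pass a private CA bundle for internal services,
    otherwise the platform trust store is used.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verification on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def weak_client_context():
    """The usual 'it works now' fix: verification disabled.

    Any certificate is accepted, so an on-path attacker can terminate the
    connection with their own key and read or modify everything.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accepts self-signed or forged certs
    return ctx


def audit_context(ctx):
    """Return a list of findings for an SSLContext; empty means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled "
                        "(verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled: a valid certificate "
                        "for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol {ctx.minimum_version.name} "
                        "permits TLS 1.0/1.1")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "ok")
    print("weak:", audit_context(weak_client_context()))
```

The audit is the part worth keeping: it can be run against any context an application builds, so a single disabled check does not survive unnoticed into production. Encryption at rest is a separate control (storage-level encryption with managed keys) and is not covered by a TLS context.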
Controls | Description |
---|---|
Asset Management Controls | Asset inventory: Keep track of all cloud-based assets, including data, apps, systems, and infrastructure components. Classification of assets: Classify cloud assets based on their criticality and sensitivity so that appropriate security measures are applied.
Access Controls | Identity and access management: Implement controls to manage user identities, authentication, and authorization for access to cloud resources. Privileged access management: Control and monitor privileged access to cloud environments to reduce the risk of unauthorised actions.
Cryptographic Controls | Encryption: Use encryption technologies to safeguard data at rest and in transit in the cloud. Key management: Establish proper key management processes to ensure the secure generation, storage, and destruction of encryption keys. |
Incident Management Controls | Incident response planning: Create and implement a cloud incident response plan that outlines roles, responsibilities, and processes for dealing with security events. Logging and monitoring: Implement logging and monitoring mechanisms to detect and respond to security events and potential breaches within the cloud environment. |
Supplier Management Controls | Supplier evaluation: Evaluate and choose cloud service providers (CSPs) based on their security capabilities and compliance with recognised security standards. Contractual agreements: In contracts with CSPs, define specific security standards and duties, such as data protection, incident reporting, and compliance obligations. |
Compliance Controls | Legal and regulatory compliance: Ensure that all applicable laws, regulations, and contractual duties for information security and data protection in the cloud are met. Auditing and evaluation: Conduct frequent audits and evaluations to ensure compliance with security measures and standards. |
Data Protection Controls | Tenant separation: Implement procedures to ensure the logical and physical separation of customer data within the cloud environment. Backup and recovery: Establish data backup and recovery mechanisms to prevent data loss or destruction within the cloud environment.
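The "Continuous Monitoring and Logging" step above and the "Logging and monitoring" item under Incident Management Controls both stop at "detect and respond to security events". What follows is an added example, written for this page rather than taken from the paper, of what that detection looks like over CloudTrail-style records: root-account use, console logins without MFA, a burst of failed logins from one address, and changes that disable logging or mint credentials. The field names (eventName, userIdentity, additionalEventData.MFAUsed, responseElements.ConsoleLogin) are the real CloudTrail ones; the records, thresholds, trail name and account id are constructed for the example.

```python
"""Added example (not from the paper): detection rules over CloudTrail-style
records for the monitoring and account-hijacking items in the tables above.
Sample records below are constructed; field names follow CloudTrail."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Events that disable audit logging or mint new credentials: typical
# defence-evasion or persistence steps after a hijack (illustrative subset).
SENSITIVE_EVENTS = {"StopLogging", "DeleteTrail", "CreateAccessKey",
                    "UpdateLoginProfile", "DeactivateMFADevice"}
FAIL_THRESHOLD = 5                  # failed console logins per source IP ...
FAIL_WINDOW = timedelta(minutes=5)  # ... inside this window => brute force


def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(records):
    """Return (rule, detail) alerts for a list of CloudTrail records."""
    alerts = []
    failures = defaultdict(deque)  # source IP -> timestamps of failed logins
    for r in sorted(records, key=_ts):
        ident = r.get("userIdentity", {})
        who = ident.get("arn", "unknown")
        name = r["eventName"]
        ip = r.get("sourceIPAddress", "?")

        # The root account should never be used for day-to-day work.
        if ident.get("type") == "Root":
            alerts.append(("root-usage", f"{name} by root from {ip}"))

        if name == "ConsoleLogin":
            outcome = r.get("responseElements", {}).get("ConsoleLogin")
            mfa = r.get("additionalEventData", {}).get("MFAUsed")
            if outcome == "Success" and mfa != "Yes":
                alerts.append(("login-without-mfa", f"{who} from {ip}"))
            elif outcome == "Failure":
                q = failures[ip]
                q.append(_ts(r))
                while q and _ts(r) - q[0] > FAIL_WINDOW:
                    q.popleft()  # drop failures outside the window
                if len(q) >= FAIL_THRESHOLD:
                    alerts.append(("login-bruteforce",
                                   f"{len(q)} failures from {ip} in {FAIL_WINDOW}"))
                    q.clear()  # one alert per burst

        if name in SENSITIVE_EVENTS:
            status = r.get("errorCode", "succeeded")  # denied attempts count too
            alerts.append(("sensitive-change",
                           f"{name} ({status}) by {who} from {ip}"))
    return alerts


def _rec(time, name, kind, user, ip, **extra):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    arn = "arn:aws:iam::123456789012:" + ("root" if kind == "Root" else f"user/{user}")
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": kind, "arn": arn}}
    rec.update(extra)
    return rec


SAMPLE_RECORDS = [
    _rec("2023-04-04T09:00:00Z", "ConsoleLogin", "IAMUser", "alice", "203.0.113.10",
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _rec("2023-04-04T09:05:00Z", "ConsoleLogin", "Root", "root", "203.0.113.10",
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
] + [
    _rec(f"2023-04-04T09:10:{s:02d}Z", "ConsoleLogin", "IAMUser", "bob", "198.51.100.7",
         responseElements={"ConsoleLogin": "Failure"}, additionalEventData={"MFAUsed": "No"})
    for s in range(0, 50, 10)  # five failures in 40 seconds
] + [
    _rec("2023-04-04T09:12:00Z", "StopLogging", "IAMUser", "bob", "198.51.100.7",
         requestParameters={"name": "org-trail"}),
    _rec("2023-04-04T09:13:00Z", "CreateAccessKey", "IAMUser", "bob", "198.51.100.7",
         requestParameters={"userName": "bob"}),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_RECORDS):
        print(f"{rule:20s} {detail}")
```

The same rules map directly onto SIEM correlation searches; the point of writing them out is that each one is a concrete, testable statement of what "monitoring" must catch, which is what an audit of the control actually needs.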
Process | Tools and Techniques |
---|---|
Understand CSA STAR | CSA STAR Certification Guidelines document, CSA STAR Self-Assessment Tool. |
Choose CSPs | CSA STAR Registry to identify certified CSPs, and vendor assessment tools (e.g., security questionnaires, third-party risk assessment platforms). |
Perform Due Diligence | Vendor risk management tools, and document management systems. |
Implement Risk Mitigation Measures | Risk assessment tools (e.g., risk assessment frameworks, risk assessment questionnaires), compliance management tools (e.g., GRC platforms). |
Establish Contractual Agreements | Cloud security frameworks (e.g., CSA CCM, NIST SP 800-53), contract management tools. |
Monitor and Review | Security information and event management (SIEM) tools, log management tools, and compliance management tools. |
Threats | Affected Cloud Services | Effects | Solutions |
---|---|---|---|
Abuse of Cloud Computing | PaaS and IaaS | Loss of validation, service fraud, stronger attacks enabled by anonymous sign-up | Network analysis, robust registration and multi-factor authentication
Insecure API | PaaS, SaaS, IaaS | Improper authentication and authorization, the wrong transmission of Content | Data Encryption, Strong access control and multi-factor authentication |
Malicious Insider | PaaS, SaaS and IaaS | Assets damage, productivity loss and confidentiality break | Duty Segregation, IAM policies |
Data Loss | PaaS, SaaS and IaaS | Deletion, modification and theft of confidential and personal data | Backup, disaster recovery and data-recovery management
Service and Account hijacking | PaaS, SaaS and IaaS | Compromise of critical areas of the cloud environment and servers, including access to the root account | Adoption of strong authentication (MFA) and security policies
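Three rows in the table above, and the IAM rows in the earlier process and controls tables, all come down to the same remedy: tightly scoped IAM policies with MFA on privileged actions. The following is an added example written for this page (not the paper's code) of a static check that finds the opposite: wildcard grants, privileged actions usable without an MFA condition, and resource policies open to any principal. The policy shape is the real IAM JSON grammar; the list of privileged actions is an illustrative subset and the two sample policies (bucket name, account id) are constructed.

```python
"""Added example (not from the paper): a static check of AWS IAM policy
documents for wildcard grants, privileged actions allowed without MFA,
and public resource policies. Sample policies are constructed."""
import fnmatch

# Illustrative subset of actions that grant or escalate privilege
# (an assumption for this example, not an authoritative AWS list).
PRIVILEGED_ACTIONS = [
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "sts:AssumeRole", "kms:ScheduleKeyDeletion", "s3:DeleteBucket",
]


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Statement."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _covers(pattern, action):
    """True if a policy action pattern ('*', 'iam:*', 'iam:Pass*')
    matches a concrete action; IAM action matching is case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _requires_mfa(statement):
    """True if the statement is conditioned on aws:MultiFactorAuthPresent."""
    cond = statement.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        if str(cond.get(op, {}).get("aws:MultiFactorAuthPresent")).lower() == "true":
            return True
    return False


def _is_public_principal(principal):
    return principal == "*" or (
        isinstance(principal, dict) and principal.get("AWS") == "*")


def lint_policy(policy):
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))

        if "NotAction" in st or "NotResource" in st:
            findings.append(f"stmt {idx}: Allow with NotAction/NotResource "
                            "is unbounded; rewrite as an explicit allow-list")
        if "*" in actions and "*" in resources:
            findings.append(f"stmt {idx}: Action '*' on Resource '*' is "
                            "full administrative access")
        elif "*" in resources:
            for a in actions:
                if a.endswith("*"):
                    findings.append(f"stmt {idx}: wildcard action {a} "
                                    "on every resource")
        privileged = sorted({p for p in PRIVILEGED_ACTIONS
                             for a in actions if _covers(a, p)})
        if privileged and not _requires_mfa(st):
            findings.append(f"stmt {idx}: privileged action(s) {privileged} "
                            "allowed without an MFA condition")
        if _is_public_principal(st.get("Principal")) and "Condition" not in st:
            findings.append(f"stmt {idx}: Principal '*' with no Condition "
                            "makes the resource public")
    return findings


# Constructed sample policies (fictional bucket, role and account id).
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "s3:GetObject"],
         "Resource": "*"},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/app/*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-task-role",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

if __name__ == "__main__":
    for name, pol in (("loose", LOOSE_POLICY), ("tight", TIGHT_POLICY)):
        print(name, lint_policy(pol) or "no findings")
```

The tight policy is the segregation-of-duties shape the table asks for: each statement names the exact actions and ARNs it needs, and the one privileged action is gated on MFA. A check like this runs well as a pre-merge gate on infrastructure-as-code, where policies are still plain JSON.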
Problem | Risk Level |
---|---|
Abuse of Cloud Computing | Medium |
Malicious Insider | Medium |
Insecure API | High |
Virtualization Vulnerabilities | High |
Account, Service and traffic hijacking | High |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Cite as: Chauhan, M.; Shiaeles, S. An Analysis of Cloud Security Frameworks, Problems and Proposed Solutions. Network 2023, 3, 422–450. https://doi.org/10.3390/network3030018