Security tips for cloud solutions - Media Host

The concept of security evolves in step with the changes in the IT solutions themselves. Cloud solutions, besides offering a wide variety of services (storage, backup, office applications, web hosting, management of financial activity, contacts, POS …), provide security improvements over the traditional storage options that companies run themselves, although this does not mean that they are risk-free.

With the use of cloud computing solutions, the security of the system depends, to a large extent, on the providers of these cloud services. To better explain these aspects, we will begin by defining the different agents that participate in these cloud computing models.

  • Cloud service provider: the company that owns the computing infrastructure needed to host the programs following the cloud computing model.
  • Client: the party (an individual, organization or company) that contracts cloud services and pays for the benefits they provide.
  • User: the person or group of people who use the solutions. They are not necessarily the client. For example, within a company, the end users are the employees who use the solutions without having paid for them individually.

The security mechanisms depend on collaborative work between service providers and customers. Responsibility rests with both parties, and it is recommended that they work together to be protected against potential threats.

What security measures should cloud solution providers follow?

The main task of cloud service providers is to prevent unauthorized people from gaining access to data. It is very important to keep the software up to date with the latest versions in order to deal with the threats that exist on the Internet. In addition, virtualization and data segmentation are used as mechanisms to reinforce security.

Providers' digital security

Virtualization is the process by which multiple virtual machines run within a single server, each running its own operating system in isolation. A hypervisor (an application) controls which virtualization platform is used in each case and the resources allotted to each operating system.

On the other hand, data segmentation can be used as another security mechanism. Since the data is spread over different servers, or even different data centers, extra protection is gained against a hypothetical theft at the service provider's facilities. Furthermore, data segmentation makes it possible to keep copies of the data in different locations, almost simultaneously.

And the clients?

Digital safety measures

The customer is also responsible for keeping the operating system updated and installing new security patches as they appear. Traditional security policies must also be maintained: user control, deleting user accounts that are no longer used, or reviewing the software to verify that it has no vulnerabilities, among others.

Among the specific mechanisms that can be chosen are perimeter control, cryptography and log management.

Perimeter control is carried out by installing and configuring a firewall: the application in charge of monitoring all communications to or from the computer or the network, which decides whether to allow them according to the rules established by the system administrator. For a higher level of security, installing and configuring an Intrusion Detection System (IDS) is recommended. It is an application that allows and blocks connections, analyzing them to detect whether they carry content that is dangerous for the whole network. In addition, it is able to categorize the different threats and inform the system administrator according to a list of rules.

Cryptography is another protection mechanism: data is encoded so that it cannot be understood by anyone who does not know the encryption mechanism. There are different levels of encryption depending on the type of communication established: between the network and the application users, the connections between the cloud administrators themselves, and the protection of data in storage. If an unauthorized user intercepts the data or gains access to the cloud file system, they will not be able to interpret the hosted content without knowing the encryption key.

Log management (the event log files) is the only way to check computer activity, detect incidents and formulate a plan of action to prevent recurrence. The client must store and review all the logs under his responsibility.

For example: the record of users who access an application, the manipulation of the data and files of the virtual machine, or the record of potentially dangerous connections detected by the IDS and the firewall. It is also recommended to make backup copies of these logs and even store them on a different machine, since if an attacker takes control of the system in the cloud, he could destroy the log files and all traces of his activity.
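As an added example (not part of the Media Host article), the following Python script reviews a constructed user-access log of the kind described above, flags accounts with repeated failed logins, and builds a SHA-256 hash chain over the log lines; keeping the chain digests on the separate machine the article recommends lets the client detect whether a line in the cloud copy was later deleted or altered. The log format and the threshold of three failures are assumptions made for the example.

```python
import hashlib
from collections import Counter

# Constructed sample: lines from a hypothetical application access log.
ACCESS_LOG = [
    "2024-05-01T08:01:10Z user=alice action=login result=success src=10.0.0.5",
    "2024-05-01T08:02:44Z user=bob action=login result=failure src=198.51.100.7",
    "2024-05-01T08:02:51Z user=bob action=login result=failure src=198.51.100.7",
    "2024-05-01T08:03:02Z user=bob action=login result=failure src=198.51.100.7",
    "2024-05-01T08:05:30Z user=alice action=download file=report.pdf",
]

GENESIS = "0" * 64  # starting value for the hash chain


def parse(line):
    """Split 'timestamp key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def failed_logins(lines, threshold=3):
    """Return {user: count} for users with at least `threshold` failed logins."""
    counts = Counter(r["user"] for r in map(parse, lines)
                     if r.get("action") == "login" and r.get("result") == "failure")
    return {user: n for user, n in counts.items() if n >= threshold}


def chain_digests(lines):
    """Digest each line together with the previous digest, so that removing or
    editing any line changes every digest that follows it."""
    prev, out = GENESIS, []
    for line in lines:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        out.append(prev)
    return out


def verify_chain(lines, digests):
    """Recompute the chain over `lines` and compare with the stored `digests`.
    Returns the index of the first mismatch (or of a missing tail), or -1 if intact."""
    prev = GENESIS
    for i, (line, stored) in enumerate(zip(lines, digests)):
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        if prev != stored:
            return i
    return -1 if len(lines) == len(digests) else min(len(lines), len(digests))
```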