#### **4.5 Insecure interfaces and poor APIs implementation**

Application Programming Interfaces (APIs), as the name suggests, are the interface between the system and outside untrusted entities. They are among the most exposed parts of a system accessible via the Internet: they let users customize their cloud experience, and they also indirectly provide a safe conduit or entry points for strangers. A poorly designed, weak set of interfaces exposes an organization's precious sensitive resources to various security issues related to confidentiality, integrity, availability, and accountability. Apart from giving programmers the tools to build and integrate their applications with other job-critical software, an API also serves to authenticate, provide access, and effect encryption. Cloud assets can be compromised if a vulnerability of an API, which lies in the communication that takes place between applications, is exploited. Thus standard and open API frameworks must be referred to while designing the interfaces, which may help to protect against both accidental and malicious attempts to circumvent security.

#### **4.6 Insider threats**

The human element in data security has many faces and many sources. Insiders may come from any level of the hierarchy of either the service provider or the client organization, and they can abuse their authorized access to the organization's or cloud provider's networks, systems, and data, as they are uniquely positioned to cause damage without even breaking the firewalls and other security defense mechanisms. Being authorized and operating at a trusted level, these insiders may misuse information or perform nefarious activities through malicious intent, accidents, carelessness or malware. Measures to mitigate the consequences of insider threats include routine audits of on-site and off-site servers, frequent password changes, and confining privileged access to security systems and central servers to a limited number of employees, apart from controlling access and offering business partnerships to the employees. Prevention is better than cure: dealing with this category of threat becomes more expensive and complex, as it involves containment, forensic investigation, escalation, surveillance and monitoring.

#### **4.7 Insufficient credentials and identity/compromised accounts**

Inadequate credential, identity or key management may lead to unauthorized access to data and information. As a result, malicious intruders camouflaged as genuine users can manipulate sensitive data. If an impostor manages to gain access to a cloud user's credentials, they can target the entire resources of the cloud along with the user organization's assets, and even influence the organization's administrative users as well. Other tenants of the same cloud are also at high risk of security incidents and breaches. Automated regular rotation of cryptographic keys and passwords, removal of unused credentials, implementation of a proper, scalable, central programmatic credential management system, and use of multifactor authentication are some of the measures which must be undertaken by the cloud provider to avert the risk of data breaches. Moreover, due diligence should be taken to ensure that third parties to whom the cloud provider may have outsourced operations or maintenance work satisfy the security requirements contracted by the cloud service provider, because it indirectly elevates the threats and compromises the overall security. Strict credential access, multifactor authentication, and segregated and segmented accounts are some of the suggested measures one should opt for to mitigate the risk.
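The credential measures named in section 4.7 (rotation, removal of unused credentials, multifactor authentication) can be checked mechanically against a credential inventory. The following is an added example, not code from the original chapter; the inventory, its field names, the audit date and both thresholds are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory (not a real provider export); field names are assumptions.
CREDENTIALS = [
    {"owner": "alice", "kind": "password", "created": "2024-04-10",
     "last_used": "2024-05-30", "mfa": True},
    {"owner": "bob", "kind": "password", "created": "2023-02-01",
     "last_used": "2024-05-28", "mfa": False},
    {"owner": "ci-deploy", "kind": "access_key", "created": "2023-06-01",
     "last_used": "2024-05-31", "mfa": None},
    {"owner": "old-batch", "kind": "access_key", "created": "2024-04-01",
     "last_used": None, "mfa": None},
]

TODAY = date(2024, 6, 1)   # constructed audit date so results are reproducible
MAX_AGE_DAYS = 90          # assumed rotation window
MAX_IDLE_DAYS = 45         # assumed threshold for "unused"


def days_since(iso_day, today):
    """Whole days between an ISO date string and the audit date."""
    return (today - date.fromisoformat(iso_day)).days


def audit(credentials, today):
    """Return {owner: [finding, ...]} for credentials that violate the policy."""
    findings = {}
    for cred in credentials:
        issues = []
        if days_since(cred["created"], today) > MAX_AGE_DAYS:
            issues.append("rotate")          # key or password past the rotation window
        last = cred["last_used"]
        if last is None or days_since(last, today) > MAX_IDLE_DAYS:
            issues.append("remove-unused")   # never used, or idle for too long
        if cred["kind"] == "password" and not cred["mfa"]:
            issues.append("enable-mfa")      # interactive login without a second factor
        if issues:
            findings[cred["owner"]] = issues
    return findings


if __name__ == "__main__":
    for owner, issues in audit(CREDENTIALS, TODAY).items():
        print(f"{owner}: {', '.join(issues)}")
```
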


*Introductory Chapter: Cloud Computing Security Challenges DOI: http://dx.doi.org/10.5772/intechopen.92544*

*Cloud Computing Security - Concepts and Practice*

resources, results in making these resources a soft target for malicious and undesired activities, and thus entire cloud repositories may be exposed to intruders. The overall business impact depends on the nature of the misconfiguration and on how quickly it is detected and resolved. Excessive permissions, unrestricted access to ports and services, unsecured data storage, unchanged default credentials and configuration settings, and disabled standard security controls, logging and monitoring are some typical issues related to misconfiguration. They must be dealt with utmost care by continuously scanning for misconfigured resources in real time, as traditional change control and configuration management techniques become ineffective in a cloud environment.
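The typical misconfiguration issues listed in the paragraph on misconfigured resources (excessive permissions, unrestricted ports, unsecured storage, default credentials, disabled logging) map directly onto rules that a scanner can evaluate per resource. The following is an added example, not code from the original chapter; the resource inventory, its field names and the allowed public ports are constructed assumptions.

```python
# Constructed resource inventory; field names are assumptions,
# not any cloud provider's schema.
RESOURCES = [
    {"id": "vm-web", "type": "vm",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443},
                 {"cidr": "0.0.0.0/0", "port": 22}],
     "default_credentials": False, "logging": True},
    {"id": "bucket-reports", "type": "storage",
     "public": True, "encrypted": False, "logging": False},
    {"id": "bucket-logs", "type": "storage",
     "public": False, "encrypted": True, "logging": True},
    {"id": "role-app", "type": "role", "actions": ["storage:Get", "*"]},
    {"id": "db-main", "type": "database",
     "ingress": [{"cidr": "10.0.0.0/8", "port": 5432}],
     "default_credentials": True, "logging": True},
]

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}   # "anyone on the Internet"
PUBLIC_OK_PORTS = {80, 443}          # assumed: only web ports may be public


def scan(resource):
    """Return the list of misconfiguration findings for one resource."""
    found = []
    if any(a == "*" or a.endswith(":*") for a in resource.get("actions", [])):
        found.append("excessive-permissions")
    for rule in resource.get("ingress", []):
        if rule["cidr"] in OPEN_CIDRS and rule["port"] not in PUBLIC_OK_PORTS:
            found.append(f"open-port-{rule['port']}")
    if resource.get("public") or resource.get("encrypted") is False:
        found.append("unsecured-storage")
    if resource.get("default_credentials"):
        found.append("default-credentials")
    if resource.get("logging") is False:
        found.append("logging-disabled")
    return found


def scan_all(resources):
    """Map resource id -> findings, omitting resources with no findings."""
    report = {r["id"]: scan(r) for r in resources}
    return {rid: found for rid, found in report.items() if found}


if __name__ == "__main__":
    for rid, found in scan_all(RESOURCES).items():
        print(f"{rid}: {', '.join(found)}")
```
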

#### **4.8 Weak control plane/insufficient due diligence**

Non-standard data formats, non-standard APIs, and excessive reliance on a cloud provider's proprietary tools make it difficult and expensive to migrate from one vendor to another. As a result, the cloud provider may start exploiting the customer, or, if for some reason the cloud provider ceases its operation and goes out of business, moving data elsewhere in a timely manner becomes hectic and may eventually result in loss of data too. Thus, to avoid such a grim situation of vendor lock-in, an adequate control plan and due diligence should be in place before deciding to migrate to any cloud. Any hasty decision made without anticipating the quality and nature of the services from the cloud provider may pose a security risk, especially when the desired services are bound and controlled by legal and statutory obligations, or are hired for handling highly sensitive, personal or financial data. The cloud service user must perform due diligence and ensure that the proposed cloud service provider has an adequately strong control plane in place; its absence could result in data loss, either by theft or corruption. Apart from the technical issues discussed above, one equally important parameter which must be given due weight in the decision-making process is the people factor. If the person in charge is unable to exercise full control over data security, infrastructure and verification, then the security, integrity and stability of data may be at stake.

#### **4.9 Shared vulnerabilities**

The multi-tenancy feature of the cloud makes cloud services cost-effective for individual organizations, but it incidentally leads to yet another security issue. Exploitation of system and software vulnerabilities within cloud infrastructure and services results in failure to maintain physical and logical separation among different tenants in a multi-tenant environment. This failure to maintain separation can further be exploited by intruders to gain unauthorized access from one tenant's resources to another's. Such attacks can be accomplished by exploiting the vulnerabilities of either the cloud provider or any of the tenants whose security is weaker. This increases the attack surface, leading to an increased chance of data leakage. Moreover, cloud security is by default a shared responsibility of both the cloud service provider and the client organization, so a proper understanding of it is imperative to implement effective security. Failure to achieve this seamless integration for security implementation can result in data and resources being compromised.

#### **4.10 Nefarious use or abuse of cloud services**

Intruders, by exploiting the vulnerabilities of cloud computing resources, may target a user's or cloud provider's resources to host malware activities. An intruder may either launch DoS attacks and thus make services unavailable to legitimate users, or use these resources for illicit purposes such as mining crypto-currency, automated click trailing, or brute-force attacks for security breaches, while the customer foots the bill. The bill could be substantially high, as activities like mining require huge resources. Attackers may use the cloud's exceptional storage capacity to store and propagate malware and to carry out illicit activities like sharing pirated software, books, videos or music, which invites legal consequences in the form of copyright fines and settlements that can be even more cost prohibitive. Furthermore, the complexity of cloud service implementation helps intruders to hide and remain undercover for prolonged periods of time, and such unnoticed threats, risks and vulnerabilities pose more challenges for the legitimate service provider and user. To restrain the nefarious use and abuse of cloud services and mitigate the risks posed by cloud service usage, one must procure security technology for actively monitoring cloud infrastructure usage, and devise proper security guidelines which define what is legitimate and appropriate behavior, what constitutes abuse, and the methods of detecting such behavior.
