
Security Issues

Ensuring information security of cloud storages

Bespalova Natalya Viktorovna

ORCID: 0000-0003-3733-3119

PhD in Physics and Mathematics

Associate Professor, Department of Data Analysis and Machine Learning, Financial University under the Government of the Russian Federation

49/2 Leningradsky Ave., Moscow, 125167, Russia

NVBespalova@fa.ru
Nechaev Sergei Vasilevich

ORCID: 0009-0009-8987-8648

Student, Department of Information Security, Federal State Autonomous Educational Institution of Higher Education "National Research University ITMO"

197101, Russia, Saint Petersburg, Kronverksky Ave., 49/A

sergey.nechaev2018@yandex.ru

DOI:

10.25136/2409-7543.2023.2.40770

EDN:

INXNVX

Received:

17-05-2023


Published:

07-06-2023


Abstract: The subject of the study is cloud storage. The object of the study is the information security of cloud systems. In the course of the work, the regulatory framework that governs work with cloud technologies at the legislative level was determined. Russian and foreign statistical data on the use of cloud technologies by corporate clients and individuals were analyzed, and the main security problems specific to cloud solutions were identified: data storage, the use of modular infrastructure in the cloud, the vulnerability of virtual machines to malware infection, connection instability, the differentiation of access rights, and unbalanced actions of the client and the cloud service provider. The concept of building multi-level security for cloud systems was formulated. This approach increases both the time and the complexity of an attacker's infiltration into the system, which raises the chances of timely recognition and prevention of various types of attacks. A solution for building a security system was proposed, which includes the following steps: choosing reliable encryption and authentication methods, using a firewall to filter traffic and prevent intrusions, securing data transmission over the Internet, and using an intrusion detection and prevention system.


Keywords:

information security, cloud systems, personal data, encryption, confidentiality, integrity, authentication, malware, operating system, firewall

This article is automatically translated. The original text of the article is available on the publisher's site.

The active development of modern technologies expands the range of solutions aimed at improving efficiency and convenience for users. Among the most popular of these solutions are cloud systems. Their advantages include:

· availability of information from any convenient device;

· working with large amounts of data;

· relatively low cost;

· a high level of computing power;

· a flexible payment system for services [1].

Modern cloud computing can provide a high level of protection for stored data; however, system vulnerabilities can lead to unauthorized access and to the loss of integrity and confidentiality of information. Ensuring the proper level of security is therefore one of the primary tasks when working with cloud services. According to the Stratview forecast (Cloud Security Market), the global cloud security market will grow from 46.36 to 100.96 billion dollars between 2022 and 2028, at an average annual growth rate of 13.85% (Figure 1) [2].

Figure 1. Forecast of the volume of the global cloud security market in the period from 2022 to 2028. 

Information security in the cloud should rest on the basic principles of information security: the confidentiality, integrity and availability of information and of the means of its processing.

Regulatory legal acts regulating the operation of cloud storage

We will highlight a number of regulatory legal acts that regulate work in the field of cloud technologies:

1. GOST R ISO/IEC 17826-2015 "Information technologies. Cloud Data Management Interface (CDMI)".

2. GOST R 56938-2016 "Information protection. Information protection when using virtualization technologies. General provisions". The standard defines the requirements for the protection of information processed using virtualization technologies.

3. GOST ISO/IEC 17788-2016 "Interstate standard. Information technology. Cloud computing. General provisions and terminology" (Information technology. Cloud computing. Overview and vocabulary).

4. Federal Law No. 149-FZ "On Information, Information Technologies and Information Protection".

5. Federal Law "On Personal Data" dated 27.07.2006 No. 152-FZ. In accordance with this law, the recording, systematization, accumulation, storage, updating, modification or extraction of personal data must be carried out on a server that is physically located on the territory of the Russian Federation. It should be borne in mind that the cloud provider is not granted access to the information systems hosted in the cloud; accordingly, the responsibility for ensuring the security of personal data rests with the operator.

6. Decree of the Government of the Russian Federation No. 1119, which regulates the development of a personal data protection system.

7. Order of the FSTEC of Russia dated 18.02.2013 No. 21 "On Approval of Requirements for the Protection of Information that does not constitute a State Secret contained in State information systems". The document defines the requirements for measures to ensure the security of personal data aimed at neutralizing current threats to the security of personal data. The composition and content of these measures are determined in accordance with the established level of personal data security.

8. Order of the FSTEC of Russia dated 11.02.2013 No. 17 "On Approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in Personal Data information systems". The document is aimed at forming requirements for the protection of information contained in state information systems.

Specifics of cloud storage security

According to the Cloud Security Report 2022, a comprehensive global study of the cybersecurity community:

· Most organizations continue to use a hybrid (39%, compared to 36% last year) or multi-cloud (33%) strategy to integrate multiple services for scalability or business continuity; 76% use two or more cloud providers.

· Organizations continue to move workloads to the cloud quickly. Today, 39% of respondents have more than half of their workloads in the cloud, and 58% plan to reach this level in the coming year.

· Cloud users confirm that the cloud provides flexible capacity and scalability (53%) and also contributes to increased availability and business continuity (45%) [3].

Security in the cloud remains a major concern for cybersecurity experts: about 95% of respondents are concerned about the state of their security in a public cloud environment. Cloud security differs from traditional approaches to information technology security because of its specifics. Consider the main aspects:

· Data stored in the cloud resides on public servers, which increases the risk of unauthorized access, while the responsibility for the security of the information lies with the consumer organization, not the service provider. At the same time, not every organization has the means to conduct a security audit or other means of monitoring the security of the system. An unbalanced security system can dramatically affect the quality of work with data in a cloud solution [4].

· The use of modular infrastructure in the cloud makes the system easier to adapt, but the operations performed on virtual machines (cloning, changes of scale, moving between servers) can violate the integrity of the security system. The solution to this problem is data encryption, which requires additional resources and affects system performance but significantly increases security. At the same time, an individual approach is required when determining system settings, which may change depending on how often the virtual machine is used and on the status of the information being stored and processed. Vulnerabilities of a system are beyond any control while it spreads and can therefore manifest after an arbitrarily long time. It is therefore very important to constantly monitor the protection status of the system, regardless of its location [5].

· The vulnerability of virtual machines to infection with malicious software can be addressed by intrusion detection and prevention systems. It is important to remember that the status of a virtual machine (active/inactive) does not affect the possibility of infection with viruses. One solution is to connect the virtual machine image storage to the network; when a virtual machine is inactive, additional protection measures are required [6].

· Network coverage is not stable and has no clear boundaries, and in some cases disappears completely. Virtual machines must therefore provide their own protection by moving the network perimeter onto the virtual machine itself, thereby separating parts of the system with different levels of trust in the cloud.

· Cloud systems interact with many other systems and services that need to be protected, both at the level of organizations and for individuals. Access rights must be managed at all levels. Vendors and users should monitor vulnerabilities caused by unsafe application installation and unsafe access to the system [7].

· Working exclusively over the Internet makes access control at the physical level impossible and, as a consequence, requires a policy of differentiating user access by role while ensuring the transparency of actions.

· The cloud service provider and the client do not always work in collaboration, sharing responsibility for ensuring a high level of cloud storage security [8].

The best solution for building a cloud system with a high level of security is the concept of multi-level security. This approach increases not only the time but also the complexity of an attacker's penetration into the system, which increases the chances of timely recognition and prevention of various types of attacks.

It should be borne in mind that information security becomes more complicated for a more distributed infrastructure, owing to the large number of hosts and services that widen the scope for attackers.

As a solution, the following set of actions can be proposed:

· Encryption. Choosing a reliable encryption method ensures that an attacker would need a large amount of computing and time resources to decrypt the data. Encryption and decryption are performed with a key, usually in a block cipher mode. The encryption algorithm is built in and depends on the choice of system (for example, LUKS, used in Linux kernel-based operating systems, uses an AES-like block cipher with a key size of 256 bits). Encryption settings are made individually for all parts of the system. The reliability of encryption depends not only on the settings and the choice of algorithm, but also on the key storage policy and on the impossibility of compromising the keys.

· Choosing a reliable authentication method. For example, OpenNebula, a hyper-converged cloud computing platform for creating and managing private, hybrid and public clouds and data centers, uses two-factor authentication and delimits and tracks the resources used by individual user groups.

· Using a firewall to filter traffic and prevent intrusions. It is convenient to use firewalls built into the operating system kernel (for example, Netfilter or ConfigServer Security Firewall for Linux). When writing rules, the more effective approach is "what is not allowed is prohibited".

· Securing data transmission over the Internet (necessary because the servers are located outside the company's corporate network).

· Using an intrusion detection and prevention system (for example, the Suricata IDS/IPS, which not only detects attacks and blocks suspicious connections, but also processes packets and changes routes based on their content).
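As an added illustration of the "what is not allowed is prohibited" rule and of moving the network perimeter onto the virtual machine itself (this is example code, not code from the article): a default-deny host firewall for a Linux cloud VM, expressed as a Netfilter ruleset in nftables syntax. The management network 10.0.0.0/24 and the SSH and HTTPS ports are assumptions to be adjusted for the real environment.

```shell
#!/bin/sh
# Default-deny host firewall for a cloud VM (nftables). Every packet that is
# not explicitly accepted in the input chain is dropped, so the allow-list
# below is the whole perimeter of this machine.
set -eu

# Assumed management network allowed to reach SSH; override via environment.
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"

# Print the ruleset. Kept in a function so it can be validated before use.
ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state invalid drop
    ct state established,related accept
    icmp type { echo-request, destination-unreachable, time-exceeded } accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    ip saddr $MGMT_NET tcp dport 22 ct state new accept
    tcp dport 443 ct state new accept
    limit rate 5/minute log prefix "nft-drop: "
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Number of accept rules in the ruleset: a short, auditable allow-list is the
# point of a default-deny policy, so this is worth checking in review.
allow_rule_count() {
  ruleset | grep -c ' accept$'
}

# Apply only after nft validates the syntax (-c is a dry run), so a typo
# never leaves the host with a half-loaded ruleset.
apply_ruleset() {
  ruleset | nft -c -f - && ruleset | nft -f -
}

if [ "${1:-}" = "apply" ]; then
  apply_ruleset
else
  ruleset
fi
```

Run without arguments to review the generated ruleset; run with `apply` (as root, with nftables installed) to load it.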

The specifics of working with cloud computing shape the security policy in the field of cloud services. The growth of security threats in cloud technologies requires an individual and integrated approach to solving this problem. The analysis of the specific threats to the information security of cloud systems leads to the conclusion that multi-level comprehensive protection is needed, including encryption, authentication, the use of firewalls, antivirus protection, etc. A competent security policy in the field of cloud solutions will increase the volume and prospects of their use.

References
1. Klementiev, I. P., & Ustinov, V. A. (2016). Введение в облачные вычисления [Introduction to Cloud Computing].
2. Toutov, A., Toutova, N., Vorozhtsov, A., & Andreev, I. (2022). Optimizing the Migration of Virtual Machines in Cloud Data Centers. International Journal of Embedded and Real-Time Communication Systems (IJERTCS), 13(1), 1-19.
3. Mironova, A. O., Goncharenko, Yu. Yu., Gogol, A. S., & Frolova, A. N. (2021). Применение методики оценки угроз безопасности информации [Application of the methodology for assessing threats to information security]. Энергетические установки и технологии, 7(4), 71.
4. Akbarova, M. R. (2022). Безопасность и защита данных в облачных технологиях [Security and data protection in cloud technologies]. Universum, 10-1(103), 17-19.
5. Nesterenko, V. R., & Maslova, M. A. (2021). Современные вызовы и угрозы информационной безопасности публичных облачных решений и способы работы с ними [Modern challenges and threats to information security of public cloud solutions and ways to work with them]. Scientific Result. Information Technology, 6(1), 48-54.
6. Alshamrani, A., Myneni, S., Chowdhary, A., & Huang, D. (2019). A survey on advanced persistent threats: Techniques, solutions, challenges, and research opportunities. IEEE Communications Surveys & Tutorials, 21(2), 1851-1877.
7. Canizo, M., Triguero, I., Conde, A., & Onieva, E. (2019). Multi-head CNN–RNN for multi-time series anomaly detection: An industrial case study. Neurocomputing, 363, 246-260.
8. Ahmed, M., Mahmood, A. N., & Hu, J. (2016). A survey of network anomaly detection techniques. Journal of Network and Computer Applications, 60, 19-31.

Peer Review


The subject of the peer-reviewed study is the extremely urgent problem of security of cloud storage systems in the modern information world. Taking into account the fact noted by many experts (for example, Basalt PDF, Positive Technologies, the FSB Information Security Center, etc.) of an annual growth of tens of percent (for example, in 2022 alone, the growth was 21%) of cyber attacks on the information infrastructure of Russia, the applied significance of the reviewed article should also be recognized as very high. Unfortunately, the author did not bother to reflect on the methodology used in any way. But from the context, it can be understood that in addition to traditional general scientific analytical methods, regulatory and institutional methods were used (when analyzing the regulatory framework governing the operation of cloud storage in Russia), statistical analysis of secondary sociological data (when identifying the specifics of cloud storage security in Russia), as well as some methods of analyzing information security risks. The correct application of these methods allowed the author to obtain results with some signs of scientific novelty. First of all, we are talking about the specifics of ensuring the security of cloud storage systems in Russia, identified and adapted for socio-humanitarian knowledge, with an emphasis on their regulatory and technological aspects. In this context, the concept of multi-level security developed by the author in relation to cloud storage seems quite useful. Finally, the specific recommendations formulated by the author on solving the problems of information security of cloud storage systems are of particular interest. Structurally, the work should also be considered well thought out: its logic is consistent and reflects the main aspects of the research. 
The following sections are highlighted in the text:

- an uncluttered introductory part, where a scientific problem is posed and its relevance is justified, but unfortunately there is no setting of goals and objectives, nor theoretical and methodological reflection;

- "Normative legal acts regulating the operation of cloud storage", which analyzes the legal basis for the functioning of cloud storage systems in Unfortunately, there is no comparison of the Russian regulatory framework with that in other countries;

- "Specifics of cloud storage security", which examines the features of ensuring the security of data storage in the "clouds", and also substantiates the need to apply the concept of multi-level security;

- an uncomplicated final part, which summarizes the results of the study and formulates specific recommendations for ensuring the security of data storage in cloud systems.

From the point of view of style, the reviewed article also does not cause serious complaints: the style of the text meets the basic criteria of scientific character, as well as literary and linguistic norms. Although there is a certain amount of stylistic (for example, the wording "Choosing a reliable encryption method guarantees a large amount of computing and time resources for an attacker in the decryption process", etc., is not very successful from the point of view of style) and grammatical (for example, the uncoordinated sentence "Information security in the cloud should be based on ensuring the basic principles of information security ..."; or the incorrect beginning of sentences with parentheses with numbers, for example: "(33%) for the integration of several services for scalability purposes..."; etc.) errors, in general it is written quite competently, in good Russian, with the correct use of scientific terminology.
The bibliography includes 8 titles, including sources in foreign languages, and adequately represents the state of research on the subject of the article. An appeal to opponents takes place when discussing the specifics of cloud data storage security. GENERAL CONCLUSION: the article proposed for review can be qualified as a scientific work that meets the basic requirements for works of this kind. Despite some flaws (which, as the reviewer hopes, will be eliminated by the author in his future works), the results of the study will be of interest to political scientists, sociologists, information security specialists, as well as students of the listed specialties. These results may also be interesting for representatives of Russian business. The presented material corresponds to the topic of the magazine "Security Issues". According to the results of the review, the article is recommended for publication.