2020 International Conference on Computational Science and Computational Intelligence (CSCI)

Cloud Incident Response: Challenges and Opportunities

Murat Ozer, Said Varlioglu, Bilal Gonen, Victor Adewopo, Nelly Elsayed
School of Information Technology, University of Cincinnati, Cincinnati, Ohio, USA

Selcuk Zengin
Security Engineer, San Jose, California, USA

(Author e-mail addresses are redacted in the source as [email protected].)

Abstract—Many organizations migrate their on-premise infrastructure to the cloud for its known advantages, such as low cost and flexibility. However, a dilemma appears: despite the increased usage of cloud computing among small and mid-size businesses, the reported number of cyber attacks does not decrease and in fact increases sharply. Recent studies explain the source of this dilemma as scarce familiarity with cloud computing. Scholars stress that cloud computing offers better malware and DDoS attack protection; however, limited knowledge of cloud computing infrastructure and the complex nature of cloud systems contribute to the high number of cyber attacks. In this context, this study attempts to add one more step to the traditional incident response plan to adapt it to cloud computing. In addition, the current study introduces certain solutions to gather dispersed data from complex cloud computing infrastructure, which past studies cited as the main challenge of effective cloud incident response.

Index Terms—Incident response, cloud security, cyber security, cloud computing, cyber-attack

I. INTRODUCTION

Today, cloud computing is highly popular among small and mid-size businesses due to its ability to provide reliable infrastructure [1] without investing in computer software and hardware (e.g., physical servers, power supplies, high-speed internet connection). The real benefit of having cloud computing services is the luxury of a worry-free infrastructure in terms of its management and maintenance [2]. Cloud computing, however, does not automatically solve our security concerns [3], because most of the threats related to the information security CIA triad (confidentiality, integrity, and availability) are still present and require careful eyes to respond to any security threat.

Given this context, the aim of this study is twofold. The first one is to modify the traditional incident response plan by adding a cloud configuration step. It is expected that this addition will promote familiarity with cloud systems, which in turn enhances the incident response capacity of organizations. The second goal of the study is to introduce the main challenges of cloud incident response and provide solutions using cloud technological opportunities.

1 Preprint. This paper was presented at the 7th Annual Conference on Computational Science & Computational Intelligence (CSCI'20); Publisher: IEEE; Dec 16-18, 2020; Las Vegas, Nevada, USA; https://www.american-cse.org/static/BOOKLET.pdf

978-1-7281-7624-6/20/$31.00 ©2020 IEEE DOI 10.1109/CSCI51800.2020.00015

II. CLOUD INFRASTRUCTURE

Though the term cloud computing was coined recently, the idea started with the beginning of internet use. Technological advancements in networking and storage devices gradually turned the internet into a medium for massive computing and storage as well. In this context, Amazon Web Services' (AWS) Elastic Compute Cloud (EC2) technology (2006) first appeared in the market to offer computing and storage services to organizations. Following Amazon, other big tech companies [4], such as Google Cloud (2008), (2009), Microsoft Azure (2010), DigitalOcean (2013), and IBM Cloud (2014), have also started to offer cloud computing and storage. In recent years, cloud systems have evolved rapidly and dominated the field over on-premise infrastructures.

Therefore, cloud computing changed how information services are accessed, stored, delivered, and managed. Startup companies especially find it more feasible to utilize cloud computing services rather than buying their own servers [5]. Depending on which part of the service is managed by customers and which part is managed by cloud providers, there are mainly three classes of cloud services: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Infrastructure is the physical hardware needed to run the software, operating systems, and supporting systems. In reality, the physical hardware corresponds to data centers with thousands of server rack cabinets. When a customer rents a Linux server, it is simply a virtual form of a server somewhere in those data centers. When the customer rents a virtual machine without any operating system, this service is called Infrastructure as a Service (IaaS). Some customers may develop an application and want to host it in the cloud. They need some infrastructure (e.g., virtual machine, virtual networking); however, they may not want to manage operating systems or database management systems. If we formulate this, IaaS plus a managed operating system forms PaaS. Software as a Service (SaaS) usually refers to applications used directly by the customers; examples are web-based email and online storage systems. SaaS is completely managed by the service providers.

III. THE SCOPE OF THE CYBER SECURITY PROBLEM

Recent statistics suggest that cyber attacks are increasingly a serious risk for organizations. Moreover, the World Economic Forum (2019) considered cyber attacks among the top five risks to global security [6]. Even though many businesses using cloud computing think that they are not on the radar of attackers, they may already be the victim of a data breach without knowing it yet. The Mandiant Security Effectiveness Report (2020) reports that 53% of successful cyber attacks were not detected, and 91% of all incidents did not generate any alert during the intrusion [7]. The report altogether suggests that this blindness is itself a bigger threat than the attacks. The report published by IBM in 2019 [8] supports this claim: the average time to identify a data breach is 206 days. The 2020 Identity Force [9] statistics suggest that data breaches are increasing year by year despite cloud computing and advanced cyber security tools. For instance, 2019 was not better than 2018, and 2020 is the worst year so far.

Interestingly, while cyber attackers target big tech companies such as Facebook, they also target small to mid-size agencies (e.g., Family Locator). The rationale is that attackers mostly target well-known big companies but also use bots to indiscriminately scan network-connected devices for any known vulnerability to attack. For this reason, no network-connected device, whether it belongs to a big tech company or a small company, has the luxury of ignoring the security threats it may face. Therefore, it is important to increase cloud computing awareness by sharing best practices against likely cyber attacks.

IV. TRADITIONAL INCIDENT RESPONSE

Traditional incident response relies on a six (6) step plan as seen in Fig. 1 [10].

Fig. 1. Traditional Steps of Incident Response

1) Preparation: This is the first crucial step in incident response and should have been established prior to the incident report. This phase involves defining organizational policies, risk assessment, critical asset identification, and building a Computer Security Incident Response Team (CSIRT) with expert knowledge of prevention and mitigation strategy during an attack.
2) Identification: This involves identifying anomalies and detecting unusual patterns of operation in the organization's network. Activities in this phase include monitoring of sensitive IT systems and infrastructures, analyzing events, prompt notification of the appropriate authorities, and adequate documentation. Standard documentation practice is to answer the Who, What, Where, Why, and How questions.
3) Containment: The goal of this phase is to limit the damage of the current security incident and prevent further damage. The activity list for this step includes system backup and long-term and short-term containment strategies.
4) Eradication: The eradication stage intends to reverse changes induced by attackers and fully restore the affected system to its full functions.
5) Recovery: The recovery phase ensures all systems are fully back in operation based on the CSIRT's recommendation and assessment.
6) Lessons Learned: The last step involves an appraisal of the incident, completing documentation, publishing incident reports, and identifying ways of preventing recurrence.

V. INCIDENT RESPONSE IN CLOUD

Contrary to the common belief that cloud systems are more secure, the high volume of attacks on cloud infrastructures shows that current methodologies are not adequate in addressing the sophistication of attacks and detecting malicious activities before system compromise [11]. Given this context, incident reporting and response capacity has been adversely impacted since the evolution of cloud computing. Part of the problem is the complicated incident response due process of cloud providers and the complex cloud infrastructure. Therefore, researchers in recent years have raised concerns about challenges associated with the outsourcing of data required for basic incident response. Scholars constantly note that cloud computing technology has evolved rapidly; however, the scarcity of cyber security personnel who understand the underlying cloud technology has led to poor
incident response plans, which then triggered a high number of cyber attacks [12].

This study shares the concerns of the above studies and proposes adding one more step to the traditional incident response plan to increase the familiarity of cyber security personnel with the underlying technology of cloud systems [13]. Inherently, the term incident response implies a reactive response to an identified risk or anomaly; however, our proposed step aims to bring a proactive element to the traditional incident response plan by blocking any vulnerabilities upfront related to cloud configuration.

Therefore, in addition to the traditional six steps, we added the cloud configuration step as seen in Fig. 2 in order to ensure the security CIA triad principles within the cloud computing system. This step resembles a surgical safety checklist prior to any operation, which is one of the most important preconditions of a successful operation. Hence, we will first cover the cloud configuration step and then continue with the other six steps.

Fig. 2. Incident Response Steps in Cloud

A. Step 1. Cloud Configuration

As previously stated, many small and mid-size organizations have been migrating their systems to cloud computing providers due to known advantages such as cost and almost fully managed servers. However, this migration is usually done with little knowledge, which then creates vulnerabilities for the entire system. Therefore, it is important to share the best practices of cloud security as a precondition of a successful cloud incident response system.

Network Segmentation: In simple terms, network segmentation is isolating servers/instances, applications, and whole systems from each other when necessary. In a physical network, we do this isolation through local area networks; in the cloud, we achieve the same purpose by having virtual private clouds (or subnets) for each instance or app that needs to be isolated. For instance, the application server/instance can communicate over port 80, which allows any traffic. However, another instance that holds sensitive data should be placed in a separate segment so that incoming network traffic cannot directly reach the network segment of the data instance. Before moving to the cloud, the main concern is related to data isolation due to the lack of physical separation (e.g., sharing the same host machine with other tenants' virtual machines). This is a serious concern that should be managed through correct network segmentation and encryption, which we cover below.

Identity and Access Management: The golden rule for access management is to enforce the principle of least privilege: for instance, closing all unnecessary ports and limiting access to only authorized source IPs. Remember that any open port exposes the system to the world, which increases the risk of cyber attacks. If possible, limit administrative ports (e.g., secure copy and secure shell) to specific IP addresses under a white-listing approach. Apply multifactor authentication for the cloud computing services and regularly monitor the access log.

Encryption: Encryption of data at rest and data in transit is very important to protect data from unauthorized people, including the cloud provider's staff (we cannot control who works for the cloud provider). For this purpose, first check whether the cloud provider offers customer-managed keys to encrypt data at rest. If yes, the entire virtual instance or server volume can be encrypted using this key to maintain the data-at-rest encryption policy. If this service is unavailable, encrypt the instance yourself following NIST guidelines [14]. Data-in-transit encryption is also critical; therefore, enable encrypted protocols such as Hypertext Transfer Protocol Secure (HTTPS) and SSH File Transfer Protocol (SFTP) and never allow unencrypted data transfer, to prevent man-in-the-middle attacks.

Availability: Availability includes many different components, but here we stress the importance of automated backups in case of ransomware attacks [15]. First of all, cloud users should keep a clean copy of the server/instance snapshot for the complete-system-restore option. In addition, daily and 12-hourly snapshots are important to restore the system to its current state in case of an emergency such as a disaster. The rule of thumb for keeping instance snapshots is that the backup should not be stored on the same machine or with the same cloud provider. Even though the chance is very small that the current cloud provider will go completely offline (while writing this paper, AWS and its customers experienced a major outage), it is better to have attached cloud object storage that makes it possible to store practically limitless amounts of data in its native format. This attached object storage, such as an AWS S3 bucket (Simple Storage Service), could be with a different provider such as Wasabi or DigitalOcean to increase availability and flexibility in disaster recovery. Also, keeping one clean copy of the snapshot in an encrypted environment is critical.

Patching and Maintenance: Timely patching is very important to close known vulnerabilities. For this reason, we urge cloud users to use Linux machines, which can apply most patches without restarting the entire system.

Configuring ports against DDoS attacks: Distributed Denial-of-Service (DDoS) attacks undermine the availability
of the system. There are different types of DDoS attack sources. The first one is basic excessive ping requests that overload the instance's capacity to respond to them. Many cloud providers block inbound ICMP echo (ping) requests by default, but it is better to check that such filtering is actually in place. The second attack can be done through open ports that allow any traffic, like the HTTP port. To prevent excessive requests to those ports, rate-limiting applications work well by blocking access from abusive IP addresses after a certain number of requests. The third DDoS attack can be done through the domain name service provider, which again affects the availability of the system. In this case, the domain name server will not be able to resolve the IP address because of excessive requests. For this reason, it is beneficial to have a DDoS-protection service in front of the name servers that the cloud IP addresses are linked to. As a side note, always enable multifactor authentication on the domain registrar's access dashboard, because if attackers gain access to the domain, they can easily harm the organization's reputation. For instance, GoDaddy (a domain name provider) had a data breach in May 2020, with 19 million users affected and possibly 24,000 credentials exposed [16].

Cloud configuration is not limited to the above best practices. Organizations that plan to migrate their resources to the cloud should read and digest the NIST (National Institute of Standards and Technology) special publication on cloud computing before taking action [17]. In addition to the NIST publication, Center for Internet Security (CIS) benchmarks are useful for hardening resources. For instance, in an AWS cloud infrastructure, it is critical to harden instances (either Linux or Windows), databases (e.g., SQL Server, MySQL), web servers, Identity and Access Management (IAM), and any cloud services offered by the vendor (e.g., AWS Config, CloudTrail, CloudWatch, Simple Notification Service, Simple Storage Service, and AWS Virtual Private Network) [18].

B. Step 2. Preparation

The preparation step is as important as cloud configuration because it involves organizational memory, documentation, and a responsibility plan. The first phase of this step is to prepare a diagram that summarizes the cloud configuration: network segments, firewall settings, and data-at-rest and in-transit encryption methods. This phase serves as the organizational memory because new or experienced analysts can evaluate the health of the overall system just by looking at this diagram. The second phase encompasses documentation, which records the system's preparation against the NIST security recommendations and the risk assessment for each type of intrusion. The last phase is an incident response plan stating who will do what before, during, and after the identification of a cyber attack. Many organizations ignore this step because it requires a lot of documentation and planning; however, this neglect spills over into the next steps because organizations do not know what should be done after identifying an attack. Indeed, this neglect creates such blindness that more than 50% of organizations cannot identify intrusions by themselves [7].

C. Step 3. Identification

There is a myth that cloud providers are responsible for all aspects of data security. While the cloud offers better malware and DDoS protections, cloud systems are not fundamentally different from on-premise infrastructure. Therefore, cyber security personnel should always consider monitoring the entire system even when the best-known cloud protections are in place. Monitoring roughly involves watching all traffic and the triple-A (Authentication, Authorization, and Accounting) processes. A healthy cloud system should be able to monitor all incoming traffic in order to identify abusive access attempts (including bots). Regular monitoring of incoming traffic gradually builds a pattern of normal IP addresses (a white-list) and abnormal access attempts (a blacklist of suspicious IP addresses). This identification also enables cloud users to apply heuristic-based intrusion detection systems that may offer resilience against zero-day attacks.

There are many ways of achieving this step in cloud computing. First, cloud users can activate the log monitoring and intrusion detection tools provided by their cloud vendor (e.g., AWS GuardDuty, Azure Sentinel). In addition, all major cloud providers allow their users to create automatic notifications for any alert condition the user defines. The second way is to use a dedicated third-party monitoring tool such as ExtraHop, IBM QRadar, LogRhythm, SumoLogic, and so on. Having said that, please note that 91% of the data breaches, as previously stated, did not generate any alert during the intrusion [7]. For this reason, our experience suggests that cloud users should collect the incoming network data themselves and regularly analyze it to find anomalies. Most of the time, transferring the risk to third-party companies or the cloud provider will not solve the intrusion or data-breach problems. The golden rule is to have an experienced monitoring team (a SOC, Security Operation Center) that regularly monitors all network data and takes the necessary precautions on time. The open-source community provides many free, cost-effective tools that minimize the threat of intrusion.

The second phase of monitoring is related to triple A. Social engineering is the most dangerous way of gaining access to any system. Therefore, once a user is authenticated, the system should monitor their activities and keep logs of every action. At this step, it is very beneficial to have a heuristic-based detection system in case the authenticated person is not an authorized person (i.e., an attacker). This involves the accounting step as well. Regularly collecting data on every action of every authenticated user helps to identify abnormal behavior of compromised accounts by comparing current patterns with past patterns using a heuristic-based approach (e.g., machine learning and AI algorithms). The final stage of the identification step is to conduct periodic vulnerability and penetration tests to understand whether the system has any known vulnerabilities against known threats. Ideally, this procedure should be done by a third-party company that has expertise in vulnerability and penetration testing. Regular vulnerability checks will help organizations to detect and eradicate the sources of likely cyber attacks.
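The identification step above asks cloud users to collect traffic and authentication records themselves, build a white-list of normal source addresses and a blacklist of abusive ones, and watch authenticated users' behaviour against their past pattern (the accounting leg of triple A). The following Python is an added example, not code from the paper or its authors: it runs exactly those checks over a constructed set of JSON log records of the kind that a load balancer, an application server and a database server would ship to a shared bucket. The thresholds, the allowed database source, the user baseline and the record layout are all assumptions chosen for the demonstration; the detection logic is a sliding-window count per source address, which is what a rate limiter or a fail2ban-style rule does.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Thresholds and baselines are assumptions for this example; tune them to the
# traffic baseline that regular monitoring builds up over time.
WINDOW_SECONDS = 60        # sliding window for per-source counting
RATE_LIMIT = 5             # HTTP requests per source per window before flagging
FAILED_LOGIN_LIMIT = 3     # failed logins per source per window before flagging
DB_ALLOWED_SOURCES = {"10.0.1.10"}   # only the application instance may reach the database
USER_BASELINE = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.8"}}  # accounting history: user -> usual source IPs


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze(ndjson_lines):
    """Scan chronologically ordered NDJSON records and return a list of findings."""
    findings, seen = [], set()
    requests = defaultdict(deque)    # src_ip -> timestamps of recent HTTP requests
    failures = defaultdict(deque)    # src_ip -> timestamps of recent failed logins

    def flag(kind, subject, rec):
        if (kind, subject) not in seen:            # one finding per subject, not one per packet
            seen.add((kind, subject))
            findings.append({"kind": kind, "subject": subject,
                             "first_seen": rec["ts"], "role": rec["role"]})

    def count_in_window(window, key, ts):
        q = window[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:   # drop events older than the window
            q.popleft()
        return len(q)

    for line in ndjson_lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        ts, ip = parse_ts(rec["ts"]), rec.get("src_ip")
        if rec["event"] == "http_request":
            if count_in_window(requests, ip, ts) > RATE_LIMIT:
                flag("rate_limit", ip, rec)
        elif rec["event"] == "login":
            if rec["outcome"] == "failure":
                if count_in_window(failures, ip, ts) >= FAILED_LOGIN_LIMIT:
                    flag("auth_bruteforce", ip, rec)
            elif rec["user"] in USER_BASELINE and ip not in USER_BASELINE[rec["user"]]:
                flag("new_source_for_user", f"{rec['user']}@{ip}", rec)   # accounting: unusual source
        elif rec["event"] == "db_connect" and ip not in DB_ALLOWED_SOURCES:
            flag("db_unexpected_source", ip, rec)                           # segmentation violated
    return findings


def blocklist(findings):
    """Source addresses to add to the firewall deny list / security group."""
    return sorted({f["subject"] for f in findings
                   if f["kind"] in ("rate_limit", "auth_bruteforce", "db_unexpected_source")})


def _rec(sec, role, src_ip, event, **extra):
    return {"ts": f"2020-12-01T10:00:{sec:02d}Z", "role": role, "src_ip": src_ip, "event": event, **extra}


# Constructed sample (not real data): what the three instances might have shipped in one minute.
SAMPLE_RECORDS = [
    _rec(0, "lb", "198.51.100.7", "http_request", path="/", status=200),
    _rec(1, "app", "198.51.100.7", "login", user="alice", outcome="success"),
    _rec(2, "db", "10.0.1.10", "db_connect", user="app_svc"),
    # six requests in six seconds from one address: exceeds RATE_LIMIT
    *[_rec(10 + i, "lb", "203.0.113.5", "http_request", path="/wp-login.php", status=404) for i in range(6)],
    # three failed logins for bob, then a success, all from an address bob never used before
    *[_rec(20 + i, "app", "203.0.113.9", "login", user="bob", outcome="failure") for i in range(3)],
    _rec(23, "app", "203.0.113.9", "login", user="bob", outcome="success"),
    # a database connection from outside the application subnet
    _rec(30, "db", "10.0.2.15", "db_connect", user="app_svc"),
]
SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def run_sample():
    return analyze(SAMPLE_NDJSON.splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['first_seen']} [{f['role']}] {f['kind']}: {f['subject']}")
    print("block:", blocklist(run_sample()))
```

Two design points matter in practice. Findings are keyed by (kind, subject) so that a flood of ten thousand requests produces one alert rather than ten thousand, which is what keeps a small SOC from drowning in notifications. And the database rule is deliberately an allow-list rather than a deny-list: anything not coming from the application instance is a segmentation failure, regardless of whether the address has been seen attacking before.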

D. Steps 4-5-6. Containment, Eradication, and Recovery

In case of an intrusion, the first phase is to limit the damage of the current security incident and prevent further damage by eliminating unauthorized access. Security personnel should evaluate the scope of the damage and prepare a report for risk management. If the intrusion involves malware (e.g., a Trojan), it is better to restore the entire system from the clean snapshot of the instance. This procedure takes under 10 minutes in cloud computing thanks to virtual machines. Before restoring, take a snapshot of the compromised instance and keep it, so that the evidence remains available for later forensic analysis.

Healthy damage control at this step is highly dependent on the previous steps. For instance, if there is no active identification system/step in the process, the scope of the damage will not be truly evaluated, which may then hinder the eradication of the problem. For this reason, cyber security starts with monitoring, is achieved by encryption, and again relies on monitoring and more monitoring.

E. Step 7. Lessons Learned

The last step involves an appraisal of the incident and strengthens the incident response plan by revising all incident response steps to prevent the recurrence of such attacks. The lessons-learned step inherently suggests that no matter how well a system is protected, no system is safe. Therefore, it requires constant evaluation to stay current against the dynamics of security threats.

VI. CLOUD INCIDENT RESPONSE CHALLENGES AND OPPORTUNITIES

While cloud computing offers many flexibilities to organizations/users, it also brings certain challenges that may adversely affect incident response plans. For instance, Rong et al. [19] discuss important security challenges and propose possible areas of further research in improving cloud security, including trusted data sharing, accountability, and Service Level Agreement issues. Similarly, Nurul et al. [10] posit that challenges in implementing incident handling are attributable to cloud service users' perspectives and limitations on system access. Their work focuses on modeling a system useful for cloud service providers and, most importantly, cloud service users in developing an efficient strategy for incident handling, which allows users to undertake incident investigations and analyze residual data from the use of cloud services. As these authors emphasized certain cyber security difficulties for cloud computing, we have also experienced similar difficulties when we switched from on-premise infrastructure to the cloud. Therefore, we share a couple of solutions for the concerns raised by the cited authors.

Accessing the Virtual Machine: The first step is to access the virtual machine or instance that was launched on the cloud. Linux servers/instances are more convenient for implementing automated procedures that promote cloud incident response capacity. For example, after launching a Linux instance, users should enable the secure shell protocol and familiarize themselves with the Linux file system, such as the location/path of log files.

Collecting Log and User Activity Files in One Spot: In cloud incident response, this is the most confusing part for organizations and cyber security personnel. After moving to the cloud, even a small business will have at least three instances for:
• Load Balancer
• Application
• Database
This is the basic system we launch on the cloud. However, collecting log files from at least three different instances and merging them in one spot is challenging for those who are new to the cloud. Indeed, this is the step at which many organizations lose track of monitoring their own systems on the cloud. This challenging task can be achieved using cloud object storage such as AWS S3, Wasabi, DigitalOcean, or Google object storage.

Enabling Cloud Object Storage for a Successful Cloud Incident Response: Cloud object storage was first introduced by Amazon under the Simple Storage Service (S3) technology. It stores data as objects rather than in traditional file systems based on a file hierarchy. An ID (key) and a data block are assigned to each object in the S3 bucket, and whenever users want to access the data, they call it through the assigned key (object-based storage). This simple storage service is well suited for backups, data replication, and creating data lakes for any project. It also provides secure and durable storage with low latency. Another benefit of S3 buckets is that they are very economical compared to traditional storage systems. Up to this point, we have introduced S3 buckets; however, the real benefit of S3 buckets is their flexibility when collecting log files from more than one instance in the cloud. Unlike traditional virtual or physical hard drives, one S3 bucket can be attached to more than one instance (in practice through the provider's API or CLI, or through a FUSE adapter such as s3fs that presents the bucket as a directory). This feature is very important. It means that a user can create one S3 bucket and attach it to the load balancer, application, and database servers. Once this is done, we have one storage device hooked to different instances as seen in Fig. 3. Because this bucket becomes the evidence store, the instance roles should be allowed only to write new objects into it (no delete or overwrite permission), and object versioning should be enabled, so that an attacker who compromises an instance cannot erase the logs that record the intrusion.

Fig. 3. An S3 Bucket Mounted on More Than One Instance

Automating Incident Response Data Collection Procedure: Now the system is ready to push data from the different instances to the same cloud object storage. For this purpose, we can use a simple task scheduler (for example, crontab in a Linux OS) to periodically push the data to the cloud object storage. We prefer pushing every five minutes, but this is totally dependent on individual preferences. In addition, users can push the log files in a specific format (e.g., JSON) to parse them easily during the analysis step.

Analyzing the Collected Data: After collecting the log files/data in one cloud object storage, it is easy to analyze the data and extract the usual and unusual patterns to understand whether the system overall shows any intrusion or intrusion attempt. If any abnormality is identified, then the necessary precautions, like blocking the access and hardening the system (if there is any weakness), can be implemented to prevent further similar occurrences. At this step, a developer either uses a self-developed algorithm or employs a publicly available algorithm shared by the open source community.

Monitoring Data Using Visual Analytics: The last step is to reflect all collected data on a dashboard to monitor the overall system. At this step, users can set certain alerts, and if the conditions of those alerts are met, the dashboard generates a notification. Indeed, the system will generate notifications whenever the data is refreshed through an instance's task scheduler and analyzed for threats. However, it is better to inspect the dashboard from time to time to visually detect unusual activities that the machine learning algorithm fails to identify at that moment.

Miscellaneous Thoughts: Enabling cloud object storage and collecting all user activity and log files in one spot are not limited to cloud incident response. For instance, cloud systems are known for their weak ability to provide solid evidence for digital forensic investigations. This inability can be overcome by using cloud object storage and collecting all log files as well as snapshots of the required images for digital forensic investigations.

In summary, cloud computing comes with certain challenges for incident response; however, IT professionals can solve these problems using hardened instances such as Linux servers, familiarizing themselves with the file system of the cloud instances, enabling cloud object storage to collect data in one spot from any number of instances, and analyzing them with their preferred analysis tools.

VII. DISCUSSION AND CONCLUSION

Cyber security risks are increasingly threatening organizations, and contrary to a myth, migrating services to a cloud provider does not automatically solve these security threats. Past studies highlighted that the complex nature of cloud computing systems, coupled with the scarcity of cyber security personnel well trained on cloud systems, triggered a high volume of successful cyber attacks on the cloud. As a solution to this current problem, we first proposed adding one more step, cloud configuration, to the traditional incident response plan. With this addition, our goal is to increase familiarity with the underlying technology of cloud computing and to share current best practices to harden cloud computing resources.

Second, scholars stressed certain challenges (e.g., difficulty accessing instances, the complex nature of the cloud, less familiarity with cloud resources) regarding cloud computing, which pose threats to effective incident response. Regarding these concerns, the current study introduces practical solutions using cloud technology tools and resources, such as employing cloud object storage, to overcome the already identified challenges. This study would close/narrow the current gap between cloud computing's complex nature and an effective incident response plan.

REFERENCES

[1] P. Gupta, A. Seetharaman, and J. R. Raj, "The usage and adoption of cloud computing by small and medium businesses," International Journal of Information Management, vol. 33, no. 5, pp. 861–874, 2013.
[2] A. Hutchings, R. G. Smith, L. James et al., "Cloud computing for small business: Criminal and security threats and prevention measures," Trends and Issues in Crime and Criminal Justice, no. 456, p. 1, 2013.
[3] L. M. Kaufman, "Data security in the world of cloud computing," IEEE Security & Privacy, vol. 7, no. 4, pp. 61–64, 2009.
[4] B. Varghese and R. Buyya, "Next generation cloud computing: New trends and research directions," Future Generation Computer Systems, vol. 79, pp. 849–861, 2018.
[5] A. K. Talukder, L. Zimmerman et al., "Cloud economics: Principles, costs, and benefits," in Cloud Computing. Springer, 2010, pp. 343–360.
[6] World Economic Forum, "The global risks report 2019," Geneva, Switzerland, 2019.
[7] Mandiant/FireEye, "Deep dive into cyber reality: Security effectiveness report 2020," 2020. [Online]. Available: https://tinyurl.com/yyjced4p
[8] Ponemon Institute and IBM Security, "Cost of a data breach report," 2019. [Online]. Available: https://tinyurl.com/yykayms6
[9] E. Bekker, "2020 data breaches: The worst so far," IdentityForce, 2020. [Online]. Available: https://www.identityforce.com/blog/2020-data-breaches
[10] "A survey of information security incident handling in the cloud," pp. 45–69, 2015.
[11] F. Mattern and C. Floerkemeier, From the Internet of Computers to the Internet of Things, ser. From Active Data Management to Event-Based Systems and More. Springer, 2010, pp. 242–259.
[12] H. Tianfield, "Security issues in cloud computing," in 2012 IEEE International Conference on Systems, Man, and Cybernetics (SMC). IEEE, 2012, pp. 1082–1089.
[13] M. Almorsy, J. Grundy, and I. Müller, "An analysis of the cloud computing security problem," arXiv preprint arXiv:1609.01107, 2016.
[14] NIST, "Security requirements for cryptographic modules," FIPS PUB 140-2. [Online]. Available: nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
[15] M. Ozer, S. Varlioglu, B. Gonen, and M. Bastug, "A prevention and a traction system for ransomware attacks," in 2019 International Conference on Computational Science and Computational Intelligence (CSCI). IEEE, 2019.
[16] D. Winder, "GoDaddy confirms data breach: What customers need to know," May 2020. [Online]. Available: https://tinyurl.com/yxd7bxxp
[17] L. Badger, T. Grance, R. Patt-Corner, and J. Voas, "Cloud computing synopsis and recommendations," NIST Special Publication 800-146, pp. 1–81, 2012.
[18] Center for Internet Security, "CIS benchmarks version 1.3.0." [Online]. Available: https://tinyurl.com/sopkgtw
[19] C. Rong, S. T. Nguyen, and M. G. Jaatun, "Beyond lightning: A survey on security challenges in cloud computing," Computers and Electrical Engineering, vol. 39, no. 1, pp. 47–54, Jan. 2013.
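Section VI describes the collection procedure only in outline: a scheduled job on each instance pushes its log files, preferably as JSON, to one shared object store every five minutes. The Python below is an added example and not the authors' code; it implements that job in a form that survives the two things that break naive versions, namely re-shipping the whole file on every run and losing the place after log rotation. It keeps a byte offset per log file, ships only complete new lines, tags each line with the instance role and host so the analysis step can tell the sources apart, and writes under a key that sorts by date. The `LocalSink` stands in for the bucket so the demo runs offline; `S3Sink` is the real target and assumes boto3 is installed and credentials come from the instance role. Log paths, role names and the sample `auth.log` lines are constructed for the demonstration.

```python
import json
import os
import socket
import time
import uuid
from datetime import datetime, timezone
from pathlib import Path


class LocalSink:
    """Stand-in for the bucket: writes objects under a local directory (offline runs, tests)."""
    def __init__(self, root):
        self.root = Path(root)

    def put_object(self, key, body):
        path = self.root / key
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
        return str(path)


class S3Sink:
    """Real bucket via boto3 (assumed installed on the instance; not exercised by demo()).
    The instance role should carry s3:PutObject on this bucket only, never s3:DeleteObject."""
    def __init__(self, bucket):
        import boto3
        self.bucket = bucket
        self.client = boto3.client("s3")

    def put_object(self, key, body):
        self.client.put_object(Bucket=self.bucket, Key=key, Body=body)
        return f"s3://{self.bucket}/{key}"


def read_new_lines(log_path, state_path):
    """Return complete lines appended since the last run; the byte offset lives in state_path.
    If the file is now smaller than the saved offset it was rotated, so start again at byte 0."""
    offset = int(Path(state_path).read_text() or 0) if os.path.exists(state_path) else 0
    if os.path.getsize(log_path) < offset:
        offset = 0
    with open(log_path, "rb") as f:
        f.seek(offset)
        data = f.read()
    end = data.rfind(b"\n") + 1            # a partial trailing line waits for the next run
    Path(state_path).write_text(str(offset + end))
    return data[:end].decode("utf-8", "replace").splitlines()


def to_ndjson(lines, role, host, source):
    """One JSON object per line, tagged so the analysis step knows which instance produced it."""
    collected = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return "".join(json.dumps({"collected": collected, "role": role, "host": host,
                               "source": source, "line": ln}) + "\n" for ln in lines)


def ship(log_path, state_path, sink, role, host=None):
    """Push the new lines of one log file to the sink. Returns (object_key, line_count) or None."""
    host = host or socket.gethostname()
    lines = read_new_lines(log_path, state_path)
    if not lines:
        return None
    now = datetime.now(timezone.utc)
    key = f"logs/{role}/{host}/{now:%Y/%m/%d}/{int(time.time())}-{uuid.uuid4().hex[:8]}.json"
    sink.put_object(key, to_ndjson(lines, role, host, log_path).encode("utf-8"))
    return key, len(lines)


def demo():
    """Offline walkthrough on a constructed auth.log (not real data): run the shipper three
    times, once with nothing new in between, and summarize what landed in the 'bucket'."""
    import tempfile
    work = Path(tempfile.mkdtemp())
    log, state, sink = work / "auth.log", work / "auth.log.offset", LocalSink(work / "bucket")
    log.write_text("Dec  1 10:00:00 app-1 sshd[412]: Failed password for root from 203.0.113.9 port 51022\n"
                   "Dec  1 10:00:01 app-1 sshd[413]: Accepted publickey for deploy from 198.51.100.7 port 40110\n")
    first = ship(str(log), str(state), sink, role="app", host="app-1")
    second = ship(str(log), str(state), sink, role="app", host="app-1")   # nothing new -> None
    with log.open("a") as f:
        f.write("Dec  1 10:05:00 app-1 sshd[420]: Failed password for root from 203.0.113.9 port 51100\n")
    third = ship(str(log), str(state), sink, role="app", host="app-1")
    objects = list((work / "bucket").rglob("*.json"))
    records = [json.loads(ln) for p in objects for ln in p.read_text().splitlines()]
    return {"first": first[1], "second": second, "third": third[1],
            "objects": len(objects), "records": len(records),
            "hosts": {r["host"] for r in records}}


if __name__ == "__main__":
    print(demo())
```

On each instance the script is scheduled from cron at the five-minute interval the paper prefers (for example `*/5 * * * * /usr/bin/python3 /opt/ir/ship_logs.py`, a hypothetical path), called once per log file with `S3Sink("<bucket>")` in place of `LocalSink`. Pair it with a bucket that has versioning enabled and an instance role limited to `s3:PutObject`, so that a compromised instance can still add records but cannot delete or rewrite the evidence already collected; the state file also stays outside the shipped log directory so that an attacker truncating the log does not silently suppress the next push.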
