22-10-2016, 09:23 AM
INTRODUCTION
Cloud computing services such as Amazon EC2 and Windows Azure are becoming more and more popular but it seems many people are still unclear as to what exactly the buzzword “Cloud computing” actually means. In its simplest form, the principle of Cloud computing is the provision of computing resources via a network.
Cloud computing shifts the responsibility of configuring, deploying and maintaining computing infrastructure from clients to Cloud providers. Providers generally expose an interface for clients to interact with their resources as if they were their own standalone resource; however often a number of resources may be aggregated on the same computer or cluster of computers. The user does not necessarily know the details of the location, equipment or configuration of their resources, rather they are provided with a “virtualised” computer resource hosted in “the Cloud”.
Cloud services take care of a lot of the mundane tasks associated with hosting a service (for example, maintenance and backup tasks) and leave developers and IT administrators to concentrate on the specific details of the application they wish to provide.
Essentially, "private cloud" is a marketing term for an architecture that provides hosted services to a particular group of people behind a firewall. A hybrid cloud is an environment in which a company provides and controls some resources internally and offers others for public use. The combination of private and public clouds is also called a hybrid cloud. In this type, the cloud provider offers a service with a private cloud part, which is accessible only by certified staff and protected by firewalls from outside access, and a public cloud environment, which external users can access. There are three major types of service in the cloud environment: SaaS, PaaS, and IaaS [1]. As with every proposed technology, the cloud has some associated issues, and one of them is the RAS (reliability, availability, serviceability) factor. To deliver good, high performance, a cloud provider must provide several management features to ensure the RAS parameters of its service improve, such as:
• Availability management
• Access control management
• Vulnerability and problem management
• Patch and configuration management
• Countermeasures
• Cloud system usage and access monitoring
OBJECTIVES
Cloud providers place strict restrictions on what is allowed to be reviewed from a security perspective. Restrictions were applied to the security assessment due to the various legal agreements imposed by different providers. In some cases Context was restricted to the extent where we were obliged to follow the Cloud provider's own penetration testing guidelines.
In most cases, Context was limited to testing the security of the host operating systems relating to our nodes. Any tests deemed to be potentially destructive or intrusive were not permitted. Actively attacking the hypervisor or the underlying infrastructure was prohibited by most providers. Restricted or disallowed cases are clearly marked in the findings contained in this whitepaper. In these cases more security issues may exist.
It is worth noting that a normal client can request a penetration test and normally has restrictions similar to those mentioned above placed upon them. It has been known however that Cloud providers have lifted these restrictions for client organisations with greater purchasing power.
Specific vulnerabilities discovered during this research have been fed back to the providers for them to rectify. Due to the sensitivity of these issues the specific providers have not been named within this whitepaper. Context is committed to responsible disclosure and will release details when the Cloud providers have fixed the specific issues.
Attack Vectors
The new threat landscape created by Cloud computing adds a number of potential attack vectors; this is due to the shared nature of the technical resources such as memory and disk space.
The following attack vectors were assessed within this whitepaper.
• Public (Internet)
• Internal (Malicious Node-to-Trusted Node)
• Hypervisor subversion
• Shared physical resource (Memory and Hard disk)
• The Cloud Provider (Hosting Company Breach)
The following diagram provides a graphical representation of the attack vectors. The red lines show the threats to a node within the Cloud.
It is also worth noting that by using a 3rd party to provide Cloud services, there is an implied trust of that 3rd party and their security practices. It is entirely possible that providers could utilise improperly configured or flawed software, improper security controls or even have legitimate backdoor access for maintenance reasons. There is the potential therefore, that a malicious employee, another node client or outside attacker could compromise a node's security due to 3rd party failings.
VARIOUS POINTS OF CLOUD SECURITY
In order to secure the cloud against various security threats, different cloud service providers adopt different techniques. The best way to improve security is to develop a secured framework with a robust security architecture, so that users' data, messages and information are protected against various attacks. The secured framework must use strong authentication and strong access control mechanisms, so that it provides more security for customer data currently held within cloud computing services. The secured framework must also use a strong encryption algorithm to protect sensitive data before it enters the cloud. Several encryption techniques are available in cryptography; among them, the homomorphic encryption algorithm is described here because it is used to protect data in a cloud environment. Homomorphic encryption is one of the most used encryption techniques: it allows specific computations to be carried out on ciphertext and yields an encrypted result which, when decrypted, matches the result of the same operations performed on the plaintext. In other words, homomorphic encryption is a security concept that makes it possible to return the result of a calculation over encrypted data without knowing the data on which the calculation was carried out, thereby preserving data confidentiality. The secured framework can implement a homomorphic encryption technique in order to provide data confidentiality in the cloud environment.
CONCLUSIONS
According to me, I found that the security concerns related to this emerging technology are real. Although Cloud computing can offer significant benefits, this new set of technologies presents challenges to those wishing to secure it. Cloud computing is a relatively immature technology and experience in securing it is limited given the short time it has existed. Context found serious security flaws, which allowed in some cases full compromise of half of the Cloud providers' clients' nodes. In total, around half of the tests conducted identified security issues and a quarter of the tests could not be conducted due to contractual restrictions placed upon us by the providers. As a result, further vulnerabilities could exist that could not be tested for. It should also be noted that certain issues can never truly be tested: as the node can be moved around the Cloud by the provider, the surrounding infrastructure, and the security posture of that infrastructure, can change.