31-01-2013, 09:42 AM
Cloud Computing Security Issues and Challenges
1Cloud Computing Security.pdf (Size: 269.4 KB / Downloads: 72)
Abstract
Cloud computing is a set of IT services that are provided to a customer over a network on a
leased basis and with the ability to scale up or down their service requirements. Usually cloud
computing services are delivered by a third party provider who owns the infrastructure. It
advantages to mention but a few include scalability, resilience, flexibility, efficiency and
outsourcing non-core activities. Cloud computing offers an innovative business model for
organizations to adopt IT services without upfront investment. Despite the potential gains
achieved from the cloud computing, the organizations are slow in accepting it due to security
issues and challenges associated with it. Security is one of the major issues which hamper the
growth of cloud. The idea of handing over important data to another company is worrisome; such
that the consumers need to be vigilant in understanding the risks of data breaches in this new
environment. This paper introduces a detailed analysis of the cloud computing security issues
and challenges focusing on the cloud computing types and the service delivery types.
INTRODUCTION
For years the Internet has been represented on network diagrams by a cloud symbol until 2008
when a variety of new services started to emerge that permitted computing resources to be
accessed over the Internet termed cloud computing. Cloud computing encompasses activities
such as the use of social networking sites and other forms of interpersonal computing; however,
most of the time cloud computing is concerned with accessing online software applications, data
storage and processing power. Cloud computing is a way to increase the capacity or add
capabilities dynamically without investing in new infrastructure, training new personnel, or
licensing new software. It extends Information Technology’s (IT) existing capabilities. In the last
few years, cloud computing has grown from being a promising business concept to one of the fast
growing segments of the IT industry. But as more and more information on individuals and
companies are placed in the cloud, concerns are beginning to grow about just how safe an
environment it is. Despite of all the hype surrounding the cloud, customers are still reluctant to
deploy their business in the cloud. Security issues in cloud computing has played a major role in
slowing down its acceptance, in fact security ranked first as the greatest challenge issue of cloud
computing as depicted in figure 1.
RELATED WORKS
Gartner 2008 identified seven security issues that need to be addressed before enterprises
consider switching to the cloud computing model. They are as follows: (1) privileged user access
- information transmitted from the client through the Internet poses a certain degree of risk,
because of issues of data ownership; enterprises should spend time getting to know their
providers and their regulations as much as possible before assigning some trivial applications first
to test the water, (2) regulatory compliance - clients are accountable for the security of their
solution, as they can choose between providers that allow to be audited by 3rd party
organizations that check levels of security and providers that don't (3) data location - depending
on contracts, some clients might never know what country or what jurisdiction their data is located
(4) data segregation - encrypted information from multiple companies may be stored on the same
hard disk, so a mechanism to separate data should be deployed by the provider. (5) recovery -
every provider should have a disaster recovery protocol to protect user data (6) investigative
support - if a client suspects faulty activity from the provider, it may not have many legal ways
pursue an investigation (7) long-term viability - refers to the ability to retract a contract and all
data if the current provider is bought out by another firm.
SECURITY ISSUES IN CLOUD COMPUTING
Cloud Deployments Models
In the cloud deployment model, networking, platform, storage, and software infrastructure are
provided as services that scale up or down depending on the demand as depicted in figure 2. The
Cloud Computing model has three main deployment models which are:
Private cloud
Private cloud is a new term that some vendors have recently used to describe offerings that
emulate cloud computing on private networks. It is set up within an organization’s internal
enterprise datacenter. In the private cloud, scalable resources and virtual applications provided
by the cloud vendor are pooled together and available for cloud users to share and use. It differs
from the public cloud in that all the cloud resources and applications are managed by the
organization itself, similar to Intranet functionality. Utilization on the private cloud can be much
more secure than that of the public cloud because of its specified internal exposure. Only the
organization and designated stakeholders may have access to operate on a specific Private
cloud.[12]
Public cloud
Public cloud describes cloud computing in the traditional mainstream sense, whereby resources
are dynamically provisioned on a fine-grained, self-service basis over the Internet, via web
applications/web services, from an off-site third-party provider who shares resources and bills on
a fine-grained utility computing basis. It is typically based on a pay-per-use model, similar to a
prepaid electricity metering system which is flexible enough to cater for spikes in demand for
cloud optimization.[13] Public clouds are less secure than the other cloud models because it
places an additional burden of ensuring all applications and data accessed on the public cloud
are not subjected to malicious attacks.
Infrastructure as a Service (IaaS)
Infrastructure as a Service is a single tenant cloud layer where the Cloud computing vendor’s
dedicated resources are only shared with contracted clients at a pay-per-use fee. This greatly
minimizes the need for huge initial investment in computing hardware such as servers,
networking devices and processing power. They also allow varying degrees of financial and
functional flexibility not found in internal data centers or with collocation services, because
computing resources can be added or released much more quickly and cost-effectively than in an
internal data center or with a collocation service [2]. IaaS and other associated services have
enabled startups and other businesses focus on their core competencies without worrying much
about the provisioning and management of infrastructure. IaaS completely abstracted the
hardware beneath it and allowed users to consume infrastructure as a service without bothering
anything about the underlying complexities. The cloud has a compelling value proposition in
terms of cost, but ‘out of the box’ IaaS only provides basic security (perimeter firewall, load
balancing, etc.) and applications moving into the cloud will need higher levels of security provided
at the host.
Software as a Service
Software-as-a-Service is a software distribution model in which applications are hosted by a
vendor or service provider and made available to customers over a network, typically the Internet.
SaaS is becoming an increasingly prevalent delivery model as underlying technologies that
support web services and service-oriented architecture (SOA) mature and new developmental
approaches become popular. SaaS is also often associated with a pay-as-you-go subscription
licensing model. Meanwhile, broadband service has become increasingly available to support
user access from more areas around the world. SaaS is most often implemented to provide
business software functionality to enterprise customers at a low cost while allowing those
customers to obtain the same benefits of commercially licensed, internally operated software
without the associated complexity of installation, management, support, licensing, and high initial
cost. The architecture of SaaS-based applications is specifically designed to support many
concurrent users (multitenancy) at once. Software as a service applications are accessed using
web browsers over the Internet therefore web browser security is vitally important. Information
security officers will need to consider various methods of securing SaaS applications. Web
Services (WS) security, Extendable Markup Language (XML) encryption, Secure Socket Layer
(SSL) and available options which are used in enforcing data protection transmitted over the
Internet.[8]
CONCLUSION
Although Cloud computing can be seen as a new phenomenon which is set to revolutionise the
way we use the Internet, there is much to be cautious about. There are many new technologies
emerging at a rapid rate, each with technological advancements and with the potential of making
human’s lives easier. However, one must be very careful to understand the security risks and
challenges posed in utilizing these technologies. Cloud computing is no exception. In this paper
key security considerations and challenges which are currently faced in the Cloud computing are
highlighted. Cloud computing has the potential to become a frontrunner in promoting a secure,
virtual and economically viable IT solution in the future.