17-09-2016, 10:29 AM
1455034108-CloudComputing.docx (Size: 71.92 KB / Downloads: 4)
Abstract
Cloud computing is architecture for providing computing service via the internet on demand and pay per use access to a pool of shared resources namely networks, storage, servers, services and applications, without physically acquiring them. So it saves managing cost and time for organizations. Many industries, such as banking, healthcare and education are moving towards the cloud due to the efficiency of services provided by the pay-per-use pattern based on the resources such as processing power used, transactions carried out, bandwidth consumed, data transferred, or storage space occupied etc.
There are various research challenges also there for adopting cloud computing such as well managed service level agreement (SLA), privacy, interoperability and reliability.
“This research paper outlines the main security risks and issues that are currently present within the cloud computing industry. This paper also analyzes the key research and challenges that are present in cloud computing.”
Introduction
The term “cloud” was coined from the computer network diagrams which use it to hide the complexity of infrastructure involved. Cloud computing provides software, platform and infrastructure as a service.
Its main features include resource pooling, rapid elasticity, measured service, on-demand self service and broad network access. So, a cloud is a collection of hardware and software that runs in a data centre and enables the cloud computing model. A cloud reduces capital investment, hardware cost and software license cost. Cloud computing also raises severe challenges especially regarding the security level required for the secure use of services provided by it. There are no publically available standards specific to cloud computing security. So, in this paper, we propose the following standards for maintaining security in an unsafe computing environment.
Main characteristics include:
• On-demand self-service: The ability for an end user to sign up and receive • services without the long delays that have characterized traditional IT.
• Broad network access: Ability to access the service via standard platforms • (desktop, laptop, mobile etc)..
• Rapid elasticity: Capability to cope with demand peaks.
• Measured Service: Billing is metered and delivered as a utility service.
it provides only abstraction. It can be utilized as a service of an Internet with high scalability, higher throughput, quality of service and high computing power
Building Blocks
A. Different models of cloud computing
Generally cloud services can be divided into three categories: 1. Software as a Service (SaaS)
2. Platform as a Service (PaaS).
3. Infrastructure as a Service (IaaS).
Cloud Computing Security Architecture
Security within cloud computing is an issue of concern because of the fact that the devices which are used to provide services do not belong to the users themselves. The users have no control of, nor any knowledge of, what could happen to their data.
This is of great concern in cases when users have valuable and personal information stored in a cloud computing service. Users will not compromise their privacy so cloud computing service providers must ensure that the customer’s information is safe. This, however, is becoming increasingly challenging because as security developments are made, there always seems to be someone to figure out a way to disable the security and take advantage of user information.
Some of the important components of Service Provider Layer are -SLA Monitor, Metering, Accounting, Resource Provisioning, Scheduler& Dispatcher, Load Balancer, Advance Resource Reservation Monitor, and Policy Management. Some of the security issues related to Service Provider Layer are Identity, Infrastructure, Privacy, Data transmission, People and Identity, Audit and Compliance, Cloud integrity and Binding Issues.
Some of the important components of Virtual Machine Layer create number of virtual machines and number of operating systems and its monitoring. Some of the security issues related to Virtual Machine Layer are VM Sprawl, VM Escape, Infrastructure, Separation between Customers, Cloud legal and Regularity issues, Identity and Access management Some of the important components of Data Center (Infrastructure) Layer contains the Servers, CPU's, memory, and storage, and is henceforth typically denoted as Infrastructure-as-a-Service (IaaS).
Some of the security issues related to Data Center Layer are secure data at rest, Physical Security: Network and Server.
Some organizations have been focusing on security issues in the cloud computing.
The Cloud Security Alliance is a nonprofit organization formed to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.
The Open Security Architecture (OSA) is another organizations focusing on security issues. They propose the OSA pattern, which pattern is an attempt to illustrate core cloud functions, the key roles for oversight and risk mitigation, collaboration across various internal organizations, and the controls that require additional emphasis.
For example- the Certification, Accreditation, and Security Assessments series increase in importance to ensure oversight and assurance given that the operations are being “outsourced” to another provider. System and Services Acquisition is crucial to ensure that acquisition of services is managed correctly. Contingency planning helps to ensure a clear understanding of how to respond in the event of interruptions to service delivery. The Risk Assessment controls are important to understand the risks associated with services in a business context.
To address the challenges and to enable cloud computing, several standards groups and industry consortia are developing specifications and test beds. Some of the existing standards and test bed groups are Cloud Security Alliance (CSA), Internet Engineering Task Force (IETF), and Storage Networking Industry Association (SNIA) etc.
On the other side, a cloud API provides either a functional interface or a management interface Cloud management has multiple aspects that can be standardized for interoperability. Some possible standards are Federated security (e.g., identity) across clouds, Metadata and data exchanges among clouds, Standardized outputs for monitoring, auditing, billing, reports and notification for cloud applications and services, Cloud-independent representation for policies and governance etc.
Network Intrusion Detection System: This aims to detect a security breach. Intrusion detection can be defined as a method to detect unauthorized use of attack to a computer, network telecommunication system. The basic idea behind this system is to spot suspicious happenings on the network and sound an alarm, here the sensors collect traffic and user activity data and send them to an analyzer that looks for abnormal activities.
KEY SECURITY ISSUES IN CLOUD COMPUTING
Cloud computing consists of applications, platforms and infrastructure segments. Each segment performs different operations and offers different products for businesses and individuals around the world.
There are numerous security issues for cloud computing as it encompasses many technologies including networks, databases, operating systems, virtualization, resource scheduling, transaction management, load balancing, concurrency control and memory management.
Therefore, security issues for many of these systems and technologies are applicable to cloud computing. For example, the network that interconnects the systems in a cloud has to be secure and mapping the virtual machines to the physical machines has to be carried out securely.
Data security involves encrypting the data as well as ensuring that appropriate policies are enforced for data sharing. The given below are the various security concerns in a cloud computing environment.
• Access to Servers & Applications.
• Data Transmission
• Virtual Machine Security
• Network Security
• Data Security.
• Data Privacy.
• Data Integrity.
• Data Location.
• Data Availability.
• Data Segregation.
• Security Policy and Compliance.
• Patch management.
Access to Servers & Applications: In traditional datacenters, administrative access to servers is controlled and restricted to direct or on-premise connections which are not the case of cloud data centers. In cloud computing administrative access must be conducted via the Internet, increasing exposure and risk. It is extremely important to restrict administrative access to data and monitor this access to maintain visibility of changes in system control. Data access issue is mainly related to security policies provided to the users while accessing the data. In a typical scenario, a small business organization can use a cloud provided by some other provider for carrying out its business processes. Some organization will have its own security policies based on which each employee can have access to a particular set of data. The security policies may entitle some considerations wherein some of the employees are not given access to certain amount of data.
Data Transmission: Encryption techniques are used for data in transmission. To provide the protection for data only goes where the customer wants it to go by using authentication and integrity and is not modified in transmission. SSL/TLS protocols are used here. In Cloud environment most of the data is not encrypted in the processing time. But to process data, for any application that data must be unencrypted. In a fully homomorphism encryption scheme advance in cryptography, which allows data to be processed without being decrypted. To provide the confidentiality and integrity of data-in-transmission to and from cloud provider by using access controls like authorization, authentication, auditing for using resources, and ensure the availability of the Internet-facing resources at cloud provider. Man-in-the-middle attacks is cryptographic attack is carried out when an attacker can place themselves in the communication’s path between the users. Here, there is the possibility that they can interrupt and change communications.
Network Security: Networks are classified into many types like shared and non-shared, public or private, small area or large area networks and each of them have a number of security threats to deal with. Problems associated with the network level security comprise of DNS attacks, Sniffer attacks, issue of reused IP address, etc which are explained in details as follows.
A Domain Name Server (DNS) server performs the translation of a domain name to an IP address. Since the domain names are much easier to remember. Hence, the DNS servers are needed. But there are cases when having called the server by name, the user has been routed to some other evil cloud instead of the one he asked for and hence using IP address is not always feasible. Although using DNS security measures like: Domain Name System Security Extensions (DNSSEC) reduces the effects of DNS threats but still there are cases when these security measures prove to be inadequate when the path between a sender and a receiver gets rerouted through some evil connection. It may happen that even after all the DNS security measures are taken, still the route selected between the sender and receiver cause security problems.
Sniffer attacks are launched by applications that can capture packets flowing in a network and if the data that is being transferred through these packets is not encrypted, it can be read and there are chances that vital information flowing across the network can be traced or captured. A sniffer program, through the NIC (Network Interface Card) ensures that the data/traffic linked to other systems on the network also gets recorded. It can be achieved by placing the NIC in promiscuous mode and in promiscuous mode it can track all data, flowing on the same network. A malicious sniffing detection platform based on ARP (address resolution protocol) and RTT (round trip time) can be used to detect a sniffing system running on a network . When a particular user moves out of a network then the IP-address associated with him (earlier) is assigned to a new user. This sometimes risks the security of the new user as there is a certain time lag between the change of an IP address in DNS and the clearing of that address in DNS caches. And hence, we can say that sometimes though the old IP address is being assigned to a new user still the chances of accessing the data by some other user is not negligible as the address still exists in the DNS cache and the data belonging to a particular user may become accessible to some other user violating the privacy of the original user.
Data Privacy: The data privacy is also one of the key concerns for Cloud computing. A privacy steering committee should also be created to help make decisions related to data privacy requirement. This will ensure that your organization is prepared to meet the data privacy demands of its customers and regulators. Data in the cloud is usually globally distributed which raises concerns about jurisdiction, data exposure and privacy. Organizations stand a risk of not complying with government policies. Virtual co-tenancy of sensitive and non-sensitive data on the same host also carries its own potential risks.
Virtual Machine Security: Virtualization is one of the main components of a cloud. Virtual machines are dynamic i.e. it can quickly be reverted to previous instances, paused and restarted, relatively easily. They can also be readily cloned and seamlessly moved between physical servers.
This dynamic nature and potential for VM sprawl makes it difficult to achieve and maintain consistent security. Vulnerabilities or configuration errors may be unknowingly propagated. Also, it is difficult to maintain an auditable record of the security state of a virtual machine at any given point in time.
Full Virtualization and Para Virtualization are two kinds of virtualization in a cloud computing paradigm. In full virtualization, entire hardware architecture is replicated virtually. However, in Para-virtualization, an operating system is modified so that it can be run concurrently with other operating systems. VMM (Virtual Machine Monitor) is a software layer that abstracts the physical resources used by the multiple virtual machines.
The VMM provides a virtual processor and other virtualized versions of system devices such as I/O devices, storage, memory, etc. Many bugs have been found in all popular VMMs that allow escaping from Virtual machine. Vulnerability in Microsoft Virtual PC and Microsoft Virtual Server could allow a guest operating system user to run code on the host or another guest operating system.
The other issue is the control of administrator on host and guest operating systems. Current VMMs (Virtual Machine Monitor) do not offer perfect isolation. Virtual machine monitor should be ‘root secure’, meaning that no privilege within the virtualized guest environment permits interference with the host system.
Data Integrity: Data corruption can happen at any level of storage and with any type of media, So Integrity monitoring is essential in cloud storage which is critical for any data center. Data integrity is easily achieved in a standalone system with a single database. Data integrity in such a system is maintained via database constraints and transactions. Transactions should follow ACID (atomicity, consistency, isolation and durability) properties to ensure data integrity. Most databases support ACID transactions and can preserve data integrity. Data generated by cloud computing services are kept in the clouds. Keeping data in the clouds means users may lose control of their data and rely on cloud operators to enforce access control