22-09-2016, 12:52 PM
[attachment=71468]
INTRODUCTION:
Cloud computing is an on-demand infrastructure that enables users to access computing resources and services from anywhere and anytime.
There are three types of services in cloud. They are
1. SaaS ( Software-as-a-service ) :
The Cloud provider offers software on-demand.
2. PaaS( Platform-as-a-service) :
The Cloud provider offers a platform to customer for their projects.
3. IaaS ( Infrastructure - as- a- service ):
The Cloud providers offer hardware resources or infrastructure to customer.When the user access the data from cloud service provider, there is a possibility of attacking the data. Preventing unauthorized access resources in the cloud is a major security problem.
Cloud characteristics for security
1. Multi -tenancy :
By Multi-tenancy, cloud provides services for various customers using utilizing the same cloud infrastructure resources. More than one tenants of cloud occupies the provider’s infrastructure. Multi-tenancy allows cloud service providers to manage resource utilization more effective by partitioning infrastructure among different customers.
2. Elasticity:
In cloud computing, customers use resources as needed while being able to increase or decrease resource consumption based on actual demands. For this, cloud services are scalable i.e., the required resources can be decreased or increased based on customer needs. Elasticity means scale up or down resources assigned to services based on demand.
Elasticity of tenant’s resources gives opportunity to other tenants to use the tenant’s previously assigned resources. This may lead to confidentiality issues.For example, tenant A scaled down, so it releases some resources, these resources now assigned to tenant B. Then tenant B uses it to deduce the previous contents of tenant A.
3. Multiple stakeholders:
Stake holders are different types in cloud computing
1. Cloud provider(entity that delivers infrastructure to customers)
2. Service provider(entity that uses the infrastructure to deliver services to end users)
3. Customer (entity that uses services hosted on cloud infrastructure)
Each stake holder has their own security systems and their own requirements and capabilities. This leads to following issues
1. Providers and customers need to agree the security properties. But there is no standard security specifications are available that can be used by stake holders to represent security properties.
2. Each customer has trust relations with provider. But some customers are actually malicious attackers. There are generating complex trust issues.
4. Third party control:
The owner of data has no control of their own data. But cloud services require the customer have control over his infrastructure. For this, cloud providers should make the management and maintenance of cloud services is transparent to customers. This should include recording logs and administration.
Third party access can lead to potential loss of secret information. This is also issue of attacker who abuses access rights to customer information.
General requirements of cloud security
1. Confidentiality
Confidentiality refers to only authorized users or systems having the permissions to access protected data. Confidentiality can be achieved using encryption techniques. Cloud providers should ensure that encryption standards are properly deployed or not. Data confidentiality in the cloud is correlated to user authentication. Lack of authentication can lead to unauthorized access to users account in cloud.
2. Integrity
Data Integrity refers to protecting data from unauthorized deletion or modification. When data is maintained confidential, there is no guarantee that data has not been altered.
3. Availability
Availability refers to data being accessible on demand by authorizing entity. It is to ensure that users can use services at any time and any place.
4. Privacy
Every user has control over their personal information. Privacy is important issues for cloud computing, both in terms of legal compliance and user trust.
5. Trust
Trust was used in process of convincing users that system was secure. In cloud, the user is dependent on provider for various services. In these services, the customer has to store his confidential data on provider’s side.
6. Audit
Auditing is process of reviewing the details of customer that when he accessing the data, details of customer.
SECURITY ISSUES IN DIFFERENT CATEGORIES
1. NETWORK SECURITY
---problems associated with network communications and configurations.
a. Transfer security
Distributed architectures, resource sharing, virtual machine instances synchronization imply more data transit in the cloud. It requires virtual private network mechanisms for protecting the system against sniffing and spoofing.
Sniffing: it is act of capturing packets of data flowing across a computer network.
Spoofing: Act of forging the header information on an email so that it appears to have originated from somewhere other than its source.
b. Firewall
Firewalls protect the provider’s internal cloud against insiders and outsiders. A firewall is software utility or hardware device that limits network access to computer by blocking or restricting network ports.
c. Security configuration:
Configuration of protocols, Systems, Technologies is to provide the required levels of security.
2. INTERFACES
a. API (Application programming interfaces):
These are used for accessing virtualized resources must be protected inn order to prevent attacks.
b. Administrative interface:
It enables VM management for IaaS, development for PaaS (coding, deploying, testing) and application tools or SaaS (user access control).
c. User interface:
It is for discussing resources and tools, implying the need of acquiring measures for securing the environment.
d. Authentication :
Some mechanisms required to enable access to the cloud.
3. DATA SECURITY
a. Confidentiality: Ensuring that information is not accessed by unauthorized persons.
b. Integrity: ensuring that information is not altered by unauthorized persons in a way that is not detectable by authorized persons.
c. Availability: ensuring that authorized persons are able to access the information when needed.
4. VIRTUALIZATION
Creation of virtual(rather than actual) version of something such as server.
a. Isolation: Although separated logically, all VM’s share the same hardware and same resources.
b. Hypervisor vulnerabilities: the hypervisor is main software component of virtualization. Even, they are security vulnerabilities for hypervisors, solutions are still insufficient.
c. Data leakage: Make use of hypervisor vulnerabilities and lack of isolation controls in order to leak data form virtualized infrastructures.
5. GOVERNANCE:
These issues are related to administrative and security controls in cloud computing solutions.
a. Data cloud:Losing control over the redundancy, location,file systems.
b. Security cloud: loss of governance over security mechanisms and policies.
c. Lock-in: user potential dependency on a particular service provider due to lack of standards.
6. COMPLAINCE:
This includes requirements related to service availability and audit capabilities.
a. Service level agreements: mechanisms to ensure the required service availability and basic security procedures to be adopted.
b. Loss of service: service outages are not exclusive to cloud environments.
c. Audit: allows security and availability assessments to be performed by customers.
7. LEGAL ISSUES:these are theaspects related to judicial requirements and law
a. Data location: user data located in multiple jurisdictions depending on geographic locationare affected by law-enforcement measures.
b. E-discovery: as a result of law-enforcement measures, hardware might be seized for investigations related to particular user.
INTRODUCTION:
Cloud computing is an on-demand infrastructure that enables users to access computing resources and services from anywhere and anytime.
There are three types of services in cloud. They are
1. SaaS ( Software-as-a-service ) :
The Cloud provider offers software on-demand.
2. PaaS( Platform-as-a-service) :
The Cloud provider offers a platform to customer for their projects.
3. IaaS ( Infrastructure - as- a- service ):
The Cloud providers offer hardware resources or infrastructure to customer.When the user access the data from cloud service provider, there is a possibility of attacking the data. Preventing unauthorized access resources in the cloud is a major security problem.
Cloud characteristics for security
1. Multi -tenancy :
By Multi-tenancy, cloud provides services for various customers using utilizing the same cloud infrastructure resources. More than one tenants of cloud occupies the provider’s infrastructure. Multi-tenancy allows cloud service providers to manage resource utilization more effective by partitioning infrastructure among different customers.
2. Elasticity:
In cloud computing, customers use resources as needed while being able to increase or decrease resource consumption based on actual demands. For this, cloud services are scalable i.e., the required resources can be decreased or increased based on customer needs. Elasticity means scale up or down resources assigned to services based on demand.
Elasticity of tenant’s resources gives opportunity to other tenants to use the tenant’s previously assigned resources. This may lead to confidentiality issues.For example, tenant A scaled down, so it releases some resources, these resources now assigned to tenant B. Then tenant B uses it to deduce the previous contents of tenant A.
3. Multiple stakeholders:
Stake holders are different types in cloud computing
1. Cloud provider(entity that delivers infrastructure to customers)
2. Service provider(entity that uses the infrastructure to deliver services to end users)
3. Customer (entity that uses services hosted on cloud infrastructure)
Each stake holder has their own security systems and their own requirements and capabilities. This leads to following issues
1. Providers and customers need to agree the security properties. But there is no standard security specifications are available that can be used by stake holders to represent security properties.
2. Each customer has trust relations with provider. But some customers are actually malicious attackers. There are generating complex trust issues.
4. Third party control:
The owner of data has no control of their own data. But cloud services require the customer have control over his infrastructure. For this, cloud providers should make the management and maintenance of cloud services is transparent to customers. This should include recording logs and administration.
Third party access can lead to potential loss of secret information. This is also issue of attacker who abuses access rights to customer information.
General requirements of cloud security
1. Confidentiality
Confidentiality refers to only authorized users or systems having the permissions to access protected data. Confidentiality can be achieved using encryption techniques. Cloud providers should ensure that encryption standards are properly deployed or not. Data confidentiality in the cloud is correlated to user authentication. Lack of authentication can lead to unauthorized access to users account in cloud.
2. Integrity
Data Integrity refers to protecting data from unauthorized deletion or modification. When data is maintained confidential, there is no guarantee that data has not been altered.
3. Availability
Availability refers to data being accessible on demand by authorizing entity. It is to ensure that users can use services at any time and any place.
4. Privacy
Every user has control over their personal information. Privacy is important issues for cloud computing, both in terms of legal compliance and user trust.
5. Trust
Trust was used in process of convincing users that system was secure. In cloud, the user is dependent on provider for various services. In these services, the customer has to store his confidential data on provider’s side.
6. Audit
Auditing is process of reviewing the details of customer that when he accessing the data, details of customer.
SECURITY ISSUES IN DIFFERENT CATEGORIES
1. NETWORK SECURITY
---problems associated with network communications and configurations.
a. Transfer security
Distributed architectures, resource sharing, virtual machine instances synchronization imply more data transit in the cloud. It requires virtual private network mechanisms for protecting the system against sniffing and spoofing.
Sniffing: it is act of capturing packets of data flowing across a computer network.
Spoofing: Act of forging the header information on an email so that it appears to have originated from somewhere other than its source.
b. Firewall
Firewalls protect the provider’s internal cloud against insiders and outsiders. A firewall is software utility or hardware device that limits network access to computer by blocking or restricting network ports.
c. Security configuration:
Configuration of protocols, Systems, Technologies is to provide the required levels of security.
2. INTERFACES
a. API (Application programming interfaces):
These are used for accessing virtualized resources must be protected inn order to prevent attacks.
b. Administrative interface:
It enables VM management for IaaS, development for PaaS (coding, deploying, testing) and application tools or SaaS (user access control).
c. User interface:
It is for discussing resources and tools, implying the need of acquiring measures for securing the environment.
d. Authentication :
Some mechanisms required to enable access to the cloud.
3. DATA SECURITY
a. Confidentiality: Ensuring that information is not accessed by unauthorized persons.
b. Integrity: ensuring that information is not altered by unauthorized persons in a way that is not detectable by authorized persons.
c. Availability: ensuring that authorized persons are able to access the information when needed.
4. VIRTUALIZATION
Creation of virtual(rather than actual) version of something such as server.
a. Isolation: Although separated logically, all VM’s share the same hardware and same resources.
b. Hypervisor vulnerabilities: the hypervisor is main software component of virtualization. Even, they are security vulnerabilities for hypervisors, solutions are still insufficient.
c. Data leakage: Make use of hypervisor vulnerabilities and lack of isolation controls in order to leak data form virtualized infrastructures.
5. GOVERNANCE:
These issues are related to administrative and security controls in cloud computing solutions.
a. Data cloud:Losing control over the redundancy, location,file systems.
b. Security cloud: loss of governance over security mechanisms and policies.
c. Lock-in: user potential dependency on a particular service provider due to lack of standards.
6. COMPLAINCE:
This includes requirements related to service availability and audit capabilities.
a. Service level agreements: mechanisms to ensure the required service availability and basic security procedures to be adopted.
b. Loss of service: service outages are not exclusive to cloud environments.
c. Audit: allows security and availability assessments to be performed by customers.
7. LEGAL ISSUES:these are theaspects related to judicial requirements and law
a. Data location: user data located in multiple jurisdictions depending on geographic locationare affected by law-enforcement measures.
b. E-discovery: as a result of law-enforcement measures, hardware might be seized for investigations related to particular user.