Cloud Computing: Security Model Comprising Governance, Risk Management and Compliance.

Transcription

1 Cloud Computing: Security Model Comprising Governance, Risk Management and Compliance. Sumit Kr. Yadav 1, Fawaz S. Al-Anzi 2, Jyoti Soni 3 1 Indira Gandhi Delhi Technical University, Delhi, India; 2 Computer Engineering Department, Kuwait University, Kuwait; 3 Computer Engineering Department, Kuwait University, Kuwait; sumitarya007@gmail.com 1, fawaz.alanzi@ku.edu.kw 2, jyotisoni261@gmail.com 3 Abstract Cloud security is a broad topic and any combination of policies, technologies, and controls to protect data, infrastructure and services from possible attacks. Security requirements in the cloud are very much different from traditional environments. Since cloud has a dynamic nature with small customer ownership of infrastructure, has broken traditional security architecture. We believe Security should be the joint responsibility of service provider and organization, no matter what kind of service model you are using. Security will be more effective when layered at each level of cloud technology and integrated with a common management platform. There is a hype of cloud in the market, but companies are not still ready to put their business in the cloud just because of security is prominent issues which does not grow the cloud computing business in the market.we focus on the area, i.e. application security, information security, infrastructure security and security monitoring by giving our own security model. This model surely protects our organizational physical as well as virtual assets by providing better security options. Keywords Cloud computing, Threat, security I. INTRODUCTION The importance of Cloud Computing is increasing day by day and receiving a huge attention in the scientific and industrial communities. Cloud Computing appears as a computational paradigm as well as a distributed architecture and its main objective is to provide secure, quick, convenient data storage and net computing service, with all computing resources visualized as services and /14/$ IEEE delivered over the Internet [1, 2].Cloud computing is affordable means of delivering IT services and get access dynamic, scalable, virtualized environment. The cloud enhances collaboration, agility, scalability, availability, ability to adapt to fluctuations according to demand, accelerate development work, and provides potential for cost reduction through optimized and efficient computing [3,4].Cloud computing is a combination of different technologies such as virtualization, web 2.0, Service oriented architecture and many more. Cloud computing has three distinct service models and three delivery models. 1.1 Service Model In this section various types of service model(s) and their characteristics have been explained. (a) Infrastructure as a Service Model, service provider provides virtual and physical hardware as a service and entire infrastructure is delivered over the internet. In this model client has more security control. Provider provides networking, virtualization, servers and storage [11]. Characteristics of IaaS are : 1. Utility computing service and billing model. 2. Automation of administrative tasks. 3. Dynamic scaling. 4. Desktop virtualization. 5. Policy-based services. 6. Internet connection

2 PRIVATE HYBRIDE PUBLIC 4. Collaboration 5. Document management 6. Service desk management SAAS(Software as a Service) PAAS(Plateform as a Service ) IAAS(Infrstructure as a Service) Figure 1. Cloud computing models (b)platform as a Service Model provides a platform for development and deployment software applications by supporting entire application life cycle. Cloud provider is responsible or security and monitoring. Provider provides runtime, middleware, OS, networking, servers, storage and virtualization. Developer takes several benefits from PaaS. OS features could be easily changed with PaaS.[9, 10] Geographically distributed development tea can obtain service from diverse source and work together on software development projects. (c)software as a Service Model, consumer use hosted application through a web browser. In the SaaS model, Security, management and control are services provider's responsibility because the customer has minimal control or extensibility. By contrast, the PaaS model offers greater extensibility and greater customer control. [13, 14] Largely because of the relatively low degree of abstraction, IaaS offers greater tenant or customer control over security than does PaaS or SaaS [15].Characteristic of SaaS are: 1. Computerized billing 2. Invoicing 3. Human Resource management Figure 2. Resources in Cloud computing environment 1.2 Delivery Models (a) Private Cloud: In this model cloud owner does not share their resources with any other organization. It is set up and maintained by an organization. Security can be very well implemented in this model [16, 17]. (b) Public Cloud: In this model services are provided on the internet that can be billed on a "pay per rule" basis and accessed by the web browser [8, 18, and 19]. (c) Hybrid Cloud: Hybrid cloud is designed to meet business and technology requirement of customer. Generally any private cloud is associated with external cloud. 2. CLOUD COMPUTNG SECURITY ISSUES Cloud computing is an emerging technology which delivers IT services online, on demand with shared resources and lower cost[11]. Cloud has lot of advantages, but still suffering from various securities

3 related issues. One of the most prominent security issues is with privacy and compliance. We discuss various such issues in Table1. Threat(According to Cloud security Alliance(CSA)[6] Abuse and Nefarious Use of Cloud Computing Insecure Application Programming Interfaces Description Top most threat of cloud computing is Abuse and nefarious use. For example botnets to spread spam and malware. Attacker can upload malware to thousands of computers and use cloud infrastructure to attack another machine. Through application programming interface customer can get access to cloud service. Security of cloud is depends on security of interface. API must be implemented by secure access control, authentication and encryption mechanism. Data Loss/Leakage Account, Service & Traffic Hijacking Data scavenging Malicious VM creation Data leakage happens when the data gets into the wrong hands while it is being transferred, stored, audited or processed. An account theft is another issue, can be performed by different ways such as social engineering and weak credentials. Examples of these threads are man-inmiddle attack, phishing, denial of service attack. Data cannot be completely removed and attacker can reconstruct data again. An attacker can create a VM image which consist of malicious code such as a Trojan horse and store it in the provider repository. Table 1. Security threat in cloud environments Malicious Insiders Customer-data manipulation Malicious insider can get unauthorized access of cloud resource which can be a greater loss of business. SQL injection, command injection, insecure direct object references, and cross-site scripting are the possible attack through which attacker manipulate customer data. 3. SECURITY MODEL FOR CLOUD For achieving business objectives all the security domains should work in an effective manner. For the same figure 3 represents how governance, risk management plan and compliance act together to effectively enforce the security program at each layer. Security in application layer is also important to enforce the access policies effectively. Physical infrastructure security is also important to provide the effective controls over the infrastructure within the organization as physical presence was an important element of identity. (otherwise physical access can easily make the security compromised)[11]. A through security model can be

4 easily made more understandable with the help of figure Protect sensitive data 3. Understand legal issues 4. Information life cycle management 5. Portability and interoperability Organization should implement framework for effective risk management and measure the performance of risk management framework by metrics. Service level agreement are implemented by an organization to ensure security requirement enforce.[12] 3.2 People & Identity management 1. Only authorized user can access assets of organization. 2. Identity federation approach is applied or authentication and authorization. 3. We should rely on Single sign-on capability for user log on. 4. Managing identities and leveraging directory service to provide access control. 5. Web based identity management is a good option. 3.3 Application Security 1. Cloud provider should follow a secure development process. 2. XML signature and XML encryption method should be used to protect applications from XML attacks and web service attacks. 3.4 Information Security Figure 3. Security model for cloud computing 3.1 Security Governance, Risk Management and Compliance The fundamental responsibility of the organization is to identify and implement process, controls and organizational structure so that effective security governance, risk management and compliance could be possibly achieved. Governance is any set of policies, law and technologies that work within organization and give direction to achieve a security objective.[5, 6, 20] Some responsibilities of the organization are: 1. Access risk of cloud provider 1. Data and information security is top most concern. 2. Need to focus how data is stored, processed, compliance and audit. 3. Standard encryption method and managing encryption key should be used to protect data privacy. 4. Policy based security or trusted virtual domain should be implemented so that data/ information problem could be solved.[7] 5. Intrusion detection and prevention system should be built. 3.5Physical Infrastructure Security 1. Safeguards including Bio metric access control, close circuit television monitoring (CTV). 2. Doors should be equipped with alarms. 3.A Computer based access controlled system (CAS) uses badge readers to restrict access to only those with approval to enter controlled areas.

5 3.6 Necessary steps for security of cloud [20] Conference on Future Networks (ICFN 10), Sanya, Hainan, China. IEEE Computer Society, Washington, DC, USA, pp [3]. Cloud Security Alliance (2011) Security guidance for critical areas of focus incloud Computing V3.0.. Available: guidance/csaguide.v3.0.pdf [4]. Khalid A (2010) Cloud Computing: applying issues in Small Business. In:International Conference on Signal Acquisition and Processing (ICSAP 10),pp [5]. Mather T, Kumaraswamy S, Latif S (2009) Cloud Security and Privacy. O Reilly Media, Inc., Sebastopol, CA [6].S. Ghemawat, H. Gobioff, and S. Leung, The Google file system, in Proceedings of the 19th Symposium on Operating Systems Principles (OSDI 2003), 2003, pp [7]. Li W, Ping L (2009) Trust model to enhance Security and interoperability of Cloud environment. In: Proceedings of the 1st International conference on Cloud Computing. Springer Berlin Heidelberg, Beijing, China, pp [8]. Rittinghouse JW, Ransome JF (2009) Security in the Cloud. In: Cloud Computing. Implementation, Management, and Security, CRC Press [9]. Kitchenham B (2004) Procedures for perfoming systematic review, software engineering group. Department of Computer Scinece Keele University, United Kingdom and Empirical Software Engineering, National ICT Australia Ltd, Australia. TR/SE CONCLUSION Cloud computing provides lots of advantages but today, cloud computing is suffering from security. Security is a biggest concern of client these days. If client want to take full advantage of cloud computing so client must ensure about data, infrastructure and application security. In this paper we provide a security model for cloud which secures organizational physical and virtual assets. 5. REFERENCES [1] Zhao G, Liu J, Tang Y, Sun W, Zhang F, Ye X, Tang N (2009) Cloud Computing: A Statistics Aspect of Users. In: First International Conference on Cloud Computing (CloudCom), Beijing, China. Springer Berlin, Heidelberg,pp [2] Zhang S, Zhang S, Chen X, Huo X (2010) Cloud Computing Research and Development Trend. In: Second International [10]. Kitchenham B, Charters S (2007) Guidelines for performing systematic literature reviews in software engineering. Version 2.3 University of keele (software engineering group, school of computer science and mathematics) and Durham. Department of Conputer Science, UK [11]. [12]. Brereton P, Kitchenham BA, Budgen D, Turner M, Khalil M (2007) Lessons from applying the systematic literature review process within the software engineering domain. J Syst Softw 80(4): [13]. Zissis, Dimitrios, and Dimitrios Lekkas. "Addressing cloud computing security issues." Future Generation Computer Systems 28.3 (2012): [14]. Bhadauria, Rohit, and Sugata Sanyal. "Survey on Security Issues in Cloud Computing and Associated Mitigation Techniques." International Journal of computer applications 47 (2012). [15]. Harnik, Danny, et al. "Secure access mechanism for cloud storage." Scalable Computing: Practice and Experience 12.3 (2011).

6 [16]. Pappas, Vasilis, et al. "CloudFence: Data Flow Tracking as a Cloud Service."Research in Attacks, Intrusions, and Defenses. Springer Berlin Heidelberg, [17]. Seccombe, A., et al. "Security guidance for critical areas of focus in cloud computing, v2. 1." Cloud Security Alliance (2009). [18]. Song, Dawn, et al. "Cloud data protection for the masses." IEEE Computer45.1 (2012): [19]. Saidi, Mustapha Ben, and Abderrahim Marzouk. "Access Control Protocol for Cloud Systems Based On the Model TOrBAC." [20]. Eludiora, Safiriyu, et al. "A User Identity Management Protocol for Cloud Computing Paradigm." International Journal of Communications, Network & System Sciences 4.3 (2011).