EVALUATIVE STANDARD THAT ADDRESS CLOUD-SPECIFIC VIRTUALIZATION SECURITY CONCERNS

Size: px
Start display at page:

Download "EVALUATIVE STANDARD THAT ADDRESS CLOUD-SPECIFIC VIRTUALIZATION SECURITY CONCERNS"

Transcription

1 EVALUATIVE STANDARD THAT ADDRESS CLOUD-SPECIFIC VIRTUALIZATION SECURITY CONCERNS MAKANGA, VICTOR WESONGA Research thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Information Technology at Strathmore University MASTER OF SCIENCE IN INFORMATION TECHNOLOGY 2013

2 Declaration I declare that this work has not been previously submitted and approved for the award of a degree by this or any other University. To the best of my knowledge and belief, the thesis contains no material previously published or written by another person except where due reference is made in the thesis itself. VICTOR WESONGA MAKANGA Approval The thesis of Victor Makanga was reviewed and approved by the following: Dr. Vincent Omwenga Supervisor, Faculty of Information Technology Strathmore University Dr. Reuben O. Marwanga Dean, Faculty of Information Technology Strathmore University Prof. Ruth Kiraka Dean, School of Graduate Studies Strathmore University ii

3 Abstract Cloud computing is an emerging technology that offers an efficient delivery of computing resources through pooling of storage, network and software. These computing resources are critical to business functions, since they aid in storage and processing of data. Lack of effective cloud-computing standards has made it difficult for cloud customers to effectively evaluate different cloud offering as well as limiting interoperability among cloud platforms and therefore causing inconsistency in areas of security. From the reviewed literature, different approaches to virtualization have been adopted to offer flexibility in terms of securing customer s data and offering access control granularity. These include software, partial and hardware virtualization. The descriptive research method used was conducted using survey questionnaires with cloud users as the target population. The research seeks to find out how people implement virtualization and the challenges they face. Their perception on security of their data in the cloud as well as how they would like to amended to safe guard this data. The survey results are analyzed qualitatively and results presented in various forms. This research finds out that though there are some form of rule that guide virtualization, these have been compromised due to lack of strict enforcement. As a result, research focuses on standard which proposes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization. Therefore this research proposes an approach that established a new security layer that ensures compliance and enforcement of standards to address security concerns related to virtualization as applied in the cloud. iii

4 TABLE OF CONTENTS Declaration... ii Approval... ii Abstract... iii List of Tables... vii List of Figures... vii Acknowledgments... viii Dedication... ix Abbreviations... x Chapter 1: Introduction Cloud computing basics Security Cloud and security Background Security Challenges in both Cloud and Virtual Environments Problem Statement Research Objectives Research Questions Justification Scope Limitations... 6 Chapter 2: Literature Review Literature Rev Introduction Cloud computing characteristics Cloud delivery models Cloud deployment models Cloud Reference Model Cloud Security Core Cloud computing technologies iv

5 2.6.2 Core-Technology Vulnerabilities Virtualization Virtual System Components Virtualization Approaches Security Concern in virtualization Prototype evaluative standards for security in virtualization Cloud Security Reference Model Cloud Cube Model ISO/IEC Beyond Architecture: The Areas of Critical Focus The Future of Cloud Computing Level of Competition in Cloud Computing Industry Standardization of Services Security Chapter 3: RESEARCH METHODOLOGY RESEARCH METHODOLOGY Introduction Research Design Population and sampling Calculating the Sample Size Steps in Selecting a Sample-Size Data Collection Methods Questionnaire Data Analysis Research Quality Participant confidentiality Ethical Standards PRESENTATION OF RESEARCH FINDINGS Survey Results Analysis Discussions v

6 5.1 Introduction Current virtualization approaches Inherent weaknesses in technology that can lead to a violation of security and privacy concerns What evaluative standard can be used to address these security and privacy concerns? Architectural overview of the proposed framework Virtualization platform Security Checklist Conclusion and Recommendation Further Research References APPENDIX A Section A: Introduction (Bio Data) SECTION B: VIRTUALIAZATION APPROACH IN CLOUD COMPUTING APPENDIX B Research Budget vi

7 List of Tables Table 2-1 : Government (Cloud Security Alliance, 2009) Table 2-2: Operational Domain (Cloud Security Alliance, 2009) Table 4-1: Preferred cloud model Table 4-2: Threats specific to the Virtual environments Table 4-3: Addressing threats in a virtualized environment Table 4-4: Evaluation of existing standards Table 4-5: Vulnerabilities in VM Table 4-6: Addressing threats in a Virtual Environment TABLE C-0-1: Budget List of Figures Figure 2-1: Cloud reference model (Cloud Security Alliance, 2009)... 8 Figure 2-2: Cloud Reference Model (Cloud Security Alliance, 2009) Figure 2-3: Multi-tenancy (Cloud Security Alliance, 2009) Figure 2-4: Cloud Virtualization (VMware, 2010) Figure 2-5: Full Virtualization (Smyth, 2012) Figure 2-6: Para virtualization (Microsoft, 2009) Figure 2-7: Security Model (Cloud Security Alliance, 2009) Figure 2-8: The Cloud Cube Model (Cloud Security Alliance, 2009) Figure 2-9: Mapping the Cloud Model to the Security Control & Compliance Model (Cloud Security Alliance, 2009) Figure 3-1: Formula for Calculating a Sample for Proportions ((Mathews, 2010) Figure 4-1: Cloud utilization survey results Figure 4-2: Reason for engaging in cloud computing Figure 4-3: Virtualization Approach Figure 4-4: Regulatory measures Figure 5-1: Proposed architecture for enforcing virtualization security Figure 16: Detailed component of the Management Layer API vii

8 Acknowledgments I would like to express the deepest appreciation to my thesis supervisor Dr. Vincent Omwenga for his constant support and meticulous supervision of this work: he continually and persuasively conveyed professional genius in regard to research. In the same breath I would like to acknowledge my parents Oddah and Peter Makanga for their abundant support throughout my studies. Finally without God, this accomplishment would not have been possible. viii

9 Dedication This thesis is dedicated to my late sisters, Claire Makanga and Linda Makanga from whom I learnt the virtues of hard work and discipline. The common knowledge and values I borrowed from them has seen me grow into who I am today. ix

10 Abbreviations CIO Chief Information Officer CIA- Confidentiality, Integrity and Availability OS Operating System SOAP- Simple Object Access Protocol SAML - Security Assertion Markup Language TLB - Translation Look aside Buffer RISC - Reduced Instruction Set Computing ROI Return On Investment UML Unified Modeling Language VM- Virtual Machine XML- Extensible Markup Language SNMP Simple Network Management Protocol Definition of Terms AMD - Advanced Micro Devices is a semiconductor design innovator company. VMware: is a hypervisor that runs on x64 computers; it enables users to set up multiple virtual machines (VMs) and use them simultaneously along with the actual machine. X86 is a series of computer microprocessor instruction set architectures based on the Intel 8086 CPU. x

11 Chapter 1: Introduction Introduction 1.1 Cloud computing basics For decades, computers and associated infrastructure have evolved from standalone machines into smaller, powerful and more scalable devices. This exponential growth is in part as a result of Moore s law, which states that that processor speeds, or overall processing power for computers will double every two years (Moore, 2005). This evolution has seen the computer design change from a 1-tier to 3-tier architecture, with the concept of abstraction taking root. This abstraction has seen separation of storage, computation, network among other services thus enabling interoperability. Over a period of time, technological advances have enabled sharing of resources over the network. Organizations have opted to either host their IT services in-house while others due to tight budgets have decided to outsource their hosting needs. (Opusinteractive, 2011). This is what is otherwise known as Traditional hosting services. Its trademark characteristic includes a dedicated server offering complete resources which the customer pays for. On the other hand rapid in technological advances have seen the inception of cloud computing. Cloud computing refers to hosting of services. These are majorly storage and computing services that are accessed over the internet and are normally paid for on utility basis. This is also referred to as usage based billing. Rahul (2011) gives the distinct characteristics of cloud services are; 1. On demand access 2. Hosted service infrastructure is owned and maintained by the provider 3. Elasticity- service consumption can be increased or reduced. Cloud implementation s success is based on the ability of using the Internet to connect a grid computing applications. The first practical cloud computing implementation was done in 1999 by Salesforce.com. This introduced the concept of one delivering enterprise services through a Web site (Kaufman, 2009). 1

12 1.2 Security Computer Security is the protection or defense of computer information resources against threats. This threats can range from theft, destruction, publication, corruption or collapse by unauthorized activities or untrustworthy individuals. Therefore computer security objectives can be summarized as aiming at preserving the integrity, availability and confidentiality of information system resources (National Institute of Standards and Technology, 1995). Data integrity is a measure to ensure that information and software programs are not changed not unless that change is authorized and it is done only in a specified manner. Availability is an objective intended to assure that systems is operational (service requests) promptly and that service is not denied to authorized users. Confidentiality as a requirement ensures that private information is only available to intended owners and that it cannot be disclosed to unauthorized individuals. Broadly it can be categorized on to physical and logical security. Security needs to be cost effective and be an integral part of the business objectives Cloud and security The key concern to the would-be cloud users is the security concern. Hanna, (2011) asserts that security in the cloud is challenging, due to varied degrees of security features and management schemes within the cloud entities. Security threats on the cloud can be formulated in form of simple questions that need to be addressed. This can be 1. Failures in Provider Security 2. Attacks by Other Customers 3. Availability and Reliability Issues. 4. Legal and Regulatory Issues. 5. Perimeter Security Model Broken. 6. Integrating Provider and Customer Security Systems 1.3 Background Virtualization is emerging as a key mechanism of scaling the IT infrastructure (Ludmila, Diwaker & Vahdat, 2007). Consequently, this has seen Virtual Machines rapid adoption in many 2

13 computing environments. Server virtualization provides the ability to slice larger, underutilized physical servers into smaller, virtual ones. At the core of cloud computing is the virtualization technology that is used to provide computing resources as a service or utility over public, semipublic, or private infrastructures. Using a pool of clustered systems, a cloud based service offering is able to service multiple tenants or entities thus providing service-based access to shared computing resources (Khan & Malluhi, 2010).Virtual machines allow users to create, copy, save (checkpoint), read and modify, share, migrate and rollback the execution state of machines with all the ease of manipulating a file (Garfinkel & Rosenblum, 2010). On the other hand, Cloud computing is a concept that significantly enhances collaboration, agility, and scale through consolidating computing technologies, networks, and storage resources (Hassan et al, 2010). However, Hassan et al (2010) notes that without appropriate security and privacy solutions designed for clouds, this could lead to huge failure. A key standardization issue involves virtualization, which plays a critical role in most cloud-computing approaches. Virtualization flexibility would allow vendors to optimize workload among the various hardware resources. Unfortunately systems using different hypervisors won t interoperate because of different data formats. Other VM won t use a standard way to communicate with different network and storage architectures. (Ortiz 2011) This flexibility though provides significant value, pave way for platforms that replace real hardware thus providing radically different and dynamic computing environment. Useful mechanisms that virtual machines provide (e.g. rollback) can have unpredictable and harmful interactions and this can undermine the security architecture of many organizations (Garfinkel & Rosenblum, 2010) Security Challenges in both Cloud and Virtual Environments Since a virtual machine entirely encapsulates the state of the guest operating system running inside it, the guest operating system state can be copied and shared over networks and removable media like a normal file (Garfinkel & Rosenblum, 2010). Springer, (2011) suggests that middleware upon which this virtualization is done should uphold rigorous coding standards to avoid coding vulnerabilities. Most often these are caused as a result of few relatively common software defects. 3

14 Rapid scaling in virtual environments, which is restricted by the available storage, can tax security systems. Upgrades, patch management, and configuration can exacerbate management tasks and significantly multiply the impact of catastrophic events, e.g. worm attacks where all machines should be patched, scanned for vulnerabilities, and purged of malicious code (Garfinkel & Rosenblum, 2010). Providers often outsource the provision of middleware, which further complicates accountability and responsibility for errors (Springer, 2011) In a virtual environment machine state is more akin to a tree: at any point the execution can fork off into N different branches, where multiple instances of a VM can exist at any point (Checkpoints). These allow machines to be rolled back to previous states in their execution (e.g. to fix configuration errors). This makes patch management and maintenance difficult for example, rolling back a machine can re-expose patched vulnerabilities, reactivate vulnerable services, re-enable previously disabled accounts or passwords, use previously retired encryption keys. (Garfinkel & Rosenblum, 2010) The key concern to the would-be cloud users is the security concern. Hanna, (2011) asserts that security in the cloud is challenging, due to varied degrees of security features and management schemes within the cloud entities. Cloud computing is a maturing field and control challenges typically highlight situations in which otherwise successful security controls are ineffective in a cloud setting(grobauer, Walloschek & Stöcker, 2011). Security implementation in the three key cloud delivery models, software as a service, platform as a service, and infrastructure as a service, differs from model to model. In software as a service (SaaS), providers typically enable services with a large number of integrated features, resulting in less extensibility for customers. In platform as a service (PaaS), the customers are primarily responsible for protecting the applications they build and run on the platforms. In infrastructure as a service IaaS is the most extensible delivery and the consumers secure the operating systems, applications, and content (Hassan et al, 2010). In the context of virtualization, the key security issues include identity management, data leakage (caused by multiple tenants sharing physical resources), access control, virtual machine (VM) protection, persistent client-data security, and the prevention of cross-vm side-channel attacks (Khan & Malluhi, 2010). 4

15 1.4 Problem Statement Cloud computing is an emerging technology that offers an efficient delivery of computing resources through pooling of storage, network and software. Failure of comprehensive cloudcomputing standards could make cloud computing trickier to use. This is due to lack of effective cloud-computing standards has made it difficult for cloud customers to effectively evaluate different cloud offering as well as limiting interoperability among cloud platforms and therefore causing inconsistency in areas of security. In fact more often buyers are faced with a difficulty of comparing and evaluating different cloud offering without standardization (Ortiz, 2011). Cloud offering interoperability and service portability does enable competition which in turn makes the customer realize a maximum return on investment. Due to the heterogeneous nature of the cloud, there are no standard benchmarks upon which security can be objectively and effectively evaluated. Therefore this study will review the existing strategies and develop a standard model for the evaluation of security associated with virtualization. Currently, there are no cloud-specific security standards that cloud customers can use to monitor the security status of their cloud resources. Until such standard security metrics are developed and implemented, controls for security assessment, audit, and accountability are more difficult and costly, and might even be impossible to employ (Grobauer et al, 2011) 1.5 Research Objectives The main objective of the research is to; i. Identify the virtualization approaches used in cloud computing. ii. Evaluate security vulnerabilities present in the virtualization technologies used in the cloud computing. iii. Develop evaluative standard that address cloud-specific virtualization security concerns. iv. Validate the developed evaluative standard. 1.6 Research Questions i. What are the current virtualization approaches being used in cloud computing? 5

16 ii. iii. iv. What are the inherent weaknesses in these technologies that can lead to a security breach and privacy concerns? What evaluative standard can be used to address these security and privacy concerns? How does the developed standard can be evaluated? 1.7 Justification The research aim is to provide an insight into the security challenges in the cloud environment with focus on one of the core technologies; Virtualization. These are evaluative standards, which essentially test and certify the proper use of best-known practices. The need for cloud standards have been given as: to promote interoperability, permit open middleware, prevent vendor lock-in, and ease the transition of users to cloud-based services (Blake & Borenstein, 2011) Policy makers as well as potential cloud customers are able to use these standards to evaluate the security performance using standard metrics that provide a uniform approach to evaluation. This would give organizations a guideline to develop a secure, strong, robust, scalable and a competitive cloud computing industry. 1.8 Scope In the context of virtualization, the key security issues include identity management, data leakage (caused by multiple tenants sharing physical resources), access control, virtual machine (VM) protection, persistent client-data security, and the prevention of cross-vm side-channel attacks (Khan & Malluhi, 2010). All these areas are broad areas of study hence require a dedicated research in each category. The research will focus on data leakage in a virtualized environment and cross-vm side-channel attacks. 1.9 Limitations This research aims to develop a standard that promotes confidentiality, integrity and authenticity. This model could enable each cloud to offer a measured and standardized service. The obvious difficulty is that obtaining security data is difficult, if not impossible. It might be exacerbated in 6

17 cloud computing because of the need to provide data confidentiality which can also impact incident reporting. Another challenge is that few organizations are willing to share detailed information on mechanisms and structures they have in place to implement security in their business. Such information might be a closely guarded trade secret that few if any are willing to share freely. 7

18 Chapter 2: Literature Review 2 Literature Rev 2.1 Introduction Cloud computing as a fundamental concept has transformed existing computing technologies, including distributed services, applications, and information infrastructures consisting of pools of computers, networks, and storage resources (Hassan et al, 2010). According to US National Institute of Standards and Technology (Mell & Grance, 2011) Cloud computing is defined as: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. Figure 2-1: Cloud reference model (Cloud Security Alliance, 2009) 8

19 In order to be able to understand the fundamental concepts of the cloud and the purpose it serves, it is necessary to know its delivery and deployment models among other principal characteristics. 2.2 Cloud computing characteristics Mell & Grance, (20011) illustrates the five key characteristics of cloud computing as on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity, and measured service, all of which are geared toward using clouds seamlessly and transparently. i. On-demand self-service ensures users can order and manage services without human interaction with the service provider, using, for example, a Web portal and management interface. Provisioning and de-provisioning of services and associated resources occur automatically at the provider ii. Ubiquitous network access is because cloud services are accessed via the internet using standard mechanisms and protocols. iii. Resource pooling is derived from using a homogeneous infrastructure that s shared between all cloud users. iv. Rapid elasticity. Resources can be scaled up and down rapidly and elastically. v. Measured service is meant to bill service usage constantly, supporting optimization of resource consumption, as well as reporting to the customer (Grobauer, et.al. 2011). 2.3 Cloud delivery models Cloud computing delivery models are often roughly classified as software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). According to (Hilley, 2009) Infrastructure as a Service (IaaS) is providing general on-demand computing resources such as virtualized servers or various forms of storage (block, key/value, database, etc.) as metered resources. These additional resources such as images in a virtual-machine image-library, raw (block) and file-based storage, firewalls, load balancers and virtual local area networks (VLANs) among others. Cloud users install operating-system images; apply patches, as well as maintaining their application software on the cloud infrastructure (IBM, 2012). This could pose a security threat especially if users do not have strict security checks. 9

20 Sometimes referred to as Hardware as a Service (HaaS). This can often be seen as a direct evolution of shared hosting with added on-demand scaling via resource virtualization and usebased billing. Platform as a Service (PaaS) is providing an existent managed higher-level software infrastructure for building particular classes of applications and services. The platform includes the use of underlying computing resources, typically billed similar to IaaS products, although the infrastructure is abstracted away below the platform (Hilley, 2009) The consumer has control over the deployed applications and possibly configuration settings for the application-hosting environment (Mell & Grance, 2001). Software as a Service (SaaS) is providing specific, already-created applications as fully or partially remote services. Sometimes it is in the form of web-based applications and other times it consists of standard non-remote applications with Internet-based storage or other network interactions. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings (Mell & Grance, 2011) 2.4 Cloud deployment models Cloud deployment models include public, private, community, and hybrid clouds. Public clouds are external or publicly available cloud environments that are accessible to multiple tenants, whereas private clouds are typically tailored environments with dedicated virtualized resources for particular organizations (Hassan, et. al. 2010) a. Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises (Mell & Grance, 20011). b. Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, 10

21 managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises (Mell & Grance, 20011). c. Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider (Mell & Grance, 20011). d. Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds - NIST, 2011) 2.5 Cloud Reference Model Understanding the relationships and dependencies between Cloud Computing models is critical to understanding Cloud Computing security risks. IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS as described in the Cloud Reference Model diagram (Cloud Security Alliance, 2009). 11

22 Figure 2-2: Cloud Reference Model (Cloud Security Alliance, 2009) In this way, just as capabilities are inherited, so are information security issues and risk. It is important to note that commercial cloud providers may not neatly fit into the layered service models. Nevertheless, the reference model is important for relating real-world services to an architectural framework and understanding the resources and services requiring security analysis.iaas includes the entire infrastructure resource stack from the facilities to the hardware platforms that reside in them. It incorporates the capability to abstract resources (or not), as well as deliver physical and logical connectivity to those resources. Ultimately, IaaS provides a set of 12

23 APIs which allow management and other forms of interaction with the infrastructure by consumers. PaaS sits atop IaaS and adds an additional layer of integration with application development frameworks; middleware capabilities; and functions such as database, messaging, and queuing; which allow developers to build applications upon to the platform; and whose programming languages and tools are supported by the stack (Cloud Security Alliance, 2009). SaaS in turn is built upon the underlying IaaS and PaaS stacks; and provides a self-contained operating environment used to deliver the entire user experience including the content, its presentation, the application(s), and management capabilities. Cloud Security Alliance, (2009) states that therefore it is clear that there are significant trade-offs to each model in terms of integrated features, complexity vs. openness (extensibility), and security. Trade-offs between the three cloud deployments models include; Generally, SaaS provides the most integrated functionality built directly into the offering, with the least consumer extensibility, and a relatively high level of integrated security (at least the provider bears a responsibility for security). PaaS is intended to enable developers to build their own applications on top of the platform. As a result it tends to be more extensible than SaaS, at the expense of customer ready features. This tradeoff extends to security features and capabilities, where the built-in capabilities are less complete, but there is more flexibility to layer on additional security (Cloud Security Alliance, 2009). IaaS provides few if any application-like features, but enormous extensibility. This generally means less integrated security capabilities and functionality beyond protecting the infrastructure itself. This model requires that operating systems, applications, and content be managed and secured by the cloud consumer (Cloud Security Alliance, 2009). The key takeaway for security architecture is that the lower down the stack the cloud service provider stops, the more security capabilities and management consumers are responsible for implementing and managing themselves. 13

24 In the case of SaaS, this means that service levels, security, governance, compliance, and liability expectations of the service and provider are contractually stipulated; managed to; and enforced. In the case of PaaS or IaaS it is the responsibility of the consumer s system administrators to effectively manage the same, with some offset expected by the provider for securing the underlying platform and infrastructure components to ensure basic service availability and security. It should be clear in either case that one can assign/transfer responsibility but not necessarily accountability. Narrowing the scope or specific capabilities and functionality within each of the cloud delivery models, or employing the functional coupling of services and capabilities across them, may yield derivative classifications. For example Storage as a Service is a specific sub-offering within the IaaS family (Cloud Security Alliance, 2009). 2.6 Cloud Security There is a need for cloud environment to provide data integrity and application security in entirety. Security needs to be in built into the architecture and during implementation so as to ensure that security policies are integrated at all stages (Macias & Thomas, 2011) A lack of appropriate security and privacy solutions designed for clouds, could jeopardize the adoption and expansion of cloud computing. This is evident from surveys that indicate that prospective cloud adopters are hesitant due to security and privacy concerns (Hassan, et.al.2010) The unique architectural design of cloud gives raise to various security and privacy concerns. Data and application outsourcing which is unique to cloud computing poses a challenge of ensuring that only authorized persons have access to this data (Hassan, et.al.2010). There lacks some means to completely ensure that these third parties entrusted with customer s data do not misuse it. Extensibility and shared responsibility for security between the customer and the cloud vendor needs to be mutual. Nevertheless the sharing levels with differ for different models thus having an impact on extensibility. For example, in Saas, the vendor is largely responsible for security as they offer services with a range of integrated features. Paas on the other hand allows the customer to develop their own applications. This follows that they should be responsible for the 14

25 security of their applications. In Iaas, the customer is expected to secure the OS, the application and content hence being the most extensive delivery models (Hassan, et.al.2010). Multi-tenancy is another intrinsic feature of the cloud. This means that multiple, separate customers share same resources through partitioning of a virtual shared infrastructure. Users may be aware of this fact or even they might not as this would raise a huge concern. The pitfall would be that user s may- knowingly or unknowingly access private data belonging to others. In some instances, modification of clients unique identifier sent over a browser can result with access to the other client s data (Grimes, 2011). Therefore vendors must account for issues such as data access protection and access policies so as to provide some level of secure environment. Figure 2-3: Multi-tenancy (Cloud Security Alliance, 2009) This architectural design should be modeled to enable leveraging shared infrastructure, availability, operational efficiency, management and segmentation, economies of scale, metadata, services, and applications across many different consumers. Multi-tenancy can also take on different definitions and this would differ among different multitenant implementation. Depending upon the cloud service model of the provider e.g. IaaS and SaaS would provide the features described above but still be different (Cloud Security Alliance, 2009). 15

26 Broad authentication schemes have to be implemented in cloud computing. This is anywhere access over the internet coupled with multi-tenancy poses a great challenge. Conventional authentication services do provide access to shared resources by default which the cloud vendor would not want to do (Grimes, 2011). Initial cloud providers who turned to private authentication services were frustrated by a lack of scalability and functionality of these vendors. This meant that users had to have separate log on account for each website they visited. This was clearly not scalable hence the move to one SSO (Single Sign On) which came to be known as Web Identity 1.5 (Grimes, 2011).Discontent among users who decried the idea of a single entity managing every SSO account. This lead to a federated identity services also known as identity metasystems. Also known as Web Identity 2.0 allows a large number of identity services interoperate with a large number of websites. Common protocols such as XML, SOAP, Web service, SAML are used by this authentication services ensuring interoperability. The new Web 2.0 Identity, websites have the freedom to choose which Identity federated services to work with and accept. This allows for the flexibility of choosing an identity assurance before a user can be allowed access. A core requirement of a good identity metasystem is that users need only have a bare minimum of identity information necessary to be given access to the offered services or transaction (Grimes, 2011). Pseudo-anonymity is possible where a trusted 3 rd party knows the user s real identity and uses it to authenticate him, but deliberately chooses to provide a different identity credential that is trusted by the Web service provider. This means a user can have access to the Web services without revealing their true identity Core Cloud computing technologies Cloud computing combines heterogeneous technologies in an ingenious way to provide IT services using economies of scale (Grobauer et al, 2011). Therefore it is worth noting that there are individual core technologies that together make up the cloud. It is important to highlight each of these individual technologies and their unique characteristic that affect security in the cloud. Cloud computing is modeled based on capabilities of other several core technologies: i. Web applications and services Software as a service (SaaS) and platform as a service (PaaS) are unthinkable without Web application and Web services technologies: SaaS offerings are typically implemented as Web 16

27 applications, while PaaS offerings provide development and runtime environments for Web applications and services. For infrastructure as a service (IaaS) offerings, administrators typically implement associated services and APIs, such as the management access for customers, using Web application/service technologies (Grobauer et al, 2011). ii. Virtualization IaaS offerings These technologies have virtualization techniques at their very heart; because PaaS and SaaS services are usually built on top of a supporting IaaS infrastructure, the importance of virtualization also extends to these service models. In the future, we expect virtualization to develop from virtualized servers toward computational resources that can be used more readily for executing SaaS services (Grobauer et al, 2011). iii. Cryptography Many cloud computing security requirements are solvable only by using cryptographic techniques (Grobauer et al, 2011). Cloud customers and providers need to guard against data loss and theft. Today, encryption of personal and enterprise data is strongly recommended, and in some cases mandated by laws and regulations. Cloud customers want their providers to encrypt their data to ensure that it is protected no matter where the data is physically located. Likewise, the cloud provider needs to protect its customers sensitive data. Cloud Security Alliance, (2009) states that strong encryption with key management is one of the core mechanisms that Cloud Computing systems should use to protect data. While encryption itself doesn t necessarily prevent data loss, safe harbor provisions in laws and regulations treat lost encrypted data as not lost at all. The encryption provides resource protection while key management enables access to protected resources. Cloud environments are shared with many tenants, and service providers have privileged access to the data in those environments. Thus confidential data hosted in a cloud must be protected using a combination of access control, contractual liability and encryption (Cloud Security Alliance, 2009). 17

28 Encryption involves 3 different areas i. Encrypting data in transit over networks. There is the utmost need to encrypt multi-use credentials, such as credit card numbers, passwords, and private keys, in transit over the Internet. ii. Encrypting data at rest. Encrypting data on disk or in a live production database has value, as it can protect against a malicious cloud service provider or a malicious co-tenant as well as against some types of application abuse. iii. Encrypting data on backup media. This can protect against misuse of lost or stolen media. Ideally, the cloud service provider implements it transparently Beyond these common uses of encryption, the possibility of exotic attacks against cloud providers also warrants further exploration of means for encrypting dynamic data, including data residing in memory (Cloud Security Alliance, 2009) Core-Technology Vulnerabilities Cloud computing s core technologies Web applications and services, virtualization, and cryptography - have vulnerabilities that are either intrinsic to the technology or prevalent in the technology s state-of the-art implementations (Grobauer, et.al. 2011). These vulnerabilities that are cloud specific include insecure cryptography, virtual machine escape, session riding and hijacking. Web application security has inherent security challenge since it relies on the HTTP protocol which is a stateless protocol. This can lead to vulnerability due to session riding and session hijacking. Finally, cloud computing relies on cryptography for data confidentiality and integrity. It would be unthinkable to have cloud without the use of cryptology. On the other hand advances in computing power and better cryptanalytic algorithms, well known and secure cryptographic techniques can be rendered in effective within a very short time. This means that better techniques need to be developed with the evolution of the cloud. 18

29 2.7 Virtualization This concept was firstly introduced by IBM in the 1960s to provide concurrent, interactive access to a mainframe computer IBM 360, which supports many instances of OSes running on the same hardware platform (Rosenblum & Garfinkel, 2010). Virtualization technology supports multiple OS s running on a single hardware platform, and provides a convenient means to manage the OSes. The OS and applications running on the virtualization management platform are considered as VMs (Feng, Hai, Xiang, Deqing, Song, Min, & Zheng, 2011) Virtualization provides a new approach to solve the traditional security problems, and it also brings new security issues to computer systems (Rosenblum & Garfinkel, 2010).The security of virtualization-based cloud computing comes down to that of virtualization itself. Virtualization is taken as the underlying infrastructure of cloud computing, and it can resolve certain security problems occurring during the evolution of cloud computing. The advantages of virtualization are described as follows: i. Smaller Trusted Computing Base (TCB): The code size of Virtual Machine Monitor (VMM) is far less than that of the traditional Operating System (OS). It means that VMM has less bugs and better robustness than the traditional OSes. ii. Better Isolation: Virtualization provides better isolation than the traditional OSes. The applications in each Virtual Machine (VM) locate in a different address space on a single platform iii. End users request for various services which are deployed in the cloud by the service providers. Services are deployed into different VMs separately, which are isolated from each other by VMM. Similar to a normal file, a VM can be easily migrated from one platform to another. The states of a virtual machine, such as suspend, destroy, migrate, and so on, vary with time. iv. Delegating Management: A virtual environment provides maximum utility when users can focus on using their VMs however they please, without having to worry about managing them (Rosenblum & Garfinkel, 2010). Administrators can externally modify VMs; tasks not moved outside of the VM can still be delegated while VMs are offline. 19

30 Such as scanning, patching, configuration, etc. can be done by a service running on the virtualization layer that would periodically scan and maintain archived VMs. v. Guest OS Independence: Moving security and management components to the virtualization layer makes them independent of the structure of the guest operating system. This flexibility opens the door for the adoption of more secure and flexible operating systems as a foundation for infrastructure services. Further, because the infrastructure can now authenticate and trust components running at network end-points, it can now delegate responsibility to these end-points, thus making policies such as trustworthy network quarantine (i.e. limiting network access based on VM contents) feasible (Rosenblum & Garfinkel, 2010). A blend of virtualization technologies together form an infrastructure with a layer of abstraction between computing, storage and networking hardware, and the applications running on it. This virtual infrastructure allows for centralized management of pooled resources across the enterprise. The virtual infrastructure solutions can help the IT managers address numerous challenges such as; i. Server Aggregation and Consolidation: This minimizes the number of physical servers necessary for application deployment by instead using virtual machines (VMs) that can run safely and move transparently across shared hardware. This also reduces resource /server underutilization. ii. Test and Development Optimization pre-configured systems can be used to rapidly provision test and development servers thus facilitating developer collaboration and standardizing development environments. iii. Business Continuity Reducing the cost and complexity of business continuity (high availability and disaster recovery solutions) by encapsulating entire systems into single files that can be replicated and restored on any target server, thus minimizing downtime. iv. Enterprise Desktop Securing unmanaged PCs, workstations and laptops without compromising end user autonomy by layering a security policy in software around desktop virtual machines. 20

31 Figure 2-4: Cloud Virtualization (VMware, 2010) Virtual System Components This refers to virtual abstractions or virtual system components that may be present in many virtual environments, and provides high-level scoping guidance for each. a. Hypervisor This is the firmware responsible for hosting and managing virtual machines. The hypervisor system may also include a software component that implements and manages VM hardware abstraction. This software is called virtual machine monitor (VMM). It also provides the management function of the hypervisor. The VMM manages system resources such as memory, CPU time, processor, among other resources to allocate what each virtual machine (also known as a guest) operating system requires. It may provide this function in conjunction with hardware virtualization technology depending on the circumstances (Virtualization Special Interest Group PCI Security Standards Council, 2011). This can be further be divided into 21

32 i. Type 1 Hypervisor This type is also known as native or bare metal. Consists of a piece of software that runs directly on the hardware and is responsible for coordinating access to hardware resources as well as hosting and managing VMs. ii. Type 2 Hypervisor A Type 2 hypervisor is also known as hosted and usually runs as an application on an existing operating system. This type of hypervisor emulates the physical resources required by each VM, and is considered just another application as far as the underlying OS is concerned (Virtualization Special Interest Group PCI Security Standards Council, 2011). b. Virtual Machine A Virtual Machine (VM) is a self-contained operating environment that behaves like a separate computer. It is also known as the Guest, and runs on top of a hypervisor. Each of this VM contain and OS that manages its individual resources. Several VM s run on top of hypervisor which is responsible for managing them (Virtualization Special Interest Group PCI Security Standards Council, 2011). c. Virtual Appliance A virtual appliance simply refers to a pre-packaged software image designed to run inside a virtual machine. Each Virtual appliances is intended to deliver a specific function, and therefore will consist of basic operating system components and a single application. Physical network devices such as switches, firewalls or routers can be virtualized and run as virtual appliances. Virtual Security Appliance (VSA) is a virtual appliance that consists of a hardened operating system and a single security application. Normally this kind of VSA is assigned a higher level of trust than a normal VA hence having a privileged access to the hypervisor and other resources (Virtualization Special Interest Group PCI Security Standards Council, 2011). d. Virtual Switch or Router A virtual switch or router is a software component that provides network-level data routing and switching functionality. A virtual switch is often an integral part of a virtualized server platform for example, as a hypervisor driver, module, or plug-in. A virtual router may be implemented as a distinct virtual appliance or as a component of a physical appliance. Virtual 22

33 switches and routers may also be used to generate multiple logical network devices from a single physical platform. e. Virtual Applications and Desktops Individual applications and desktop environments can also be virtualized to provide functionality for end users. Virtual applications and desktops are typically installed at a central location and accessed remotely via a remote desktop interface. Virtual desktops can be configured to allow access via multiple device types, including thin clients and mobile devices, and may run using local or remote computing resources. Virtual applications and desktops may be present in point-of-sale, customer service, and other interactions with the payment chain (Virtualization Special Interest Group PCI Security Standards Council, 2011). 2.8 Virtualization Approaches Today, virtualization can apply to a range of system layers, including hardware-level virtualization, operating system level virtualization, and high-level language virtual machines (VMware, 2010). Hardware-level virtualization was pioneered on IBM mainframes in the 1970s, and then more recently Unix/RISC system vendors began with hardware-based partitioning capabilities before moving on to software-based partitioning (VMware, 2010) Systems architects do implement three different ways of enabling operating systems to share a virtualized environment. These include; i. Software, or full, virtualization ii. Partial virtualization or Para-virtualization iii. Hardware-assisted virtualization In all three virtualization approaches the use of hypervisor software is necessary to for resource allocation including basic machine resources such as CPU time and memory. Each has a VM that runs a guest OS and the difference comes in techniques they use to manage this individual guest OS. 23

34 i. Full Virtualization Full virtualization causes the hypervisor to trap the machine operations the OS uses to read or modify the system s status or perform input/output (I/O) operations. After it has trapped them, the hypervisor emulates these operations in software and returns status codes consistent with what the real hardware would deliver (Clark, 2007). Unix/RISC and industry-standard x86 systems, have adopted either hosted or hypervisor architectures approach for the software-based partitioning. A hosted approach provides partitioning services on top of a standard operating system and supports the broadest range of hardware configurations. On the other hand, hypervisor architecture (often referred to as a bare metal approach) is the first layer of software installed on a clean x86-based system. Since it has direct access to the hardware resources, a hypervisor is more efficient than hosted architectures, enabling greater scalability, robustness and performance (VMware, 2010) Figure 2-5: Full Virtualization (Smyth, 2012) Advantages of this approach: It is not visible to the guest OS, hence requires no changes to the guest OS or the applications running under that guest. Other advantages include the ability to run applications without making permanent registry, the ability to test new applications in an isolated environment as well as ability to install applications that would otherwise conflict with each other (by using multiple virtual layers). 24

35 The drawback of this type of virtualization is that instruction trapping and emulation may reduce overall system performance significantly in I/O intensive environments. All system operations have to pass through a layer of translation and emulation that the virtualization software creates. Reduced performance is felt under high workload due to the time it takes for processes to be executed. Example includes EMC s VMware ESX which provides a virtual environment for x86 processors (Clark, 2007). ii. Para-virtualization Para-virtualization (sometimes known as partial virtualization) eliminates much of the trappingand-emulation overhead associated with software implemented virtualization. Para-virtualization requires that the guest OS cooperates in creating the virtual environment (Clark, 2007). In other words, the operating system compatibility is traded off against performance for certain CPU-bound applications running on systems without virtualization hardware assisted. This model has potential performance improvements since a guest operating system or application is aware that it is running within a virtualized environment, since it has been modified to exploit this is faster than other forms of virtualization (VMware, 2010). Figure 2-6: Para virtualization (Microsoft, 2009) 25

36 The drawback is that it requires the use of a specially modified guest OS that understands the techniques used hence can give itself to maintain the virtualization illusion (Clark, 2007). In essence this means Para-virtualization approach precludes the ability to run off-the-shelf and legacy operating software in Para-virtual environments. Para-virtualization leverages a hypervisor for the underlying technology hence this approach requires extensive changes to an operating system kernel so that it can coexist with the hypervisor. Example includes Xen, an open-source community s approach to virtualization that was originally developed using Para-virtualization (VMware, 2010). iii. Hardware-Assisted Virtualization Hardware-assisted virtualization relies on hardware extensions to the x86 system architecture to eliminate much of the hypervisor overhead associated with trapping and emulating I/O operations and status instructions executed within a guest OS. AMD Virtualization (AMD-V) is the collective name for AMD s hardware-based virtualization features. Advances in technology have seen the introduction of Quad-Core AMD Opteron processor. With this, the AMD-V receives an enhancement called Rapid Virtualization Indexing. Rapid Virtualization Indexing provides the Virtualized Page Tables and guest TLB functionality. This is expected to provide a significant performance advantage for many virtualized workloads using Quad-Core AMD Opteron processors. Key hypervisor suppliers (Microsoft, VMware, Virtual Iron, and XenSource) all support elements of AMD-V in their software (Clark, 2007). Enabling CPU extensions greatly enhance and provide solutions to the virtualization problems presented by x86-based processors, though some workloads put a lot of pressure on the hypervisor to do to finesse I/O operations, thus adding overhead to each I/O call. A solution currently in development creates a virtual mapping of I/O devices. This will require changes to the chipsets and I/O bridges that link system processors to I/O buses such as PCI Express. AMD has issued specifications for chipset extensions consistent with its processors architecture. Clark, (2007) states that the advantage of this approach is that the AMD Opteron processor with AMD-V has helped mature virtualization for x86 processors. This has made organizations extensively use virtualization in their production environments. Advancements to processor and 26

37 chipset extensions (and the software that supports them) continues, and promises to yield enhanced virtualization technology that rings in an era of unprecedented agility in IT operations with little incremental software overhead Security Concern in virtualization Though virtualization provides a myriad of benefits as highlighted above, it also has the downside. First, virtualized networks offer insufficient network-based controls. Given the nature of cloud services, the administrative access to IaaS network infrastructure and the ability to tailor network infrastructure are typically limited; hence, standard controls such as IP-based network zoning can t be applied (Grobauer et al, 2011). Also, standard techniques such as network-based vulnerability scanning are usually forbidden by IaaS providers because, for example, friendly scans can t be distinguished from attacker activity. Finally, technologies such as virtualization mean that network traffic occurs on both real and virtual networks, such as when two virtual machine environments (VMEs) hosted on the same server communicate. Such issues constitute a control challenge because tried and tested networklevel security controls might not work in a given cloud environment (Grobauer et al, 2011). The second challenge is in poor key management procedures. As noted in a recent European Network and Information Security Agency study, cloud computing infrastructures require management and storage of many different kinds of keys. Because virtual machines don t have a fixed hardware infrastructure and cloud-based content is often geographically distributed, it s more difficult to apply standard controls such as hardware security module (HSM) storage to keys on cloud infrastructures(grobauer et al, 2011). The virtual machine escape vulnerability is intrinsic to the core virtualization technology, but it can also be seen as having its root cause in the essential characteristic of resource pooling: whenever resources are pooled, unauthorized access across resources becomes an issue. Hence, for PaaS, where the technology to separate different tenants (and tenant services) isn t necessarily based on virtualization (although that is increasingly true), cross-tenant access vulnerabilities play an important role as well. Similarly, cloud storage is prone to cross-tenant storage access, and cloud communication in the form of virtual networking (Grobauer et al, 2011). 27

38 2.9 Prototype evaluative standards for security in virtualization Cloud Security Reference Model The cloud security reference model addresses the relationships of these classes and places them in context with their relevant security controls and concerns. For organizations and individuals grappling with cloud computing for the first time, it is important to note the following to avoid potential pitfalls and confusion (Cloud Security Alliance, 2009). i. The notion of how cloud services are deployed is often used interchangeably with where they are provided, which can lead to confusion. For example, public or private clouds may be described as external or internal clouds, which may or may not be accurate in all situations. ii. iii. The manner in which cloud services are consumed is often described relative to the location of an organization s management or security perimeter (usually defined by the presence of a firewall). While it is important to understand where security boundaries lie in terms of cloud computing, the notion of a well-demarcated perimeter is an anachronistic concept. The re-perimeterization and the erosion of trust boundaries already happening in the enterprise is amplified and accelerated by cloud computing. Ubiquitous connectivity, the amorphous nature of information interchange, and the ineffectiveness of traditional static security controls which cannot deal with the dynamic nature of cloud services, all require new thinking with regard to cloud computing. The deployment and consumption modalities of cloud should be thought of not only within the context of internal vs. external as they relate to the physical location of assets, resources, and information; but also by whom they are being consumed by; and who is responsible for their governance, security, and compliance with policies and standards. This is not to suggest that the on-premise or off-premise location of an asset, a resource, or information does not affect the security and risk posture of an organization because they do but to underscore that risk also depends upon (Cloud Security Alliance, 2009). i. The types of assets, resources, and information being managed. 28

39 ii. iii. iv. Who manages them and how. Which controls are selected and how they are integrated. Compliance issues Figure 2-7: Security Model (Cloud Security Alliance, 2009) Cloud Cube Model The Cloud Cube Model illustrates the many permutations available in cloud offerings today and presents four criteria/dimensions in order to differentiate cloud formations from one another and the manner of their provision, in order to understand how cloud computing affects the way in which security might be approached. 29

40 Figure 2-8: The Cloud Cube Model (Cloud Security Alliance, 2009) The Cloud Cube Model also highlights the challenges of understanding and mapping cloud models to control frameworks and standards such as ISO/IEC 27002, which provides...a series of guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization (Cloud Security Alliance, 2009). The ISO/IEC 27002, section 6.2, External Parties control objective states: the security of the organization s information and information processing facilities should not be reduced by the introduction of external party products or services As such, the differences in methods and responsibility for securing the three cloud service models mean that consumers of cloud services are faced with a challenging endeavor. Unless cloud providers can readily disclose their security controls and the extent to which they are implemented to the consumer and the consumer knows which controls are needed to maintain the security of their information, there is tremendous potential for misguided decisions and detrimental outcomes. This is critical since one classifies a cloud service against the cloud architecture model. Then it is possible to map its security architecture; as well as business, regulatory, and other compliance requirements; against it as a gap-analysis exercise. The result determines the general security posture of a service and how it relates to an asset s assurance and protection requirements (Cloud Security Alliance, 2009). 30

41 The figure 2-9, shows an example of how a cloud service mapping can be compared against a catalogue of compensating controls to determine which controls exist and which do not as provided by the consumer, the cloud service provider, or a third party. This can in turn be compared to a compliance framework or set of requirements such as PCI DSS, as shown. Figure 2-9: Mapping the Cloud Model to the Security Control & Compliance Model (Cloud Security Alliance, 2009) Once this gap analysis is complete, per the requirements of any regulatory or other compliance mandates, it becomes much easier to determine what needs to be done in order to feed back into a risk assessment framework; this, in turn, helps to determine how the gaps and ultimately risk should be addressed: accepted, transferred, or mitigated (Cloud Security Alliance, 2009). It is important to note that the use of cloud computing as an operational model does not inherently provide for or prevent achieving compliance. The ability to comply with any requirement is a direct result of the service and deployment model utilized and the design, deployment, and management of the resources in scope. 31

42 2.9.3 ISO/IEC Its full name is ISO/IEC 27002:2005 Information technology Security techniques Code of practice for information security management is a standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)(ISO27k, 2012). ISO/IEC 27002:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. The domains covered by ISO include; i. Security policy ii. Organization of information security iii. Asset management iv. Human resources security v. Physical and environmental security vi. Communications and operations management vii. Access control viii. Information systems acquisition, development and maintenance ix. Information security incident management x. Business continuity management xi. Regulatory compliance As explained (ISO27k, 2012), ISO provides general rules, which cannot be translated to match reality at work, in real life. However the diagram and outline in figure 2-9 gives one a reasonable idea of the overall process and the key documents that are required or produced. This means the standard implementation detail vary in each organization. Therefore the shortcoming of this standard is that for each of the controls, implementation guidance is provided. Specific controls are not mandated since: 32

43 a. Each organization is expected to undertake a structured information security risk assessment process to determine its specific requirements before selecting controls that are appropriate to its particular circumstances. These controls are generic since the standards are also open-ended. This means that the information security controls are advisory, leaving the door open for users to adopt alternative controls. b. It is practically impossible to list all conceivable controls in a general purpose standard Beyond Architecture: The Areas of Critical Focus The twelve other domains which comprise the remainder of the CSA guidance highlight areas of concern for cloud computing and are tuned to address both the strategic and tactical security pain points within a cloud environment, and can be applied to any combination of cloud service and deployment model. The domains are divided into two broad categories: governance and operations. The governance domains are broad and address strategic and policy issues within a cloud computing environment, while the operational domains focus on more tactical security concerns and implementation within the architecture. i. Governance Domains Domain Guidance dealing with... Governance and Enterprise Risk Management The ability of an organization to govern and measure enterprise risk introduced by Cloud Computing. Items such as legal precedence for agreement breaches, ability of user organizations to adequately assess risk of a cloud provider, responsibility to protect sensitive data when both user and provider maybe at fault, and how international boundaries may affect these issues, are some of the items discussed. Legal and Electronic Discovery Potential legal issues when using Cloud Computing. Issues touched on in this section 33

44 Compliance and Audit Information Lifecycle Management Portability and Interoperability include protection requirements for information and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements, international laws, etc. Maintaining and proving compliance when using Cloud Computing. Issues dealing with evaluating how Cloud Computing affects compliance with internal security policies, as well as various compliance requirements (Regulatory, legislative, and otherwise) are discussed here. This domain includes some direction on proving compliance during an audit. Managing data that is placed in the cloud. Items surrounding the identification and control of data in the cloud, as well as compensating controls which can be used to deal with the loss of physical control when moving data to the cloud, are discussed here. Other items, such as who is responsible for data confidentiality, integrity, and availability are mentioned. The ability to move data/services from one provider to another, or bring it entirely back inhouse. Issues surrounding interoperability between providers are also discussed Table 2-1 : Government (Cloud Security Alliance, 2009) ii. Operational Domains 34

45 Traditional Security, Business Continuity and Disaster Recovery How Cloud Computing affects the operational processes and procedures currently use to implement security, business continuity, and disaster recovery. The focus is to discuss and examine possible risks of Cloud Computing, in hopes of increasing dialogue and debate on the overwhelming demand for better enterprise risk management models. Further, the section touches on helping people to identify where Cloud Computing may assist in diminishing certain security risks or entails increases in other areas. Data Center Operations Incident Response, Notification and Remediation How to evaluate a provider s data center architecture and operations. This is primarily focused on helping users identify common data center characteristics that could be detrimental to on-going services, as well as characteristics that are fundamental to long-term stability Proper and adequate incident detection, response, notification, and remediation. This attempts to address items that should be in place at both provider and user levels to enable proper incident handling and forensics. This domain will help you understand the complexities the cloud brings to your current incident handling program. Application Security Securing application software that is running on or being developed in the cloud. This includes items such as whether it s appropriate 35

46 to migrate or design an application to run in the cloud, and if so, what type of cloud platform is most appropriate (SaaS, PaaS, or IaaS). Some specific security issues related to the cloud are also discussed. Encryption and Key Management Identifying proper encryption usage and scalable key management. This section is not prescriptive, but is more informational is discussing why they are needed and identifying issues that arise in use, both for protecting access to resources as well as for protecting data. Identity and Access Management Virtualization Managing identities and leveraging directory services to provide access control. The focus is on issues encountered when extending an organization s identity into the cloud. This section provides insight into assessing an organization s readiness to conduct cloudbased Identity and Access Management (IAM). The use of virtualization technology in Cloud Computing. The domain addresses items such as risks associated with multi-tenancy, VM isolation, VM co-residence, hypervisor vulnerabilities, etc. This domain focuses on the security issues surrounding system/hardware virtualization, rather than a more general survey of all forms of virtualization. Table 2-2: Operational Domain (Cloud Security Alliance, 2009) 36

47 2.11 The Future of Cloud Computing Cloud computing being a relatively new concept continues to evolve and find acceptance among both existing and start-ups businesses. Even at this juncture, we have big customers who are looking forward to rip the benefits underlying the cloud for efficiency and ROI. The cloud is an enabler of real time data processing and interaction. Location independence and company-wide availability of data is guaranteed in an instant with little or no downtime (ExforsysInc, 2009). There is a striking similarity between the cloud and grid computing since they both focus on providing online and real-time service to the client. The only difference is that grid is focused on the server capabilities of the application. The future of cloud computing should be highly considered by businesses in any industry. The possibility of full adaptation of cloud computing by almost any industry is slowly starting to happen. If a business will not consider their future in cloud computing, the challenges as well as the advantages of cloud computing may not be addressed and fully harnessed Level of Competition in Cloud Computing Industry Competition is always good for advancement as best services as well as the most competitive prices are realized. Amazon, Google, Sun Microsystems and SalesForce.com are some of the highly recognized cloud computing giants and each is aggressively promoting their services so as to become the industry leader (ExforsysInc, 2009). This might soon kill competition because not every company can afford to spend millions of dollars on cloud infrastructure especially small companies who provide personalized services for cloud computing. This calls for need for standardization to have a level playing field Standardization of Services According to ExforsysInc (2009), unhealthy competition in the industry is due to the lack of standardization. Some companies do offer platform based services such as Ajax or Ruby on Rails, whereas other companies are offering proprietary functionalities to server business needs. This difference in implementation at the application level reduces the flexibility of enterprises leveling them without many options. Things such as data migration could be a nightmare for the enterprise if they opt to transfer from one provider that offer proprietary functions to platform 37

48 based functions. It might end up taking a huge chunk of resources both human and technical plus several days or even months to ensure successful migration to a new provider (ExforsysInc, 2009) Security The number one concern of any businesses in dealing with cloud computing today is security. Unfortunately, security will continue to be the number one concern of the enterprise in the future. If an industry giant becomes the sole leader in this type of industry, the security as well as the privacy of users as well as businesses is a lot less. Hacks on the system will continue to be there as well. The attack that users experience today will also evolve to adapt to different types of security measures. Since the cloud will always be online, the possibility of attack will always be there. The future of cloud computing has its ups and downs. From the possibility of monopoly to security problem, businesses and industry giants have to be ready for these changes to ensure success of cloud computing (ExforsysInc, 2009). 38

49 Chapter 3: RESEARCH METHODOLOGY 3 RESEARCH METHODOLOGY 3.1 Introduction Grobauer (2011), remarks that currently there are no standardized cloud-specific security metrics that cloud customers can use to monitor the security status of their cloud resources. This makes controls for security assessment, audit, and accountability more difficult and even impossible to employ if standard security metrics are not developed and implemented. Therefore this research will make an attempt to identify security standards that can be used at the virtualization level of cloud computing. This chapter discusses techniques for designing research, formulating questions and developing questionnaires, conducting the field work, and disseminating the findings. The primary objective is to analyze and learn from the experiences of prior researchers and to synthesize the research methods that this research finds to be effective. 3.2 Research Design The review of literature produces a reoccurring theme emphasizing the need to develop standards that address privacy and trust concerns in the cloud. Therefore this study will develop and implement both cloud vendors survey and a cloud user s assessment. The purpose of the vendor survey is to determine the approach and mechanisms they have put in place to secure customer data. This phase of the study examined the data collected for similarity in trends and differences between the independent variables of security, compliance, and virtualization. The purpose of the cloud users assessment is to evaluate their perception towards cloud computing and to determine what they feel would adequately address their security concerns. Data collection and analysis will assist in determining if the security issues related to virtualization in cloud computing can be exhaustively tackled, resulting in proposing of standards that would capture this. 39

50 The research design is a descriptive qualitative study. The objectives of the research are achieved in number of ways. Comparative summary tables are used to summarize steps taken by different companies to tackle security at virtualization level within their respective cloud environments. Qualitative and quantitative data is collected for analysis. Research will aim to develop virtualization specific cloud security standards that can be used to enforce security and privacy concerns. This methodology will deepen the understanding of what happens when it comes to implementation of different virtualization approaches in the cloud. Therefore the intention is to go beyond the numbers and the statistics that would be done in a quantitative research. This research study will draw data from multiple sources that are both primary and secondary data sources. Primary sources are the first hand evidence collected through questionnaires, depth interview, or focus group interviews. On the other hand secondary data is gathered from published sources and other materials written by other researchers. This divergent source allows evidence to be verified and avoids missing data. 3.3 Population and sampling The target populations are users of the cloud as well as the cloud vendors. Since the target population could be large pool of people samples would be taken that would be representative of the larger population. There are approximately 15 companies in Kenya that deal in Cloud computing and cloud related services. These companies offer their services to both local and regional clientele. This represents about 8% of users in the country. The sample would be chosen in an appropriate way so that as to obtain later conclusions for the whole population. This means to get a reasonable conclusion from the population, there is need to ensure a right choice of samples (Mathews, 2010) Calculating the Sample Size Population sampling is the process of taking a subset of subjects that is representative of the entire population (Mathews, 2010). Therefore what matters during population sampling is not set percentage that is accurate for every population but the actual number or size of the sample (Israel, 1992). 40

51 3.3.2 Steps in Selecting a Sample-Size An appropriate sample size is based on a number of accuracy factors that you must consider. Together they comprise a five step process: a. Determine Goals b. Determine desired Precision of results c. Determine Confidence level d. Estimate the degree of Variability e. Estimate the Response Rate Figure 3-1: Formula for Calculating a Sample for Proportions ((Mathews, 2010) Description n = required sample size Z = confidence level (confidence coefficient) of the normal distribution curve and cuts off an area of 0.05 at the tails p = is the estimated proportion of an attribute that is present in the population. q = is 1-p e = is the desired level of precision (margin of error), From the formulae in figure 3-1, the population sample would be as follows; n = required sample size Z= with a confidence level of 95% (the standard/desired value for z is 1.960) p= estimated propotion is 8% representation (0.08) 41

52 e = margin of error at 5% (standard value of 0.05) This would result in; n = z 2 X p(1-p) E 2 n= 1.96 x 1.96 x 0.08 (1-0.08) (0.05) 2 n = x 0.08(0.92) Sample Size (n) = Data Collection Methods Data collection is simply how information is gathered. There are various methods of data collection such as interviews, observation, survey and focus groups. The main purpose of a survey is to estimate, with significant precision, the percentage of population that has a specific attribute by collecting data from a small portion of the total population (Dillman, 2000; Wallen & Fraenkel, 2001).Two instruments are used for data collection in this research study. A survey is conducted on cloud vendors and cloud customers using questionnaires that are administered in written form or online. Surveys have proved to have advantages especially when the goal of research is to obtain quantitative data on a certain population. The strengths of surveys include their accuracy, generalize-ability, and convenience, and therefore the results can be generalized to a larger population within known error limits (Cox, 1996). A survey research design is applied to investigate the research questions. The response data is used for analysis and results obtained are used to draw conclusions that meet the research objectives. The methods for data collection are; 42

53 3.4.1 Questionnaire This is a good means of collecting data using by conducting a survey is through an online questionnaire. The questionnaire will have formats of both structured and unstructured (Eiselen & Uys, 2005). The Internet is useful for giving this survey a geographic reach. The advantages of this methodology is that other than giving a good comparative analysis for various business environments it is cost effective, smaller margin of error since participants enter their responses directly into the system, data can as well be made instantly available and can easily be transferred into specialized statistical software or spreadsheets among other benefits (Joel and Anil, 2005). 3.5 Data Analysis Data analysis usually involves reducing accumulated data to a manageable size, developing summaries, looking for patterns, and applying statistical techniques (James, 2006). Responses to the survey are recorded, exported in a spreadsheet, and transferred to a statistical software package for in-depth analysis. Descriptive statistics which provide simple summaries about the sample and the measures is calculated and data relationships between variables analyzed. The following steps are used in data analysis; a. Coding open-ended data This will involve reading through all the collected data, and making notes of associations or ideas that occur. This will involve assigning variables or other symbols to answers so that responses can be put into a limited number of categories. b. Organizing the information for analysis Organize the data into similar categories (e.g. responses to particular questions; or categories of informants, such as organization representatives, cloud vendors customers, and CIO s interview report). c. Frequency analysis Attempt to identify patterns or associations and causal relationships in the themes (e.g. responses from people in the same industry, from the same skill level or even those who subscribe to the same cloud service. The research will use a statistical software program, SPSS (Statistical Package for Social Sciences) for an in-depth data analyses. 43

54 d. Cross tabulations. Results from the questionnaires are matched to these results to try and find if there exists any links. How do the results speak to or explain each other? What conclusions can be reached that is not obvious at first glance? In this research a methodical approach is used to explain any assumptions if there are any. 3.6 Research Quality The research is carried out based on accepted research practices. Surveys are conducted in an unbiased, way for them to have credibility. Virtualization standards are key in addressing privacy concerns and determining the cloud customer s willingness to trust vendors. Therefore the quality of this research in terms of accuracy should be paramount. Criteria for Rating Quality of Research i. Reliability of Measures Outcome measures should have acceptable reliability to be interpretable. "Acceptable" here means reliability at a level that is conventionally accepted by experts in the field. 0 = Absence of evidence of reliability or evidence that some relevant types of reliability (e.g., test-retest) did not reach acceptable levels. 2 = All relevant types of reliability have been documented to be at acceptable levels in studies by the applicant. ii. Validity of Measures Outcome measures should have acceptable validity to be interpretable. "Acceptable" here means validity at a level that is conventionally accepted by experts in the field. 0 = Absence of evidence of measure validity, or some evidence that the measure is not valid. 2 = Measure has face validity; absence of evidence that measure is not valid Participant confidentiality All individuals participating will have a right to privacy. A guarantee of confidentiality is given, to the participants. Participant s confidentiality is protected in the following ways. 44

55 i. Research personnel should not use or discuss respondent-identifiable data or information for other than legitimate internal research purposes. ii. Restricting access to participant identification. iii. Obtaining signed nondisclosure documents only researchers who have signed nondisclosure forms should be allowed access to the data Nondisclosure of data subsets. iv. Participants to be informed of their right to refuse to answer any questions or participate in the study. Other measure in place to protect confidentiality a. Interview response sheets should be inaccessible to everyone except the editors and data entry personnel. b. Data collection instruments may be destroyed once data is recorded Ethical Standards This research design would include safeguards against causing mental or physical harm to participants. Data integrity would be the first priority hence is highly valued. Ethical issues in this research reflect important moral concerns about the practice of responsible behavior in society. In situations where the research will need to balance the rights of its interviewees against the scientific dictates of the chosen method then it is my responsibility to guard the welfare of the participants. This will extend to organizations, to their clients, their colleagues, and themselves. Careful considerations are given to those research situations in which there is a possibility for psychological harm, invasion of privacy, and/or loss of dignity. 45

56 4 PRESENTATION OF RESEARCH FINDINGS This chapter gives a presentation of the research findings based on the data collected. It provides a description of the survey undertaken, detailing the survey structure, respondents profile, their role in the organization, and results of the survey. A complete sample of the survey questions is provided in appendix A. After data collection, an analysis of the results was done on the questions leading to the development of the evaluative standard. This chapter concludes by highlighting the key findings from the survey. The sample population was 113 respondents as illustrated in chapter 3.3. This sample population targeted cloud users such as business managers e.g. CEO, CFO, and cloud vendors such as information technology managers and engineers such as CTO and CIO. Cloud users were preferable since they were the frequent users of the cloud and their perception and feelings greatly influence the general acceptance of the cloud. On the other hand, information technology managers and engineers were chosen due to their good understanding of the technology and standards. The survey was conducted and received 54 out of the targeted 113 respondents. The online survey was both effective and convenient in terms of access to respondents. It was effective as it broadened the accessibility and reach of respondents. The questionnaire was designed and posted the online by use of an online survey tool provided by Google survey. The link can is https://docs.google.com/spreadsheet/viewform?from =true&formkey=ddkzythsnkptutd YR25NOHB1a3gzWFE6MQ. 4.1 Survey Results Analysis The questionnaire was structured in sections where each section was designed to answer the research questions. The questionnaire was designed in such a way that most of the critical questions where mandatory to avoid incomplete answers. 46

57 The questionnaire was divided into 4 sections as follows; A. BIO-DATA ANALYSIS The research found it necessary to get background information on the respondents especially with regard to their careers and organization of work. This was relevant since it would provide the research with information on the diversity of the respondents. Respondents by industry sector Respondents were asked to indicate the nature of the industry they were working for. The results obtained were as follows: Information Technology (Technical consultants/system integrator) 69%, Manufacturing (Consultant) 4%, Financial and Insurance Sector (Bankers and Accountants) 7%, Education (Students) 28%, Legal Sector 0%, Health Sector 0%, and other sectors 4%. The diversity of respondents shows the level of reliability of the results and thus provides for good inputs for the design of evaluative standard. Respondents by role in organization The survey further sought to establish the role played by the respondents in their respective industry, the results are as follows: Administrators 13%, Accountants 2%, Management 4%, IT role 65%, Student 20% and Others 9%. These results show that majority of respondents are personnel who are in positions of influence in their respective organizations. This is because IT had the highest percentage at 65%. The cross section of respondents from different industry increases the reliability of the results. A wide spread variety of respondents from different industries removes bias to the survey results output needed in terms of IT resources, and have positions of influencing the final decisions. 47

58 B. VIRTUALIZATION APPROACH IN CLOUD COMPUTING The research sought to find out the virtualization approaches in use within the organizations. The results were; Organizations using Cloud computing Respondents were asked about their familiarity in terms of cloud utilization. Cloud utilization percentage from the survey results showed that 76% are using the service. This includes all forms of cloud computing such as Platform as a Service (Paas), Software as a Service (Saas) and Infrastructure as a Service (Iaas). B1: Does your organization use cloud computing? 24% YES 41 NO 13 76% Figure 4-1: Cloud utilization survey results 24% of those organizations that did not use cloud service gave varying response with most users attributing it to lack of either infrastructure or policy necessary for their companies to move to the cloud. Other reasons expressed were that their organizations had existing infrastructure and systems in place andtherefore they did not see the importance of moving to the cloud. Some organizations expressed a lack of policy and expertise necessary to handle cloud environment. Finally others were concerned at the cost implications and the nature of their business not necessitating migration to the cloud. 48

59 Layer of the cloud most preferred From the literature review in chapter 2, we see that there are 3 different models for delivery of cloud services, namely Software as a service (Saas), Platform as a service (Paas) and Infrastructure as a service (Iaas). A review of the cloud reference model, chapter 2.5 highlights the interdependency between the models and the inherent cloud computing security risks associated with these models. From the survey, we find that a majority of cloud users, 48% would prefer to have the Platform as a service model (Paas). Both Software and Infrastructure as a service tied at 41 %, while only 26% preferred to have security as a service hosted on the cloud. The results are shown in the table below. Table 4-1: Preferred cloud model Response Cloud model count Percentage Individual software packages (SaaS) 22 41% Complete operating system and software package available via cloud services (PaaS) 26 46% Raw computing power, storage and network bandwidth and storage etc. (Iaas) 22 41% Security services in the cloud 14 26% Other 0 0% From the results, it is apparent that majority of cloud users would prefer Infrastructure as a service. In chapter 2.3, Iaas is a sensitive layer since the cloud user interacts with the infrastructure at a lower layer. Enforcing security is left to the customer e.g. applying patches and therefore this justifies why we need proper evaluative standards. It is at this layer that virtualization is enforced and therefore it justifies the need to have proper standards that will protect the majority from inherent security risks associated with this layer. Key drivers for adoption Respondents were asked to give reasons for adopting of cloud computing. The varying responses were received. The respondents revealed that majority of organizations were attracted by, the need for flexible IT resources was important with 74%, followed by avoiding capital expenditure on hardware, software and IT support at 63%. Increasing of computing capacity together with 49

60 Business continuity and disaster recovery tied at54%. Resource diversification and Global optimization of IT infrastructure each ranked at 35% and other reason which included controlling marginal profits and assessing the feasibility and profitability ranked lower. Figure 4.2 below shows the summary of the results. From the results it is evident that opinion for adoption scalability and resource optimization to cost cutting % 63% 74% 54% 35% 35% 54% 11% 33% 19% 2% B4: What are the reasons behind your possible engagement in the Cloud Computing area? Figure 4-2: Reason for engaging in cloud computing Virtualization Approaches The respondents were asked the approach used in virtualization at their organizations. From the survey conducted 48% of the respondents would prefer to have software virtualization compared to 41% who would prefer the hardware based form of virtualization. The results are summarized in the figure

61 B5: What type of virtualization approach do you use in your organization? Software Virtualization Para-virtualization Hardware virtualization 41% 48% 11% Figure 4-3: Virtualization Approach Software virtualization is the most preferable as earlier review of the literature indicates. This is because it is not visible to the guest OS, hence requires no changes to the guest OS or the applications running under that guest. This enables most applications that need to be run in test environment without conflicting with existing applications. Threats specific to Virtual machine environment Respondents were asked about specific threats that were of concern to them in their virtual machine environment. The response is summarized in the table 4.2. The response was rated from Not Important to Showstopper. Showstopper in this case was used to imply something of very great concern. Table 4-2: Threats specific to the Virtual environments Not Medium Very Showstopper HighestResponse Factors Contents of VMs and the applications they host are at high risk from inappropriate access. Important Importance Important Count percentage % Availability of services and/or data % 51

62 Contents of VMs and the % applications they host are at high risk from insecure Application Programming Interfaces Shared Technology Vulnerabilities % Lack of liability of providers in % case of security incidents Inconsistency between trans % national laws and regulations Data Loss/Leakage % Malicious Insiders % Cost and difficulty of migration to % the cloud (legacy software etc.) Intra-clouds (vendor lock-in) % migration Account, Service & Traffic % Hijacking The results indicate 54% of respondents who participated in the survey consider availability of services to be very important. The second threat would be malicious insiders at 52%. Inconsistency between trans-national laws and regulations is of the least importance at 35%. Measures to address specific threats in a virtualized environment Respondents were asked to indicate what measures they have in place to address threats affecting their virtual environments. This give some insight to the third research question mentioned in the previous chapters. Table 4-3: Addressing threats in a virtualized environment Measures 52 Response count Percentage count Application Layer security such as software-based firewalls and running them as agents on each VM 38 75%

63 Third-party security controls for virtualized environments 19 37% Create a list of what are appropriate and warranted applications and services to be run on that VM % Measures to help protect data. E.g. 3rd party assessment and validation, compliance to certain and well known standards % An appropriate access control policy ensures that new VMs cloned from existing types, inherit the appropriate security settings % Other 1 2% The results are summarized in the table 4-3. The results shows that 75% of cloud users have in place Application layer security used to protect the virtual machine from existing threats. This shows that application layer security might be more effective and most reliable when it comes to enforcing security given the complex nature of cloud security due to its unique architectural design as reviewed in chapter % of respondents use measures such as 3 rd party assessment and compliance to certain well known standards some of which have been highlighted in chapter 2.9 C. EVALUATION OF EXISTING STANDARDS Respondents were asked to state if any existing standards are in place to protect end-user data. The analysis of the response would show how trends based on the practice of the service providers. Table 4-4: Evaluation of existing standards Options True False 1. Do you create new VMs using standardized 63% 37% templates 2. Do you create new VMs by cloning existing ones 59% 41% 3. Monitor and Protect the Hypervisor 72% 28% 4. Layer Defenses from within the Hypervisor 59% 41% 5. Enforce Access Control Per VM 85% 15% 6. A white list that shows warranted applications that 56% 44% are allowed to run on the VM 7. Log aggregation and analysis 65% 35% 8. Enforce access control via physical firewalls/routers 53 91% 9%

64 9. Do you use encryption to secure data in transit or 65% 35% storage? 10. Do you have shared accounts? 54% 46% 11. Do you support multi-tenancy Virtual 52% 48% environment 12. Do you have an effective segmentation and 56% 44% isolation of tenants and their assets within the multi-tenant environment 13. Other (please specify) 0% 0% At 91%, an overwhelming majority of the respondents still rely on the traditional access control methods such as using of firewall among other physical security devices to control access. These network-based controls proved insufficient for a virtualized environments as highlighted in chapter 2.8.1, and therefore there is need to create awareness through enhanced evaluate standard. Table 4.4 brings to the front a bad trend where 56% of respondents acknowledge creation of new VM s by cloning existing ones. This can pose a serious threat because a compromised VM environment can lead to compromise of the entire infrastructure in a multi-tenancy environment as illustrated in chapter 2.6. Use of shared accounts as indicated by 56% of the respondents, shows bad practice that could lead to compromise of the system and make it difficult to trace logs. Rating threats to a virtualized environment The research wanted to find out from the respondents threats prevalent to their VM. The interest was in the operational domain especially technical aspects discussed in chapter Feedback is summarized in table 4.5. Respondents were asked to rate the importance of these threatson a scale of 1 to 4 with 1="Neutral ", 2="Little threat, 3="Medium threat ", 4="Great Threat ") Table 4-5: Vulnerabilities in VM Threat Highest Response (percentage) 54

65 1. Malware infection spreading from % one VM to another VM 2. Virtual machine-based Rootkit % 3. Undetectable viruses % 4. VM hopping - in which an % attacker hacks a VM using some standard method and then exploiting some hypervisor vulnerability 5. Management of administrator % passwords 6. Migration of VMs % 7. Patch management % Management of administrator s passwords seems to be a great threat at 37%. These include human lapses and bad practice such as sharing of passwords or even worse still sharing of user accounts. A further 35% percent of respondents attribute malware infection as being a threat to operation of their virtual environment. This goes to show that customer s data might be exposed to attack and therefore measures necessary have to be taken to prevent this trend. D. DEVELOP EVALUATIVE STANDARDS Finally the research wanted to get answers from the same respondents on what they think would be able to assist overcome the shortcomings they have experienced in their virtual environments. Therefore respondents by giving their view on what they think best secures their data would help this research come up with an agreed upon standard. Since the information is from the consumers, this would reinforce user acceptance of the cloud. Addressing problems in virtual environment The research compiled a summary of possible security challenges and desired solutions likely to exist in a virtual environment. Respondents were asked to rate the solutions with a view to find out what was deemed significant and what was trivial. The response was given is summarized in the table below. 55

66 Table 4-6: Addressing threats in a Virtual Environment Options Not Important Medium Importance Very Important Highest Response 1. Create new VMs using % standardized templates 2. Proactive monitoring and protect % the Hypervisor to detect unauthorized activity. 3. Harden the hypervisor by % disabling unnecessary functions 4. Layer Defenses at the Network, % storage, compute and Application layer of the VM 5. Enforce Access Control Per VM % 6. A white list that shows % warranted applications that are allowed to run on the VM 7. Log aggregation and analysis % % 8. Enforce access control via physical firewalls/routers 9. Disable shared accounts and encourage separation of duties 10. Ensure that antivirus, intrusion detection, and other protection are enabled for every VM. 11. Have a standard procedure for granting emergency account access 12. All activity data is captured and logged with some level of granularity recorded 13. Ability to use logs for forensic analysis. 14. Have standardized SLAs that help define critical components of the relationship between organizations and their service providers, as well as how to manage those relationships. 15. Abide to standards to simplify interoperability among cloud providers and avoid vendor lock-down % % % % % % % % 56

67 16. Enable users the ability to monitor incorrect configurations, policy violations, and control failures across their infrastructure 17. Strong authentication and access controls. 18. Conduct regular vulnerability scanning and configuration audits. 19. Strong key generation, storage and management, and data destruction practices. 20. Provide service reports such as Statement of Accounting Standards which incorporate reporting on controls relevant to security, availability, processing integrity and confidentiality? % % % % % From the data above it is evident that majority of the respondents at 76% still view enforcing access control via physical firewalls/routers as being the best approach in securing their environments. Another 72% of the respondents see antivirus, intrusion detection, and other protection essential to protect each VM from possible attacks. However creating ofnew VMs using standardized templates was ranked lowest compared to all other safeguard measures. Regulatory compliance measures Regulation and compliance is important since it guides one as to how risk should be addressed as illustrated in figure 2.9. Therefore it is imperative that users give feedback of what kind of regulatory and compliance measures they would wish to abide to. Respondents were therefore asked to indicate the appropriate measures and 28% opt for a fully outsourced regulatory compliance measures compared to 72% of those who choose a regulatory compliance plan based on internal resources 57

68 Which of the following regulatory compliance measures are of interest to you? 0% 28% Fully outsourced regulatory compliance measures guided by set standards. 72% A Regulatory compliance plan based on internal resources (i.e. leveraging services/platform/infrastructu re already in use before the Cloud ) Figure 4-4: Regulatory measures Conclusion The research sought to find out if indeed there exist any evaluative standards that ensure virtualization security. Though this is true that there exists so form of standard, the enforcement of these standard are hampered due to lack of strict enforcement procedures as well as the risk introduced by human element, e.g. sharing of user accounts and cloning of new VM from existing ones as shown in table 4.4. This calls for more elaborate and well outlined standard that will address any such shortcomings. 58

69 5 Discussions 5.1 Introduction After presentation of findings in the previous chapter, it is important to discuss them in an attempt to seek answers to the research objectives. Analyzed results are presented in comparison to what is revised in the literature with an aim to provide the needed answers to the research objectives. Each of the research questions is tackled in its entirety with justifications based on results. 5.2 Current virtualization approaches A number of organizations in this case 48% are using software virtualization as indicated in figures 4-3. From the discussion in chapter 2 this approach to virtualization is preferred since the virtualization is not visible to the guest OS, hence requires no changes to the guest OS or the applications running under that guest. This vital advantage proves to be of great importance especially when we have several applications running in the guest environment. Technological advances and a reduction in the cost of hardware is making hardware virtualization a better option for organizations, 41% of whom have adapted hardware virtualization as indicated in figure 4-3. This alternative becomes easier since most hardware devices such as servers are coming already with the virtualization capability enabled. 5.3 Inherent weaknesses in technology that can lead to a violation of security and privacy concerns The research found out that there are a myriad of vulnerabilities in technology that can be exploited as shown in table 4.2. Top on the list is data/service availability at 54%, followed by malicious insiders at 52% and data leakage at 50%.A close look at cloud reference model in chapter 2.5 indicates that for the 46% of organizations who use Platform as a service (Paas), they need to have proper standards in place to curb the above stated vulnerabilities. The cloud reference model in chapter 2.5 shows the lower you go in the model more responsibility you have in terms of enforcing security. Although the upper layer of the cloud model, software as a service, does not offer much to the customer when it comes to enforcing restrictions/controls, it is important that the customer is 59

70 knowledgeable on what is going on. 41% of respondents who use Saas, table 4.1 should be aware of standards used by their service providers to secure their data. 5.4 What evaluative standard can be used to address these security and privacy concerns? The research proposes a solution which can be deployed as a standardized API layer (securitylayer) between the hardware and the application software supporting virtualization in this case the hypervisor. This layer provides a centralized platform for security configuration, traffic monitoring and filtering, and policy enforcement among other functions that are required. This will help prevent malware attacks among other security exploits. It is important that all the Virtual Machines are configured to accept access only via this API otherwise the malicious hackers would compromise security at the layer. The security configurations at this layer is guided in form of a security checklist for a virtualized environment. The recommendations herein are neither vendor specific nor product specific, and therefore for specific environments one should consult a specific vendor for implementations details. This security layer is made up of 3 major components. This security layer directly interfaces to the hypervisor, and presents one control point to monitor and act on all traffic moving through the hypervisor onto the virtual machines and vice versa. It is used to enforce 3 major components. 1. Identity and Access management This feature will deal with issues relating to user administration and applying relevant policies. These include; a. Access and authentication controls. b. Encourage separation of duties c. Enable users the ability to monitor incorrect configurations and policy violations. d. Strong key generation, storage and management, and data destruction practices. e. Develop standard procedure for granting emergency account access. 60

71 2. Host architecture and operating system hardening This will address issues that pertain to the host and virtual machines running on that host. The component will ensure that all loop-holes and vulnerabilities due to midconfiguration or use of default configuration are addressed. This will look at; a. Ensure new VMs meet the required standards. b. Disabling unnecessary functions that pose a security risk or consume unnecessary resources. c. Enforce polices that ensure only warranted applications that are allowed to run on the VM. d. Conduct regular vulnerability scanning and configuration audits. e. Installation of antivirus, intrusion detection, and other protection f. Proactive monitoring and protect the Hypervisor to detect unauthorized activity. g. Abide to standards to simplify interoperability among cloud providers. 3. Logging and virtual platform audit. a. Granular capture and logging of all activity data is captured. b. Enable integrity of logs for use in forensic analysis. c. Provide granular service reports. 5.5 Architectural overview of the proposed framework The standardized API is a security layer that sits between the Virtual machine monitor and the virtual machines. All communication from the physical hardware, through to the virtual machine monitors on to the individual virtual machines have to pass through this layer. This layer is responsible for enforcement of the desired standards configured by the administrator. 61

72 Guest OS Guest OS Guest OS Guest OS Guest OS Management Layer API Virtual Machine Monitor Hardware Based Physical Server Figure 5-1: Proposed architecture for enforcing virtualization security Detail of the security layer API Virtual Machine (Guest Operating System) Traffic Security Layer Identity & Access Management Host Architecture & OS hardening Logging & platform Audit Virtual Machine Monitor (Hypervisor) Figure 16: Detailed component of the Management Layer API 62

International Journal of Advancements in Research & Technology, Volume 1, Issue6, November-2012 1 ISSN 2278-7763

International Journal of Advancements in Research & Technology, Volume 1, Issue6, November-2012 1 ISSN 2278-7763 International Journal of Advancements in Research & Technology, Volume 1, Issue6, November-2012 1 VIRTUALIZATION Vikas Garg Abstract: The main aim of the research was to get the knowledge of present trends

More information

Virtualization Overview

Virtualization Overview VMWARE W HWHITE I T E PPAPER A P E R Virtualization Overview 1 Table of Contents Introduction... 3 Virtualization in a Nutshell... 3 Virtualization Approaches... 4 Virtualization for Server Consolidation

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

Effective End-to-End Cloud Security

Effective End-to-End Cloud Security Effective End-to-End Cloud Security Securing Your Journey to the Cloud Trend Micro SecureCloud A Trend Micro & VMware White Paper August 2011 I. EXECUTIVE SUMMARY This is the first paper of a series of

More information

See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models.

See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models. Cloud Strategy Information Systems and Technology Bruce Campbell What is the Cloud? From http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf Cloud computing is a model for enabling ubiquitous,

More information

Introduction to Cloud Computing. Srinath Beldona srinath_beldona@yahoo.com

Introduction to Cloud Computing. Srinath Beldona srinath_beldona@yahoo.com Introduction to Cloud Computing Srinath Beldona srinath_beldona@yahoo.com Agenda Pre-requisites Course objectives What you will learn in this tutorial? Brief history Is cloud computing new? Why cloud computing?

More information

Virtualizing Exchange

Virtualizing Exchange Virtualizing Exchange Simplifying and Optimizing Management of Microsoft Exchange Server Using Virtualization Technologies By Anil Desai Microsoft MVP September, 2008 An Alternative to Hosted Exchange

More information

Virtualization: an old concept in a new approach

Virtualization: an old concept in a new approach MPRA Munich Personal RePEc Archive Virtualization: an old concept in a new approach Logica Banica and Doina Rosca and Cristian Stefan University of Pitesti, Faculty of Economics, University of Craiova,

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

9/26/2011. What is Virtualization? What are the different types of virtualization.

9/26/2011. What is Virtualization? What are the different types of virtualization. CSE 501 Monday, September 26, 2011 Kevin Cleary kpcleary@buffalo.edu What is Virtualization? What are the different types of virtualization. Practical Uses Popular virtualization products Demo Question,

More information

Security & Trust in the Cloud

Security & Trust in the Cloud Security & Trust in the Cloud Ray Trygstad Director of Information Technology, IIT School of Applied Technology Associate Director, Information Technology & Management Degree Programs Cloud Computing Primer

More information

Keyword: Cloud computing, service model, deployment model, network layer security.

Keyword: Cloud computing, service model, deployment model, network layer security. Volume 4, Issue 2, February 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com An Emerging

More information

Lecture 02a Cloud Computing I

Lecture 02a Cloud Computing I Mobile Cloud Computing Lecture 02a Cloud Computing I 吳 秀 陽 Shiow-yang Wu What is Cloud Computing? Computing with cloud? Mobile Cloud Computing Cloud Computing I 2 Note 1 What is Cloud Computing? Walking

More information

Trend Micro Cloud Protection

Trend Micro Cloud Protection A Trend Micro White Paper August 2015 Trend Micro Cloud Protection Security for Your Unique Cloud Infrastructure Contents Introduction...3 Private Cloud...4 VM-Level Security...4 Agentless Security to

More information

IBM 000-281 EXAM QUESTIONS & ANSWERS

IBM 000-281 EXAM QUESTIONS & ANSWERS IBM 000-281 EXAM QUESTIONS & ANSWERS Number: 000-281 Passing Score: 800 Time Limit: 120 min File Version: 58.8 http://www.gratisexam.com/ IBM 000-281 EXAM QUESTIONS & ANSWERS Exam Name: Foundations of

More information

Addressing Data Security Challenges in the Cloud

Addressing Data Security Challenges in the Cloud Addressing Data Security Challenges in the Cloud Coordinate Security. The Need for Cloud Computing Security A Trend Micro White Paper July 2010 I. INTRODUCTION Enterprises increasingly recognize cloud

More information

COS 318: Operating Systems. Virtual Machine Monitors

COS 318: Operating Systems. Virtual Machine Monitors COS 318: Operating Systems Virtual Machine Monitors Kai Li and Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall13/cos318/ Introduction u Have

More information

PCI DSS Virtualization Guidelines. Information Supplement: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011

PCI DSS Virtualization Guidelines. Information Supplement: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011 Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines

More information

A Survey on Cloud Security Issues and Techniques

A Survey on Cloud Security Issues and Techniques A Survey on Cloud Security Issues and Techniques Garima Gupta 1, P.R.Laxmi 2 and Shubhanjali Sharma 3 1 Department of Computer Engineering, Government Engineering College, Ajmer Guptagarima09@gmail.com

More information

Cloud Computing Architecture: A Survey

Cloud Computing Architecture: A Survey Cloud Computing Architecture: A Survey Abstract Now a day s Cloud computing is a complex and very rapidly evolving and emerging area that affects IT infrastructure, network services, data management and

More information

Chapter 1: Introduction

Chapter 1: Introduction Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure

More information

Future of Cloud Computing. Irena Bojanova, Ph.D. UMUC, NIST

Future of Cloud Computing. Irena Bojanova, Ph.D. UMUC, NIST Future of Cloud Computing Irena Bojanova, Ph.D. UMUC, NIST No Longer On The Horizon Essential Characteristics On-demand Self-Service Broad Network Access Resource Pooling Rapid Elasticity Measured Service

More information

The Reincarnation of Virtual Machines

The Reincarnation of Virtual Machines The Reincarnation of Virtual Machines By Mendel Rosenblum Co-Founder of VMware Associate Professor, Computer Science Stanford University Abstract:VMware, Inc. has grown to be the industry leader in x86-based

More information

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS CLOUD COMPUTING Cloud computing is a model for enabling convenient, ondemand network access to a shared pool of configurable computing

More information

IS PRIVATE CLOUD A UNICORN?

IS PRIVATE CLOUD A UNICORN? IS PRIVATE CLOUD A UNICORN? With all of the discussion, adoption, and expansion of cloud offerings there is a constant debate that continues to rear its head: Public vs. Private or more bluntly Is there

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

Cloud Computing; What is it, How long has it been here, and Where is it going?

Cloud Computing; What is it, How long has it been here, and Where is it going? Cloud Computing; What is it, How long has it been here, and Where is it going? David Losacco, CPA, CIA, CISA Principal January 10, 2013 Agenda The Cloud WHAT IS THE CLOUD? How long has it been here? Where

More information

Security & Cloud Services IAN KAYNE

Security & Cloud Services IAN KAYNE Security & Cloud Services IAN KAYNE CloudComponents CLOUD SERVICES Dynamically scalable infrastructure, services and software based on broad network accessibility NETWORK ACCESS INTERNAL ESTATE CloudComponents

More information

Cloud Computing for SCADA

Cloud Computing for SCADA Cloud Computing for SCADA Moving all or part of SCADA applications to the cloud can cut costs significantly while dramatically increasing reliability and scalability. A White Paper from InduSoft Larry

More information

Cloud Computing: A Question of Trust Maintaining Control and Compliance with Data-centric Information Security

Cloud Computing: A Question of Trust Maintaining Control and Compliance with Data-centric Information Security Russ Dietz Vice President & Chief Technology Officer Cloud Computing: A Question of Trust Maintaining Control and Compliance with Data-centric Information Security By Russ Dietz Vice President & Chief

More information

Cloud Infrastructure Security

Cloud Infrastructure Security Cloud Infrastructure Security Dimiter Velev 1 and Plamena Zlateva 2 1 University of National and World Economy, UNSS - Studentski grad, 1700 Sofia, Bulgaria dvelev@unwe.acad.bg 2 Institute of Control and

More information

Full and Para Virtualization

Full and Para Virtualization Full and Para Virtualization Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF x86 Hardware Virtualization The x86 architecture offers four levels

More information

Making Data Security The Foundation Of Your Virtualization Infrastructure

Making Data Security The Foundation Of Your Virtualization Infrastructure Making Data Security The Foundation Of Your Virtualization Infrastructure by Dave Shackleford hytrust.com Cloud Under Control P: P: 650.681.8100 Securing data has never been an easy task. Its challenges

More information

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Eric A. Hibbard, CISSP, CISA Hitachi Data Systems SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies and individual members may

More information

Virtualization. Jukka K. Nurminen 23.9.2015

Virtualization. Jukka K. Nurminen 23.9.2015 Virtualization Jukka K. Nurminen 23.9.2015 Virtualization Virtualization refers to the act of creating a virtual (rather than actual) version of something, including virtual computer hardware platforms,

More information

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such

More information

Cloud Courses Description

Cloud Courses Description Courses Description 101: Fundamental Computing and Architecture Computing Concepts and Models. Data center architecture. Fundamental Architecture. Virtualization Basics. platforms: IaaS, PaaS, SaaS. deployment

More information

http://www.alljntuworld.in/

http://www.alljntuworld.in/ Table of Content Cloud Computing Tutorial... 2 Audience... 2 Prerequisites... 2 Copyright & Disclaimer Notice... 2 Cloud Computing - Overview... 9 What is Cloud?... 9 What is Cloud Computing?... 9 Basic

More information

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary VISIBILITY DATA GOVERNANCE SYSTEM OS PARTITION UNIFIED MANAGEMENT CENTRAL AUDIT POINT ACCESS MONITORING ENCRYPTION STORAGE VOLUME POLICY ENFORCEMENT ProtectV SECURITY SNAPSHOT (backup) DATA PROTECTION

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Cloud Computing Dr. A. Askarunisa Professor and Head Vickram College of Engineering, Madurai, Tamilnadu, India N.Ganesh Sr.Lecturer Vickram College of Engineering, Madurai, Tamilnadu,

More information

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect OWASP Chapter Meeting June 2010 Presented by: Brayton Rider, SecureState Chief Architect Agenda What is Cloud Computing? Cloud Service Models Cloud Deployment Models Cloud Computing Security Security Cloud

More information

Safeguarding the cloud with IBM Dynamic Cloud Security

Safeguarding the cloud with IBM Dynamic Cloud Security Safeguarding the cloud with IBM Dynamic Cloud Security Maintain visibility and control with proven security solutions for public, private and hybrid clouds Highlights Extend enterprise-class security from

More information

What Cloud computing means in real life

What Cloud computing means in real life ITU TRCSL Symposium on Cloud Computing Session 2: Cloud Computing Foundation and Requirements What Cloud computing means in real life Saman Perera Senior General Manager Information Systems Mobitel (Pvt)

More information

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption THE DATA PROTECTIO TIO N COMPANY Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption whitepaper Executive Summary Long an important security measure, encryption has

More information

CLOUD COMPUTING OVERVIEW

CLOUD COMPUTING OVERVIEW CLOUD COMPUTING OVERVIEW http://www.tutorialspoint.com/cloud_computing/cloud_computing_overview.htm Copyright tutorialspoint.com Cloud Computing provides us a means by which we can access the applications

More information

Virtualization. Dr. Yingwu Zhu

Virtualization. Dr. Yingwu Zhu Virtualization Dr. Yingwu Zhu What is virtualization? Virtualization allows one computer to do the job of multiple computers. Virtual environments let one computer host multiple operating systems at the

More information

A Review on Cloud Computing Vulnerabilities

A Review on Cloud Computing Vulnerabilities A Review on Cloud Computing Vulnerabilities Ms. Sugandha Nandedkar, Ms.Sangeeta Kakarwal Asst.Prof., Department of Computer Science and Engineering, DIEMS /Dr. BAMU, Aurangabad, MH, India. Prof. and HOD,

More information

Cloud Models and Platforms

Cloud Models and Platforms Cloud Models and Platforms Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF A Working Definition of Cloud Computing Cloud computing is a model

More information

Security Model for VM in Cloud

Security Model for VM in Cloud Security Model for VM in Cloud 1 Venkataramana.Kanaparti, 2 Naveen Kumar R, 3 Rajani.S, 4 Padmavathamma M, 5 Anitha.C 1,2,3,5 Research Scholars, 4Research Supervisor 1,2,3,4,5 Dept. of Computer Science,

More information

Basics in Energy Information (& Communication) Systems Virtualization / Virtual Machines

Basics in Energy Information (& Communication) Systems Virtualization / Virtual Machines Basics in Energy Information (& Communication) Systems Virtualization / Virtual Machines Dr. Johann Pohany, Virtualization Virtualization deals with extending or replacing an existing interface so as to

More information

VIRTUALIZATION THE FOUNDATION OF CLOUD COMPUTING

VIRTUALIZATION THE FOUNDATION OF CLOUD COMPUTING VIRTUALIZATION THE FOUNDATION OF CLOUD COMPUTING TM 989 Old Eagle School Road Suite 815 Wayne, PA 19087 USA 610.964.8000 www.evolveip.net Did You Know Approximately 70 percent of a typical IT budget in

More information

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC RE Think Invent IT & Business IBM SmartCloud Security Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC 2014 IBM Corporation Some Business Questions Is Your Company is Secure

More information

Cloud Computing: The Next Computing Paradigm

Cloud Computing: The Next Computing Paradigm Cloud Computing: The Next Computing Paradigm Ronnie D. Caytiles 1, Sunguk Lee and Byungjoo Park 1 * 1 Department of Multimedia Engineering, Hannam University 133 Ojeongdong, Daeduk-gu, Daejeon, Korea rdcaytiles@gmail.com,

More information

Virtualization and Cloud Computing

Virtualization and Cloud Computing Virtualization and Cloud Computing Security is a Process, not a Product Guillermo Macias CIP Security Auditor, Sr. Virtualization Purpose of Presentation: To inform entities about the importance of assessing

More information

Virtual. The term virtual machine initially described a 1960s. The Reincarnation of FOCUS. Virtual. Machines

Virtual. The term virtual machine initially described a 1960s. The Reincarnation of FOCUS. Virtual. Machines The term virtual machine initially described a 1960s operating system concept: a software abstraction with the looks of a computer system s hardware (real machine). Forty years later, the term encompasses

More information

A Study on Analysis and Implementation of a Cloud Computing Framework for Multimedia Convergence Services

A Study on Analysis and Implementation of a Cloud Computing Framework for Multimedia Convergence Services A Study on Analysis and Implementation of a Cloud Computing Framework for Multimedia Convergence Services Ronnie D. Caytiles and Byungjoo Park * Department of Multimedia Engineering, Hannam University

More information

www.see-grid-sci.eu Regional SEE-GRID-SCI Training for Site Administrators Institute of Physics Belgrade March 5-6, 2009

www.see-grid-sci.eu Regional SEE-GRID-SCI Training for Site Administrators Institute of Physics Belgrade March 5-6, 2009 SEE-GRID-SCI Virtualization and Grid Computing with XEN www.see-grid-sci.eu Regional SEE-GRID-SCI Training for Site Administrators Institute of Physics Belgrade March 5-6, 2009 Milan Potocnik University

More information

SECURITY IN OPERATING SYSTEM VIRTUALISATION

SECURITY IN OPERATING SYSTEM VIRTUALISATION SECURITY IN OPERATING SYSTEM VIRTUALISATION February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in

More information

Assessing Risks in the Cloud

Assessing Risks in the Cloud Assessing Risks in the Cloud Jim Reavis Executive Director Cloud Security Alliance Agenda Definitions of Cloud & Cloud Usage Key Cloud Risks About CSA CSA Guidance approach to Addressing Risks Research

More information

Addressing Cloud Computing Security Considerations

Addressing Cloud Computing Security Considerations Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more Contents 2 Introduction 3 Key Security Considerations 4 Office 365 Service Stack 5 ISO Certifications for the Microsoft

More information

SECURITY MODELS FOR CLOUD 2012. Kurtis E. Minder, CISSP

SECURITY MODELS FOR CLOUD 2012. Kurtis E. Minder, CISSP SECURITY MODELS FOR CLOUD 2012 Kurtis E. Minder, CISSP INTRODUCTION Kurtis E. Minder, Technical Sales Professional Companies: Roles: Security Design Engineer Systems Engineer Sales Engineer Salesperson

More information

Secure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc. bstrongin@hytrust.com

Secure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc. bstrongin@hytrust.com Secure Multi Tenancy In the Cloud Boris Strongin VP Engineering and Co-founder, Hytrust Inc. bstrongin@hytrust.com At-a-Glance Trends Do MORE with LESS Increased Insider Threat Increasing IT spend on cloud

More information

Total Cloud Protection

Total Cloud Protection Total Cloud Protection Data Center and Cloud Security Security for Your Unique Cloud Infrastructure A Trend Micro White Paper August 2011 I. INTRODUCTION Many businesses are looking to the cloud for increased

More information

Table of Content Cloud Computing Tutorial... 2 Audience... 2 Prerequisites... 2 Copyright & Disclaimer Notice... 2 Cloud Computing - Overview...

Table of Content Cloud Computing Tutorial... 2 Audience... 2 Prerequisites... 2 Copyright & Disclaimer Notice... 2 Cloud Computing - Overview... Table of Content Cloud Computing Tutorial... 2 Audience... 2 Prerequisites... 2 Copyright & Disclaimer Notice... 2 Cloud Computing - Overview... 9 What is Cloud?... 9 What is Cloud Computing?... 9 Basic

More information

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS Shirley Radack, Editor Computer Security Division Information

More information

Double-Take Replication in the VMware Environment: Building DR solutions using Double-Take and VMware Infrastructure and VMware Server

Double-Take Replication in the VMware Environment: Building DR solutions using Double-Take and VMware Infrastructure and VMware Server Double-Take Replication in the VMware Environment: Building DR solutions using Double-Take and VMware Infrastructure and VMware Server Double-Take Software, Inc. 257 Turnpike Road; Suite 210 Southborough,

More information

Control your corner of the cloud.

Control your corner of the cloud. Chapter 1 of 5 Control your corner of the cloud. From the halls of government to the high-rise towers of the corporate world, forward-looking organizations are recognizing the potential of cloud computing

More information

Understanding Full Virtualization, Paravirtualization, and Hardware Assist. Introduction...1 Overview of x86 Virtualization...2 CPU Virtualization...

Understanding Full Virtualization, Paravirtualization, and Hardware Assist. Introduction...1 Overview of x86 Virtualization...2 CPU Virtualization... Contents Introduction...1 Overview of x86 Virtualization...2 CPU Virtualization...3 The Challenges of x86 Hardware Virtualization...3 Technique 1 - Full Virtualization using Binary Translation...4 Technique

More information

Requirements and Challenges for Securing Cloud Applications and Services

Requirements and Challenges for Securing Cloud Applications and Services IOSR Journal of Computer Engineering (IOSRJCE) ISSN: 2278-0661 Volume 4, Issue 2 (Sep.-Oct. 2012), PP 46-52 Requirements and Challenges for Securing Cloud Applications and Services Mrs. Y. Lakshmi Prasanna

More information

Virtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University

Virtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University Virtual Machine Monitors Dr. Marc E. Fiuczynski Research Scholar Princeton University Introduction Have been around since 1960 s on mainframes used for multitasking Good example VM/370 Have resurfaced

More information

Cloud Computing Tutorial

Cloud Computing Tutorial Cloud Computing Tutorial CLOUD COMPUTINGTUTORIAL by tutorialspoint.com tutorialspoint.com i ABOUT THE TUTORIAL Cloud Computing Tutorial Cloud Computing provides us a means by which we can access the applications

More information

AskAvanade: Answering the Burning Questions around Cloud Computing

AskAvanade: Answering the Burning Questions around Cloud Computing AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,

More information

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (wahlgren@dsv.su.se), 2: (stewart@dsv.su.se) ABSTRACT

More information

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

Virtualization Impact on Compliance and Audit

Virtualization Impact on Compliance and Audit 2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance

More information

Lecture 02b Cloud Computing II

Lecture 02b Cloud Computing II Mobile Cloud Computing Lecture 02b Cloud Computing II 吳 秀 陽 Shiow-yang Wu T. Sridhar. Cloud Computing A Primer, Part 2: Infrastructure and Implementation Topics. The Internet Protocol Journal, Volume 12,

More information

Virtualization System Security

Virtualization System Security Virtualization System Security Bryan Williams, IBM X-Force Advanced Research Tom Cross, Manager, IBM X-Force Security Strategy 2009 IBM Corporation Overview Vulnerability disclosure analysis Vulnerability

More information

Data Protection: From PKI to Virtualization & Cloud

Data Protection: From PKI to Virtualization & Cloud Data Protection: From PKI to Virtualization & Cloud Raymond Yeung CISSP, CISA Senior Regional Director, HK/TW, ASEAN & A/NZ SafeNet Inc. Agenda What is PKI? And Value? Traditional PKI Usage Cloud Security

More information

Securing Virtual Applications and Servers

Securing Virtual Applications and Servers White Paper Securing Virtual Applications and Servers Overview Security concerns are the most often cited obstacle to application virtualization and adoption of cloud-computing models. Merely replicating

More information

Solution Recipe: Improve PC Security and Reliability with Intel Virtualization Technology

Solution Recipe: Improve PC Security and Reliability with Intel Virtualization Technology Solution Recipe: Improve PC Security and Reliability with Intel Virtualization Technology 30406_VT_Brochure.indd 1 6/20/06 4:01:14 PM Preface Intel has developed a series of unique Solution Recipes designed

More information

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM) Security Management of Cloud-Native Applications Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM) 1 Outline Context State-of-the-Art Design Patterns Threats to cloud systems Security

More information

1.1.1 Introduction to Cloud Computing

1.1.1 Introduction to Cloud Computing 1 CHAPTER 1 INTRODUCTION 1.1 CLOUD COMPUTING 1.1.1 Introduction to Cloud Computing Computing as a service has seen a phenomenal growth in recent years. The primary motivation for this growth has been the

More information

Data Centers and Cloud Computing

Data Centers and Cloud Computing Data Centers and Cloud Computing CS377 Guest Lecture Tian Guo 1 Data Centers and Cloud Computing Intro. to Data centers Virtualization Basics Intro. to Cloud Computing Case Study: Amazon EC2 2 Data Centers

More information

Cloud Computing. Bringing the Cloud into Focus

Cloud Computing. Bringing the Cloud into Focus Cloud Computing Bringing the Cloud into Focus November 2011 Introduction Ken Cochrane CEO, IT/NET Partner, KPGM Performance and Technology National co-leader IT Advisory Services KPMG Andrew Brewin Vice

More information

CS 695 Topics in Virtualization and Cloud Computing and Storage Systems. Introduction

CS 695 Topics in Virtualization and Cloud Computing and Storage Systems. Introduction CS 695 Topics in Virtualization and Cloud Computing and Storage Systems Introduction Hot or not? source: Gartner Hype Cycle for Emerging Technologies, 2014 2 Source: http://geekandpoke.typepad.com/ 3 Cloud

More information

Cloud Courses Description

Cloud Courses Description Cloud Courses Description Cloud 101: Fundamental Cloud Computing and Architecture Cloud Computing Concepts and Models. Fundamental Cloud Architecture. Virtualization Basics. Cloud platforms: IaaS, PaaS,

More information

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments H Y T RUST: S OLUTION B RIEF Solve the Nosy Neighbor Problem in Multi-Tenant Environments Summary A private cloud with multiple tenants such as business units of an enterprise or customers of a cloud service

More information

CHAPTER 2 THEORETICAL FOUNDATION

CHAPTER 2 THEORETICAL FOUNDATION CHAPTER 2 THEORETICAL FOUNDATION 2.1 Theoretical Foundation Cloud computing has become the recent trends in nowadays computing technology world. In order to understand the concept of cloud, people should

More information

White Paper on CLOUD COMPUTING

White Paper on CLOUD COMPUTING White Paper on CLOUD COMPUTING INDEX 1. Introduction 2. Features of Cloud Computing 3. Benefits of Cloud computing 4. Service models of Cloud Computing 5. Deployment models of Cloud Computing 6. Examples

More information

Virtual Machines and Security Paola Stone Martinez East Carolina University November, 2013.

Virtual Machines and Security Paola Stone Martinez East Carolina University November, 2013. Virtual Machines and Security Paola Stone Martinez East Carolina University November, 2013. Keywords: virtualization, virtual machine, security. 1. Virtualization The rapid growth of technologies, nowadays,

More information

Cloud Security: The Grand Challenge

Cloud Security: The Grand Challenge Dr. Paul Ashley IBM Software Group pashley@au1.ibm.com Cloud Security: The Grand Challenge Outline Cloud computing: the pros, the cons, the blind spots Security in the cloud - what are the risks now and

More information

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications

More information

Trend Micro Deep Security

Trend Micro Deep Security Trend Micro Deep Security VMware Global Technology Alliance Partner Changing the Game with Agentless Security for the Virtual Data Center A 2012 Trend Micro White Paper I. INTRODUCTION From its early experimental

More information

journey to a hybrid cloud

journey to a hybrid cloud journey to a hybrid cloud Virtualization and Automation VI015SN journey to a hybrid cloud Jim Sweeney, CTO GTSI about the speaker Jim Sweeney GTSI, Chief Technology Officer 35 years of engineering experience

More information

Cloud Essentials for Architects using OpenStack

Cloud Essentials for Architects using OpenStack Cloud Essentials for Architects using OpenStack Course Overview Start Date 18th December 2014 Duration 2 Days Location Dublin Course Code SS906 Programme Overview Cloud Computing is gaining increasing

More information