Cloud Computing Security: Risks and Threats


GD Makkar 1, Vivek Panwar 2
1&2 GRDIMT, Department of CSE, Dehradun, India

Abstract: Nowadays, cloud computing has become a significant technology trend. Its benefits include cost savings, high availability of resources, and easy scalability. Cloud users can store their data remotely and enjoy on-demand, high-quality applications and services from cloud resources. Data security is one of the major concerns, because users of cloud storage services no longer physically maintain direct control over their data in the cloud. Shifting all data to the cloud therefore has implications for privacy and security. One possible solution to this problem is to encrypt data before storing it in the cloud, but data encryption alone is insufficient. Cloud computing also has state-of-the-art vulnerabilities due to the core technologies used in it. This paper explains the potential risks, vulnerabilities and challenges associated with the various services of cloud computing technologies and recommends methods to mitigate them. These security issues should be taken seriously in order to avoid disastrous consequences for an organization's reputation and existence. The cloud service provider should provide Security as a Service and Data Protection as a Service to earn the customer's trust and assure them that their data will remain secure and protected in the cloud.

Keywords: Cloud computing security, encryption, security as a service, data protection as a service.

1. INTRODUCTION

Cloud computing is a virtual pool of resources such as software, platform and infrastructure that is dynamically scalable and can be reconfigured at very low cost to meet the needs of the customer. All cloud computing services, such as storage, application development and application access, are reached through the Internet. They can be used on any kind of device, such as laptops, PCs, smartphones and tablets.

Cost savings, high availability of resources and dynamic scalability are a few of the advantages of cloud computing. Google, Amazon and Microsoft are the big players providing various services to cloud users. Every cloud provider deploys a data centre that includes various platforms for developing applications on the cloud, hardware to support the applications developed, and infrastructure such as network and database. The cloud service provider uses service-level agreements (SLA) with the consumer to provide the services. The National Institute of Standards and Technology (NIST) [1], the US Government agency responsible for developing standards and guidelines for technologies, defines cloud computing as "... a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

The most significant benefit of using the cloud is that it works on the pay-per-use model: the consumer pays only for the resources actually used, such as applications, CPU, network and bandwidth. Cloud computing basically provides three kinds of services: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Together these are called the SPI model (Figure 1).

SaaS sits at the top of the cloud stack. The SaaS layer is used by the consumer to run applications hosted on the cloud. The main benefit of SaaS is that a user does not need to purchase costly licensed software. All the software on the cloud is licensed and fully supported by its respective vendors. The consumer pays only for the software use. SaaS moves software use from the traditional model to a rental model, thus reducing the user's physical equipment deployment and management costs. All applications are accessed through the Internet using a web browser, and there is no need to install anything extra locally.

PaaS provides the environment for application development. It is used by application developers, testers and administrators to develop and test software. It supports the entire software development life cycle and provides virtual machines, operating systems, applications, services, development frameworks, transactions, and control structures.

IaaS provides infrastructure such as storage, network and CPUs on demand, on a rental basis. It is based on the concept of virtualization. IaaS creates a virtual environment and lets users share a resource, without being aware of it, to run their applications. The virtual environment includes virtual computers, cloud storage, and network infrastructure components such as firewalls and configuration services. Usage fees are calculated per CPU hour, per GB of data stored per hour, per unit of network bandwidth consumed, and per hour of network infrastructure used.

Figure 1 SPI Model

Volume 3, Issue 2 March April 2014 Page 111

Clouds can be deployed in three ways: private, public and hybrid. A private cloud is owned by the enterprise itself and used exclusively by that organization. This gives the organization greater control over its data and processes. All the resources are managed by that organization. A public cloud is managed by an organization that sells cloud services (SaaS, PaaS, IaaS) globally. The cloud is operated and managed at a data center owned by a service vendor that has provision for bulk data storage, multiple-CPU processing and so on. Services on a public cloud are provided on a pay-per-use basis. Popular public clouds are Amazon's AWS EC2, Rackspace Cloud Suite, Microsoft's Azure Service Platform, and Google. A hybrid cloud is a combination of private and public cloud that allows an organization to use its private cloud together with the services of a public cloud.

2. CLOUD SECURITY

The biggest problem in cloud computing is the security and privacy of user data storage and management. All user data is stored at the Cloud Service Provider (CSP). Although the CSP takes all measures to provide the best security, it is still hard to have full faith in the CSP because of the state-of-the-art risks associated with the cloud. Virtualization, which is the backbone of cloud computing, is also a big threat to security [2]. Virtualization allows several machine images to run on a single server. If two virtual machines are running on one server, it is quite possible that someone can access both virtual machines and gain unauthorized access to the data and applications of the other user; an attack launched on one virtual machine can also affect the other virtual machine on the same server. A security level agreement (SLA) that defines the risks associated with the cloud services is negotiated between the CSP and the consumer.

The major security flaws that exist in the cloud are due to DDoS, malware, IP vulnerabilities, insecure cryptography, Fraudulent Resource Consumption (FRC), etc.

3. SECURITY CHALLENGES IN THE CLOUD

3.1 Establishing the trust between CSP and consumer

In the cloud, user computations are executed remotely at the data centre of the cloud service provider. Cloud computing uses a distributed computing architecture for execution. It is the CSP's responsibility to ensure the security and privacy of the user's stored data and of the execution of the user's applications. Reputation and degree of control are the two primary components that sustain trust in the CSP. Degree of control plays a significant role in maintaining that trust. The cloud service provider should give the user control over stored data, data during processing, software, regulatory compliance, and billing [3].

Control over stored data: The consumer owns the stored data and should be able to monitor and control all operations remotely, for valid as well as invalid users. The CSP should give consumers the control to clear the server cache of temporary data once a process is over. The consumer should also be able to permanently remove deleted data from memory, thereby preventing others from retrieving data residue, and to remotely close all ports to its cloud-based servers when they are not in use.

Control over data during processing: Not only the data residing in secondary storage but also the data moving during processing needs to be protected. When a consumer works with an application in the cloud, a lot of data travels between the cloud site and the consumer site, where it can easily be captured by an intruder. When data is being processed, it is decrypted and should be revealed to the server only.

Control over software: The protection of the application itself is usually overlooked. On cloud platforms, clients develop and run their own software, which includes important business logic that can be hacked and misused by an intruder. A consumer should have control over the use of his or her software and be able to hide what computation the software is doing. Similarly, consumers might also want to protect their software usage patterns. If a consumer uses a particular function very frequently, a usage pattern can be drawn that shows which functions are used most often and are most important to the consumer.

Control over regulatory compliance: Although several cloud providers offer third-party certifications indicating that they comply with certain regulations, the client does not have enough control to know how providers are achieving that compliance. There are various third-party regulatory compliance providers, such as the Cloud Security Alliance (CSA), the National Institute of Standards and Technology (NIST), and the European Network and Information Security Agency (ENISA). The consumer should have control over which regulatory compliance is used and should even be able to use hybrid regulatory compliance.

Control over billing: In the cloud, the user pays per use. The consumer incurs all the costs of what he or she subscribed for. The consumer should be able to monitor how many resources, such as bandwidth, CPU time and memory, were used on a particular day, week or month. Usually a consumer knows how many resources he or she uses in a month. If an intruder uses a client's bandwidth without the client's knowledge (Fraudulent Resource Consumption), the client incurs all of that cost. If a consumer has control over billing, he or she can set a maximum limit on the bill according to his or her usage pattern.

3.2 Privacy and Data Protection

Privacy is a core security challenge in cloud computing. Many organizations do not feel comfortable storing their private data outside their premises at a third-party site.
Although cloud computing is also associated with traditional state-of-the-art vulnerabilities such as IP vulnerabilities and DoS, the CSP must assure its customers of high security and privacy for their data: that it will be fully protected from unauthorized access and that availability will be high. The identity of the consumer will be fully protected and maintained, and all transaction histories will be kept secure. All database measures will be applied to maintain the consistency of the data. The CSP will record every piece of information about the data, such as who created it and who modified it and when, as this information can be used for auditing. Privacy is a significant challenge for the cloud service provider, which must keep track of whether information is being used by a valid user or by an intruder. The CSP must provide security and privacy not only for user data but also for the applications deployed by the user on the cloud.

3.3 Organizational Security Management

One of the core frameworks for implementing cloud computing is virtualization, which works on the concept of multi-tenancy: multiple virtual machines reside on a single server shared by multiple users. In a multi-tenant environment, one tenant could be heavily targeted by intruders, which could substantially affect the other tenants. It is also possible that the CSP has a malicious employee in its organization who can take advantage of his or her position and misuse the client's information for amoral purposes [4]. The CSP must ensure that none of its employees is malicious.

4. VULNERABILITIES ON CLOUD

4.1 Core-Technology Vulnerabilities

All cloud services are accessed through a web browser. Web applications, virtualization and cryptography are the core technologies of cloud computing. These core technologies are vulnerable to state-of-the art.
If an attacker is able to enter the virtualized environment of the cloud, he or she will gain full unauthorized access to the server, which will affect the various users connected to that server. An attack on one tenant on a server may also harm the other tenants. To secure data in the cloud, cryptography is required not only when the data is stored but also during transit. If the user uses weak encryption, the data can easily be captured by an intruder and misused. No one can think about using the cloud without good encryption.

4.2 Insecure Interfaces and Application Programming Interfaces

Data in the cloud is usually stored through an application. Malfunctions and errors in the software interface can let an intruder get inside the software and gain unauthorized access to user data. For example, a flaw in Apache allowed an attacker to gain complete control over the web server [5]. These malfunctions exist because of poorly designed or implemented security measures. The software interface must be fully secured against accidental and malicious disclosure.

4.3 Malicious Insiders

A malicious insider is an employee of the CSP who takes advantage of his or her position to obtain the client's private information and misuse it for amoral purposes. It is always a worrying aspect that a clandestine employee can have access to a consumer's data and use private data for their own ends [4]. Sometimes the CSP can also unintentionally act as a malicious party. This insidious form of the malicious insider problem arises through PaaS-based services. If the service provider offers a platform that allows developers to build applications that interact with users' data (e.g. Facebook applications), users may unknowingly give these developers access to all their data. For example, it is well known on the Facebook Platform that once a user adds an application, the application may have the ability to access all of the user's information, if allowed to do so.
Similarly, when a developer adds an application to the Google Play store and a user installs it on a mobile device, the user unknowingly gives it access to private information such as phone status and identity, network access, mobile location and contacts. Even if the application developers are not malicious, this does not mean that the application cannot be hacked.

4.4 Virtualization Issues

Virtualization, the core technology of cloud computing, allows the CSP to host several machine images on a single server, with each machine image allocated to a user dynamically. Ristenpart, Tromer et al. [2] practically demonstrated an attack on the virtualization framework, carried out on Amazon EC2. They reached two conclusions. First, with access to one virtual machine, they could easily map the internal structure of the cloud by having unauthorized access to other virtual machines that are co-resident with the virtual machine they have access to. Secondly, they demonstrated that they were able to intentionally add a virtual machine to the cloud so that it was co-resident with another machine. Finally, they showed that once a machine was co-resident, they would be able to launch several attacks that would allow them to get information regarding CPU cache use, network traffic rates, keystroke timings, etc.

4.5 Data Availability Issue (DoS)

Availability issues arise when the data exists but is made inaccessible to the consumer. The attacker sends a flood of requests to the server so that it is not able to respond to genuine users. Such attacks are called Denial of Service (DoS) attacks: they attempt to flood the service with requests in order to overwhelm it and stop all the services of the server. One of the benefits of cloud computing is that consumers are charged on a pay-per-use basis. Increases in resource consumption, network usage and hardware maintenance are the consequences of a flooding attack. Ultimately this also increases the amount of money the consumer is charged for resource usage. Moreover, these monetary increases have an adverse effect on the operational expenditure of the service provider.

4.6 Internet protocol vulnerabilities

All cloud services are accessed through the Internet via web browsers, using a standard Internet protocol which is untrusted. Cloud computing is prone to all the state-of-the-art vulnerabilities related to the Internet protocol.

4.7 Resource sharing vulnerability

One of the greatest benefits of cloud computing, and one that helps users decrease their expenditure, is resource sharing. The user does not own the resources but rents them and pays per use. Servers, network, storage and software are all used on a shared basis. This reduces the burden on the user of purchasing resources and licensed software. In spite of all these benefits, resource sharing also leads to vulnerability. Resources used by one user will later be allocated to another user. For storage resources, it is quite possible that some temporary data of the previous user remains and that the server cache was not refreshed before the resource was made available to the next user.

4.8 Injection flaws

Injection flaws allow an intruder to send malicious code through the web application into the system or server. Scripts written in Python, Perl or any other programming language can be injected into and executed by an insecure application. When the web application receives an external HTTP request, it must examine it carefully; otherwise an intruder can inject special characters or malicious code into the information, which will then be passed on to the external system for execution. The most common type of injection is SQL injection.
In this type of attack, when an application sends a request to the database, the attacker appends a malicious SQL command to the content of that request and tricks the web application into forwarding fake queries to the database [6]. With a successful SQL injection, an intruder can log in without any authentication process and access the user's private information.

4.9 Security Misconfiguration

The web server and application server are the backbone of a web application. They provide a number of services such as mail, data storage and running web applications. If these servers are not properly managed and configured, a variety of security breaches will follow. Security misconfiguration can happen at the application level, the framework, the web server, the custom code and the platform. Attackers use unpatched flaws and unprotected files and directories to gain illegal access to the system. Default accounts must always be changed, because an attacker can discover the standard admin page and log in with the default passwords [7].

4.10 Insecure cryptographic storage

In the cloud, web applications need to store sensitive information in the database. The information can be a credit card number, account details, usernames and passwords, or any other private information. Therefore, the use of encryption is necessary. Amateur users usually make mistakes when using encryption. Failure to encrypt critical data, insecure storage of keys, certificates and passwords, and poor selection of encryption algorithms are a few of the major mistakes. The database is the backbone of every organization. Databases are usually handled through applications, and in the cloud through web applications. Almost every application is connected to a database; the username and password used to make these connections should be encrypted using a powerful encryption algorithm such as RC4_128 with MD5 for message authentication and RSA as the key exchange mechanism [8], so that no unauthorized user can easily access the user's private data. The web application must have cryptographic support. When a user makes a payment using a credit card or debit card, the personal account number, the cardholder's name and the expiration date should be encrypted when transmitted across different networks [9].

4.11 Authentication and Identity Management

An identity management (IDM) mechanism helps to authenticate users of cloud services on the basis of valid credentials [10]. Existing password-based authentication is not enough to authenticate users. It poses significant risks, and an intruder can easily bypass this authentication process. The following problems arise when the user has weak user authentication mechanisms:

Denial of service due to account lockout: when a user fails to access his or her account after several unsuccessful authentication attempts, the account is usually locked, and the user has to either wait for some time before trying again or ask the service provider to unlock the account. Attackers can take advantage of this lockout and deliberately make such failed authentication attempts to launch DoS attacks against a user.

Insufficient or faulty authorization check: an insufficient or faulty authorization check allows an unauthorized user to access private data and information. URL-guessing attacks, in which a user modifies URLs to gain access to another user's account, result from missing authorization.

4.12 Fraudulent Resource Consumption (FRC) Vulnerability

A consumer uses and pays for cloud services and resources such as bandwidth, storage and CPU hours.

Cloud consumers only pay for the resources they consume and for the time they use such resources. Under the agreement between the cloud service provider (CSP) and the consumer, cloud consumers have to incur all computational costs for all leased resources used, regardless of whether the resources were consumed in good faith. An attacker can perform a distributed denial-of-service (DDoS) attack on the cloud services and resources. An attacker can consume the metered bandwidth of cloud services, thus increasing the consumer's financial burden. This is the fraudulent resource consumption (FRC) attack [11]. Whenever the cloud service provider receives a request, it is always serviced with a reply, which places a financial burden on the cloud consumer. The cloud consumer (the victim) incurs a cost every time a cloud application (the attack target) services a reply. Malicious use is more burdensome, because the additional bandwidth used has no associated business value. CSPs don't monitor how many times a consumer uses the applications, so it is up to the cloud consumer to prevent, monitor, and respond to such fraudulent behavior [12].

5. CONCLUSIONS

Cloud computing is one of the emerging technologies in use today. It offers numerous advantages to enterprises. It is a much more flexible and scalable solution: fast, flexible, robust and scalable. It is cost-effective and economical because a user is charged only for what he or she utilizes. It provides software, platform and infrastructure as a service to the user. The user does not need a big IT infrastructure to run costly business applications and does not need to purchase licensed software to use it. The user can rent these and pay for them on a pay-per-use basis. Security is a major concern for cloud computing providers.
Both the user and the cloud service provider are equally responsible for security. These responsibilities differ with the kind of cloud service being consumed. Service providers have the responsibility to ensure that proper security and isolation protections are in place against data loss, misuse, or privacy violation within the cloud. One of the main concerns of users in the cloud environment is data security and privacy. The huge amount of data and resources available in the cloud makes it an ideal place for attackers to exploit when data moves to the cloud. The customer has to decide whether to store important files in a single storage location or replicate them across multiple storage locations. Indeed, it is a good idea to keep important files and data geographically distributed, to protect against unavailability caused by natural disasters, power shortages or a DoS attack. Some of today's cloud providers (such as Amazon) allow their customers to choose where to store and replicate their data. The main theme of this paper is that the cloud consumer should also know about the vulnerabilities associated with the cloud. This does not mean that these vulnerabilities cannot be removed. The CSP should provide some degree of control to the consumer, and it is necessary that consumer and CSP have faith and confidence in each other.

References

[1] P. Mell and T. Grance, The NIST Definition of Cloud Computing, National Institute of Standards and Technology, Information Technology Laboratory, Technical Report Version September
[2] T. Ristenpart and E. Tromer et al., Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, ACM Conference on Computer and Communications Security CCS'09. Nov
[3] K. M. Khan and Q. Malluhi, Trust in Cloud Services: Providing More Controls to Clients, Qatar University, published by the IEEE Computer Society, 2013,
[4] P. Wong. Conversations About the Internet #5: Anonymous Facebook Employee, The Rumpus. Jan url:
[5] C. Ho. Apache flaw opens systems up to attack, ZDNet UK. Mar url:
[6] The Open Web Application Security Project (OWASP), A Injection Flaws, url: _Flaws.
[7] The Open Web Application Security Project (OWASP), Top A6-Security misconfiguration, url: Security_Misconfiguration.
[8] N. Sharma and V. S. Rathore, Different Data Encryption Methods Used in Secure Auto Teller Machine Transactions, International Journal of Engineering and Advanced Technology (IJEAT) ISSN: , Volume-1, Issue-4, April
[9] Payment Card Industry Data Security Standard, Navigating the PCI DSS, PCI Security Standard Council LLC: October 2010, url: gating_dss_v20.pdf.
[10] E. Bertino, F. Paci and R. Ferrini, Privacy-Preserving Digital Identity Management for Cloud Computing, IEEE Computer Society Data Engineering Bulletin, Mar. 2009, pp
[11] J. Idziorek, M. Tannian and D. Jacobson, Detecting Fraudulent Use of Cloud Resources, Proc. 3rd ACM Workshop on Cloud Computing Security Workshop (CCSW 11), ACM, 2011, pp
[12] J. Idziorek, M. F. Tannian and Doug Jacobson, "The Insecurity of Cloud Utility Models," IT Professional, vol. 15, no. 2, pp , March-April
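Added example (not part of the original paper) for the "Injection flaws" and "Insecure cryptographic storage" sections: a login check that builds its query by string formatting over clear-text passwords, next to a version that binds parameters and stores only a salted PBKDF2 hash. The schema, account names, crafted input and the choice of PBKDF2-HMAC-SHA256 are assumptions of this example.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example

# Constructed input: the quote ends the string literal and "--" comments out
# the rest of the statement, including the password test.
CRAFTED_USERNAME = "alice' --"


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    # "Before" schema: passwords stored in the clear.
    conn.execute("CREATE TABLE users_legacy (username TEXT PRIMARY KEY, password TEXT)")
    # "After" schema: a per-user random salt and the derived hash only.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in (("alice", "correct horse"), ("bob", "battery staple")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users_legacy VALUES (?, ?)", (name, pw))
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, derive(pw, salt)))
    return conn


def login_vulnerable(conn, username, password):
    """BEFORE: request data is pasted into the SQL text and becomes SQL syntax."""
    sql = ("SELECT username FROM users_legacy "
           f"WHERE username = '{username}' AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """AFTER: the value is bound as data; the password is verified against a hash."""
    row = conn.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        derive(password, b"\x00" * 16)  # same work for unknown users
        return None
    name, salt, stored = row
    # Constant-time comparison of the derived hash with the stored one.
    return name if hmac.compare_digest(derive(password, salt), stored) else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, crafted input:", login_vulnerable(db, CRAFTED_USERNAME, "x"))
    print("hardened,   crafted input:", login_hardened(db, CRAFTED_USERNAME, "x"))
    print("hardened,   valid login  :", login_hardened(db, "alice", "correct horse"))
```

With the bound parameter the crafted string is simply a username that does not exist, so no row is returned and the password check never succeeds.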
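Added example (not part of the original paper) for "Control over billing" and the "Fraudulent Resource Consumption (FRC) Vulnerability" section: a consumer-side review of metered egress that flags days far above the usage baseline and reports when month-to-date cost passes a self-imposed cap. The log format, price per GB, cap, thresholds and sample lines are all assumptions constructed for this example.

```python
from collections import defaultdict
from statistics import median

GB = 1_000_000_000
PRICE_PER_GB = 0.09      # assumed egress price in USD, not taken from the paper
MONTHLY_CAP_USD = 4.00   # assumed bill limit chosen by the consumer
SPIKE_FACTOR = 3.0       # a day is flagged above 3x the median of earlier days
MIN_HISTORY = 3          # days of history needed before a baseline exists

# Constructed access log: "<date> <client> <path> <bytes_sent>"
SAMPLE_LOG = [
    "2014-03-01 192.0.2.10 /app/report 1000000000",
    "2014-03-01 198.51.100.7 /app/export 1000000000",
    "2014-03-02 192.0.2.10 /app/report 1200000000",
    "2014-03-02 198.51.100.7 /app/export 800000000",
    "2014-03-03 192.0.2.10 /app/report 1000000000",
    "2014-03-03 192.0.2.44 /app/export 1500000000",
    "2014-03-04 192.0.2.10 /app/report 1000000000",
    "corrupted line without byte count",
] + ["2014-03-04 203.0.113.99 /app/export 1000000000"] * 40


def parse_line(line):
    """Return (day, client, bytes) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    day, client, _path, nbytes = parts
    return day, client, int(nbytes)


def daily_usage(lines):
    """Aggregate bytes sent per day and per client; count skipped lines."""
    usage = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        day, client, nbytes = rec
        usage[day][client] += nbytes
    return usage, skipped


def review(lines):
    """Per-day findings: volume, spike flag, cap flag and heaviest client."""
    usage, skipped = daily_usage(lines)
    findings, history = [], []
    month, month_cost = None, 0.0
    for day in sorted(usage):
        if day[:7] != month:          # new billing month: reset running cost
            month, month_cost = day[:7], 0.0
        clients = usage[day]
        day_gb = sum(clients.values()) / GB
        month_cost += day_gb * PRICE_PER_GB
        baseline = median(history) if len(history) >= MIN_HISTORY else None
        spike = baseline is not None and day_gb > SPIKE_FACTOR * baseline
        top_client, top_bytes = max(clients.items(), key=lambda kv: kv[1])
        findings.append({
            "day": day,
            "gb": day_gb,
            "spike": spike,
            "over_cap": month_cost > MONTHLY_CAP_USD,
            "month_cost": round(month_cost, 3),
            "top_client": top_client,
            "top_share": top_bytes / sum(clients.values()),
        })
        if not spike:                 # flagged days do not shift the baseline
            history.append(day_gb)
    return findings, skipped


if __name__ == "__main__":
    results, bad = review(SAMPLE_LOG)
    for f in results:
        print(f)
    print("malformed lines skipped:", bad)
```

A flagged day names the client responsible for most of the volume, which is the starting point for rate limiting or blocking before the bill grows further.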

A Survey on Cloud Security Issues and Techniques

A Survey on Cloud Security Issues and Techniques A Survey on Cloud Security Issues and Techniques Garima Gupta 1, P.R.Laxmi 2 and Shubhanjali Sharma 3 1 Department of Computer Engineering, Government Engineering College, Ajmer Guptagarima09@gmail.com

More information

Security Considerations for Public Mobile Cloud Computing

Security Considerations for Public Mobile Cloud Computing Security Considerations for Public Mobile Cloud Computing Ronnie D. Caytiles 1 and Sunguk Lee 2* 1 Society of Science and Engineering Research Support, Korea rdcaytiles@gmail.com 2 Research Institute of

More information

A SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS

A SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS A SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS *Dr Umesh Sehgal, #Shalini Guleria *Associate Professor,ARNI School of Computer Science,Arni University,KathagarhUmeshsehgalind@gmail.com

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Keyword: Cloud computing, service model, deployment model, network layer security.

Keyword: Cloud computing, service model, deployment model, network layer security. Volume 4, Issue 2, February 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com An Emerging

More information

International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May-2015 1681 ISSN 2229-5518

International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May-2015 1681 ISSN 2229-5518 International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May-2015 1681 Software as a Model for Security in Cloud over Virtual Environments S.Vengadesan, B.Muthulakshmi PG Student,

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

Security Issues In Cloud Computing and Countermeasures

Security Issues In Cloud Computing and Countermeasures Security Issues In Cloud Computing and Countermeasures Shipra Dubey 1, Suman Bhajia 2 and Deepika Trivedi 3 1 Department of Computer Science, Banasthali University, Jaipur, Rajasthan / India 2 Department

More information

Cloud Computing for SCADA

Cloud Computing for SCADA Cloud Computing for SCADA Moving all or part of SCADA applications to the cloud can cut costs significantly while dramatically increasing reliability and scalability. A White Paper from InduSoft Larry

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

A Review on Cloud Computing Vulnerabilities

A Review on Cloud Computing Vulnerabilities A Review on Cloud Computing Vulnerabilities Ms. Sugandha Nandedkar, Ms.Sangeeta Kakarwal Asst.Prof., Department of Computer Science and Engineering, DIEMS /Dr. BAMU, Aurangabad, MH, India. Prof. and HOD,

More information

Data Integrity Check using Hash Functions in Cloud environment

Data Integrity Check using Hash Functions in Cloud environment Data Integrity Check using Hash Functions in Cloud environment Selman Haxhijaha 1, Gazmend Bajrami 1, Fisnik Prekazi 1 1 Faculty of Computer Science and Engineering, University for Business and Tecnology

More information

Cloud security and OpenStack Primož Cigoj Laboratorij za odprte sisteme in mreže IJS-E5. www.kc-class.eu

Cloud security and OpenStack Primož Cigoj Laboratorij za odprte sisteme in mreže IJS-E5. www.kc-class.eu Cloud security and OpenStack Primož Cigoj Laboratorij za odprte sisteme in mreže IJS-E5 www.kc-class.eu 1 1 Outline Cloud computing General overview Deployment and service models Security issues Threats

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011

A Survey on Security Issues in Service Delivery Models of Cloud Computing

S. Subashini and V. Kavitha (2011) Presented by: Anthony Postiglione Outline Introduction What is Cloud Computing Pros/Cons of

SHARPCLOUD SECURITY STATEMENT

Summary Provides details of the SharpCloud Security Architecture Authors: Russell Johnson and Andrew Sinclair v1.8 (December 2014) Contents Overview... 2 1. The SharpCloud

Privacy Preserving Public Auditing for Data in Cloud Storage

M.Priya 1, E. Anitha 2, V.Murugalakshmi 3 M.E, Department of CSE, Karpagam University, Coimbatore, Tamilnadu, India 1, 3 M.E, Department of

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications

yvette@yvetteagostini.it yvette@yvetteagostini.it

1 The following is merely a collection of notes taken during works, study and just-for-fun activities No copyright infringements intended: all sources are duly listed at the end of the document This work

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

Cloud Computing. Chapter 1 Introducing Cloud Computing

Cloud Computing Chapter 1 Introducing Cloud Computing Learning Objectives Understand the abstract nature of cloud computing. Describe evolutionary factors of computing that led to the cloud. Describe virtualization

Thick Client Application Security

Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two

A Decision Maker's Guide to Securing an IT Infrastructure

A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

Security Issues in Cloud Computing

Dr. A. Askarunisa Professor and Head Vickram College of Engineering, Madurai, Tamilnadu, India N.Ganesh Sr.Lecturer Vickram College of Engineering, Madurai, Tamilnadu,

Tufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao Guocui.gao@tufts.

Tufts University Department of Computer Science COMP 116 Introduction to Computer Security Fall 2014 Final Project Investigating Security Issues in Cloud Computing Guocui Gao Guocui.gao@tufts.edu Mentor:

CLOUD COMPUTING. DAV University, Jalandhar, Punjab, India. DAV University, Jalandhar, Punjab, India

CLOUD COMPUTING 1 Er. Simar Preet Singh, 2 Er. Anshu Joshi 1 Assistant Professor, Computer Science & Engineering, DAV University, Jalandhar, Punjab, India 2 Research Scholar, Computer Science & Engineering,

Running head: TAKING A DEEPER LOOK AT THE CLOUD: SOLUTION OR 1

Taking a Deeper Look at the Cloud: Solution or Security Risk? LoyCurtis Smith East Carolina University TAKING A DEEPER LOOK AT THE CLOUD:

What is Web Security? Motivation

brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

Mobile Cloud Computing Security Considerations

보안공학연구논문지 (Journal of Security Engineering), Vol. 9, No. 2, April 2012 Mobile Cloud Computing Security Considerations Soeung-Kon(Victor) Ko 1), Jung-Hoon Lee 2), Sung Woo Kim 3) Abstract Building applications

Addressing Cloud Computing Security Concerns

pp. 196-200 Krishi Sanskriti Publications http://www.krishisanskriti.org/acsit.html Addressing Cloud Computing Security Concerns Vasundhara Bhatia 1, NehaPrabhakar 2 and SumatiManchanda 3 1,2,3 Amity School

A Study on Analysis and Implementation of a Cloud Computing Framework for Multimedia Convergence Services

Ronnie D. Caytiles and Byungjoo Park * Department of Multimedia Engineering, Hannam University

SECURITY THREATS TO CLOUD COMPUTING

IMPACT: International Journal of Research in Engineering & Technology (IMPACT: IJRET) ISSN(E): 2321-8843; ISSN(P): 2347-4599 Vol. 2, Issue 3, Mar 2014, 101-106 Impact Journals SECURITY THREATS TO CLOUD

Security Issues in Cloud Computing

Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) Introduction to Cloud Security. Taniya

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 6464(Print)

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

Securing SaaS Applications: A Cloud Security Perspective for Application Providers

Software as a Service [SaaS] is rapidly emerging as the dominant delivery model for meeting the needs of enterprise

Cloud Database Storage Model by Using Key-as-a-Service (KaaS)

www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume 4 Issue 7 July 2015, Page No. 13284-13288 Cloud Database Storage Model by Using Key-as-a-Service (KaaS) J.Sivaiah

Verifying Correctness of Trusted data in Clouds

Volume-3, Issue-6, December-2013, ISSN No.: 2250-0758 International Journal of Engineering and Management Research Available at: www.ijemr.net Page Number: 21-25 Verifying Correctness of Trusted data in

1.1.1 Introduction to Cloud Computing

1 CHAPTER 1 INTRODUCTION 1.1 CLOUD COMPUTING 1.1.1 Introduction to Cloud Computing Computing as a service has seen a phenomenal growth in recent years. The primary motivation for this growth has been the

Table of Contents. Application Vulnerability Trends Report 2013. Introduction. 99% of Tested Applications Have Vulnerabilities

Application Vulnerability Trends Report : 2013 Table of Contents Introduction 99% of Tested Applications Have Vulnerabilities Cross Site Scripting Tops a Long List of Vulnerabilities

Keywords Cloud Storage, Error Identification, Partitioning, Cloud Storage Integrity Checking, Digital Signature Extraction, Encryption, Decryption

Partitioning Data and Domain Integrity Checking for Storage - Improving Cloud Storage Security Using Data Partitioning Technique Santosh Jogade *, Ravi Sharma, Prof. Rajani Kadam Department Of Computer

NCTA Cloud Architecture

Course Specifications Course Number: 093019 Course Length: 5 days Course Description Target Student: This course is designed for system administrators who wish to plan, design,

Chapter 1: Introduction

Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure

Security & Trust in the Cloud

Ray Trygstad Director of Information Technology, IIT School of Applied Technology Associate Director, Information Technology & Management Degree Programs Cloud Computing Primer

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

Cloud Computing and Attacks

Joseph Spring School of Computer Science 7COM1027 - Distributed Systems Security 1 Areas for Discussion Cloud Computing Attacks Firewalls 2 Cloud Computing A Cloud is a large

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications

Cloud Computing. Benefits and Risks. Bill Wells, CISSP, CISM, CISA, CRISC, CIPP/IT bill.wells@transamerica.com

Cloud Computing Benefits and Risks Bill Wells, CISSP, CISM, CISA, CRISC, CIPP/IT bill.wells@transamerica.com 10/3/2012 1 Let's make sure we're all talking about the same thing. WHAT IS CLOUD COMPUTING?

Security Issues On Cloud Computing

Pratibha Tripathi #1, Mohammad Suaib #2 1 M.Tech(CSE), Second year 2 Research Guide # Department of Computer Science and Engineering Abstract Integral University, Lucknow

ISSN: 2321-7782 (Online) Volume 2, Issue 5, May 2014 International Journal of Advance Research in Computer Science and Management Studies

Research Paper Available online at: www.ijarcsms.com Analogous

Public Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

Public Clouds Krishnan Subramanian Analyst & Researcher Krishworld.com A whitepaper sponsored by Trend Micro Inc. Introduction Public clouds are the latest evolution of computing, offering tremendous value

Module 1: Facilitated e-learning

CHAPTER 3: OVERVIEW OF CLOUD COMPUTING AND MOBILE CLOUDING: CHALLENGES AND OPPORTUNITIES FOR CAs... 3 PART 1: CLOUD AND MOBILE COMPUTING... 3 Learning Objectives... 3 1.1

SERENA SOFTWARE Serena Service Manager Security

2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand

Improving Web Application Security by Eliminating CWEs Weijie Chen, China INFSY 6891 Software Assurance Professor Dr. Maurice Dawson 15 December 2015

ABSTRACT This study examined improving web

Clouds on the Horizon Cloud Security in Today's DoD Environment. Bill Musson Security Analyst

Clouds on the Horizon Cloud Security in Today's DoD Environment Bill Musson Security Analyst Agenda O Overview of Cloud architectures O Essential characteristics O Cloud service models O Cloud deployment

Effective End-to-End Cloud Security

Securing Your Journey to the Cloud Trend Micro SecureCloud A Trend Micro & VMware White Paper August 2011 I. EXECUTIVE SUMMARY This is the first paper of a series of

Criteria for web application security check. Version 2015.1

Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT

Chandramohan Muniraman, University of Houston-Victoria, chandram@houston.rr.com Meledath Damodaran, University of Houston-Victoria, damodaranm@uhv.edu

FileCloud Security FAQ

FileCloud Security FAQ is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on FileCloud for their file

Cloud Security Who do you trust?

Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect 2 Cloud Security Who do you trust? Cloud

OWASP Top Ten Tools and Tactics

Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),

05.0 Application Development

Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

Orchestrating the New Paradigm Cloud Assurance

Amsterdam 17 January 2012 John Hermans - Partner Current business challenges versus traditional IT Organizations are challenged with: Traditional IT seems

Cloud-Security: Show-Stopper or Enabling Technology?

Fraunhofer Institute for Secure Information Technology (SIT) Technische Universität München Open Grid Forum, 16.3,. 2010, Munich Overview 1. Cloud Characteristics

A Survey on Security Issues and Security Schemes for Cloud and Multi-Cloud Computing

International Journal of Emerging Engineering Research and Technology Volume 3, Issue 5, May 2015, PP 1-7 ISSN 2349-4395 (Print) & ISSN 2349-4409 (Online) A Survey on Security Issues and Security Schemes

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

Security Information & Policies

01 Table of Contents OVERVIEW CHAPTER 1 : CHAPTER 2: CHAPTER 3: CHAPTER 4: CHAPTER 5: CHAPTER 6: CHAPTER 7: CHAPTER 8: CHAPTER 9: CHAPTER 10: CHAPTER 11: CHAPTER 12: CHAPTER

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals

Cloud Computing Security Issues And Methods to Overcome

Manas M N 1, Nagalakshmi C K 2, Shobha G 3 MTech, Computer Science & Engineering, RVCE, Bangalore, India 1,2 Professor & HOD, Computer Science &

SPICE EduGuide EG0015 Security of Administrative Accounts

This SPICE EduGuide applies to HSC information systems, specifically Administrative login accounts; (aka Admin accounts) and the faculty, staff and students who use them. Admin accounts are logon IDs and

IJOART. 1. Introduction. 2. Evolution of Cloud Services

International Journal of Advancements in Research & Technology, Volume 4, Issue 2, February -2015 81 An analysis of Security Attacks on Cloud wrt SaaS Ms. Shaheen Ayyub, Mr. Praveen Kaushik Research Scholar

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Cloud Security Through Threat Modeling Robert M. Zigweid Director of Services for IOActive 1 Key Points Introduction Threat Model Primer Assessing Threats Mitigating Threats Sample Threat Model Exercise

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

ABSTRACT: [Type text] Page 2109

International Journal Of Scientific Research And Education Volume 2 Issue 10 Pages-2109-2115 October-2014 ISSN (e): 2321-7545 Website: http://ijsae.in ABSTRACT: Database Management System as a Cloud Computing

Risks and Challenges

Cloud and Mobile Security: Risks and Challenges Chong Sau Wei (CISM) chong@scan associates.net General Manager Managed Security Services SCAN Associates Berhad Seminar e Kerajaan Negeri Pulau Pinang 14

Cloud Security Introduction and Overview

Introduction and Overview Klaus Gribi Senior Security Consultant klaus.gribi@swisscom.com May 6, 2015 Agenda 2 1. Cloud Security Cloud Evolution, Service and Deployment models Overview and the Notorious

Vormetric Data Security Securing and Controlling Data in the Cloud

Vormetric, Inc. Tel: 888.267.3732 Email: sales@vormetric.com www.vormetric.com Table of Contents Executive Summary

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

Hacking Database for Owning your Data

1 Introduction By Abdulaziz Alrasheed & Xiuwei Yi Stealing data is becoming a major threat. In 2012 alone, 500 fortune companies were compromised causing lots of money

Whitepaper. What You Need to Know About Infrastructure as a Service (IaaS) Encryption

Whitepaper What You Need to Know About Infrastructure as a Service (IaaS) Encryption What You Need to Know about IaaS Encryption What You Need to Know About IaaS Encryption Executive Summary In this paper,

Application Security Testing. Generic Test Strategy

Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication

Application Based Access Control on Cloud Networks for Data Security

Ms. Smitha P M.Tech in DCN, Department of ECE GSSSIETW, Mysuru Karnataka, India Smitha.21sn@gmail.com Mrs. Manjula G Associate. Professor,

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH VORAPOJ.L@G-ABLE.COM. Agenda. Security Cases What is Cloud? Road Map Security Concerns

BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH VORAPOJ.L@G-ABLE.COM Agenda Security Cases What is Cloud? Road Map Security Concerns 1 Security Cases on Cloud Data Protection - Two arrested in ipad

Optimizing Service Levels in Public Cloud Deployments

WHITE PAPER OCTOBER 2014 Optimizing Service Levels in Public Cloud Deployments Keys to Effective Service Management 2 WHITE PAPER: OPTIMIZING SERVICE LEVELS IN PUBLIC CLOUD DEPLOYMENTS ca.com Table of

Threat Modeling Cloud Applications

What You Don't Know Will Hurt You Scott Matsumoto Principal Consultant smatsumoto@cigital.com Software Confidence. Achieved. www.cigital.com info@cigital.com +1.703.404.9293

Mobile Cloud Computing In Business

Nilam S. Desai Smt. Chandaben Mohanbhai Patel Institute of Computer Applications, Charotar University of Science and Technology, Changa, Gujarat, India ABSTRACT Cloud

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage

Information Security Services

Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

How To Protect Your Cloud Computing Resources From Attack

Security Considerations for Cloud Computing Steve Ouzman Security Engineer AGENDA Introduction Brief Cloud Overview Security Considerations ServiceNow Security Overview Summary Cloud Computing Overview

Addressing Data Security Challenges in the Cloud

Coordinate Security. The Need for Cloud Computing Security A Trend Micro White Paper July 2010 I. INTRODUCTION Enterprises increasingly recognize cloud

D. L. Corbet & Assoc., LLC

Demystifying the Cloud OR Cloudy with a Chance of Data D. L. Corbet & Assoc., LLC thelinuxguy@donet.com Why 'The Cloud' Common Clouds Considerations and Risk Why 'The Cloud' Distributed Very Large / Very

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015

Identity & Management The Cloud Perspective Andrea Themistou 08 October 2015 Agenda Cloud Adoption Benefits & Risks Security Evolution for Cloud Adoption Securing Cloud Applications with IAM Securing Cloud

Information Technology: This Year's Hot Issue - Cloud Computing

Presented by: Alan Sutin Global IP & Technology Practice Group GREENBERG TRAURIG, LLP ATTORNEYS AT LAW WWW.GTLAW.COM 2011. All rights reserved.

THE BLUENOSE SECURITY FRAMEWORK

Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them

Enterprise Security Critical Standards Summary

The following is a summary of key points in the Orange County Government Board of County Commissioners (OCGBCC) security standards. It is necessary for vendors

Analysis of Cloud Computing Vulnerabilities

International Journal of Innovation and Scientific Research ISSN 2351-8014 Vol. 2 No. 2 Jun. 2014, pp. 308-312 2014 Innovative Space of Scientific Research Journals http://www.ijisr.issr-journals.org/
