CLOUD COMPUTING: SECURITY THREATS AND MECHANISM

Transcription

1 CLOUD COMPUTING: SECURITY THREATS AND MECHANISM Vaishali Jshi 1, Lakshmi 2, Vivek Gupta 3 1,2,3 Department f Cmputer Science Engineering, Acrplis Technical Campus, Indre ABSTRACT Clud cmputing is a mdel fr enabling cnvenient, n-demand netwrk access t a shared pl f cnfigurable cmputing resurces (e.g., netwrks, servers, strage, applicatins, and services) that can be rapidly prvisined and released with minimal management effrt r service prvider interactin. Clud cmputing is a significant advancement in the delivery f infrmatin technlgy and services. This paper explains the security threats and security mechanism in clud cmputing, and utlines what are the majr security cncerns which are stpping the rganizatin frm mving cmpletely t clud. Keywrds: Clud Cmputing, SaaS, PaaS, IaaS, Security, Threat, Mechanism I. INTRODUCTION Clud cmputing is a significant advancement in the delivery f infrmatin technlgy and services. By prviding n demand access t a shared pl f cmputing resurces in a self-service, dynamically scaled and metered manner, clud cmputing ffers cmpelling advantages in speed, agility and efficiency. With Clud Cmputing users can access database resurces via the Internet frm anywhere, fr as lng as they need, withut wrrying abut any maintenance r management f actual resurces. Five Essential Characteristics f clud cmputing are: On-demand self service Users are able t prvisin, mnitr and manage cmputing resurces as needed withut the help f human administratrs Brad netwrk access Cmputing services are delivered ver standard netwrks and hetergeneus devices Rapid elasticity IT resurces are able t scale ut and in quickly and n an as needed basis Resurce pling IT resurces are shared acrss multiple applicatins and tenants in a nn-dedicated manner Measured service IT resurce utilizatin is tracked fr each applicatin and tenant, typically fr public clud billing r private clud chargeback 1.1 Service mdel fr Clud Cmputing Infrastructure-as-a-Service (IaaS) Infrastructure-as-a-Service is the first layer and fundatin f clud cmputing. Using this service mdel, yu manage yur applicatins, data, perating system, middleware and runtime. The service prvider manages yur virtualizatin, servers, netwrking and strage. This allws yu t avid expenditure n hardware and human capital; reduce yur ROI risk; and streamline and autmate scaling. An example f a typical need fr this mdel 105 P a g e

2 is smene wh needs extra data space fr prcessing pwer n ccasin. Infrastructure-as-a-Service allws yu t easily scale based n yur needs and yu nly pay fr the resurces used.. Platfrm-as-a-Service (PaaS) This clud service mdel culd be cnsidered the secnd layer. Yu manage yur applicatins and data and the clud vendr manages everything else. Benefits fr using Platfrm-as-a-Service include streamlined versin deplyment and the ability t change r upgrade and minimize expenses. One ppular Platfrm-as-a-Service is the Ggle app engine.a business with limited resurces interested in app testing r develpment might find Platfrm-as-a-Service beneficial t eliminate csts f upkeep fr hardware. In this mdel, yur business benefits because it is nt necessary t hire peple t maintain these systems. A scalable prcessing center is available at yur dispsal t use as yu need (again, yu nly pay fr what yu use). Sftware-as-a-Service (SaaS) This is the final layer f the clud services mdel. This allws yur business t run prgrams in the clud where all prtins are managed by the clud vendr. Yur users will have assured cmpatibility and easier cllabratin because all will be using the same sftware. Yur cmpany wn t need t pay extra licensing fees and yu can easily add new users. As cnsumers we interact with Sftware-as-a-Service based applicatins everyday withut even realizing it. Examples f this are nline banking and such as Gmail and Htmail. Fig.1: Clud Architecture 1.2 Clud Structures There are three primary deplyment mdels fr clud services: Private cluds, whether perated and hsted by enterprise IT department r by an external prvider, are fr the exclusive use f the rganizatin. Public cluds are pen t any number f rganizatins and individual users n a shared basis. Using a public clud minimizes initial capital investment and cmbines agility and efficiency with massive scalability. Hybrid cluds link private and public cluds, prviding access t extra resurces when the private clud hits maximum utilizatin r, a hybrid clud might split cmputing by tier between private and public cluds. II. CLOUD COMPUTING SECURITY There are majr securities cncerns which are stpping the rganizatin frm mving cmpletely t clud are: Is my data secure n clud? Can ther access my cnfidential data? What if an attacker brings dwn my applicatin which is hsted n clud? 106 P a g e

3 2.1 Key cncept in infrmatin security is CIA (Cnfidentiality, Integrity, Availability) triad. Cnfidentiality: ensures that yur data is cnfidential, unauthrized user can nt access yur data nly authrized user can access the data. Integrity: ensures that yur data remains as it is s n unauthrized user can change yur data. Availability: ensures that yur data, applicatin & services are always available t authrized users. 2.1 Security Cncerns in Clud Cmputing Multitenancy: Single server hst multiple VM Same infrmatin is shared by different rganizatin and VM might be cllcated in a single server. When multiple rganizatins have varius frm f security plicy hw des clud prvider make sure that each cmpany s security plicy is fulfilled. Velcity f attack: Infrastructure is huge s the surface which is available fr attack is huge that s why velcity f attack is als higher s because f this ptential lss is als high, because if 1 VM is attack the entire infrastructure might get attack. Infrmatin assurance and data wnership: In case f clud cmputing envirnment data and applicatin are hsted by clud service prvider s the clud service prvider has access t data but the wner is nt the CSP, the rganizatin is wner s hw t make sure that yur data is accessed nly by the authrized user and ensuring that the cnfidentiality is maintained. Data Privacy: T make sure that privacy f data is ensured in clud envirnment because multiple enterprises and multiple users might be using the same infrastructure and might have access the data s it is imprtant t make sure that privacy f data is maintained. 2.2 Clud Security Threats VM theft: is vulnerability which enable attacker t cpy a VM and use it fr attacking the rest f infrastructure. VM is nthing but a file s VM is saved as a file in virtual envirnment s if a file desn t have prper access privileges an authrized user can cpy yur VM file and use it fr attacking. S hyper jacking enables attackers t install VM mnitr that can take cntrl f the underline server resurces. Hyper wiser is a cmpnent that virtualized a server. Hyper jacking is an attack which takes cntrl ver the hyper wiser that creates the virtual envirnment within a VM hst. Data Leakage: Cnfidential data stred n a third party clud n is ptentially vulnerable t unauthrized access r manipulatin. Denial f service attack: It is an attempt t prevent legitimate users frm accessing a resurce r service. III. CLOUD SECURITY MECHANISM Cmpute and netwrk security Secure data at rest Identity and access management Risk analysis and cmpliance 107 P a g e

4 3.1 Security at Cmpute Level It includes Securing physical server Securing hypervisr Securing VMs VM islatin VM hardening Securing at guest OS level Guest OS hardening Securing at applicatin level Applicatin hardening 3.2 Securing Data-at-Rest Data-at- rest Data which is nt being transferred ver a netwrk Encryptin f Data-at-rest Prvides cnfidentiality and integrity services Reduces legal liabilities f a CSP due t an unauthrized disclsure f data at its clud. Full disk encryptin is a key methd t encrypt data at rest residing n a disk. 3.3 Identity and Access Management One time passwrd Every new access requires new passwrd A measure against passwrd cmprmises. Federated identity management is prvided as a service n clud Enables rganizatin t authenticate their users f clud service using the chsen identity prvider User identities acrss different rganizatin can be managed tgether t enable cllabratin n clud. 3.4 Risk Assessment Aim t identify ptential risks while perating n clud envirnment Shuld be perfrmed befre mving t a clud Used t determine the actual scpe fr clud adptin Cmpliance Clud adptin and peratin fr enterprise business need t abide by cmpliance plicies Types f cmpliance Internal plicy cmpliance Cntrls the nature f IT peratins within rganizatin Needs t maintain same cmpliance even when perating in clud External Regulatry cmpliance Includes legal legislatins and identity regulatins 108 P a g e

5 Cntrls the nature f IT peratin related t flw f data ut f an rganizatin May differs based n the type f infrmatin, business etc. IV. CONCLUSION Clud cmputing represents an exciting pprtunity t bring n-demand applicatins t custmers in an envirnment f reduced risk and enhanced reliability. Clud cmputing is particularly valuable t small and medium businesses, where effective and affrdable IT tls are critical t helping them becme mre prductive withut spending lts f mney n in-huse resurces and technical equipment. By adpting varius mechanism f clud cmputing security and take prper measure t avid threats in clud cmputing security, rganizatin can easily adapt themselves in clud envirnment. REFERENCES [1] Clud Applicatin Architectures: Building Applicatin by Gerge Reese. [2] Clud Cmputing: Web-Based Applicatins That Change the Way Yu Wrk and Cllabrate Online by Michael Miller [3] Grssman, R. L. The case f clud cmputing, prc. f IEEE Educatinal Activities Department, Piscataway, NJ, USA vl. 11, Issue 2, pp , March, [4] M. D. Dikaiaks, D. Katsars, G. Pallis, A. Vakali, P. Mehra: Guest Editrs Intrductin: "Clud Cmputing, IEEE Internet Cmputing [5] Luis M. Vaquer et al., A Break in the Cluds: Tward a Clud Definitin, ACM SIGCOMM Cmputer Cmmunicatin Review, Vlume 39, Issue 1 (January 2009) [6] L. Kleinrck. A visin fr the Internet. ST Jurnal f Research, 2(1):4-5, Nv P a g e