Security Issues On Cloud Computing



Similar documents

Cloud Computing. Course: Designing and Implementing Service Oriented Business Processes

White Paper on CLOUD COMPUTING

CLOUD COMPUTING SECURITY ISSUES

Business Intelligence (BI) Cloud. Prepared By: Pavan Inabathini

See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models.

Managing Cloud Computing Risk

Security Issues in Cloud Computing

Cloud definitions you've been pretending to understand. Jack Daniel, Reluctant CISSP, MVP Community Development Manager, Astaro

Cloud Security Introduction and Overview

IS PRIVATE CLOUD A UNICORN?

Cloud Computing - Architecture, Applications and Advantages

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Addressing Data Security Challenges in the Cloud

Security Issues in Cloud Computing

The NIST Definition of Cloud Computing (Draft)

6 Cloud computing overview

Cloud Infrastructure Security

Cloud Computing Security Issues And Methods to Overcome

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Cloud Computing Service Models, Types of Clouds and their Architectures, Challenges.

Security Considerations for Public Mobile Cloud Computing

Customer Security Issues in Cloud Computing

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS

What Cloud computing means in real life

Data Storage Security in Cloud Computing

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

Technology & Business Overview of Cloud Computing

East African Information Conference th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

Tufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao

Cloud Computing; What is it, How long has it been here, and Where is it going?

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Data Protection for the Masses

AskAvanade: Answering the Burning Questions around Cloud Computing

Verifying Correctness of Trusted data in Clouds

The NIST Definition of Cloud Computing

Secure Cloud Computing through IT Auditing

IaaS Cloud Architectures: Virtualized Data Centers to Federated Cloud Infrastructures

Capturing the New Frontier:

How To Secure Cloud Computing

Grid Computing Vs. Cloud Computing

CLOUD COMPUTING. Keywords: Cloud Computing, Data Centers, Utility Computing, Virtualization, IAAS, PAAS, SAAS.

A Study on Service Oriented Network Virtualization convergence of Cloud Computing

A white paper from Fordway on CLOUD COMPUTING. Why private cloud should be your first step on the cloud computing journey - and how to get there

Essential Characteristics of Cloud Computing: On-Demand Self-Service Rapid Elasticity Location Independence Resource Pooling Measured Service

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

International Journal of Innovative Technology & Adaptive Management (IJITAM) ISSN: , Volume-1, Issue-5, February 2014

20 th Year of Publication. A monthly publication from South Indian Bank.

John Essner, CISO Office of Information Technology State of New Jersey

Chapter 1: Introduction

A Survey on Cloud Security Issues and Techniques

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

The Hybrid Cloud: Bringing Cloud-Based IT Services to State Government

EXIN Cloud Computing Foundation

Cloud Computing: The Next Computing Paradigm

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

NIST Cloud Computing Reference Architecture

Cloud Computing Security Issues and Access Control Solutions

INCREASING SERVER UTILIZATION AND ACHIEVING GREEN COMPUTING IN CLOUD

Cloud Computing Security Considerations

CLOUD COMPUTING OVERVIEW

Kent State University s Cloud Strategy

Cloud Computing for SCADA

Always On Infrastructure for Software as a Ser vice

Bringing the Cloud into Focus. A Whitepaper by CMIT Solutions and Cadence Management Advisors

Keywords Cloud Storage, Error Identification, Partitioning, Cloud Storage Integrity Checking, Digital Signature Extraction, Encryption, Decryption

A Secure Strategy using Weighted Active Monitoring Load Balancing Algorithm for Maintaining Privacy in Multi-Cloud Environments

Mobile Cloud Computing Security Considerations

Enterprise Governance and Planning

Cloud security architecture

SURVEY OF ADAPTING CLOUD COMPUTING IN HEALTHCARE

OVERVIEW Cloud Deployment Services

Future of Cloud Computing. Irena Bojanova, Ph.D. UMUC, NIST

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH Agenda. Security Cases What is Cloud? Road Map Security Concerns

Module 1: Facilitated e-learning

CLOUD COMPUTING IN HIGHER EDUCATION

Cloud Computing: Risks and Auditing

What Is The Cloud And How Can Your Agency Use It. Tom Konop Mark Piontek Cathleen Christensen

CLOUD COMPUTING SECURITY ARCHITECTURE - IMPLEMENTING DES ALGORITHM IN CLOUD FOR DATA SECURITY

Cloud Computing Submitted By : Fahim Ilyas ( ) Submitted To : Martin Johnson Submitted On: 31 st May, 2009

Session 2. The economics of Cloud Computing

AN OVERVIEW ABOUT CLOUD COMPUTING

Cloud Based E-Government: Benefits and Challenges

White Paper: Introduction to Cloud Computing

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Capability Paper. Today, aerospace and defense (A&D) companies find

An Introduction to Cloud Computing Concepts

Cloud Computing in a Regulated Environment

Transcription:

Security Issues On Cloud Computing Pratibha Tripathi #1, Mohammad Suaib #2 1 M.Tech(CSE), Second year 2 Research Guide # Department of Computer Science and Engineering Abstract Integral University, Lucknow Uttar Pradesh, India Cloud Computing has emerged as a new technique for delivering services over the internet. It is earning popularity over traditional information processing system for storing and processing huge volume of data. The cloud makes it possible for users to access their information from anywhere at any time. This is especially helpful for business that can t afford the same amount of hardware and storage space as a bigger company. Small companies can store their information in the cloud, removing the cost of purchasing and storing memory devices. The organization who uses cloud to store their private data, they are concerned about the security, trust and privacy issues related to its adoption. In this paper we recognize the roles of security and trust in cloud computing environments from the viewpoint of organization who would hand over their private information to the cloud computing provider. Keywords: cloud computing; cloud computing security, IT security, cloud models. Introduction The evolution of IT related to web, servers and data- and their capabilities have brought cloud computing to the forefront[1]. Cloud computing is one of the most important transformation in information technology with many advantages to both companies and end users. This technology promises to discharge the client from the burden of administering more and more complex and expensive systems by offering him the possibility of using systems with state of art computing capabilities, high availability and scalability. The important features of cloud computing are: sold on demand; the service is managed by the cloud provider; user can determine the amount of services they take and importantly user can log on to the network from any computer in the world. The benefits of cloud computing to the users are: it provides access to a huge range of applications 1

without having to download or install anything; applications can be accessed from any computer, anywhere in the world; they can avoid expenses on hardware and software, only using what they need. Thus it represent as a new standard for the dynamic provisioning of computing services containing ensembles of networked virtual machines[2]. It is a distributing computing mechanism that utilizes the high speed of the internet to move job from private PC to the remote computer clusters (big data centers own by the cloud service providers) for data processing. To attain efficient utilization of resources, cloud provider needs to enhance their resource utilization while decreasing cost. At the same time end user needs to use resource as far as needed while being able to increase or decrease resources consumption based on real demands. The cloud computing model meets such needs by delivering two key characteristics: multi-tenancy and elasticity. Multitenancy: implies sharing of computational resources, storage, services applications with other tenants. This sharing of resources violates the confidentiality between tenants To deliver secure multi-tenancy there should be isolation among tenants data (at rest, processing and transition) and location transparency where tenants have no information or control over the particular location of their resources to avoid planned attacks that attempt to co-locate with the victim assets [3]. Flexibility/Elasticity: users can quickly provision computing resources, as needed, without human interaction. Capabilities can be quickly and elastically provisioned, in some cases automatically, to quickly scale out or up. Cloud computing is viewed as one of the most promising technologies in computing today, inherently able to address a number of issues. A number of key characteristics of cloud computing have been identified [4,5]: Scalability of infrastructure: New nodes can be added or dropped from the network as can physical servers, with limited modifications to infrastructure set up and software. Cloud architecture can scale horizontally or vertically, according to demand. Broad network access: Capabilities are available over the network and accessed through standard mechanisms that support heterogeneous platforms (e.g., mobile phones, laptops, and PDAs). Location independence: In this the customer generally has no control or knowledge over the exact location of the provided resources, but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Reliability: Improve through the use of multiple redundant sites, which makes cloud computing suitable for business continuity and disaster recovery. Economies of scale and cost effectiveness: Cloud implementations, regardless of the deployment model, tend to be as large as possible in order to take advantage of economies of scale. Large cloud deployments can often be located close to cheap power stations and in low-priced real estate, to lower costs. 2

Sustainability: Comes about through improved resource utilization, more efficient systems, and carbon neutrality. In cloud computing, the available service models are: Infrastructure as a Service (IaaS). Provides the consumer with the capability to provision processing, storage, networks, and other fundamental computing resources, and allow the consumer to deploy and run arbitrary software, which can include operating systems and applications. The consumer has control over operating systems, storage, deployed applications, and possibly limited control of select networking components. Platform as a Service (PaaS). Provides the consumer with the capability to deploy onto the cloud infrastructure, consumer create applications using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications. Software as a Service (SaaS). Provides the consumer with the capability to use the provider s applications running on a cloud infrastructure. The applications are accessible from various client devices, through a thin client interface, such as a web browser (e.g. web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user specific application configuration settings. Four deployment models have been identified for cloud architecture solutions, described below: Private cloud. A private cloud is established for a specific group or organization. It may be managed by the organization or a third party, and may exist on premise or off premise. Community cloud. A community cloud is shared among two or more organizations that have similar cloud requirement. It may be managed by the organizations or a third party, and may exist on premise or off premise. Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology, that enables data and application portability (e.g., cloud bursting for load-balancing between clouds) [6]. Security in cloud computing o Confidentiality and privacy Confidentiality refers to only authorized parties or systems having the ability to access protected data. The threat of data compromise increases in the cloud, due to the increased number of parties, devices and applications involved, that leads to an increase in the number of points of access. A number of concerns emerge regarding the issues of multitenancy, data remanence, application 3

security and privacy [7]. Multitenancy refers to the cloud characteristic of resource sharing. Several aspects of the IS are shared including, memory, programs, networks and data. Cloud computing is based on a business model in which resources are shared (i.e., multiple users use the same resource) at the network level, host level, and application level. Although users are isolated at a virtual level, hardware is not separated. With a multitenant architecture, a software application is designed to virtually partition its data and configuration so that each client organization works with a customized virtual application instance. Multitenancy, is relative to multitasking in operating systems. In computing, multitasking is a method by which multiple tasks, also known as processes, share common processing resources such as a CPU. Multitenancy, as multitasking, presents a number of privacy and confidentiality threats. Object reusability is an important characteristic of cloud infrastructures, but reusable objects must be carefully controlled lest they create a serious vulnerability. Data confidentiality could be breach unintentionally, due to data remanence. Data remanence is the residual representation of data that have been in some way nominally erased or removed. Due to virtual separation of logical drives and lack of hardware separation between multiple users on a single infrastructure, data remanence may lead to the unwilling disclosure of private data. But also maliciously, a user may claim a large amount of disk space and then hunt for sensitive data. Data confidentiality in the cloud is correlated to user authentication. Protecting a user s account from theft is an instance of a larger problem of controlling access to objects, including memory, devices, software etc. Electronic authentication is the process of establishing confidence in user identities, electronically presented to an information system. Lack of strong authentication can lead to unauthorized access to users account on a cloud, leading to a breach in privacy. o Integrity A key aspect of Information Security is integrity. Integrity means that assets can be modified only by authorized parties. Data Integrity refers to protecting data from unauthorized deletion, modification or fabrication. Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have. Due to the increased number of entities and access points in a cloud environment, authorization is crucial in assuring that only authorized entities can interact with data o Availability Availability refers to the property of a system being accessible and usable upon demand by an authorized entity. System availability includes a systems ability to carry on operations even when some authorities misbehave. The system must have the ability to continue operations even in the possibility of a security breach. Availability refers to data, software but also hardware being available to authorized users upon demand. The network is burdened with data retrieval and processing. The cloud owner needs to guarantee that information and information processing is available to clients upon demand. Verifying identities many of which share common fundamental security requirements, and determining specific needs for data protection and information security 4

can be one of the most complex elements of IS design. This multiuser distributed environment proposes unique security challenges, dependent on the level at which the user operates. The security objectives within a distributed system are essential[8]: to ensure the availability of information communicated between participating systems; to maintain the integrity of information communicated between participating systems, i.e. preventing the loss or modification of information due to unauthorized access, component failure or other errors; to maintain the integrity of the services provided, i.e. confidentiality and correct operation; to provide control over access to services or their components to ensure that users may only use services for which they are authorized; to authenticate the identity of communicating parties (peer entities) and where necessary (e.g. for banking purposes) to ensure non-repudiation of data origin and delivery; and where appropriate, to provide secure interworking with the non-open systems world. While adding, To ensure the confidentiality of information held on participating systems. Clear separation of data and processes on the virtual level of the cloud, ensuring zero data leakage between different applications. To maintain the same level of security when adding or removing resources on the physical level. o Trusted Third Party We claim that employing Trusted Third Party services within the cloud, leads to the establishment of the necessary Trust level and provides ideal solutions to preserve the confidentiality, integrity and authenticity of data and communications [9]. In cryptography, a Trusted Third Party (TTP) is an entity which facilitates secure interactions between two parties who both trust this third party. The scope of a TTP within an Information System is to provide end-to-end security services, which are scalable, based on standards and useful across different geographical areas. The establishment and the assurance of a trust relationship between two transacting parties shall be concluded as a result of specific acceptances, techniques and mechanisms. The Third Party reviews all critical transaction communications between the parties, based on the ease of creating fraudulent digital content. Introducing a Trusted Third Party can specifically address the loss of the traditional security boundary by producing trusted security domains. As described by Castell, A Trusted Third Party is an impartial organization delivering business confidence, through commercial and technical security features, to an electronic transaction. It supplies technically and legally reliable means of carrying out, facilitating, producing independent evidence about and/or arbitrating on an electronic transaction. Its services are provided and underwritten by technical, legal, financial and/or structural means [10]. TTP services are provided and underwritten not only by technical, but also by legal, financial, and structural means [10,11]. TTPs are operationally connected through chains of trust (usually called certificate paths) in order to provide a web of trust forming the notion of a Public Key Infrastructure (PKI). Public Key Infrastructure provides technically sound and legally acceptable means to implement: 5

Strong Authentication: The control of authenticity, the process of identification of parts involved in electronic transactions or exchange of information with electronic means. Authorization: The authenticated access to resources, database and informative systems, according to the user s permission rights and the roles Data Confidentiality: The protection of information either locally stored or in transmission from unauthorized access. Data Integrity: The protection of information either locally stored or in transmission from unauthorized modification. Non-Repudiation: Ensuring that no part of an electronic transaction can deny its attendance in it. o Interoperability issues The cloud computing technology offers a degree of resource scalability which has never been reached before. Companies can benefit from additional computational needs, load demands. If the demand falls back the additional capacity can be shut down just as quickly as it was scaled up without any hardware equipment sitting idle. This great advantage has also a major drawback. It comes alongside with the risk of managing data within a shared environment (computation, storage, and network) with other cloud clients. Additionally, at one time one company may have multiple cloud providers for different services which have to be interoperable. In time, for different reasons, companies may decide to move their services to another cloud and in such a case the lack of interoperability can block or raise heavy obstacles to such a process. o Malicious insider A malicious insider is a person motivated to create a bad impact on the organization s mission by taking action that compromises information confidentiality, integrity, and/or availability. The malicious activities often insider could potentially have an impact on: the confidentiality, integrity and availability of all kind of data and services with impact on the internal activities, organization s reputation and customer trust. This is especially important in the case of cloud computing due to the fact that cloud architectures require certain roles, like cloud administrators, cloud auditors, cloud security personnel, which are extremely high-risk. o Trust The concept of trust, adjusted to the case of two parties involved in a transaction, can be described as follows: An entity A is considered to trust another entity B when entity A believes that entity B will behave exactly as expected and required [12]. Thereinafter, an entity can be considered trustworthy, if the parties or people involved in transactions with that entity rely on its credibility. In general, the concept described above can be verbally represented by the term reliability, which refers to the quality of a person or entity that is worthy of trust. The notion of 6

trust in an organization could be defined as the customer s certainty that the organization is capable of providing the required services accurately and reliably. The notion of security refers to a given situation where all possible risks are either eliminated or brought to an absolute minimum. Conclusion The cloud computing model is one of the promising computing models for service providers, cloud providers and cloud consumers. But to best utilize the model we need to block the existing security holes. Based on the details explained above, we can summarize the cloud security problem as follows: technologies such as virtualization. -tenancy and isolation is a major dimension in the cloud security problem that requires a vertical solution from the SaaS layer down to physical infrastructure (to develop physical alike boundaries among tenants instead of virtual boundaries currently applied). this number of requirements and controls. Based on this discussion we recommend that cloud computing security solutions should: -based approaches to capture different security views and link such views in a holistic cloud security model. -tenancy where each user can see only his security configurations, elasticity, to scale up and down based on the current context. controls at different layers to deliver integrated security. stakeholders needs. Future Scope At present, in a short period of time, the cloud computing cannot completely replace traditional computing. It is still not being fully accepted that to manage data by a third party, especially for large enterprises and government departments. Because it allows better management and flexible control of resources, cloud computing can be more secure than traditional IT. But some areas do require new solutions such as Encryption Keys management, New cloud storage technologies, data protection measures, virtual machines and Physical security of cloud environments. References [1] Iyer, B. & Henderson, J.C. (2010). Preparing for the future: understanding the seven capabilities of cloud computing. MIS Quarterly Executive, 9, 117-131. [2] R. R.Buyya, R.Ranjan, Intercloud: Utility-oriented federation of cloud computing environments for scaling of application services, in: ICA3PP 2010, Part I, LNCS 6081., 2010, pp. 13 31. [3] Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage, "Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds," presented at the Proceedings of the 16th ACM conference on Computer and communications security, Chicago, Illinois, USA, 2009. 7

[4] G. Reese, Cloud Application Architectures: Building Applications and Infrastructure in the Cloud, in: Theory in Practice, O Reilly Media, 2009. [5] B. Rajkumar, C. Yeo, S. Venugopal, S. Malpani, Cloud computing and emerging IT platforms: vision, hype, and reality for delivering computing as the 5 th utility, Future Generation Computer Systems (2009). [6] National Institute of Standards and Technology, The NIST Definition of Cloud Computing, Information Technology Laboratory, 2009. [7] Cloud Security Alliance. Top threats to cloud computing, Cloud Security Alliance, 2010. [8] R. Sherman, Distributed systems security, Computers & Security 11 (1) (1992). [9] D. Polemi, Trusted third party services for health care in Europe, Future Generation Computer Systems 14 (1998) 51 59. [10] S. Castell, Code of practice and management guidelines for trusted third party services, INFOSEC Project Report S2101/02, 1993. [11] Commission of the European Community. Green paper on the security of information systems, ver. 4.2.1, 1994. [12] International Telecommunication Union, X-509 ISO/IEC 9594-8, The directory: Public-key and attribute certificate frameworks, ITU, X-Series, 2001. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information