COMPREHENSIVE ANALYSIS OF SECURITY ISSUES AND CHALLENGES IN CLOUD COMPUTING AND THEIR COUNTER MEASURES

by Pankaj Sareen
Computer Applications Department, Baddi University of Emerging Sciences & Technology
pankaj.sareen1480@gmail.com

ABSTRACT

Cloud Computing is a recent technology paradigm that enables organizations or individuals to share various services in a seamless, flexible and cost-effective manner. Cloud Computing has proven to be a delivery platform for providing business or consumer IT services over the Internet. There are different vulnerabilities and threats to cloud computing. Despite the potential gains achieved from cloud computing, organizations are slow in accepting it. Organizations which consider adopting cloud-based services must also understand the many major problems of information policy, including issues of privacy, security, reliability, access and regulation. Due to the many security threats that many organizations have faced at present, this has become an active area of research. Addressing these issues requires gaining the confidence of users in cloud applications and services. In this paper, a comprehensive study of the technical components, security and privacy concerns of cloud computing will be made. I will also propose some countermeasures to mitigate these concerns. This paper would help readers to know about the various attacks that are possible on Cloud Computing. A set of recommendations for organizations to follow when planning, reviewing, negotiating, or initiating a public cloud service is also suggested in the paper.

KEYWORDS: Cloud Computing, Security Issues and Attacks, Countermeasures, Set of Recommendations

INTRODUCTION

Cloud Computing [1] is a term used to describe both a platform and a type of application. A Cloud Computing platform dynamically provisions, configures, reconfigures, and deprovisions servers as needed. Cloud Computing [2] also describes applications that are extended to be accessible through the Internet.
These applications use large data centers and powerful servers that host Web applications and Web services.
RESEARCH METHODOLOGY

A. Objectives of the Study

To know the characteristics, architecture and different types of Cloud Service Delivery Models like SaaS, PaaS, and IaaS.
To identify the various areas of concern, attacks and threats to Cloud Computing and their countermeasures.
To provide suggestive measures for organizations to follow when planning, reviewing, and initiating a public cloud service outsourcing arrangement.

B. Research Design

The research is literature-based. This paper involves a comprehensive study of the earlier work done in this area by reviewers. The major purpose of this research is to analyze the security issues, threats, attacks and challenges in Cloud Computing and to find out various countermeasures to mitigate these concerns.

C. Data Collection

Secondary data is used for the study. Data will be collected from secondary sources like National Institute of Standards and Technology (NIST) Cloud Computing, Cloud Security Alliance (CSA), and various research papers on the security of Cloud Computing.

CLOUD COMPUTING SECURITY AND PRIVACY ISSUES

Security of the Cloud Computing system [3] can be thought of in two dimensions: physical security and cyber security. Physical security concerns the physical properties of the system. For example, a data center, which belongs to the provider's infrastructure, has to meet security standards; supervision and manageability of security measures, uninterrupted power supplies, and precautions for natural disasters (earthquake, flood, fire etc.) are indispensable. Cyber security concerns the protection of the system from cyber attacks. These attacks can use huge amounts of computing resources and prevent consumers from using them efficiently.

A. Areas of Concern

Cloud computing has many areas of concern. Some of the more fundamental concerns [4] include the following:

1) System Complexity: A public cloud computing environment is extremely complex.
Complexity typically relates inversely to security, with greater complexity giving rise to vulnerabilities.

2) Shared Multi-tenant Environment:
Subscribing organizations typically share components and resources with other subscribers that are unknown to them. Having to share an infrastructure with unknown outside parties can be a major drawback for some applications and requires a high level of assurance for the strength of the security mechanisms used for logical separation.

3) Internet-facing Services: Public cloud services are delivered over the Internet. Applications and data that were previously accessed from the confines of an organization's intranet, but moved to the cloud, must now face increased risk from network threats.

B. Top Threats for Cloud Computing Users

The Cloud Security Alliance has proposed the biggest security threats [5] of cloud systems. These threats are as follows:

1) Abuse and immoral Use of Cloud Computing: IaaS providers offer services to their customers through a registration process where anyone with a valid credit card can register and immediately begin using cloud services. By abusing the relative anonymity behind these registration and usage models, spammers and other criminals have been able to conduct their activities with relative freedom.

2) Insecure Interfaces and APIs: The security and availability of general cloud services is dependent upon the security of APIs. These interfaces must be designed to protect against both accidental and malicious attempts.

3) Data Loss or Leakage: There are many ways to compromise data. Deletion or alteration of records without a backup of the original content is an obvious example. Unauthorized parties must be prevented from gaining access to sensitive data.

4) Malicious Insiders: The malicious insider threat is one that gains in importance as many providers still don't reveal how they hire people, how they grant them access to assets or how they monitor them.

Models affected by these threats are shown in Table 1.

Table 1: Service Models Affected

Type of Threat by CSA            Models affected
Abuse Use of Cloud Computing     IaaS, PaaS
Insecure Interfaces and APIs     IaaS, PaaS, SaaS
Data Loss or Leakage             IaaS, PaaS, SaaS
Malicious Insiders               IaaS, PaaS, SaaS

C. Countermeasures [5] to these threats

1) Confronting Abuse and immoral Use of Cloud Computing:
Stricter initial registration and validation processes.
Enhanced credit card fraud monitoring and coordination.
Comprehensive introspection of customer network traffic.
Monitoring blacklists for one's own network blocks.

2) Confronting Insecure Interfaces and APIs:
Analyze the security model of cloud provider interfaces.
Ensure strong authentication and access controls are implemented in concert with encrypted transmission.

3) Confronting Data Loss or Leakage:
Implement strong API access control.
Encrypt and protect integrity of data in transit.
Analyze data protection at both design and run time.
Implement strong key generation.

4) Confronting Malicious Insiders:
Specify HR requirements as part of legal contracts.
Require transparency into overall information security and management practices.

ATTACKS ON CLOUD COMPUTING

A. XML Signature Wrapping Attack

Wrapping attacks [6,7] aim at injecting a faked element into the message structure so that a valid signature covers the unmodified element while the faked one is processed by the application logic. So, an attacker can perform an arbitrary Web Service request while authenticating as a legitimate user. In 2011, researchers led by Dr. Jorg Schwenk found a cryptographic hole in Amazon's EC2 and S3 services [8]. The attackers hijacked control interfaces used to manage cloud computing resources, which would allow attackers to create, modify, and delete machine images, and change administrative passwords.

B. SQL injection attacks [9]
In this type of attack, malicious code is inserted into standard SQL code. Thus the attackers gain unauthorized access to a database and are able to access sensitive.

C. Sniffer Attacks [9]

These types of attacks are launched by applications which can capture packets flowing in a network; if the data being transferred in these packets is not encrypted, it can be read.

D. Account Hijacking [10]

It is usually carried out with stolen credentials. Examples of such attacks include: eavesdropping on transactions, manipulation of data, and redirection to illegitimate sites [8].

Table 2: Known Attacks on Cloud Computing

Attack Name: Theft-of-service
Consequences: Cloud service usage without billing; cloud resource stealing with no cost
Category: Cloud Infrastructure

Attack Names: Denial of Service; Malware Injection
Consequences: Service/hardware unavailability; wrapping a malicious code in XML to gain unauthorized access; accessing any other private information; user data/information leakage; cloud resources/infrastructure information leakage
Categories: Network, Cloud Infrastructure; Cloud Infrastructure

SOME MORE ATTACKS ON CLOUD

Issa M. Khalil, Abdallah Khreishah and Muhammad Azeem highlighted known attacks [11] on the Cloud. These are:

1) Theft of Service Attacks [12]: This attack is realized when the hypervisor fails to detect and account for Central Processing Unit (CPU) usage by poorly behaved virtual machines. The common incidents include using Cloud Computing services (1) for a long period of time while hiding it from the vendor and (2) without representing it in a billing cycle.

2) Malware Injection: In a malware-injection attack an adversary attempts to inject malicious code into a system. This attack can appear in the form of code, scripts, active content, and/or other software.

3) Traffic Flooding: Traffic flooding attacks occur when a network or service becomes so weighed down with packets initiating incomplete connection requests that it cannot process genuine connection
requests. Eventually, the host's memory buffer becomes full and no further connections can be made, and the result is a Denial of Service.

4) Distributed Denial of Service Attacks: This attack is relayed from different dynamic networks which have already been compromised, unlike the DoS attack.

COUNTERMEASURES TO THESE ATTACKS

1) Countermeasure to XML Signature Wrapping Attack: The solution is to use the SOAP message during message passing from the web server to the web browser. A STAMP bit will be added onto the signature value when it is appended in the SOAP header. This bit will be transmitted when the message is interfered with by a third party during the transfer. When the message reaches its destination, the STAMP bit is checked. If it has been changed, then a new signature value is generated by the browser and the new value is sent back to the server as recorded to modify the authenticity checking.

2) Countermeasure to SQL injection attacks: Filtering techniques to sanitize the user input etc. are used to check the SQL injection attacks [13].

3) Countermeasure to Sniffing Attacks: A malicious sniffing detection platform based on ARP and RTT can be used to detect a sniffing system running on a network [14].

4) Countermeasure to Account Hijacking: In order to prevent this attack, Dropbox has implemented two-factor authentication into the company's security controls, in which the user has to enter two of the following three properties: something the user knows (e.g., password, PIN), something the user has (e.g., ATM card) and/or something the user is (e.g., biometric characteristic, such as a fingerprint) [15].

5) Countermeasure to Theft of Service Attacks: Gruschka et al. have suggested using a new instance of cloud-to-user surface in the victim machine to monitor the scheduling of parallel instances. Then, the outputs of both the attacker and the legitimate instances are compared. A significant difference in results is reported to the responsible authorities as an attack.
There are other solutions provided for hypervisor scheduling such as [16, 17, 18], but they are limited to CPU-bound issues.

6) Countermeasure to Denial of Service Attack: Karnwal [20] provides a framework called cloud defender that is based on the following stages:

Sensor: It monitors the incoming request messages. If there is a hypothetical increase in the number of messages coming from the same consumer, it marks it as suspicious.
HOP Count filter: It counts the hop count value (the total number of nodes the message traverses from source to destination) and compares it with a pre-defined HOP count. If a difference is found, it means that the header or the message has been modified, and the message is thus marked suspicious.

IP Frequency Divergence: Marks a message suspicious if there is same frequency of IP messages.

SET OF RECOMMENDATIONS FOR ORGANIZATIONS

The set of recommendations for organizations [4] is:

Governance: Extend organizational practices pertaining to the policies, procedures and standards used for application development.

Compliance: Understand the various types of laws and regulations that impose security and privacy obligations on the organization.

Trust: Incorporate mechanisms into the contract that allow visibility into the security and privacy controls.

Identity and Access Management: Ensure that adequate safeguards are in place to secure authentication, authorization and other identity and access management functions.

Software Isolation: Understand virtualization and other software isolation techniques that the cloud provider employs.

Availability: Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed in a timely and organized manner.

CONCLUSION

In today's global competitive market, companies must innovate and get the most from their resources to succeed. This requires enabling their employees, business partners, and users with the platforms and collaboration tools that promote innovation. Cloud computing infrastructures are next generation platforms that can provide tremendous value to companies of any size. Cloud computing helps IT enterprises use various techniques to optimize and secure application performance in a cost-effective manner.
Apart from its advantages, it has some disadvantages in security and privacy, which are seen as the primary obstacles to wide adoption. At the same time, because of the distributed nature of the system, there is a risk of security attacks on services and resources in cloud computing. These attacks can come from both outside and inside the cloud provider's network. The idea of handing over important data to another company worries some people. These issues are the main reasons that cause many enterprises which have a plan to migrate to the cloud to prefer using the cloud for less sensitive data and to store important data on their own local machines. Cloud computing has the potential to become a frontrunner in promoting a secure, virtual and economically viable IT solution in the future.

REFERENCES

1. Definition of Cloud Computing from <http://en.wikipedia.org/wiki/cloud_computing> retrieved on 15.03.2014
2. G. Gruman and E. Knorr, What cloud computing really means, InfoWorld, April 2008. Electronic Magazine, available at <http://www.infoworld.com/article/08/04/07/15fe-cloudcomputing reality 1.html>
3. U. Oktay and O.K. Sahingoz, Attack Types and Intrusion Detection Systems in Cloud Computing, 6th International Information Security & Cryptology Conference
4. Wayne Jansen, Guidelines on Security and Privacy in Public Cloud Computing, NIST Draft Special Publication 800-144
5. Top Threats to Cloud Computing V1.0, prepared by the Cloud Security Alliance, March 2010
6. S. Gajek, M. Jensen, Analysis of signature wrapping attacks, IEEE International Conference on Web Services, 2009
7. M. Jensen, C. Meyer, J. Somorovsky, and J. Schwenk, On the effectiveness of XML schema validation for countering XML signature wrapping attacks, International Workshop on Securing Services on the Cloud (IWSSC), 2011
8. A. Hickey, Researchers uncover 'massive security flaws' in Amazon Cloud, available at <http://www.crn.com/news/cloud/231901911/researchers-uncovermassive-security-flaws-inamazon-cloud.htm>
9. V. Ashktorab and S.R. Taghizadeh, Security Threats and Countermeasures in Cloud Computing, International Journal of Application or Innovation in Engineering & Management (IJAIEM), Volume 1, Issue 2
10. Chimere Barron and Justin Zhan, Cloud Computing Security Case Studies and Research, Proceedings of the World Congress on Engineering 2013 Vol II, WCE 2013, July 3-5, 2013, London, U.K.
11. I.M. Khalil, Muhammad Azeem, Cloud Computing Security: A Survey, doi:10.3390/computers3010001
12. Z. Fangfei and R. Sundaram, Scheduler vulnerabilities and coordinated attacks, Proceedings of the 2011 10th IEEE International Symposium on Network Computing and Applications (NCA), Cambridge, MA, USA, 25-27 August 2011; pp. 123-130
13. Y. Yuan and A. Stavrou, SQLProb: A Proxy-based Architecture towards Preventing SQL Injection Attacks, SAC, March 8-12, 2009
14. Zouheir Trabelsi, Mounir Frikha, Malicious Sniffing System Detection Platform, Proceedings of the 2004 International Symposium on Applications and the Internet, pp. 201-207, 2004
15. M. Rouse, Two-factor authentication, available at <http://searchsecurity.techtarget.com/definition/two-factor-authentication>
16. N. Gruschka and M. Jensen, Attack surfaces: taxonomy for attacks on cloud services, Proceedings of the 2010 IEEE 3rd International Conference on Cloud Computing (CLOUD), Miami, FL, USA,
17. L. Cherkasova and D. Gupta, Comparison of the three CPU schedulers in Xen. ACM SIGMETRICS Perform. Eval. Rev. 2007, Kim, H.; Lim, H.; Jeong, J.; Jo, H.; Lee, J. Task-aware virtual machine scheduling for I/O Performance. In Proceedings of the 2009 ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, Washington, DC, March 11-13, 2009; pp. 101-110.
18. L. Cherkasova and D. Gupta, A. When virtual is harder than real: Resource allocation challenges in virtual machine based IT environments. Technical Report HPL-2007-25, HP Laboratories Palo Alto, Feb. 2007.
19. L. Martignoni and R. Paleari, A framework for behavior-based malware analysis in the cloud, Proceedings of the 5th International Conference on Information Systems Security (ICISS 09), Kolkata, India, 14-18 December 2009; Springer-Verlag: Berlin, Heidelberg, 2009; pp. 178-192
20. T. Karnwal and T. Sivakumar, A comber approach to protect cloud computing against XML DDoS and HTTP DDoS attack, Proceedings of the 2012 IEEE Students Conference on Electrical, Electronics and Computer Science (SCEECS), Bhopal, India, 1-2 March 2012; pp. 1-5.
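
Added example (not code from the paper or from the cited researchers) for the XML signature wrapping attack described under ATTACKS ON CLOUD COMPUTING: a verifier that checks the signature on one element but acts on another, beside a hardened verifier that acts only on the element it verified. The message format, element and action names, the key and the HMAC used in place of a real XML signature are assumptions made for illustration, and the hardened check binds the signature to the processed element; it is not the STAMP-bit scheme from the countermeasures section.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"demo-key"  # constructed key; HMAC stands in for a real XML signature

def mac(elem):
    return hmac.new(KEY, ET.tostring(elem), hashlib.sha256).hexdigest()

def verified_element(root):
    """Return the single element the signature references, after checking its MAC."""
    sig = root.find("Header/Signature")
    ref = sig.find("Reference").get("URI").lstrip("#")
    matches = [e for e in root.iter() if e.get("Id") == ref]
    if len(matches) != 1:
        raise ValueError("referenced Id missing or duplicated")
    if not hmac.compare_digest(mac(matches[0]), sig.find("SignatureValue").text):
        raise ValueError("signature check failed")
    return matches[0]

def process_vulnerable(xml_text):
    """Checks the signature wherever the Id is found, then acts on Envelope/Body."""
    root = ET.fromstring(xml_text)
    verified_element(root)
    return root.find("Body/Action").text  # not necessarily the verified element

def process_hardened(xml_text):
    """Acts only on the verified element, and only if it is the Envelope's Body."""
    root = ET.fromstring(xml_text)
    signed = verified_element(root)
    if signed is not root.find("Body"):
        raise ValueError("signed element is not the Body being processed")
    return signed.find("Action").text

# Constructed sample messages (hypothetical format and action names).
BODY = '<Body Id="b1"><Action>ListImages</Action></Body>'
SIG = ('<Signature><Reference URI="#b1"/><SignatureValue>%s</SignatureValue>'
       '</Signature>' % mac(ET.fromstring(BODY)))
GENUINE = "<Envelope><Header>%s</Header>%s</Envelope>" % (SIG, BODY)
# Signed Body relocated under the Header; an unsigned Body sits in its place.
WRAPPED = ('<Envelope><Header>%s<Wrapper>%s</Wrapper></Header>'
           '<Body Id="b2"><Action>DeleteImage</Action></Body></Envelope>' % (SIG, BODY))

if __name__ == "__main__":
    print("vulnerable, genuine:", process_vulnerable(GENUINE))
    print("vulnerable, wrapped:", process_vulnerable(WRAPPED))
    try:
        process_hardened(WRAPPED)
    except ValueError as err:
        print("hardened, wrapped: rejected,", err)
```

A real XML signature additionally involves canonicalization and namespaces, which this stand-in leaves out.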
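
Added example (not the cloud defender implementation from [20]) of the Sensor and HOP Count filter stages described under Countermeasure to Denial of Service Attack, run over a constructed window of requests. The per-window threshold, the derivation of hop count from the received TTL, the stored per-source baseline and all names are assumptions; the IP Frequency Divergence stage is left out.

```python
from collections import Counter

# Assumed values for illustration; the paper gives no thresholds.
MAX_MSGS_PER_WINDOW = 5                  # Sensor: per-consumer message budget
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def hop_count(observed_ttl):
    """Infer hops travelled from the received TTL (assumed derivation:
    the initial TTL is the smallest common default >= the observed value)."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl

def screen(requests, expected_hops):
    """Return {request index: [reasons]} for requests marked suspicious.

    requests      -- list of (consumer_id, source_ip, observed_ttl), one window
    expected_hops -- pre-defined hop count per source_ip, recorded earlier
    """
    per_consumer = Counter(consumer for consumer, _, _ in requests)
    flagged = {}
    for i, (consumer, ip, ttl) in enumerate(requests):
        reasons = []
        # Stage 1, Sensor: unusual volume from the same consumer.
        if per_consumer[consumer] > MAX_MSGS_PER_WINDOW:
            reasons.append("sensor: message burst")
        # Stage 2, HOP Count filter: observed hops differ from the stored value.
        known = expected_hops.get(ip)
        if known is None:
            reasons.append("hop-count: no baseline for source")
        elif hop_count(ttl) != known:
            reasons.append("hop-count: mismatch")
        if reasons:
            flagged[i] = reasons
    return flagged

# Constructed sample window (documentation-range addresses).
EXPECTED = {"192.0.2.10": 12, "198.51.100.7": 9}
WINDOW = (
    [("alice", "192.0.2.10", 52)]            # 64 - 52 = 12 hops, matches
    + [("bob", "198.51.100.7", 119)] * 6     # 128 - 119 = 9 hops, but 6 messages
    + [("carol", "192.0.2.10", 57)]          # 64 - 57 = 7 hops, baseline says 12
)

if __name__ == "__main__":
    for idx, why in screen(WINDOW, EXPECTED).items():
        print(idx, WINDOW[idx][0], why)
```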