More Related Content Similar to Introduction to cloud security (20) More from IAEME Publication (20) Introduction to cloud security1. International Journal of Electronics and Communication Engineering & Technology (IJECET),
INTERNATIONAL JOURNAL OF ELECTRONICS AND
ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME
COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET)
ISSN 0976 – 6464(Print)
ISSN 0976 – 6472(Online)
Special Issue (November, 2013), pp. 252-260
© IAEME: www.iaeme.com/ijecet.asp
Journal Impact Factor (2013): 5.8896 (Calculated by GISI)
www.jifactor.com
IJECET
©IAEME
Introduction to Cloud Security
Taniya
Computer Science Engineering, BKBIET, Pilani, Rajasthan, India
shellysiddiqui2@outlook.com
ABSTRACT: Invented in 1981, the floppy disk was the only way to move files quickly between
computers, then came CD, memory card, USBs and portable hard drives. But very soon they too
are going to get things of the past. The buzzword now is cloud computing. While cloud
computing is getting increasingly popular and offer great features like flexibility, scalability and
energy-saving it also comes with several security issues. The cloud moves across borders,
taking our data with it and leaves us with a trail of concerns about data access, security and
availability. This paper deals with cloud computing and the various security risks associated
with it. It also reviews the best practices to secure Cloud services and data.
KEYWORDS: Cloud computing, IAAS, PAAS, SAAS, Virtualization
I.
INTRODUCTION
As budgets continues to shrink and the cost of data centers and software continue to increase
executives have started relying more on the cloud. The popularity of cloud computing which
provide services on demand on “a pay as you go” basis is increasing among the service vendors
and customers as it’s considered the best way to reduce IT expenditure, improve scalability
and reliability. Both Meryl Lynch and Gartner have predicted a multibillion dollar market for
cloud computing [1]. Delivering IT services via the Cloud is believed to be a time saver, a
money saver and allow for better efficiencies. The savings associated with cloud computing
include maintenance cost, licensing and human resource. According to Gartner, the typical IT
organization invests two-thirds of its budget to daily operations. Moving to the cloud will free
upto 35 to 50 percent of operational and infrastructure resources [2]. As savings mount and as
efficiencies increase, Cloud computing will continue to grow. Through 2015 Chief Information
Officers expect to operate the majority of their applications or infrastructure in a Cloud
environment [3]. Cloud computing is achieved primarily by leveraging the capacity of a data
center. Virtualization is the back bone of cloud computing. Autonomic computing and utility
computing are the other enabling technologies. Google and Amazon are two widely known data
centers providing Cloud computing and storage. But as more and more data gets on the cloud it
becomes more vulnerable as it’s exposed to hacking and various other risks.
International Conference on Communication Systems (ICCS-2013)
B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India
October 18-20, 2013
Page 252
2. International Journal of Electronics and Communication Engineering & Technology (IJECET),
ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME
A. Definition of Cloud Computing
In layman’s term cloud computing refers to internet-based computing. As bandwidth in our
homes and offices increases, more applications are turning web-based. By plugging your cable
into the wall you can access what you need including support and expertise paid for as a
service. It’s difficult to formally define cloud computing as its definition varies in context with
different industries. Chris Poelker, the author of “Storage Area Networks for Dummies” wrote in
his blog “As I travel around the country meeting with IT professionals and attending or
speaking at industry events, I am amazed by how many different versions there are of cloud
computing”. In March of 2010, The UK’s Centre for the Protection of National Infrastructure, in
their Information Security Briefing 01/2010 on Cloud Computing said “There is, to date, no
universally agreed industry definition of cloud computing and it is usual to find conflicting
descriptions in any nascent industry”[3]. This paper follows the NIST definition of cloud
computing. According to The National Institute of Standards and Technology cloud computing
is defined as “A model for enabling ubiquitous, convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks, servers, storage, applications,
and services) that can be rapidly provisioned and released with minimal management effort or
service provider interaction” [4].
B. Cloud Computing Model
According to NIST the cloud model comprises of three service models, four deployment models
and five essential characteristics.
Fig. 1: NIST’s three service models, four deployment models and five essential features [4]
The service model contains Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and
Software as a Service (SaaS).
IAAS is the lowest level of functionality where consumer uses only the infrastructure like
storage, hardware, servers and networking. Rackspace, Windows Azure and Amazon EC2 are
International Conference on Communication Systems (ICCS-2013)
B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India
October 18-20, 2013
Page 253
3. International Journal of Electronics and Communication Engineering & Technology (IJECET),
ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME
some of the IaaS providers. In IaaS the service provider only provides the infrastructure
security but the remainder is left to the customer. In this model the focus is on managing the
virtual machines. The security operations need to protect the data against the rogue cloud
usage.
Moving up the stack is PaaS. This level allows customers to create their own applications. It
provides the user with Application environment and a set of tools like OS, programming
language execution environment, database, and web services etc. Examples are Azure and
Heroku. Consumer and cloud service provider both are responsible for PaaS security. The
security operation needs to maintain balance across providers to ensure fail over of services in
the event of an outage. Another key consideration should be the ability to encrypt the data
whilst stored on a third-party platform and to be aware of the regulatory issues that may apply
to data availability in different geographies [5].
SaaS is at the top of the stack. In this the users run online applications provided by service
vendors and pay a fixed subscription fee. They don’t have to worry about installation, set up
and running of these applications on their systems .In SaaS the cloud service provider is
responsible for security controls. The security officer needs to focus on establishing controls
regarding user’s access to application. The customer needs to protect their API keys and make
sure they don’t replicate their organization in the cloud.
The NIST deployment model includes:
o Private cloud: It is a clouding architecture that provide hosted services for exclusive
use by a single organization comprising multiple consumers behind a firewall
o Public cloud: The cloud infrastructure is provisioned for open use by the general
public. It may be owned, managed, and operated by a business, academic, or
government organization, or some combination of them. It exists on the premises of the
cloud provider.
o Hybrid cloud: This cloud infrastructure is a composition of two or more distinct cloud
infrastructures (private, community, or public) that remain unique entities, but are
bound together by standardized or proprietary technology that enables data and
application portability. In this model the management requirements are complex as
there is a need to manage private and public cloud.
o Community cloud: The cloud infrastructure is maintained by cloud provider or an
organization and used by many organizations with similar requirements.
Each form of the deployment model requires different kind of data depending on which the
level of security for each kind is different.
NIST also defines five important characteristics of a Cloud environment: Resource Pooling, On
Demand Self Service, Broad Network Access, Measured Service and Elasticity.
II.
SECURITY RISKS INVOLVED IN CLOUD COMPUTING: AN OVERVIEW
When we use cloud environment, we rely on cloud providers to make decisions about our data
and platforms in ways never seen before in computer [6]. Also the applications are run on
service provider’s systems and the consumers have little to no knowledge of its environment.
This makes the data vulnerable to peeping and tampering.
International Conference on Communication Systems (ICCS-2013)
B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India
October 18-20, 2013
Page 254
4. International Journal of Electronics and Communication Engineering & Technology (IJECET),
ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME
The data on the cloud is under the following threats:
o Spoofing: It’s a way of accessing information by using other’s identity.
o Tampering: Data entered by a user are changed without the user's authorization.
o Repudiation: Denying the origin of transaction (request or response).
o Information Disclosure: The data is disclosed to unauthorized users without the
knowledge of the user.
o Denial of Service:In a denial-of-service (DoS) attack, an attacker attempts to prevent
legitimate users from accessing information or services.
o Elevation of Privilege:Elevation of privilege results from giving an attacker
authorization permissions beyond those initially granted. For example, an attacker with
a privilege set of "read only" permissions somehow elevates the set to include "read and
write."
The data needs to be protected both in store and in transit. Appropriate mechanisms should be
taken in order to make application execution and stored data accessible to designated persons
only. How much security is required depends upon the deployment model, type of application,
business objective and available budget.While defining security for cloud, it’s required to
address it from operational as well as Governance point of view. Under operational domain it is
very important to focus on traditional security, disaster recovery, data center operations,
incident response, application security, encryption and key management, identity and access
management and virtualization whereas under Governance domain focus has to be given to
Cloud computing architectural framework, risk management and Legal discovery [7].
III.
PROTECTION OF SENSITIVE DATA
The data needs to be secured to overcome the threats mentioned above. The data at rest can
be protected by encrypting it. Encryptions protect data against malicious cloud providers and
co-tenants in the cloud. The keys are kept by the customer so that the description can be done
when needed. Data security also involves enforcing the appropriate accessing policies.
Researchers have implemented the data protection framework which provides authentication,
verification and encrypted data transfer [6].
A. Data Sanitization
The biggest question about data is how long the data has to remain on the cloud. There is a big
chance that the service provider might retain the information even after the client is no longer
accessing the data. When the user migrates or terminates the service he should make sure that
the data is destroyed or no longer visible in cloud provider domain.Data sanitization is the
process of deliberately, permanently, and irreversibly removing or destroying the data stored
in the data base. A device that has been sanitized has no usable residual data and even
advanced forensic tools should not ever be able to recover erased data [8]. Data sanitization is
achieved by using masking technique.
B. Data Isolation
The data on the cloud becomes vulnerable to attacks when there is lack of isolation. The cloud
provider must make sure that the clients are isolated from each other. Virtualization is a great
tool for ensuring isolation. It is implemented by running Virtual Machine (VM) instance for
each user and all users can independently access data without any interference.
International Conference on Communication Systems (ICCS-2013)
B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India
October 18-20, 2013
Page 255
5. International Journal of Electronics and Communication Engineering & Technology (IJECET),
ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME
C. Data Location
The location of data on the cloud also makes it vulnerable. The service subscriber does not
have detailed information about the location of data. This makes it difficult for the user to
ascertain whether the data is secure and whether the proper legal requirements are being met.
Different countries have different laws regarding cyber security and data privacy. Once the
data crosses the national border it becomes very difficult to guarantee protection under
foreign laws and regulations. For example European consumers have expressed concern that
the USA Patriot Act will afford the US government undue and unfettered access to their data if
they choose to store it on the cloud servers of US providers (e.g., Microsoft or IBM). A recent
survey found that 70 percent of Europeans have concerns about their online data and how well
it is secured [9].
IV.
SECURITY ISSUES DUE TO VIRTUALIZATION
Virtualization is the creation of a virtual (rather than actual) version of something, such as an
operating system, a server, a storage device or network resources. Ottenheimer and Vallace
define it as “The creation of virtual resources from physical resources”. It is one of the major
enabling technique of cloud computing. In a virtual environment, the host has the ability to run
multiple guest operating systems as virtual machines. Virtual machines can be created quickly
and easily and brings many advantages to the space, including higher efficiency due to
increased utilization, energy savings per computation unit, and the flexibility to create and
destroy machines on demand [10]. Also to maximize the utilization of resources these virtual
machines belonging to different organization are co-located on the same physical server.But
virtualization comes with various risks. With the creation of virtual machines the attacker
surface increases as the vulnerabilities not only exist in the physical equipment but also in the
virtualized environment. According to the Cloud Security Alliance (CSA), irrespective of the
service model (IaaS, PaaS and SaaS) used, “Virtualization brings with it all the security
concerns of the guest operating system, along with new virtualization-specific threats.” [11]. In
the virtualized environment A single host with multiple virtual machines may be attacked by
one of the guest operating systems or, a guest operating system may be used to attack other
guest operating systems.
NIST in its virtualization security guidelines recommends organization [12]:
o Secure all elements of a full virtualization solution and maintain their security;
o Restrict and protect administrator access to the virtualization solution;
o Ensure that the hypervisor, the central program that runs the virtual environment, is
properly secured;
o Carefully plan the security for a full virtualization solution before installing, configuring
and deploying it.
A. Hypervisor Security
The hypervisor, or virtual machine monitor (VMM), is the software that virtualizes the
hardware and provides isolation, or separation, between guests. Given the relative newness of
non-mainframe virtualization and the need to handle sensitive workloads, hypervisor security
is a great and well-placed concern [10]. Functionality that allows the hypervisor to control and
monitor individual VM activity from outside the VMs is known as introspection. It gives the
International Conference on Communication Systems (ICCS-2013)
B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India
October 18-20, 2013
Page 256
6. International Journal of Electronics and Communication Engineering & Technology (IJECET),
ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME
hypervisor power to access and analyze the data being processed by the VM, and typically
includes visibility into stored data files as well as monitoring of network traffic, memory and
program execution, and other elements of the VM. The two major security risks with
introspection are that it can bypass role-based access controls and it can be used without
leaving a forensic audit trail within the VM itself. Since no authentication is required, as with
introspection, files can be accessed from within the privileged state of the hypervisor, the file
access leaves no audit trail on the VM and the VM contains no evidence that the file was
accessed.
There are two types of attacks on the hypervisor [13]:
Attack on hypervisor through the host OS: The hypervisor is compromised when the control
is being taken on the host OS by the attacker who then gains the administrative privileges of
the hypervisor and can perform any malicious activity on the VM hosted by the hypervisor.
Fig. 2: Attack on Hypervisor through Host OS [13]
Attack on the hypervisor through guest OS: This is the most possible attack on the
hypervisor. In this a guest OS is used to gain unauthorized access to the hypervisor.
Fig. 3: Attack on the hypervisor through Guest OS [13]
International Conference on Communication Systems (ICCS-2013)
B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India
October 18-20, 2013
Page 257
7. International Journal of Electronics and Communication Engineering & Technology (IJECET),
ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME
Traditional defenses such as firewalls and IPSs are not capable to stop attack on the hypervisor
as these attacks are rooted in the processor. The best ways to mitigate risks are by creating a
chain of trust in the CPU that will extend to the hypervisor and hardening the hypervisor by
following the manufacture’s best practices.
V.
MULTI-TENANCY
Multi-tenancy is defined as the ability to use the same software and interfaces to configure
resources and isolate customer-specific traffic and data. In a typical multi tenancy
environment, multiple users who do not share or see each other’s data can share the same
applications while running on the same operating system, using the same hardware and the
same data storage mechanism [14]. It comes with many security issues. Over provisioning of
resources is the biggest risk associated with multi-tenancy which further results in resource
contention and potential lack of availability, effectively creating a denial of service situation.
Performance may become unpredictable when “noisy neighbors” are co-located and start
behaving poorly by consuming large amounts of CPU or memory resources [3].To secure the
multi-tenant environment from malicious attacks CSA recommends that implementers should
ensure adequate security zones for different types of machines. Servers, development
machines, workstations and management consoles should each have their own security zone
[3].
VI.
INFORMATION SECURITY STANDARDS
Over the past few years several security standards have evolved to protect the confidentiality,
integrity and availability of data on the cloud. It is very important to thoroughly understand
your organization’s security policies in order to implement like standards in a Cloud
environment that will form your security frame work. It is also very important to choose the
CSP who offer the standards that are relevant to your needs. Standards can be based on
security, system development, financial reporting, IT service delivery, or control environment
[3].
Some of the most popular standards related to security are:
National Institute of Standards and Technology (NIST) publish series of papers stating various
guidelines to insure security in cloud computing outlining the comprehensive security
framework.
The International Standards Organization (ISO) has published ISO/IEC 27001, an audit
standard for Information Security Management Systems. Organizations that claim to have
adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the
standard. It contains 11 domains, 39 control objective and more than 130 controls. Some of
the domains under it are Security policy, physical and environmental security, Access control.
The Federal Information Security Management Act (FISMA) made in 2002 requires the Federal
Government to create standards for minimum information security and standards for
categorizing information and information systems.
The European Network and Information Security Agency (ENISA) is an agency of the European
Union. The objective of ENISA is to improve network and information security in the European
Other entities that create standards are Institute of Electronics and Electrical Engineers (IEEE),
American National Standards Institute (ANSI) and National Security Agency (NSA).
International Conference on Communication Systems (ICCS-2013)
B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India
October 18-20, 2013
Page 258
8. International Journal of Electronics and Communication Engineering & Technology (IJECET),
ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME
There is a wide range of standards and guidelines concerning the information security. This
sometimes leads to confusion among the customers as different CSA follow different standards.
To make it easy for the users to know about the best suited standard the Cloud Security
Alliance has created a Cloud Controls Matrix (CCM). The CCM is designed to provide
fundamental security principles to assist cloud customers in assessing the overall security risk
of a cloud provider. It consists of 13 domains based on ISO 270001 and NIST. No matter which
standard the CSA adheres to certification provides customers with a promise that information
security is given the highest priority and a process to protect the confidentiality, integrity and
availability of data is in place.
VII.
CONCLUSION
Cloud computing is a revolution in how computing power is developed to business. Business
and government continues to move on Cloud environment in an effort to reduce costs, improve
efficiencies and reduce administrative overhead. Though cloud computing has various
advantages it also comes with several security issues.As the data gets off premises and moves
to the cloud it gets vulnerable to attacks both at rest and in transit. While virtualization reduces
some security risks, others are increased because the attack surface in a Cloud service
increases. Also there are various security issues in multi-tenant architecture of cloud
computing.In these paper I have tried to summarize all these security issues related to various
aspects and models of cloud computing. I have also reviewed various mitigation strategies,
security standards and guidelines.
ACKNOWLEDGEMENT
Foremost, I would like to express my sincere gratitude to Ms. Sonam Mittal, Assistant
Professor, BKBIET, Pilani for helping me out in completing the paper. My sincere thanks also go
to my friends who helped me in finding the resources and motivating me. Last but not the least;
I would like to thank my family for supporting me.
REFERENCES
[1] ShikhareshMajundar, Resource Management on Clouds- The Multifaceted Problem &
Solution, Advancement in Cloud Computing, 2012
[2]http://betanews.com/2011/01/24/gartner-most-cios-have-their-heads-in-the-clouds/
[3] Todd Steiner, An Introduction to Securing a Cloud Environment (white paper), SANS
institute
[4] http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
[5]http://www.csoonline.com/article/660065/saas-paas-and-iaas-a-security-checklist-forcloud-models
[6] P. Jayarekha, Anintha H M, Exploring Cloud Computing and Security Issues, Advancement in
Cloud Computing, 2012
[7] N. Sarat Chandra Babu, Cloud Security, Advancement in Cloud Computing, 2012
[8] http://cnc.ucr.edu/security/datasan.html
[9] http://www.mayerbrown.com/publications/The-USA-Patriot-Act-and-the-Privacy-of-DataStored-in-the-Cloud-01-18-2012/
[10] ftp://public.dhe.ibm.com/linux/pdfs/LXW03004-USEN-00.pdf
[11] https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
International Conference on Communication Systems (ICCS-2013)
B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India
October 18-20, 2013
Page 259
9. International Journal of Electronics and Communication Engineering & Technology (IJECET),
ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME
[12] http://www.nist.gov/itl/csd/virtual-020111.cfm
[13] http://www.cse.wustl.edu/~jain/cse571-11/ftp/virtual/
[14] http://apprenda.com/library/glossary/definition-multitenant/
BIOGRAPHY
Taniya was born in Dehradun, Uttarakhand, India in 1992. She is doing her
B.Tech in Computer Science Engineering from B K Birla Institute of
Engineering and technology Pilani (Rajasthan), India.
International Conference on Communication Systems (ICCS-2013)
B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India
October 18-20, 2013
Page 260