CLOUD COMPUTING SECURITY

THE MITIGATION OF SECURITY THREATS INHERENT IN CLOUD COMPUTING

Author - Nnaemeka Nweke | Seminar Report | September 7, 2015


ABSTRACT

Cloud computing has formed the conceptual and infrastructural basis for tomorrow's computing. The global computing infrastructure is rapidly moving towards cloud-based architecture. While it is important to take advantage of cloud-based computing by deploying it in diversified sectors, the security aspects of a cloud-based computing environment remain at the core of interest. Cloud-based services and service providers are evolving, which has resulted in a new business trend based on cloud technology. With the introduction of numerous cloud-based services and geographically dispersed cloud service providers, sensitive information belonging to different entities is normally stored in remote servers and locations, with the possibility of being exposed to unwanted parties if the cloud servers storing that information are compromised. If security is not robust and consistent, the flexibility and advantages that cloud computing has to offer will have little credibility. This seminar presents a review of cloud computing concepts as well as the security issues inherent within the context of cloud computing and cloud infrastructure.

CHAPTER ONE

INTRODUCTION

1.0 Background of the Seminar

Cloud computing is a technology that uses the internet and central remote servers to maintain data and applications. Cloud computing allows consumers and businesses to use applications without installation and access their personal files at any computer with internet access. This technology allows for much more efficient computing by centralizing storage, memory, processing and bandwidth.

Recent developments in the field of cloud computing have immensely changed the way of computing as well as the concept of computing resources. In a cloud-based computing infrastructure, the resources are normally in someone else's premises or network and are accessed remotely by the cloud users (Petre, 2012; Ogigau-Neamtiu, 2012; Singh & Jangwal, 2012). Processing is done remotely, which means that the data and other elements from a person need to be transmitted to the cloud infrastructure or server for processing, and the output is returned upon completion of the required processing. In some cases, it might be required, or at least possible, for a person to store data on remote cloud servers. This gives the following three sensitive states or scenarios that are of particular concern within the operational context of cloud computing:

(A) The transmission of personal sensitive data to the cloud server,

(B) The transmission of data from the cloud server to clients' computers and

(C) The storage of clients' personal data in cloud servers, which are remote servers not owned by the clients.

All three of the above states of cloud computing are severely prone to security breaches, which makes research and investigation into the security aspects of cloud computing practice imperative. A number of different blends are being used in the cloud computing realm, but the core concept remains the same – the infrastructure, or roughly speaking, the resources, remain somewhere else under someone else's ownership, and the users 'rent' it for the time they use the infrastructure (Bisong & Rahman, 2011; Rashmi, Sahoo & Mehfuz, 2013; Qaisar & Khawaja, 2012). In some cases, sensitive data stored at remote cloud servers must also be counted. Security has been at the core of safe computing practices. When it is possible for any unwanted party to 'sneak' into private computers by different means of 'hacking', the widened scope for accessing someone's personal data by means of cloud computing raises further security concerns. Cloud computing cannot eliminate this widened scope due to its nature and approach. As a result, security has always been an issue with cloud computing practices. Robust security and a secured computing infrastructure are not a one-off effort but an ongoing one – this makes it essential to analyze and understand the state of the art of cloud computing security as a mandatory practice. Cloud is mainly categorized as private cloud, community cloud, public cloud and hybrid cloud (Ogigau-Neamtiu, 2012; Singh & Jangwal, 2012; Rashmi et al., 2013; Qaisar & Khawaja, 2012; Kuyoro, Ibikunle & Awodele, 2011; Suresh & Prasad, 2012; Youssef, 2012) - the discussion in this paper assumes that only one category of cloud exists, the public cloud, as this assumption will well satisfy all the characteristics of any other type of cloud. Due to its diversified potential, cloud computing is being thought of as the 5th utility, joining the league of the existing utilities of water, electricity, gas and telephony (Buyya, Yeo, Venugopal, Broberg & Brandic, 2009), rather than being just another service.

1.1 Objectives of the Seminar

The study presented in this seminar is organized with a view to identifying and discussing the approach to cloud computing security, the concerns that must be taken into account in the deployment of a cloud-based computing infrastructure, and the approaches to mitigating the security threats inherent in cloud computing.

1.2 Scope of the Seminar

This seminar first gives information about cloud computing and then describes the security threats of cloud computing. Finally, it discusses how to mitigate these security threats and gives recommendations for doing so.

This seminar does not present new ideas or innovations in cloud computing. It is intended to be a guide for people who are interested in cloud computing and want to take advantage of cloud computing services.

1.3 SECURITY THREATS IN CLOUD COMPUTING

Security threats in cloud computing are an important issue for cloud service providers and cloud service customers. Threats are usually related to information security because of the data and applications involved. Cloud computing services face a wide variety of threats because they combine several technologies. A prospective customer who wants to use a cloud computing service should be aware of the security threats. This section identifies the security threats and their effect on data security.

1.3.1 Information Security

Information security is of great importance in the cloud. Cloud computing is a combination of several different technologies, and it therefore faces just as many security threats. These threats are: lack of cloud provider security, attacks by other customers, physical security, availability and reliability, legal and regulatory issues, data loss/leakage, and shared technology vulnerabilities.

The confidentiality, integrity and availability (CIA) security model is the basic element of information security. Therefore, the cloud provider must supply this security model to customers. All data and applications are maintained by cloud providers, so the provider must ensure the security of the data.

1.3.2 Physical Security

Physical security implies that the data center in which the cloud is hosted should be secure against physical threats. This includes not only attempts at penetration by intruders, but also protection against natural hazards and disasters such as floods, and human error such as switching off the air conditioning. For this reason, data center location is important. Cloud computing customers must pay attention to location when they choose cloud computing providers. Data must first be protected physically. Cloud computing providers must protect their infrastructure and choose a special location for the data center. Specific entry/exit control techniques are required for physical security. These controls should identify personnel and search individuals, vehicles, and materials.

1.3.3 Software Security

Software security is an important issue for cloud computing because many companies share the same systems and storage. Many companies develop many software programs and deploy them on cloud computing systems. Some software programs have bugs and vulnerabilities. When a hacker enters a system by exploiting vulnerabilities in a software program, the hacker can access the whole system in the cloud. Therefore, all software programs must be tested for security before being deployed in the cloud.

1.3.4 Data Investigation

Cloud computing consists of many different systems. For that reason, finding information is difficult in a cloud environment. When people need data to investigate an illegitimate activity, they must have enough time to analyze the data. In addition, data for multiple customers may be co-located and may also be spread across multiple data centers. Users' knowledge is usually not sufficient for using the cloud computing environment. The service provider may also impose restrictions on the network security of the service users.

If cloud computing customers have important and sensitive data, they must work with the best cloud computing service providers. Cloud computing service providers must guarantee that they will provide the necessary information quickly.

1.3.5 Data Segregation

Cloud computing providers store different customers' data on the same devices. Poor segregation of resources increases the risk of vulnerability, and attackers may succeed in stealing data. This threat can be overcome by providing complete isolation of customer data on a dedicated physical server. In addition, all data in the cloud must be encrypted with a strong password to counter this threat. Encrypted data cannot be used even if it is stolen by attackers. However, strong encryption may increase costs, and the data may be destroyed by an encryption accident.

When service providers change business arrangements in order to ensure data security, this may affect customers adversely, so that the available data is not correctly delivered to the customer at all times of need.

1.3.6 Data Recovery

All data is stored on the cloud computing provider's physical devices and is backed up by the provider. Data and its backup may be stored on the same physical devices. This is a major data security problem in natural and man-made disasters. However, the cloud is a service aimed at preserving your data, not protecting it. Cloud computing customers should discuss these events with cloud providers. Cloud service providers must ensure data security in natural and man-made disasters. The goal is to minimize the risk of data loss and to recover successfully from a loss. In the case of any such unwanted event, the provider must perform a complete and quick restoration.

1.3.7 Data Location

Most well-known cloud service providers have data centers around the globe, and some service providers take advantage of their global data centers. However, in some cases applications and data might be stored in countries that raise judicial concerns. In illegal situations involving data, the laws of the country where the data is stored are applied. This can be a big problem for punishing the real criminals. Data may be inaccessible because of the laws of the country where it is stored. If cloud computing customers have sensitive personal data or private data, they prefer a cloud computing provider in their own country for legal processes. Furthermore, sensitive data must be protected for reasons of homeland security. Data must be stored in one's own country.

1.3.8 Secure Data Transfer

All traffic passes between the cloud computing customers and the cloud provider's network, and all data travels through the Internet. There are many threats to data being transferred. If an attacker gains access to the network, he/she can listen to the entire data flow. If the security measures are not satisfactory, this is big trouble for customers. Thus, service providers must make sure that data always travels on a secure channel. When data is transferred, it must be encrypted.

1.3.9 User Access Control

First, sufficient user access control must be in place to protect sensitive data in the cloud. Because data for multiple customers may be co-located in the cloud, other people may be able to access other customers' data. This is an important risk for sensitive data. Cloud service vendors must provide the best access management for cloud customers. Access management means allowing access to cloud facilities only to authorized users. Additional requirements are:

Cloud management personnel must not have unrestricted access

(A) Multi-factor authentication, for example password and fingerprint

(B) Accounts are not shared, for example admin

(C) White-listing of IP addresses for remote actions
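The access requirements listed above can be combined into a single policy check that reports every requirement a request violates. The following Python code is an added example, not part of the original report; the role names, account names, factor categories and address ranges are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed policy values for illustration (documentation address ranges).
SHARED_ACCOUNT_NAMES = {"admin", "root", "administrator"}
REMOTE_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("2001:db8:10::/48")]

# Factor categories, so that two secrets of the same kind count only once.
FACTOR_CATEGORY = {"password": "knowledge", "pin": "knowledge",
                   "token": "possession", "certificate": "possession",
                   "fingerprint": "inherence"}


@dataclass
class AccessRequest:
    account: str      # login name presented
    role: str         # "customer" or "cloud_staff" (hypothetical role names)
    factors: set      # factor types already verified for this session
    source_ip: str    # address the remote action originates from
    resource: str     # facility being accessed, e.g. "tenant-a/storage"
    grants: set = field(default_factory=set)  # resources the account may use


def evaluate(req: AccessRequest) -> list:
    """Return the violated requirements; an empty list means access is allowed."""
    violations = []

    # Only authorized users reach a facility. A wildcard grant never
    # satisfies this check: authorization must name the resource.
    if req.resource not in req.grants:
        violations.append("not-authorized-for-resource")

    # Cloud management personnel must not hold unrestricted access.
    if req.role == "cloud_staff" and "*" in req.grants:
        violations.append("staff-unrestricted-access")

    # (A) Multi-factor: at least two different categories of factor.
    categories = {FACTOR_CATEGORY.get(f) for f in req.factors} - {None}
    if len(categories) < 2:
        violations.append("mfa-required")

    # (B) Shared or generic accounts are refused outright.
    if req.account.lower() in SHARED_ACCOUNT_NAMES:
        violations.append("shared-account")

    # (C) Remote actions are accepted only from allow-listed addresses.
    try:
        addr = ipaddress.ip_address(req.source_ip)
    except ValueError:
        violations.append("ip-unparseable")
    else:
        if not any(addr in net for net in REMOTE_ALLOWLIST):
            violations.append("ip-not-allowlisted")

    return violations


if __name__ == "__main__":
    # Constructed requests: one compliant, one using a shared staff account.
    ok = AccessRequest("alice", "customer", {"password", "fingerprint"},
                       "203.0.113.7", "tenant-a/storage", {"tenant-a/storage"})
    bad = AccessRequest("admin", "cloud_staff", {"password", "token"},
                        "198.51.100.9", "tenant-a/storage", {"*"})
    print("alice:", evaluate(ok) or "allowed")
    print("admin:", evaluate(bad))
```

Returning all violations rather than stopping at the first one gives the audit log a complete record of why a request was refused.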

1.4 MITIGATION OF SECURITY THREATS IN CLOUD COMPUTING

There are several types of security threats to which cloud computing is vulnerable. These threats damage the confidentiality, integrity and availability (CIA) security model. Accordingly, solutions to security threats aim to protect the CIA security model. Many recommendations that address security issues are offered in this section.

First, cloud computing customers should find the best cloud provider. Each cloud service provider has different data security and data management. Hence, the customer should determine the requirements for cloud services and then choose the right cloud provider. The cloud provider must also have experience, standards and regulation regarding cloud service.

Data is transferred between the customer's network and the cloud over the Internet. Therefore, data must always travel on a secure channel. HTTP is insecure because it sends all data as plain text. Attackers gain access to website accounts and sensitive information with man-in-the-middle and eavesdropping attacks. Connect from the browser with HTTPS, because everything in the HTTPS message is encrypted with SSL. Also, standard protocols should be used for authentication.

User access control is important in cloud computing because of sensitive and private data. Only authorized persons should see the information, and persons should be authorized only for as long as they need it. Customers should ask service providers for specifics about the people who manage their data and the level of access they have to it.

Cloud service provider environments require tight integration with enterprise policies around individual and group access, authentication and auditing (AAA). This involves integrating corporate directories and group policies with the service provider's policies. Service providers should offer stronger authentication methods to enterprises, such as 2-factor hard or soft tokens or certificates.

The logs of all systems and network components must be stored and monitored so that unwanted events can be analyzed. Logging and monitoring events is the process of auditing. Auditing is important for analyzing events and is necessary to provide security. Cloud computing customers should discuss day-to-day log monitoring with the cloud provider. In addition, the audit log should be centrally preserved. People who monitor the audit log should be authenticated and authorized.

Unfortunately, auditing is a passive defense, because a critical security event comes to light only after it has occurred. Auditing helps people respond to unwanted events quickly. Thus, the cloud provider may improve the process by including a cloud-wide intrusion and anomaly detection system. Intrusion detection systems may be installed in the infrastructure for security.

Security testing is also important for providing security in cloud computing. Security tests should be performed on software before it is deployed in the cloud infrastructure. Software patches should be tested for security before they are installed. Additionally, security testing should be carried out continuously to identify vulnerabilities in the cloud system. Depending on the risk assessment, some of these tests may be performed by third parties. There should also be a process to resolve identified vulnerabilities.

If all systems in the data center are synchronized to the same clock, this helps both to ensure correct operation of the systems and to facilitate later analysis of system logs. If time zones differ, this is a big problem for logs and for synchronizing systems. Analyzing a security-related event requires data such as the time at which the problem occurred.
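The effect of differing time zones on log analysis can be shown by merging audit lines from several hosts into one UTC timeline. The following Python code is an added example, not part of the original report; the log format, host names, events and heartbeat readings are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed audit lines. Assumed format: <ISO-8601 time> <host> <event>
SAMPLE_LOGS = [
    "2015-09-07T04:00:05-04:00 nyc-db bulk-export user=alice",
    "2015-09-07T16:59:58+09:00 tyo-auth password-reset user=alice",
    "2015-09-07T09:00:01+01:00 los-web login user=alice",
    "2015-09-07T08:00:03 legacy-app config-changed",   # no offset: ambiguous
]

# Constructed clock readings taken by each host for one shared heartbeat.
SAMPLE_HEARTBEATS = {
    "tyo-auth": "2015-09-07T17:00:00+09:00",
    "nyc-db": "2015-09-07T04:00:45-04:00",
}


def parse_line(line):
    """Return (UTC datetime, host, event); reject timestamps without an offset."""
    stamp, host, event = line.split(" ", 2)
    ts = datetime.fromisoformat(stamp)
    if ts.tzinfo is None:
        # A wall-clock time with no offset cannot be placed on the timeline.
        raise ValueError(f"{host}: timestamp {stamp} has no UTC offset")
    return ts.astimezone(timezone.utc), host, event


def build_timeline(lines):
    """Return (events sorted by UTC time, list of rejected (line, reason))."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(parse_line(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    events.sort(key=lambda e: e[0])
    return events, rejected


def naive_order(lines):
    """Host order produced by sorting on wall-clock text and ignoring offsets."""
    return [l.split(" ", 2)[1] for l in sorted(lines, key=lambda l: l[:19])]


def skewed_hosts(heartbeats, reference, tolerance=timedelta(seconds=2)):
    """Hosts whose reading of a shared heartbeat deviates from the reference.

    Offsets fix time-zone differences only; a drifting clock still needs
    synchronization, which this check is meant to reveal.
    """
    ref = datetime.fromisoformat(reference).astimezone(timezone.utc)
    skew = {}
    for host, stamp in heartbeats.items():
        delta = datetime.fromisoformat(stamp).astimezone(timezone.utc) - ref
        if abs(delta) > tolerance:
            skew[host] = delta.total_seconds()
    return skew


if __name__ == "__main__":
    events, rejected = build_timeline(SAMPLE_LOGS)
    for ts, host, event in events:
        print(ts.isoformat(), host, event)
    print("naive order:", naive_order(SAMPLE_LOGS[:3]))
    print("rejected:", [reason for _, reason in rejected])
    print("skew:", skewed_hosts(SAMPLE_HEARTBEATS, "2015-09-07T08:00:00+00:00"))
```

In the sample data the wall-clock sort places the bulk export first and the password reset last, the reverse of the order in which the events actually occurred.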

In a cloud with shared storage, encryption is a key technology to ensure isolation of access. The cloud infrastructure needs to provide secure facilities for the generation, assignment, revocation, and archiving of keys. It is also necessary to establish procedures for recovering from compromised keys.

Policies, standards and guidelines should be developed, documented, and implemented. Cloud computing providers must comply with these standards and policies. To maintain relevancy, these policies, standards, and guidelines should be reviewed at regular intervals or when significant changes occur in the business or IT environment.

Training or programs should be developed that provide a baseline of fundamental security and risk management skills and knowledge for the cloud computing providers, the security team and their internal partners.

CHAPTER TWO

LITERATURE REVIEW

2.1 History of Cloud Computing

Cloud computing is a computing term or metaphor that evolved in the late 1900s, based on utility and consumption of computer resources. Cloud computing involves deploying groups of remote servers and software networks that allow different kinds of data sources to be uploaded for real time processing to generate computing results without the need to store processed data on the local machine. Clouds can be classified as public, private and hybrid.

Cloud computing relies on sharing of resources to achieve coherence and economies of scale, similar to a utility (like the electricity grid) over a network. At the foundation of cloud computing is the broader concept of converged infrastructure and shared services. Cloud computing, or in simpler shorthand just "the cloud", also focuses on maximizing the effectiveness of the shared resources. Cloud resources are usually not only shared by multiple users but are also dynamically reallocated per demand. This can work for allocating resources to users. For example, a cloud computer facility that serves European users during European business hours with a specific application (e.g., email) may reallocate the same resources to serve North American users during North America's business hours with a different application (e.g., a web server). This approach should maximize the use of computing power thus reducing environmental damage as well since less power, air conditioning, rack space, etc. are required for a variety of functions. With cloud computing, multiple users can access a single server to retrieve and update their data without purchasing licenses for different applications.

The term "moving to cloud" also refers to an organization moving away from a traditional CAPEX model (buy the dedicated hardware and depreciate it over a period of time) to the OPEX model (use a shared cloud infrastructure and pay as one uses it).

2.2 CLOUD COMPUTING INFRASTRUCTURE

The term cloud computing is rather a concept, a generalized meaning evolved from distributed and grid computing. Cloud computing is described as the offspring of distributed and grid computing by some authors (Che, Duan, Zhang & Fan, 2011). The straightforward meaning of cloud computing refers to the features and scenarios where total computing could be done by using someone else's network, where ownership of hardware and soft resources lies with external parties. In general practice, the dispersed resources that are considered to be the 'cloud' by the users are essentially a form of distributed computing, though this is not apparent to the users and, by the definition of cloud computing, does not have to be.

In recent years, the cloud has evolved in two broad perspectives – to rent the infrastructure in the cloud, or to rent a specific service in the cloud. Where the former deals with hardware and software usage on the cloud, the latter is confined to the 'soft' products or services from the cloud service and infrastructure providers. With the evolution of cloud computing, the computing world has been introduced to a number of terminologies such as SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service). As discussed earlier, the term 'cloud computing' is rather a concept, and so are the terminologies that define the different blends of cloud computing. At its core, cloud computing is nothing but a specialized form of grid and distributed computing which varies in terms of infrastructure, services, deployment and geographic dispersion (Hashizume et al., 2013; Westphall et al., 2011; Hamlen, Kantarcioglu, Khan, & Thuraisingham, 2010). In a pervasive meaning within the context of computer networks, infrastructure could be thought of as the hardware as well as its alignment, whereas the platform is the operating system, which acts as the platform for the software (Singh & Jangwal, 2012; Lee, 2012). Thus the concept of cloud-based services is hierarchically built from bottom to top in the order of IaaS, PaaS and SaaS. This is merely the level of abstraction that defines the extent to which an end-user could 'borrow' the resources, ranging from infrastructure to software – the core concern of security and the fashion of computing are not affected by this level of abstraction. As a result, security is to be considered within any form of cloud computing (Bisong & Rahman, 2011) regardless of flavour, hierarchy and level of abstraction. Virtualization is an inevitable technology that is highly coupled with the concept of cloud computing (Buyya et al., 2009; Ogigau-Neamtiu, 2012; Hashizume et al., 2013; Kim, 2009; Mosher, 2011; Atayero & Feyisetan, 2011; Zissis & Lekkas, 2012) – it is the virtualization technology that complements cloud services, especially in the form of PaaS and SaaS, where one physical infrastructure contains services or platforms delivered to a number of cloud users simultaneously. This adds the full set of security aspects of virtualization technology on top of the existing security concerns and issues of cloud computing.

Figure 1 illustrates a typical cloud-based scenario that includes the cloud service provider and the cloud users in a cloud computing architecture.

Figure 1: A Typical Cloud Architecture

The illustration of cloud architecture in figure 1 is the simplest one, in which a few complex characteristics of cloud computing (e.g. redundancy, server replication, and geographic dispersion of the cloud providers' network) are not shown – the purpose of the illustration is to establish the arrangement that makes the concept of cloud computing a tangible one. The network architecture is self-explanatory, with the cloud users identified, when considered in line with the discussion of the cloud computing concept presented earlier. One notable point about the architecture is that, while the cloud users are clearly identified and named as such because of their remote location and means of remote access to the cloud servers, the admin users who administer the cloud servers are not cloud users in any form with respect to the cloud service provider's network in the scenario. It is arguable whether the LAN users in figure 1 are cloud users or not. Such room for argument could exist because the phrase 'cloud computing' is a concept rather than a technical terminology. If the definition of cloud computing is taken to require that the servers be located remotely and accessed through public infrastructure (or through the cloud), then the LAN users in figure 1 may not be considered cloud users in this context. With respect to distributed and grid computing as the mother technology that defines the infrastructural approach to achieving cloud computing, the LAN users in the scenario are essentially cloud users when they use the cloud services offered by the servers; the LAN users in this perspective are essentially using resources that are 'borrowed' from the servers on an on-demand basis.

Figure 2 illustrates the hierarchical arrangement based on which a cloud is perceived in the form of IaaS, PaaS and SaaS from any cloud end-user's viewpoint.

Figure 2: Cloud Service Hierarchy

As depicted in figure 2, the technical details, arrangements and management of the cloud service providers' network are transparent to the cloud user. From the cloud user's end, the service from the provider comes in the form of SaaS, PaaS or IaaS, and the cloud user has no interest in or concern about what goes on in the internal arrangement of the cloud service providers' network. Any disruption, of any form and for whatever reason, appears to the cloud users as either service unavailability or quality deterioration – its effect and the ways to counter it are a critical part of the cloud infrastructure. Security issues might play a stimulating role as a driving factor for any such disruption.

CHAPTER THREE

3.0 CONCLUSION

Cloud computing has enormous prospects, but the security threats embedded in the cloud computing approach are directly proportional to its offered advantages. The vast possibilities of cloud computing cannot be ignored solely because of security issues – the ongoing investigation and research for robust, consistent and integrated security models for cloud computing could be the only path of motivation.

Security for the cloud computing environment is a requirement that cannot be compromised. Cloud computing will inevitably become the ideal (and possibly the ultimate) approach to business computing, though the security barriers along with other issues need to be resolved for cloud computing to become more viable (Marston, Li, Bandyopadhyay, Zhang & Ghalsasi, 2011).

Regardless of the nature of the security issues, it can be undoubtedly concluded that, given the severe adverse effects of security breaches in cloud computing, the deployment of any form of cloud computing should deal with security concerns in a manner corresponding to that of safety-critical systems.

3.1 RECOMMENDATION

Cloud computing customers should find the best cloud provider. Each cloud service provider has different data security and data management. Hence, the customer should determine the requirements for cloud services and then choose the right cloud provider. The cloud provider must also have experience, standards and regulation regarding cloud service.

Security testing is also important for providing security in cloud computing. Security tests should be performed on software before it is deployed in the cloud infrastructure.

REFERENCES

Abbadi, I.M. and Martin, A. (2011). Trust in the Cloud. Information Security Technical Report, 16, 108-114. doi:10.1016/j.istr.2011.08.006

Agarwal, A. and Agarwal, A. (2011). The Security Risks Associated with Cloud Computing.

Homomorphic Encryption. Journal of Emerging Trends in Computing and Information Sciences, 2(10), 546-552.

Bisong, A. and Rahman, S.S.M. (2011). An Overview of the Security Concerns in Enterprise Cloud Computing. International Journal of Network Security & Its Applications, 3(1), 30-45. doi:10.5121/ijnsa.2011.3103

http://www.wikipedia.com/

http://www.gentyict.blogspot.com/