@IJRTER-2016, All Rights Reserved 533
User centric security requirements and threat analysis in Cloud Computing
Sunny Sharma1, Prithvipal Singh2, Amritpal Singh3
1,2,3Dept. of Computer Science, Guru Nanak Dev University
Abstract— The evolution of network and computational technologies has gone through a
remarkable phase of growth and development. The growth curve has been very steep in the major
application domains of these technologies. The advent of Cloud computing, Big Data analytics,
Evolutionary computing, Internet of Things (IoT) etc. has enhanced the implementation avenues of
these technologies in various application areas. Cloud computing (CC) has emerged as a special area
of interest for many researchers in view of its huge application-domain scope. Research is being
done on different aspects of CC to identify areas of improvement and their respective remedies.
One important issue in CC is security, because of the various threats that come with working on a
network architecture. This paper goes through various review papers and research papers to identify
the threats and security requirements for different levels of use and the corresponding users. It
reviews the perspective of users at various levels, as already described in good quality research
papers that highlight security requirements, and emphasizes the threats users face for those
security requirements. The required mix of security considerations can be better defined if the
threats involved are taken into account; the respective remedies can then be designed with the user
perspective in mind, and users' cloud computing experience can be enhanced by following appropriate
security measures.
Keywords—Level of use and users, Threats, Performance domain, Security consideration, Cloud
computing (CC), Big Data
I. INTRODUCTION
According to the NIST definition: “Cloud computing (CC) is a model for enabling convenient,
on-demand network access to a shared pool of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be rapidly provisioned and released with
minimal management effort or service provider interaction.” In CC, various service providers (SPs),
namely Amazon, Google, Salesforce etc., provide different kinds of services across the world;
different companies (Microsoft, Google, IBM 2, Yahoo) in different locations are even deploying very
high computational data centers (DCs). Recent DCs have high-end servers for hosting applications.
[1]
II. CHARACTERISTICS OF CLOUD COMPUTING
Five key characteristics of CC:
• Computing resources (VM, storage, processing power etc.) can be obtained at any time without any human interaction with cloud service providers (CSPs). (On-demand self-service)
• Resources are accessible over various networks from heterogeneous platforms such as PDAs, mobiles, and laptops. (Broad network access)
• Multiple users share resources pooled by CSPs; this is known as multi-tenancy. (Resource pooling)
• A customer can rapidly obtain and release computing resources by scaling out and scaling in according to need. (Rapid elasticity)
International Journal of Recent Trends in Engineering & Research (IJRTER) Volume 02, Issue 04; April - 2016 [ISSN: 2455-1457]
• Usage of computing resources is measured by taking proper metrics into consideration, such as bandwidth usage, processor hours, usage of monitoring storage etc. (Measured service)
III. SERVICES/BUSINESS MODELS
All SPs implement the characteristics mentioned above, but each offers services to its
customers at a different level. There are three main service or business models provided to
customers by CSPs.
• Infrastructure as a Service (IaaS) provides various kinds of resources like storage, network bandwidth, servers (VMs), and the various tools required to develop user-specific applications. Moreover, some SPs promise to provide virtually endless computing resources. Examples of IaaS providers include Amazon EC2, Flexiscale etc.
• Platform as a Service (PaaS) provides a platform for application developers to write personalized applications, in which scale-out, load balancing and maintenance are managed by the SP so that developers can focus on application functionality. Examples of PaaS providers include Amazon S3, Mosso, Google App Engine.
• Software as a Service (SaaS) provides applications made by CSPs that are available over the Internet. Examples of SaaS providers include Gmail, Salesforce, Google Docs.
Fig 1. Cloud services/Business model [1]
The business models explained above are deployed on various types of clouds, depending on who
uses and owns them. There are four main deployment models in the cloud provided by CSPs.
• Private cloud: designed entirely for one organization; it may be operated by a third party or by the organization itself. It is also referred to as an internal cloud, e.g. Co-laboratory and the Concur Technologies company, which have an internal cloud.
• Public cloud: offers its resources and services to the public; it demands major investment, so it is owned by reputed companies like Google, Microsoft, and Amazon.
• Community cloud: set up for definite specifications and also shared by several companies for supporting research, e.g. Open Cirrus, which has its community cloud.
• Hybrid cloud: a blend of private and public clouds. In this cloud, the private cloud runs the infrastructure service part and the public cloud runs the rest. It provides security and control over cloud data, more flexibility, and better support for on-demand contraction and expansion of service than other clouds. [1][2][5][6][7][8][9][14]
Table 1: The characteristics of various cloud models (Security perspective)[3][4]
| Characteristic | Public Cloud | Private Cloud | Hybrid Cloud |
|---|---|---|---|
| Security | Low | High | Moderate |
| Reliability | Moderate, service provider availability and internet connectivity dependent | High, majority of the organizations equipments are in-house | Moderate to high, duplicate content lies within organization |
| Data Security-Solutions | Entire data is public so not much secure | Data stays within the private cloud so its secure | Personal data is used in encrypted format and Sensitive-data is stored in private cloud so good security options available |
| Accountability-Solutions | Privacy violation chances are Medium | Privacy violation chances are Low | Every step requires an audit. Data-loss, leakage or privacy violation regarded as a threat |
| Data-Handling | Data is on public-platform | Data is on private-platform | Hidden Confidential data. Defined geographical-location of data and defined data destruction policies |
IV. LEVEL OF USE, USER AND THREATS
At the application level, using Software as a Service (SaaS), the term End-user applies to a person
or organization who subscribes to a service offered by a cloud provider and is accountable for its
use. At the virtual level, using Platform as a Service (PaaS) and Infrastructure as a Service
(IaaS), the term Developer–moderator applies to a person or organization that deploys software on a
cloud infrastructure. At the physical level, using the physical datacenter, the term Owner applies
to a person or organization that owns the infrastructure upon which clouds are deployed [8].
Information System (IS) security involves threat identification; identified threats can be handled
by selecting and applying appropriate counter-measures. The security requirements and selected
security controls recognised earlier are put through a basic systems-engineering process to properly
merge the security controls with the IS requirements, together with other important system
considerations [10]. The architectural design and characteristics of Cloud computing provide many
security advantages, including security centralization, segmentation of data and processes,
redundancy and high availability. While the majority of conventional risks are properly tackled, a
set of different security challenges is introduced by the infrastructure's singular properties. The
distinctive properties of Cloud computing need risk assessment in various categories, specifically
at its various implementation levels. [11][12][13][14][15][16]
Table 2: User centric security requirements and related threats. [8][9]
V. CONCLUSION
The concept of cloud computing in various application areas is bringing about a revolutionary
change in the way the industry works. The benefits of involving technology and the Internet in
conventional business models are far reaching and rewarding. Considering security threats at each
level of cloud computing, together with the user perspective, defines the security requirements;
these can be made further specific to the needs of a business domain, which can enhance the working
of any business and its service providers. Also, correctly identifying threats and taking them into
account in the design of security measures not only makes the process more secure but also adds an
element of cost effectiveness to the entire process. The considerations are apparent in terms of
enhanced user experience in secure cloud usage. Proper measures taken to address the security
concerns will infuse confidence in users at various levels and will be very helpful in the growth
of the cloud community.
REFERENCES
1. Ilango Sriram, Ali Khajeh-Hosseini, “Research Agenda in Cloud Technologies” submitted to the 1st ACM Symposium on Cloud Computing, SOCC 2010, arXiv:1001.3259
2. Kaur, Manpreet, and Hardeep Singh. "A Review of Cloud Computing Security Issues." International Journal of Grid and Distributed Computing IJGDC 8.5 (2015): 215-22. Web.
3. Kaur, Karandeep. "A Review of Cloud Computing Service Models." International Journal of Computer Applications IJCA 140.7 (2016): 15-18. Web.
4. Rao, T. Venkat, Kamsali Naveena, & Reena David. "A New Computing Environment Using Hybrid Cloud." Journal of Information Sciences and Computing Technologies [Online], 3.1 (1): 180-185. Web. 5 Mar. 2016
5. PLUMMER, D.C., BITTMAN, T.J., AUSTIN, T., CEARLEY, D.W., and SMITH, D.M., Cloud Computing: Defining and Describing an Emerging Phenomenon, 2008.
6. STATEN, J., Is Cloud Computing Ready For The Enterprise?, 2008.
7. MELL, P. and GRANCE, T. 2009. Draft NIST Working Definition of Cloud Computing. ERDOGMUS, H. 2009. Cloud Computing: Does Nirvana Hide behind the Nebula? Software, IEEE 26, 2, 4-6.
8. Zissis, Dimitrios, and Dimitrios Lekkas. "Addressing Cloud Computing Security Issues." Future Generation Computer Systems 28.3 (2012): 583-92. Web.
9. R. Sherman, Distributed systems security, Computers & Security 11 (1) (1992).
10. National Institute of Standards and Technology. Guide for mapping types of information and information systems to security categories, NIST 800-60, 2008.
11. LEMOS, R. 2009. Inside One Firm's Private Cloud Journey. Retrieved December 1, 2009, from http://www.cio.com/article/506114/Inside_One_Firm_s_Private_Cloud_Journey
12. Open Cirrus™: the HP/Intel/Yahoo! Open Cloud Computing Research Testbed. Retrieved December 1, 2009, from https://opencirrus.org/
13. BUYYA, R., RANJAN, R. and CALHEIROS, R. N. 2009. Modeling and simulation of scalable Cloud computing environments and the CloudSim toolkit: Challenges and opportunities. In High Performance Computing & Simulation, 2009. HPCS '09. International Conference on, 1-11.
14. VAQUERO, L., MERINO, L., CACERES, J. and LINDNER, M. 2009. A break in the clouds: towards a cloud definition. SIGCOMM Comput. Commun. Rev. 39, 1, 50-55.
15. YOUSEFF, L., BUTRICO, M. and DA SILVA, D. 2008. Toward a Unified Ontology of Cloud Computing. In Grid Computing Environments Workshop, 2008. GCE '08, 1-10.
16. Ostermann, Simon, Alexandru Iosup, Nezih Yigitbasi, Radu Prodan, Thomas Fahringer, and Dick Epema. "A Performance Analysis of EC2 Cloud Computing Services for Scientific Computing." Cloud Computing Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering (2010): 115-31. Web.