This is a literature survey of security issues and countermeasures in cloud computing. The paper gives an overview of cloud computing and of its security issues.
Literature Review: Security on cloud computing
Security Issues and countermeasures on Cloud Computing
Suranga Nisiwasala
University of Colombo School of Computing
Abstract
Cloud computing has quickly become one of the most significant fields in the IT world due to its
revolutionary model of computing as a utility. It brought increased flexibility, scalability, and reliability,
while decreasing operational and support costs. The development of cloud computing provides
business-supporting technology in a more efficient way than ever before. The shift from server-based to
service-based technology brought a significant change in computing technology. However, these
developments have created new security vulnerabilities, including security issues whose full impact is
still emerging. This paper presents an overview and study of cloud computing, including the main service
models of cloud computing, the general deployment models, security issues, threats, vulnerabilities and
challenges of cloud computing. The main goal of this paper is to present possible solutions for
preventing security threats in cloud computing.
1. Introduction
Cloud computing, as defined by NIST, is a model for enabling always-on, convenient, on-demand
network access to a shared pool of configurable computing resources (e.g. storage, applications,
services etc.) that can be rapidly provisioned and released with minimal management effort or service
provider interaction [12]. At the core of cloud computing is a datacenter that uses virtualization to
isolate instances of applications or services being hosted in the “Cloud”.
2. Cloud Computing Service Models
Software as a Service (SaaS): The cloud provider provides the cloud consumer with the capability to
deploy an application on a cloud infrastructure [12]; in a way, it can be defined as providing
business application services on demand, such as email, conferencing software, and business
applications. SaaS makes it unnecessary for the customer to have a physical copy of the software
installed on a PC, laptop or any other client device. SaaS is sometimes referred to as service
or application clouds. Often it is a kind of standard application software functionality offered
within a cloud (e.g. Salesforce CRM, Google Docs, Google Calendar, SAP Business ByDesign).
Among the three fundamental delivery models in the cloud, SaaS users have the least control over
security. The adoption of SaaS applications may raise some security concerns:
Application security: flaws in web applications may create vulnerabilities for SaaS applications,
which can be used to steal sensitive data.
Multi-tenancy: a single instance serves all customers, which risks data leakage (security policies
are needed to ensure that each customer’s data is kept separate from other customers’ data).
Data security: organizational data is often processed in plaintext and stored in the cloud. Data
backup is critical to the recovery process, so cloud providers subcontract the backup.
Data privacy there
Accessibility: accessing applications over the internet via a web browser makes access from any
network device easier, including public computers and mobile devices. It exposes the services
to additional security risk. Mobile computing threats: information-stealing mobile malware,
insecure networks (Wi-Fi), vulnerabilities found in the device operating system and official
applications, insecure marketplaces and proximity-based hacking.
Platform as a Service (PaaS): The cloud provider provides the cloud consumer with the capability
to develop and deploy applications on a cloud infrastructure using tools, runtimes, and services
supported by the CSP [12]. The customer doesn’t have access to the underlying cloud
infrastructure, including network, servers, operating systems, or storage, but has control over the
deployed tools/services and probably configuration settings for the application-hosting
environment. This provides a set of developer environments that a customer can use to build their
applications without needing to know what is going on beneath the service. PaaS is a
platform where applications can be developed, tested and used (e.g. Google App Engine,
Force.com, Microsoft Windows Azure, Java).
PaaS application security can be divided into two parts: security of the platform itself and
security of customer applications deployed on the PaaS platform. PaaS providers are responsible for
securing the platform software stack, which includes the runtime engine that runs the customer
applications. Like SaaS, PaaS also brings data security issues, which are described as follows [1].
Third-party relationships: PaaS not only provides traditional programming languages
but also offers third-party web service components such as mashups. Mashups combine
more than one source element into a single integrated unit, so PaaS models also inherit
security issues related to mashups, such as data and network security.
Underlying infrastructure security: generally in PaaS, developers are not allowed to access the
underlying layers, so providers are responsible for securing that layer as application services.
Infrastructure as a Service (IaaS): The cloud provider provides the cloud consumer with essentially
a virtual machine. The cloud consumer has the ability to deploy and run arbitrary software
supported by the operating systems run by the virtual machine [1]. It provides a pool of resources
such as servers, storage, networks and other computing resources in the form of virtualized
systems, which are accessed through the internet. It is the hardware and software that power the
cloud. The customer doesn’t have access to the underlying cloud infrastructure but has control
over operating systems, storage, and deployed applications, and probably limited control over
selected network components (e.g. Amazon S3, Microsoft Windows Azure, Mosso).
Here are some security issues related to IaaS:
Virtualization: this allows users to create, share, copy, migrate and roll back virtual
machines, which may allow them to run a variety of applications. This layer has two
boundaries, virtual and physical, so flaws in either leave it vulnerable to any type of
attack.
Virtualization has the ability to migrate virtual machines between physical servers for load
balancing, fault tolerance and maintenance. Using this ability, an attacker can transfer the
virtual machine to a malicious server.
Virtual machine rollback: a VM can be rolled back to a previous state if an error happens. But
rolling back creates another vulnerability: it can undo patches or re-enable previously
disabled passwords or accounts, which an attacker can then use.
Virtual network: the VM vulnerabilities were mentioned earlier. A virtual network increases
the VMs’ connectivity, so through the virtual network it is possible to perform attacks
such as sniffing and spoofing the virtual network.
3. Cloud Deployment Model [4]
Public cloud: A public cloud is one based on the standard cloud computing model, in which a
service provider makes resources, such as applications and storage, available to the general
public over the internet. This service may be free or offered on a pay-per-usage model [4].
Private cloud: A private cloud (also called internal cloud or corporate cloud) is a marketing term for
a proprietary computing architecture that provides hosted services to a limited number of people
behind a firewall [4].
Community cloud: A community cloud may be established where several organizations have
similar requirements and seek to share infrastructure so as to realize some of the benefits of cloud
computing [4].
Hybrid cloud: A hybrid cloud is a cloud computing environment in which an organization provides
and manages some resources in-house and has others provided externally. For example, an
organization might use a public cloud service, such as Amazon Simple Storage Service (Amazon S3),
for archived data but continue to maintain in-house storage for operational customer data [4].
4. Cloud computing entities [2]
Cloud provider: includes ISPs, telecommunication companies and large business process
outsourcers that provide either the media (internet connections) or infrastructure (hosted data
centers) that enable customers to access cloud services.
Cloud service broker: includes technology consultants, business professional service organizations,
registered brokers and agents that help guide consumers in the selection of cloud computing
solutions.
Cloud reseller: resellers become an important factor in the cloud market when cloud providers
expand their business across continents.
5. Threats of Cloud Computing
While cost and ease of use are the two main benefits of cloud computing, there are some major
issues that need to be addressed when moving critical applications and sensitive data to public
and shared cloud environments. The main aspect describing the achievement of any new computing
technology is the level of security it provides, that is, whether the data located in the cloud is
protected at a level that avoids any sort of security issue. Here are some security threats that have an
impact on cloud computing:
Account or service hijacking: an attacker gains access to users’ credentials by using social
engineering and weak credentials. The attacker can then perform malicious activities such as
accessing sensitive data and manipulating data.
Data scavenging: data cannot be removed completely unless the device is destroyed, so an attacker
can recover the data.
Data leakage: this happens when data falls into the wrong hands while it is being transferred, stored or
processed.
DoS attack: in a denial-of-service attack, the attacker uses up all available resources of the
network or server, so that real users cannot access the server/network to get their services.
VM escape: it is designed to exploit the hypervisor to take control of the underlying infrastructure.
Malicious VM creation: an attacker who creates a valid account can create a VM image containing
malicious code such as a Trojan and store it in the provider repository.
Sniffing/Spoofing virtual network: a malicious VM can listen to the virtual network or even use ARP
spoofing to redirect packets to/from other VMs.
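The ARP spoofing threat in the last item can be detected on the provider side by comparing the sender fields of each ARP frame with the addresses assigned to the virtual port it arrived on. The following is an added example, not taken from the paper or its references; the log format, port names and addresses are constructed for illustration.

```python
import re

# Constructed inventory (assumption): the MAC and IP the provider assigned to each virtual port.
INVENTORY = {
    "vport1": ("52:54:00:00:00:01", "10.0.0.1"),    # gateway
    "vport2": ("52:54:00:00:00:02", "10.0.0.12"),
    "vport3": ("52:54:00:00:00:03", "10.0.0.13"),
}

# Constructed sample lines in a made-up log format; sha/spa are the ARP sender MAC and IP.
SAMPLE = """\
t=1 port=vport2 arp reply sha=52:54:00:00:00:02 spa=10.0.0.12
t=2 port=vport3 arp reply sha=52:54:00:00:00:03 spa=10.0.0.1
t=3 port=vport3 arp reply sha=52:54:00:00:00:02 spa=10.0.0.13
t=4 port=vport9 arp reply sha=52:54:00:00:00:09 spa=10.0.0.99
t=5 port=vport1 arp request sha=52:54:00:00:00:01 spa=10.0.0.1
"""

LINE = re.compile(r"t=(\d+) port=(\S+) arp (?:request|reply) sha=([0-9a-f:]{17}) spa=(\S+)$")

def inspect_arp(log, inventory):
    """Return (time, port, reason, impersonated_port) for each ARP frame that lies about its sender."""
    owner_of_ip = {ip: port for port, (_mac, ip) in inventory.items()}
    findings = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                                  # not an ARP record in this format
        t, port, sha, spa = m.groups()
        if port not in inventory:                     # frame from a port the provider never set up
            findings.append((int(t), port, "unknown-port", None))
            continue
        mac, ip = inventory[port]
        if spa != ip:                                 # claims an address assigned to another port
            findings.append((int(t), port, "ip-mismatch", owner_of_ip.get(spa)))
        elif sha != mac:                              # right IP, forged hardware address
            findings.append((int(t), port, "mac-mismatch", None))
    return findings

if __name__ == "__main__":
    for finding in inspect_arp(SAMPLE, INVENTORY):
        print(finding)
```

In the sample, the frame at t=2 is the redirect case: vport3 answers for the gateway address that belongs to vport1.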
Here are some other threats that come under cloud computing. The following threats also have a
measurable impact on cloud computing, but I have not presented a detailed description here [5].
Multi location of the service provider
Data combination and commingling
Restriction on techniques and logistics
Data transfer across the border
Cloud challenges inherited from network concept
SQL injection attacks
Cross site scripting (XSS) attacks
Man-in-the-middle (MITM) attack
Reused IP addresses
Cookie poisoning
CAPTCHA breaking
6. Countermeasures
In this section I provide a brief description of possible solutions to prevent or reduce the threats that
have an impact on cloud computing.
Identity and access management guidance: the Cloud Security Alliance (CSA) is a non-profit
organization that promotes the use of best practices in order to provide security in cloud
environments.
Dynamic credentials: an algorithm to create dynamic credentials for mobile cloud
computing systems.
Fragmentation-redundancy-scattering (FRS) technique: aims to provide intrusion tolerance and, in
consequence, secure storage.
Digital signature: proposes to secure data using a digital signature with the RSA algorithm while data is
being transferred over the internet.
Homomorphic encryption: encryption techniques can be used to secure data while it is being
transferred in and out of the cloud or stored in the provider’s premises (AES, SSL).
Web application scanner: this is a program which scans web applications through the web
front-end in order to identify security vulnerabilities.
Trusted virtual datacenter (TVDc): it groups virtual machines that have common objectives into
workloads named Trusted Virtual Domains (TVDs). TVDc provides integrity by employing a
load-time attestation mechanism to verify the integrity of the systems.
HyperSafe: an approach that provides hypervisor control-flow integrity. Its goal is to protect
type I hypervisors using two techniques: non-bypassable memory lockdown and restricted
pointer indexing.
Trusted Cloud Computing Platform (TCCP): it enables providers to offer closed-box execution
environments and allows users to determine whether the environment is secure before launching their
VMs. The TCCP has two main elements: a Trusted Virtual Machine Monitor (TVMM) and a Trusted
Coordinator (TC).
Virtual network security: proposes a virtual network framework that secures the communication
among virtual machines. This framework is based on Xen, which offers two configuration modes
for virtual networks: “Bridge” and “Routed”. The virtual network model is composed of three
layers: routing layers, firewall and shared networks, which can prevent VMs from sniffing and
spoofing.
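An illustration of the fragmentation-redundancy-scattering idea from the list above, as an added example that is not taken from the paper or its references: data is cut into fragments, each fragment is replicated, and the replicas are scattered across storage sites under keyed names, so that a lost or tampering site does not prevent recovery. It assumes the data is already encrypted; the node names, fragment size and the HMAC-based naming, placement and integrity tags are choices made for this example.

```python
import hashlib
import hmac
import secrets

def _prf(key, label, idx, extra=b""):
    """Keyed hash used for fragment names, placement and integrity tags."""
    msg = label + idx.to_bytes(4, "big") + extra
    return hmac.new(key, msg, hashlib.sha256).digest()

def scatter(data, key, nodes, size=8, copies=3):
    """Fragment `data`, then store `copies` replicas of each fragment on distinct nodes."""
    names = sorted(nodes)
    frags = [data[i:i + size] for i in range(0, len(data), size)]
    for idx, frag in enumerate(frags):
        blob = frag + _prf(key, b"tag", idx, frag)           # fragment || integrity tag
        start = int.from_bytes(_prf(key, b"place", idx)[:4], "big")
        for r in range(copies):                              # distinct while copies <= len(nodes)
            node = names[(start + r) % len(names)]
            nodes[node][_prf(key, b"name", idx).hex()] = blob
    return len(frags)

def gather(count, key, nodes):
    """Rebuild the data from any replica whose integrity tag still verifies."""
    out = []
    for idx in range(count):
        name = _prf(key, b"name", idx).hex()
        for store in nodes.values():
            blob = store.get(name, b"")
            frag, tag = blob[:-32], blob[-32:]
            if blob and hmac.compare_digest(tag, _prf(key, b"tag", idx, frag)):
                out.append(frag)
                break
        else:
            raise ValueError("fragment %d has no intact replica" % idx)
    return b"".join(out)

def demo():
    """Lose one site, corrupt every fragment on another, and still recover the data."""
    key = secrets.token_bytes(32)
    nodes = {"node%d" % i: {} for i in range(6)}             # constructed storage sites
    data = b"constructed sample record, assumed already encrypted"
    count = scatter(data, key, nodes)
    nodes["node0"].clear()                                   # site unavailable
    for name in nodes["node1"]:                              # site tampers with its fragments
        nodes["node1"][name] = b"\x00" * len(nodes["node1"][name])
    return gather(count, key, nodes) == data

if __name__ == "__main__":
    print(demo())
```

With three replicas per fragment, any two sites can fail or misbehave and at least one verifiable copy of every fragment remains.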
7. Challenges of cloud computing
The research on cloud computing is still at an early stage. Many existing issues haven’t been fully
addressed, while new challenges keep emerging from industry applications. Some of the challenging
research issues in cloud computing are given below:
Service level agreement
Cloud data management & security
Data encryption
Migration of virtual machines
Interoperability
Access controls
Energy management
Server consolidations
Reliability & availability of service
Common cloud standards
Platform management
References
[1]. Keiko Hashizume, David G Rosado, Eduardo Fernandes-Medina and Eduardo B Fernandez, “An Analysis of
security issues for cloud computing”, Journal of internet services and applications, 2013, available at:
http://www.jisajournal.com/content/pdf/1869-0238-4-5.pdf
[2]. Rabi Prasad Padhy, Manas Ranjan Patra, Suresh Chandra Satapathy, “Cloud Computing: Security Issues and
Research Challenges”, IRACST-International Journal of computer science and information technology &
security (IJCSITS), Vol.1, No.2, December 2011, available at:
http://ijcsits.org/papers/Vol1no22011/13vol1no2.pdf
[3]. Monjur Ahmed and Mohammad Ashraf Hossain, “Cloud Computing and Security Issues in the Cloud”,
International journal of network security & Its Applications (IJNSA), Vol.6, No.1, January 2014, available
at: http://airccse.org/journal/nsa/6114nsa03.pdf
[4]. Pankaj Arora, Rubal Chaudhry Waldhawan, Er.Satinder Pal Ahuja, “Cloud Computing Security Issues in
Infrastructure as a Service”, International journal of advanced research in computer science and software
Engineering, Vol.2, No.1, January 2012, available at: www.ijarcsse.com
[5]. Vahid Ashktorab, Seyed Reza Taghizadeh, “Security Threats and Countermeasures in Cloud Computing”,
International Journal of Application or Innovative in Engineering & Management (IJAIEM), Vol.1, No.2,
October 2012, available at: www.ijaiem.org
[6]. Kangchan Lee, “Security threats in Cloud computing Environment”, International Journal of Security and Its
Application, Vol.6, No.4, October 2012, available at:
http://www.sersc.org/journals/IJSIA/vol6_no4_2012/3.pdf
[7]. Amar Gonaliya, “Security in Cloud Computing”, Technical paper contest 2011/ cloud 20/20 version 3.0,
available at: http://www.emacromall.com/techpapers/Security%20in%20Cloud%20Computing.pdf
[8]. Mohammed A. AlZain, Eric Pardede, Ben Soh, James A. Thom, “Cloud Computing Security: From Single to
Multi-Clouds”, 2012 45th Hawaii International Conference on system science, available at:
http://www.computer.org/csdl/proceedings/hicss/2012/4525/00/4525f490.pdf
[9]. Cloud Security Alliance, “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1”,
December 2009, available at: https://cloudsecurityalliance.org/csaguide.pdf
[10]. Teuseef Ahmad, Mohammad Amanul Haque, Khaled Al-Nafijan, Asrar Ahmad Ansari, “Development of
Cloud Computing and Security Issues”, ISSN 2224-5758 (paper), ISSN 2224-896X (online), Vol.3, No.1, 2013,
available at: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.476.9007&rep=rep1&type=pdf
[11]. Kim-Kwang Raymond Choo, “Cloud Computing: Challenges and Future Directions”, Trends & Issues in
crime and criminal justice, No.400, Oct 2010, available at:
http://aic.gov.au/media_library/publications/tandi_pdf/tandi400.pdf
[12]. National Institute of Standards and Technology, NIST definition of cloud computing, Sept. 2011
[13]. Nash Gajic, “SAP Cloud Consideration”, available at: http://scn.sap.com/community/cloud/blog
[14]. “Cloud Computing”, available at: http://en.wikipedia.org/wiki/Cloud_computing