ISSN: 2278 – 1323 International Journal of Advanced Research in Computer Engineering & Technology, Volume 1, Issue 5, July 2012
All Rights Reserved © 2012 IJARCET

An Initial Approach to Provide Security in Cloud Network

Dr. S. Srinivasu, K.P.R. Krishna Chaitanya, K. Naresh Kumar

Dr. S. Srinivasu, CSE, Anurag Engineering College, Kodad, AP, India, 9849676303 (e-mail: email@example.com). K.P.R. Krishna Chaitanya, IT, Anurag Engineering College, Kodad, AP, India, 9491892935 (e-mail: firstname.lastname@example.org). K. Naresh Kumar, CSE, Anurag Engineering College, Kodad, AP, India, 9849777621 (e-mail: nareshk03@gmail.com).

Abstract: Cloud computing is a flexible, cost-effective and proven delivery platform for providing business or consumer IT services over the Internet. Cloud resources can be rapidly deployed and easily scaled, with all processes, applications and services provisioned "on demand" regardless of user location or device. As a result, cloud computing gives organizations the opportunity to increase their service delivery efficiencies, streamline IT management and better align IT services with dynamic business requirements. In many ways, cloud computing offers the "best of both worlds", providing solid support for core business functions along with the capacity to develop new and innovative services. Although the benefits of cloud computing are clear, so is the need to develop proper security for cloud implementations: without a security policy, the availability of a cloud service can be compromised. The policy begins with assessing the risk to the network and building a team to respond. Continuation of the policy requires implementing a cloud security [1, 5] change management practice and monitoring the network for security violations in the cloud.

Key Words: Cloud computing, Policy Management, Security Violations, Cloud Services, DHCP Servers, Cloud Controls Matrix.

I. INTRODUCTION

Cloud computing provides Internet-based services, computing, and storage for users in all markets, including financial, healthcare, and government. This new approach to computing allows users to avoid upfront hardware and software investments, gain flexibility, collaborate with others, and take advantage of the sophisticated services that cloud providers offer. However, security is a huge concern for cloud users.

Cloud services and virtualization are driving significant shifts in IT spending and deployments. Cloud services give companies the flexibility to purchase infrastructure, applications, and services from third-party providers with the goal of freeing up internal resources and recognizing cost savings. Virtualization allows maximum utilization of hardware and software, increasing cost savings as well.

BENEFITS FOR THE CLOUD COMMUNITY

With the exponential increase in data deposited in cloud environments (both public and private), research in the area of data, information, and knowledge stored and processed in the cloud is timely. Data is stored in many different forms, and processed in a myriad of methods. There is a need for an authoritative voice in making sense of the key concerns with data storage and processing techniques. There is also an urgent requirement to align current practices with governance, risk and compliance regulations.

Cloud providers have recognized the cloud security concern and are working hard to address it. In fact, cloud security is becoming a key differentiator and competitive edge between cloud providers. By applying the strongest security techniques and practices, cloud security may soon be raised far above the level that IT departments achieve using their own hardware and software. Before customers will entrust their IT needs to a cloud service, they need two things: first, assurance that the cloud infrastructure is secure and compliant, and second, visibility into their own security and compliance in the cloud or managed infrastructure. Managed service and cloud providers have the technology and support they need to address these cloud computing security concerns. That means customers can move to the cloud with confidence. It also means you, as a provider, have the opportunity for unprecedented growth and market differentiation in this highly competitive space. So it is very important to develop a cloud service that is highly secure. For that, each cloud resource center has to follow the strategy below:
· define policy management;
· perform a risk analysis on that;
· take counter action for that.

II. UPSIDES AND DOWNSIDES OF THE CLOUD

Cloud computing is being adopted at a rapid rate because it has a large number of upsides for all kinds of businesses and increases efficiency. Enterprises are reducing storage costs by using online storage solution providers. This allows the enterprise to store massive amounts of data on third-party servers. One of the major advantages is that the storage capacity is scalable and thus the enterprise only pays for the
amount of storage that it needs. Additionally, access to the data is available through any Internet connection.

Scalability and allocation of resources are the major advantages of virtualization. Virtualization allows administrators to use processing power more efficiently and share resources across hardware devices by servicing multi-tenant customers. Administrators can bring up virtual machines (VMs) and servers quickly without the overhead of ordering or provisioning new hardware. Hardware resources that are no longer required for a service or application can be reassigned quickly, and extra processing power can be consumed by other services for maximum efficiency. By leveraging all the available processing power and un-tethering the hardware from a single-server model, cost efficiencies are realized in both private and public clouds.

Though the introduction of cloud computing is by no means the first technology shift to cause major security concerns, it is a significant milestone. Until recently, most organizations have stored and managed their most critical information assets in physically separated data centers, either on their own premises or within rented cages at large hosting providers.

But these upsides are tempered with potential downsides. Minimizing the data security risks while moving and storing data was easier for organizations to control within private data centers than within the cloud. Storing data in the cloud means that data will be intermingled on shared servers. If companies leap into the cloud without considering the unintended consequences, critical corporate data like customer information and intellectual property are at increased risk.

One of the most concerning downsides is the potential loss of control over some or all of the cloud environment that houses the data. Cloud computing is often divided into three main service types: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), and each impacts data control and governance a little differently. With IaaS, the customer may have full control of the actual server configuration, granting them more risk management control over the environment and data. In PaaS, the provider manages the hardware and underlying operating system, which limits enterprise risk management capabilities on those components. With SaaS, both the platform and the infrastructure are fully managed by the cloud provider, which means that if the underlying operating system or service isn't configured properly, the data in the higher-layer application may be at risk.

There are a number of ways to protect data in the cloud. Some have already been referenced, such as access controls and monitoring. The purpose of this document is not to provide a comprehensive overview of cloud security. There are a number of excellent resources for readers that are looking for additional insight on the subject, including the Security Guidance for Critical Areas of Focus in Cloud Computing and the Cloud Controls Matrix (CCM), both available from the Cloud Security Alliance (CSA).

III. DEFINE POLICY MANAGEMENT AND PERFORM A RISK ANALYSIS ON THAT

While the public IT cloud has a silver lining for many adopters, it isn't without drawbacks, especially in regard to data protection. Once data has gone into a public cloud, data security and governance control is transferred in whole or in part to the cloud provider. Yet cloud providers are not assuming responsibility; e.g. Amazon's web services contract states "we strive to keep your content secure, but cannot guarantee that we will be successful at doing so, given the nature of the internet". When handing over the data, the enterprise forfeits all control of the security of the data, unless they protect the data beforehand.

One of the best ways to leverage the cost and efficiency benefits of the cloud and virtualization while keeping sensitive information secure is to protect the data using a security solution that delivers data-centric, file-level encryption that is portable across all computing platforms and operating systems and works within a private, public or hybrid cloud computing environment.

Nowadays, preventing security threats coming from outside the cloud is not a big deal; but what if the threat is within the organization?

Hence it is recommended to create usage policy statements that outline users' roles and responsibilities with regard to security. Create a general policy that covers all network systems in the cloud and data within the company. If any company has identified specific actions that could result in punitive or disciplinary action against an employee, these actions and how to avoid them should be clearly articulated in this document.

Low Risk: Systems, data or virtual machines in the cloud that, if compromised (data viewed by unauthorized personnel, data corrupted, or data lost), would not disrupt the business or cause legal or financial ramifications. The targeted system or data can be easily restored and does not permit further access to other systems.

Medium Risk: Systems, data or virtual machines in the cloud that, if compromised (data viewed by unauthorized personnel, data corrupted, or data lost), would cause a moderate disruption in the business, minor legal or financial ramifications, or provide further access to other systems. The targeted system or data requires a moderate effort to restore, or the restoration process is disruptive to the system.
High Risk: Systems, data or virtual machines in the cloud that, if compromised (data viewed by unauthorized personnel, data corrupted, or data lost), would cause an extreme disruption in the business, cause major legal or financial ramifications, or threaten the health and safety of a person. The targeted system or data requires significant effort to restore, or the restoration process is disruptive to the business or other systems.

Next, assign this risk level to each core network device, distribution network device, access network device and network monitoring device in the cloud. Network equipment such as switches, routers, DNS servers and DHCP servers can allow further access into the network, and is therefore either medium or high risk. It is also possible that corruption of this equipment could cause the network itself to collapse. If we do so, 80% of the problem is solved.

Once you've assigned a risk level, it's necessary to identify the types of users of that cloud environment:
Admin of that cloud: responsible for internal users and network resources.
Internal users: it helps to provide limitation for local users while accessing cloud services.
Outside partners: external users with a need to access some resources.

System | Description | Risk Level | Types of Users
ATM switches | Core network device | High | Administrators for device configuration (support staff only); all others for use as a transport
Network routers | Distribution network device | High | Administrators for device configuration (support staff only); all others for use as a transport
ISDN or dial-up servers | Access network device | Medium | Administrators for device configuration (support staff only); partners and privileged users for special access
Firewall | Access network device | High | Administrators for device configuration (support staff only); all others for use as a transport
DNS and DHCP servers | Network applications | Medium | Administrators for configuration; general and privileged users for use
External e-mail server | Network application | Low | Administrators for configuration; all others for mail transport between the Internet and the internal mail server
Internal e-mail server | Network application | Medium | Administrators for configuration; all other internal users for use
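The classification above can be made mechanical. The following Python is an added illustration and not code from the paper: it encodes the Low/Medium/High criteria, the rule that network equipment able to grant further access is never below medium risk, and the monitoring cadence the paper recommends under Security Violations (low-risk weekly, medium-risk daily, high-risk hourly), then reports which devices in a constructed inventory are overdue for a check. The Asset fields, device names and last-check times are assumptions made for this example.

```python
"""Risk classification and monitoring schedule for cloud network assets.

Added example (not the paper's code): the Low/Medium/High criteria and the
weekly/daily/hourly monitoring cadence come from the paper; the attribute
names, sample assets and last-check times are constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Paper's monitoring policy: low weekly, medium daily, high hourly.
MONITOR_INTERVAL_HOURS = {Risk.LOW: 24 * 7, Risk.MEDIUM: 24, Risk.HIGH: 1}


@dataclass(frozen=True)
class Asset:
    """Impact of a compromise (data viewed, corrupted or lost), per the paper's criteria."""
    name: str
    disruption: str              # business disruption: "none", "moderate" or "extreme"
    legal_financial: str         # legal/financial ramifications: "none", "minor" or "major"
    safety_impact: bool          # could threaten the health or safety of a person
    grants_further_access: bool  # compromise permits access to other systems
    restore_effort: str          # "easy", "moderate" or "significant"
    network_equipment: bool = False  # switch, router, firewall, DNS or DHCP server


def classify(asset: Asset) -> Risk:
    """Map the impact criteria to a risk level; the most severe matching rule wins."""
    if (asset.disruption == "extreme" or asset.legal_financial == "major"
            or asset.safety_impact or asset.restore_effort == "significant"):
        level = Risk.HIGH
    elif (asset.disruption == "moderate" or asset.legal_financial == "minor"
          or asset.grants_further_access or asset.restore_effort == "moderate"):
        level = Risk.MEDIUM
    else:
        level = Risk.LOW
    # Network equipment can allow further access into the network, so the
    # paper treats it as medium or high risk regardless of other attributes.
    if asset.network_equipment:
        level = max(level, Risk.MEDIUM)
    return level


def monitoring_schedule(assets):
    """Return {asset name: (risk level, required monitoring interval in hours)}."""
    return {a.name: (classify(a), MONITOR_INTERVAL_HOURS[classify(a)]) for a in assets}


def overdue(schedule, hours_since_last_check):
    """Names of assets whose last check is older than their interval (never checked counts as overdue)."""
    return sorted(name for name, (_, interval) in schedule.items()
                  if hours_since_last_check.get(name, float("inf")) > interval)


# Constructed sample inventory modelled on the paper's device table.
SAMPLE_ASSETS = [
    Asset("core-switch-1", "extreme", "major", False, True, "significant", network_equipment=True),
    Asset("dhcp-server-1", "moderate", "none", False, True, "moderate", network_equipment=True),
    Asset("lab-switch", "none", "none", False, False, "easy", network_equipment=True),
    Asset("external-mail-relay", "none", "none", False, False, "easy"),
    Asset("internal-mail-server", "moderate", "minor", False, False, "moderate"),
    Asset("dev-test-vm", "none", "none", False, False, "easy"),
]

# Constructed "hours since last monitored" figures for the sample inventory.
SAMPLE_LAST_CHECK = {"core-switch-1": 3, "dhcp-server-1": 20, "lab-switch": 10,
                     "external-mail-relay": 100, "internal-mail-server": 30, "dev-test-vm": 200}

if __name__ == "__main__":
    schedule = monitoring_schedule(SAMPLE_ASSETS)
    for name, (risk, hours) in schedule.items():
        print(f"{name:22} {risk.name:7} monitor every {hours} h")
    print("overdue:", overdue(schedule, SAMPLE_LAST_CHECK))
```

The floor rule shows in the `lab-switch` entry: its impact attributes alone would make it low risk, but because it is network equipment it is held at medium and therefore monitored daily rather than weekly.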
Taking Counter Action (Responding to Risk)

IV. APPROVING SECURITY CHANGES

Security changes are defined as changes to network equipment that have a possible impact on the overall security of the cloud service. The security policy should identify specific security configuration requirements in non-technical terms. In other words, instead of defining a requirement as "No outside source FTP connections will be permitted through the firewall", define the requirement as "Outside connections should not be able to retrieve files from the inside network". The admin will need to define a unique set of requirements for that organization.

The security team should review the list of plain-language requirements to identify specific network configuration or design issues that meet the requirements. Once the team has created the required network configuration changes to implement the security policy, you can apply these to any future configuration changes. While it's possible for the security team to review all changes, this process allows them to review only changes that pose enough risk to warrant special treatment.
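One way to make the plain-language review repeatable, as an added example that is not the paper's code: the requirement quoted above ("Outside connections should not be able to retrieve files from the inside network") is expressed as a predicate over proposed firewall rules, and each change request is routed to automatic approval, security-team review or rejection, so the team reviews only changes that carry enough risk. The rule and change structures, the set of file-retrieval ports and the sample change requests are constructed for this example.

```python
"""Screening proposed network changes against a plain-language security requirement.

Added example (not the paper's code): the requirement "outside connections
should not be able to retrieve files from the inside network" is taken from
the paper; the rule format, port list, risk labels and sample changes are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Tuple

# Ports used by file-retrieval protocols (FTP data/control, TFTP, SMB, NFS).
# Which ports count as "file retrieval" is an assumption of this example.
FILE_RETRIEVAL_PORTS = {20, 21, 69, 445, 2049}


@dataclass(frozen=True)
class FirewallRule:
    action: str     # "permit" or "deny"
    src_zone: str   # "outside" (Internet) or "inside" (internal network)
    dst_zone: str
    dst_port: int


@dataclass(frozen=True)
class Change:
    change_id: str
    device: str
    device_risk: str                     # "low", "medium" or "high", from the risk analysis
    add_rules: Tuple[FirewallRule, ...]  # rules the change would add


def violates_file_retrieval_requirement(rule: FirewallRule) -> bool:
    """Technical rendering of the paper's non-technical requirement."""
    return (rule.action == "permit" and rule.src_zone == "outside"
            and rule.dst_zone == "inside" and rule.dst_port in FILE_RETRIEVAL_PORTS)


def review_decision(change: Change):
    """Return (outcome, reasons); only risky changes reach the security team."""
    violations = [f"permits outside->inside file retrieval on port {r.dst_port}"
                  for r in change.add_rules if violates_file_retrieval_requirement(r)]
    if violations:
        return "violates-policy", violations
    if change.device_risk == "high":
        return "security-review", ["touches a high-risk device"]
    if any(r.action == "permit" and r.src_zone == "outside" for r in change.add_rules):
        return "security-review", ["opens a new inbound path from outside"]
    return "auto-approve", []


def screen(changes):
    """Return {change id: outcome} for a batch of proposed changes."""
    return {c.change_id: review_decision(c)[0] for c in changes}


# Constructed sample change requests.
SAMPLE_CHANGES = [
    Change("CH-1", "edge-firewall", "high",
           (FirewallRule("deny", "outside", "inside", 21),)),
    Change("CH-2", "dmz-firewall", "medium",
           (FirewallRule("permit", "outside", "inside", 21),)),
    Change("CH-3", "branch-router", "low",
           (FirewallRule("permit", "inside", "outside", 443),)),
    Change("CH-4", "web-firewall", "medium",
           (FirewallRule("permit", "outside", "inside", 443),)),
]

if __name__ == "__main__":
    for c in SAMPLE_CHANGES:
        outcome, reasons = review_decision(c)
        print(c.change_id, c.device, outcome, "; ".join(reasons))
```

Note that CH-1 tightens the firewall yet still goes to the security team, because the paper's risk analysis rates the device itself as high risk; the requirement check and the device risk level are independent triggers.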
Security Violations

When a violation is detected, the ability to protect network equipment, determine the extent of the intrusion, and recover normal operations depends on quick decisions. Having these decisions made ahead of time makes responding to an intrusion much more manageable. The first action following the detection of an intrusion is the notification of the security team. Without a procedure in place, there will be considerable delay in getting the correct people to apply the correct response. Define a procedure in your security policy that is available 24 hours a day, 7 days a week. Next you should define the level of authority given to the security team to make changes, and in what order the changes should be made. Possible corrective actions are:
· implementing changes to prevent further access to the violation;
· isolating the violated systems;
· contacting the carrier or ISP in an attempt to trace the attack.

There are two reasons for collecting and maintaining information during a security attack: to determine the extent to which systems have been compromised by a security attack, and to prosecute external violations. The type of information and the manner in which you collect it differ according to your goal.

To determine the extent of the violation, do the following:
1. Record the event by obtaining sniffer traces of the network, copies of log files, active user accounts, and network connections.
2. Limit further compromise by disabling accounts, disconnecting network equipment from the network, and disconnecting from the Internet.
3. Back up the compromised system to aid in a detailed analysis of the damage and method of attack. Look for other signs of compromise. Often, when a system is compromised, there are other systems or accounts involved.
4. Maintain and review security device log files and network monitoring log files, as they often provide clues to the method of attack.

Following this example, create a monitoring policy for each area identified in your risk analysis. We recommend monitoring low-risk equipment weekly, medium-risk equipment daily and high-risk equipment hourly. If you require more rapid detection, monitor on a shorter time frame.

Lastly, your security policy should address how to notify the security team of security violations. Often, your network monitoring software will be the first to detect the violation. It should trigger a notification to the operations center, which in turn should notify the security team, using a pager if necessary.

To resolve this problem we can use RSA Adaptive Authentication as a solution. RSA Adaptive Authentication is a comprehensive authentication and risk management platform providing cost-effective protection for an entire user base. Adaptive Authentication monitors and authenticates user activities based on risk levels, institutional policies and customer segmentation, and can be implemented with most existing authentication methods, including:
Invisible authentication: device identification and profiling.
Out-of-band authentication: phone call, SMS or e-mail.
Challenge questions: question- or knowledge-based authentication.
Multi-credential framework: for those organizations wanting more choices, Adaptive Authentication is designed to easily integrate with a large selection of other authentication methods. The Multi-credential Framework allows organizations to develop authentication methods via RSA Professional Services, "in-house" or through third parties, to customize Adaptive Authentication.
Site-to-user authentication: assuring users that they are transacting with a legitimate website by displaying a personal security image and caption that has been pre-selected by the user at login.

V. CONCLUSION

A cloud is an attractive infrastructure solution for web applications since it enables web applications to dynamically adjust their infrastructure capacity on demand. Hence, along with services, it is important to concentrate on security also. Policy management may solve the security problem, but it will not give a 100% alternative for the security problems in cloud services. Hence we have to check alternatives every time, because security problems in cloud computing do not have permanent solutions.
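The adaptive authentication approach described under Security Violations can be illustrated with an added Python example; it is not RSA's product code and does not reproduce its scoring. A login attempt is scored from device identification, location, transaction value and customer segment, and the score selects one of the methods the paper lists (invisible, challenge questions, out-of-band). The weights, thresholds, profile fields and sample logins are assumptions made for this example.

```python
"""Risk-based step-up authentication, in the spirit of the adaptive
authentication approach the paper describes.

Added example, not RSA Adaptive Authentication's code: a login is scored
from device identification, location, transaction value and customer
segment, and the score selects the authentication method. Weights,
thresholds, the profile fields and the sample logins are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_fingerprint: str   # result of device identification/profiling
    source_country: str
    transaction_value: float
    segment: str              # customer segmentation: "retail" or "corporate"


@dataclass(frozen=True)
class UserProfile:
    known_devices: frozenset
    home_country: str
    high_value_threshold: float = 1000.0   # institutional policy value (assumed)


def risk_score(attempt: LoginAttempt, profile: UserProfile) -> int:
    """Add up weighted risk signals into a 0..100 score (weights are assumptions)."""
    score = 0
    if attempt.device_fingerprint not in profile.known_devices:
        score += 40   # unrecognised device is the strongest single signal
    if attempt.source_country != profile.home_country:
        score += 30
    if attempt.transaction_value >= profile.high_value_threshold:
        score += 20
    if attempt.segment == "corporate":
        score += 10   # institutional policy: corporate accounts get stricter treatment
    return min(score, 100)


def choose_method(score: int) -> str:
    """Map the score to one of the paper's methods; thresholds are assumptions."""
    if score < 30:
        return "invisible"            # device identification alone suffices
    if score < 60:
        return "challenge-questions"  # knowledge-based step-up
    return "out-of-band"              # phone call, SMS or e-mail: strongest step-up here


def authenticate(attempt: LoginAttempt, profile: UserProfile) -> dict:
    """Decision record an operations team could log alongside the login."""
    score = risk_score(attempt, profile)
    return {"user": attempt.user, "score": score, "method": choose_method(score)}


# Constructed profile and login attempts.
PROFILE = UserProfile(known_devices=frozenset({"fp-home-laptop"}), home_country="IN")
SAMPLE_LOGINS = [
    LoginAttempt("alice", "fp-home-laptop", "IN", 50.0, "retail"),
    LoginAttempt("alice", "fp-unknown-1", "IN", 50.0, "retail"),
    LoginAttempt("alice", "fp-home-laptop", "US", 2000.0, "retail"),
    LoginAttempt("alice", "fp-unknown-2", "US", 5000.0, "corporate"),
]

if __name__ == "__main__":
    for attempt in SAMPLE_LOGINS:
        print(authenticate(attempt, PROFILE))
```

The point of returning a decision record rather than a bare boolean is that the score and chosen method can be written to the monitoring logs the paper asks the security team to review, so a burst of high-score logins becomes visible as a violation indicator rather than a silent series of step-up prompts.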
REFERENCES

1. https://cloudsecurityalliance.org/
2. AT&T Cloud Services: https://www.synaptic.att.com/clouduser/compute_overview.htm
3. DHCP Server: http://technet.microsoft.com/en-us/windowsserver/dd448608.aspx
4. Cloud Resource Center: http://www.deitel.com/ResourceCenters/Programming/CloudComputing/tabid/3057/Default.aspx
5. NIST Cloud Reference and Architecture: http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/ReferenceArchitectureTaxonomy
6. Virtual Machines: Virtualization vs. Emulation: http://www.griffincaprio.com/blog/2006/08/virtual-machines-virtualization-vs-emulation.html
7. Operating System: http://www.computerhope.com/os.htm
8. https://cloudsecurityalliance.org/research/ccm/ (Cloud Control Matrix)

Author Profiles

Dr. S. Srinivasu received a Ph.D (Computer Science Engineering) from the University of Allahabad and a Master of Technology from Mahatma Gandhi Kashi Vidyapeet, Varanasi, U.P. His research interests include Network Security and Cryptography (Security). He is currently working as a Professor in the department of Computer Science and Engineering in Anurag Engineering College, Kodad. He is a life member of ISTE and a member of CSI.

K.P.R. Krishna Chaitanya received a Master of Technology (Computer Science & Engineering) from Jawaharlal Nehru Technological University (JNTUH). His research interests include Information Security, Cloud Computing and Grid Computing. He is presently working as an Assistant Professor in the department of IT in Anurag Engineering College (AEC), Ananthagiri(V), Kodad(M), Nalgonda(Dt.), Andhra Pradesh, India. He is a professional member of ACM.

K. Naresh Kumar received a Master of Computer Applications (MCA) from Osmania University and a Master of Technology (Computer Science & Engineering) from Jawaharlal Nehru Technological University (JNTUH). His research interests include Information Security, Web Services, Cloud Computing and Mobile Computing. He is presently working as an Associate Professor in the department of CSE in Anurag Engineering College (AEC), Ananthagiri(V), Kodad(M), Nalgonda(Dt.), Andhra Pradesh, India.