Security in Cloud Computing




A
DISSERTATION REPORT ON

                     Security in
                  Cloud Computing




Indus Institute of Technology & Engineering   Page 1




               SECURITY IN CLOUD COMPUTING



                                     By

                          Dhaval Dave
                         (08MCA008)
      M.C.A, Indus Institute of Technology & Engineering,
                   Gujarat University, 2011




                         A Dissertation
   Submitted in Partial Fulfilment of the Requirements for the
                            degree of
                Master of Computer Application
                               In
                       Computer Science.




                        Department of MCA,
           Indus Institute of Technology & Engineering,
                            January 2011






ACKNOWLEDGEMENT

       Thanks to my Prof. Vrutik Shah who thoroughly introduced me to research.
He was always anxious to provide me with a study environment suitable for developing
myself and always there to keep me on the right track.


       And, infinite thanks to Prof. H.K. Desai, Head of Department of I.I.T.E., and all
my professors, who never had any doubts that I would succeed.


       Also thanks to the colleagues for allowing me to feel at home at College
Campus due to the excellent educational culture.


       Further thanks to my parents who always gave me support that allowed me to
pursue my self-fulfillment. I acknowledge all the help I have received from so many
people in accomplishing this project and wish to thank them.




                                                    Acknowledged By:-
                                                    Dhaval Dave






PREFACE


       “Security in Cloud Computing” was taken by us in Dissertation in our
Semester-V as our project for the partial fulfilment of MCA.


       It is a matter of pleasure for me to submit this documentation of the dissertation
work done during Semester-V of MCA.




                                                            By:-
                                                            Dhaval Dave








Table of Contents
   1. Introduction of Cloud Computing
       1.1 Abstract
       1.2 Introduction
       1.3 Cloud Evolution
       1.4 Comparison
   2. What is Cloud Computing
       2.1 Cloud Architecture
       2.2 Cloud Components
           2.2.1 Clients
           2.2.2 DataCenter
           2.2.3 Distributed Servers
   3. Cloud Computing Deployment Models
       3.1 Public Clouds
       3.2 Private Clouds
       3.3 Hybrid Clouds
       3.4 Community Clouds
   4. Cloud Computing Service Model
       4.1 Software as a Service (SaaS)
       4.2 Platform as a Service (PaaS)
       4.3 Infrastructure as a Service (IaaS)
       4.4 Anything as a Service (XaaS)
       4.5 Virtualization & Private Clouds
   5. Advantages of Clouds
   6. Cloud Computing Reference Model
   7. Security for Cloud Computing
       7.1 Defining Security in Cloud
       7.2 Security Issues and Challenges
       7.3 Security Advantages in Cloud Environment
       7.4 Security Disadvantages in Cloud Environment
       7.5 Security Issues in Virtualization
       7.6 Survey of Cloud Computing
       7.7 Traditional Datacenter Security
   8. Virtualization - The Catalyst of the Cloud
       8.1 Confidentiality
       8.2 Integrity
       8.3 Authentication
       8.4 Availability
       8.5 Accountability
       8.6 Assurance
       8.7 Resilience
   9. Cloud Computing Security Issues
   10. Cloud Security Challenges
       10.1 Administrative Access to Servers Applications
       10.2 Dynamic Virtual Machines : VM State and Sprawl
       10.3 Vulnerability Exploits and VM to VM Attacks
       10.4 Encryption and Data Protection
       10.5 Policy and Compliance
       10.6 Patch Management
       10.7 Perimeter Protection and Zoning
       10.8 Rogue Corporate Resources
   11. Data Protection, Identity Management, Security
       11.1 Data Protection
       11.2 Identity Management
       11.3 Physical and Personnel Security
   12. Availability
   13. Application Securities, User Centric Access Control, Transparency
       13.1 Application Securities
       13.2 Centric Access Control
       13.3 Transparency
   14. New Opportunities
   15. Conclusions
   16. Vulnerabilities
   17. References
   18. Appendices






List of Figures
Figure 1:- Cloud Computing
Figure 2:- Cloud Architecture
Figure 3:- Cloud Components
Figure 4:- Public Cloud Model
Figure 5:- Private Cloud Model
Figure 6:- Hybrid Cloud Model
Figure 7:- Cloud Computing Reference Model
Figure 8:- Security Architecture Design




List of Tables

Table 1:- Cloud Computing Service Model
Table 2:- Major Cloud Service Providers
Table 3:- Summary of Security Mechanisms by Major Clouds Service Providers






1. Introduction of Cloud Computing

       According to Gartner’s Hype Cycle Special Report for 2009, “technologies at
the ‘Peak of Inflated Expectations’ during 2009 include cloud computing, e-books…
and Internet TV, while social software and micro blogging sites…have tipped over the
peak and will soon experience disillusionment among enterprise users”. Is cloud
computing also heading for the trough of disillusionment?

       The Internet is often represented as a cloud and the term “cloud computing”
arises from that analogy. Accenture defines cloud computing as the dynamic
provisioning of IT capabilities (hardware, software, or services) from third parties over
a network. McKinsey says that clouds are hardware-based services offering compute,
network and storage capacity where: hardware management is highly abstracted from
the buyer; buyers incur infrastructure costs as variable OPEX [operating expenditures];
and infrastructure capacity is highly elastic (up or down). The cloud model differs from
traditional outsourcing in that customers do not hand over their own IT resources to be
managed. Instead they plug into the cloud, treating it as they would an internal data
center or computer providing the same functions.


       Large companies can afford to build and expand their own data centers but
small- to medium-sized enterprises often choose to house their IT infrastructure in
someone else’s facility. A collocation center is a type of data center where multiple
customers locate network, server and storage assets, and interconnect to a variety of
telecommunications and other network service providers with a minimum of cost and
complexity.






1.1 Abstract


       The Cloud Computing concept offers dynamically scalable resources
provisioned as a service over the Internet. Economic benefits are the main driver for the
Cloud, since it promises the reduction of capital expenditure and operational
expenditure. Organizations are increasingly looking to cloud computing to improve
operational efficiency and help with the bottom line. Cloud computing gets its name
from the drawings typically used to describe the Internet. Cloud computing comes in
many forms: Software-as-a-Service (SaaS) providers like salesforce.com,
Platform-as-a-Service (PaaS) like Amazon's, Infrastructure-as-a-Service (IaaS),
Software-plus-Service (SpS), and Web services that offer application programming
interfaces (APIs) that enable developers to exploit functionality over the Internet.
Increasingly, businesses of all sizes are choosing to migrate their data, applications and
services to the cloud. The advantages are clear: increased availability, lightweight,
easily accessible applications, and lower maintenance and administrative costs. But
security and privacy concerns present a strong barrier to entry. For cloud computing to
realise its full potential and become a mainstream member of the IT portfolio and
choices, many challenges related to privacy and security must be tackled. This
dissertation is concerned with discovery of the vulnerabilities in the landscape of clouds,
discovery of security solutions, and finding evidence that early adopters or developers
have grown more concerned with security.






1.2 Introduction


       We are entering into a new era of computing, and it's all about the “cloud”.
This immediately brings up several important questions, which deserve thoughtful
answers: “What is cloud computing?” “Is it real, or just another buzzword?” And most
important, “How does it affect me?”


       Cloud computing is the dynamic provisioning of IT capabilities (hardware,
software, or services) from third parties over a network. The term cloud computing
refers to the delivery of scalable IT resources over the Internet, as opposed to hosting
and operating those resources locally, such as on a college or university network. Those
resources can include applications and services, as well as the infrastructure on which
they operate. By deploying IT infrastructure and services over the network, an
organization can purchase these resources on an as-needed basis and avoid the capital
costs of software and hardware.


       The coming shift to cloud computing is a major change in our industry. One of
the most important parts of that shift is the advent (the coming or arrival, especially of
something extremely important) of cloud platforms. As its name suggests, this kind of
platform lets developers write applications that run in the cloud, or use services
provided from the cloud, or both. Different names are used for this kind of platform
today, including on-demand platform and platform as a service (PaaS). Whatever it’s
called, this new way of supporting applications has great potential.


       To see why, think about how application platforms are used today. When a
development team creates an on-premises application (i.e., one that will run within an
organization), much of what that application needs already exists. An operating system
provides basic support for executing the application, interacting with storage, and
more, while other computers in the environment offer services such as remote storage.
If the creators of every on-premises application first had to build all of these basics,
we’d have many fewer applications today.






       The cloud is growing at a time when climate change and reducing emissions
from energy use is of paramount concern. With the growth of the cloud, however,
comes an increasing demand for energy. For all of this content to be delivered to us in
real time, virtual mountains of video, pictures and other data must be stored somewhere
and be available for almost instantaneous access. That ‘somewhere’ is data centres -
massive storage facilities that consume incredible amounts of energy.


1.3 Cloud Evolution

       The evolution of cloud computing can be traced to grid computing. The concept
of “The Grid” exploded in popularity when “The Grid: Blueprint for a new Computing
Infrastructure” by Ian Foster and Carl Kesselman was published in 1998. The basis of
the grid is the electric utility grid that provides electric power to your home and
business. Using the same concept, hardware and software would be provided from the
grid on-demand much like electricity to run lights and everything else that plugs into
the wall. What is interesting is that many of the same issues that plagued the grid also
plague cloud computing. Defining the grid, vendor lock-in, and forming standards were
just some of the issues. Cloud computing expands upon the grid, but still suffers from
some of the same issues.


       From the provider's view, the main focus of cloud computing is extraneous
hardware connected to support downtime on any device in the network, without a
change in the users' perspective. Also, the users' software image should be easily
transferable from one cloud to another. It proposes that a layering mechanism should
occur between the front-end software, middle-ware networking and back-end servers
and storage, so that each part can be designed, implemented, tested and run independently
of subsequent layers. with its development challenges and industry research efforts.
It describes cloud computing security problems and benefits and showcases a model of
secure architecture for cloud computing implementation.






       Critics argue that cloud computing is not secure enough because data leaves
companies' local area networks. It is up to the clients to decide the vendors, depending
on how willing they are to implement secure policies and be subject to 3rd party
verifications. Salesforce, Amazon and Google are currently providing such services,
charging clients using an on-demand policy.


       Increasingly, businesses of all sizes are choosing to migrate their data,
applications and services to the cloud. The advantages are clear: increased availability,
lightweight, easily accessible applications, and lower maintenance and administrative
costs. But so too are the risks.


       The possible benefits of adopting cloud computing models have recently been
well documented in the literature and are therefore not reproduced here.
However, for cloud computing to realise its full potential and become a mainstream
member of the IT portfolio and choices, many challenges must be tackled relating
to privacy and security and the associated regulatory compliance, vendor lock-in and
standards, interoperability, latency, performance and reliability.






1.4 Comparisons


Cloud computing can be confused with:


1. Grid computing — "a form of distributed computing and parallel computing,
whereby a 'super and virtual computer' is composed of a cluster of networked, loosely
coupled computers acting in concert to perform very large tasks"
2. Utility computing — the "packaging of computing resources, such as computation
and storage, as a metered service similar to a traditional public utility, such as
electricity";
3. Autonomic computing — "computer systems capable of self-management".






2.0 What is Cloud Computing?

       As we said previously, the term the cloud is often used as a metaphor for the
Internet and has become a familiar cliché. However, when “the cloud” is combined
with “computing,” it causes a lot of confusion. To define the term using a very broad
sense, they contend that anything beyond the firewall perimeter is in the cloud. A more
tempered view of cloud computing considers it the delivery of computational resources
from a location other than the one from which you are computing.


       Cloud computing is about moving services, computation and/or data (for cost
and business advantage) off-site to an internal or external, location-transparent,
centralized facility or contractor. By making data available in the cloud, it can be more
easily and ubiquitously accessed, often at much lower cost, increasing its value by
enabling opportunities for enhanced collaboration, integration, and analysis on a shared
common platform.


       Cloud computing models that encompass a subscription-based or pay-per-use
paradigm provide a service that can be used over the Internet and extends an IT shop’s
existing capabilities. Many users have found that this approach provides a return on
investment that IT managers are more than willing to accept.




Figure 1 :- Cloud Computing



2.1 Cloud Architecture

       In Cloud architecture, the systems architecture (a system architecture or
systems architecture is the conceptual model that defines the structure, behaviour, and
more views of a system; an architecture description is a formal description and
representation of a system) of the software systems (the term software system is often
used as a synonym of computer program or software) involved in the delivery of cloud
computing typically involves multiple cloud components communicating with each
other over application programming interfaces, usually web services. This resembles
the Unix philosophy of having multiple programs each doing one thing well and
working together over universal interfaces. Complexity is controlled and the resulting
systems are more manageable than their monolithic counterparts.




Figure 2 :- Cloud Architecture




2.2 Cloud Components




Figure 3 :- Cloud Components


       A cloud computing solution is made up of several elements: clients, the
datacentre, and distributed servers. As shown in the figure above, these components
make up the three parts of a cloud computing solution.


       Each element has a purpose and plays a specific role in delivering a functional
cloud-based application, so let’s take a closer look.






2.2.1 Clients


           Clients are, in a cloud computing architecture, the exact same things that they
are in a local area network (LAN). They are, typically, the computers that just sit on
your desk. But they might also be laptops, tablet computers, mobile phones, or PDAs
(Personal digital assistant or Palmtop Computer)—all big drivers for cloud computing
because of their mobility. Anyway, clients are the devices that the end users interact
with to manage their information on the cloud. Clients generally fall into three
categories:


• Mobile - Mobile devices include PDAs or smartphones, like a Blackberry, Windows
Mobile Smartphone or an iPhone.
• Thin - Thin clients are computers that do not have internal hard drives, but rather let
the servers do all the work and then display the information.
• Thick - This type of client is a regular computer, using a web browser like Firefox
or Internet Explorer to connect to the cloud.

Thin clients are becoming an increasingly popular solution because of their price and
effect on the environment. Some benefits of using thin clients include:

• Lower hardware costs - Thin clients are cheaper than thick clients because they do not
contain as much hardware. They also last longer before they need to be upgraded or
become obsolete.
• Lower IT costs - Thin clients are managed at the server and there are fewer points of
failure.
• Security - Since the processing takes place on the server and there is no hard drive,
there’s less chance of malware invading the device. Also, since thin clients don’t work
without a server, there’s less chance of them being physically stolen.
• Data security - Since data is stored on the server, there’s less chance for data to be lost
if the client computer crashes or is stolen.






2.2.2 Datacenter


         The datacenter is the collection of servers where the application to which you
subscribe is housed. It could be a large room in the basement of your building or a
room full of servers on the other side of the world that you access via the Internet.
A growing trend in the IT world is virtualizing servers. That is, software can be installed
allowing multiple instances of virtual servers to be used. In this way, you can have half
a dozen virtual servers running on one physical server.


The number of virtual servers that can exist on a physical server depends on the
size and speed of the physical server and what applications will be running on the
virtual server.


2.2.3 Distributed Servers


         In Distributed Servers, the servers don’t all have to be housed in the same
location. Often, servers are in geographically disparate locations. But to you, the cloud
subscriber, these servers act as if they’re humming away right next to each other.
This gives the service provider more flexibility in options and security. For instance,
Amazon has their cloud solution in servers all over the world. If something were to
happen at one site, causing a failure, the service would still be accessed through
another site. Also, if the cloud needs more hardware, they need not throw more servers
in the safe room—they can add them at another site and simply make it part of the
cloud.






3.0 Cloud Computing Deployment models


   Cloud computing architects provide three basic service models:
   • Public cloud
   • Private cloud
   • Hybrid cloud
   • Community cloud


   IT organizations can choose to deploy applications on public, private, or hybrid
clouds, each of which has its trade-offs. The terms public, private, and hybrid do not
dictate location. While public clouds are typically “out there” on the Internet and
private clouds are typically located on premises, a private cloud might be hosted at a
collocation (to share or designate to share the same place) facility as well.


   There are a number of considerations with regard to which cloud computing model they
choose to employ, and they might use more than one model to solve different
problems. An application needed on a temporary basis might be best suited for
deployment in a public cloud because it helps to avoid the need to purchase additional
equipment to solve a temporary need. Likewise, a permanent application, or one that
has specific requirements on quality of service or location of data, might best be
deployed in a private or hybrid cloud.


3.1 Public clouds


       Public clouds are run by third parties, and applications from different
customers are likely to be mixed together on the cloud’s servers, storage systems, and
networks. Public clouds are most often hosted away from customer premises, and they
provide a way to reduce customer risk and cost by providing a flexible, even temporary
extension to enterprise infrastructure.






       If a public cloud is implemented with performance, security, and data locality
in mind, the existence of other applications running in the cloud should be transparent
to both cloud architects and end users.


       Portions of a public cloud can be carved out for the exclusive use of a single
client, creating a virtual private datacenter. Rather than being limited to deploying
virtual machine images in a public cloud, a virtual private datacenter gives customers
greater visibility into its infrastructure. Now customers can manipulate not just virtual
machine images, but also servers, storage systems, network devices, and network
topology.




Figure 4: - Public Cloud Model



3.2 Private clouds


        Private clouds are built for the exclusive use of one client, providing the utmost
control over data, security, and quality of service. The company owns the
infrastructure and has control over how applications are deployed on it. Private clouds
may be deployed in an enterprise datacenter, and they also may be deployed
at a collocation facility.


        Private clouds can be built and managed by a company’s own IT organization
or by a cloud provider. In this “hosted private” model, a company such as Sun can
install, configure, and operate the infrastructure to support a private cloud within a
company’s enterprise datacenter. This model gives companies a high level of control
over the use of cloud resources while bringing in the expertise needed to establish and
operate the environment.




Figure 5: - Private Cloud Model



3.3 Hybrid clouds


       Hybrid clouds combine both public and private cloud models. They can help to
provide on-demand, externally provisioned scale. The ability to augment a private
cloud with the resources of a public cloud can be used to maintain service levels in the
face of rapid workload fluctuations. This is most often seen with the use of storage
clouds to support Web 2.0 applications. A hybrid cloud also can be used to handle
planned workload spikes. Sometimes called “surge computing,” a public cloud can be
used to perform periodic tasks that can be deployed easily on a public cloud.


       Hybrid clouds introduce the complexity of determining how to distribute
applications across both a public and private cloud. Among the issues that need to be
considered is the relationship between data and processing resources. If the data is
small, or the application is stateless, a hybrid cloud can be much more successful than
if large amounts of data must be transferred into a public cloud for a small amount of
processing.




Figure 6:- Hybrid Cloud Model


3.4 Community clouds


       In Community Cloud the cloud infrastructure is shared by several
organizations and supports a specific community that has shared concerns (e.g.,
mission, security requirements, policy, or compliance considerations). It may be
managed by the organizations or a third party and may exist on-premises or
off-premises.






4.0 Cloud computing Service Model

       In practice, cloud service providers tend to offer services that can be grouped
into three categories: software as a service, platform as a service, and infrastructure as
a service. These categories group together the various layers with some overlap.


Table 1: - Cloud Computing Service Model






4.1 Software as a service (SaaS)


       Software as a service features a complete application offered as a service on
demand. A single instance of the software runs on the cloud and services multiple end
users or client organizations.


       The most widely known example of SaaS is salesforce.com, though many other
examples have come to market, including the Google Apps offering of basic business
services including email and word processing.


       Although salesforce.com preceded the definition of cloud computing by a few
years, it now operates by leveraging its companion force.com, which can be defined as
a platform as a service.


4.2 Platform as a service (PaaS)


       Platform as a service encapsulates a layer of software and provides it as a
service that can be used to build higher-level services. There are at least two
perspectives on PaaS depending on the perspective of the producer or consumer of the
services:


• Someone producing PaaS might produce a platform by integrating an OS,
middleware, application software, and even a development environment that is then
provided to a customer as a service. For example, someone developing a PaaS offering
might base it on a set of Sun™ xVM hypervisor virtual machines that include a
NetBeans™ integrated development environment, a Sun GlassFish™ Web stack and
support for additional programming languages such as Perl or Ruby.
• Someone using PaaS would see an encapsulated service that is presented to them
through an API. The customer interacts with the platform through the API, and the
platform does what is necessary to manage and scale itself to provide a given level of
service. Virtual appliances can be classified as instances of PaaS. A content switch
appliance, for example, would have all of its component software hidden from the
customer, and only an API or GUI for configuring and deploying the service provided
to them.


       PaaS offerings can provide for every phase of software development and
testing, or they can be specialized around a particular area such as content
management.


       Commercial examples of PaaS include the Google App Engine, which serves
applications on Google’s infrastructure. PaaS services such as these can provide a
powerful basis on which to deploy applications; however, they may be constrained by
the capabilities that the cloud provider chooses to deliver.


4.3 Infrastructure as a service (IaaS)


       Infrastructure as a service delivers basic storage and compute capabilities as
standardized services over the network. Servers, storage systems, switches, routers,
and other systems are pooled and made available to handle workloads that range from
application components to high-performance computing applications. Commercial
examples of IaaS include Joyent, whose main product is a line of virtualized servers
that provide a highly available on-demand infrastructure.


4.4 Anything-as-a-Service (XaaS)


       Anything-as-a-Service (XaaS) is also a subset of cloud computing. XaaS broadly encompasses a
process of activating reusable software components over the network. The most
common and successful example is Software-as-a-Service. The growth of
“as-a-service” offerings has been facilitated by extremely low barriers to entry (they are
often accessible for free or available as recurring charges on a personal credit card). As
a result, such offerings have been adopted by consumers and small businesses well
before pushing into the enterprise space. All “as-a-service” offerings share a number of
common attributes, including little or no capital expenditure since the required
infrastructure is owned by the service provider, massive scalability, multitenancy, and
device and location independence allowing consumers remote access to systems using
nearly any current available technology.



       On the surface, it appears that XaaS is a potentially game-changing technology
that could reshape IT. However, most CIOs still depend on internal infrastructures
because they are not convinced that cloud computing is ready for prime time. Many
contend that if you want real reliability, you must write more reliable applications.
Regardless of one’s view on the readiness of cloud computing to meet corporate IT
requirements, it cannot be ignored. The concept of pay-as-you-go applications,
development platforms, processing power, storage, or any other cloud-enabled services
has emerged and can be expected to reshape IT over the next decade.


4.5 Virtualization and Private Clouds


       Virtualization of computers or operating systems hides the physical
characteristics of a computing platform from users; instead it shows another abstract
computing platform. A hypervisor is a piece of virtualization software that allows
multiple operating systems to run on a host computer concurrently. Virtualization
providers include VMware, Microsoft, and Citrix Systems. Virtualization is an enabler
of cloud computing.


       Recently some vendors have described solutions that emulate cloud computing
on private networks, referring to these as “private” or “internal” clouds (where “public”
or “external” cloud describes cloud computing in the traditional mainstream sense).
Private cloud products claim to deliver some of the benefits of cloud computing without
the pitfalls. Hybrid solutions are also possible: building internal clouds and connecting
customer data centers to those of external cloud providers. It has been reported that Eli
Lilly wants to benefit from both internal and external clouds [3] and that Amylin [6] is
looking at private cloud VMware as a complement to EC2. Other experts, however, are
skeptical: one has even gone as far as to describe private clouds as absolute rubbish [7].
Platform Computing has recently launched a cloud management system, Platform ISF,
enabling customers to manage workload across both virtual and physical environments
and support multiple hypervisors and operating systems from a single interface.
VMware, the market leader in virtualization technology, is moving into cloud
technologies in a big way, with vSphere 4. The company is building a huge partner
network of service providers and is also releasing a “vCloud API”. VMware wants
customers to build a series of “virtual data centers”, each tailored to meet different
requirements, and then have the ability to move workloads in the virtual data centers to
the infrastructure provided by cloud vendors.


       Cisco, EMC and VMware have formed a new venture called Acadia. Its
strategy for private cloud computing is based on Cisco’s servers and networking,
VMware’s server virtualization and EMC’s storage. (Note, by the way, that EMC owns
nearly 85% of VMware.) Other vendors, such as Google, disagree with VMware’s
emphasis on private clouds; in return VMware says Google’s online applications are
not ready for the enterprise.






5.0 Advantages of Cloud


   •   Agility improves with users' ability to rapidly and inexpensively re-provision
       technological infrastructure resources


   •   Cost is claimed to be greatly reduced and capital expenditure is converted to
       operational expenditure. This ostensibly lowers barriers to entry, as
       infrastructure is typically provided by a third-party and does not need to be
       purchased for one-time or infrequent intensive computing tasks.


   •   Device and location independence enable users to access systems using a
       web browser regardless of their location or what device they are using (e.g.,
       PC, mobile). As infrastructure is off-site (typically provided by a third-party)
       and accessed via the Internet, users can connect from anywhere.


   •   Multi-tenancy enables sharing of resources and costs across a large pool of
       users


   •   Reliability is improved if multiple redundant sites are used, which makes well
       designed cloud computing suitable for business continuity and disaster
       recovery.


   •   Scalability via dynamic ("on-demand") provisioning of resources on a
       fine-grained, self-service basis near real-time, without users having to engineer
       for peak loads. Performance is monitored, and consistent and loosely coupled
       architectures are constructed using web services as the system interface


   •   Maintenance: Cloud computing applications are easier to maintain, since they
       don't have to be installed on each user's computer.







   •   Metering: Cloud computing resource usage should be measurable and should
       be metered per client and application on a daily, weekly, monthly, and annual
       basis. This will enable clients to choose a cloud vendor based on cost and
       reliability.


   •   Security could improve due to centralization of data, increased
       security-focused resources, etc., but concerns can persist about loss of control
       over certain sensitive data, and the lack of security for stored kernels. Security
       is often as good as or better than under traditional systems, in part because
       providers are able to devote resources to solving security issues that many
       customers cannot afford. Furthermore, the complexity of security is greatly
       increased when data is distributed over a wider area and / or number of devices.






6.0 Cloud Computing Reference Model


        Understanding the relationships and dependencies between Cloud Computing
models is critical to understanding Cloud Computing security risks.


        IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and
SaaS in turn building upon PaaS as described in the Cloud Reference Model diagram.
In this way, just as capabilities are inherited, so are information security issues and risk.
It is important to note that commercial cloud providers may not neatly fit into the
layered service models. Nevertheless, the reference model is important for relating
real-world services to an architectural framework and understanding the resources and
services requiring security analysis. IaaS includes the entire infrastructure resource
stack from the facilities to the hardware platforms that reside in them. It incorporates
the capability to abstract resources (or not), as well as deliver physical and logical
connectivity to those resources. Ultimately, IaaS provides a set of APIs which allow
management and other forms of interaction with the infrastructure by consumers.


        PaaS sits atop IaaS and adds an additional layer of integration with application
development frameworks; middleware capabilities; and functions such as database,
messaging, and queuing; which allow developers to build applications upon the
platform; and whose programming languages and tools are supported by the stack.
SaaS in turn is built upon the underlying IaaS and PaaS stacks; and provides a
self-contained operating environment used to deliver the entire user experience
including the content, its presentation, the application(s), and management capabilities.








Figure 7:- Cloud Computing Reference Model





7.0 Security for Cloud Computing

       There are a number of security issues associated with cloud computing, but these
issues fall into two broad categories: security issues faced by cloud providers
(organizations providing Software-, Platform-, or Infrastructure-as-a-Service via the
cloud) and security issues faced by their customers. In most cases, the provider must
ensure that their infrastructure is secure and that their clients’ data and applications are
protected while the customer must ensure that the provider has taken the proper security
measures to protect their information.


       Security controls in cloud computing are, for the most part, no different than
security controls in any IT environment. Cloud computing may present different risks
to an organization than traditional IT solutions. Cloud computing is about gracefully
losing control while maintaining accountability even if the operational responsibility
falls upon one or more third parties.


       While cloud security concerns can be grouped into any number of dimensions,
these dimensions have been aggregated into three general areas: Security and Privacy,
Compliance, and Legal or Contractual Issues.


7.1 Defining Security in the Cloud


       If we wish to enable cloud-driven growth and innovation through security, we
must have a clear framing on what is meant by security. Security has been notoriously
hard to define in the general case. The canonical goals of information security are
Confidentiality, Integrity, and Availability. We borrow from NIST to include
Accountability and Assurance, and then add a sixth category of Resilience. We define
these terms below and map them to the cloud context, with a few examples of how they
can be supported by both technical and non-technical mechanisms.






        To begin to answer these questions, let’s quickly look at the security of the
traditional datacenter and the impact of virtualization technology, which is enabling the
cloud computing revolution.


7.2 Security Issues and Challenges

        IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS
(Software as a Service) are three general models of cloud computing. Each of these
models has a different impact on application security. However, in a typical
scenario where an application is hosted in a cloud, two broad security questions that
arise are:


    •   How secure is the Data?
    •   How secure is the Code?


    A cloud computing environment is generally assumed to be a potential cost saver as well
as a provider of higher service quality. Security, availability, and reliability are the major
quality concerns of cloud service users. Gens et al. suggest that security is one of the
prominent challenges among all quality challenges.


7.3 Security Advantages in Cloud Environments

        Current cloud service providers operate very large systems. They have
sophisticated processes and expert personnel for maintaining their systems, which
small enterprises may not have access to. As a result, there are many direct and indirect
security advantages for the cloud users. Here we present some of the key security
advantages of a cloud computing environment:


    •   Data Centralization: In a cloud environment, the service provider takes care of
        storage issues and small businesses need not spend a lot of money on physical
        storage devices. Also, cloud-based storage provides a way to centralize the data
        faster and potentially cheaper. This is particularly useful for small businesses,
        which cannot spend additional money on security professionals to monitor the
        data.


   •   Incident Response: IaaS providers can put up a dedicated forensic server that
       can be used on an on-demand basis. Whenever a security violation takes place, the
       server can be brought online. In some investigation cases, a backup of the
       environment can be easily made and put onto the cloud without affecting the
       normal course of business.


   •   Forensic Image Verification Time: Some cloud storage implementations
       expose a cryptographic checksum or hash. For example, Amazon S3 generates
       an MD5 (Message-Digest algorithm 5) hash automatically when you store an
       object. Therefore, in theory, the need to generate time-consuming MD5
       checksums using external tools is eliminated.


   •   Logging: In a traditional computing paradigm, logging is by and large an
       afterthought. In general, insufficient disk space is allocated, which makes logging
       either non-existent or minimal. However, in a cloud, the storage need for standard
       logs is automatically solved.
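The "in theory" in the Forensic Image Verification Time item matters in practice, so here is an added example (not part of the original dissertation) that recomputes a provider-reported hash for a local image copy. It assumes the commonly observed object-store behaviour that a single-request upload reports the plain MD5 of the content, while a multipart upload reports the MD5 of the concatenated per-part MD5 digests followed by "-<part count>"; the function names, sample bytes and part size are constructed for illustration, and a SHA-256 recorded at acquisition is checked alongside because MD5 alone is not collision resistant.

```python
import hashlib
import hmac
import io

CHUNK = 1024 * 1024  # streaming read size, so large images never sit in memory

# Constructed sample "disk image" (10240 bytes), not real evidence.
SAMPLE_IMAGE = bytes(range(256)) * 40
SAMPLE_PART_SIZE = 4096  # assumed upload part size: 2 full parts + 1 short part


def digests_for_image(stream, part_size=None):
    """Return (etag, sha256_hex) for a readable binary stream.

    part_size=None -> single-upload form: hex MD5 of the whole object.
    part_size=N    -> multipart form: MD5 over the concatenated binary MD5
                      digests of each N-byte part, plus "-<part count>".
    """
    if part_size is not None and part_size <= 0:
        raise ValueError("part_size must be positive")
    sha256 = hashlib.sha256()
    whole_md5 = hashlib.md5()
    part_md5, part_len, part_digests = hashlib.md5(), 0, []
    while True:
        want = CHUNK if part_size is None else min(CHUNK, part_size - part_len)
        block = stream.read(want)
        if not block:
            break
        sha256.update(block)
        whole_md5.update(block)
        if part_size is not None:
            part_md5.update(block)
            part_len += len(block)
            if part_len == part_size:  # part boundary reached
                part_digests.append(part_md5.digest())
                part_md5, part_len = hashlib.md5(), 0
    if part_size is None:
        return whole_md5.hexdigest(), sha256.hexdigest()
    if part_len or not part_digests:  # final short part (or empty object)
        part_digests.append(part_md5.digest())
    combined = hashlib.md5(b"".join(part_digests)).hexdigest()
    return f"{combined}-{len(part_digests)}", sha256.hexdigest()


def verify_image(stream, reported_etag, part_size=None, recorded_sha256=None):
    """Check a local copy against the provider-reported ETag.

    'etag_match' is None when the ETag is multipart-style but the part size
    is unknown: the value cannot be recomputed, so it proves nothing.
    """
    reported = reported_etag.strip().strip('"').lower()
    multipart = "-" in reported
    if multipart and part_size is None:
        _, sha = digests_for_image(stream)
        etag_match = None
    else:
        etag, sha = digests_for_image(stream, part_size if multipart else None)
        etag_match = hmac.compare_digest(etag, reported)
    sha_match = None
    if recorded_sha256 is not None:
        sha_match = hmac.compare_digest(sha, recorded_sha256.lower())
    return {"multipart": multipart, "etag_match": etag_match,
            "sha256": sha, "sha256_match": sha_match}


if __name__ == "__main__":
    etag, sha = digests_for_image(io.BytesIO(SAMPLE_IMAGE), SAMPLE_PART_SIZE)
    print("multipart-style ETag:", etag)
    print("intact copy :", verify_image(io.BytesIO(SAMPLE_IMAGE), etag,
                                        SAMPLE_PART_SIZE, sha))
    altered = bytearray(SAMPLE_IMAGE)
    altered[5000] ^= 0x01  # flip one bit in the second part
    print("altered copy:", verify_image(io.BytesIO(bytes(altered)), etag,
                                        SAMPLE_PART_SIZE, sha))
    print("unknown part size:", verify_image(io.BytesIO(SAMPLE_IMAGE), etag))
```

An `etag_match` of `None` is the case to watch for in an investigation: the provider-side value exists but cannot stand in for an independently computed checksum.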


7.4 Security Disadvantages in Cloud Environments


       In spite of these security advantages, the cloud computing paradigm also introduces some
key security challenges. Here we discuss some of these key security challenges:


   •   Data Location: In general, cloud users are not aware of the exact location of
       the datacenter, and they do not have any control over the physical access
       mechanisms to that data. Most well-known cloud service providers have
       datacenters around the globe. Some service providers also take advantage of
       their global datacenters. However, in some cases applications and data might be
       stored in countries, which can raise judicial concerns. For example, if the user data
       is stored in X country then service providers will be subjected to the security
       requirements and legal obligations of X country. It may also happen that a
       user is not informed of these issues.


   •   Investigation: Investigating an illegitimate activity may be impossible in cloud
       environments. Cloud services are especially hard to investigate, because data
       for multiple customers may be co-located and may also be spread across
       multiple datacenters. Users have little knowledge about the network topology of
       the underlying environment. Service providers may also impose restrictions on
       the network security of the service users.


   •   Data Segregation: Data in the cloud is typically in a shared environment
       together with data from other customers. Encryption cannot be assumed as the
       single solution for data segregation problems. In some situations, customers
       may not want to encrypt data because an encryption accident can destroy
       the data.


   •   Long-term Viability: Service providers must ensure the data safety in
       changing business situations such as mergers and acquisitions. Customers must
       ensure data availability in these situations. Service providers must also ensure
       data security in adverse business conditions such as prolonged outages.


   •   Compromised Servers: In a cloud computing environment, users do not even
       have the choice of using a physical acquisition toolkit. Where a server
       is compromised, they need to shut their servers down until they get a previous
       backup of the data. This will further cause availability concerns.


   •   Regulatory Compliance: Traditional service providers are subjected to
       external audits and security certifications. If a cloud service provider does not
       adhere to these security audits, then it leads to an obvious decrease in customer
       trust.


   •   Recovery: Cloud service providers must ensure data security in natural and
       man-made disasters. Generally, data is replicated across multiple sites.
       However, in the case of any such unwanted event, the provider must perform a
       complete and quick restoration.




7.5 Security Issues in Virtualization


           Full virtualization and paravirtualization are two kinds of virtualization in a
cloud computing paradigm. In full virtualization, the entire hardware architecture is
replicated virtually. However, in paravirtualization, an operating system is modified so
that it can be run concurrently with other operating systems.


           The VMM (Virtual Machine Monitor) is a software layer that abstracts the physical
resources used by the multiple virtual machines. The VMM provides a virtual processor
and other virtualized versions of system devices such as I/O devices, storage, memory,
etc.


           VMM Instance Isolation ensures that different instances running on the same
physical machine are isolated from each other. However, current VMMs do not offer
perfect isolation. Many bugs have been found in all popular VMMs that allow escaping
from a VM (virtual machine). Vulnerabilities have been found in all virtualization
software, which can be exploited by malicious users to bypass certain security
restrictions and/or gain escalated privileges. Below are a few examples:


       •   A vulnerability in Microsoft Virtual PC and Microsoft Virtual Server could allow
           a guest operating system user to run code on the host or another guest operating
           system.


       •   A vulnerability was found in VMware’s shared folders mechanism that grants
           users of a guest system read and write access to any portion of the host’s file
           system including the system folder and other security-sensitive files.






    •   A vulnerability in Xen can be exploited by “root” users of a guest domain to
        execute arbitrary commands.


7.6 Survey of Cloud Computing


        We carry out a small survey of major cloud service providers to investigate the
security mechanisms to overcome the security issues discussed in this paper. We
consider ten major cloud service providers. These providers provide their services in all
major areas of cloud computing, including SaaS, PaaS and IaaS.


        Table 2 shows the list of service providers that we studied in this survey. In
order to analyze the complete state of the art of security in cloud computing, the survey
needs to be more exhaustive. However, the scope of our work is not
just to explore the state of the art but to look at the major factors that affect security in cloud
computing; therefore, we have intentionally not considered other cloud service
providers in this survey.


Table 2:- Major Cloud Service Providers
Service Provider Type              Names
IaaS                               Amazon EC2, Amazon S3, GoGrid
PaaS                               Google App Engine, Microsoft Azure Services,
                                   Amazon Elastic Map Reduce
SaaS                               Salesforce, Google Docs




        In Table 3, we present the results of the survey, which depict the current state of
security mechanisms. The information given in Table 3 is based on the information available
online at the official websites of these providers.






Table 3:- Summary of Security Mechanisms by Major Cloud Service Providers
Security Issue                  Results
Password Recovery               90% are using standard methods like other common
                                services, while 10% are using sophisticated
                                techniques.
Encryption Mechanism            40% are using standard SSL encryption, while 20% are
                                using an encryption mechanism but at an extra cost.
                                40% are using advanced methods like HTTPS access also.
Data Location                   70% have their datacenters located in more than one
                                country, while 10% are located at a single location.
                                20% are not open about this issue.
Availability History            In 40% there is reported downtime along with
                                resulting data loss, while in 60% of cases data
                                availability is good.
Proprietary/Open                Only 10% of providers have an open mechanism.
Monitoring Services             70% are providing extra monitoring services, while
                                10% are using automatic techniques. 20% are not open
                                about this issue.




7.7 Traditional Datacenter Security

         The word ‘datacenter’ has long evoked images of massive server farms behind
locked doors, where electricity and cooling were as important as network security to
maintain reliability and availability of data. Perimeter security controls are the most
common approach taken for traditional datacenter security. This approach typically
includes perimeter firewall, demilitarized zones (DMZ), network segmentation,
network intrusion detection and prevention systems (IDS/IPS) and network monitoring
tools.





8.0 Virtualization – The Catalyst of the Cloud

       Advancements in virtualization technologies enable enterprises to get more
computing power from the underutilized capacity of physical servers. The traditional
datacenter footprint is shrinking to enable cost savings and “greener” IT through server
consolidation. Enterprises and service providers are using virtualization to enable
multi-tenant uses of what used to be single-tenant or single-purpose physical servers.


       Extending virtual machines to public clouds causes the enterprise network
perimeter to evaporate and the lowest common denominator to impact the security of
all. The inability of physical segregation and hardware-based security to deal with
attacks between virtual machines on the same server highlights the need for
mechanisms to be deployed directly on the server, or virtual machines.


       Deploying this line of defense at the virtual machine itself enables critical
applications and data to be moved to cloud environments.


8.1 Confidentiality

       Confidentiality refers to keeping data private. Privacy is of paramount
importance as data leaves the borders of the organization. Not only must internal
secrets and sensitive personal data be safeguarded, but metadata and transactional data
can also leak important details about firms or individuals. Confidentiality is supported
by, among other things, technical tools such as encryption and access control, as well as
legal protections.


8.2 Integrity

       Integrity is a degree of confidence that the data in the cloud is what is supposed to
be there, and is protected against accidental or intentional alteration without
authorization. It also extends to the hurdles of synchronizing multiple databases.
Integrity is supported by well audited code, well-designed distributed systems, and
robust access control mechanisms.


8.3 Authentication

User authentication is often the primary basis for access control, keeping the bad guys
out while allowing authorized users in with a minimum of fuss. In the cloud
environment, authentication and access control are more important than ever since the
cloud and all of its data are accessible to anyone over the Internet. The Trusted Platform
Module (TPM) can easily provide stronger authentication than usernames and passwords.
The Trusted Computing Group's (TCG) IF-MAP
standard allows for real-time communication between the cloud provider and the
customer about authorized users and other security issues. When a user is fired or
reassigned, the customer’s identity management system can notify the cloud provider
in real-time so that the user’s cloud access can be modified or revoked within seconds.
If the fired user is logged into the cloud, they can be immediately disconnected. Trusted
Computing enables authentication of client PCs and other devices, which also is critical
to ensuring security in cloud computing.


8.4 Availability

       Availability means being able to use the system as anticipated. Cloud
technologies can increase availability through widespread internet-enabled access, but
the client is dependent on the timely and robust provision of resources. Availability is
supported by capacity building and good architecture by the provider, as well as
well-defined contracts and terms of agreement.


8.5 Accountability

       Accountability maps actions in the system to responsible parties. Inside the
cloud, actions must be traced uniquely back to an entity, allowing for integration into
organizational processes, conflict resolution and deterrence of bad behavior.
Accountability is supported by robust identity, authentication and access control, as
well as the ability to log transactions and then, critically, audit these logs.


8.6 Assurance

        Assurance refers to the need for a system to behave as expected. In the cloud
context, it is important that the cloud provider provides what the client has specified.
This is not simply a matter of the software and hardware behaving as the client expects
but that the needs of the organization are understood, and that these needs are
accurately translated into information architecture requirements, which are then
faithfully implemented in the cloud system. Assurance is supported by a trusted
computing architecture in the cloud, and by careful process mapping from business
case to technical details to legal agreements.



8.7 Resilience

        Resilience in a system allows it to cope with security threats, rather than failing
critically. Cloud technology can increase resilience, with a broader base, backup data
and systems, and the potential to identify threats and dynamically counteract them. However,
by shifting critical systems and functions to an outside party, organizations can
undermine resilience by introducing a single point of failure. Resilience is supported by
redundancy, diversification and real-time forensic capacity.






9.0 Cloud Computing Security Issues

       In order to ensure that data is secure (that it cannot be accessed by unauthorized
users or simply lost) and that data privacy is maintained, cloud providers attend to the
following areas in Security and Privacy issues.




Figure 8: - Security Architecture Design





       A security architecture framework should be established with consideration of
processes (enterprise authentication and authorization, access control, confidentiality,
integrity, non-repudiation, security management, etc.), operational procedures,
technology specifications, people and organizational management, and security
program compliance and reporting. A security architecture document should be
developed that defines security and privacy principles to meet business objectives.
Documentation is required for management controls and metrics specific to asset
classification and control, physical security, system access controls, network and
computer management, application development and maintenance, business continuity,
and compliance. A design and implementation program should also be integrated with
the formal system development life cycle to include a business case, requirements
definition, design, and implementation plans. Technology and design methods should
be included, as well as the security processes necessary to provide the following
services across all technology layers:


   9.1 Authentication
   9.2 Authorization
   9.3 Availability
   9.4 Confidentiality
   9.5 Integrity
   9.6 Accountability
   9.7 Privacy


   The creation of a secure architecture provides the engineers, data center operations
personnel, and network operations personnel a common blueprint to design, build, and
test the security of the applications and systems.


   Design reviews of new changes can be better assessed against this architecture to
assure that they conform to the principles described in the architecture, allowing for
more consistent and effective design reviews.






   • Secure Software Development Life Cycle (SecSDLC)


   The SecSDLC involves identifying specific threats and the risks they represent,
followed by design and implementation of specific controls to counter those threats and
assist in managing the risks they pose to the organization and/or its customers. The
SecSDLC must provide consistency, repeatability, and conformance. The SDLC
consists of six phases, and there are steps unique to the SecSDLC in each of these phases:


           o Investigation: Define project processes and goals, and document them
               in the program security policy.


           o Analysis: Analyze existing security policies and programs, analyze
               current threats and controls, examine legal issues, and perform risk
               analysis.


           o Logical design: Develop a security blueprint, plan incident response
               actions, plan business responses to disaster, and determine the
               feasibility of continuing and/or outsourcing the project.
           o Physical design: Select technologies to support the security blueprint,
               develop a definition of a successful solution, design physical security
               measures to support technological solutions, and review and approve
               plans.


           o Implementation: Buy or develop security solutions. At the end of this
               phase, present a tested package to management for approval.


           o Maintenance: Constantly monitor, test, modify, update, and repair to
               respond to changing threats.






       In the SecSDLC, application code is written in a consistent manner that can
easily be audited and enhanced; core application services are provided in a common,
structured, and repeatable manner; and framework modules are thoroughly tested for
security issues before implementation and continuously retested for conformance
through the software regression test cycle. Additional security processes are developed
to support application development projects such as external and internal penetration
testing and standard security requirements based on data classification. Formal training
and communications should also be developed to raise awareness of process
enhancements.






10 Cloud Security Challenges

       At first glance, the security requirements for cloud computing providers would
appear to be the same as traditional datacenters — apply a strong network security
perimeter and keep the bad guys out. However, as previously stated, physical
segregation and hardware-based security cannot protect against attacks between virtual
machines on the same server. The following outlines some of the primary concerns that
enterprises should be aware of when planning their cloud computing deployments.


10.1 Administrative Access to Servers and Applications

       One of the most important characteristics of cloud computing is that it offers
“self-service” access to computing power, most likely via the Internet. In traditional
datacenters, administrative access to servers is controlled and restricted to direct or
on-premise connections. In cloud computing, this administrative access must now be
conducted via the Internet, increasing exposure and risk. It is extremely important to
restrict administrative access and monitor this access to maintain visibility of changes
in system control.


10.2 Dynamic Virtual Machines: VM State and Sprawl

       Virtual machines are dynamic. They can quickly be reverted to previous
instances, paused, and restarted relatively easily. They can also be readily cloned and
seamlessly moved between physical servers. This dynamic nature and the potential for VM
sprawl make it difficult to achieve and maintain consistent security. Vulnerabilities or
configuration errors may be unknowingly propagated. Also, it is difficult to maintain an
auditable record of the security state of a virtual machine at any given point in time. In
cloud computing environments, it will be necessary to be able to prove the security state
of a system, regardless of its location or proximity to other, potentially insecure virtual
machines.


10.3 Vulnerability Exploits and VM-to-VM Attacks

       Cloud computing servers use the same operating systems, enterprise and web
applications as localized virtual machines and physical servers. The ability for an
attacker or malware to remotely exploit vulnerabilities in these systems and
applications is a significant threat to virtualized cloud computing environments. In
addition, co-location of multiple virtual machines increases the attack surface and risk
of VM-to-VM compromise. Intrusion detection and prevention systems need to be able
to detect malicious activity at the virtual-machine level, regardless of the location of the
VM within the virtualized cloud environment.


10.4 Encryption and Data Protection

       Many regulations and standards such as the PCI DSS and HIPAA include
requirements for the use of encryption to protect critical information—such as
cardholder data and personally identifiable information (PII)—to achieve compliance
or safe harbor in the event of a breach. The multi-tenant nature of the cloud amplifies
these requirements and creates unique challenges with the accessibility and protection
of encryption credentials used to ensure data protection.


10.5 Policy and Compliance

       Enterprises are experiencing significant pressure to comply with a wide range
of regulations and standards such as PCI, HIPAA, and GLBA in addition to auditing
practices such as SAS70 and ISO. Enterprises need to prove compliance with security
standards, regardless of the location of the systems required to be in scope of
regulation, be that on-premise physical servers, on-premise virtual machines or
off-premise virtual machines running on cloud computing resources.





10.6 Patch Management


       The self-service nature of cloud computing may create confusion for patch
management efforts. Once an enterprise subscribes to a cloud computing
resource—for example by creating a Web server from templates offered by the cloud
computing service provider—the patch management for that server is no longer in the
hands of the cloud computing vendor, but is now the responsibility of the subscriber.
Keeping in mind that according to the previously mentioned Verizon 2008 Data Breach
Investigations Report, 90% of known vulnerabilities that were exploited had patches
available for at least six months prior to the breach, organizations leveraging cloud
computing need to remain vigilant to maintain cloud resources with the most recent
vendor-supplied patches. If patching is impossible or unmanageable, compensating
controls such as “virtual patching” need to be considered.


10.7 Perimeter Protection and Zoning


       In cloud computing, the enterprise perimeter evaporates and the
lowest common denominator impacts the security of all. The enterprise firewall, the
foundation for establishing security policy and zoning for networks, can either no
longer reach cloud computing servers, or its policies are no longer in the control of the
resource owner, but the responsibility of the cloud computing provider. To establish
zones of trust in the cloud, the virtual machines must be self-defending, effectively
moving the perimeter to the virtual machine itself.


10.8 Rogue Corporate Resources


       Eager for immediate computing resources and results, non-IT savvy individuals
and groups are jumping at cloud computing. Important corporate data and applications
are being deployed in the cloud, possibly oblivious to the security implications.






11 Data Protection, Identity Management, Security


11.1 Data Protection

       To be considered protected, data from one customer must be properly
segregated from that of another; it must be stored securely when “at rest” and it must be
able to move securely from one location to another. Cloud providers have systems in
place to prevent data leaks or access by third parties. Proper separation of duties should
ensure that auditing and/or monitoring cannot be defeated, even by privileged users at
the cloud provider.


11.2 Identity Management

       Every enterprise will have its own identity management system to control
access to information and computing resources. Cloud providers either integrate the
customer’s identity management system into their own infrastructure, using federation
or SSO technology, or provide an identity management solution of their own.


11.3 Physical and Personnel Security

       Providers ensure that physical machines are adequately secure and that access
to these machines as well as all relevant customer data is not only restricted but that
access is documented. Finally, providers ensure that all critical data (credit card
numbers, for example) are masked and that only authorized users have access to data in
its entirety. Moreover, digital identities and credentials must be protected as should any
data that the provider collects or produces about customer activity in the cloud.






12 Availability
   Cloud providers assure customers that they will have regular and predictable access
to their data and applications.


   For example, consider some of the cloud-related outages which have been widely
reported…

   • Bitbucket, DDoS'd Off The Air
   • Maintenance Induced Cascading Failures






13 Application Securities, User Centric Access Control, Transparency

13.1 Application Securities

        Cloud providers ensure that applications available as a service via the cloud are
secure. Application security covers securing application software that is running on or
being developed in the cloud. This includes items such as whether it’s appropriate to
migrate or design an application to run in the cloud, and if so, what type of cloud
platform is most appropriate (SaaS, PaaS, or IaaS). Some specific security issues related
to the cloud are also discussed.


13.2 User Centric Access Control

        The traditional model of application-centric access control, where each
application keeps track of its collection of users and manages them, is not feasible in
cloud-based architectures. This is all the more so because the user space may be shared
across applications, which can lead to data replication and makes mapping users to their
privileges a herculean task. It also requires the user to remember and maintain multiple
accounts and passwords. The cloud requires user-centric access control,
where every user request to any service provider is bundled with the user identity and
entitlement information. The user identity will have identifiers or attributes that identify
and define the user. The identity is tied to a domain, but is portable. The user-centric
approach leaves users with ultimate control of their digital identities. It
also implies that the system maintains a context of information for every user,
in order to find how best to react in a given situation to a given user request. It should
support pseudonyms and multiple, discrete identities to protect user privacy. This
can be achieved easily by using one of the open standards like OpenID or SAML.
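
The user-centric model described in 13.2, as an added example that is not part of the original dissertation: an identity provider bundles a per-service pseudonym and the user's entitlements into a signed assertion, and the service provider checks it before acting. The HMAC shared key stands in for the asymmetric signatures that SAML and OpenID deployments use; all names, keys and service identifiers below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secrets (assumptions, not from the dissertation). A real
# SAML/OpenID deployment signs with the identity provider's private key instead.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
IDP_PAIRWISE_KEY = b"constructed-idp-pairwise-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def pairwise_pseudonym(user_id: str, audience: str) -> str:
    """Per-service identifier: stable for one service, unlinkable across services."""
    mac = hmac.new(IDP_PAIRWISE_KEY, f"{audience}|{user_id}".encode(), hashlib.sha256)
    return _b64(mac.digest()[:16])


def issue_assertion(user_id, audience, entitlements, now, ttl=300):
    """Identity provider side: bundle identity and entitlements for one service."""
    claims = {
        "sub": pairwise_pseudonym(user_id, audience),
        "aud": audience,
        "ent": sorted(entitlements),
        "exp": now + ttl,
    }
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def authorize(assertion, audience, required, now):
    """Service provider side: return (allowed, pseudonym or refusal reason)."""
    try:
        body, sig = assertion.split(".")
        # Verify the signature before parsing anything the caller controls.
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
    except ValueError:
        return False, "malformed assertion"
    if claims.get("aud") != audience:
        return False, "wrong audience"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if required not in claims.get("ent", []):
        return False, "missing entitlement"
    return True, claims["sub"]
```

The service provider never sees the user's home identifier, only the pseudonym issued for it, so two services comparing records cannot link the same user.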






13.3 Transparency

        Security measures assumed in the cloud must be made available to the
customers to gain their trust. There is always a possibility that the cloud infrastructure is
secured with respect to some requirements while the customers are looking for a different
set of security requirements. The important aspect is to see that the cloud provider meets
the security requirements of the application, and this can be achieved only through 100%
transparency. The Open Cloud Manifesto stresses transparency in clouds because of
consumers’ apprehension about hosting their applications on a shared infrastructure over
which they do not have any control. Transparency can be achieved by complete audit
logging and control.






14 New Opportunities

       Combining the contemporary and historical viewpoints, we arrive at the
position that many cloud computing security problems are not in fact new, but often
will still require new solutions in terms of specific mechanisms. Existing contemporary
works already explore many pertinent topics; we highlight here several areas that
deserve more attention.


       First, cloud providers should offer a choice of security primitives with
well-considered defaults. Cloud users know more about their applications, but cloud
providers potentially know more about the relevant security issues due to a higher
concentration of security expertise. The cloud user would ideally choose from a
spectrum of security levels and security subsystem boundaries. We believe this
flexibility could prove to be a major improvement if done well. One possible approach
would be to formulate the security primitives around defending different stakeholders
against different particular threat models. An additional feature might support
“plug-and-play” services readily compliant with common standards such as those of HIPAA
or the Payment Card Industry.


       Another important research area concerns determining apt granularities for
isolation. Several are possible: isolate by virtual or physical machines, LANs, clouds,
or datacenters. We at present lack a good understanding of the tradeoffs between
security and performance for each of these options, but it would appear likely that cloud
providers can fruitfully offer different granularities of isolation as a part of their
spectrum of security.


       Side channels and covert channels pose another fundamental threat, one which
interplays with the granularities of isolation discussed above. While not a panacea (e.g.,
it takes very few bits to steal a password), a helpful analysis could include when
appropriate a quantification of channel bit rates, coupled with an assessment of the bit
rate required to do harm.






       One important area that has yet to receive much attention is mutual auditability.
The auditing capabilities of most existing systems focus on one-way auditability. In
cloud computing, providers and users may need to demonstrate mutual trustworthiness,
in a bilateral or multilateral fashion. As discussed above, such auditability can have
major benefits with regard to fate-sharing, such as enabling cloud providers in search
and seizure incidents to demonstrate to law enforcement that they have turned over all
relevant evidence, and prove to users that they turned over only the necessary evidence
and nothing more. Recent work notes that implementing thorough auditing is not a
simple matter even for straightforward web services. In cloud computing, it remains an
open challenge to achieve thorough auditing without impairing performance. To
complicate matters even further, the auditor fundamentally needs to be an independent
third party, and a third-party auditor requires a setup quite different from today’s
practice, in which cloud providers record and maintain all the audit logs. In short,
mutual auditability needs significant work. On the plus side, achieving it robustly
would constitute an important security feature.
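
One way to make the audit logging of 13.3 and the third-party auditing discussed above checkable by both sides, as an added example that is not part of the original dissertation: the provider keeps a hash-chained log while an independent auditor keeps only periodic checkpoints. The class names, the checkpoint scheme and the sample events are assumptions constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # chain anchor before the first entry

# Constructed sample events (not taken from any real provider's log).
SAMPLE_EVENTS = [
    {"ts": "2011-01-10T09:00:00Z", "actor": "tenant-a/admin", "action": "vm.start", "target": "vm-17"},
    {"ts": "2011-01-10T09:05:00Z", "actor": "provider/ops-3", "action": "disk.snapshot", "target": "vm-17"},
    {"ts": "2011-01-10T09:07:00Z", "actor": "tenant-a/admin", "action": "vm.stop", "target": "vm-17"},
]


def entry_hash(prev_hash, record):
    """Hash of an entry covers its content and the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class ProviderLog:
    """Append-only log as kept by the cloud provider."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        head = entry_hash(prev, record)
        self.entries.append({"record": copy.deepcopy(record), "hash": head})
        return len(self.entries), head  # checkpoint to hand to the auditor

    def export(self):
        return copy.deepcopy(self.entries)


class Auditor:
    """Independent third party: stores only checkpoints, never the log itself."""

    def __init__(self):
        self.checkpoints = {}  # entry count -> head hash witnessed at that time

    def witness(self, count, head):
        self.checkpoints[count] = head

    def verify(self, exported):
        """Return (ok, reason) for a log copy produced by the provider."""
        prev = GENESIS
        for position, entry in enumerate(exported, start=1):
            head = entry_hash(prev, entry["record"])
            if head != entry["hash"]:
                return False, f"entry {position} altered"
            # A rewritten but internally consistent chain fails here.
            if self.checkpoints.get(position, head) != head:
                return False, f"entry {position} does not match witnessed checkpoint"
            prev = head
        if any(count > len(exported) for count in self.checkpoints):
            return False, "log truncated below a witnessed checkpoint"
        return True, "ok"


def build_witnessed_log(events):
    """Provider appends each event and sends the checkpoint to the auditor."""
    log, auditor = ProviderLog(), Auditor()
    for event in events:
        auditor.witness(*log.append(event))
    return log, auditor
```

Because the auditor holds hashes rather than records, the provider does not disclose tenant activity to it, yet a privileged insider who edits an entry and recomputes the whole chain is still caught at the next witnessed checkpoint.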


       More broadly, we see a need for research that seeks to understand the ecosystem
of threats. Current work in the literature generally focuses only on single aspects of the
cloud security problem. As we begin to understand problems in isolation, we should
also start to put together an understanding of how different issues and threats combine.
For example, in web security we understand security problems at a high-level as an
ecosystem involving the interplay between worms, bots, scams, spam, phishing, active
content, browsers, usability, and other human factors. We argue that future work on
cloud security needs to similarly bridge established topic boundaries.


       Lastly, we would highlight that breaking real clouds makes them stronger. Such
studies involve obvious ethical issues, but provide much more compelling results than
breaking hypothetical clouds. For example, the EC2 information leak study triggered
a highly visible security effort by Amazon Web Services, and serves as a model for
similar future work in academia. Similarly, the Air Force Multics security
enhancements originated from a companion effort to find security exploits. Such
coupled attack and defense approaches serve as a model for potential government cloud
security projects today, and cloud providers should sponsor internal adversarial efforts
to discover vulnerabilities before they become exposed in the wild. Needless to say,
stakeholders also need to continue to track black-hat perspectives. Finally, research
partnerships between different types of stakeholders will likely prove very beneficial to
advancing the field.






15 Conclusions


       In cloud computing, end-to-end security is critical. Building blocks from TCG
and commercial products built on these principles will help make the cloud
environment more secure. Ongoing research from TCG and operating system or device
security vendors will take advantage of the TPM using additional software to enhance
its capability for cloud computing. Other research on cloud computing security is under
way at several companies. Today, the good news is that most cloud security issues can
be addressed with well-known, existing techniques.


       The TPM can be an independent entity that works on behalf of cloud computing
customers. Inside every server in the cloud, the TPM and associated software can check
what is installed on each machine and verify the machine’s health and proper
performance. When it detects a problem, TNC technology can immediately restrict
access to a device or server. For securing data at rest in the cloud or in clients that
access cloud data, self-encrypting drives based on Trusted Storage provide the
ultimately secure solution.



       Organizations that have already implemented TCG-based solutions can
leverage their corporate investment in hardware, software and policies and re-use them
for cloud computing. If cloud computing represents an organization’s initial
implementation of TCG-based technology (used by the cloud provider), the rest of the
organization should be re-evaluated for areas where TCG technology can provide
improved internal security, including: activating TPMs, use of self-encrypting drives
and network access control through TNC.

       In an emerging discipline like cloud computing, security needs to be analyzed
more frequently. With advances in cloud technologies and an increasing number of
cloud users, data security dimensions will continuously increase. In this paper, we have
analyzed the data security risks and vulnerabilities which are present in current cloud
computing environments.






       The most obvious finding to emerge from this study is that there is a need for
better trust management. We have built a risk analysis approach based on the prominent
security issues. The security analysis and risk analysis approach will help service
providers to assure their customers about data security. Similarly, the approach can
also be used by cloud service users to perform risk analysis before putting their critical
data in a security-sensitive cloud.


       At present, there is a lack of structured analysis approaches that can be used for
risk analysis in cloud computing environments. The approach suggested in this paper is
a first step towards analyzing data security risks. This approach is easily adaptable for
automation of risk analysis.






16 Vulnerabilities


   Cloud computing shares certain vulnerabilities with other network-based application,
storage and communication platforms in several broad areas:



   •   Web application vulnerabilities, such as cross-site scripting and SQL injection
       (which are symptomatic of poor field input validation) and buffer overflow, as well
       as default configurations or misconfigured applications.


   •   Accessibility vulnerabilities, which are vulnerabilities inherent to the TCP/IP
       stack and the operating systems, such as denial of service and distributed denial
       of service.


   •   Authentication of the respondent device or devices. IP spoofing, RIP attacks,
       ARP poisoning (spoofing), and DNS poisoning are all too common on the
       Internet. TCP/IP has some “unfixable flaws” such as the “trusted machine” status
       of machines that have been in contact with each other, and the tacit assumption that
       routing tables on routers will not be maliciously altered.


   •   Data Verification, tampering, loss and theft, while on a local machine, while in
       transit, while at rest at the unknown third-party device, or devices, and during
       remote back-ups.


   •   Physical access issues, both the issue of an organization’s staff not having
       physical access to the machines storing and processing its data, and the issue of
       unknown third parties having physical access to the machines.


   •   Privacy and control issues stemming from third parties having physical control
       of data. These are an issue for all outsourced networked applications and storage,
       but cloud architectures have some specific issues that are distinct from the usual
       issues.








   18 Appendices


      TCG – Trusted Computing Group
      LAN – Local Area Network
      API – Application Programming Interface
      TPM – Trusted Platform Module
      DMZ – Demilitarized Zones
      ID – Intrusion Detection
      IPS – Intrusion Prevention Systems




 
Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter PresentationCloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
 
Cloud computing-security-issues
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issues
 
B. ejemplo plan de asignatura
B.  ejemplo plan de asignaturaB.  ejemplo plan de asignatura
B. ejemplo plan de asignatura
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud computing architecture and vulnerabilies
Cloud computing architecture and vulnerabiliesCloud computing architecture and vulnerabilies
Cloud computing architecture and vulnerabilies
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
 
Call Centre Management
Call Centre ManagementCall Centre Management
Call Centre Management
 

Similar to Cloud Computing Security

Secure Cloud Storage
Secure Cloud StorageSecure Cloud Storage
Secure Cloud StorageALIN BABU
 
Cloud computing
Cloud computingCloud computing
Cloud computingsaralaanuj
 
Becloud hybrid cloud
Becloud hybrid cloudBecloud hybrid cloud
Becloud hybrid cloudBecloud
 
Safe Net: Cloud Security Solutions
Safe Net: Cloud Security SolutionsSafe Net: Cloud Security Solutions
Safe Net: Cloud Security SolutionsASBIS SK
 
Security policy enforcement in cloud infrastructure
Security policy enforcement in cloud infrastructureSecurity policy enforcement in cloud infrastructure
Security policy enforcement in cloud infrastructurecsandit
 
SECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURE
SECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURESECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURE
SECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTUREcscpconf
 
Cloud computing security from single to multi clouds
Cloud computing security from single to multi cloudsCloud computing security from single to multi clouds
Cloud computing security from single to multi cloudsCholavaram Sai
 
An Architecture for Providing Security to Cloud Resources
An Architecture for Providing Security to Cloud ResourcesAn Architecture for Providing Security to Cloud Resources
An Architecture for Providing Security to Cloud ResourcesNiranjana Padmanabhan
 
Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14L S Subramanian
 
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performance
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performanceDeepsecurity & VDI beveiliging, maximale beveiliging en optimale performance
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performanceUNIT4 IT Solutions
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architectureVladimir Jirasek
 
Building your private cloud the ncs experience harrison lee
Building your private cloud the ncs experience harrison leeBuilding your private cloud the ncs experience harrison lee
Building your private cloud the ncs experience harrison leeMicrosoft Singapore
 

Similar to Cloud Computing Security (20)

Smart cloud - single to multi cloud
Smart cloud - single to multi cloud Smart cloud - single to multi cloud
Smart cloud - single to multi cloud
 
Secure Cloud Storage
Secure Cloud StorageSecure Cloud Storage
Secure Cloud Storage
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
D32035052
D32035052D32035052
D32035052
 
D32035052
D32035052D32035052
D32035052
 
Becloud hybrid cloud
Becloud hybrid cloudBecloud hybrid cloud
Becloud hybrid cloud
 
Safe Net: Cloud Security Solutions
Safe Net: Cloud Security SolutionsSafe Net: Cloud Security Solutions
Safe Net: Cloud Security Solutions
 
489 493
489 493489 493
489 493
 
Security policy enforcement in cloud infrastructure
Security policy enforcement in cloud infrastructureSecurity policy enforcement in cloud infrastructure
Security policy enforcement in cloud infrastructure
 
SECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURE
SECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURESECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURE
SECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURE
 
Paper published
Paper published Paper published
Paper published
 
Cloud computing security from single to multi clouds
Cloud computing security from single to multi cloudsCloud computing security from single to multi clouds
Cloud computing security from single to multi clouds
 
An Architecture for Providing Security to Cloud Resources
An Architecture for Providing Security to Cloud ResourcesAn Architecture for Providing Security to Cloud Resources
An Architecture for Providing Security to Cloud Resources
 
Eb31854857
Eb31854857Eb31854857
Eb31854857
 
Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14
 
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performance
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performanceDeepsecurity & VDI beveiliging, maximale beveiliging en optimale performance
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performance
 
Cloud provenance
Cloud provenanceCloud provenance
Cloud provenance
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architecture
 
Security of,for & by cloud
Security of,for & by cloudSecurity of,for & by cloud
Security of,for & by cloud
 
Building your private cloud the ncs experience harrison lee
Building your private cloud the ncs experience harrison leeBuilding your private cloud the ncs experience harrison lee
Building your private cloud the ncs experience harrison lee
 

Recently uploaded

Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1DianaGray10
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTopCSSGallery
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfTejal81
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kitJamie (Taka) Wang
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingMAGNIntelligence
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameKapil Thakar
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)codyslingerland1
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfInfopole1
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.IPLOOK Networks
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2DianaGray10
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIVijayananda Mohire
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveIES VE
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3DianaGray10
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Muhammad Tiham Siddiqui
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 

Recently uploaded (20)

Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile Brochure
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development Companies
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kit
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
SheDev 2024
SheDev 2024SheDev 2024
SheDev 2024
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAI
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 

Cloud Computing Security

  • 4. PREFACE
    “Security in Cloud Computing” was taken up by us as our Dissertation in Semester-V, as our project for the partial fulfilment of the MCA. It is a matter of pleasure for me to submit this documentation of the dissertation work done during Semester-V of the MCA.
    By:- Dhaval Dave
  • 5. Table of Contents
    1. Introduction of Cloud Computing 8
       1.1 Abstract 9
       1.2 Introduction 10
       1.3 Cloud Evolution 11
       1.4 Comparison 13
    2. What is Cloud Computing 14
       2.1 Cloud Architecture 15
       2.2 Cloud Components 16
          2.2.1 Clients 17
          2.2.2 DataCenter 18
          2.2.3 Distributed Servers 18
    3. Cloud Computing Deployment Models 19
       3.1 Public Clouds 19
       3.2 Private Clouds 21
       3.3 Hybrid Clouds 22
       3.4 Community Clouds 23
    4. Cloud Computing Service Model 24
       4.1 Software as a Service (SaaS) 25
       4.2 Platform as a Service (PaaS) 25
       4.3 Infrastructure as a Service (IaaS) 26
       4.4 Anything as a Service (XaaS) 26
       4.5 Virtualization & Private Clouds 27
    5. Advantages of Clouds 29
    6. Cloud Computing Reference Model 31
    7. Security for Cloud Computing 33
       7.1 Defining Security in Cloud 33
       7.2 Security Issues and Challenges 34
       7.3 Security Advantages in Cloud Environment 34
       7.4 Security Disadvantages in Cloud Environment 35
       7.5 Security Issues in Virtualization 37
       7.6 Survey of Cloud Computing 38
       7.7 Traditional Datacenter Security 39
    8. Virtualization - The Catalyst of the Cloud 40
       8.1 Confidentiality 40
       8.2 Integrity 40
       8.3 Authentication 41
       8.4 Availability 41
       8.5 Accountability 41
       8.6 Assurance 42
       8.7 Resilience 42
    9. Cloud Computing Security Issues 43
    10. Cloud Security Challenges 47
       10.1 Administrative Access to Servers Applications 47
       10.2 Dynamic Virtual Machines : VM State and Sprawl 47
       10.3 Vulnerability Exploits and VM to VM Attacks 48
  • 6.
       10.4 Encryption and Data Protection 48
       10.5 Policy and Compliance 48
       10.6 Patch Management 49
       10.7 Perimeter Protection and Zoning 49
       10.8 Rogue Corporate Resources 49
    11. Data Protection, Identity Management, Security 50
       11.1 Data Protection 50
       11.2 Identity Management 50
       11.3 Physical and Personnel Security 50
    12. Availability 51
    13. Application Securities, User Centric Access Control, Transparency 53
       13.1 Application Securities 53
       13.2 Centric Access Control 53
       13.3 Transparency 54
    14. New Opportunities 55
    15. Conclusions 58
    16. Vulnerabilities 60
    17. References 61
    18. Appendices 62
  • 7. List of Figures
    Figure 1:- Cloud Computing 14
    Figure 2:- Cloud Architecture 15
    Figure 3:- Cloud Components 16
    Figure 4:- Public Cloud Model 20
    Figure 5:- Private Cloud Model 21
    Figure 6:- Hybrid Cloud Model 22
    Figure 7:- Cloud Computing Reference Model 32
    Figure 8:- Security Architecture Design 43
    List of Tables
    Table 1:- Cloud Computing Service Model 24
    Table 2:- Major Cloud Service Providers 38
    Table 3:- Summary of Security Mechanisms by Major Clouds Service Providers 39
  • 8. 1. Introduction of Cloud Computing
    According to Gartner’s Hype Cycle Special Report for 2009, “technologies at the ‘Peak of Inflated Expectations’ during 2009 include cloud computing, e-books… and Internet TV, while social software and micro blogging sites…have tipped over the peak and will soon experience disillusionment among enterprise users”. Is cloud computing also heading for the trough of disillusionment?
    The Internet is often represented as a cloud and the term “cloud computing” arises from that analogy. Accenture defines cloud computing as the dynamic provisioning of IT capabilities (hardware, software, or services) from third parties over a network. McKinsey says that clouds are hardware-based services offering compute, network and storage capacity where: hardware management is highly abstracted from the buyer; buyers incur infrastructure costs as variable OPEX [operating expenditures]; and infrastructure capacity is highly elastic (up or down).
    The cloud model differs from traditional outsourcing in that customers do not hand over their own IT resources to be managed. Instead they plug into the cloud, treating it as they would an internal data center or computer providing the same functions.
    Large companies can afford to build and expand their own data centers but small- to medium-sized enterprises often choose to house their IT infrastructure in someone else’s facility. A collocation center is a type of data center where multiple customers locate network, server and storage assets, and interconnect to a variety of telecommunications and other network service providers with a minimum of cost and complexity.
  • 9. 1.1 Abstract
    The Cloud Computing concept offers dynamically scalable resources provisioned as a service over the Internet. Economic benefits are the main driver for the Cloud, since it promises the reduction of capital expenditure and operational expenditure. Organizations are increasingly looking to cloud computing to improve operational efficiency and help with the bottom line. Cloud computing gets its name from the drawings typically used to describe the Internet.
    Cloud computing comes in many forms: Software-as-a-Service (SaaS) providers like salesforce.com; Platform-as-a-Service (PaaS) like Amazon's; Infrastructure-as-a-Service (IaaS); Software-plus-Service (SpS); and web services that offer application programming interfaces (APIs) that enable developers to exploit functionality over the Internet.
    Increasingly, businesses of all sizes are choosing to migrate their data, applications and services to the cloud. The advantages are clear: increased availability; lightweight, easily accessible applications; and lower maintenance and administrative costs. But security and privacy concerns present a strong barrier to entry. For cloud computing to realise its full potential and become a mainstream member of the IT portfolio and choices, many challenges related to privacy and security must be tackled.
    This dissertation is concerned with discovery of the vulnerabilities in the landscape of clouds, discovery of security solutions, and finding evidence that early adopters or developers have grown more concerned with security.
  • 10. 1.2 Introduction
    We are entering into a new era of computing, and it's all about the “cloud”. This immediately brings up several important questions, which deserve thoughtful answers: “What is cloud computing?” “Is it real, or just another buzzword?” And most important, “How does it affect me?”
    Cloud computing is the dynamic provisioning of IT capabilities (hardware, software, or services) from third parties over a network. The term cloud computing refers to the delivery of scalable IT resources over the Internet, as opposed to hosting and operating those resources locally, such as on a college or university network. Those resources can include applications and services, as well as the infrastructure on which they operate. By deploying IT infrastructure and services over the network, an organization can purchase these resources on an as-needed basis and avoid the capital costs of software and hardware.
    The coming shift to cloud computing is a major change in our industry. One of the most important parts of that shift is the advent (the coming or arrival, especially of something extremely important) of cloud platforms. As its name suggests, this kind of platform lets developers write applications that run in the cloud, or use services provided from the cloud, or both. Different names are used for this kind of platform today, including on-demand platform and platform as a service (PaaS). Whatever it’s called, this new way of supporting applications has great potential.
    To see why, think about how application platforms are used today. When a development team creates an on-premises application (i.e., one that will run within an organization), much of what that application needs already exists. An operating system provides basic support for executing the application, interacting with storage, and more, while other computers in the environment offer services such as remote storage. If the creators of every on-premises application first had to build all of these basics, we’d have many fewer applications today.
  • 11. The cloud is growing at a time when climate change and reducing emissions from energy use are of paramount concern. With the growth of the cloud, however, comes an increasing demand for energy. For all of this content to be delivered to us in real time, virtual mountains of video, pictures and other data must be stored somewhere and be available for almost instantaneous access. That ‘somewhere’ is data centres: massive storage facilities that consume incredible amounts of energy.
    1.3 Cloud Evolution
    The evolution of cloud computing can be traced to grid computing. The concept of “The Grid” exploded in popularity when “The Grid: Blueprint for a New Computing Infrastructure” by Ian Foster and Carl Kesselman was published in 1998. The basis of the grid is the electric utility grid that provides electric power to your home and business. Using the same concept, hardware and software would be provided from the grid on demand, much like electricity to run lights and everything else that plugs into the wall.
    What is interesting is that many of the same issues that plagued the grid also plague cloud computing. Defining the grid, vendor lock-in, and forming standards were just some of the issues. Cloud computing expands upon the grid, but still suffers from some of the same issues.
    The main focus of cloud computing from the provider's view is extraneous hardware connected to support downtime on any device in the network, without a change in the users' perspective. Also, the users' software image should be easily transferable from one cloud to another. It proposes that a layering mechanism should occur between the front-end software, middleware networking and back-end servers and storage, so that each part can be designed, implemented, tested and run independently of subsequent layers. with its development challenges and industry research efforts. It describes cloud computing security problems and benefits and showcases a model of secure architecture for cloud computing implementation.
  • 12. Critics argue that cloud computing is not secure enough because data leaves companies' local area networks. It is up to the clients to decide the vendors, depending on how willing they are to implement secure policies and be subject to 3rd party verifications. Salesforce, Amazon and Google are currently providing such services, charging clients using an on-demand policy.
    Increasingly, businesses of all sizes are choosing to migrate their data, applications and services to the cloud. The advantages are clear: increased availability; lightweight, easily accessible applications; and lower maintenance and administrative costs. But so too are the risks.
    Possible benefits arising out of adopting cloud computing models have recently been well documented in the literature and therefore are not reproduced here. However, for cloud computing to realise its full potential and become a mainstream member of the IT portfolio and choices, many challenges must be tackled related to privacy and security and associated regulatory compliance, vendor lock-in and standards, interoperability, latency, and performance and reliability concerns.
  • 13. 1.4 Comparisons
    Cloud computing can be confused with:
      1. Grid computing: "a form of distributed computing and parallel computing, whereby a 'super and virtual computer' is composed of a cluster of networked, loosely coupled computers acting in concert to perform very large tasks";
      2. Utility computing: the "packaging of computing resources, such as computation and storage, as a metered service similar to a traditional public utility, such as electricity";
      3. Autonomic computing: "computer systems capable of self-management".
  • 14. 2.0 What is Cloud Computing?
    As we said previously, the term "the cloud" is often used as a metaphor for the Internet and has become a familiar cliché. However, when “the cloud” is combined with “computing,” it causes a lot of confusion. Those who define the term in a very broad sense contend that anything beyond the firewall perimeter is in the cloud. A more tempered view of cloud computing considers it the delivery of computational resources from a location other than the one from which you are computing.
    Cloud computing is about moving services, computation and/or data, for cost and business advantage, off-site to an internal or external, location-transparent, centralized facility or contractor. By making data available in the cloud, it can be more easily and ubiquitously accessed, often at much lower cost, increasing its value by enabling opportunities for enhanced collaboration, integration, and analysis on a shared common platform.
    Cloud computing models that encompass a subscription-based or pay-per-use paradigm provide a service that can be used over the Internet and extends an IT shop’s existing capabilities. Many users have found that this approach provides a return on investment that IT managers are more than willing to accept.
    Figure 1:- Cloud Computing
  • 15. 2.1 Cloud Architecture
    Cloud architecture, the systems architecture (a system architecture or systems architecture is the conceptual model that defines the structure, behaviour, and more views of a system; an architecture description is a formal description and representation of a system) of the software systems (the term software system is often used as a synonym of computer program or software) involved in the delivery of cloud computing, typically involves multiple cloud components communicating with each other over application programming interfaces, usually web services. This resembles the Unix philosophy of having multiple programs each doing one thing well and working together over universal interfaces. Complexity is controlled and the resulting systems are more manageable than their monolithic counterparts.
    Figure 2:- Cloud Architecture
  • 16. 2.2 Cloud Components

Figure 3 :- Cloud Components

A cloud computing solution is made up of several elements: clients, the datacentre, and distributed servers. As shown in the figure above, these components make up the three parts of a cloud computing solution. Each element has a purpose and plays a specific role in delivering a functional cloud-based application, so let’s take a closer look.
  • 17. 2.2.1 Clients

Clients are, in a cloud computing architecture, exactly the same things that they are in a local area network (LAN). They are, typically, the computers that just sit on your desk. But they might also be laptops, tablet computers, mobile phones, or PDAs (Personal Digital Assistants, or palmtop computers), all big drivers for cloud computing because of their mobility. In any case, clients are the devices that the end users interact with to manage their information on the cloud. Clients generally fall into three categories:

• Mobile - Mobile devices include PDAs or smartphones, like a Blackberry, Windows Mobile Smartphone or an iPhone.
• Thin - Thin clients are computers that do not have internal hard drives, but rather let the servers do all the work and then display the information.
• Thick - This type of client is a regular computer, using a web browser like Firefox or Internet Explorer to connect to the cloud.

Thin clients are becoming an increasingly popular solution because of their price and effect on the environment. Some benefits of using thin clients include:

• Lower hardware costs - Thin clients are cheaper than thick clients because they do not contain as much hardware. They also last longer before they need to be upgraded or become obsolete.
• Lower IT costs - Thin clients are managed at the server and there are fewer points of failure.
• Security - Since the processing takes place on the server and there is no hard drive, there’s less chance of malware invading the device. Also, since thin clients don’t work without a server, there’s less chance of them being physically stolen.
• Data security - Since data is stored on the server, there’s less chance for data to be lost if the client computer crashes or is stolen.
  • 18. 2.2.2 Datacenter

The datacenter is the collection of servers where the application to which you subscribe is housed. It could be a large room in the basement of your building or a room full of servers on the other side of the world that you access via the Internet. A growing trend in the IT world is virtualizing servers. That is, software can be installed allowing multiple instances of virtual servers to be used. In this way, you can have half a dozen virtual servers running on one physical server. The number of virtual servers that can exist on a physical server depends on the size and speed of the physical server and what applications will be running on the virtual server.

2.2.3 Distributed Servers

With distributed servers, the servers don’t all have to be housed in the same location. Often, servers are in geographically disparate locations. But to you, the cloud subscriber, these servers act as if they’re humming away right next to each other. This gives the service provider more flexibility in options and security. For instance, Amazon has their cloud solution in servers all over the world. If something were to happen at one site, causing a failure, the service would still be accessed through another site. Also, if the cloud needs more hardware, they need not throw more servers in the safe room; they can add them at another site and simply make it part of the cloud.
  • 19. 3.0 Cloud Computing Deployment models

Cloud computing architects provide three basic deployment models:

• Public cloud
• Private cloud
• Hybrid cloud
• Community Cloud

IT organizations can choose to deploy applications on public, private, or hybrid clouds, each of which has its trade-offs. The terms public, private, and hybrid do not dictate location. While public clouds are typically “out there” on the Internet and private clouds are typically located on premises, a private cloud might be hosted at a collocation (share or designate to share the same place) facility as well.

A number of considerations bear on which cloud computing model organizations choose to employ, and they might use more than one model to solve different problems. An application needed on a temporary basis might be best suited for deployment in a public cloud because it helps to avoid the need to purchase additional equipment to solve a temporary need. Likewise, a permanent application, or one that has specific requirements on quality of service or location of data, might best be deployed in a private or hybrid cloud.

3.1 Public clouds

Public clouds are run by third parties, and applications from different customers are likely to be mixed together on the cloud’s servers, storage systems, and networks. Public clouds are most often hosted away from customer premises, and they provide a way to reduce customer risk and cost by providing a flexible, even temporary extension to enterprise infrastructure.
  • 20. If a public cloud is implemented with performance, security, and data locality in mind, the existence of other applications running in the cloud should be transparent to both cloud architects and end users.

Portions of a public cloud can be carved out for the exclusive use of a single client, creating a virtual private datacenter. Rather than being limited to deploying virtual machine images in a public cloud, a virtual private datacenter gives customers greater visibility into its infrastructure. Now customers can manipulate not just virtual machine images, but also servers, storage systems, network devices, and network topology.

Figure 4: - Public Cloud Model
  • 21. 3.2 Private clouds

Private clouds are built for the exclusive use of one client, providing the utmost control over data, security, and quality of service. The company owns the infrastructure and has control over how applications are deployed on it. Private clouds may be deployed in an enterprise datacenter, and they also may be deployed at a collocation facility.

Private clouds can be built and managed by a company’s own IT organization or by a cloud provider. In this “hosted private” model, a company such as Sun can install, configure, and operate the infrastructure to support a private cloud within a company’s enterprise datacenter. This model gives companies a high level of control over the use of cloud resources while bringing in the expertise needed to establish and operate the environment.

Figure 5: - Private Cloud Model
  • 22. 3.3 Hybrid clouds

Hybrid clouds combine both public and private cloud models. They can help to provide on-demand, externally provisioned scale. The ability to augment a private cloud with the resources of a public cloud can be used to maintain service levels in the face of rapid workload fluctuations. This is most often seen with the use of storage clouds to support Web 2.0 applications. A hybrid cloud also can be used to handle planned workload spikes. Sometimes called “surge computing,” a public cloud can be used to perform periodic tasks that can be deployed easily on a public cloud.

Hybrid clouds introduce the complexity of determining how to distribute applications across both a public and private cloud. Among the issues that need to be considered is the relationship between data and processing resources. If the data is small, or the application is stateless, a hybrid cloud can be much more successful than if large amounts of data must be transferred into a public cloud for a small amount of processing.

Figure 6:- Hybrid Cloud Model
  • 23. 3.4 Community clouds

In a community cloud, the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.
  • 24. 4.0 Cloud computing Service Model

In practice, cloud service providers tend to offer services that can be grouped into three categories: software as a service, platform as a service, and infrastructure as a service. These categories group together the various layers with some overlap.

Table 1: - Cloud Computing Service Model
  • 25. 4.1 Software as a service (SaaS)

Software as a service features a complete application offered as a service on demand. A single instance of the software runs on the cloud and services multiple end users or client organizations. The most widely known example of SaaS is salesforce.com, though many other examples have come to market, including the Google Apps offering of basic business services including email and word processing. Although salesforce.com preceded the definition of cloud computing by a few years, it now operates by leveraging its companion force.com, which can be defined as a platform as a service.

4.2 Platform as a service (PaaS)

Platform as a service encapsulates a layer of software and provides it as a service that can be used to build higher-level services. There are at least two perspectives on PaaS, depending on whether one is the producer or the consumer of the services:

• Someone producing PaaS might produce a platform by integrating an OS, middleware, application software, and even a development environment that is then provided to a customer as a service. For example, someone developing a PaaS offering might base it on a set of Sun™ xVM hypervisor virtual machines that include a NetBeans™ integrated development environment, a Sun GlassFish™ Web stack and support for additional programming languages such as Perl or Ruby.
• Someone using PaaS would see an encapsulated service that is presented to them through an API. The customer interacts with the platform through the API, and the platform does what is necessary to manage and scale itself to provide a given level of service.

Virtual appliances can be classified as instances of PaaS. A content switch appliance, for example, would have all of its component software hidden from the customer, and only an API or GUI for configuring and deploying the service provided
  • 26. to them. PaaS offerings can provide for every phase of software development and testing, or they can be specialized around a particular area such as content management. Commercial examples of PaaS include the Google App Engine, which serves applications on Google’s infrastructure. PaaS services such as these can provide a powerful basis on which to deploy applications; however, they may be constrained by the capabilities that the cloud provider chooses to deliver.

4.3 Infrastructure as a service (IaaS)

Infrastructure as a service delivers basic storage and compute capabilities as standardized services over the network. Servers, storage systems, switches, routers, and other systems are pooled and made available to handle workloads that range from application components to high-performance computing applications. Commercial examples of IaaS include Joyent, whose main product is a line of virtualized servers that provide a highly available on-demand infrastructure.

4.4 Anything-as-a-Service (XaaS)

Anything-as-a-Service is also a subset of cloud computing. XaaS broadly encompasses a process of activating reusable software components over the network. The most common and successful example is Software-as-a-Service. The growth of “as-a-service” offerings has been facilitated by extremely low barriers to entry (they are often accessible for free or available as recurring charges on a personal credit card). As a result, such offerings have been adopted by consumers and small businesses well before pushing into the enterprise space. All “as-a-service” offerings share a number of common attributes, including little or no capital expenditure since the required infrastructure is owned by the service provider, massive scalability, multitenancy, and device and location independence allowing consumers remote access to systems using nearly any current available technology.
  • 27. On the surface, it appears that XaaS is a potentially game-changing technology that could reshape IT. However, most CIOs still depend on internal infrastructures because they are not convinced that cloud computing is ready for prime time. Many contend that if you want real reliability, you must write more reliable applications. Regardless of one’s view on the readiness of cloud computing to meet corporate IT requirements, it cannot be ignored. The concept of pay-as-you-go applications, development platforms, processing power, storage, or any other cloud-enabled services has emerged and can be expected to reshape IT over the next decade.

4.5 Virtualization and Private Clouds

Virtualization of computers or operating systems hides the physical characteristics of a computing platform from users; instead it shows another abstract computing platform. A hypervisor is a piece of virtualization software that allows multiple operating systems to run on a host computer concurrently. Virtualization providers include VMware, Microsoft, and Citrix Systems. Virtualization is an enabler of cloud computing.

Recently some vendors have described solutions that emulate cloud computing on private networks, referring to these as “private” or “internal” clouds (where “public” or “external” cloud describes cloud computing in the traditional mainstream sense). Private cloud products claim to deliver some of the benefits of cloud computing without the pitfalls. Hybrid solutions are also possible: building internal clouds and connecting customer data centers to those of external cloud providers. It has been reported that Eli Lilly wants to benefit from both internal and external clouds [3] and that Amylin [6] is looking at private cloud VMware as a complement to EC2. Other experts, however, are skeptical: one has even gone as far as to describe private clouds as absolute rubbish. [7]

Platform Computing has recently launched a cloud management system, Platform ISF, enabling customers to manage workload across both virtual and physical environments and support multiple hypervisors and operating systems from a single interface. VMware, the market leader in virtualization technology, is moving into cloud technologies in a big way, with vSphere 4. The company is building a huge partner network of service providers and is also releasing a “vCloud API”. VMware wants
  • 28. customers to build a series of “virtual data centers”, each tailored to meet different requirements, and then have the ability to move workloads in the virtual data centers to the infrastructure provided by cloud vendors.

Cisco, EMC and VMware have formed a new venture called Acadia. Its strategy for private cloud computing is based on Cisco’s servers and networking, VMware’s server virtualization and EMC’s storage. (Note, by the way, that EMC owns nearly 85% of VMware.) Other vendors, such as Google, disagree with VMware’s emphasis on private clouds; in return VMware says Google’s online applications are not ready for the enterprise.
  • 29. 5.0 Advantages of Cloud

• Agility improves with users' ability to rapidly and inexpensively re-provision technological infrastructure resources.
• Cost is claimed to be greatly reduced, and capital expenditure is converted to operational expenditure. This ostensibly lowers barriers to entry, as infrastructure is typically provided by a third party and does not need to be purchased for one-time or infrequent intensive computing tasks.
• Device and location independence enable users to access systems using a web browser regardless of their location or what device they are using (e.g., PC, mobile). As infrastructure is off-site (typically provided by a third party) and accessed via the Internet, users can connect from anywhere.
• Multi-tenancy enables sharing of resources and costs across a large pool of users.
• Reliability is improved if multiple redundant sites are used, which makes well-designed cloud computing suitable for business continuity and disaster recovery.
• Scalability comes via dynamic ("on-demand") provisioning of resources on a fine-grained, self-service basis in near real time, without users having to engineer for peak loads. Performance is monitored, and consistent and loosely coupled architectures are constructed using web services as the system interface.
• Maintenance: cloud computing applications are easier to maintain, since they don't have to be installed on each user's computer.
  • 30. • Metering: cloud computing resource usage should be measurable and should be metered per client and application on a daily, weekly, monthly, and annual basis. This will enable clients to choose a vendor cloud on cost and reliability.
• Security could improve due to centralization of data, increased security-focused resources, etc., but concerns can persist about loss of control over certain sensitive data, and the lack of security for stored kernels. Security is often as good as or better than under traditional systems, in part because providers are able to devote resources to solving security issues that many customers cannot afford. Furthermore, the complexity of security is greatly increased when data is distributed over a wider area and/or number of devices.
  • 31. 6.0 Cloud Computing Reference Model

Understanding the relationships and dependencies between Cloud Computing models is critical to understanding Cloud Computing security risks. IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS, as described in the Cloud Reference Model diagram. In this way, just as capabilities are inherited, so are information security issues and risk. It is important to note that commercial cloud providers may not neatly fit into the layered service models. Nevertheless, the reference model is important for relating real-world services to an architectural framework and understanding the resources and services requiring security analysis.

IaaS includes the entire infrastructure resource stack, from the facilities to the hardware platforms that reside in them. It incorporates the capability to abstract resources (or not), as well as deliver physical and logical connectivity to those resources. Ultimately, IaaS provides a set of APIs which allow management and other forms of interaction with the infrastructure by consumers.

PaaS sits atop IaaS and adds an additional layer of integration with application development frameworks; middleware capabilities; and functions such as database, messaging, and queuing. These allow developers to build applications upon the platform, using the programming languages and tools supported by the stack.

SaaS in turn is built upon the underlying IaaS and PaaS stacks, and provides a self-contained operating environment used to deliver the entire user experience including the content, its presentation, the application(s), and management capabilities.
  • 32. Figure 7:- Cloud Computing Reference Model
  • 33. 7.0 Security for Cloud Computing

There are a number of security issues associated with cloud computing, but these issues fall into two broad categories: security issues faced by cloud providers (organizations providing Software-, Platform-, or Infrastructure-as-a-Service via the cloud) and security issues faced by their customers. In most cases, the provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected, while the customer must ensure that the provider has taken the proper security measures to protect their information.

Security controls in cloud computing are, for the most part, no different than security controls in any IT environment. Cloud computing may present different risks to an organization than traditional IT solutions. Cloud computing is about gracefully losing control while maintaining accountability, even if the operational responsibility falls upon one or more third parties. While cloud security concerns can be grouped into any number of dimensions, these dimensions have been aggregated into three general areas: Security and Privacy, Compliance, and Legal or Contractual Issues.

7.1 Defining Security in the Cloud

If we wish to enable cloud-driven growth and innovation through security, we must have a clear framing of what is meant by security. Security has been notoriously hard to define in the general case. The canonical goals of information security are Confidentiality, Integrity, and Availability. We borrow from NIST to include Accountability and Assurance, and then add a sixth category of Resilience. We define these terms below and map them to the cloud context, with a few examples of how they can be supported by both technical and non-technical mechanisms.
  • 34. To begin to answer these questions, let’s quickly look at the security of the traditional datacenter and the impact of virtualization technology, which is enabling the cloud computing revolution.

7.2 Security Issues and Challenges

IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service) are three general models of cloud computing. Each of these models has a different impact on application security. However, in a typical scenario where an application is hosted in a cloud, two broad security questions arise:

• How secure is the Data?
• How secure is the Code?

A cloud computing environment is generally assumed to be a potential cost saver as well as a provider of higher service quality. Security, Availability, and Reliability are the major quality concerns of cloud service users. Gens et al. suggest that security is one of the prominent challenges among all other quality challenges.

7.3 Security Advantages in Cloud Environments

Current cloud service providers operate very large systems. They have sophisticated processes and expert personnel for maintaining their systems, which small enterprises may not have access to. As a result, there are many direct and indirect security advantages for the cloud users. Here we present some of the key security advantages of a cloud computing environment:

• Data Centralization: In a cloud environment, the service provider takes care of storage issues, and small businesses need not spend a lot of money on physical storage devices. Also, cloud-based storage provides a way to centralize the data faster and potentially cheaper. This is particularly useful for small businesses,
  • 35. which cannot spend additional money on security professionals to monitor the data.
• Incident Response: IaaS providers can put up a dedicated forensic server that can be used on an on-demand basis. Whenever a security violation takes place, the server can be brought online. In some investigation cases, a backup of the environment can be easily made and put onto the cloud without affecting the normal course of business.
• Forensic Image Verification Time: Some cloud storage implementations expose a cryptographic checksum or hash. For example, Amazon S3 generates an MD5 (Message-Digest algorithm 5) hash automatically when you store an object. Therefore, in theory, the need to generate time-consuming MD5 checksums using external tools is eliminated.
• Logging: In a traditional computing paradigm, logging is by and large an afterthought. In general, insufficient disk space is allocated, which makes logging either non-existent or minimal. However, in a cloud, the storage need for standard logs is automatically solved.

7.4 Security Disadvantages in Cloud Environments

In spite of its security advantages, the cloud computing paradigm also introduces some key security challenges. Here we discuss some of these key security challenges:

• Data Location: In general, cloud users are not aware of the exact location of the datacenter, and they also do not have any control over the physical access mechanisms to that data. Most well-known cloud service providers have datacenters around the globe. Some service providers also take advantage of their global datacenters. However, in some cases applications and data might be stored in countries, which can raise judiciary concerns. For example, if the user data is stored in X country then service providers will be subjected to the security
  • 36. requirements and legal obligations of X country. It may also happen that a user does not have information about these issues.
• Investigation: Investigating an illegitimate activity may be impossible in cloud environments. Cloud services are especially hard to investigate, because data for multiple customers may be co-located and may also be spread across multiple datacenters. Users have little knowledge about the network topology of the underlying environment. The service provider may also impose restrictions on the network security of the service users.
• Data Segregation: Data in the cloud is typically in a shared environment together with data from other customers. Encryption cannot be assumed to be the single solution for data segregation problems. In some situations, customers may not want to encrypt data, because there may be a case when an encryption accident can destroy the data.
• Long-term Viability: Service providers must ensure data safety in changing business situations such as mergers and acquisitions. Customers must ensure data availability in these situations. Service providers must also ensure data security in negative business conditions like a prolonged outage.
• Compromised Servers: In a cloud computing environment, users do not even have the choice of using a physical acquisition toolkit. In a situation where a server is compromised, they need to shut their servers down until they get a previous backup of the data. This will further cause availability concerns.
• Regulatory Compliance: Traditional service providers are subjected to external audits and security certifications. If a cloud service provider does not adhere to these security audits, then it leads to an obvious decrease in customer trust.
• Recovery: Cloud service providers must ensure data security in natural and man-made disasters. Generally, data is replicated across multiple sites.
  • 37. However, in the case of any such unwanted event, the provider must do a complete and quick restoration.

7.5 Security Issues in Virtualization

Full virtualization and para-virtualization are two kinds of virtualization in a cloud computing paradigm. In full virtualization, the entire hardware architecture is replicated virtually. In para-virtualization, however, an operating system is modified so that it can be run concurrently with other operating systems. The VMM (Virtual Machine Monitor) is a software layer that abstracts the physical resources used by the multiple virtual machines. The VMM provides a virtual processor and other virtualized versions of system devices such as I/O devices, storage, memory, etc.

VMM instance isolation ensures that different instances running on the same physical machine are isolated from each other. However, current VMMs do not offer perfect isolation. Many bugs have been found in all popular VMMs that allow escaping from the VM (virtual machine). Vulnerabilities have been found in all virtualization software which can be exploited by malicious users to bypass certain security restrictions and/or gain escalated privileges. Below are a few examples:

• A vulnerability in Microsoft Virtual PC and Microsoft Virtual Server could allow a guest operating system user to run code on the host or another guest operating system.
• A vulnerability was found in VMware’s shared folders mechanism that grants users of a guest system read and write access to any portion of the host’s file system, including the system folder and other security-sensitive files.
  • 38. • A vulnerability in Xen can be exploited by “root” users of a guest domain to execute arbitrary commands.

7.6 Survey of Cloud Computing

We carry out a small survey of major cloud service providers to investigate the security mechanisms used to overcome the security issues discussed in this paper. We consider ten major cloud service providers. These providers offer their services in all major areas of cloud computing, including SaaS, PaaS and IaaS. Table 2 shows the list of service providers that we studied in this survey. In order to analyze the complete state of the art of security in cloud computing, the survey would need to be more exhaustive. However, the scope of our work is not just to explore the state of the art but to look at the major factors that affect security in cloud computing; we have therefore intentionally not considered other cloud service providers in this survey.

Table 2:- Major Cloud Service Providers

Service Provider Type | Names
IaaS | Amazon EC2, Amazon S3, GoGrid
PaaS | Google App Engine, Microsoft Azure Services, Amazon Elastic Map Reduce
SaaS | Salesforce, Google Docs

In Table 3, we present the results of the survey, which depict the current state of security mechanisms. The information given in Table 3 is based on the information available online at the official websites of these providers.
  • 39. Table 3:- Summary of Security Mechanisms by Major Cloud Service Providers

Security Issue | Results
Password Recovery | 90% are using standard methods like other common services, while 10% are using sophisticated techniques.
Encryption Mechanism | 40% are using standard SSL encryption, while 20% are using an encryption mechanism but at an extra cost. 40% are using advanced methods like HTTPS access also.
Data Location | 70% have their datacenters located in more than one country, while 10% are located at a single location. 20% are not open about this issue.
Availability History | 40% have reported downtime that also resulted in data loss, while in 60% of cases data availability is good.
Proprietary/Open | Only 10% of providers have an open mechanism.
Monitoring Services | 70% are providing extra monitoring services, while 10% are using automatic techniques. 20% are not open about this issue.

7.7 Traditional Datacenter Security

The word ‘datacenter’ has long evoked images of massive server farms behind locked doors, where electricity and cooling were as important as network security to maintain reliability and availability of data. Perimeter security controls are the most common approach taken for traditional datacenter security. This approach typically includes a perimeter firewall, demilitarized zones (DMZ), network segmentation, network intrusion detection and prevention systems (IDS/IPS) and network monitoring tools.
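Section 7.3 cites the MD5 hash that Amazon S3 generates on upload as a way to shorten forensic image verification. The following added example (not code from the dissertation or from AWS) checks a local evidence image against the ETag that S3 reports and records a SHA-256 alongside it. The function names are hypothetical, the sample data is constructed, and the multipart layout (MD5 over the concatenated per-part MD5 digests, then "-<part count>") is assumed from commonly observed S3 behaviour.

```python
import hashlib
import io
import re
from typing import BinaryIO, List, NamedTuple, Optional, Tuple

CHUNK = 1 << 20  # read granularity; unrelated to the upload part size


class Verdict(NamedTuple):
    etag_kind: str            # "single", "multipart" or "opaque"
    matches: Optional[bool]   # None = cannot be decided from the ETag alone
    sha256: str               # stronger digest to record with the evidence


def normalise_etag(etag: str) -> str:
    """Strip the surrounding quotes S3 returns and lower-case the hex."""
    return etag.strip().strip('"').lower()


def classify_etag(etag: str) -> str:
    """Classify by shape only. A 32-hex ETag is the content MD5 for a plain
    single-request upload, but not for SSE-KMS or SSE-C encrypted objects."""
    value = normalise_etag(etag)
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return "single"
    if re.fullmatch(r"[0-9a-f]{32}-[1-9][0-9]*", value):
        return "multipart"
    return "opaque"


def local_digests(stream: BinaryIO,
                  part_size: Optional[int] = None) -> Tuple[str, str, List[bytes]]:
    """One pass over the image: whole-file MD5, SHA-256 and per-part MD5s."""
    if part_size is not None and part_size <= 0:
        raise ValueError("part_size must be a positive number of bytes")
    whole, sha = hashlib.md5(), hashlib.sha256()
    part, part_len = hashlib.md5(), 0
    part_digests: List[bytes] = []
    while True:
        want = CHUNK if part_size is None else min(CHUNK, part_size - part_len)
        buf = stream.read(want)
        if not buf:
            break
        whole.update(buf)
        sha.update(buf)
        part.update(buf)
        part_len += len(buf)
        if part_size is not None and part_len == part_size:
            part_digests.append(part.digest())
            part, part_len = hashlib.md5(), 0
    if part_len or not part_digests:
        part_digests.append(part.digest())  # trailing short (or only) part
    return whole.hexdigest(), sha.hexdigest(), part_digests


def verify_image(stream: BinaryIO, reported_etag: str,
                 part_size: Optional[int] = None) -> Verdict:
    """Compare a local image with the ETag reported for the stored object.

    part_size is the part size used for a multipart upload; without it a
    multipart ETag cannot be recomputed and the verdict is None.
    """
    kind = classify_etag(reported_etag)
    value = normalise_etag(reported_etag)
    use_parts = part_size if kind == "multipart" else None
    whole_md5, sha256, parts = local_digests(stream, use_parts)
    if kind == "single":
        # False means "differs or not an MD5 ETag", so follow up with SHA-256.
        return Verdict(kind, whole_md5 == value, sha256)
    if kind == "multipart" and part_size is not None:
        expected = hashlib.md5(b"".join(parts)).hexdigest() + f"-{len(parts)}"
        return Verdict(kind, expected == value, sha256)
    return Verdict(kind, None, sha256)


if __name__ == "__main__":
    image = bytes(range(256)) * 100  # constructed stand-in for a disk image
    etag = '"' + hashlib.md5(image).hexdigest() + '"'  # constructed ETag
    print(verify_image(io.BytesIO(image), etag))            # matches=True
    print(verify_image(io.BytesIO(image + b"\x00"), etag))  # matches=False
```

Because MD5 is not collision resistant, the SHA-256 in the verdict is the value to keep in the chain-of-custody record; the ETag comparison only saves a second read of the stored object.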
8.0 Virtualization – The Catalyst of the Cloud

Advancements in virtualization technologies enable enterprises to get more computing power from the underutilized capacity of physical servers. The traditional datacenter footprint is shrinking to enable cost savings and “greener” IT through server consolidation. Enterprises and service providers are using virtualization to enable multi-tenant uses of what used to be single-tenant or single-purpose physical servers. Extending virtual machines to public clouds causes the enterprise network perimeter to evaporate and the lowest common denominator to impact the security of all. The inability of physical segregation and hardware-based security to deal with attacks between virtual machines on the same server highlights the need for mechanisms to be deployed directly on the server, or on the virtual machines. Deploying this line of defense at the virtual machine itself enables critical applications and data to be moved to cloud environments.

8.1 Confidentiality

Confidentiality refers to keeping data private. Privacy is of paramount importance as data leaves the borders of the organization. Not only must internal secrets and sensitive personal data be safeguarded, but metadata and transactional data can also leak important details about firms or individuals. Confidentiality is supported by, among other things, technical tools such as encryption and access control, as well as legal protections.

8.2 Integrity

Integrity is a degree of confidence that the data in the cloud is what is supposed to be there, and is protected against accidental or intentional alteration without authorization. It also extends to the hurdles of synchronizing multiple databases.
Integrity is supported by well-audited code, well-designed distributed systems, and robust access control mechanisms.

8.3 Authentication

User authentication is often the primary basis for access control, keeping the bad guys out while allowing authorized users in with a minimum of fuss. In the cloud environment, authentication and access control are more important than ever since the cloud and all of its data are accessible to anyone over the Internet. The TPM can easily provide stronger authentication than usernames and passwords. TCG’s IF-MAP standard allows for real-time communication between the cloud provider and the customer about authorized users and other security issues. When a user is fired or reassigned, the customer’s identity management system can notify the cloud provider in real time so that the user’s cloud access can be modified or revoked within seconds. If the fired user is logged into the cloud, they can be immediately disconnected. Trusted Computing enables authentication of client PCs and other devices, which is also critical to ensuring security in cloud computing.

8.4 Availability

Availability means being able to use the system as anticipated. Cloud technologies can increase availability through widespread internet-enabled access, but the client is dependent on the timely and robust provision of resources. Availability is supported by capacity building and good architecture by the provider, as well as well-defined contracts and terms of agreement.

8.5 Accountability

Accountability maps actions in the system to responsible parties. Inside the cloud, actions must be traced uniquely back to an entity, allowing for integration into organizational processes, conflict resolution and deterrence of bad behavior.
Accountability is supported by robust identity, authentication and access control, as well as the ability to log transactions and then, critically, audit these logs.

8.6 Assurance

Assurance refers to the need for a system to behave as expected. In the cloud context, it is important that the cloud provider provides what the client has specified. This is not simply a matter of the software and hardware behaving as the client expects but that the needs of the organization are understood, and that these needs are accurately translated into information architecture requirements, which are then faithfully implemented in the cloud system. Assurance is supported by a trusted computing architecture in the cloud, and by a careful process mapping from business case to technical details to legal agreements.

8.7 Resilience

Resilience in a system allows it to cope with security threats, rather than failing critically. Cloud technology can increase resilience, with a broader base, backup data and systems, and the potential to identify threats and dynamically counteract them. However, by shifting critical systems and functions to an outside party, organizations can weaken resilience by introducing a single point of failure. Resilience is supported by redundancy, diversification and real-time forensic capacity.
9.0 Cloud Computing Security Issues

In order to ensure that data is secure (that it cannot be accessed by unauthorized users or simply lost) and that data privacy is maintained, cloud providers attend to the following areas in Security and Privacy issues.

Figure 8:- Security Architecture Design
A security architecture framework should be established with consideration of processes (enterprise authentication and authorization, access control, confidentiality, integrity, non-repudiation, security management, etc.), operational procedures, technology specifications, people and organizational management, and security program compliance and reporting. A security architecture document should be developed that defines security and privacy principles to meet business objectives. Documentation is required for management controls and metrics specific to asset classification and control, physical security, system access controls, network and computer management, application development and maintenance, business continuity, and compliance. A design and implementation program should also be integrated with the formal system development life cycle to include a business case, requirements definition, design, and implementation plans. Technology and design methods should be included, as well as the security processes necessary to provide the following services across all technology layers:

9.1 Authentication
9.2 Authorization
9.3 Availability
9.4 Confidentiality
9.5 Integrity
9.6 Accountability
9.7 Privacy

The creation of a secure architecture provides the engineers, data center operations personnel, and network operations personnel a common blueprint to design, build, and test the security of the applications and systems. Design reviews of new changes can be better assessed against this architecture to assure that they conform to the principles described in the architecture, allowing for more consistent and effective design reviews.
• Secure Software Development Life Cycle (SecSDLC)

The SecSDLC involves identifying specific threats and the risks they represent, followed by design and implementation of specific controls to counter those threats and assist in managing the risks they pose to the organization and/or its customers. The SecSDLC must provide consistency, repeatability, and conformance. The SDLC consists of six phases, and there are steps unique to the SecSDLC in each of these phases:

o Investigation: Define project processes and goals, and document them in the program security policy.
o Analysis: Analyze existing security policies and programs, analyze current threats and controls, examine legal issues, and perform risk analysis.
o Logical design: Develop a security blueprint, plan incident response actions, plan business responses to disaster, and determine the feasibility of continuing and/or outsourcing the project.
o Physical design: Select technologies to support the security blueprint, develop a definition of a successful solution, design physical security measures to support technological solutions, and review and approve plans.
o Implementation: Buy or develop security solutions. At the end of this phase, present a tested package to management for approval.
o Maintenance: Constantly monitor, test, modify, update, and repair to respond to changing threats.
In the SecSDLC, application code is written in a consistent manner that can easily be audited and enhanced; core application services are provided in a common, structured, and repeatable manner; and framework modules are thoroughly tested for security issues before implementation and continuously retested for conformance through the software regression test cycle. Additional security processes are developed to support application development projects such as external and internal penetration testing and standard security requirements based on data classification. Formal training and communications should also be developed to raise awareness of process enhancements.
10 Cloud Security Challenges

At first glance, the security requirements for cloud computing providers would appear to be the same as traditional datacenters — apply a strong network security perimeter and keep the bad guys out. However, as previously stated, physical segregation and hardware-based security cannot protect against attacks between virtual machines on the same server. The following outlines some of the primary concerns that enterprises should be aware of when planning their cloud computing deployments.

10.1 Administrative Access to Servers and Applications

One of the most important characteristics of cloud computing is that it offers “self-service” access to computing power, most likely via the Internet. In traditional datacenters, administrative access to servers is controlled and restricted to direct or on-premise connections. In cloud computing, this administrative access must now be conducted via the Internet, increasing exposure and risk. It is extremely important to restrict administrative access and monitor this access to maintain visibility of changes in system control.

10.2 Dynamic Virtual Machines: VM State and Sprawl

Virtual machines are dynamic. They can be reverted to previous instances, paused and restarted quickly and relatively easily. They can also be readily cloned and seamlessly moved between physical servers. This dynamic nature and potential for VM sprawl make it difficult to achieve and maintain consistent security. Vulnerabilities or configuration errors may be unknowingly propagated. Also, it is difficult to maintain an auditable record of the security state of a virtual machine at any given point in time. In cloud computing environments, it will be necessary to be able to prove the security state of a system, regardless of its location or proximity to other, potentially insecure virtual machines.

10.3 Vulnerability Exploits and VM-to-VM Attacks

Cloud computing servers use the same operating systems, enterprise and web applications as localized virtual machines and physical servers. The ability for an attacker or malware to remotely exploit vulnerabilities in these systems and applications is a significant threat to virtualized cloud computing environments. In addition, co-location of multiple virtual machines increases the attack surface and risk of VM-to-VM compromise. Intrusion detection and prevention systems need to be able to detect malicious activity at the virtual-machine level, regardless of the location of the VM within the virtualized cloud environment.

10.4 Encryption and Data Protection

Many regulations and standards such as the PCI DSS and HIPAA include requirements for the use of encryption to protect critical information—such as cardholder data and personally identifiable information (PII)—to achieve compliance or safe harbor in the event of a breach. The multi-tenant nature of the cloud amplifies these requirements and creates unique challenges with the accessibility and protection of encryption credentials used to ensure data protection.

10.5 Policy and Compliance

Enterprises are experiencing significant pressure to comply with a wide range of regulations and standards such as PCI, HIPAA, and GLBA in addition to auditing practices such as SAS70 and ISO. Enterprises need to prove compliance with security standards, regardless of the location of the systems required to be in scope of regulation, be that on-premise physical servers, on-premise virtual machines or off-premise virtual machines running on cloud computing resources.
10.6 Patch Management

The self-service nature of cloud computing may create confusion for patch management efforts. Once an enterprise subscribes to a cloud computing resource—for example by creating a Web server from templates offered by the cloud computing service provider—the patch management for that server is no longer in the hands of the cloud computing vendor, but is now the responsibility of the subscriber. Keeping in mind that according to the previously mentioned Verizon 2008 Data Breach Investigations Report, 90% of known vulnerabilities that were exploited had patches available for at least six months prior to the breach, organizations leveraging cloud computing need to remain vigilant in maintaining cloud resources with the most recent vendor-supplied patches. If patching is impossible or unmanageable, compensating controls such as “virtual patching” need to be considered.

10.7 Perimeter Protection and Zoning

In cloud computing, the enterprise perimeter evaporates and the lowest common denominator impacts the security of all. The enterprise firewall, the foundation for establishing security policy and zoning for networks, can either no longer reach cloud computing servers, or its policies are no longer in the control of the resource owner, but the responsibility of the cloud computing provider. To establish zones of trust in the cloud, the virtual machines must be self-defending, effectively moving the perimeter to the virtual machine itself.

10.8 Rogue Corporate Resources

Eager for immediate computing resources and results, non-IT-savvy individuals and groups are jumping at cloud computing. Important corporate data and applications are being deployed in the cloud, possibly oblivious to the security implications.
11 Data Protection, Identity Management, Security

11.1 Data Protection

To be considered protected, data from one customer must be properly segregated from that of another; it must be stored securely when “at rest” and it must be able to move securely from one location to another. Cloud providers have systems in place to prevent data leaks or access by third parties. Proper separation of duties should ensure that auditing and/or monitoring cannot be defeated, even by privileged users at the cloud provider.

11.2 Identity Management

Every enterprise will have its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer’s identity management system into their own infrastructure, using federation or SSO technology, or provide an identity management solution of their own.

11.3 Physical and Personnel Security

Providers ensure that physical machines are adequately secure and that access to these machines as well as all relevant customer data is not only restricted but that access is documented. Finally, providers ensure that all critical data (credit card numbers, for example) are masked and that only authorized users have access to data in its entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud.
12 Availability

Cloud providers assure customers that they will have regular and predictable access to their data and applications. For example, consider some of the cloud-related outages which have been widely reported:

• Bitbucket, DDoS'd Off The Air
• Maintenance Induced Cascading Failures
13 Application Securities, User Centric Access Control, Transparency

13.1 Application Securities

Cloud providers ensure that applications available as a service via the cloud are secure. This covers securing application software that is running on or being developed in the cloud. It includes items such as whether it’s appropriate to migrate or design an application to run in the cloud, and if so, what type of cloud platform is most appropriate (SaaS, PaaS, or IaaS). Some specific security issues related to the cloud are also discussed.

13.2 User Centric Access Control

The traditional model of application-centric access control, where each application keeps track of its collection of users and manages them, is not feasible in cloud-based architectures. This is all the more so because the user space may be shared across applications, which can lead to data replication and makes mapping users to their privileges a herculean task. It also requires the user to remember and maintain multiple accounts and passwords. Cloud requires a user centric access control where every user request to any service provider is bundled with the user identity and entitlement information. User identity will have identifiers or attributes that identify and define the user. The identity is tied to a domain, but is portable. A user centric approach leaves the user with the ultimate control of their digital identities. A user centric approach also implies that the system maintains a context of information for every user, in order to find how best to react to a given user request in a given situation. It should support pseudonyms and multiple and discrete identities to protect user privacy. This can be achieved easily by using one of the open standards like OpenID or SAML.
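The user-centric model of 13.2, as an added example that is not part of the original dissertation: an identity provider bundles a per-service pseudonym and the user's entitlements into one signed assertion, and each service decides from the assertion alone. Assumptions: an HMAC stands in for the public-key signature that SAML or OpenID-based deployments use, and all names, keys and hostnames are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secrets. A real identity provider (IdP) signs with a
# private key so that services hold only the matching public key.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
IDP_PSEUDONYM_SECRET = b"constructed-idp-pseudonym-secret"


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body):
    return _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def pseudonym(user_id, service):
    """Per-service identifier: stable for one service, unlinkable across services."""
    msg = (user_id + "\x00" + service).encode()
    return hmac.new(IDP_PSEUDONYM_SECRET, msg, hashlib.sha256).hexdigest()[:20]


def issue(user_id, service, entitlements, now, ttl=300):
    """IdP side: bundle identity and entitlements into one signed assertion."""
    claims = {
        "sub": pseudonym(user_id, service),  # the service never sees user_id
        "aud": service,                      # assertion is valid for this service only
        "ent": sorted(entitlements),
        "iat": now,
        "exp": now + ttl,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _sign(body)


def authorize(token, service, required, now):
    """Service side: return (allowed, reason) without any local user table."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(body)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return False, "malformed"
    if claims["aud"] != service:
        return False, "wrong audience"
    if not claims["iat"] <= now < claims["exp"]:
        return False, "expired"
    if required not in claims["ent"]:
        return False, "missing entitlement"
    return True, "ok"


def demo():
    now = 1_700_000_000  # constructed timestamp
    user = "u1001@corp.example"
    storage = issue(user, "storage.example", ["read", "write"], now)
    billing = issue(user, "billing.example", ["read"], now)
    # Tamper: add "admin" to the payload but keep the original signature.
    body, sig = storage.split(".")
    claims = json.loads(_unb64(body))
    claims["ent"].append("admin")
    forged = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig
    return {
        "valid": authorize(storage, "storage.example", "write", now + 10),
        "replayed": authorize(storage, "billing.example", "read", now + 10),
        "expired": authorize(storage, "storage.example", "read", now + 301),
        "unentitled": authorize(billing, "billing.example", "write", now + 10),
        "forged": authorize(forged, "storage.example", "admin", now + 10),
        "unlinkable": pseudonym(user, "storage.example")
        != pseudonym(user, "billing.example"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The audience and expiry checks are what stop an assertion issued for one service from being replayed at another or reused after the session window.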
13.3 Transparency

Security measures assumed in the cloud must be made available to the customers to gain their trust. There is always a possibility that the cloud infrastructure is secured with respect to some requirements while the customers are looking for a different set of security guarantees. The important aspect is to see that the cloud provider meets the security requirements of the application, and this can be achieved only through 100% transparency. The Open Cloud Manifesto stresses transparency in clouds, due to consumers’ apprehension about hosting their applications on a shared infrastructure over which they do not have any control. Transparency can be achieved by complete audit logging and control.
14 New Opportunities

Combining the contemporary and historical viewpoints, we arrive at the position that many cloud computing security problems are not in fact new, but often will still require new solutions in terms of specific mechanisms. Existing contemporary works already explore many pertinent topics; we highlight here several areas that deserve more attention.

First, cloud providers should offer a choice of security primitives with well-considered defaults. Cloud users know more about their applications, but cloud providers potentially know more about the relevant security issues due to a higher concentration of security expertise. The cloud user would ideally choose from a spectrum of security levels and security subsystem boundaries. We believe this flexibility could prove to be a major improvement if done well. One possible approach would be to formulate the security primitives around defending different stakeholders against different particular threat models. An additional feature might support “plug-and-play” services readily compliant with common standards such as those of HIPAA or the Payment Card Industry.

Another important research area concerns determining apt granularities for isolation. Several are possible: isolate by virtual or physical machines, LANs, clouds, or datacenters. We at present lack a good understanding of the tradeoffs between security and performance for each of these options, but it would appear likely that cloud providers can fruitfully offer different granularities of isolation as a part of their spectrum of security.

Side channels and covert channels pose another fundamental threat, one which interplays with the granularities of isolation discussed above. While not a panacea (e.g., it takes very few bits to steal a password), a helpful analysis could include, when appropriate, a quantification of channel bit rates, coupled with an assessment of the bit rate required to do harm.
One important area that has yet to receive much attention is mutual auditability. The auditing capabilities of most existing systems focus on one-way auditability. In cloud computing, providers and users may need to demonstrate mutual trustworthiness, in a bilateral or multilateral fashion. As discussed above, such auditability can have major benefits with regard to fate-sharing, such as enabling cloud providers in search and seizure incidents to demonstrate to law enforcement that they have turned over all relevant evidence, and prove to users that they turned over only the necessary evidence and nothing more. Recent work notes that implementing thorough auditing is not a simple matter even for straightforward web services. In cloud computing, it remains an open challenge to achieve thorough auditing without impairing performance. To complicate matters even further, the auditor fundamentally needs to be an independent third party, and a third-party auditor requires a setup quite different than today’s practice, in which cloud providers record and maintain all the audit logs. In short, mutual auditability needs significant work. On the plus side, achieving it robustly would constitute an important security feature.

More broadly, we see a need for research that seeks to understand the ecosystem of threats. Current work in the literature generally focuses only on single aspects of the cloud security problem. As we begin to understand problems in isolation, we should also start to put together an understanding of how different issues and threats combine. For example, in web security we understand security problems at a high level as an ecosystem involving the interplay between worms, bots, scams, spam, phishing, active content, browsers, usability, and other human factors. We argue that future work on cloud security needs to similarly bridge established topic boundaries.
Lastly, we would highlight that breaking real clouds makes them stronger. Such studies involve obvious ethical issues, but provide much more compelling results than breaking hypothetical clouds. For example, the EC2 information leak study triggered a highly visible security effort by Amazon Web Services, and serves as a model for similar future work in academia. Similarly, the Air Force Multics security enhancements originated from a companion effort to find security exploits. Such coupled attack and defense approaches serve as a model for potential government cloud security projects today, and cloud providers should sponsor internal adversarial efforts to discover vulnerabilities before they become exposed in the wild. Needless to say, stakeholders also need to continue to track black-hat perspectives. Finally, research partnerships between different types of stakeholders will likely prove very beneficial to advancing the field.
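The third-party auditing setup raised in the mutual auditability paragraph above (and the audit logging named under 8.5 and 13.3), as an added example that is not part of the original dissertation: the provider keeps a hash-chained log, while an independent auditor stores only periodic checkpoints and later checks any disclosed log against them. Class names, record fields and sample events are hypothetical and constructed for the illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used before the first entry


def entry_hash(prev_hash, record):
    """Hash of one record, bound to the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class ProviderLog:
    """Append-only audit log as recorded and held by the cloud provider."""

    def __init__(self):
        self.entries = []  # list of (record, claimed_hash)

    def append(self, actor, action, resource):
        prev = self.entries[-1][1] if self.entries else GENESIS
        record = {"seq": len(self.entries), "actor": actor,
                  "action": action, "resource": resource}
        self.entries.append((record, entry_hash(prev, record)))

    def checkpoint(self):
        head = self.entries[-1][1] if self.entries else GENESIS
        return {"count": len(self.entries), "head": head}


class Auditor:
    """Independent third party: keeps checkpoints only, never the records."""

    def __init__(self):
        self.checkpoints = []

    def receive(self, checkpoint):
        self.checkpoints.append(dict(checkpoint))

    def audit(self, disclosed):
        """Return a list of findings; an empty list means the log is consistent."""
        findings = []
        prev = GENESIS
        for i, (record, claimed) in enumerate(disclosed):
            if record.get("seq") != i:
                findings.append(f"entry {i}: sequence gap")
            if entry_hash(prev, record) != claimed:
                findings.append(f"entry {i}: hash mismatch")
            prev = claimed  # chain on the claimed hash to localise the fault
        for cp in self.checkpoints:
            n = cp["count"]
            if n == 0:
                continue
            if n > len(disclosed):
                findings.append(f"checkpoint {n}: log truncated")
            elif not hmac.compare_digest(disclosed[n - 1][1], cp["head"]):
                findings.append(f"checkpoint {n}: head mismatch")
        return findings


def demo():
    log, auditor = ProviderLog(), Auditor()
    log.append("alice", "read", "vm-12/disk")          # constructed events
    log.append("ops-admin", "snapshot", "vm-12")
    auditor.receive(log.checkpoint())                  # checkpoint at 2 entries
    log.append("bob", "delete", "bucket-7/report.csv")
    auditor.receive(log.checkpoint())                  # checkpoint at 3 entries

    honest = list(log.entries)
    # Edited in place: record 1 changed, stored hashes left untouched.
    edited = [(dict(r, actor="alice") if r["seq"] == 1 else r, h)
              for r, h in honest]
    # Rewritten history: record 1 changed and the whole chain recomputed.
    rewritten = ProviderLog()
    for r, _ in honest:
        rewritten.append("alice" if r["seq"] == 1 else r["actor"],
                         r["action"], r["resource"])
    return {
        "honest": auditor.audit(honest),
        "edited": auditor.audit(edited),
        "rewritten": auditor.audit(rewritten.entries),
        "truncated": auditor.audit(honest[:2]),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings)
```

The rewritten case is internally consistent and is caught only because the checkpoints sit with a party other than the provider.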
15 Conclusions

In cloud computing, end-to-end security is critical. Building blocks from TCG and commercial products built on these principles will help make the cloud environment more secure. Ongoing research from TCG and operating system or device security vendors will take advantage of the TPM using additional software to enhance its capability for cloud computing. Other research on cloud computing security is under way at several companies. Today, the good news is that most cloud security issues can be addressed with well-known, existing techniques.

The TPM can be an independent entity that works on behalf of cloud computing customers. Inside every server in the cloud, the TPM and associated software can check what is installed on each machine and verify the machine’s health and proper performance. When it detects a problem, TNC technology can immediately restrict access to a device or server. For securing data at rest in the cloud or in clients that access cloud data, self-encrypting drives based on Trusted Storage provide the ultimately secure solution.

Organizations that have already implemented TCG-based solutions can leverage their corporate investment in hardware, software and policies and re-use them for cloud computing. If cloud computing represents an organization’s initial implementation of TCG-based technology (used by the cloud provider), the rest of the organization should be re-evaluated for areas where TCG technology can provide improved internal security, including activating TPMs, use of self-encrypting drives and network access control through TNC.

In an emerging discipline like cloud computing, security needs to be analyzed more frequently. With advances in cloud technologies and an increasing number of cloud users, data security dimensions will continuously increase. In this paper, we have analyzed the data security risks and vulnerabilities which are present in current cloud computing environments.
The most obvious finding to emerge from this study is that there is a need for better trust management. We have built a risk analysis approach based on the prominent security issues. The security analysis and risk analysis approach will help service providers to assure their customers about data security. Similarly, the approach can also be used by cloud service users to perform risk analysis before putting their critical data in a security-sensitive cloud. At present, there is a lack of structured analysis approaches that can be used for risk analysis in cloud computing environments. The approach suggested in this paper is a first step towards analyzing data security risks. This approach is easily adaptable for automation of risk analysis.
16 Vulnerabilities

Cloud computing shares certain vulnerabilities with other network-based application, storage and communication platforms, in several broad areas:

• Web application vulnerabilities, such as cross-site scripting and SQL injection (which are symptomatic of poor field input validation), buffer overflow, as well as default configurations or misconfigured applications.
• Accessibility vulnerabilities, which are vulnerabilities inherent to the TCP/IP stack and the operating systems, such as denial of service and distributed denial of service.
• Authentication of the respondent device or devices. IP spoofing, RIP attacks, ARP poisoning (spoofing), and DNS poisoning are all too common on the Internet. TCP/IP has some “unfixable flaws” such as the “trusted machine” status of machines that have been in contact with each other, and the tacit assumption that routing tables on routers will not be maliciously altered.
• Data verification, tampering, loss and theft, while on a local machine, while in transit, while at rest at the unknown third-party device or devices, and during remote back-ups.
• Physical access issues, both the issue of an organization’s staff not having physical access to the machines storing and processing the data, and the issue of unknown third parties having physical access to the machines.
• Privacy and control issues stemming from third parties having physical control of the data. This is an issue for all outsourced networked applications and storage, but cloud architectures have some specific issues that are distinct from the usual issues.
18 Appendices

TCG – Trusted Computing Group
LAN – Local Area Network
API – Application Programming Interface
TPM – Trusted Platform Module
DMZ – Demilitarized Zones
ID – Intrusion Detection
IPS – Intrusion Prevention Systems