Tips & Tricks
Introduction to cloud security
Like this document? Why not share!
Failed - Why Security Fails And Wha...
by Rafal Los
April 26, 2007 Centre College: Soft...
Cyber 51 Partnership Program Presen...
by Cyber 51 LLC
iViZ Security : On Demand Penetrati...
by iViZ Techno Solut...
Ks 899 network alarm system
by Vedard Security A...
Cloud Computing Online training tut...
by Ecorp trainings
Email sent successfully!
Show related SlideShares at end
Introduction to cloud security
Dec 05, 2013
Comment goes here.
12 hours ago
Are you sure you want to
Your message goes here
Be the first to comment
Be the first to like this
Number of Embeds
No notes for slide
Transcript of "Introduction to cloud security"
1. International Journal of Electronics and Communication Engineering & Technology (IJECET), INTERNATIONAL JOURNAL OF ELECTRONICS AND ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) ISSN 0976 – 6464(Print) ISSN 0976 – 6472(Online) Special Issue (November, 2013), pp. 252-260 © IAEME: www.iaeme.com/ijecet.asp Journal Impact Factor (2013): 5.8896 (Calculated by GISI) www.jifactor.com IJECET ©IAEME Introduction to Cloud Security Taniya Computer Science Engineering, BKBIET, Pilani, Rajasthan, India firstname.lastname@example.org ABSTRACT: Invented in 1981, the floppy disk was the only way to move files quickly between computers, then came CD, memory card, USBs and portable hard drives. But very soon they too are going to get things of the past. The buzzword now is cloud computing. While cloud computing is getting increasingly popular and offer great features like flexibility, scalability and energy-saving it also comes with several security issues. The cloud moves across borders, taking our data with it and leaves us with a trail of concerns about data access, security and availability. This paper deals with cloud computing and the various security risks associated with it. It also reviews the best practices to secure Cloud services and data. KEYWORDS: Cloud computing, IAAS, PAAS, SAAS, Virtualization I. INTRODUCTION As budgets continues to shrink and the cost of data centers and software continue to increase executives have started relying more on the cloud. The popularity of cloud computing which provide services on demand on “a pay as you go” basis is increasing among the service vendors and customers as it’s considered the best way to reduce IT expenditure, improve scalability and reliability. Both Meryl Lynch and Gartner have predicted a multibillion dollar market for cloud computing . Delivering IT services via the Cloud is believed to be a time saver, a money saver and allow for better efficiencies. The savings associated with cloud computing include maintenance cost, licensing and human resource. According to Gartner, the typical IT organization invests two-thirds of its budget to daily operations. Moving to the cloud will free upto 35 to 50 percent of operational and infrastructure resources . As savings mount and as efficiencies increase, Cloud computing will continue to grow. Through 2015 Chief Information Officers expect to operate the majority of their applications or infrastructure in a Cloud environment . Cloud computing is achieved primarily by leveraging the capacity of a data center. Virtualization is the back bone of cloud computing. Autonomic computing and utility computing are the other enabling technologies. Google and Amazon are two widely known data centers providing Cloud computing and storage. But as more and more data gets on the cloud it becomes more vulnerable as it’s exposed to hacking and various other risks. International Conference on Communication Systems (ICCS-2013) B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India October 18-20, 2013 Page 252
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME A. Definition of Cloud Computing In layman’s term cloud computing refers to internet-based computing. As bandwidth in our homes and offices increases, more applications are turning web-based. By plugging your cable into the wall you can access what you need including support and expertise paid for as a service. It’s difficult to formally define cloud computing as its definition varies in context with different industries. Chris Poelker, the author of “Storage Area Networks for Dummies” wrote in his blog “As I travel around the country meeting with IT professionals and attending or speaking at industry events, I am amazed by how many different versions there are of cloud computing”. In March of 2010, The UK’s Centre for the Protection of National Infrastructure, in their Information Security Briefing 01/2010 on Cloud Computing said “There is, to date, no universally agreed industry definition of cloud computing and it is usual to find conflicting descriptions in any nascent industry”. This paper follows the NIST definition of cloud computing. According to The National Institute of Standards and Technology cloud computing is defined as “A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” . B. Cloud Computing Model According to NIST the cloud model comprises of three service models, four deployment models and five essential characteristics. Fig. 1: NIST’s three service models, four deployment models and five essential features  The service model contains Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). IAAS is the lowest level of functionality where consumer uses only the infrastructure like storage, hardware, servers and networking. Rackspace, Windows Azure and Amazon EC2 are International Conference on Communication Systems (ICCS-2013) B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India October 18-20, 2013 Page 253
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME some of the IaaS providers. In IaaS the service provider only provides the infrastructure security but the remainder is left to the customer. In this model the focus is on managing the virtual machines. The security operations need to protect the data against the rogue cloud usage. Moving up the stack is PaaS. This level allows customers to create their own applications. It provides the user with Application environment and a set of tools like OS, programming language execution environment, database, and web services etc. Examples are Azure and Heroku. Consumer and cloud service provider both are responsible for PaaS security. The security operation needs to maintain balance across providers to ensure fail over of services in the event of an outage. Another key consideration should be the ability to encrypt the data whilst stored on a third-party platform and to be aware of the regulatory issues that may apply to data availability in different geographies . SaaS is at the top of the stack. In this the users run online applications provided by service vendors and pay a fixed subscription fee. They don’t have to worry about installation, set up and running of these applications on their systems .In SaaS the cloud service provider is responsible for security controls. The security officer needs to focus on establishing controls regarding user’s access to application. The customer needs to protect their API keys and make sure they don’t replicate their organization in the cloud. The NIST deployment model includes: o Private cloud: It is a clouding architecture that provide hosted services for exclusive use by a single organization comprising multiple consumers behind a firewall o Public cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. o Hybrid cloud: This cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability. In this model the management requirements are complex as there is a need to manage private and public cloud. o Community cloud: The cloud infrastructure is maintained by cloud provider or an organization and used by many organizations with similar requirements. Each form of the deployment model requires different kind of data depending on which the level of security for each kind is different. NIST also defines five important characteristics of a Cloud environment: Resource Pooling, On Demand Self Service, Broad Network Access, Measured Service and Elasticity. II. SECURITY RISKS INVOLVED IN CLOUD COMPUTING: AN OVERVIEW When we use cloud environment, we rely on cloud providers to make decisions about our data and platforms in ways never seen before in computer . Also the applications are run on service provider’s systems and the consumers have little to no knowledge of its environment. This makes the data vulnerable to peeping and tampering. International Conference on Communication Systems (ICCS-2013) B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India October 18-20, 2013 Page 254
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME The data on the cloud is under the following threats: o Spoofing: It’s a way of accessing information by using other’s identity. o Tampering: Data entered by a user are changed without the user's authorization. o Repudiation: Denying the origin of transaction (request or response). o Information Disclosure: The data is disclosed to unauthorized users without the knowledge of the user. o Denial of Service:In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. o Elevation of Privilege:Elevation of privilege results from giving an attacker authorization permissions beyond those initially granted. For example, an attacker with a privilege set of "read only" permissions somehow elevates the set to include "read and write." The data needs to be protected both in store and in transit. Appropriate mechanisms should be taken in order to make application execution and stored data accessible to designated persons only. How much security is required depends upon the deployment model, type of application, business objective and available budget.While defining security for cloud, it’s required to address it from operational as well as Governance point of view. Under operational domain it is very important to focus on traditional security, disaster recovery, data center operations, incident response, application security, encryption and key management, identity and access management and virtualization whereas under Governance domain focus has to be given to Cloud computing architectural framework, risk management and Legal discovery . III. PROTECTION OF SENSITIVE DATA The data needs to be secured to overcome the threats mentioned above. The data at rest can be protected by encrypting it. Encryptions protect data against malicious cloud providers and co-tenants in the cloud. The keys are kept by the customer so that the description can be done when needed. Data security also involves enforcing the appropriate accessing policies. Researchers have implemented the data protection framework which provides authentication, verification and encrypted data transfer . A. Data Sanitization The biggest question about data is how long the data has to remain on the cloud. There is a big chance that the service provider might retain the information even after the client is no longer accessing the data. When the user migrates or terminates the service he should make sure that the data is destroyed or no longer visible in cloud provider domain.Data sanitization is the process of deliberately, permanently, and irreversibly removing or destroying the data stored in the data base. A device that has been sanitized has no usable residual data and even advanced forensic tools should not ever be able to recover erased data . Data sanitization is achieved by using masking technique. B. Data Isolation The data on the cloud becomes vulnerable to attacks when there is lack of isolation. The cloud provider must make sure that the clients are isolated from each other. Virtualization is a great tool for ensuring isolation. It is implemented by running Virtual Machine (VM) instance for each user and all users can independently access data without any interference. International Conference on Communication Systems (ICCS-2013) B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India October 18-20, 2013 Page 255
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME C. Data Location The location of data on the cloud also makes it vulnerable. The service subscriber does not have detailed information about the location of data. This makes it difficult for the user to ascertain whether the data is secure and whether the proper legal requirements are being met. Different countries have different laws regarding cyber security and data privacy. Once the data crosses the national border it becomes very difficult to guarantee protection under foreign laws and regulations. For example European consumers have expressed concern that the USA Patriot Act will afford the US government undue and unfettered access to their data if they choose to store it on the cloud servers of US providers (e.g., Microsoft or IBM). A recent survey found that 70 percent of Europeans have concerns about their online data and how well it is secured . IV. SECURITY ISSUES DUE TO VIRTUALIZATION Virtualization is the creation of a virtual (rather than actual) version of something, such as an operating system, a server, a storage device or network resources. Ottenheimer and Vallace define it as “The creation of virtual resources from physical resources”. It is one of the major enabling technique of cloud computing. In a virtual environment, the host has the ability to run multiple guest operating systems as virtual machines. Virtual machines can be created quickly and easily and brings many advantages to the space, including higher efficiency due to increased utilization, energy savings per computation unit, and the flexibility to create and destroy machines on demand . Also to maximize the utilization of resources these virtual machines belonging to different organization are co-located on the same physical server.But virtualization comes with various risks. With the creation of virtual machines the attacker surface increases as the vulnerabilities not only exist in the physical equipment but also in the virtualized environment. According to the Cloud Security Alliance (CSA), irrespective of the service model (IaaS, PaaS and SaaS) used, “Virtualization brings with it all the security concerns of the guest operating system, along with new virtualization-specific threats.” . In the virtualized environment A single host with multiple virtual machines may be attacked by one of the guest operating systems or, a guest operating system may be used to attack other guest operating systems. NIST in its virtualization security guidelines recommends organization : o Secure all elements of a full virtualization solution and maintain their security; o Restrict and protect administrator access to the virtualization solution; o Ensure that the hypervisor, the central program that runs the virtual environment, is properly secured; o Carefully plan the security for a full virtualization solution before installing, configuring and deploying it. A. Hypervisor Security The hypervisor, or virtual machine monitor (VMM), is the software that virtualizes the hardware and provides isolation, or separation, between guests. Given the relative newness of non-mainframe virtualization and the need to handle sensitive workloads, hypervisor security is a great and well-placed concern . Functionality that allows the hypervisor to control and monitor individual VM activity from outside the VMs is known as introspection. It gives the International Conference on Communication Systems (ICCS-2013) B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India October 18-20, 2013 Page 256
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME hypervisor power to access and analyze the data being processed by the VM, and typically includes visibility into stored data files as well as monitoring of network traffic, memory and program execution, and other elements of the VM. The two major security risks with introspection are that it can bypass role-based access controls and it can be used without leaving a forensic audit trail within the VM itself. Since no authentication is required, as with introspection, files can be accessed from within the privileged state of the hypervisor, the file access leaves no audit trail on the VM and the VM contains no evidence that the file was accessed. There are two types of attacks on the hypervisor : Attack on hypervisor through the host OS: The hypervisor is compromised when the control is being taken on the host OS by the attacker who then gains the administrative privileges of the hypervisor and can perform any malicious activity on the VM hosted by the hypervisor. Fig. 2: Attack on Hypervisor through Host OS  Attack on the hypervisor through guest OS: This is the most possible attack on the hypervisor. In this a guest OS is used to gain unauthorized access to the hypervisor. Fig. 3: Attack on the hypervisor through Guest OS  International Conference on Communication Systems (ICCS-2013) B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India October 18-20, 2013 Page 257
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME Traditional defenses such as firewalls and IPSs are not capable to stop attack on the hypervisor as these attacks are rooted in the processor. The best ways to mitigate risks are by creating a chain of trust in the CPU that will extend to the hypervisor and hardening the hypervisor by following the manufacture’s best practices. V. MULTI-TENANCY Multi-tenancy is defined as the ability to use the same software and interfaces to configure resources and isolate customer-specific traffic and data. In a typical multi tenancy environment, multiple users who do not share or see each other’s data can share the same applications while running on the same operating system, using the same hardware and the same data storage mechanism . It comes with many security issues. Over provisioning of resources is the biggest risk associated with multi-tenancy which further results in resource contention and potential lack of availability, effectively creating a denial of service situation. Performance may become unpredictable when “noisy neighbors” are co-located and start behaving poorly by consuming large amounts of CPU or memory resources .To secure the multi-tenant environment from malicious attacks CSA recommends that implementers should ensure adequate security zones for different types of machines. Servers, development machines, workstations and management consoles should each have their own security zone . VI. INFORMATION SECURITY STANDARDS Over the past few years several security standards have evolved to protect the confidentiality, integrity and availability of data on the cloud. It is very important to thoroughly understand your organization’s security policies in order to implement like standards in a Cloud environment that will form your security frame work. It is also very important to choose the CSP who offer the standards that are relevant to your needs. Standards can be based on security, system development, financial reporting, IT service delivery, or control environment . Some of the most popular standards related to security are: National Institute of Standards and Technology (NIST) publish series of papers stating various guidelines to insure security in cloud computing outlining the comprehensive security framework. The International Standards Organization (ISO) has published ISO/IEC 27001, an audit standard for Information Security Management Systems. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard. It contains 11 domains, 39 control objective and more than 130 controls. Some of the domains under it are Security policy, physical and environmental security, Access control. The Federal Information Security Management Act (FISMA) made in 2002 requires the Federal Government to create standards for minimum information security and standards for categorizing information and information systems. The European Network and Information Security Agency (ENISA) is an agency of the European Union. The objective of ENISA is to improve network and information security in the European Other entities that create standards are Institute of Electronics and Electrical Engineers (IEEE), American National Standards Institute (ANSI) and National Security Agency (NSA). International Conference on Communication Systems (ICCS-2013) B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India October 18-20, 2013 Page 258
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME There is a wide range of standards and guidelines concerning the information security. This sometimes leads to confusion among the customers as different CSA follow different standards. To make it easy for the users to know about the best suited standard the Cloud Security Alliance has created a Cloud Controls Matrix (CCM). The CCM is designed to provide fundamental security principles to assist cloud customers in assessing the overall security risk of a cloud provider. It consists of 13 domains based on ISO 270001 and NIST. No matter which standard the CSA adheres to certification provides customers with a promise that information security is given the highest priority and a process to protect the confidentiality, integrity and availability of data is in place. VII. CONCLUSION Cloud computing is a revolution in how computing power is developed to business. Business and government continues to move on Cloud environment in an effort to reduce costs, improve efficiencies and reduce administrative overhead. Though cloud computing has various advantages it also comes with several security issues.As the data gets off premises and moves to the cloud it gets vulnerable to attacks both at rest and in transit. While virtualization reduces some security risks, others are increased because the attack surface in a Cloud service increases. Also there are various security issues in multi-tenant architecture of cloud computing.In these paper I have tried to summarize all these security issues related to various aspects and models of cloud computing. I have also reviewed various mitigation strategies, security standards and guidelines. ACKNOWLEDGEMENT Foremost, I would like to express my sincere gratitude to Ms. Sonam Mittal, Assistant Professor, BKBIET, Pilani for helping me out in completing the paper. My sincere thanks also go to my friends who helped me in finding the resources and motivating me. Last but not the least; I would like to thank my family for supporting me. REFERENCES  ShikhareshMajundar, Resource Management on Clouds- The Multifaceted Problem & Solution, Advancement in Cloud Computing, 2012 http://betanews.com/2011/01/24/gartner-most-cios-have-their-heads-in-the-clouds/  Todd Steiner, An Introduction to Securing a Cloud Environment (white paper), SANS institute  http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf http://www.csoonline.com/article/660065/saas-paas-and-iaas-a-security-checklist-forcloud-models  P. Jayarekha, Anintha H M, Exploring Cloud Computing and Security Issues, Advancement in Cloud Computing, 2012  N. Sarat Chandra Babu, Cloud Security, Advancement in Cloud Computing, 2012  http://cnc.ucr.edu/security/datasan.html  http://www.mayerbrown.com/publications/The-USA-Patriot-Act-and-the-Privacy-of-DataStored-in-the-Cloud-01-18-2012/  ftp://public.dhe.ibm.com/linux/pdfs/LXW03004-USEN-00.pdf  https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf International Conference on Communication Systems (ICCS-2013) B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India October 18-20, 2013 Page 259
International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Special Issue (November, 2013), © IAEME  http://www.nist.gov/itl/csd/virtual-020111.cfm  http://www.cse.wustl.edu/~jain/cse571-11/ftp/virtual/  http://apprenda.com/library/glossary/definition-multitenant/ BIOGRAPHY Taniya was born in Dehradun, Uttarakhand, India in 1992. She is doing her B.Tech in Computer Science Engineering from B K Birla Institute of Engineering and technology Pilani (Rajasthan), India. International Conference on Communication Systems (ICCS-2013) B K Birla Institute of Engineering & Technology (BKBIET), Pilani, India October 18-20, 2013 Page 260