Security issues in cloud computing for msmes

International Journal of Advanced Research in Management (IJARM), ISSN 0976 – 6324 (Print), ISSN 0976 – 6332 (Online), Volume 3, Issue 2, July-December (2012), pp. 21-28
© IAEME: www.iaeme.com/ijarm.html
Journal Impact Factor (2012): 2.8021 (Calculated by GISI), www.jifactor.com

SECURITY ISSUES IN CLOUD COMPUTING FOR MSMES

Mr. Hemantkumar Wani, Department of Management Studies, Shri Jagdiprasad Jhabarmal Tibrewala University, Rajasthan, India, sayhemant@rediffmail.com
Dr. N. Mahesh, Department of Management Studies, Shri Jagdiprasad Jhabarmal Tibrewala University, Rajasthan, India, nadiminty.mahesh@gmail.com

ABSTRACT
This paper examines the security issues of cloud computing in the micro, small and medium enterprise (MSME) sector. Intensifying competition among MSMEs and their early adoption of internet-based applications and services have created opportunities that are worth seizing. The opening up of global IT markets has also brought many challenges, with a flood of IT-enabled services and applications. Cloud computing makes it possible for users to obtain all the resources they need instantly, from locations they do not know. There are, however, many hurdles to realising this idea, in the form of security parameters and backup issues.

Keywords: MSME (Micro, Small and Medium Enterprises), SLA, SSL technology, firewall, middle server.

I. INTRODUCTION
Indian manufacturers, especially in the MSME sector, have started to adopt software and technology solutions, which have been further revolutionised by the concept of cloud computing; it offers cutting-edge and innovative solutions to cope with these challenges. In the recent past the concept of cloud computing has revolutionised the world of IT. Cloud computing enables efficient delivery of business applications online, accessible from web browsers.

Cloud computing can supply a new type of computing and business model for MSMEs. The MSME sector has adopted this concept worldwide and implemented it to improve overall operations. The type of cloud service an MSME is likely to use (SaaS, PaaS, etc.), the disaster recovery options it must consider, and the effect of cloud-based IT services and applications on business and the economy all have to be weighed. Security risks should be analysed when adopting cloud computing technologies, along with the actual needs, requirements and expectations that MSMEs have of cloud computing services.

Cloud computing emerged from so-called distributed computing and grid computing. The user can access any service he or she wants, for a specific task and for a specific amount of time [1]. Cloud computing provides a facility for sharing resources, and for interoperating, between different users and the systems owned by organisations. Security is a major hindrance in such systems: if users store their data in a remote location owned by an unknown person or organisation, their data is no longer under their own protection. Members communicating with each other should have a good level of trust in order to share data and resources.

In the actual scenario, the cloud is the concept of virtualising the user's local system using a remote cloud operating system, so as to obtain a virtual desktop with a specific operating system, or a choice of operating systems, and to store personal data and execute applications from anywhere. Customers purchase computing power according to their demand and are not concerned with the underlying technologies used. The resources used and the data accessed are owned and operated by a third party. This third party may not be located in the same area as the user; it may be in another state or country.

II. CLOUD STRUCTURE AND TYPES
Public cloud: It is used by many users across the whole world, and security aspects are the utmost hindrance in such situations. It is basically a pay-per-use model in which users pay according to their use, which is very useful and cost-effective both for the companies they work for and for themselves.

Private cloud: In a private cloud we get additional benefits, such as additional security, because the company has the server at its own end. As a way to exercise greater control over security and application availability, some enterprises are moving toward building private clouds. With the right approach and expertise in place, this type of setup can offer the best of both worlds: the cost-effectiveness of cloud computing and the assurance that comes with the ability to manage data and applications more closely.

Hybrid cloud: It provides services by combining private and public clouds that have been integrated to optimise service. The promise of the hybrid cloud is to provide the local data benefits of the private cloud with the economies, scalability and on-demand access of the public cloud. The hybrid cloud remains somewhat undefined, because it specifies a midway point between the two ends of a continuum: services provided strictly over the Internet, and those provided through the data centre or on the desktop [2].
III. MODELS OF CLOUD COMPUTING

A. Model 1: Infrastructure as a Service (IaaS)
The key aspects of IT infrastructure (hardware, facilities and administration) have traditionally been the domain of the IT department within each company. Dedicated personnel install and configure servers, routers, firewalls and other devices in support of their employers. This equipment requires dedicated housing as well as environmental controls, emergency power and security systems to keep it functioning properly. Finally, every company allocates additional space where IT personnel work to support the infrastructure in place. Every aspect of IT infrastructure has evolved on its own and, until now, has not moved toward integration. For example, a company purchases the software it needs and then purchases a server to run it. If data storage is necessary for files or databases, disk arrays and hard drives are added to accommodate the company's needs. A local network is maintained to give employees access to IT resources, and high-speed internet connectivity for voice and data is added to the company account as necessary. Practically speaking, each IT system has its own management system, and some systems require a specialised worker to be added to the staff.

Infrastructure as a Service takes the traditional components of IT infrastructure off site and offers them in one unified, scalable package to companies, which manage them through one management interface. The result is IT services that easily conform to the changing requirements of a business. Because the infrastructure does not reside on the premises, obsolete equipment, upgrades and retrofits no longer play a role in the company's decision to adopt new technology [3]. The IaaS provider takes care of that seamlessly, allowing the business to focus on its mission.

Cost-effectiveness augments the convenience of IaaS. Because the IaaS provider has massive platforms segmented for each customer, the economies of scale are enormous and yield significant cost savings through efficiency. The need for every company to maintain its own infrastructure is eliminated. The power of IaaS brings the resources needed to service government and enterprise contracts to businesses of every size. IaaS improves reliability because service providers have specialised workers who ensure nearly constant uptime and state-of-the-art security measures. Infrastructure as a Service is a form of hosting. It includes network access, routing services and storage. The IaaS provider will generally provide the hardware and administrative services needed to store applications, and a platform for running them. Scaling of bandwidth, memory and storage is generally included, and vendors compete on the performance and pricing of their dynamic services. IaaS can be purchased either under a contract or on a pay-as-you-go basis; most buyers consider the key benefit of IaaS to be the flexibility of the pricing, since one should only need to pay for the resources that application delivery actually requires [4].

B. Model 2: Software as a Service (SaaS)
Software is ubiquitous in today's business world, where software applications help us track shipments across multiple countries, manage large inventories, train employees and even form good working relationships with customers. For decades, companies have run software on their own internal infrastructure or computer networks. In recent years, traditional software licence purchases have begun to seem antiquated, as many vendors and customers have migrated to a software-as-a-service business model. Software as a Service, or SaaS, is a software application delivery model in which an enterprise vendor develops a web-based software application, then hosts and operates that application over the Internet for use by its customers. Customers do not need to buy software licences or additional infrastructure equipment, and typically only pay monthly fees (also referred to as annuity payments) for using the software. It is important to note that SaaS typically encapsulates enterprise software, as opposed to consumer-oriented web-hosted software, which is generally known as Web 2.0. According to a leading research firm, the SaaS market reached $6.3B in 2006, still a small fraction of the over $300B licensed-software industry. However, SaaS growth since 2000 has averaged a 26% CAGR, while licensed-software growth has remained relatively flat. Demand for SaaS is driven by real business needs, namely its ability to drive down IT-related costs, decrease deployment times and foster innovation [5].

Both public and private cloud models are now in use. Available to anyone with Internet access, public models include Software as a Service (SaaS) clouds like IBM LotusLive™, Platform as a Service (PaaS) clouds such as IBM Computing on Demand™, and Security and Data Protection as a Service (SDPaaS) clouds like the IBM Vulnerability Management Service [7]. Private clouds are owned and used by a single organisation. They offer many of the same benefits as public clouds, and they give the owner organisation greater flexibility and control. Furthermore, private clouds can provide lower latency than public clouds during peak traffic periods. Many organisations embrace both public and private cloud computing by integrating the two models into hybrid clouds. These hybrids are designed to meet specific business and technology requirements, helping to optimise security and privacy with a minimum investment in fixed IT costs.

All these services are cost-effective, but they raise many issues regarding security and backup. Depending on the implementation and the platform needed, the central server can forward a request to the respective server.

IV. REQUIREMENTS OF SECURITY
The security architecture of the OSI Reference Model (ISO 7498-2) gives a general description of security services and related mechanisms that can be provided by the Reference Model, and of the positions within the Reference Model where those services and mechanisms may be provided. It extends the field of application of ISO 7498 [6] to cover secure communications between open systems, and adds to the concepts and principles of ISO 7498 without modifying them. Fig. 1 shows how these requirements are met in the proposed system.

a. Authentication and Authorisation
Users can be identified in this model because SSL is used for that purpose. A governance body acts as an interface between the user and the cloud servers. There is encryption between the user and the central server, and between the central server and the cloud of servers. User details (UserID etc.) are stored on the central server and validation is done against them; hence this requirement is met. Note that a plain SSL/TLS connection authenticates the server to the user; the user is authenticated by the connection itself only if client certificates (mutual TLS) are used, so in this model user identity rests on the credential validation performed at the central server. Authorisation is not a big issue in a private cloud, because the system administrator can grant access only to those who are authorised to access the data. In a public cloud it becomes more hectic, because requests from ordinary users also have to be taken into consideration. Privileges over the process flow have to be considered, as control may flow from one server to another. The respective UserID is saved on the central server after registration, and authorisation can then be done easily, as the respective rights can be stated there.

b. Confidentiality
Confidentiality plays a very important role, as the data has to be secure and must not be revealed anywhere. This is achieved in this system by the use of dual SSL (one SSL connection on each hop: user to central server, and central server to cloud server). Users' data, profiles etc. have to be maintained and, as they are accessed virtually, various security protocols have to be enforced. If the whole cluster of a particular sector is standardised, this can be imposed easily. With regard to data in transit, the primary risk is not using a vetted encryption algorithm. Although this is obvious to information security professionals, others commonly do not understand this requirement when using a public cloud, regardless of whether it is IaaS, PaaS or SaaS. It is also important to ensure that the protocol provides integrity as well as confidentiality (e.g., FTP over SSL [FTPS], Hypertext Transfer Protocol Secure [HTTPS], Secure Copy Program [SCP]), particularly if the protocol is used to transfer data across the Internet. Merely encrypting data and sending it over a non-secured protocol (e.g., "vanilla" or "straight" FTP or HTTP) can provide confidentiality but does not ensure the integrity of the data; with a symmetric stream cipher, for example, an attacker can change bits of the plaintext by flipping the corresponding bits of the ciphertext, and the receiver has no way to detect it [6].

c. Integrity
Integrity is maintained because SSL applies a keyed hash (a MAC) to every record it sends. The drawback of this technology is the overhead it adds (MAC, padding and handshake messages): bandwidth is used up and the packet size increases. From a privacy and confidentiality perspective, the terms of service may be the most important feature of cloud computing for an average user who is not subject to a legal or professional obligation.
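The point made under b. and c. above (encryption alone gives confidentiality but not integrity, and a stream cipher is malleable) can be shown in a few lines. The following is an added example, not code from the paper or from any product it mentions: a toy stream cipher is built from HMAC-SHA256 in counter mode so that the example runs with the standard library alone (it is an illustration of malleability, not a cipher to deploy), and the key, nonce and sample record are constructed for the example. An attacker who never sees the key changes "amount=100" to "amount=900" in the encrypt-only case; the encrypt-then-MAC construction rejects the same change before decrypting.

```python
"""Added example (not from the paper): why "encrypt only" gives confidentiality but
not integrity, and how a MAC over the ciphertext fixes it.

Toy stream cipher: keystream = HMAC-SHA256(key, nonce || counter) in counter mode,
standard library only. Key, nonce and message are constructed for the example.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


stream_decrypt = stream_encrypt


def flip_bytes(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's move, no key needed: XOR (old ^ new) into the ciphertext so the
    plaintext at `offset` becomes `new`. Works because C = P ^ K for a stream cipher."""
    mutated = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        mutated[offset + i] ^= o ^ n
    return bytes(mutated)


# --- Encrypt-then-MAC: the protocol property the Mather et al. passage asks for ---

def etm_encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """nonce || ciphertext || HMAC-SHA256(mac_key, nonce || ciphertext)."""
    ct = stream_encrypt(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def etm_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified in transit")
    return stream_decrypt(enc_key, nonce, ct)


def demo() -> dict:
    """Run the bit-flip attack against encrypt-only and against encrypt-then-MAC."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    message = b"transfer;to=ABC;amount=100"   # constructed sample record
    offset = message.index(b"amount=") + len(b"amount=")

    # 1. Encrypt only: the attacker turns 100 into 900 and the receiver cannot tell.
    ct = stream_encrypt(enc_key, nonce, message)
    tampered_plain = stream_decrypt(enc_key, nonce, flip_bytes(ct, offset, b"1", b"9"))

    # 2. Encrypt-then-MAC: the same flip is rejected before decryption.
    blob = etm_encrypt(enc_key, mac_key, nonce, message)
    tampered_blob = blob[:16] + flip_bytes(blob[16:-32], offset, b"1", b"9") + blob[-32:]
    try:
        etm_decrypt(enc_key, mac_key, tampered_blob)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "encrypt_only_result": tampered_plain,
        "etm_rejected_tampering": rejected,
        "etm_roundtrip": etm_decrypt(enc_key, mac_key, blob),
    }


if __name__ == "__main__":
    print(demo())
```

The MAC is computed over the nonce and ciphertext, and checked with `hmac.compare_digest`, before any decryption happens; that ordering (encrypt-then-MAC, verify-then-decrypt) is what TLS record protection and the FTPS/HTTPS/SCP recommendation above rely on, and it is the part that "vanilla" FTP or HTTP carrying pre-encrypted data lacks.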
It is common for a cloud provider to offer its facilities to users without individual contracts, subject only to the provider's published terms of service. A provider may offer different services, each with distinct terms of service. A cloud provider may also have a separate privacy policy. It is also possible for a cloud provider to do business with users under specific contractual agreements between provider and user that give users better protection; the contractual model is not examined further here. If the terms of service give the cloud provider rights over a user's information, the user is likely bound by those terms. A cloud provider may acquire through its terms of service a variety of rights, including the right to copy, use, change, publish, display, distribute and share the user's information with affiliates or with the world. There may be few limits to the rights a cloud provider may claim as a condition of offering services to users. Audits and other data-integrity measures may be important if a user's local records differ from the records maintained on the user's behalf by a cloud provider.

d. Availability
Another issue is the availability of data when it is requested by authorised users. The most powerful technique is prevention: avoiding threats that affect the availability of the service or data. Threats targeting availability are very difficult to detect. They can be either network-based attacks, such as Distributed Denial of Service (DDoS) attacks, or failures of the cloud service provider (CSP) itself. For example, Amazon S3 suffered a two-and-a-half-hour outage in February 2008 and an eight-hour outage in July 2008. Identity and access management in the cloud is commonly handled with protocols such as the Security Assertion Markup Language (SAML) and the Open Authorization (OAuth) protocol.

e. Non-repudiation
Non-repudiation is the requirement that, when a sender sends data to the other end, the sender cannot later deny having sent it and the receiver cannot deny having received it. In the proposed system this requirement is addressed by the middle server, because it keeps the routing table as well as a table of contents of all the servers in the cloud, with the corresponding server ID, name, location etc. Because the routing table records the server IP and the receiver and sender IPs, we can state that if a user has sent a request he cannot deny it, and if the receiver gives an acknowledgement or response it cannot deny having given it. Such a record is evidence held by the middle server rather than by the parties themselves; non-repudiation with proof of origin in the ISO 7498-2 sense additionally requires the sender to digitally sign the data with a private key only the sender holds, so that neither the middle server nor a tampered log can produce the record on the sender's behalf. SSL by itself does not provide this, because its record MAC keys are shared by both ends of the connection.

f. Backup and Disaster Recovery
A cloud may be used for production operations, so it is important to have a backup and disaster recovery policy in place. The backup policy should define what data is backed up, how long backups are kept, and the costs associated with those services. Similarly, in the event of a catastrophic failure of a private cloud, a failover plan should be in place. This plan may include using multiple data centres to host a private cloud, or running jobs in a more conventionally organised cluster environment with manual job management. The details of how to implement backup and disaster recovery will vary with needs and resources, but it is essential for business continuity planning to have some policy in place [8].

V. USE OF PROPOSED MODEL
In the proposed system we introduce a central server that holds a routing table containing the cloud ID, the corresponding user ID, and the actual server ID to which the user is connecting. The source IP and destination IP are also put into the table.

Figure 1. Architecture Diagram of proposed model
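As an added example, not code from the paper, the following Python sketch models the two jobs the central server is given in sections IV.a and V: it stores each UserID with a salted password hash and validates logins against it, and it keeps the routing table of Table I below (all columns except Time) with validated IP addresses and lease expiry, so that a governance body can look up which server a user was sent to when a connection times out. The class and method names, the PBKDF2 work factor and the sample credentials are assumptions for the example; the two rows are the ones printed in Table I. The first row carries the octet 268 in its source address, which is outside the IPv4 range of 0 to 255, so a validated table rejects it rather than storing an address that can never be traced.

```python
"""Added example, not the paper's own code: a minimal model of the proposed central
server: (a) UserID registration and credential validation (IV.a) and (b) the routing
table of Table I with validated addresses and lease expiry (V). Names, work factor
and sample credentials are assumptions; the rows are those of Table I.
"""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000   # assumed work factor; tune to the central server's CPU budget


def hash_password(password: str) -> Dict[str, bytes]:
    """Record that can be stored on the central server without revealing the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_password(password: str, record: Dict[str, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


@dataclass
class RouteEntry:
    """One row of the routing table (columns of Table I, Time omitted)."""
    uid: int
    sid: int
    source_ip: ipaddress.IPv4Address
    dest_ip: ipaddress.IPv4Address
    cloud_id: int
    packet_size_kb: int
    server_name: str
    lease_until: int   # minute at which the lease expires


class CentralServer:
    def __init__(self) -> None:
        self._users: Dict[int, Dict[str, bytes]] = {}
        self._routes: List[RouteEntry] = []

    # IV.a: UserID registration and credential validation
    def register_user(self, uid: int, password: str) -> None:
        if uid in self._users:
            raise ValueError(f"UID {uid} already registered")
        self._users[uid] = hash_password(password)

    def authenticate(self, uid: int, password: str) -> bool:
        record = self._users.get(uid)
        return record is not None and verify_password(password, record)

    # V: record a connection in the routing table, rejecting malformed addresses
    def record_connection(self, uid: int, sid: int, source_ip: str, dest_ip: str,
                          cloud_id: int, packet_size_kb: int, server_name: str,
                          lease_minutes: int, now: int) -> RouteEntry:
        if uid not in self._users:
            raise PermissionError(f"UID {uid} is not registered")
        # IPv4Address raises ValueError for an octet outside 0..255
        entry = RouteEntry(uid, sid, ipaddress.IPv4Address(source_ip),
                           ipaddress.IPv4Address(dest_ip), cloud_id, packet_size_kb,
                           server_name, now + lease_minutes)
        self._routes.append(entry)
        return entry

    def active_routes(self, now: int) -> List[RouteEntry]:
        """Rows whose lease has not yet run out."""
        return [r for r in self._routes if r.lease_until > now]

    def track_server(self, uid: int) -> Optional[RouteEntry]:
        """Most recent server a user was sent to: the lookup used when a ping times out."""
        for entry in reversed(self._routes):
            if entry.uid == uid:
                return entry
        return None


def demo() -> dict:
    cs = CentralServer()
    cs.register_user(12017, "correct horse battery")   # constructed credentials
    cs.register_user(86770, "another passphrase")
    results = {"login_ok": cs.authenticate(12017, "correct horse battery"),
               "login_bad": cs.authenticate(12017, "wrong"),
               "login_unknown": cs.authenticate(99999, "anything")}
    # Row 2 of Table I is stored; row 1 (source 191.268.67.67) fails address validation.
    cs.record_connection(86770, 2967, "111.125.25.23", "102.124.12.35", 266, 128, "XYZ", 18, now=0)
    try:
        cs.record_connection(12017, 2747, "191.268.67.67", "101.123.22.25", 222, 437, "ABC", 30, now=0)
        results["row1_rejected"] = False
    except ValueError:
        results["row1_rejected"] = True
    results["active_at_10"] = len(cs.active_routes(now=10))   # XYZ lease of 18 min still live
    results["active_at_20"] = len(cs.active_routes(now=20))   # and expired by minute 20
    tracked = cs.track_server(86770)
    results["tracked_server"] = tracked.server_name if tracked else None
    return results


if __name__ == "__main__":
    print(demo())
```

Passwords never reach the table in clear; only the salt and PBKDF2 digest are kept, and comparison uses `hmac.compare_digest` so a wrong guess takes the same time as a near miss. Address validation happens before the row is appended, so the table only ever contains entries that the tracking lookup in `track_server` can act on.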
TABLE I. ROUTING TABLE

UID    SID   Source IP       Destination IP   Time      Cloud ID   Packet Size   Server Name   Lease Time
12017  2747  191.268.67.67   101.123.22.25    500 mins  222        437 kb        ABC           30 mins
86770  2967  111.125.25.23   102.124.12.35    800 mins  266        128 kb        XYZ           18 mins

The table also records the actual amount of data flow, that is, the transfer rate in packets per second. At the user's end there is a personal firewall, and the connection between the user and the central server is encrypted with the SSL encryption standards in regular use today. At the central server's end there is an application-level firewall that checks whether packets are malicious or not. Application-level firewalls (sometimes called proxies) look more deeply into the application data passing through their filters. Fig. 2 shows the architectural diagram of the proposed system. By considering the context of client requests and application responses, these firewalls attempt to enforce correct application behaviour, block malicious activity and help organisations ensure the safety of sensitive information and systems. They can log user activity too. Application-level filtering may include protection against spam and viruses as well, and may block undesirable web sites based on content rather than just their IP address [6].

We further suggest making separate clusters of clouds for the banking sector, the education sector and government bodies (the last of which will not contain confidential data). The user has a personal firewall at his end. The central server, for banks say, holds a table of the user ID, server ID, server name and all related information, through which a governance body can track back both the server and the user.
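The application-level firewall described above decides on the content of a request rather than on addresses. The following added example (not the paper's code, and not any product's filter) shows what that looks like for HTTP at the central server: the request is parsed, the method is checked against an allow-list, the path is percent-decoded and resolved against a document root so that encoded ".." cannot escape it, header lines with bare CR, LF or NUL are refused, and the declared Content-Length must match the body that arrived (a duplicate Content-Length or a Transfer-Encoding header is refused outright, since disagreement between the proxy and the cloud server about body length is the basis of request smuggling). The policy constants, the document root `/srv/app` and the six sample requests are constructed for the example.

```python
"""Added example, not the paper's own code: an application-level check the central
server's firewall can apply to an HTTP request before forwarding it to a cloud server.
Policy constants, document root and sample requests are constructed for the example.
"""
import posixpath
from typing import Tuple
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "POST", "HEAD"}     # assumed policy
MAX_BODY_BYTES = 1_000_000                     # assumed policy
MAX_HEADER_BYTES = 8_192                       # assumed policy
BLOCKED_PATH_PREFIXES = ("/admin", "/.git")    # assumed policy
DOC_ROOT = "/srv/app"                          # assumed document root on the cloud server


def inspect_request(raw: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything malformed or outside policy is dropped."""
    if len(raw) > MAX_HEADER_BYTES + MAX_BODY_BYTES:
        return False, "request too large"
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return False, "malformed request line"
    method = parts[0].decode("ascii", "replace")
    target = parts[1].decode("ascii", "replace")
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"

    # Decode percent-encoding before normalising, so "%2e%2e" is seen as "..";
    # then resolve against the document root and refuse anything that leaves it.
    path = unquote(target.split("?", 1)[0])
    if not path.startswith("/") or "\x00" in path:
        return False, "bad path"
    resolved = posixpath.normpath(posixpath.join(DOC_ROOT, path.lstrip("/")))
    if resolved != DOC_ROOT and not resolved.startswith(DOC_ROOT + "/"):
        return False, "path escapes document root"
    rel = "/" + resolved[len(DOC_ROOT):].lstrip("/")
    if rel.startswith(BLOCKED_PATH_PREFIXES):
        return False, f"path {rel} is blocked"

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # a bare CR, LF or NUL inside a header line is a splitting/injection attempt
        if not colon or not name.strip() or any(c in line for c in (b"\r", b"\n", b"\x00")):
            return False, "malformed header"
        key = name.strip().lower()
        if key == b"content-length" and key in headers:
            return False, "duplicate Content-Length"          # request-smuggling vector
        headers[key] = value.strip()
    if b"host" not in headers:
        return False, "missing Host header"
    if b"transfer-encoding" in headers:
        return False, "chunked bodies are not accepted by this filter"

    declared = headers.get(b"content-length", b"0")
    if not declared.isdigit() or int(declared) > MAX_BODY_BYTES:
        return False, "bad Content-Length"
    if int(declared) != len(body):
        return False, "Content-Length does not match body"
    return True, "ok"


SAMPLE_REQUESTS = {   # constructed for the example
    "benign": b"GET /files/report.pdf?id=7 HTTP/1.1\r\nHost: bank.example\r\n\r\n",
    "traversal": b"GET /files/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: bank.example\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: bank.example\r\n\r\n",
    "header_injection": b"GET / HTTP/1.1\r\nHost: bank.example\nX-Injected: 1\r\n\r\n",
    "length_mismatch": b"POST /transfer HTTP/1.1\r\nHost: bank.example\r\nContent-Length: 99\r\n\r\nto=ABC",
    "blocked_prefix": b"GET /admin/users HTTP/1.1\r\nHost: bank.example\r\n\r\n",
}


def run_samples() -> dict:
    """Apply the filter to every sample request; returns name -> (allowed, reason)."""
    return {name: inspect_request(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18s} {verdict}")
```

Only the benign request is forwarded; each of the others is dropped with a reason the firewall can log against the UID and server ID of the routing table entry, which is the "log user activity" function the paragraph above mentions.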
When a user tries to connect to a particular server in the cloud, his or her user ID, server ID, source IP and destination IP are saved. The total synchronisation time, the packet size transferred, the server name and the total lease time (in the case of a secure connection) are also saved in the table, so that if the user is unable to connect to a server, i.e. if a ping shows a connection time-out, the server can easily be tracked from the central server's routing table. The user credentials and the session are also secured by SSL. Further security can be achieved by combining different security algorithms with SSL [9].

There is secured connectivity between the user and the central server, and between the central server and the cloud's servers. Due to this double encryption, the confidentiality and integrity requirements are met on both hops; the remaining requirements are addressed by the central server's tables and policies described above. Tracking the server is also simple, because a table records the cloud ID, server name, server ID and the name of the organisation that owns the server. So if a server cannot be connected to, we can track it. We also have to standardise all the servers in the cloud for a particular sector; in the banking sector, for example, the central banks and co-operative banks etc. have to come together and use standardised protocols to achieve this proposal. By standardising the education sector too, we can achieve a common place to gain knowledge and use the services accordingly. The routing table above (Table I) depicts the actual scenario.

VI. CONCLUSION
The model we have proposed has its own advantages for security and backup. Thanks to the middle server between the user and the cloud server, we can easily track both the user and the server in the cloud. We can also combine public and private clouds in a hybrid cloud. With SSL security, the security parameters are also taken into consideration. This model can help cloud computing reach new ends.

REFERENCES
[1] Peter Mell and Tim Grance, "The NIST Definition of Cloud Computing", http://csrc.nist.gov/groups/SNS/cloud-computing/
[2] Brian J. Dooley, "Architectural Requirements of the Hybrid Cloud", Information Management Online, February 10, 2010.
[3] Steve Lesem, "Cloud Storage for the Enterprise, Part 2: The Hybrid Cloud", January 25, 2010, http://cloudstoragestrategy.com/2010/01/cloud-storage-for-the-enterprise---part-2-the-hybrid-cloud.html
[4] R. Nicole, "Title of paper with only first word capitalized," J. Name Stand. Abbrev., in press.
[5] http://www.wikinvest.com/concept/Software_as_a_Service
[6] Tim Mather, Subra Kumaraswamy and Shahed Latif, "Cloud Security and Privacy", first edition, September 2009, pp. 529–551.
[7] "IBM Point of View: Security and Cloud Computing", cloud computing white paper, November 2009.
[8] Zhidong Shen, 2010 2nd International Conference on Signal Processing Systems (ICSPS), 2010.
[9] Palivela Hemant and Hemant Wani, "Development of Servers in Cloud Computing to Solve Issues Related to Security and Backup", CCIS-IEEE Conference, Beijing, China.