This presentation was delivered at the 2nd International Conference on Recent Trends in Information Technology and Computer Science in Mumbai. The paper deals with security issues in Cloud Computing, its mitigation and proposes a secure cloud mechanism with an implementation of the single-sign on mechanism on the Ubuntu Enterprise Cloud
2. Cloud Computing: Security Issues, Mitigation andCloud Computing: Security Issues, Mitigation and
a Secure Cloud Architecturea Secure Cloud Architecture
Tejaswi AgarwalTejaswi Agarwal
School of Computing Science and EngineeringSchool of Computing Science and Engineering
Vellore Institute of Technology-ChennaiVellore Institute of Technology-Chennai
Amrit SahooAmrit Sahoo
Department of Computer Science andDepartment of Computer Science and
EngineeringEngineering
National Institute of Technology-TrichyNational Institute of Technology-Trichy
3. ABSTRACT
Cloud computing, an emerging field in Information technology has
changed the perception of infrastructure architectures, software delivery
and deployment models.
In a nutshell, cloud computing could be classified as a term for
delivering hosted services, dynamically scalable and shared resources
on the internet.
Research in this technology has gained tremendous momentum in the
past few years since its inception and one of the key research areas is
considered to be the security aspects of cloud computing.
4. OBJECTIVE
This paper will classify the three models of cloud computing,
some key differentiating aspects between cloud, grid and
distributed computing, a comprehensive study on the major
security concerns in cloud computing, its mitigation and
describe a secure cloud computing framework with an
implementation of Single Sign on mechanism on Ubuntu
Enterprise Cloud
5. INTRODUCTION
The most widely accepted definition of Cloud Computing given by
National Institute of Science and Technology, USA is “Cloud computing is
a model for enabling ubiquitous, convenient, on-demand network access to
a shared pool of configurable computing resources (e.g., networks, servers,
storage, applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction”
Cloud computing involves getting services at a much lesser cost for the
user, and the maintenance cost is zero as the service provider is responsible
for availability.
6. • Backgroud:Backgroud:
• SAAS:SAAS: Software as a service is software that is deployed as a hostedSoftware as a service is software that is deployed as a hosted
service and accessed over the Internet to run behind a firewall in your localservice and accessed over the Internet to run behind a firewall in your local
area network or personal computer. This is an “on-demand” model deployingarea network or personal computer. This is an “on-demand” model deploying
patches and upgrades to the application transparently, and delivering access topatches and upgrades to the application transparently, and delivering access to
end users over the Internet through a browser or smart-client applicationend users over the Internet through a browser or smart-client application
• PAAS:PAAS: PaaS can be defined as a computing platform that allows thePaaS can be defined as a computing platform that allows the
creation of web applications quickly and easily and without the complexity ofcreation of web applications quickly and easily and without the complexity of
buying and maintaining the software and infrastructure underneath it . PaaSbuying and maintaining the software and infrastructure underneath it . PaaS
enables the end user to create and maintain software using the libraries andenables the end user to create and maintain software using the libraries and
tools of the service provider.tools of the service provider.
• IAAS:IAAS: Infrastructure as a service refers to a facility availed byInfrastructure as a service refers to a facility availed by
organisations that offers users the leverage of extra support operations,organisations that offers users the leverage of extra support operations,
including storage, hardware, servers and networking components. Theincluding storage, hardware, servers and networking components. The
resources are owned by the service provider and the client pays on per-useresources are owned by the service provider and the client pays on per-use
basis.basis.
7.
8. CLOUD, GRID ANDCLOUD, GRID AND
DISTRIBUTED COMPUTINGDISTRIBUTED COMPUTING
• Cloud computing is a model where an application doesn't accessCloud computing is a model where an application doesn't access
resources it requires directly, rather it accesses them through aresources it requires directly, rather it accesses them through a
service.service.
• It has evolved out of the need for a more economic and scalableIt has evolved out of the need for a more economic and scalable
form of computing .form of computing .
• Distributed computing is the management of numerousDistributed computing is the management of numerous
computer systems which are limited in memory and processingcomputer systems which are limited in memory and processing
powerpower
• A Grid is a hardware and software infrastructure that clustersA Grid is a hardware and software infrastructure that clusters
and integrates high-end computers, networks, databases, andand integrates high-end computers, networks, databases, and
scientific instruments from multiple sources to form a singlescientific instruments from multiple sources to form a single
virtual system.virtual system.
9. Security Issues in Cloud Computing
• A. Insider and Outsider Threats :
• These trusted insiders are employees or contractors of the organization and are given
access to perform their daily duties and it is difficult to restrict their access.
• On the application level the cloud faces threats in the form of Denial of service (DoS)
attacks, Distributed Denial of service attacks (DDoS), backdoors, cookie poisoning
and also CAPTCHA breaking
• B. Loss of data :
• Data loss can occur in many forms such as downtimes, network or system failures. If a
vendor closes down due to legal issues, this might also pose a problem of data loss for
the user. Since the amount of data in the cloud is increasing at an exponential rate in
the cloud, handling data loss is a major challenge.
10. • C. Service Disruption and Account hijackingC. Service Disruption and Account hijacking
• Amazons EC2 and RDS services suffered a major outage for four days inAmazons EC2 and RDS services suffered a major outage for four days in
2011 when their data centre in Northern Virginia was affected. This service2011 when their data centre in Northern Virginia was affected. This service
disruption affected millions of cloud computing customersdisruption affected millions of cloud computing customers
• D. Abuse and unethical use of cloudD. Abuse and unethical use of cloud
computingcomputing
• Providers with weak registration process give anonymity and are potentialProviders with weak registration process give anonymity and are potential
targets of abuse. Cloud services are often taken advantage of to create botnettargets of abuse. Cloud services are often taken advantage of to create botnet
commands and control and host malicious data.commands and control and host malicious data.
• E. Confidentiality and PrivacyE. Confidentiality and Privacy
• Privacy concerns exist wherever personal information is collected and storedPrivacy concerns exist wherever personal information is collected and stored
digitally and improper disclosure control leads to privacy issues.digitally and improper disclosure control leads to privacy issues.
11. MITIGATION CONCEPTSMITIGATION CONCEPTS
• A. Insider and Outsider Threats:A. Insider and Outsider Threats: The first step wouldThe first step would
be to identify any abnormal behaviour that may indicate malicious attacks andbe to identify any abnormal behaviour that may indicate malicious attacks and
automatically block them. All sensitive data usage must be monitored andautomatically block them. All sensitive data usage must be monitored and
access to private data must be audited.access to private data must be audited.
• A careful monitoring of the network can help identify threats like DoS orA careful monitoring of the network can help identify threats like DoS or
DDoS attack whose symptoms include slowing down of network and requestDDoS attack whose symptoms include slowing down of network and request
from large number of users.from large number of users.
• B. Loss of data:B. Loss of data: The key to data loss prevention is a content andThe key to data loss prevention is a content and
context aware Data Loss Prevention (DLP) system. A DLP works by firstcontext aware Data Loss Prevention (DLP) system. A DLP works by first
identifying sensitive information that needs to be protected and indexes it. Itidentifying sensitive information that needs to be protected and indexes it. It
must provide agents to scan for sensitive data and threats. A DLP must bemust provide agents to scan for sensitive data and threats. A DLP must be
provided at various levels such as the Network layer; storage layer, endpointprovided at various levels such as the Network layer; storage layer, endpoint
DLP and file-level DLPDLP and file-level DLP
12. • C. Service disruptions and account hijackingC. Service disruptions and account hijacking
• Increase in capacity of servers handling requests as majorly serviceIncrease in capacity of servers handling requests as majorly service
disruptions are caused when an unexpected amount of request gets targeteddisruptions are caused when an unexpected amount of request gets targeted
at a particular clusterat a particular cluster..
• D. Abuse and nefarious use:D. Abuse and nefarious use: Stricter registration processStricter registration process
to check on multiple account creation by single user. Use of CAPTCHAs toto check on multiple account creation by single user. Use of CAPTCHAs to
make it difficult for automated account creationmake it difficult for automated account creation
• E. Confidentiality and Privacy :E. Confidentiality and Privacy : Maintaining flexibilityMaintaining flexibility
of identity management and offering users maximum choice and privacyof identity management and offering users maximum choice and privacy
protection.protection.
• 2. Ensuring system integrity that indicates whether a system has a trustworthy2. Ensuring system integrity that indicates whether a system has a trustworthy
executing environmentexecuting environment
13. SECURE CLOUDSECURE CLOUD
ARCHITECTUREARCHITECTURE
• A. Single sign-on and Authentication:A. Single sign-on and Authentication:
Single-sign on for all cloud users to enable usersSingle-sign on for all cloud users to enable users
to access multiple application and services thusto access multiple application and services thus
enabling a strong authentication at user levelenabling a strong authentication at user level
• B. Secure, consistent backups andB. Secure, consistent backups and
restoration of cloud-based resourcesrestoration of cloud-based resources
• C. Encryption of critical dataC. Encryption of critical data
• D. Increased availability:D. Increased availability:
14.
15. IMPLEMENTATIONIMPLEMENTATION
• The architecture of Eucalyptus [13], which is the mainThe architecture of Eucalyptus [13], which is the main
component of Ubuntu Enterprise Cloud, has beencomponent of Ubuntu Enterprise Cloud, has been
designed as modular set of five simple elements thatdesigned as modular set of five simple elements that
can be easily scaled:can be easily scaled:
• 1. Cloud Controller (CLC)1. Cloud Controller (CLC)
• 2. Walrus Storage Controller (WS3)2. Walrus Storage Controller (WS3)
• 3. Elastic Block Storage Controller (EBS)3. Elastic Block Storage Controller (EBS)
• 4. Cluster Controller (CC)4. Cluster Controller (CC)
• 5. Node Controller (NC5. Node Controller (NC))
17. Single Sign OnSingle Sign On
• Single sign on was implemented by using aSingle sign on was implemented by using a
central authentication server with thecentral authentication server with the
authentication server supplying user credentialsauthentication server supplying user credentials
to the appropriate server, whenever a clientto the appropriate server, whenever a client
requests to use an application on another server.requests to use an application on another server.
This was developed using PHP and JavascriptThis was developed using PHP and Javascript
[14] which enables a client to register on a[14] which enables a client to register on a
centralised server and store their credentials.centralised server and store their credentials.
This authentication proxy server uses an LDAPThis authentication proxy server uses an LDAP
database to maintain client credentials ofdatabase to maintain client credentials of
registered users.registered users.
18. CONCLUSION/FUTURE SCOPE
• The new era of “cloud computing” offers many benefits, includ-ing lower IT
costs and greater flexibility for businesses as well as new and easier ways for
individuals to connect, share common interests, and access information.
• This paper presented a complete structure of cloud computing, major security
risks and their mitigation and implementation of a secure cloud architecture
using which ser-vice provides could offer extensive services to customers with
complete security. Single sign-on greatly enhances the usability of the Cloud
environment by allowing users to authenticate once to access applications on
multiple machines.
• It is essential to know the fact that a single measure cannot completely resolve
the security issue, however, with a correct security strategy, multiple layers of
security control it is possible to reduce the threat and make the cloud
computing era a successful revolution
19. REFERENCES
[1] Farhan Bashir, Shaikh, “Security threats in Cloud Computing”
6th International conference on Internet Technology and Secure Transactions, IEEE 2011
[2] Jianfeng Yang, Zhibin Chen, “Cloud Computing Security issues” 978-1-4244-5392-4/10 2010 IEEE
[3] Ian Foster, Yong Zhao, Ioan Raicu, Shiyong Lu. "Cloud Computing and Grid Computing 360-Degree Compared",
IEEE Grid Computing Environments (GCE08) 2008, co-located with IEEE/ACM Supercomputing 2008.
[4] Alok Tripathy, Abhinav Mishra “Cloud computing security considerations” IEEE, 2011
[5] Rohit Bhadauria, Rituparna Chaki, Nabendu Chaki, Sugata Sanyal: A Survey on Security Issues in Cloud
Computing CoRR abs/1109.5388: (2011)
[6]Amazon Web services: Official Amazon report: http://aws.amazon.com
[7] Rocha F. “The Final Frontier: Confidentiality and Privacy in the Cloud” IEEE Volume:44 Issue:9 Sept. 2011
[8] Sara Qaisar ,Kausar Fiaz Khawaja “Cloud Computing: Network/Security Threats and Countermeasures”
Interdisciplinary Journal of Contempory research in business January 2012 Vol.3, No. 9
[9] T. Takebayashi et al.: Data Loss Prevention Technologies FUJITSU Sci. Tech. J., Vol. 46, No. 1 (January 2010)
[10] David Q. Liu Shilpashree Srinivasamurthy “Survey on Cloud Computing Security” IEEE-2011
[11] Jeff Naruchitparames and Mehmet Hadi Gunes, “Enhancing Data Privacy and Integrity in the Cloud”.
[12] W. Mao, F. Yan, and C. Chen, “Daonity: grid security with behaviour conformity from trusted computing,” in 1st
ACM workshop on Scalable trusted computing. ACM, 2006, pp. 43–46.
[13] Johnson D, Kiran Murari, Murthy Raju, Suseendran RB, Yogesh Girikumar, ”Eucalyptus Beginner s Guide -‟
UEC Edi-tion”, v1.0, 25 May 2010, CSS Corp. Pvt. Ltd.
[14] http://techportal.ibuildings.com/2009/03/31/php-and-the-cloud/
[15] Andrew Sudbury, Director, Security Metrics Design & Best
Practices, ”Highlights of a Security Scorecard Project”,
ClearPoint Metrics.