“Cloud Computing Security Issues in Infrastructure as a Service” report
Dept. Of ISE, SJBIT

CHAPTER 1 Introduction of Cloud Computing

According to Gartner’s Hype Cycle Special Report for 2009, “technologies at the ‘Peak of Inflated Expectations’ during 2009 include cloud computing, e-books and Internet TV, while social software and micro-blogging sites have tipped over the peak and will soon experience disillusionment among enterprise users”. Is cloud computing also heading for the trough of disillusionment?

The Internet is often represented as a cloud, and the term “cloud computing” arises from that analogy. Accenture defines cloud computing as the dynamic provisioning of IT capabilities (hardware, software, or services) from third parties over a network. McKinsey says that clouds are hardware-based services offering compute, network and storage capacity where: hardware management is highly abstracted from the buyer; buyers incur infrastructure costs as variable OPEX [operating expenditures]; and infrastructure capacity is highly elastic (up or down).

Large companies can afford to build and expand their own data centers, but small- to medium-sized enterprises often choose to house their IT infrastructure in someone else’s facility. A collocation center is a type of data center where multiple customers locate network, server and storage assets, and interconnect to a variety of telecommunications and other network service providers with a minimum of cost and complexity.

Software, Platform, and Infrastructure as a Service are the three main service delivery models for Cloud Computing. Those models are accessible as a service over the Internet. Cloud services are made available on a pay-as-you-go basis, where users pay only for the resources they actually use for a specific time, unlike traditional services such as web hosting. Furthermore, the pricing for cloud services generally varies according to QoS requirements.

The cloud deployment models, based on their relationship to the enterprise, are classified as private, public, and hybrid. Public Cloud services are sold as Utility Computing, while a private Cloud refers to the internal datacenters of an enterprise which are not available to
the general public. Examples of emerging Cloud Computing Platforms include Microsoft Azure, Amazon EC2, and Google App Engine.

The confusion between Cloud and Service Oriented Architecture (SOA) has prompted us to discuss this issue and offer a brief comparison between them. SOA and Cloud Computing can be considered complementary services sharing common characteristics. SOA is a set of principles and methodologies designed to facilitate systems integration and communication regardless of development languages and platforms; Cloud Computing, on the other hand, is designed to enable companies to utilize massive capacities instantly without having to invest in new infrastructure, train new staff, or license new software. Cloud Computing allows small and medium-sized businesses to completely outsource their datacenter infrastructure, and lets large companies that need huge load capacities avoid building larger, expensive datacenters internally. Cloud Computing employs virtualization technology to offer a secure, scalable, shared, and manageable environment. In short, regardless of the difference in design purposes and the dependency of Cloud Computing on virtualization technology, Cloud Computing might intersect with SOA in Components as a Service, e.g., SOA via Web Service standards. Therefore, Cloud Computing and SOA can be pursued independently, or concurrently as complementary activities, to provide an outstanding business.

Cloud Computing depends primarily on the IaaS layer to provide cheap, pay-as-you-go processing power, data storage, and other shared resources. This paper presents a detailed and precise study of IaaS security and privacy concerns. We have investigated security for each IaaS component: Service Level Agreement (SLA), Utility Computing (UC), Platform Virtualization, Networks & Internet Connectivity, and Computer Hardware. Furthermore, the security of Cloud software, which impacts IaaS and the whole of Cloud Computing, is presented. We are interested in the IaaS delivery model because it is the foundation of all other delivery models, and a lack of security in this layer affects the other delivery models that are built upon it.
CHAPTER 2 Cloud Computing

As we said previously, the term “the cloud” is often used as a metaphor for the Internet and has become a familiar cliché. However, when “the cloud” is combined with “computing,” it causes a lot of confusion. Defining the term in a very broad sense, some contend that anything beyond the firewall perimeter is in the cloud. A more tempered view of cloud computing considers it the delivery of computational resources from a location other than the one from which you are computing. Cloud computing is about moving services, computation and/or data, for cost and business advantage, off-site to an internal or external, location-transparent, centralized facility or contractor. By making data available in the cloud, it can be more easily and ubiquitously accessed, often at much lower cost, increasing its value by enabling opportunities for enhanced collaboration, integration, and analysis on a shared common platform. Cloud computing models that encompass a subscription-based or pay-per-use paradigm provide a service that can be used over the Internet and extends an IT shop’s existing capabilities. Many users have found that this approach provides a return on investment that IT managers are more than willing to accept.

Figure 2.1: Cloud Computing.
2.1 Cloud Architecture

In Cloud architecture, the systems architecture of the software systems involved in the delivery of cloud computing typically involves multiple cloud components communicating with each other over application programming interfaces, usually web services. (A systems architecture is the conceptual model that defines the structure, behavior, and other views of a system; an architecture description is a formal description and representation of a system. The term software system is often used as a synonym for computer program or software.) This resembles the Unix philosophy of having multiple programs each doing one thing well and working together over universal interfaces. Complexity is controlled and the resulting systems are more manageable than their monolithic counterparts.

Figure 2.2: Cloud Architecture.
2.2 Cloud Components

Figure 2.3: Cloud Components.

A cloud computing solution is made up of several elements: clients, the data centre, and distributed servers. As shown in the figure above, these components make up the three parts of a cloud computing solution. Each element has a purpose and plays a specific role in delivering a functional cloud-based application, so let’s take a closer look.

2.2.1 Clients

Clients are, in a cloud computing architecture, the exact same things that they are in a local area network (LAN). They are, typically, the computers that just sit on your desk. But they might also be laptops, tablet computers, mobile phones, or PDAs (Personal Digital Assistants or palmtop computers), all big drivers for cloud computing because of their mobility. In any case, clients are the devices that the end users interact with to manage their information on the cloud. Clients generally fall into three categories:
• Mobile: Mobile devices include PDAs or smartphones, like a BlackBerry, Windows Mobile smartphone or an iPhone.
• Thin: Thin clients are computers that do not have internal hard drives, but rather let the servers do all the work and then display the information.
• Thick: This type of client is a regular computer, using a web browser like Firefox or Internet Explorer to connect to the cloud.

Thin clients are becoming an increasingly popular solution, because of their price and effect on the environment. Some benefits to using thin clients include:
• Lower hardware costs: Thin clients are cheaper than thick clients because they do not contain as much hardware. They also last longer before they need to be upgraded or become obsolete.
• Lower IT costs: Thin clients are managed at the server and there are fewer points of failure.
• Security: Since the processing takes place on the server and there is no hard drive, there’s less chance of malware invading the device. Also, since thin clients don’t work without a server, there’s less chance of them being physically stolen.
• Data security: Since data is stored on the server, there’s less chance for data to be lost if the client computer crashes or is stolen.

2.2.2 Datacenter

The datacenter is the collection of servers where the application to which you subscribe is housed. It could be a large room in the basement of your building or a room full of servers on the other side of the world that you access via the Internet. A growing trend in the IT world is virtualizing servers. That is, software can be installed allowing multiple instances of virtual servers to be used. In this way, you can have half a dozen virtual servers running on one physical server. The number of virtual servers that can exist on a physical server depends on the size and speed of the physical server and what applications will be running on the virtual servers.
2.2.3 Distributed Servers

With distributed servers, the servers don’t all have to be housed in the same location. Often, servers are in geographically disparate locations. But to you, the cloud subscriber, these servers act as if they’re humming away right next to each other. This gives the service provider more flexibility in options and security. For instance, Amazon has its cloud solution in servers all over the world. If something were to happen at one site, causing a failure, the service would still be accessible through another site. Also, if the cloud needs more hardware, the provider need not put more servers in the same room; they can add them at another site and simply make them part of the cloud.
CHAPTER 3 Cloud Computing Deployment Models

Cloud computing architects provide three basic deployment models:
i. Public cloud
ii. Private cloud
iii. Hybrid cloud

IT organizations can choose to deploy applications on public, private, or hybrid clouds, each of which has its trade-offs. The terms public, private, and hybrid do not dictate location. While public clouds are typically “out there” on the Internet and private clouds are typically located on premises, a private cloud might be hosted at a collocation facility (a facility shared by several tenants) as well. Organizations have a number of considerations with regard to which cloud computing model to employ, and they might use more than one model to solve different problems. An application needed on a temporary basis might be best suited for deployment in a public cloud because it helps to avoid the need to purchase additional equipment to solve a temporary need. Likewise, a permanent application, or one that has specific requirements on quality of service or location of data, might best be deployed in a private or hybrid cloud.

3.1 Public Clouds

Public clouds are run by third parties, and applications from different customers are likely to be mixed together on the cloud’s servers, storage systems, and networks. Public clouds are most often hosted away from customer premises, and they provide a way to reduce customer risk and cost by providing a flexible, even temporary extension to enterprise infrastructure. If a public cloud is implemented with performance, security, and data locality in mind, the existence of other applications running in the cloud should be transparent to both cloud architects and end users. Portions of a public cloud can be carved out for the exclusive use of a single client, creating a virtual private datacenter. Rather than being limited to deploying virtual machine
images in a public cloud, a virtual private datacenter gives customers greater visibility into its infrastructure. Now customers can manipulate not just virtual machine images, but also servers, storage systems, network devices, and network topology.

3.2 Private Clouds

Private clouds are built for the exclusive use of one client, providing the utmost control over data, security, and quality of service. The company owns the infrastructure and has control over how applications are deployed on it. Private clouds may be deployed in an enterprise datacenter, and they also may be deployed at a collocation facility. Private clouds can be built and managed by a company’s own IT organization or by a cloud provider. In this “hosted private” model, a company such as Sun can install, configure, and operate the infrastructure to support a private cloud within a company’s enterprise datacenter. This model gives companies a high level of control over the use of cloud resources while bringing in the expertise needed to establish and operate the environment.

3.3 Hybrid Clouds

Hybrid clouds combine both public and private cloud models. They can help to provide on-demand, externally provisioned scale. The ability to augment a private cloud with the resources of a public cloud can be used to maintain service levels in the face of rapid workload fluctuations. This is most often seen with the use of storage clouds to support Web 2.0 applications. A hybrid cloud also can be used to handle planned workload spikes. Sometimes called “surge computing,” a public cloud can be used to perform periodic tasks that can be deployed easily on a public cloud. Hybrid clouds introduce the complexity of determining how to distribute applications across both a public and private cloud. Among the issues that need to be considered is the relationship between data and processing resources. If the data is small, or the application is stateless, a hybrid cloud can be much more successful than if large amounts of data must be transferred into a public cloud for a small amount of processing.
CHAPTER 4 Cloud Computing Service Models

In practice, cloud service providers tend to offer services that can be grouped into three categories: software as a service, platform as a service, and infrastructure as a service. These categories group together the various layers with some overlap.

Table 4.1: Cloud Computing Service Model

4.1 Software as a Service (SaaS)

Software as a service features a complete application offered as a service on demand. A single instance of the software runs on the cloud and services multiple end users or client organizations.
The most widely known example of SaaS is salesforce.com, though many other examples have come to market, including the Google Apps offering of basic business services including email and word processing. Although salesforce.com preceded the definition of cloud computing by a few years, it now operates by leveraging its companion force.com, which can be defined as a platform as a service.

4.2 Platform as a Service (PaaS)

Platform as a service encapsulates a layer of software and provides it as a service that can be used to build higher-level services. There are at least two perspectives on PaaS, depending on whether one is the producer or the consumer of the services:
• Someone producing PaaS might produce a platform by integrating an OS, middleware, application software, and even a development environment that is then provided to a customer as a service. For example, someone developing a PaaS offering might base it on a set of Sun xVM hypervisor virtual machines that include a NetBeans integrated development environment, a Sun GlassFish Web stack and support for additional programming languages such as Perl or Ruby.
• Someone using PaaS would see an encapsulated service that is presented to them through an API. The customer interacts with the platform through the API, and the platform does what is necessary to manage and scale itself to provide a given level of service.

Virtual appliances can be classified as instances of PaaS. A content switch appliance, for example, would have all of its component software hidden from the customer, and only an API or GUI for configuring and deploying the service provided to them. PaaS offerings can provide for every phase of software development and testing, or they can be specialized around a particular area such as content management. Commercial examples of PaaS include the Google App Engine, which serves applications on Google’s infrastructure. PaaS services such as these can provide a powerful basis on which to deploy applications; however, they may be constrained by the capabilities that the cloud provider chooses to deliver.
4.3 Infrastructure as a Service (IaaS)

Infrastructure as a service delivers basic storage and compute capabilities as standardized services over the network. Servers, storage systems, switches, routers, and other systems are pooled and made available to handle workloads that range from application components to high-performance computing applications. Commercial examples of IaaS include Joyent, whose main product is a line of virtualized servers that provide a highly available on-demand infrastructure.

4.4 Anything-as-a-Service (XaaS)

XaaS is also a subset of cloud computing. XaaS broadly encompasses a process of activating reusable software components over the network. The most common and successful example is Software-as-a-Service. The growth of “as-a-service” offerings has been facilitated by extremely low barriers to entry (they are often accessible for free or available as recurring charges on a personal credit card). As a result, such offerings have been adopted by consumers and small businesses well before pushing into the enterprise space. All “as-a-service” offerings share a number of common attributes, including little or no capital expenditure since the required infrastructure is owned by the service provider, massive scalability, multi-tenancy, and device and location independence allowing consumers remote access to systems using nearly any currently available technology. On the surface, it appears that XaaS is a potentially game-changing technology that could reshape IT. However, most CIOs still depend on internal infrastructures because they are not convinced that cloud computing is ready for prime time. Many contend that if you want real reliability, you must write more reliable applications. Regardless of one’s view on the readiness of cloud computing to meet corporate IT requirements, it cannot be ignored. The concept of pay-as-you-go applications, development platforms, processing power, storage, or any other cloud-enabled services has emerged and can be expected to reshape IT over the next decade.

4.5 Virtualization and Private Clouds

Virtualization of computers or operating systems hides the physical characteristics of a computing platform from users; instead it shows another, abstract computing platform. A
hypervisor is a piece of virtualization software that allows multiple operating systems to run on a host computer concurrently. Virtualization providers include VMware, Microsoft, and Citrix Systems. Virtualization is an enabler of cloud computing. Recently some vendors have described solutions that emulate cloud computing on private networks, referring to these as “private” or “internal” clouds (where “public” or “external” cloud describes cloud computing in the traditional mainstream sense). Private cloud products claim to deliver some of the benefits of cloud computing without the pitfalls. Hybrid solutions are also possible: building internal clouds and connecting customer data centers to those of external cloud providers. It has been reported that Eli Lilly wants to benefit from both internal and external clouds and that Amylin is looking at private cloud VMware as a complement to EC2. Other experts, however, are skeptical: one has even gone as far as to describe private clouds as absolute rubbish.

Platform Computing has recently launched a cloud management system, Platform ISF, enabling customers to manage workload across both virtual and physical environments and support multiple hypervisors and operating systems from a single interface. VMware, the market leader in virtualization technology, is moving into cloud technologies in a big way, with vSphere 4. The company is building a huge partner network of service providers and is also releasing a “vCloud API”. VMware wants customers to build a series of “virtual data centers”, each tailored to meet different requirements, and then have the ability to move workloads in the virtual data centers to the infrastructure provided by cloud vendors. Cisco, EMC and VMware have formed a new venture called Acadia. Its strategy for private cloud computing is based on Cisco’s servers and networking, VMware’s server virtualization and EMC’s storage. (Note, by the way, that EMC owns nearly 85% of VMware.) Other vendors, such as Google, disagree with VMware’s emphasis on private clouds; in return VMware says Google’s online applications are not ready for the enterprise.
CHAPTER 5 Cloud Security Alliance (CSA) Model

Understanding the relationships and dependencies between Cloud Computing models is critical to understanding Cloud Computing security risks. IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS, as described in the Cloud Reference Model diagram. In this way, just as capabilities are inherited, so are information security issues and risk. It is important to note that commercial cloud providers may not neatly fit into the layered service models. Nevertheless, the reference model is important for relating real-world services to an architectural framework and understanding the resources and services requiring security analysis. IaaS includes the entire infrastructure resource stack from the facilities to the hardware platforms that reside in them. It incorporates the capability to abstract resources (or not), as well as deliver physical and logical connectivity to those resources. Ultimately, IaaS provides a set of APIs which allow management and other forms of interaction with the infrastructure by consumers.

5.1 Key points of the CSA model:
i. IaaS is the most basic level of service, with PaaS and SaaS the next two levels of service above it.
ii. Moving upwards, each service inherits the capabilities and security concerns of the model beneath.
iii. IaaS provides the infrastructure, PaaS provides the platform development environment and SaaS provides the operating environment.
iv. IaaS has the least integrated functionality and integrated security, while SaaS has the most.
v. This model describes the security boundaries at which the cloud service provider's responsibility ends and the consumer's responsibilities begin.
vi. Any security mechanism below the security boundary must be built into the system, and anything above it should be maintained by the consumer.

Figure 5.1: Cloud Computing Cloud Security Alliance (CSA) Model
CHAPTER 6 Cloud Computing Security Issues

In order to ensure that data is secure (that it cannot be accessed by unauthorized users or simply lost) and that data privacy is maintained, cloud providers attend to the following areas of security and privacy.

Figure 6.1: Security Architecture Design

A security architecture framework should be established with consideration of processes (enterprise authentication and authorization, access control, confidentiality, integrity, non-repudiation, security management, etc.), operational procedures, technology
specifications, people and organizational management, and security program compliance and reporting. A security architecture document should be developed that defines security and privacy principles to meet business objectives. Documentation is required for management controls and metrics specific to asset classification and control, physical security, system access controls, network and computer management, application development and maintenance, business continuity, and compliance. A design and implementation program should also be integrated with the formal system development life cycle to include a business case, requirements definition, design, and implementation plans. Technology and design methods should be included, as well as the security processes necessary to provide the following services across all technology layers:
i. Authentication
ii. Authorization
iii. Availability
iv. Confidentiality
v. Integrity
vi. Accountability
vii. Privacy

The creation of a secure architecture provides the engineers, data center operations personnel, and network operations personnel a common blueprint to design, build, and test the security of the applications and systems. Design reviews of new changes can be better assessed against this architecture to assure that they conform to the principles described in the architecture, allowing for more consistent and effective design reviews.
CHAPTER 7 Deployment Models in Cloud Computing

7.1 Public Cloud

The deployment of a public cloud computing system is characterized on the one hand by the public availability of the cloud service offering and on the other hand by the public network that is used to communicate with the cloud service. The cloud services and cloud resources are procured from very large resource pools that are shared by all end users. These IT factories, which tend to be specifically built for running cloud computing systems, provision the resources precisely according to required quantities. By optimizing operation, support, and maintenance, the cloud provider can achieve significant economies of scale, leading to low prices for cloud resources. In addition, public cloud portfolios employ techniques for resource optimization; however, these are transparent to end users and represent a potential threat to the security of the system. If a cloud provider runs several datacenters, for instance, resources can be assigned in such a way that the load is uniformly distributed between all centers.

Figure 7.1: Three users accessing a public cloud
Some of the best-known examples of public cloud systems are Amazon Web Services (AWS), containing the Elastic Compute Cloud (EC2) and the Simple Storage Service (S3), which form an IaaS cloud offering, and the Google App Engine, which provides a PaaS to its customers. The customer relationship management (CRM) solution Salesforce.com is the best-known example in the area of SaaS cloud offerings.

7.2 Private Cloud

Private cloud computing systems emulate public cloud service offerings within an organization’s boundaries to make services accessible for one designated organization. Private cloud computing systems make use of virtualization solutions and focus on consolidating distributed IT services, often within data centers belonging to the company. The chief advantage of these systems is that the enterprise retains full control over corporate data, security guidelines, and system performance. In contrast, private cloud offerings are usually not as large-scale as public cloud offerings, resulting in worse economies of scale.

Figure 7.2: A user accessing a private cloud

7.3 Hybrid Cloud

A hybrid cloud service deployment model implements the required processes by combining the cloud services of different cloud computing systems, e.g. private and public cloud
services. The hybrid model is also suitable for enterprises in which the transition to full outsourcing has already been completed, for instance, to combine community cloud services with public cloud services.

Figure 7.3: Hybrid cloud usage

7.4 Community Cloud

In a community cloud, organizations with similar requirements share a cloud infrastructure. It may be understood as a generalization of a private cloud, a private cloud being an infrastructure which is only accessible by one certain organization.

Figure 7.4: Three users accessing a community cloud
CHAPTER 8 SECURITY CONTROL

Although the term Cloud Computing is widely used, it is important to note that not all Cloud Models are the same. As such, it is critical that organizations don't apply a broad-brush, one-size-fits-all approach to security across all models. Cloud Models can be segmented into Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). When an organization is considering Cloud security it should consider both the differences and similarities between these three segments of Cloud Models:

8.1 SaaS

This particular model is focused on managing access to applications. For example, policy controls may dictate that a sales person can only download particular information from sales CRM applications: they are only permitted to download certain leads, within certain geographies or during local office working hours. In effect, the security officer needs to focus on establishing controls regarding users' access to applications.

Figure 8.1: Cloud Service Model
8.2 PaaS

The primary focus of this model is on protecting data. This is especially important in the case of storage as a service. An important element to consider within PaaS is the ability to plan against the possibility of an outage from a Cloud provider. The security operation needs to consider providing for the ability to load balance across providers to ensure failover of services in the event of an outage. Another key consideration should be the ability to encrypt the data whilst stored on a third-party platform, and to be aware of the regulatory issues that may apply to data availability in different geographies.

8.3 IaaS

Within this model the focus is on managing virtual machines. The CSO's priority is to overlay a governance framework to enable the organization to put controls in place regarding how virtual machines are created and spun down, thus avoiding uncontrolled access and potentially costly wastage.
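The creation and spin-down controls described for IaaS, as an added example that is not part of the original report: a policy check that gates VM launch requests and sweeps an inventory for machines that should be reclaimed. The policy values, tag names, image names and the inventory are assumptions constructed here; a real implementation would read the inventory from the provider's API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example: governance over IaaS virtual machine creation and spin-down.
# Policy values, request fields and the inventory are constructed for illustration.
POLICY = {
    "approved_images": {"hardened-linux-2024.03", "hardened-windows-2024.03"},
    "required_tags": {"owner", "cost_center", "environment"},
    "allowed_environments": {"dev", "test", "prod"},
    # None means no forced expiry; dev and test boxes are reclaimed automatically.
    "max_lifetime": {"dev": timedelta(days=7), "test": timedelta(days=14), "prod": None},
    "public_ip_allowed_in": {"dev"},  # elsewhere, traffic must enter via a managed front end
    "max_instances_per_owner": 5,
}


@dataclass
class VMRequest:
    name: str
    image: str
    tags: dict
    public_ip: bool
    requested_by: str


@dataclass
class VM:
    name: str
    owner: str
    environment: str
    created_at: datetime
    last_seen_active: datetime


def validate_request(req, inventory, policy=POLICY):
    """Return the list of policy violations for a launch request; empty means approved."""
    violations = []
    if req.image not in policy["approved_images"]:
        violations.append(f"image {req.image!r} is not an approved hardened image")
    missing = policy["required_tags"] - set(req.tags)
    if missing:
        violations.append(f"missing required tags: {sorted(missing)}")
    env = req.tags.get("environment")
    if env is not None and env not in policy["allowed_environments"]:
        violations.append(f"unknown environment {env!r}")
    if req.public_ip and env not in policy["public_ip_allowed_in"]:
        violations.append("public IP address is only permitted in dev")
    if req.tags.get("owner") not in (None, req.requested_by):
        violations.append("owner tag must name the requesting identity")
    owned = sum(1 for vm in inventory if vm.owner == req.requested_by)
    if owned >= policy["max_instances_per_owner"]:
        violations.append(f"{req.requested_by} already owns {owned} instances")
    return violations


def find_spin_down_candidates(inventory, now, policy=POLICY, idle_after=timedelta(days=3)):
    """Return (vm_name, reason) for VMs past their environment's lifetime or idle too long."""
    candidates = []
    for vm in inventory:
        limit = policy["max_lifetime"].get(vm.environment)
        if limit is not None and now - vm.created_at > limit:
            candidates.append((vm.name, f"exceeded {vm.environment} lifetime of {limit.days} days"))
        elif now - vm.last_seen_active > idle_after:
            candidates.append((vm.name, f"idle for more than {idle_after.days} days"))
    return candidates


# Constructed inventory as the sweep would see it at NOW.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    VM("web-01", "alice", "prod", NOW - timedelta(days=400), NOW - timedelta(hours=1)),
    VM("dev-scratch", "bob", "dev", NOW - timedelta(days=10), NOW - timedelta(days=1)),
    VM("test-load", "alice", "test", NOW - timedelta(days=5), NOW - timedelta(days=4)),
]

GOOD_REQUEST = VMRequest("analytics-09", "hardened-linux-2024.03",
                         {"owner": "alice", "cost_center": "CC-42", "environment": "prod"},
                         public_ip=False, requested_by="alice")
BAD_REQUEST = VMRequest("quick-box", "ubuntu-latest", {"owner": "carol"},
                        public_ip=True, requested_by="carol")

if __name__ == "__main__":
    for req in (GOOD_REQUEST, BAD_REQUEST):
        problems = validate_request(req, INVENTORY)
        print(req.name, "->", "APPROVED" if not problems else "; ".join(problems))
    for name, reason in find_spin_down_candidates(INVENTORY, NOW):
        print("spin down", name, "because", reason)
```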
CHAPTER 9: THREATS AND SOLUTIONS SUMMARY FOR IAAS

Table 9.1: Threats and solutions summary for IaaS

A Security Model for IaaS (SMI) is proposed as a guide for assessing and enhancing security in each layer of the IaaS delivery model. The SMI model consists of three sides: IaaS components, the security model, and the restriction level. The front side of the cubic model is the components of IaaS, which were discussed thoroughly in the previous sections. The security model side includes three vertical entities, where each entity covers the entire set of IaaS components. The first entity is the Secure Configuration Policy (SCP), which guarantees a secure configuration for each layer in IaaS (hardware, software, or SLA configurations); misconfiguration incidents can jeopardize the security of the entire system. The second is the Secure Resources Management Policy (SRMP), which controls management roles and privileges. The last entity is Security Policy Monitoring and Auditing (SPMA), which is significant for tracking the system life cycle. The restriction policy side specifies the level of restriction for the security model entities. The level of restriction ranges from loose to tight depending on the provider, the client, and the service requirements. We hope the SMI model will be a good start for the standardization of IaaS layers. The model indicates the relation between IaaS components and security requirements, and eases security improvement in individual layers to achieve a fully secure IaaS system.
Conclusions

In cloud computing, end-to-end security is critical. Building blocks from TCG and commercial products built on these principles will help make the cloud environment more secure. Ongoing research from TCG and operating system or device security vendors will take advantage of the TPM, using additional software to enhance its capability for cloud computing. Other research on cloud computing security is under way at several companies. Today, the good news is that most cloud security issues can be addressed with well-known, existing techniques. The TPM can be an independent entity that works on behalf of cloud computing customers. Inside every server in the cloud, the TPM and associated software can check what is installed on each machine and verify the machine's health and proper performance. When it detects a problem, TNC technology can immediately restrict access to a device or server. For securing data at rest in the cloud, or in clients that access cloud data, self-encrypting drives based on Trusted Storage provide a strong solution. Organizations that have already implemented TCG-based solutions can leverage their corporate investment in hardware, software and policies and re-use them for cloud computing. If cloud computing represents an organization's initial implementation of TCG-based technology (used by the cloud provider), the rest of the organization should be re-evaluated for areas where TCG technology can provide improved internal security, including activating TPMs, use of self-encrypting drives, and network access control through TNC. In an emerging discipline like cloud computing, security needs to be analyzed more frequently. With advances in cloud technologies and an increasing number of cloud users, the dimensions of data security will continue to grow.
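The health check described above (the TPM measures what is installed, a verifier compares it with a known-good build, and access is restricted on mismatch) as an added example; this is constructed illustration code, not part of the original report, and it assumes a SHA-256 PCR, a simplified event log of component digests, and that the signature on the TPM quote has already been verified.

```python
import hashlib

PCR_INIT = bytes(32)  # a SHA-256 PCR reads all zeros after reset


def extend(pcr, digest):
    """TPM-style extend: new PCR = SHA-256(old PCR || digest of the loaded component)."""
    return hashlib.sha256(pcr + digest).digest()


def measure(components):
    """Build an event log [(name, SHA-256 of contents)] from components in load order."""
    return [(name, hashlib.sha256(blob).digest()) for name, blob in components]


def replay(log):
    """Recompute the PCR value that a given event log should produce."""
    pcr = PCR_INIT
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def assess(quoted_pcr, log, golden_log):
    """Return ("allow" | "quarantine", reason), the TNC-style decision for one server."""
    # 1. The reported log must reproduce the PCR the TPM quoted; if it does not,
    #    the log was altered in transit or on the host and cannot be trusted.
    if replay(log) != quoted_pcr:
        return "quarantine", "event log does not reproduce quoted PCR"
    # 2. Compare entry by entry with the known-good build to name the first divergence,
    #    which also catches components appended after the approved boot sequence.
    for i, (name, digest) in enumerate(log):
        if i >= len(golden_log) or golden_log[i] != (name, digest):
            return "quarantine", "unexpected measurement at %s" % name
    if len(log) < len(golden_log):
        return "quarantine", "component missing from boot sequence"
    return "allow", "measurements match known-good build"


# Constructed sample: the approved build of a cloud server and a server whose hypervisor differs.
GOLDEN = measure([("firmware", b"fw-1.2"), ("bootloader", b"grub-2.06"), ("hypervisor", b"xen-4.17")])

if __name__ == "__main__":
    tampered = measure([("firmware", b"fw-1.2"), ("bootloader", b"grub-2.06"), ("hypervisor", b"xen-modified")])
    print(assess(replay(GOLDEN), GOLDEN, GOLDEN))
    print(assess(replay(tampered), tampered, GOLDEN))
```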
In this paper, we have analyzed the data security risks and vulnerabilities that are present in current cloud computing environments. The most obvious finding to emerge from this study is that there is a need for better trust management. We have built a risk analysis approach based on the prominent security issues. The security analysis and risk analysis approach will help service providers assure their customers about data security. Similarly, the approach can also be used by cloud service users to perform risk analysis before putting their critical data in a security-sensitive cloud. At present, there is a lack of structured analysis approaches that can be used for risk analysis in cloud computing environments. The approach suggested in this paper is a first step towards analyzing data security risks, and it is easily adaptable for automation of risk analysis.