ISSN: 2278 – 1323
International Journal of Advanced Research in Computer Engineering & Technology
Volume 1, Issue 5, July 2012
An Initial Approach to Provide Security in Cloud Network
Dr. S. Srinivasu, K.P.R KrishnaChaitanya, K.Naresh Kumar
Abstract: Cloud computing is a flexible, cost-effective and proven delivery platform for providing business or consumer IT services over the Internet. Cloud resources can be rapidly deployed and easily scaled, with all processes, applications and services provisioned "on demand" regardless of user location or device. As a result, cloud computing gives organizations the opportunity to increase their service delivery efficiencies, streamline IT management and better align IT services with dynamic business requirements. In many ways, cloud computing offers the "best of both worlds", providing solid support for core business functions along with the capacity to develop new and innovative services. Although the benefits of cloud computing are clear, so is the need to develop proper security for cloud implementations, because without a security policy the availability of the cloud service can be compromised. The policy begins with assessing the risk to the network and building a team to respond. Continuation of the policy requires implementing a cloud security [1, 5] change management practice and monitoring the network for security violations in the cloud.

Key Words: Cloud computing, Policy Management, Security Violations, Cloud Services, DHCP Servers, Cloud Controls Matrix.

I. INTRODUCTION
Cloud computing provides Internet-based services, computing, and storage for users in all markets including financial, healthcare, and government. This new approach to computing allows users to avoid upfront hardware and software investments, gain flexibility, collaborate with others, and take advantage of the sophisticated services that cloud providers offer. However, security is a huge concern for cloud users.
Cloud services and virtualization are driving significant shifts in IT spending and deployments. Cloud services give companies the flexibility to purchase infrastructure, applications, and services from third-party providers with the goal of freeing up internal resources and recognizing cost savings. Virtualization allows maximum utilization of hardware and software, increasing cost savings as well.

_______________________
Dr. S. Srinivasu, CSE, Anurag Engineering College, Kodad, AP, India, 9849676303 (e-mail: sanikommusrinu@gmail.com).
KPR Krishna Chaitanya, IT, Anurag Engineering College, Kodad, AP, India, 9491892935 (e-mail: krishnachaitanya.kpr@gmail.com).
K. Naresh Kumar, CSE, Anurag Engineering College, Kodad, AP, India, 9849777621 (e-mail: nareshk03@gmail.com).

BENEFITS FOR THE CLOUD COMMUNITY
With the exponential increase in data deposited in cloud environments (both public and private), research in the area of data, information, and knowledge stored and processed in the cloud is timely. Data is stored in many different forms, and processed in a myriad of methods. There is a need for an authoritative voice in making sense of the key concerns with data storage and processing techniques. There is also an urgent requirement to align current practices with governance, risk and compliance regulations.
Cloud providers have recognized the cloud security concern and are working hard to address it. In fact, cloud security is becoming a key differentiator and competitive edge between cloud providers. By applying the strongest security techniques and practices, cloud security may soon be raised far above the level that IT departments achieve using their own hardware and software.
Before customers will entrust their IT needs to a cloud service [2], they need two things: first, assurance that the cloud infrastructure is secure and compliant, and second, visibility into their own security and compliance in the cloud or managed infrastructure. Managed service and cloud providers have the technology and support they need to address these cloud computing security concerns. That means customers can move to the cloud with confidence. It also means you, as a provider, have the opportunity for unprecedented growth and market differentiation in this highly competitive space. So it is very important to develop a cloud service that is highly secure. For that, each cloud resource center [4] has to follow the strategy below:
· define policy management.
· perform a risk analysis on that.
· take counter action for that.

II. UPSIDES AND DOWNSIDES OF THE CLOUD
Cloud computing is being adopted at a rapid rate because it has a large number of upsides for all kinds of businesses and increases efficiency. Enterprises are reducing storage costs by using online storage solution providers. This allows the enterprise to store massive amounts of data on third party servers. One of the major advantages is that the storage capacity is scalable and thus, the enterprise only pays for the
70
All Rights Reserved © 2012 IJARCET
amount of storage that it needs. Additionally, access to the data is available through any Internet connection.
Scalability and allocation of resources are the major advantages of virtualization. Virtualization allows administrators to use processing power more efficiently and share resources across hardware devices by servicing multi-tenant customers. Administrators can bring up virtual machines (VMs) [6] and servers quickly without having the overhead of ordering or provisioning new hardware. Hardware resources that are no longer required for a service or application can be reassigned quickly, and extra processing power can be consumed by other services for maximum efficiency. By leveraging all the available processing power and un-tethering the hardware from a single server model, cost efficiencies are realized in both private and public clouds.
Though the introduction of cloud computing is by no means the first technology shift to cause major security concerns, it is a significant milestone. Until recently, most organizations have stored and managed their most critical information assets in physically separated data centers, either on their own premises or within rented cages at large hosting providers.
But these upsides are tempered with potential downsides. Minimizing the data security risks while moving and storing data was easier for organizations to control within private data centers than within the cloud. Storing data in the cloud means that data will be intermingled on shared servers. If companies leap into the cloud without considering the unintended consequences, critical corporate data like customer information and intellectual property are at increased risk.
One of the most concerning downsides is the potential loss of control over some or all of the cloud environment that houses the data. Cloud computing is often divided into three main service types: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), and each impacts data control and governance a little differently. With IaaS, the customer may have full control of the actual server configuration, granting them more risk management control over the environment and data. In PaaS, the provider manages the hardware and underlying operating system [7], which limits enterprise risk management capabilities on those components. With SaaS, both the platform and the infrastructure are fully managed by the cloud provider, which means that if the underlying operating system or service isn't configured properly, the data in the higher layer application may be at risk.
There are a number of ways to protect data in the cloud. Some have already been referenced, such as access controls and monitoring. The purpose of this document is not to provide a comprehensive overview of cloud security. There are a number of excellent resources for readers that are looking for additional insight on the subject, including the Security Guidance for Critical Areas of Focus in Cloud Computing and the Cloud Controls Matrix (CCM) [8], both available from the Cloud Security Alliance (CSA).

III. DEFINE POLICY MANAGEMENT AND PERFORM A RISK ANALYSIS ON THAT.
While the public IT cloud has a silver lining for many adopters, it isn't without drawbacks, especially in regards to data protection. Once data has gone into a public cloud, data security and governance control is transferred in whole or in part to the cloud provider. Yet cloud providers are not assuming responsibility; e.g. Amazon's web services contract states "we strive to keep your content secure, but cannot guarantee that we will be successful at doing so, given the nature of the internet". When handing over the data, the enterprise forfeits all control of the security of the data, unless they protect the data beforehand.
One of the best ways to leverage the cost and efficiency benefits of the cloud and virtualization while keeping sensitive information secure is to protect the data using a security solution that delivers data-centric, file-level encryption that is portable across all computing platforms and operating systems and works within a private, public or hybrid cloud computing environment.
Nowadays, preventing security threats coming from outside the cloud is not a big deal; but what if the threat is within the organization?
Hence it is recommended to create usage policy statements that outline users' roles and responsibilities with regard to security. Create a general policy that covers all network systems in the cloud and data within the company. If any company has identified specific actions that could result in punitive or disciplinary actions against an employee, these actions and how to avoid them should be clearly articulated in this document.
Low Risk: Systems, data or virtual machines in the cloud that, if compromised (data viewed by unauthorized personnel, data corrupted, or data lost), would not disrupt the business or cause legal or financial ramifications. The targeted system or data can be easily restored and does not permit further access to other systems.
Medium Risk: Systems, data or virtual machines in the cloud that, if compromised (data viewed by unauthorized personnel, data corrupted, or data lost), would cause a moderate disruption in the business, minor legal or financial ramifications, or provide further access to other systems. The targeted system or data requires a moderate effort to restore, or the restoration process is disruptive to the system.
High Risk: Systems, data or virtual machines in the cloud that, if compromised (data viewed by unauthorized personnel, data corrupted, or data lost), would cause an extreme disruption in the business, cause major legal or financial ramifications, or threaten the health and safety of a person. The targeted system or data requires significant effort to restore, or the restoration process is disruptive to the business or other systems.
Next, assign this risk level to each of the core network devices, distribution network devices, access network devices and network monitoring devices in the cloud. If we apply the same classification to network equipment such as switches, routers, DNS servers, and DHCP servers [3]: these can allow further access into the network, and are therefore either medium or high risk devices. It is also possible that corruption of this equipment could cause the network itself to collapse. If we do so, 80% of the problem is solved.
Once you've assigned a risk level, it's necessary to identify the types of users of that cloud environment.
Admin of that cloud: responsible for internal users and network resources.
Internal users: it helps to provide limitations for local users while accessing cloud services.
Outside partners: external users with a need to access some resources.

System | Description | Risk Level | Types of Users
ATM switches | Core network device | High | Administrators for device configuration (support staff only); all others for use as a transport
Network routers | Distribution network device | High | Administrators for device configuration (support staff only); all others for use as a transport
ISDN or dial up servers | Access network device | Medium | Administrators for device configuration (support staff only); partners and privileged users for special access
Firewall | Access network device | High | Administrators for device configuration (support staff only); all others for use as a transport
DNS and DHCP servers | Network applications | Medium | Administrators for configuration; general and privileged users for use
External e-mail server | Network application | Low | Administrators for configuration; all others for mail transport between the Internet and the internal mail server
Internal e-mail server | Network application | Medium | Administrators for configuration; all other internal users for use

Taking Counter Action (Responding to Risk)

IV. APPROVING SECURITY CHANGES
Security changes are defined as changes to network equipment that have a possible impact on the overall security of the cloud service. The security policy should identify specific security configuration requirements in non-technical terms. In other words, instead of defining a requirement as "No outside source FTP connections will be permitted through the firewall", define the requirement as "Outside connections should not be able to retrieve files from the inside network". The admin will need to define a unique set of requirements for that organization.
The security team should review the list of plain language requirements to identify specific network configuration or design issues that meet the requirements. Once the team has created the required network configuration changes to implement the security policy, you can apply these to any future configuration changes. While it's possible for the security team to review all changes, this process allows them to only review changes that pose enough risk to warrant special treatment.
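The classification rules of section III, the device table above, and the section IV rule that only sufficiently risky changes go to the security team, put into code as an added example (this is not the paper's own code). The role names and the "medium or higher needs review" threshold are assumptions of the example.

```python
"""Added example (not the paper's code): encodes the Low/Medium/High criteria of
section III, the device inventory from its table, and the section IV idea that
only risky configuration changes go to the security team for review."""
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def classify(disruption: str, legal_financial: str,
             further_access: bool, safety_threat: bool) -> Risk:
    """Apply the paper's criteria to one system, data set or VM.
    disruption: "none" | "moderate" | "extreme"; legal_financial: "none" | "minor" | "major";
    further_access: a compromise would permit access to other systems;
    safety_threat: a compromise could threaten the health and safety of a person."""
    if disruption == "extreme" or legal_financial == "major" or safety_threat:
        return Risk.HIGH
    if disruption == "moderate" or legal_financial == "minor" or further_access:
        return Risk.MEDIUM
    return Risk.LOW


# Role names are this example's assumption; the paper's table speaks of
# administrators/support staff, partners, privileged users and "all others".
ADMIN, USER, PRIVILEGED, PARTNER = "admin", "internal_user", "privileged_user", "partner"
ALL = frozenset({ADMIN, USER, PRIVILEGED, PARTNER})


@dataclass(frozen=True)
class Device:
    name: str
    description: str
    risk: Risk
    configure: frozenset  # roles allowed to change the device configuration
    use: frozenset        # roles allowed to use it as a transport or service


# Inventory transcribed from the paper's table in section III.
INVENTORY = {d.name: d for d in (
    Device("ATM switches", "Core network device", Risk.HIGH, frozenset({ADMIN}), ALL),
    Device("Network routers", "Distribution network device", Risk.HIGH, frozenset({ADMIN}), ALL),
    Device("ISDN or dial-up servers", "Access network device", Risk.MEDIUM,
           frozenset({ADMIN}), frozenset({PARTNER, PRIVILEGED})),
    Device("Firewall", "Access network device", Risk.HIGH, frozenset({ADMIN}), ALL),
    Device("DNS and DHCP servers", "Network applications", Risk.MEDIUM,
           frozenset({ADMIN}), frozenset({USER, PRIVILEGED})),
    Device("External e-mail server", "Network application", Risk.LOW, frozenset({ADMIN}), ALL),
    Device("Internal e-mail server", "Network application", Risk.MEDIUM,
           frozenset({ADMIN}), frozenset({USER, PRIVILEGED})),
)}


def authorize(device_name: str, role: str, action: str) -> bool:
    """True if the table permits `role` to `action` ("configure" or "use") the device."""
    if action not in ("configure", "use"):
        raise ValueError(f"unknown action {action!r}")
    dev = INVENTORY[device_name]
    return role in (dev.configure if action == "configure" else dev.use)


def needs_security_review(device_name: str, action: str) -> bool:
    """Section IV: a configuration change on medium- or high-risk equipment is a
    security change for the security team; using a device, or reconfiguring a
    low-risk one, is not (the medium threshold is this example's assumption)."""
    return action == "configure" and INVENTORY[device_name].risk >= Risk.MEDIUM
```

A change request can thus be checked in two steps: `authorize` answers whether the requester's role may touch the device at all, and `needs_security_review` decides whether the authorized change still has to pass the security team before it is applied.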
Security Violations
When a violation is detected, the ability to protect network equipment, determine the extent of the intrusion, and recover normal operations depends on quick decisions. Having these decisions made ahead of time makes responding to an intrusion much more manageable. The first action following the detection of an intrusion is the notification of the security team. Without a procedure in place, there will be considerable delay in getting the correct people to apply the correct response. Define a procedure in your security policy that is available 24 hours a day, 7 days a week. Next you should define the level of authority given to the security team to make changes, and in what order the changes should be made. Possible corrective actions are:
· Implementing changes to prevent further access to the violation.
· Isolating the violated systems.
· Contacting the carrier or ISP in an attempt to trace the attack.
There are two reasons for collecting and maintaining information during a security attack: to determine the extent to which systems have been compromised by a security attack, and to prosecute external violations. The type of information and the manner in which you collect it differ according to your goal.
To determine the extent of the violation, do the following:
1. Record the event by obtaining sniffer traces of the network, copies of log files, active user accounts, and network connections.
2. Limit further compromise by disabling accounts, disconnecting network equipment from the network, and disconnecting from the Internet.
3. Back up the compromised system to aid in a detailed analysis of the damage and method of attack. Look for other signs of compromise. Often, when a system is compromised, there are other systems or accounts involved.
4. Maintain and review security device log files and network monitoring log files, as they often provide clues to the method of attack.
Following this example, create a monitoring policy for each area identified in your risk analysis. We recommend monitoring low-risk equipment weekly, medium-risk equipment daily and high-risk equipment hourly. If you require more rapid detection, monitor on a shorter time frame.
Lastly, your security policy should address how to notify the security team of security violations. Often, your network monitoring software will be the first to detect the violation. It should trigger a notification to the operations center, which in turn should notify the security team, using a pager if necessary.
To resolve this problem we can use RSA Adaptive Authentication as a solution. RSA Adaptive Authentication is a comprehensive authentication and risk management platform providing cost-effective protection for an entire user base. Adaptive Authentication monitors and authenticates user activities based on risk levels, institutional policies and customer segmentation, and can be implemented with most existing authentication methods, including:
Invisible authentication: Device identification and profiling.
Out-of-band authentication: Phone call, SMS or e-mail.
Challenge questions: Question- or knowledge-based authentication.
Multi-credential framework: For those organizations wanting more choices, Adaptive Authentication is designed to easily integrate with a large selection of other authentication methods. The Multi-credential Framework allows organizations to develop authentication methods via RSA Professional Services, "in-house" or through third parties, to customize Adaptive Authentication.
Site-to-user authentication: Assuring users that they are transacting with a legitimate Website by displaying a personal security image and caption that has been pre-selected by the user at login.

V. CONCLUSION
A cloud is an attractive infrastructure solution for web applications since it enables web applications to dynamically adjust their infrastructure capacity on demand. Hence, along with services, it is important to concentrate on security also. Policy management may solve the security problem, but it will not give a 100% alternative for the security problems in cloud services. Hence we have to check alternatives every time, because security problems in cloud computing do not have permanent solutions.
REFERENCES
1. Cloud Security Alliance: https://cloudsecurityalliance.org/
2. AT&T Cloud Services: https://www.synaptic.att.com/clouduser/compute_overview.htm
3. DHCP Server: http://technet.microsoft.com/en-us/windowsserver/dd448608.aspx
4. Cloud Resource Center: http://www.deitel.com/ResourceCenters/Programming/CloudComputing/tabid/3057/Default.aspx
5. NIST Cloud Reference and Architecture: http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/ReferenceArchitectureTaxonomy
6. Virtual Machines: Virtualization vs. Emulation: http://www.griffincaprio.com/blog/2006/08/virtual-machines-virtualization-vs-emulation.html
7. Operating System: http://www.computerhope.com/os.htm
8. Cloud Controls Matrix: https://cloudsecurityalliance.org/research/ccm/

Author Profile
Dr. S. Srinivasu received a Ph.D. (Computer Science Engineering) from the University of Allahabad and a Master of Technology from Mahatma Gandhi Kashi Vidyapeet, Varanasi, U.P. His research interests include Network Security and Cryptography (Security). He is currently working as a Professor in the department of Computer Science and Engineering in Anurag Engineering College, Kodad. He is a life member of ISTE and a member of CSI.

K.P.R. Krishna Chaitanya received a Master of Technology (Computer Science & Engineering) from Jawaharlal Nehru Technological University (JNTUH). His research interests include Information Security, Cloud Computing and Grid Computing. He is presently working as an Assistant Professor in the department of IT in Anurag Engineering College (AEC), Ananthagiri(V), Kodad(M), Nalgonda(Dt.), Andhra Pradesh, India. He is a professional member of ACM.

K. Naresh Kumar received a Master of Computer Applications (MCA) from Osmania University and a Master of Technology (Computer Science & Engineering) from Jawaharlal Nehru Technological University (JNTUH). His research interests include Information Security, Web Services, Cloud Computing and Mobile Computing. He is presently working as an Associate Professor in the department of CSE in Anurag Engineering College (AEC), Ananthagiri(V), Kodad(M), Nalgonda(Dt.), Andhra Pradesh, India.