
Sumita Mukund, Student, Northeastern University

I. Abstract:

Cloud computing is the compilation of Software as a Service (SaaS), combined with those services being sold (Utility Computing). Cloud services are extremely attractive to companies because they allow developers to create internet services without the expense of hardware, and without the threat of overprovisioning or underprovisioning for a service that either doesn't perform or overextends the available resources. The following paper examines how security is currently applied to the cloud, reviews research on improving cloud security, and determines what the best approach to this complex issue is.

II. Introduction:

One of the biggest buzzwords in technology news today is cloud computing. Cloud computing applies SaaS and Utility Computing as a package to companies so that they may source their storage needs elsewhere. The cloud promises elasticity to companies who would rather have a more fluid payment and storage model with the ability to track changes in usage. This means that most cloud services have built-in dashboards that calculate computing and storage usage versus cost and relay them directly to the user so that they can adjust their usage accordingly. The cloud also allows users to access data at any time; all the user needs is their laptop, which increases productivity. The major draws to cloud computing are the savings, ease of use, and increased speed of projects. According to Financial Systems News, cloud vendors are growing at a rate of 90% per annum. Cloud services are a rapidly developing market, but there is one area of weakness within the cloud: security. The weaknesses in the way security is currently being applied to the cloud leave it open to attack, but with new research being done on how to strengthen the cloud, those gaps could be disappearing in the near future.

III. How Security is Currently Applied to Cloud Computing

There are several facets of security that present concerns: the interconnecting network between systems in a cloud, the mapping of VMs to physical machines, data security (encryption), and memory management all have to be secure for the cloud to be considered fully secure (Security Issues for Computing). Cloud computing security can be broken down into two overarching layers: user workloads have to be run separately so that a malware agent cannot enter, and each user has to keep their workload secure. There are deterrent controls, which aim to prevent attacks on a system but do not reduce vulnerability. Preventative controls try to patch vulnerable areas of the cloud to avoid attacks. Corrective controls try to reduce damage caused by an attack, and detective controls signal to preventative/corrective controls that an attack is occurring. The purpose of a combination of controls is to reduce the risk of an attack on a cloud server.

a. Current Practices

Secure practices are extremely important to companies because of the nature of the information and data that they deal with. An attack on the security of a company can cost millions of dollars. In a report published by Gartner in 2009, seven security factors were identified for customers selecting a cloud vendor:

Access control: Who is allowed to see or manage your data?
Regulatory compliance: How faithfully does the vendor adhere to security certifications?
Location of data: Where is your data physically being stored?
Data segregation: How well is your data kept distinct from other data?
Recovery mechanisms: What happens when disaster strikes?
Investigative support: How open and accessible is information?
Long-term integrity: Will your data be available if the company folds or gets swallowed up by a larger company?

b. A Brief Study of the Challenges that Cloud Security Faces

Companies such as Amazon try to employ these tactics within their cloud services. Amazon EC2 is an Infrastructure-as-a-Service cloud provider where users rent virtualized servers (called instances) on an hourly basis (ISECLAB). Amazon sets up the instances to be the responsibility of the user (Access Control). That is, the security is placed in the hands of the user, as opposed to Amazon. The graduate researchers immediately noticed that while the relationship between the user and the provider is clearly defined, the relationship between the user and the virtual image provider is not clear (Regulatory Compliance). In a test run by graduate researchers, the software vulnerabilities of the Amazon EC2 cloud were tested by creating an automated system that instantiates an AMI and runs a test suite in a Remote Scanner and a Local Scanner. The Remote Scanner retrieves all open ports and returns the index page of the web application that the user installs. The Local Scanner uploads and runs tests for vulnerability. There are four different tests: general, privacy, network, and security. Due to the nature of this paper, the security test results are what we will focus on. The security test looks for known rootkits (malware that hides certain programs from detection so that a hacker can have continued access to a computer) in Windows and Linux machines. The research group found two instances of malware infection. When they went back to manually confirm the first instance of malware, the infected files did not exist. Their belief is that the AMI was compromised by an automatically propagating malware during test execution. After the group concluded their experiments, they contacted the Amazon Security Team with their findings. They claim that Amazon reacted quickly and released a tutorial to help their customers protect their secure data.

Research such as this is vital for the continual improvement of cloud security. What it demonstrates is that there are several holes within the cloud. The one described above (rootkit security) is only one of the many tests that the group ran and found gaps in. The integration of security software within the cloud is not a one-dimensional problem, and in the next section we will discuss the potential solutions and research that can lead to a safer cloud.

IV. Select Research to Improve Cloud Security

In the study presented above, significant risks were shown in a seemingly secure cloud. While creating a tutorial for users to increase security is a good band-aid solution, the larger issues are the gaps in cloud security. Here, two new pieces of research regarding cloud security are compared to determine which would be the best option for cloud companies to implement with the greatest success rate.

a. Virtual Machine Introspection

Virtual Machine Introspection (VMI) is the process of looking at a virtual machine from the outside in order to study the software inside it. Research on VMI indicates that it can be prescriptive in detecting an intrusion within a cloud service before an attack occurs because it increases visibility. Garfinkel and Rosenblum claim that VMIs are strongly isolated from the host they are monitoring. This gives them a high degree of attack resistance and allows them to continue observing and reporting with integrity even if the host has been corrupted (Garfinkel). The virtual machine monitor is what helps create a VMI Intrusion Detection System (IDS). What this software does is create a virtualization of the hardware of one (physical) machine and then partition it into different virtual machines. The VMI promises to be more secure than current practices of cloud security because it isolates software by running it in a VM, inspects all states of a VM, and interposes on VM operations, which gives it the ability to be notified when code attempts to modify a register. The group tested their prototype, Livewire. They tested the effectiveness of their security policies against common attacks, and tested the performance of Livewire on sample workloads. Their results indicated that the multiple scanners and detectors that Livewire implemented worked to either prevent or detect various attacks. Overall, their conclusions indicate that VMI is a valid approach to detect intrusions in virtual machines at an acceptable performance rate.

b. Cryptographic Cloud Storage

Last year, Microsoft presented research on Cryptographic Cloud Storage (CCS). CCS relies on a data processor, a data verifier, and a token generator. CCS relies on cryptography to create a secure cloud system. CCS creates a cryptographic key for an application (the master key) that is stored locally on the application creator's machine. Whenever the creator uploads data to the cloud, the data processor is called. It then attaches metadata, and encrypts and encodes the data and metadata. When the creator wants to check the state of their data, the data verifier uses the master key to call the cloud storage provider and get the necessary information. When the creator wants to retrieve data, the token generator creates a token and a decryption key. Microsoft claims that the CCS system is more effective because the data is controlled by the customer, and the security properties are based on cryptography rather than on laws or physical security controls.

c. Which is a better option?

It is my opinion that Virtual Machine Introspection proves to be a better potential solution to cloud security. The reason is that it applies security to several layers of a cloud storage system such that attacks are prevented before they happen. Although cryptography is a historically documented security measure, the research presented by the graduate students on Amazon EC2 indicates that putting data control in the hands of the user gives them a false sense of security, thus opening the door for more attacks. CCS has not been as thoroughly tested as the Livewire VMI that Stanford researchers developed. Both VMI and CCS present unique and powerful tools to improve cloud security. However, the use of isolation, inspection, and interposition of the VMI makes it a better option. By creating a multilayer approach to cloud security, the VMM can encapsulate a virtual machine and create checkpoints, rather than deal with an attack after the fact.

V. Conclusions
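The Cryptographic Cloud Storage flow from section IV.b (data processor, data verifier, token generator), as an added Python example that is not code from this paper or from Microsoft's CCS work. Assumptions: the `cloud` dict stands in for the storage provider, an HMAC-SHA256 keystream stands in for a standard cipher such as AES, a MAC check stands in for the verifier's query to the provider, and all function names are hypothetical.

```python
import base64, hashlib, hmac, json, os

# Hypothetical names throughout; `cloud` is a dict standing in for the provider.
def subkey(master: bytes, label: str) -> bytes:
    """Derive a purpose-specific key from the locally held master key."""
    return hmac.new(master, label.encode(), hashlib.sha256).digest()

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter keystream; a stdlib stand-in for AES-CTR."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def token_generator(master: bytes, name: str):
    """Return (lookup token, decryption key) for one stored object."""
    return subkey(master, "tok:" + name).hex(), subkey(master, "enc:" + name)

def data_processor(master: bytes, name: str, plaintext: bytes, cloud: dict) -> str:
    """Attach metadata, encrypt, MAC and encode before anything leaves the client."""
    token, enc_key = token_generator(master, name)
    meta = json.dumps({"name": name, "size": len(plaintext)}).encode()
    nonce = os.urandom(16)
    ct = xor_stream(enc_key, nonce, meta + b"\n" + plaintext)
    tag = hmac.new(subkey(master, "mac"), nonce + ct, hashlib.sha256).digest()
    cloud[token] = base64.b64encode(nonce + ct + tag).decode()
    return token

def data_verifier(master: bytes, name: str, cloud: dict) -> bool:
    """Check that the provider still holds the object, unmodified."""
    raw = base64.b64decode(cloud.get(token_generator(master, name)[0], ""))
    if len(raw) < 48:  # missing object, or too short for nonce + tag
        return False
    expected = hmac.new(subkey(master, "mac"), raw[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, raw[-32:])

def retrieve(token: str, enc_key: bytes, cloud: dict):
    """Fetch and decrypt with only the token and decryption key (no master key)."""
    raw = base64.b64decode(cloud[token])
    nonce, ct = raw[:16], raw[16:-32]
    meta, _, plaintext = xor_stream(enc_key, nonce, ct).partition(b"\n")
    return json.loads(meta), plaintext
```

The provider only ever sees an opaque token and an encoded blob; integrity is checked by `data_verifier` before `retrieve` is trusted.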

Here I will lay out my conclusions [Not yet decided what my conclusions are]

VI. Acknowledgements

VII. References (not yet properly cited)

http://www.iseclab.org/people/embyte/papers/securecloud.pdf
http://suif.stanford.edu/papers/vmi-ndss03.pdf
http://www.sis.pitt.edu/~jjoshi/courses/IS2620/Spring13/S&P.pdf
http://incoming-proxy.ist.edu.gr/stfs_public/cs/msc/ReadingMaterial_MMSESEPE_oct2011/00_newrefdocs/sepe/Security%20in%20the%20Cloud%20(ACM_communications%2020 10).pdf
http://research.microsoft.com/en-us/people/klauter/cryptostoragerlcps.pdf
http://www.utdallas.edu/~hamlen/hamlen-ijisp10.pdf
http://research.microsoft.com/en-us/projects/cryptocloud/
http://www.idi.ntnu.no/emner/tdt60/papers/Cloud_Computing_Security_Risk.pdf
http://technet.microsoft.com/en-us/magazine/hh641415.aspx

Sumita, You have a great foundation for your final paper here. You haven't yet decided what your conclusions are, but I think the assimilation of ideas you have presented so far leaves you with a few very viable options. I like your organization of ideas and I think it does the reader justice with its concise transfer of information. Ways you can improve include putting visuals into your paper, and deciding what your conclusion is ;). I think a few charts might help get your ideas across. Honestly, most of the topics you are discussing are slightly over my head, as I have never been savvy with information in this field. With my general lack of knowledge aside, I was able to grasp a lot of the concepts you mentioned. Don't forget your in-text citations! I think your paper is coming along well, good luck with the final draft.

-Dustin
