A Project Report
ON
The degree of
By
1) NACHIKET JADHAV
2) ANIKET MATODKAR
3) ANISH MANDHARE
CLOUD COMPUTING SECURITY ISSUES
ABSTRACT
Cloud computing is an emerging paradigm which has become today’s hottest research area due
to its ability to reduce the costs associated with computing. In today’s era, it is the most
interesting and enticing technology, offering services to its users on demand over the internet.
Since cloud computing stores data and disseminated resources in an open environment,
security has become the main obstacle hampering the deployment of cloud
environments. Even though cloud computing is promising and efficient, there are many
challenges for data security, as there is no vicinity of the data for the cloud user. In this report, I
studied, with the help of a related survey, different research papers in the field of Cloud Security. I
identified different Issues, Vulnerabilities, Threats, Challenges and Risks associated with
Cloud Security. Some contributions and proposed techniques for Cloud Security by different
researchers are studied in depth and mentioned in the related work section.
Table of Contents
SR NO   TITLE
1       ABSTRACT
2       INTRODUCTION
3       Evolution of cloud computing
4.1     Characteristic of cloud computing
5       Need for security in cloud
5.1     Security & Privacy Attributes
5.3     Cloud Accountability
        Vulnerability
7       Different approaches to cloud computing
8       CONCLUSION
9       References
Introduction
Evolution of cloud computing
Cloud computing began to get both awareness and popularity in the early
2000s. When the concept of cloud computing originally came to prominence, most
people did not fully understand what role it fulfilled or how it helped an
organization. In some cases people still do not fully understand the concept of
cloud computing. Cloud computing can refer to business intelligence (BI),
complex event processing (CEP), service-oriented architecture (SOA), Software as
a Service (SaaS), Web-oriented architecture (WOA), and even Enterprise 2.0. With
the advent and growing acceptance of cloud-based applications like Gmail, Google
Calendar, Flickr, Google Docs, and Delicious, more and more individuals are now
open to using a cloud computing environment than ever before. As this need has
continued to grow so has the support and surrounding infrastructure needed to
support it. To meet those needs companies like Google, Microsoft, and Amazon
have started growing server farms in order to provide companies with the ability to
store, process, and retrieve data while generating income for themselves. To meet
this need Google has brought on-line more than a million servers in over 30 data
centers across its global network. Microsoft is also investing billions to grow its
own cloud infrastructure. Microsoft is currently adding an estimated 20,000 servers
a month. With this amount of processing, storage and computing power coming
online, the concept of cloud computing is more of a reality than ever before. The
growth of cloud computing had the net effect of businesses migrating to a new way
of managing their data infrastructure. This growth of cloud computing capabilities
has been described as driving massive centralization at its deep center to take
advantage of economies of scale in computing power, energy
consumption, cooling, and administration.
Cloud security challenges
CHARACTERISTICS OF CLOUD COMPUTING
• Broad network access - Capabilities are available over the network and accessed
through standard mechanisms that promote use by heterogeneous thin or thick
client platforms (e.g., mobile phones, laptops, and PDAs) as well as other
traditional or cloud-based software services.
Need for security in cloud
• Network security - Protecting the network over which the cloud is running from various
attacks (DoS, DDoS, IP spoofing, ARP spoofing) and any novel attacks that
intruders may devise. An attack on data affects a single user, whereas a successful
attack on the network has the potential to affect multiple users. Therefore network
security is of foremost importance.
Security & Privacy Attributes
to be ensured. Therefore it should ensure that transport protocols provide both
confidentiality and integrity. Confidentiality and integrity of data transmission need to
be ensured not only between enterprise storage and cloud storage but also between
different cloud storage services [1]. Threats to these attributes and defence
strategies are discussed below.
Cloud accountability
of cloud computing. From the cloud vendor's perspective, in order to achieve
maximum profitability, the cloud providers choose to multiplex applications
belonging to different customers to keep utilization high. The multiplexing may
cause providers to incorrectly attribute resource consumption to customers or
implicitly bear additional costs, therefore reducing their cost effectiveness. For
example, I/O time and internal network bandwidth are not metered, even though
each incurs non-trivial cost. Additionally, metering sharing effects, such as shared
memory
Defence strategies
• Accountable MapReduce (AMR): This problem has been addressed with
SecureMR, which adopts full task duplication to double check the processing result.
SecureMR requires that a task be executed twice, on two different machines, which
will double the total processing time. Additionally, SecureMR suffers false positives when
an identical faulty program processes the duplicated tasks.
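The duplication check described above can be sketched as follows. This is an added example, not code from SecureMR or from this report; the word-count task, the faulty program and all function names are hypothetical, and the input is constructed. It runs one task on two workers, compares result digests, and includes the case the bullet mentions where an identical faulty program processes both copies.

```python
import hashlib
import json
from collections import Counter


def honest_map(chunk):
    """Word-count map task: the computation the job owner intended."""
    return dict(Counter(chunk.split()))


def faulty_map(chunk):
    """Constructed faulty program: silently drops every 'error' token."""
    return dict(Counter(w for w in chunk.split() if w != "error"))


def digest(result):
    """Canonical SHA-256 digest so results from two machines can be compared."""
    blob = json.dumps(result, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()


def duplicated_task(chunk, worker_a, worker_b):
    """Run the same task on two workers; accept only if the digests match.

    Returns (accepted, result_from_a, executions). executions is always 2,
    which is the doubled processing cost of full task duplication.
    """
    res_a = worker_a(chunk)
    res_b = worker_b(chunk)
    return digest(res_a) == digest(res_b), res_a, 2


CHUNK = "login ok login error login ok error"  # constructed sample input


def run_cases():
    """Evaluate the check for honest, partly faulty and fully faulty pairs."""
    expected = honest_map(CHUNK)
    cases = {
        "both honest": (honest_map, honest_map),
        "one faulty worker": (honest_map, faulty_map),
        "same faulty program on both": (faulty_map, faulty_map),
    }
    report = {}
    for name, (a, b) in cases.items():
        accepted, result, _ = duplicated_task(CHUNK, a, b)
        report[name] = {"accepted": accepted, "correct": result == expected}
    return report


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(name, outcome)
```

In the third case the two digests agree, so the comparison alone cannot tell that the accepted result differs from the intended computation.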
Security Risk, Threats, Vulnerabilities
The technical risks classification includes problems or failures associated with the provided
services or technologies contracted from the cloud service provider. Examples of such risks
include, but are not limited to, resource-sharing isolation problems, malicious (insider or
outsider) attacks on the cloud provider, and any possibility of data leakage on
download/upload through communication channels.
The legal risks classification refers to issues that surround data being exchanged across
multiple countries that have different laws and regulations concerning data traversal,
protection requirements and privacy laws. Examples of such risks include, but are not limited to,
risks resulting from possible changes of jurisdiction and the liability or obligation of the
vendor in case of loss of data and/or business interruption.
Cloud Computing is based on a new utilization of technology, and many risks that used to be
present in other technological implementations still exist and are recognized as not cloud
specific. Risks like social engineering, physical security, lost or stolen backups, and loss or
compromise of security logs are just a few examples of such general security risks. The Cloud
Security Alliance (CSA) lists the following threats as the top risks associated with CC based
on their recent research: malicious insiders, data loss/leakage, abuse and nefarious use of CC
and shared technology vulnerabilities. Even though CSA prefers to prioritize risks, it is easy to
see that each of the listed threats can be included in the ENISA categories or as a non-cloud
specific, or general, security risk. Other researchers prefer to focus on
cloud specific vulnerabilities, without much focus on threats and risks. According to
such research, a particular vulnerability can be considered specific to cloud computing if it
meets any of the following criteria:
• It is intrinsic to or prevalent in a core technology of cloud computing, such as virtualization,
service-oriented architecture, and cryptography.
• It has its root cause in one of the essential cloud characteristics, such as elasticity, resource
pooling, and the pay-as-you-go model.
• It is caused by cloud innovations making existing (tried and tested) security controls hard
or impossible to implement; for example, management procedures that were created
initially for a fixed hardware structure do not port correctly to virtual machines.
• It is prevalent in established state-of-the-art cloud services.
To appropriately assess the risks that are introduced to an organization when using cloud
computing, these four categories based on the Economist's Business Risk model
(Managing Business Risks in the Information Age, 1998) can be used to identify possible risks:
access, availability, infrastructure, and integrity. In paper authors identified top seven security
threats to CC that are listed below:
Cloud computing has become a common term over the last decade, but the service
sometimes creates confusion. With all the new cloud options and the phrase “as a
service” seemingly tacked onto everything imaginable, it’s helpful to take a step
back and look at the differences between the main types of cloud deployment and
the different types of cloud computing services.
Cloud deployment describes the way a cloud platform is implemented, how it’s
hosted, and who has access to it. All cloud computing deployments operate on the
same principle by virtualizing the computing power of servers into segmented,
software-driven applications that provide processing and storage capabilities.
Public Cloud
Some public cloud examples include those offered by Amazon, Microsoft, or
Google. These companies provide both services and infrastructure, which are
shared by all customers. Public clouds typically have massive amounts of available
space, which translates into easy scalability. A public cloud is often recommended
for software development and collaborative projects. Companies can design their
applications to be portable, so that a project that’s tested in the public cloud can be
moved to the private cloud for production. Most cloud providers package their
computing resources as part of a service. Public cloud examples range from access
to a completely virtualized infrastructure that provides little more than raw
processing power and storage (Infrastructure as a Service, or IaaS) to specialized
software programs that are easy to implement and use (Software as a Service, or
SaaS).
The great advantage of a public cloud is its versatility and “pay as you go”
structure that allows customers to provision more capacity on demand. On the
downside, the essential infrastructure and operating system of the public cloud
remain under full control of the cloud provider. Customers may continue to use the
platform under the terms and conditions laid out by the provider, but they may
have difficulty repatriating their assets if they want to change providers. Should the
provider go out of business or make significant changes to the platform, customers
could be forced to make significant infrastructure changes on short notice. There’s
also the risk of an unpatched security vulnerability in the cloud architecture
exposing customers to risk.
Private Cloud
Private clouds usually reside behind a firewall and are utilized by a single
organization. A completely on-premises cloud may be the preferred solution for
businesses with very tight regulatory requirements, though private clouds
implemented through a colocation provider are gaining in popularity. Authorized
users can access, utilize, and store data in the private cloud from anywhere, just
like they could with a public cloud. The difference is that no one else can access or
utilize those computing resources. Private cloud solutions offer both security and
control, but these benefits come at a cost. The company that owns the cloud is
responsible for both software and infrastructure, making this a less economical
model than the public cloud.
The additional control offered by a private cloud makes it easier to restrict access
to valuable assets and ensures that a company will be able to move its data and
applications where it wants, whenever it wants. Furthermore, since the private
cloud isn’t controlled by an outside vendor, there’s no risk of sudden changes
disrupting the company’s entire infrastructure. A private cloud solution will also
not be affected by a public cloud provider’s system downtime. But private clouds
also lack the versatility of public clouds. They can only be expanded by adding
more physical compute and storage capacity, making it difficult to scale operations
quickly should the business need arise.
Hybrid Cloud
Hybrid clouds combine public clouds with private clouds. They are designed to
allow the two platforms to interact seamlessly, with data and applications moving
smoothly from one to the other.
The primary advantage of a hybrid cloud model is its ability to provide the scalable
computing power of a public cloud with the security and control of a private cloud.
Data can be stored safely behind the firewalls and encryption protocols of the
private cloud, then moved securely into a public cloud environment when needed.
This is especially helpful in the age of big data analytics, when industries like
healthcare must adhere to strict data privacy regulations while also using
sophisticated algorithms powered by artificial intelligence (AI) to derive actionable
insights from huge masses of unstructured data.
There are two commonly used types of hybrid cloud architecture. Cloudbursting
uses a private cloud as its primary cloud, storing data and housing proprietary
applications in a secure environment. When service demands increase, however,
the private cloud’s infrastructure may not have the capacity to keep up. That’s
where the public cloud comes in. A cloudbursting model uses the public cloud’s
computing resources to supplement the private cloud, allowing the company to
handle increased traffic without having to purchase new servers or other
infrastructure.
The second type of hybrid cloud model also runs most applications and houses
data in a private cloud environment, but outsources non-critical applications to a
public cloud provider. This arrangement is common for organizations that need to
access specialized development tools (like Adobe Creative Cloud), basic
productivity software (like Microsoft Office 365), or CRM platforms (like
Salesforce). Multi-cloud architecture is often deployed here, incorporating multiple
cloud service providers to meet a variety of unique organizational needs.
Community Cloud
Although not as commonly used as the other three models, community clouds are a
collaborative, multi-tenant platform used by several distinct organizations to share
the same applications. The users are typically operating within the same industry
or field and share common concerns in terms of security, compliance, and
performance.
In essence, a community cloud is a private cloud that functions much like a public
cloud. The platform itself is managed privately, either in a data center or on-
premises. Authorized users are then segmented within that environment. These
deployments are commonly used by government agencies, healthcare
organizations, financial services firms, and other professional communities.
CONCLUSION
Every new technology has its pros and cons; similar is the case with cloud
computing.
Although cloud computing provides easy data storage and access, there are
several issues related to storing and managing data that is not controlled by the owner
of the data. This paper discussed security issues for cloud. These issues include
cloud integrity, cloud confidentiality, cloud availability, and cloud privacy. There are several
threats to cloud confidentiality, including cross-VM attack and malicious sysadmin.
On the other hand, integrity of cloud is compromised due to data loss and dishonest
computation in remote servers. Denial of Service attack (DoS) is the most common
attack which is also possible in a cloud computing network. This attack attempts to
prevent the data from being available to its intended users. The last issue is cloud privacy, and
it is similar to cloud confidentiality. If cloud confidentiality is at risk, cloud privacy
will also be at risk.
References
Papers:
[2] K. Ren, C. Wang and Q. Wang, "Security Challenges for the Public Cloud",
Internet Computing, IEEE, vol. 16, no. 1, pp. 69-73, Jan/Feb 2012.
[3] Z. Xiao and Y. Xiao, "Security and Privacy in Cloud Computing", IEEE
Commun. Surveys and Tutorials, vol. 15, no. 2, pp. 843-859, Second quarter 2013.
[4] Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus
in Cloud Computing V2.1 (released December 17, 2009).
http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf (accessed
Jan. 13, 2011).