A Survey of Cloud Computing Security Challenges and Solutions
52 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 14, No. 1, January 2016
The Cloud Service Provider (CSP) outsources storage, servers, hardware, networking components, etc. to the consumer in the IaaS model. The CSP owns the equipment and is responsible for housing, running and maintaining it. In this model, the consumer pays on a per-use basis. Characteristics and components of IaaS include [14]:
• Service Level Agreement (SLA)
• Dynamic scaling
• Automation of administrative tasks
• Utility computing service and billing model
• Internet connectivity
• Desktop virtualization

The virtualization risks and vulnerabilities that particularly affect the IaaS delivery model are [17]:

1- Security threats sourced from the host
a- Monitoring VMs from the host
The control point in a virtual environment is the host machine: by design, the host is able to monitor and communicate with the applications running inside its VMs. Therefore, it is more necessary to strictly protect the host machines than to protect individual VMs [25]. VM-level protection is nevertheless crucial in a cloud computing environment. An enterprise can co-locate applications with different trust levels on the same host and still defend each VM in a shared multi-tenant environment, which lets enterprises maximize the benefits of virtualization. VM-level protection allows VMs to stay secure in today's dynamic data centers, and also as VMs travel between different environments: from on-premise virtual servers to private clouds to public clouds, and even between cloud vendors [15].

b- Communications between VMs and the host
Data transfer between VMs and the host flows over the virtual resources that the VMs share; in fact the host can monitor the network traffic of its own hosted VMs. Attackers can regard this as a useful feature and exploit it, for instance through a shared clipboard, which allows data to be transferred between VMs and the host by cooperating malicious programs inside the VMs [17].
It is not generally considered a bug or limitation when one can initiate monitoring, change, or communication with a VM application from the host. The host can:
• Start, shut down, pause, and restart VMs.
• Monitor and configure the resources available to the VMs, including the CPU, memory, disk, and network usage of each VM.
• Adjust the number of CPUs, the amount of memory, the size and number of virtual disks, and the number of virtual network interfaces available to a VM.
• Monitor the applications running inside the VM.
• View, copy, and possibly modify, data stored on the VM's virtual disks.
Unfortunately, the system administrator or any authorized user who has privileged control over the backend can misuse these capabilities.

2- Security threats sourced from other VMs
a- Monitoring VMs from another VM
Monitoring VMs could violate security and privacy, but new CPU architectures, integrated with a memory protection feature, could prevent such violations. A major reason for adopting virtualization is to isolate security tools from an untrusted VM by moving them to a separate trusted, secure VM [14, 15].

b- Communication between VMs
One of the most critical threats to the exchange of information between virtual machines is how that exchange is deployed. Sharing resources between VMs may strip away the security of each VM; for instance, collaboration through an application such as a shared clipboard, which allows data to be exchanged between VMs and the host, assists malicious programs in the VMs, and this situation violates security and privacy. A malicious VM may also get the chance to access other VMs through shared memory [16].

c- Denial of Service (DoS):
A DoS attack is an attempt to deny the services provided to authorized users. For example, when trying to access a site we find that, because the server is overloaded with requests for the site, we are unable to access it and see an error instead. This happens when the number of requests exceeds the capacity that the server can handle; a DoS attack thus makes part of the cloud inaccessible to its users [26]. Use of an Intrusion Detection System (IDS) is one of the useful methods of defense against this type of attack [27].
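The IDS defense recommended for the DoS case above, as an added example that is not code from the paper: an intrusion-detection style check run over constructed web-server access-log lines. It flags any single source that exceeds a per-source request rate within a sliding window, and, going one step beyond the text, also flags a distributed flood in which no single source is noisy but the total rate exceeds what the server is assumed to handle. The log format, IP addresses, window and thresholds are all assumptions constructed for the example.

```python
"""Rate-based request-flood detector over constructed access-log lines.

Added example, not code from the paper it accompanies. The Common Log Format
lines, the addresses and the thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: client ip, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line):
    """Return (ip, datetime) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # The timezone offset is dropped: all constructed lines share one zone.
    ts = datetime.strptime(m.group("ts").split()[0], TS_FMT)
    return m.group("ip"), ts


def detect_floods(lines, window_seconds=10, per_source_limit=20, total_limit=50):
    """Scan log lines in time order and return the alerts raised.

    per_source: sources that sent more than per_source_limit requests inside
                any window_seconds interval (single-source flood).
    aggregate:  True if all sources together exceeded total_limit requests in
                one window, the distributed flood that trips no per-source rule.
    """
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(deque)   # ip -> timestamps still inside the window
    everything = deque()              # all timestamps still inside the window
    alerts = {"per_source": set(), "aggregate": False}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                  # malformed line: skip rather than crash the IDS
        ip, ts = parsed
        q = per_source[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > per_source_limit:
            alerts["per_source"].add(ip)
        everything.append(ts)
        while everything and ts - everything[0] > window:
            everything.popleft()
        if len(everything) > total_limit:
            alerts["aggregate"] = True
    return alerts


def sample_log():
    """Constructed log: a normal client, one flooding source, and a distributed burst."""
    base = datetime(2016, 1, 15, 12, 0, 0)

    def fmt(ip, t):
        return f'{ip} - - [{t.strftime(TS_FMT)} +0000] "GET /index.html HTTP/1.1" 200'

    lines = []
    # Legitimate client (assumed address): one request every 20 seconds.
    for i in range(3):
        lines.append(fmt("198.51.100.5", base + timedelta(seconds=20 * i)))
    # Single-source flood: 30 requests in about 5 seconds.
    for i in range(30):
        lines.append(fmt("203.0.113.7", base + timedelta(seconds=60, milliseconds=150 * i)))
    # Distributed burst: 60 different sources, one request each, within 6 seconds.
    for i in range(60):
        lines.append(fmt(f"192.0.2.{i + 1}", base + timedelta(seconds=120, milliseconds=100 * i)))
    return lines


def run_example():
    """Run the detector over the constructed log and return its alerts."""
    return detect_floods(sample_log())


if __name__ == "__main__":
    print(run_example())
```

The per-source rule catches the classic single-client flood, while the aggregate rule is what actually corresponds to the paper's definition (requests exceeding server capacity) and is the only one that notices the 60-source burst; in practice the limits would be derived from measured server capacity rather than the constructed numbers used here.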
3- Networks & Internet Connectivity attacks
Practical solutions and techniques for eliminating these attacks or reducing their impact are listed as follows:
1- Logical network segmentation
2- Firewall implementation
3- Traffic encryption
4- Network monitoring

III- Platform as a Service (PaaS) security challenges
PaaS is a way to rent hardware over the Internet. PaaS provides the capability to manage applications without installing any platform or tools on the customer's local machines; it refers to providing platform-layer resources, including operating system support and software development frameworks, which can be used to build higher-level services [23]. Developers get many advantages from PaaS, including:
• The operating system can be changed and upgraded as many times as needed.
• PaaS allows geographically distributed teams to share information while developing software projects [14].
The use of virtual machines acts as a motivation in the PaaS layer of cloud computing. Virtual machines have to be protected against malicious attacks such as cloud malware. Therefore, maintaining the integrity of applications and enforcing accurate authentication checks during the transfer of data across all networking channels is fundamental [18].
PaaS security threats can be summarized as:
a- Data location
The actual platform is not a single host; the platform can be thought of as a group of clustered hosts. In fact the location of your data cannot be isolated to a specific sector on a specific host, and this adds security overhead, since a single location is easier to secure than many.
Another security issue is that duplication of data creates high availability of data for developers and users; this distributed data remains like any other data, the big difference being that in this case its exact location is unknown [24].
b- Privileged access
One of the most popular features advertised in PaaS is that software developers can use a debugger. Debugging grants access to data and memory locations in order to allow developers to modify values and test various outcomes, so the debugger provides a desirable tool for both developers and hackers [20].
c- Distributed systems
The PaaS file system is often highly distributed. The nodes can be independent, while the cloud service provider (CSP) owns the cluster, so standardized configuration paths will most likely be in place. The CSP should be able to provide the necessary security, but the responsibility for verifying this belongs to the client [1].
Practical solutions and techniques for eliminating these attacks or reducing their impact are listed as follows:
• Encapsulation: encapsulating access control policies with objects can be one of the solutions to the privileged access problem.
• Policy Enforcement Points (PEPs): a Policy Enforcement Point (PEP) is the logical entity or place on a server that makes admission control and policy decisions in response to a request from a user wanting to access a resource on a computer or network server. This is considered a solution for distributed systems [20].
• Trusted Computing Base (TCB): a TCB is a collection of executable code and configuration files that is assumed to be secure. The TCB is thoroughly analyzed for security flaws, installed as a layer over the operating system, and provides a standardized application programming interface (API) for the user objects. Encryption seems to be the best possible solution [21].

IV- Software as a Service (SaaS) security challenges
SaaS is also called "software on demand": using SaaS, a provider licenses an application to customers either on demand through a subscription or at no charge, and this is considered part of the utility computing model, where all technology in the cloud is accessed over the Internet as a service. SaaS was initially widely deployed for sales force automation and Customer Relationship Management (CRM). Now it has become commonplace for many business tasks, including computerized billing, invoicing, human resource management, financials, document management, service desk management and collaboration [14]. Software as a Service applications are accessed using web browsers over the Internet. Therefore, web browser security is vitally important. Information security officers will need to consider various methods of securing SaaS applications: Web Services (WS) Security, Extensible Markup Language (XML) encryption, Secure Sockets Layer (SSL) and the other available options that are used to protect data transmitted over the Internet [18].
The service provider has to verify that its multiple users do not violate each other's privacy; it is also very essential for the user to verify that the right security measures are in place, while at the same time it is difficult to get an assurance that the application will be available when needed [19].
SaaS security threats can be summarized as
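Two of the points above are close enough to share one worked example: the PaaS solutions list (access-control policy encapsulated with the object, a Policy Enforcement Point deciding every request, and the privileged-access risk of a debugger that exposes data and memory) and the SaaS requirement that one tenant's users must not be able to read another tenant's data. The example below is added here and is not code from the paper or from any cloud product: a plain record store with no checks, the defect as described, beside the same store fronted by a PEP whose decisions come from a separate policy function. The tenant names, record ids, role name and environment labels are constructed for the example.

```python
"""Policy Enforcement Point (PEP) in front of a multi-tenant record store.

Added example, not code from the paper it accompanies. Tenants, records,
the "platform-operator" role and the environment names are constructed.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    user: str
    tenant: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Record:
    record_id: str
    tenant: str   # owner tenant: the access policy is encapsulated with the object
    body: str


class RecordStore:
    """Plain store with no access checks: the defect the SaaS section warns about.
    Any caller that knows a record id can read it, whatever tenant owns it."""

    def __init__(self, records):
        self._records = {r.record_id: r for r in records}

    def read(self, record_id):
        return self._records[record_id].body

    def lookup(self, record_id):
        return self._records.get(record_id)

    def all_records(self):
        return list(self._records.values())


def decide(principal, action, resource, environment):
    """Policy Decision Point: pure policy, no side effects.

    read:  only the owning tenant may read a record.
    debug: the PaaS privileged-access point; a debugger exposes data and memory,
           so it needs the operator role and is never allowed in production.
    """
    if action == "read":
        return resource is not None and resource.tenant == principal.tenant
    if action == "debug":
        return "platform-operator" in principal.roles and environment != "production"
    return False   # default deny for any action the policy does not name


class PolicyEnforcementPoint:
    """Every request is decided here before the store is touched."""

    def __init__(self, store, environment):
        self._store = store
        self._environment = environment

    def read(self, principal, record_id):
        record = self._store.lookup(record_id)
        if not decide(principal, "read", record, self._environment):
            # One error for "missing" and "not yours": no cross-tenant id oracle.
            raise AccessDenied(f"{principal.user} may not read {record_id}")
        return record.body

    def debug_dump(self, principal):
        if not decide(principal, "debug", None, self._environment):
            raise AccessDenied(f"{principal.user} may not debug in {self._environment}")
        return self._store.all_records()


def denied(call):
    """True if the zero-argument call raises AccessDenied."""
    try:
        call()
    except AccessDenied:
        return True
    return False


def run_example():
    """Constructed tenants and records; returns what each access path allowed."""
    records = [Record("inv-1001", "acme", "ACME invoice, total 4200"),
               Record("inv-2001", "globex", "Globex invoice, total 9100")]
    alice = Principal("alice", "acme")                 # ordinary ACME user
    mallory = Principal("mallory", "globex")           # user of another tenant
    operator = Principal("ops", "provider", frozenset({"platform-operator"}))
    prod = PolicyEnforcementPoint(RecordStore(records), "production")
    staging = PolicyEnforcementPoint(RecordStore(records), "staging")
    return {
        # Without the PEP, knowing the id is enough to read another tenant's data.
        "leak_without_pep": RecordStore(records).read("inv-1001"),
        "owner_reads_own": prod.read(alice, "inv-1001"),
        "cross_tenant_blocked": denied(lambda: prod.read(mallory, "inv-1001")),
        "unknown_id_blocked": denied(lambda: prod.read(mallory, "inv-9999")),
        "debug_in_prod_blocked": denied(lambda: prod.debug_dump(operator)),
        "debug_without_role_blocked": denied(lambda: staging.debug_dump(alice)),
        "debug_in_staging_records": len(staging.debug_dump(operator)),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

The point of keeping `decide` separate from `PolicyEnforcementPoint` is the distributed-systems case the paper raises: the same policy function can be evaluated on every node of a cluster, while each node's PEP remains the single path to its local store, and the owner tenant travels with the record itself so the check needs nothing but the object and the caller.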