ABSTRACT

Cloud computing is basically an Internet-based network made up of large numbers of

servers - mostly based on open standards, modular and inexpensive. Clouds contain
vast amounts of information and provide a variety of services to large numbers of
people. The benefits of cloud computing are Reduced Data Leakage, Decrease evidence
acquisition time, they eliminate or reduce service downtime, they Forensic readiness, they
Decrease evidence transfer time. The main factor to be discussed is security of cloud
computing, which is a risk factor involved in major computing fields

CLOUDCOMPUTING

What is a Cloud computing?

• Cloud computing is Internet-
("CLOUD-") based development User of the cloud only care about the
and use of computer service or information they are accessing
• technology ("COMPUTING") - be it from their
Cloud computing is a general term for PCs, mobile devices, or anything else
anything that involves connected to the Internet - not about the
delivering hosted services over underlying details
the Internet. of how the cloud works.”
• It is used to describe both a
platform and type of application. HISTORY
• Cloud computing also describes The Cloud is a metaphor for the Internet,
applications that are extended to derived from its common depiction in
be accessible through the network diagrams
• Internet. (or more generally components which
are managed by others) as a cloud
• These cloud applications use
outline.
large data centers and powerful
The underlying concept dates back to
servers that host Web
1960 when John McCarthy opined that
• applications and Web services. "computation may
• Anyone with a suitable Internet someday be organized as a public
connection and a standard utility" (indeed it shares characteristics
browser can access a cloud with service bureaus
• application. which date back to the 1960s) and the
term The Cloud was already in
commercial use around
the turn of the 21st century. Cloud
computing solutions had started to
appear on the market,
though most of the focus at this time was
on Software as a service.
2007 saw increased activity, including Infrastructure-as-a-Service (IaaS):
Goggle, IBM and a number of Infrastructure-as-a-Service(IaaS) like
universities embarking on Amazon Web Services provides virtual
a large scale cloud computing research servers with unique
project, around the time the term started IP addresses and blocks of storage on
gaining popularity demand. Customers benefit from an API
in the mainstream press. It was a hot from which they
topic by mid-2008 and numerous cloud can control their servers. Because
computing events customers can pay for exactly the
had been scheduled. amount of service they use,
like for electricity or water, this service
is also called utility computing.
WHAT IS DRIVING CLOUD Platform-as-a-Service (PaaS):
COMPUTING? Platform-as-a-Service(PaaS) is a set of
The CLOUD COMPUTING is driving software and development tools hosted
in two types of categories .They are as on the provider's
follows: servers. Developers can create
applications using the provider's APIs.
• Customer perspective Google Apps is one of the
• Vendor perspective most famous Platform-as-a-Service
Customer perspective: providers. Developers should take notice
 In one word: economics that there aren't any
 Faster, simpler, cheaper to use cloud interoperability standards (yet), so some
computation. providers may not allow you to take
 No upfront capital required for your application and
servers and storage. put it on another platform.
Software-as-a-Service (SaaS):
 No ongoing for operational expenses
Software-as-a-Service (SaaS) is the
for running datacenter.
broadest market. In this case the
 Application can be run from provider allows the
anywhere. customer only to use its applications.
Vendor perspective: The software interacts with the
 Easier for application vendors to user through a user
reach new customers. interface. These applications can be
 Lowest cost way of delivering anything from web based email,
and supporting applications. to applications like
 Ability to use commodity server Twitter or Last.fm.
and storage hardware. Types by visibility:
 Ability to drive down data center Public cloud:
operational cots. Public cloud or external cloud describes
Types of services: cloud computing in the traditional
These services are broadly divided mainstream sense,
into three categories: whereby resources are dynamically
Infrastructure-as-a-Service (IaaS) provisioned on a fine-grained, self-
Platform-as-a-Service (PaaS) service basis over the
Software-as-a-Service (SaaS).
Internet, via web applications/web IT, there is some uncertainty whether
services, from an off-site third-party they are a reality even within the same
provider who firm. Analysts also
shares resources and bills on a fine- claim that within five years a "huge
grained utility computing basis. percentage" of small and medium
Hybrid cloud: enterprises will get most
A hybrid cloud environment consisting of their computing resources from
of multiple internal and/or external external cloud computing providers as
providers] "will be they "will not have
typical for most enterprises". A hybrid economies of scale to make it worth
cloud can describe configuration staying in the IT business" or be able to
combining a local device, afford private clouds.
such as a Plug computer with cloud Analysts have reported on Platform's
services. It can also describe view that private clouds are a stepping
configurations combining virtual stone to external
and physical, colocated assets—for clouds, particularly for the financial
example, a mostly virtualized services, and that future datacenters will
environment that requires look like internal
physical servers, routers, or other clouds.
hardware such as a network appliance The term has also been used in the
acting as a firewall or logical rather than physical sense, for
spam filter. example in reference to
Private cloud: platform as a service offerings, though
Private cloud and internal cloud are such offerings including Microsoft's
neologisms that some vendors have Azure Services Platform are not
recently used to describe available for on-premises deployment.
offerings that emulate cloud computing
on private networks. These (typically
virtualisation How does cloud computing work?
automation) products claim to "deliver Supercomputers today are used mainly
some benefits of cloud computing by the military, government intelligence
without the pitfalls", agencies,
capitalising on data security, corporate universities and research labs, and large
governance, and reliability concerns. companies to tackle enormously
They have been complex
criticized on the basis that users "still calculations for such tasks as simulating
have to buy, build, and manage them" nuclear explosions, predicting climate
and as such do not change, designing
benefit from lower up-front capital costs airplanes, and analyzing which proteins
and less hands-on management[, in the body are likely to bind with
essentially "[lacking] potential new drugs.
the economic model that makes cloud Cloud computing aims to apply that kind
computing such an intriguing concept". of power—measured in the tens of
While an analyst predicted in 2008 that trillions of
private cloud networks would be the
future of corporate
computations per second—to problems
like analyzing risk in financial
portfolios, delivering
personalized medical information, even
powering immersive computer games, in
a way that users
can tap through the Web. It does that by
networking large groups of servers that
often use
low-cost consumer PC technology, with
specialized connections to spread data-
processing
chores across them. By contrast, the
newest and most powerful desktop PCs
process only about
3 billion computations a second. Let's
say you're an executive at a large
corporation. Your
particular responsibilities include
making sure that all of your employees A typical cloud computing system
have the right Soon, there may be an alternative for
hardware and software they need to do executives like you. Instead of installing
their jobs. Buying computers for a suite of
everyone isn't software for each computer, you'd only
enough -- you also have to purchase have to load one application. That
software or software licenses to give application would
employees the tools allow workers to log into a Web-based
they require. Whenever you have a new service which hosts all the programs the
hire, you have to buy more software or user would
make sure need for his or her job. Remote machines
your current software license allows owned by another company would run
another user. It's so stressful that you everything
find it difficult to go. from e-mail to word processing to
complex data analysis programs. It's
called cloud computing,
and it could change the entire computer
industry.
In a cloud computing system, there's a
significant workload shift. Local
computers no longer have
to do all the heavy lifting when it comes
to running applications. The network of
computers that
make up the cloud handles them instead.
Hardware and software demands on the
user's side
decrease. The only thing the user's backup tapes? The data “landmines” of
computer needs to be able to run is the today could be greatly reduced by the
cloud computing Cloud
system's interface software, which can as thin client technology becomes
be as simple as a Web browser, and the prevalent. Small, temporary caches on
cloud's network handheld devices
takes care of the rest. or Netbook computers pose less risk than
There's a good chance you've already transporting data buckets in the form of
used some form of cloud computing. If laptops.
you have an Ask the CISO of any large company if
e-mail account with a Web-based e-mail all laptops have company ‘mandated’
service like Hotmail, Yahoo! Mail or controls
Gmail, then you've consistently applied; e.g. full disk
had some experience with cloud encryption. You’ll see the answer by
computing. Instead of running an e-mail looking at the
program on your whites of their eyes. Despite best efforts
computer, you log in to a Web e-mail around asset management and endpoint
account remotely. The software and security
storage for your we continue to see embarrassing and
account doesn't exist on your computer disturbing misses. And what about
-- it's on the service's computer cloud. SMBs? How many
SEVEN TECHNICAL SECURITY use encryption for sensitive data, or even
BENEFITS OF THE have a data classification policy in
CLOUD: place?
• Monitoring benefits: central
storage is easier to control and
monitor. The flipside is
the nightmare scenario of
comprehensive data theft. However, I
would rather spend my time
as a security professional figuring out
smart ways to protect and monitor access
to data
stored in one place (with the benefit of
situational advantage) than trying to
figure out
all the places where the company data
1. CENTRALIZED DATA: resides across a myriad of thick clients!
• Reduced Data Leakage: this is
You can get
the benefit I hear most from the benefits of Thin Clients today but
Cloud providers - and in my Cloud Storage provides a way to
view they are right. How many laptops centralize the data
do we need to lose before we get this? faster and potentially cheaper. The
How many logistical challenge today is getting
Terabytes of data to
the Cloud in the first place.
2. INCIDENT RESPONSE / hours whilst I dig around in the
FORENSICS: RAID Array hoping that my
• Forensic readiness: with physical acqusition toolkit is
Infrastructure as a Service (IaaS) compatible (and that the version
providers, I can build a of RAID firmware isn’t
dedicated forensic server in the same supported by my forensic
Cloud as my company and place it software). Abstracting the
offline, ready for hardware removes a barrier to
use when needed. I would only need even doing forensics in some
pay for storage until an incident happens situations.
and I need to • Decrease evidence transfer
bring it online. I don’t need to call time: In the same Cloud, bit fot
someone to bring it online or install bit copies are super fast - made
some kind of faster by that replicated,
remote boot software - I just click a distributed file system my Cloud
button in the Cloud Providers web provider engineered for me.
interface. If I have From a network traffic
multiple incident responders, I can give perspective, it may even be free
them a copy of the VM so we can to make the copy in the same
distribute the Cloud. Without the Cloud, I
forensic workload based on the job at would have to a lot of time
hand or as new sources of evidence arise consuming and expensive
and need provisioning of physical devices.
analysis. To fully realise this benefit, I only pay for the storage as long
commercial forensic software vendors as I need the evidence.
would • Eliminate forensic image
need to move away from archaic, verification time: Some Cloud
physical dongle based licensing schemes Storage implementations expose
to a network a cryptographic checksum or
licensing model. hash. For example, Amazon S3
• Decrease evidence acquisition generates an MD5 hash
time: if a server in the Cloud gets automagically when you store an
compromised (i.e. object. In theory you no longer
broken into), I can now clone that server need to generate time-consuming
at the click of a mouse and make the MD5 checksums using external
cloned tools - it’s already there.
disks instantly available to my Cloud • Decrease time to access
Forensics server. I didn’t need to “find” protected documents: Immense
storage CPU power opens some doors.
or have it “ready, waiting and unused” - Did the suspect password protect
its just there. a document that is relevant to the
• Eliminate or reduce service investigation? You can now test
downtime: Note that in the a wider range of candidate
above scenario I didn’t have to passwords in less time to speed
go tell the COO that the system investigations.
needs to be taken offline for
3. PASSWORD ASSURANCE size. Now you can ‘opt-in’ easily - if
TESTING (AKA you are willing to pay for the
CRACKING): enhanced logging, you can do so.
• Decrease password cracking Granular logging makes compliance
time: if your organization and investigations easier.
regularly tests password strength 5. IMPROVE THE STATE OF
by running password crackers SECURITY SOFTWARE
you can use Cloud Compute to (PERFORMANCE):
decrease crack time and you only • Drive vendors to create more
pay for what you use. Ironically, efficient security software:
your cracking costs go up as Billable CPU cycles get noticed.
people choose better More attention will be paid to
passwords ;-). inefficient processes; e.g. poorly
• Keep cracking activities to tuned security agents. Process
dedicated machines: if today accounting will make a
you use a distributed password comeback as customers target
cracker to spread the load across ‘expensive’ processes. Security
non-production machines, you vendors that understand how to
can now put those agents in squeeze the most performance
dedicated Compute instances - from their software will win.
and thus stop mixing sensitive 6. SECURE BUILDS:
credentials with other workloads. • Pre-hardened, change control
4. LOGGING: builds: this is primarily a benefit
• “Unlimited”, pay per drink of virtualization based Cloud
storage: logging is often an Computing. Now you get a
afterthought, consequently chance to start ’secure’ (by your
insufficient disk space is allocated own definition) - you create your
and logging is either non-existant or Gold Image VM and clone away.
minimal. Cloud Storage changes all There are ways to do this today
this - no more ‘guessing’ how much with bare-metal OS installs but
storage you need for standard logs. frequently these require
• Improve log indexing and search: additional 3rd party tools, are
with your logs in the Cloud you can time consuming to clone or add
leverage Cloud Compute to index yet another agent to each
those logs in real-time and get the endpoint.
benefit of instant search results. • Reduce exposure through
What is different here? The Compute patching offline: Gold images
instances can be plumbed in and can be kept up securely kept up
scale as needed based on the logging to date. Offline VMs can be
load - meaning a true real-time view. conveniently patched “off” the
• Getting compliant with Extended network.
logging: most modern operating • Easier to test impact of security
systems offer extended logging in changes: this is a big one. Spin
the form of a C2 audit trail. This is up a copy of your production
rarely enabled for fear of environment, implement a
performance degradation and log security change and test the
 impact at low cost, with minimal physical and logical security of the data,
startup time. This is a big deal authenticating users across firewalls by
and removes a major barrier to relying on vendor's authentication
‘doing’ security in production schemes etc., but assuming challenges as
environments. fears is not a smart strategy.
7. SECURITY TESTING:
• Reduce cost of testing security: Latency: Just because something runs
a SaaS provider only passes on a on a cloud it does not mean it has
portion of their security testing latency. My opinion is quite the
costs. By sharing the same opposite. The cloud computing if done
application as a service, you properly has opportunities to reduce
don’t foot the expensive security latency based on its architectural
code review and/or penetration advantages such as massively parallel
test. Even with Platform as a processing capabilities and distributed
Service (PaaS) where your computing. The web-based applications
developers get to write code, in early days went through the same
there are potential cost perception issues and now people don't
economies of scale (particularly worry about latency while shopping at
around use of code scanning Amazon.com or editing a document on
tools that sweep source code for Google docs served to them over a
security weaknesses). cloud. The cloud is going to get better
Adoption fears and strategic and better and the IT has no strategic
innovation opportunities advantages to own and maintain the data
Adoption-fears centers. In fact the data centers are easy
Security: Many IT executives make to shut down but the applications are not
decisions based on the perceived and the CIOs should take any and all
security risk instead of the real security opportunities that they get to move the
risk. IT has traditionally feared the loss data centers away if they can.
of control for SaaS deployments based
on an assumption that if you cannot SLA: Recent Amazon EC2 meltdown
control something it must be unsecured. and RIM's network outage created a
I recall the anxiety about the web debate around the availability of a highly
services deployment where people got centralized infrastructure and their
really worked up on the security of web SLAs. The real problem is not a bad
services because the users could invoke SLA but lack of one. The IT needs a
an internal business process from outside phone number that they can call in an
of a firewall. unexpected event and have an up front
The IT will have to get used to the idea estimate about the downtime to manage
of software being delivered outside from the expectations. May be I am
a firewall that gets meshed up with on- simplifying it too much but this is the
premise software before it reaches the crux of the situation. The fear is not so
end user. The intranet, extranet, DMZ, much about 24x7 availability since an
and the internet boundaries have started on-premise system hardly promises that
to blur and this indeed imposes some but what bothers IT the most is inability
serious security challenges such as to quantify the impact on business in an
relying on a cloud vendor for the event of non-availability of a system and
set and manage expectations upstream the cloud. Google App Engine for cloud
and downstream. The non-existent SLA computing is a good example to start
is a real issue and I believe there is a creating applications on-premise that can
great service innovation opportunity for eventually run on Google's cloud and
ISVs and partners to help CIOs with the Amazon's AMI is expanding day-by-day
adoption of the cloud computing by to allow people to push their applications
providing a rock solid SLA and on Amazon's cloud. Here is a quick
transparency into the defect resolution comparison of Google and Amazon in
process. their cloud computing efforts. Elastra's
solution to deploy EnterpriseDB on the
Strategic innovation opportunities cloud is also a good example of how
Seamless infrastructure virtualization: organizations can outsource IT on the
If you have ever attempted to connect to cloud.
Second Life behind the firewall you BENEFITS:
would know that it requires punching Cloud computing infrastructures can
few holes into the firewall to let certain allow enterprises to achieve more
unique transports pass through and that's efficient use of their
not a viable option in many cases. This IT Hardware and software investments.
is an intra-infrastructure communication They do this by breaking down the
challenge. I am glad to see IBM's physical
attempt to create a virtual cloud inside inherent in isolated systems, and
firewall to deploy some of the regions of automating the management of the group
the Second Life with seamless of systems as a
navigation in and out of the firewall. single entity.
This is a great example of a single sign Cloud computing is an example of an
on that extends beyond the network and ultimately virtualized system, and a
hardware virtualization to form natural evolution
infrastructure virtualization with for Data centers that employ automated
seamless security. systems management, workload
balancing, and virtualization
Hybrid systems: The IBM example also technologies. A cloud infrastructure can
illustrates the potential of a hybrid be a cost efficient model for delivering
system that combines an on-premise information services
system with remote infrastructure to Application:
support seamless cloud computing. This A cloud application leverages cloud
could be a great start for many computing in software architecture,
organizations that are on the bottom of often eliminating the need
the S curve of cloud computing to install and run the application on the
adoption. Organizations should consider customer's own computer, thus
pushing non-critical applications on a alleviating the burden of
cloud with loose integration with on- software maintenance, ongoing
premise systems to begin the cloud operation, and support. For example:
computing journey and as the cloud  Peer-to-peer / volunteer computing
infrastructure matures and some (BOINC, Skype)
concerns are alleviated IT could consider
pushing more and more applications on
 Web applications (Webmail, including the ‘flip side’ to these benefits,
Facebook, Twitter, YouTube, however if you read this blog regularly
Yammer) you should recognise some.
 Security as a service (MessageLabs, We believe the Cloud offers Small and
Purewire, ScanSafe, Zscaler) Medium Businesses major potential
 Software as a service (Google Apps, security benefits. Frequently SMBs
Salesforce,Nivio,Learn.com, Zoho, struggle with limited or non-existent
BigGyan.com) in-house INFOSEC resources and
 Software plus services (Microsoft budgets. The caveat is that the Cloud
Online Services) market is still very new - security
 Storage [Distributed] offerings are somewhat foggy - making
selection tricky. Clearly, not all Cloud
 Content distribution (BitTorrent,
providers will offer the same security.
Amazon CloudFront)
 Synchronisation (Dropbox, Live
Mesh, SpiderOak, ZumoDrive REFERENCES:
CONCLUSION: Web guild.org
In my view, there are some strong http://www.webguild.org/
technical security arguments in favour of How stuff works.com
Cloud Computing - assuming we can http://communication.howstuffworks
find ways to manage the risks. With this .com/
new paradigm come challenges and Cloud security.org
opportunities. The challenges are getting http://cloudsecurity.org
plenty of attention - I’m regularly IBM
afforded the opportunity to comment on http://www.ibm.com/developerworks
them, plus obviously I cover them on /websphere/zones/hipods/
this blog. However, lets not lose sight of Google suggest
the potential upside. http://www.google.com/webhp?
Some benefits depend on the Cloud complete=1&hl=en
service used and therefore do not apply
across the board. For example; I see no
solid forensic benefits with SaaS. Also,
for space reasons, I’m purposely not