Ecure Loud Rchitecture: Kashif Munir and Prof Dr. Sellapan Palaniappan
Ecure Loud Rchitecture: Kashif Munir and Prof Dr. Sellapan Palaniappan
Ecure Loud Rchitecture: Kashif Munir and Prof Dr. Sellapan Palaniappan
1, January 2013
School of Science and Engineering, Malaysia University of Science and Technology, Selangor, Malaysia
kashifbwp@hotmail.com
School of Science and Engineering, Malaysia University of Science and Technology, Selangor, Malaysia
sell@must.edu.my
ABSTRACT
Cloud computing is set of resources and services offered through the Internet. Cloud services are delivered from data centers located throughout the world. Cloud computing facilitates its consumers by providing virtual resources via internet. The biggest challenge in cloud computing is the security and privacy problems caused by its multi-tenancy nature and the outsourcing of infrastructure, sensitive data and critical applications. Enterprises are rapidly adopting cloud services for their businesses, measures need to be developed so that organizations can be assured of security in their businesses and can choose a suitable vendor for their computing needs. Cloud computing depends on the internet as a medium for users to access the required services at any time on pay-per-use pattern. However this technology is still in its initial stages of development, as it suffers from threats and vulnerabilities that prevent the users from trusting it. Various malicious activities from illegal users have threatened this technology such as data misuse, inflexible access control and limited monitoring. The occurrence of these threats may result into damaging or illegal access of critical and confidential data of users. In this paper we identify the most vulnerable security threats/attacks in cloud computing, which will enable both end users and vendors t o k n o w a b o u t the k e y se c ur it y threats associated with cloud computing and propose relevant solution directives to strengthen security in the Cloud environment. We also propose secure cloud architecture for organizations to strengthen the security.
KEYWORDS
Cloud Computing; Security and Privacy; Threats, Vulnerabilities, Secure Cloud Architecture.
1. INTRODUCTION
With Cloud Computing becoming a popular term on the Information Technology (IT) market, security and accountability has become important issues to highlight. There are a number of security issues/concerns associated with cloud computing but these issues fall into two broad categories: Security issues faced by cloud providers (organizations providing Software-, Platform-, or Infrastructure-as-a-Service via the cloud) and security issues faced by their customers.[1] In most cases, the provider must ensure that their infrastructure is secure and that their clients data and applications are protected while the customer must ensure that the provider has taken the proper security measures to protect their information.[2] Cloud computing has emerged as a way for IT businesses to increase capabilities on the fly without investing much in new infrastructure, training of personals or licensing new software [3].
DOI : 10.5121/acij.2013.4102
Figure 1: Cloud Computing represented as a stack of service NIST defines Cloud computing as a model for enabling ubiquitous, convenient, on demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and delivered with minimal managerial effort or service provider interaction [4]. It follows a simple pay as you go model, which allows an organization to pay for only the service they use. It eliminates the need to maintain an in-house data center by migrating enterprise data to a remote location at the Cloud providers site. Minimal investment, cost reduction, and rapid deployment are the main factors that drive industries to utilize Cloud services and allow them to focus on core business concerns and priorities rather than dealing with technical issues. According to [5], 91 % of the organizations in US and Europe agreed that reduction in cost is a major reason for them to migrate to Cloud environment. As shown in Figure. 1, Cloud services are offered in terms of Infrastructure-as-a- service (IaaS), Platform-as-a-service (PaaS), and Software-as-a-service (SaaS). It follows a bottom-up approach wherein at the infrastructure level; machine power is de- livered in terms of CPU consumption to memory allocation. On top of it, lies the layer that delivers an environment in terms of framework for application development, termed as PaaS. At the top level resides the application layer, delivering software outsourced through the Internet, eliminating the need for in-house maintenance of sophisticated software [6]. At the application layer, the end users can utilize software running at a remote site by Application Service Providers (ASPs). Here, customers need not buy and install costly software. They can pay for the usage and their concerns for maintenance are removed.
2. RELATED WORK
In [7] the authors discussed the security issues in a cloud computing environment. They focused on technical security issues arising from the usage of cloud services. They discussed security threats presented in the cloud such as VM-Level attacks, isolation failure, management interface compromise and compliance risks and their mitigation. They also presented cloud security architecture, using which; organizations can protect themselves against threats and attacks. According to the authors the key points for this architecture are: single-sign on, increased availability, defense in depth approach, single management console and Virtual Machine (VM) protection. In [8] the authors analyzed vulnerabilities and security risks specific to cloud computing systems. They defined four indicators for cloud-specific vulnerability including: 1) it is
10
intrinsic to or prevalent in core technology of cloud computing, 2) it has its root in one of NISTs essential cloud characteristics, 3) it is caused by cloud innovations making security controls hard to implement, 4) it is prevalent in established state-of-the- art cloud offerings. The authors were certain that additional cloud-specific vulnerabilities will be identified; others will become less of an issue as the field of cloud computing matures. However, they believe that using a precise definition of what constitutes vulnerability and the four indicators they identified will provide a level of precision and clarity that the current discourse about cloud computing security often lacks. In [9] the author discussed some vital issues to ensure a secure cloud environment. This included a basic view of security policies (e.g., inside threats, access control and system portability), software security (e.g., virtualization technology, host operating system, guest operating system and data encryption) and hardware security (e.g., backup, server location and firewall). The author concluded that an important issue for the future of cloud security is the use of open standards to avoid problems such as vendor lock-in and incompatibility. Furthermore, the author believes that although there are no security standards specific to cloud computing, conventional security concepts can be usefully applied. LaQuata Sumter et al. [10] sa ys: The rise in the scope of cloud computing has brought fear about the Internet security and the threat of security in cloud computing is continuously increasing. Consumers of the cloud computing services have serious concerns about the availability of their data when required. Users have server concern about the security and access mechanism i n c l o u d computing environment. To assure users that there information is secure, safe not accessible to unauthorized people, they have proposed the design of a system that will capture the movement and processing of the information kept on the cloud. They have identified there is need of security capture device on the cloud, which will definitely ensure users that their information is secure and safe from security threats and attacks. The proposed implementation is based on a case study and is implemented in a small cloud computing environment. They have claimed that there proposed security model for cloud computing is a practical model cloud computing. The advantage of their work is assurance of security to the end users of cloud. The limitation of this study is there proposed framework is not feasible for large scale cloud computing environments. Meiko Jensen et al. [11] have shown that to improve cloud computing security, the security capabilities of both web browsers and web service frameworks, should be strengthened. This can best be done by integrating the latter into the former. M. Jensen et al. [12] focus on special type of Denial of Service attacks on network based service that relies on message flooding techniques, overloading the victims with invalid requests. They describe some well known and some rather new attacks and discuss commonalities and approaches for countermeasures. Armbust M Fox et al. [13] discuss that resources should be virtualized to hide the implementation of how they are multiplexed and shared. Wayne [14]: In this paper benefits of cloud computing are highlighted along with the basic security issues that are still associated with cloud services. Shaping the security of critical systems is very important. Addressing the security issues faced by end users is extremely mandatory, Researchers and professionals must work on the security issues associated with cloud computing. Strong security policies must be designed to ensure data is safe and prevented from unauthorized access, in both corporate data centers and in the cloud
11
servers. This research brings primary problems in terms of cloud security, which are alleged to cloud computing security and privacy issues. Further the study gazes primary security and privacy Problems. It mainly focuses public clouds that needs significant consideration and presents required facts and figures to make organizations data security decisions. Key security issues identified and addressed in this paper are end user trust, Insider Access, Visibility, Risk Management, Client-Side Protection, Server-Side Protection, Access Control and Identity management. The strengths of their work is identification and discussion on cloud computing security issues which educates end users about security and private risks associated with cloud services. The weakness is that they havent proposed any tool or framework to address identifies issues. Rituik Dubey et al. [15] define different attacks scenarios and propose counter schemes for each. M. Okuhara et al. [16] explain how customers, despite their deep-seated concerns and uneasiness about cloud computing, can enjoy the benefits of the cloud without worry if cloud services providers use appropriate architectures for implementing security measures. They also describe the security problems that surround cloud computing and outline Fujitsus security architecture for solving them. [17] takes a detailed look at cloud computing security risks and conclude that, as computing takes a step forward to cloud computing, security should not move backward. Users should not accept moving backward in terms of security, and computing technology and security both, must advance together. [18] shows that some of the cutting edge technologies for cloud security are: self-protecting data, trusted monitors, and searchable encryption. With the integration of these technologies into their solutions, customers will have even more trust in their cloud provider. [19] discusses the fundamental trusted computing technologies on which latest approaches to cloud security are based. [20] argues that, with continued research advances in trusted computing and computationsupporting encryption, life in the cloud can be advantageous from a business-intelligence stand point, over the isolated alternative that is more common now a days. [21] describes Amazon Web Services (AWS) physical and operational security processes for network and infrastructure under Amazon Web Services (AWS) management. It also gives service specific security implementations for Amazon Web Services (AWS).
External network attacks in the cloud are increasing at a notable rate. Malicious user outside the Cloud often performs DoS or DDoS attacks to aect the availability of Cloud services and resources. Port scanning, IP spoong, DNS poisoning, phishing are also executed to gain access of Cloud resources. A malicious user can capture and analyze the data in the packets sent over this network by packet sniffing. IP spoofing occurs when a malicious user impersonates a legitimate users IP address where they could access information that they would not have been able to access otherwise. Availability is very important. Not having access to services when needed can be a disaster for anyone especially in the case of being denied service. This can occur when exhaustion of the host servers causes requests from legitimate consumers to be denied. This can cost a company large amounts of money and time if the services they depend on to operate are not available. Internal attacker (authorized user) can easily get access to other users resources without being detected. An insider has higher privileges and knowledge (related to network, security mechanism and resources to attack) than the external attacker. Therefore, it is easy for an insider to penetrate an attack than external attackers.
implementations, which can twist strong encryption into weak encryption or sometimes no encryption at all. For example in cloud virtualization providers uses virtualization software to partition servers into images that are provided to the users as on-demand services [24]. Although utilization of those VMs into cloud providers' data centres provides more flexible and efficient setup than traditional servers but they don't have enough access to generate random numbers needed to properly encrypt data. This is one of the fundamental problems of cryptography. How do computers produce truly random numbers that can't be guessed or replicated? In PCs, OS typically monitors users' mouse movements and key strokes to gather random bits of data that are collected in a so-called Entropy Pool (a set of unpredictable numbers that encryption software automatically pulls to generate random encryption passkeys). In servers, one that don't have access to a keyboard or mouse, random numbers are also pulled from the unpredictable movements of the computer's hard drive. VMs that act as physical machines but are simulated with software have fewer sources of entropy. For example Linux-based VMs, gather random numbers only from the exact millisecond time on their internal clocks and that is not enough to generate strong keys for encryption [25].
14
Mitigation: Some of the mitigation strategies to address this threat include security policies, strong authentication, and activity monitoring.
16
6.3.1 VM Escape
In this type of attack, an attackers program running in a VM breaks the isolation layer in order to run with the hypervisors root privileges instead with the VM privileges. This allows an attacker to interact directly with the hypervisor. Therefore, VM Escape from the isolation is provided by the virtual layer. By VM Escape, an attacker gets access to the host OS and the other VMs running on the physical machine.
end users do not send sensitive or critical information outside of the corporate network. DLP help a network administrator control what data end users can transfer.
hypervisor to hypervisor at the click of a button, whatever protection you've chosen has to handle these activities with ease. Plus, as the number of VMs increases in the data center, it becomes harder to account for, manage and protect them. And if unauthorized people gain access to the hypervisor, they can take advantage of the lack of controls and modify all the VMs housed there. These virtual machines are vulnerable like their physical counterparts. Hence, to adequately protect virtual machines, t h e y should he isolated from o t h e r network segments and deep inspection at the network level should be implemented to prevent them both from internal and external threats. Illegal internal access should be restricted by implementing intrusion prevention systems and unauthorized external access should be protected by using secure remote access technologies like IPSec or SSL VPN.
8. CONCLUSION
In this research paper we have discussed the characteristics of a cloud security that contains threats/attacks and vulnerabilities. Organizations that are implementing cloud computing by expanding their on-premise infrastructure, should be aware of the security challenges faced by cloud computing. To protect against the compromise of the compliance integrity and security of their applications and data, defense in depth approach must be applied. This line of defense includes firewall, Intrusion detection and prevention, integrity monitoring, log inspection, and malware protection. Proactive organizations and service providers should apply this protection on their cloud infrastructure, to achieve security so that they could take advantage of cloud computing ahead of their competitors. In this paper, a physical cloud computing security architecture has been presented. In future, the proposed architecture may be modified with the advancement of security technologies used for implementing this physical cloud security architecture. By considering the contributions from several IT industries worldwide, its obvious that cloud computing will be one of the leading strategic and innovative technologies in the near future.
REFERENCES
[1] "Swamp Computing" a.k.a. Cloud Computing". Web Security Journal. 2009-12-28. Retrieved 201001-25. [2] "Thunderclouds: Managing SOA-Cloud Risk", Philip Wik". Service Technology Magazine. 2011-10. Retrieved 2011-21-21. [3] What cloud computing really means. InfoWorld. http://www.infoworld.com/d/cloudcomputing/what-cloud-computing-really-means-031?page=0,0 [4] Mell P, Grance T (2011) The nist definition of cloud computing (draft). http://csrc.nist.gov/publications/drafts/800145/Draft-SP-800-145_cloud-definition.pdf [5] Ponemon (2011) Security of cloud computing providers study. http://www.ca.com/~/media/Files/ IndustryResearch/security-of-cloud-computing-providers-final-april-2011.pdf [6] Software as a service-Wikipedia. Wikipedia. http://en.wikipedia.org/wiki/Software_as_a_service [7] A. Tripathi and A. Mishra, Cloud computing security considerations IEEE Int. conference on signalprocessing, communication and computing (ICSPCC), 14-16 Sept., Xi'an, Shaanxi, China, 2011 [8] Vadym Mukhin, Artem Volokyta, Security Risk Analysis for Cloud Computing Systems The 6th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, Prague, Czech Republic, 15-17 September 2011 [9] Mathisen, Security Challenges and Solutions in Cloud Computing 5th IEEE International Conference on Digital Ecosystems and Technologies (IEEE DEST2011) , Daejeon, Korea, 31 May -3 June 2011 [10] R. LaQuata Sumter, Cloud Computing: Security Risk Classification , ACMSE 2010, Oxford, USA 20
Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013 [11] Meiko Jensen ,Jorg Sehwenk et al., On Technical Security,Issues icloud Computing IEEE International conference on cloud Computing, 2009. [12] M.Jensen ,N.Gruschka et al., The impact of flooding Attacks on network based servicesProceedings of the IEEE International conference on Availiabilty,Reliability and Security (ARES) 2008. [13] Armbrust ,M. ,Fox, A., Griffth, R., et al Above the clouds: A Berkeley View of Cloud Computing , UCB/EECS-2009-28,EECS Department University of California Berkeley, 2009 http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf [14] Wayne A. Jansen, Cloud Hooks: Security and Privacy Issues in Cloud Computing , 44th Hawaii International Conference on System Sciesnces 2011. [15] Rituik Dubey et al., Addressing Security issues in Cloud Computinghttp://www.contrib.andrew.cmu.edu/~rdubey/index_files/cloud%20com puting.pdf [16] M. Okuhara et al., Security Architecture for Cloud Computing, www.fujitsu.com/downloads/MAG/vol46-4/paper09.pdf [17] A Security Analysis of Cloud Computing http://cloudcomputing.sys- con.com/node/1203943 [18] Cloud Security Questions? Here are some answershttp://cloudcomputing.syscon.com/node/1330353 [19] Cloud Computing and Security A Natural Match, Trusted Computing Group(TCG) http://www.trustedcomputinggroup.org [20] Controlling Data in the Cloud:Outsourcing Computation without outsourcing Control http://www.parc.com/content/attachments/ControllingDataInTheCloud- CCSW-09.pdf [21] Amazon Web services: Overview of Security processes September 2008 http://aws.amazon.com [22] T. Schreiber, Session Riding a Widespread Vulnerability in Today'sWeb Applications [Online], Available: http://www.securenet.de/papers/Session_Riding.pdf, white paper, 2004. [Accessed: 20-Jul-2011]. [23] J., Grimes, P., Jaeger, J., Lin, Weathering the Storm: The Policy Implications of Cloud Computing [Online], Availablehttp://ischools.org/images/iConferences/CloudAbstract13109F INAL.pdf , [Accessed: 19-Jul-2011]. [24] B. Grobauer, T. Walloschek, and E. Stocker, Understanding Cloud Computing Vulnerabilities, Security & Privacy, IEEE, vol. 9, no. 2, pp.50-57, 2011. [25] A., Greenberg, Why Cloud Computing Needs More Chaos [Online],Available:http://www.forbes.com/2009/07/30/cloud-computing- security-technology-cionetwork-cloud-computing.html, 2009, [Accessed: 20-Jul-2011]. [26] Top 7 threats to cloud computing. HELP NET SECURITY. http://www.netsecurity.org/secworld.php?id=8943 [27] Rion Dutta, Planning for Single SignOn, White Paper, MIEL e- Security Pvt [28] M. Armbrust, et al., A view of cloud computing. Commun. ACM. vol. 53 (2010), pp. 50-58 [29] Miranda Mowbray and Siani Pearson, A client-based privacy manager for cloud computing. In Proc. Fourth International Conference on Communication System Software and Middleware (ComsWare), Dublin, Ireland, 16-19 June 2009. Authors Kashif Munir receives his BSc degree in Mathematics and Physics from Islamia University Bahawalpur in 1999. He received his MSc degree in Information Technology from University Sains Malaysia in 2001. He also obtained another MS degree in Software Engineering from University of Malaya, Malaysia in 2005. His research area was in the field secure network for mobile devices, Cloud and pervasive computing. Mr. Kashif was the lecturer at Stamford College, Malaysia. Currently, he is Lecturer in the Computer Science & Engineering Unit at Hafr Al-Batin Community College\KFUPM, Saudi Arabia. He is doing his PhD at Malaysian University of Science and Technology, Malaysia.
21
Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013 Prof. Dr. Sellappan Palaniappan is currently the Acting Provost and the Dean of School of Science and Engineering at Malaysia University of Science and Technology (MUST). Prior to joining MUST, he was an Associate Professor at the Faculty of Computer Science and Information Technology, University of Malaya. He holds a PhD in Interdisciplinary Information Science from the University of Pittsburgh and a Master in Computer Science from the University of London. Dr. Sellappan is a recipient of several Government research grants and has published numerous journals, conference papers and IT books. He has served as an IT Consultant for several local and international agencies such as the Asian Development Bank, the United Nations Development Programme, the World Bank and the Government of Malaysia. He has conducted workshops for companies. He is also an external examiner/assessor for several public and private universities. He was a member of IEEE (USA), Chartered Engineering Council (UK) and British Computer Society (UK), and is currently a member of the Malaysian National Computer Confederation (MNCC).
22