
SECURITY ISSUES IN CLOUD COMPUTING

Bhuvaneswari R
Asst. Professor in Computer Science, Thiruthangal Nadar College,
Chennai-51, email: msrbhuvan@gmail.com

ABSTRACT

Cloud computing can and does mean different things to different people. Nowadays all
types of businesses are looking to adopt an economical computing resource for their
business applications, i.e. by introducing the concept of cloud computing into their environment.
Cloud computing improves an organization's performance by using minimum resources and
management support, with a shared network, valuable resources, bandwidth, software and
hardware provided in a cost-effective manner and with limited service provider dealings. In a
cloud computing environment, the entire data resides over a set of networked resources, enabling
the data to be accessed through virtual machines. There are various issues that need to be dealt
with in respect of security and privacy in cloud computing. Due to the constantly increasing
popularity of cloud computing, there is an ever-growing risk of security becoming a main and top
issue. The current paper proposes a backup plan required for overcoming the security issues in
cloud computing.

KEYWORDS

Cloud Computing, Network and Security issues, Backup recovery.

PURPOSE AND SCOPE

The purpose of this document is to provide an overview of cloud computing and the
security and privacy challenges involved. The current paper discusses in detail cloud computing,
its types and the network/security issues related to it. In cloud computing, security issues are
possible at various levels (layers). The network structure faces attacks such as denial of
service, man in the middle, network sniffing, port scanning, SQL injection and cross site
scripting, which are discussed in this paper.

INTRODUCTION

Cloud computing is seen as a trend in the present scenario, with almost all
organizations trying to make an entry into it. The advantages of using cloud computing are: i)
reduced hardware and maintenance cost, ii) accessibility around the globe, and iii) flexibility and
a highly automated process wherein the customer need not worry about software upgrades,
which tend to be a daily matter [2, 3]. Cloud computing has been defined as the new
state-of-the-art technique that is capable of providing a flexible IT infrastructure, such that
users need not own the infrastructure supporting these services. This integrates features
supporting high scalability and multi-tenancy. Moreover, cloud computing minimizes capital
expenditure. Besides the benefits associated with cloud computing, there are different security
issues an organization has to deal with in order to separate one cloud user's data from another's
and so maintain confidentiality/privacy, reliability and integrity [6]. Moreover, as the cloud
service provider has complete control over the infrastructure, security risks such as manipulation
or theft of code by the service provider exist [1]. Cloud computing offers three types of
services: SaaS, PaaS and IaaS.

Software-as-a-Service (SaaS) is a model of service delivery whereby one or more applications
and the computational resources to run them are provided for use on demand as a turnkey
service. Its main purpose is to reduce the total cost of hardware and software development,
maintenance, and operations. Security provisions are carried out mainly by the cloud provider.
The cloud consumer does not manage or control the underlying cloud infrastructure or individual
applications, except for preference selections and limited administrative application settings.

Platform-as-a-Service (PaaS) is a model of service delivery whereby the computing platform is
provided as an on-demand service upon which applications can be developed and deployed. Its
main purpose is to reduce the cost and complexity of buying, housing, and managing the
underlying hardware and software components of the platform, including any needed program
and database development tools. The development environment is typically special purpose,
determined by the cloud provider and tailored to the design and architecture of its platform. The
cloud consumer has control over applications and application environment settings of the
platform. Security provisions are split between the cloud provider and the cloud consumer.

Infrastructure-as-a-Service (IaaS) is a model of service delivery whereby the basic computing
infrastructure of servers, software, and network equipment is provided as an on-demand service
upon which a platform to develop and execute applications can be established. Its main purpose
is to avoid purchasing, housing, and managing the basic hardware and software infrastructure
components, and instead obtain those resources as virtualized objects controllable via a service
interface. The cloud consumer generally has broad freedom to choose the operating system and
development environment to be hosted. Security provisions beyond the basic infrastructure are
carried out mainly by the cloud consumer.

There are four types of cloud computing models listed by NIST (2009) [14,17]: private
cloud, public cloud, hybrid cloud and community cloud.

1. Public Cloud: It is for the general public; resources, web applications and web services are
provided over the internet and any user can get the services from the cloud. Public
organizations help in providing the infrastructure to run the public cloud.

2. Private Cloud: It is used internally by a single organization. Anyone within the organization
can access the data, services and web applications, but users outside the organization cannot
access the cloud. The infrastructure of a private cloud is completely managed, and corporate data
are fully maintained, by the organization itself.

3. Hybrid Cloud: The cloud is a combination of two or more clouds (public, private and
community). Basically it is an environment in which multiple internal or external suppliers of
cloud services are used. It is being used by most organizations [9].

4. Community Cloud: The cloud is basically a mixture of one or more public, private or
hybrid clouds, which is shared by many organizations for a single cause (mostly security).
The infrastructure is shared by several organizations within a specific community with common
security and compliance objectives. It is managed by a third party or managed internally. Its
cost is less than that of a public cloud but more than that of a private cloud.

THE SECURITY AND PRIVACY UPSIDE

While one of the biggest obstacles facing public cloud computing is security, the cloud
computing paradigm provides opportunities for innovation in provisioning security services that
hold the prospect of improving the overall security of some organizations. Opportunities for
improved security also benefit privacy. That is, effective privacy can exist only upon a sound
foundation of information security. However, privacy, just as security, has broad organizational,
operational, and technical implications. While some aspects of privacy are closely related to the
confidentiality, integrity, and availability objectives of security, other aspects are not. Instead,
they involve important privacy-related principles and considerations that are addressed in law,
regulations, and OMB guidance [5,8].

Potential areas of improvement where organizations may derive security and privacy
benefits from transitioning to a public cloud computing environment include the
following:

Staff Specialization. Cloud providers, just as other organizations with large-scale
computing facilities, have an opportunity for staff to specialize in security, privacy, and
other areas of high interest and concern to the organization. Through increased
specialization, there is an opportunity for staff members to gain in-depth experience and
training, take remedial actions, and make improvements to security and privacy.

Platform Strength. Greater uniformity and homogeneity facilitate platform
hardening and enable better automation of security management activities like
configuration control, vulnerability testing, security audits, and security patching of
platform components. Similarly, infrastructure homogeneity benefits management
controls employed to protect privacy. On the other hand, homogeneity means that a
single flaw will be manifested throughout the cloud, potentially impacting all tenants and
services.

Resource Availability. The scalability of cloud computing facilities allows for
greater availability. Redundancy and disaster recovery capabilities are built into cloud
computing environments and on-demand resource capacity can be used for better
resilience when faced with increased service demands or distributed denial of service
attacks, and for quicker recovery from serious incidents. Availability can also bolster
privacy through better opportunities for individuals to access and correct records and for
records to be ready for use when needed for the purposes collected. In some cases,
however, such resiliency and capacity can have a downside.

Backup and Recovery. The backup and recovery policies and procedures of a cloud
provider may be superior to those of the organization and may be more robust. Data
maintained within a cloud can be more available, faster to restore, and more reliable in
many circumstances than that maintained in a traditional data center, and also meet
offsite backup storage and geographical compliance requirements.

Mobile Endpoints. The architecture of a cloud solution extends to the client at the
service endpoint that is used to access hosted applications. Cloud clients can be general-
purpose Web browsers or more special-purpose applications. Since the main
computational resources needed by cloud-based applications are typically held by the
cloud provider, clients can generally be lightweight computationally and easily supported
on laptops, notebooks, and netbooks, as well as embedded devices such as smart phones
and tablets, benefiting the productivity of an increasingly mobile workforce.

Data Concentration. Data maintained and processed in a public cloud may present
less of a risk to an organization with a mobile workforce than having that data dispersed
on portable computers, embedded devices, or removable media out in the field, where
theft and loss routinely occur. That is not to say, however, that no risk exists when data is
concentrated.

THE SECURITY AND PRIVACY DOWNSIDE

Besides its many potential benefits for security and privacy, public cloud computing also
brings with it potential areas of concern, when compared with computing environments found in
traditional data centers. Some of the more fundamental concerns include the following:

System Complexity. A public cloud computing environment is extremely complex
compared with that of a traditional data center. Many components make up a public
cloud, resulting in a large attack surface. Security depends not only on the correctness
and effectiveness of many components, but also on the interactions among them.
Challenges exist in understanding and securing application programming interfaces that
are often proprietary to a cloud provider. The number of possible interactions between
components increases as the square of the number of components, which pushes the level
of complexity upward.

Shared Multi-tenant Environment. Public cloud services offered by providers have
a serious underlying complication: client organizations typically share components and
resources with other consumers that are unknown to them. An attacker could pose as a
consumer to exploit vulnerabilities from within the cloud environment, overcome the
separation mechanisms, and gain unauthorized access. Access to organizational data and
resources could also inadvertently be exposed to other consumers or be blocked from
legitimate consumers through a configuration or software error [16].

Internet-facing Services. Public cloud services are delivered over the Internet,
exposing the administrative interfaces used to self-service and manage an account, as
well as non-administrative interfaces used to access deployed services. Applications and
data that were previously accessed from the confines of an organization’s intranet, but
moved to a public cloud, must now face increased risk from network threats that were
previously defended against at the perimeter of the organization’s intranet and from new
threats that target the exposed interfaces. The performance and quality of services
delivered over the Internet may also be at issue. The effect is somewhat analogous to the
inclusion of wireless access points into an organization’s intranet at the onset of that
technology, necessitating additional safeguards for secure use.

Loss of Control. While security and privacy concerns in cloud computing services
are similar to those of traditional non-cloud services, they are amplified by external
control over organizational assets and the potential for mismanagement of those assets.
Transitioning to a public cloud requires a transfer of responsibility and control to the
cloud provider over information as well as system components that were previously
under the organization’s direct control. The transition is usually accompanied by the lack
of a direct point of contact with the management of operations and influence over
decisions made about the computing environment. Loss of control over both the physical
and logical aspects of the system and data diminishes the organization’s ability to
maintain situational awareness, weigh alternatives, set priorities, and effect changes in
security and privacy that are in the best interest of the organization. Legal protections for
privacy may also be affected when information is stored with a third-party service
provider [12, 15]. Under such conditions, maintaining accountability can be more
challenging, offsetting some of the potential benefits discussed earlier.

NETWORK ISSUES IN CLOUD COMPUTING


Different network issues occur in cloud computing, some of which are discussed
below:

Denial of Service:
When hackers flood a network server or web server with frequent service requests in order
to damage the network, the server cannot keep up with them and cannot serve the regular
requests of legitimate clients. For example, a hacker who hijacks the web server could stop the
web server from providing its services. In cloud computing, a hacker attacks the server by
sending thousands of requests to it, so that the server is unable to respond to regular clients
and does not work properly. The countermeasure for this attack is to reduce the privileges of
the users connected to a server. This will help to reduce the DoS attack [10,15].

Man in the Middle Attack:

This is another network security issue, which occurs if secure socket layer (SSL) is
not properly configured. For example, if two parties are communicating with each other and SSL
is not properly installed, then all the data communicated between the two parties could be
hacked by the party in the middle. The countermeasure for this attack is that SSL should be
properly installed and should be checked before communicating with other authorized parties.
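One way to perform the "check before communication" step on the client side, as an added example that is not part of the original paper. It uses Python's standard ssl module; the function names are assumptions made for this illustration.

```python
import socket
import ssl

def weak_context():
    """The misconfiguration: no certificate check, no host name check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # any certificate is accepted
    return ctx

def hardened_context():
    """Properly configured client settings."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + host name check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse older protocol versions
    return ctx

def audit_context(ctx):
    """Return the settings that leave a connection open to interception."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification is disabled")
    if not ctx.check_hostname:
        findings.append("host name check is disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings

def open_checked(host, port, ctx):
    """Audit the configuration first; connect only if nothing was found."""
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing to connect: " + "; ".join(findings))
    sock = socket.create_connection((host, port), timeout=10)
    # The handshake fails unless the certificate chain and host name verify.
    return ctx.wrap_socket(sock, server_hostname=host)

if __name__ == "__main__":
    print("weak:    ", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
```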

Network Sniffing:
Another type of attack is network sniffing. It is a more critical network security issue, in
which unencrypted data are captured from the network; for example, an attacker can obtain
passwords that are not properly encrypted during communication. If the communicating parties do
not use encryption techniques for data security, then an attacker can capture the data during
transmission as a third party. The countermeasure for this attack is that the parties should use
encryption methods to secure their data.

Port Scanning:
Port scanning can be used by an attacker, because port 80 (HTTP), which is used for
providing web services to users, is always open. Other ports such as 21 (FTP) are not open all
the time and are opened only when needed; ports should therefore be secured by encryption
unless and until the server software is configured properly. The countermeasure for this attack
is to use a firewall to secure the data from port attacks.

SQL Injection Attack:


SQL injection attacks are attacks in which a hacker uses special characters to make a query
return data. For example, in SQL scripting a query ends with a WHERE clause, which may be
modified by adding more information to it. For example, an argument value of "y OR 1=1" may
cause the whole table to be returned, because 1=1 is always true.
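The always-true WHERE clause described above, shown next to the parameterized form that prevents it. This is an added example, not part of the original paper; the accounts table, its rows and the function names are constructed for the illustration.

```python
import sqlite3

def make_db():
    """In-memory table filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (id, owner, balance) VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)],
    )
    return conn

def lookup_vulnerable(conn, account_id):
    # Vulnerable: the argument becomes part of the SQL text, so "OR 1=1" is
    # parsed as an extra condition and the WHERE clause matches every row.
    query = "SELECT owner, balance FROM accounts WHERE id = " + account_id
    return conn.execute(query + " ORDER BY id").fetchall()

def lookup_parameterized(conn, account_id):
    # Hardened: the placeholder binds the argument as one value. It is
    # compared with the id column and never parsed as SQL.
    query = "SELECT owner, balance FROM accounts WHERE id = ? ORDER BY id"
    return conn.execute(query, (account_id,)).fetchall()

def lookup_validated(conn, account_id):
    # Defense in depth: accept only a plain decimal id before querying.
    if not (account_id.isascii() and account_id.isdigit()):
        raise ValueError("account id must be a decimal number")
    return lookup_parameterized(conn, int(account_id))

if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed input in the form the text describes
    print("concatenated: ", lookup_vulnerable(db, crafted))
    print("parameterized:", lookup_parameterized(db, crafted))
    print("normal lookup:", lookup_parameterized(db, "2"))
```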

Cross Site Scripting:


It is a type of attack in which the user enters the right URL of a website and a hacker on
the other side redirects the user to his own website and steals the user's credentials. For
example, the user enters the URL in the address bar and the attacker redirects the user to the
hacker's site, where he obtains the sensitive data of the user. Cross site scripting attacks can
open the way to buffer overflows, DoS attacks and the insertion of malicious software into web
browsers in order to compromise the user's credentials.

CONCLUSION

Cloud computing is a new term introduced in the business environment, where users
can interact directly with virtualized resources and save cost for the consumers. Some
security issues and their countermeasures are discussed in this paper. Cloud computing has
several models to protect its data for business users. An organization uses private clouds
within its organization to prevent loss of data.

REFERENCES
[1] Booth, D. (2004). Web service architecture. Retrieved from http://www.w3.org:
[2] Jamil, D., & Zaki, H. (2011a). cloud computing security. International Journal of Engineering
Science and Technology (IJEST) , Vol.3 No.4, 3478-3483.
[3] Vouk, M. (2008). Cloud Computing-Issues, Research and Implication. "Journal of
Computing and Information Technology - CIT" , Vol. 16 No.4, pp. 235–246.
[4] Yang, A. (2003). Guide to XML Web Services Security. Retrieved from
http://www.cgisecurity.com
[5] Ren, K., & Lou, W. (2009). Ensuring Data Storage Security in Cloud Computing. Retrieved
from http://www.ece.iit.edu
[6] R. Gellman, “Privacy in the clouds: Risks to privacy and confidentiality from cloud
computing,” The World Privacy Forum, 2009. http://www.worldprivacyforum.org
[7] K. Vieira, A. Schulter, C. B. Westphall, and C. M. Westphall, “Intrusion detection techniques
for Grid and Cloud Computing Environment,” IT Professional, IEEE Computer Society, vol. 12,
issue 4, pp. 38-43, 2010.
[8] Cong Wang, Qian Wang, Kui Ren, and Wenjing Lou, “Ensuring Data Storage Security in
Cloud Computing,” 17th International workshop on Quality of Service, USA, pp.1-9, July 13-15,
2009
[9] Michael Armbrust et al., A View of Cloud Computing, Communications of the ACM,
Association for Computing Machinery, Vol. 53, No. 4, April 2010.
[10] Frederick M. Avolio, Best Practices in Network Security, Network Computing, March 20,
2000, <URL: http://www.networkcomputing.com/1105/1105f2.html>.
[11] David Binning, Top Five Cloud Computing Security Issues, Computer Weekly, April 24,
2009, <URL: http://www.computerweekly.com/Articles/2010/01/12/235782/Top-five-cloud-computing-security-issues.htm>.
[12] Encryption and Key Management, Cloud Security Alliance, January 12, 2011, <URL:
https://wiki.cloudsecurityalliance.org/guidance/index.php/Encryption_and_Key_Management>
[13] Alistair B. Dawson, Understanding Electronic Discovery and Solving Its Problems, 56th
Annual Program on Oil and Gas Law, The Center for American and International Law, February
17-18, 2005, Houston, Texas, <URL: http://www.brsfirm.com/publications/docs/00037W.pdf>
[14] Peter Mell, and Tim Grance, "The NIST Definition of Cloud Computing," 2009,
http://www.wheresmyserver.co.nz/storage/media/faq-files/clouddef-v15.pdf,
[15] Balachandra Reddy Kandukuri, Ramakrishna Paturi and Atanu Rakshit, "Cloud Security
Issues," in Proceedings of the 2009 IEEE International Conference on Services Computing,
2009, pp. 517-520.
[16] Meiko Jensen, Jörg Schwenk, Nils Gruschka and Luigi Lo Iacono, "On Technical Security
Issues in Cloud Computing," in IEEE ICCC, Bangalore 2009, pp. 109-116.
[17] NIST. October, (2010). National Vulnerability Database (NVD). Available:
http://nvd.nist.gov/home.cfm
