International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 3, March 2013)
331
Cloud Computing Security: Issues and Concerns
Naveen Dogra¹, Harpreet Kaur²
¹,²Assistant Professor, Panjab University SSGRC, Hoshiarpur, Punjab
Abstract— Cloud Computing is gaining the attention of today's users and businesses. Network-based Cloud Computing is rapidly expanding as an alternative to conventional office-based computing. Cloud Computing provides suitable on-demand network access to a shared pool of computing resources. Several trends are opening up the era of Cloud Computing, which is the use of computer technology to make the storage of huge amounts of data and information easier for organizations. Maintaining their own servers to store all the information is quite expensive for individuals and organizations. Cloud Computing allows data to be stored and maintained on remote servers that are managed by Cloud Service Providers (CSP) like Yahoo and Google. This data can then be accessed throughout the globe. But as more and more information of individuals and companies is placed in the cloud, concerns are beginning to grow about how safe an environment it is. In this paper the general characteristics of Clouds, their benefits, and the security issues and requirements in the Cloud are discussed.
Keywords— Cloud Computing, security, privacy
I. INTRODUCTION
Cloud Computing allows computer users to have full access to applications, to software development and deployment environments, and to computing infrastructure assets such as data storage and processing. Cloud Computing is a large-scale parallel and distributed computing system. It consists of a collection of interconnected and virtualized computing resources that are managed to be one or more unified computing resources [1]. Through Cloud Computing, services are delivered on demand to the end user over high-speed internet. The main goal is to provide users with more flexible services in a transparent manner, along with cheaper, scalable, highly available and powerful computing resources [2]. Clouds aim to power the next generation data centers by designing them as a network of virtual services (hardware, database, user-interface) so that users are able to access and deploy applications from anywhere in the world on demand at competitive costs depending on users' Quality of Service (QoS) requirements [2]. Cloud Computing means different things to different people. As a result, there are several definitions and proposals [4]. Vaquero et al. [4] have proposed a definition that is centered on scalability, pay-per-use utility model and virtualization.
According to Gartner, Cloud Computing is a style of computing where service is provided across the Internet using different models and layers of abstraction. Armbrust et al. [5], [6] observe that "Cloud Computing refers to both the applications delivered as services over the Internet and the hardware and system software in the data centers that provide those services". This definition captures the real essence of this new trend, where both software applications and hardware infrastructures are moved from private environments to third-party data centers and made accessible through the Internet. Certainly, the lack of a standard definition of Cloud Computing has generated not only market hype, but also a fair amount of confusion. For this reason, recently there has been work on standardizing the definition of Cloud Computing. We adopt the definition of Cloud Computing provided by The National Institute of Standards and Technology (NIST) [7], as it covers, in our opinion, all the essential aspects of Cloud Computing [8].
NIST definition of Cloud Computing: Cloud Computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [7].
Cloud promises huge cost benefits, quickness and scalability to the business. All business data and software are stored on servers at a remote location referred to as data centers. A data center environment allows enterprises to run applications faster, with easier manageability and less maintenance effort, and to scale resources (e.g. servers, storage, and networking) more rapidly to meet changing business needs [11]. A data center in a Cloud environment holds information that end-users would more traditionally have stored on their computers. This raises concerns regarding user privacy protection because users must outsource their data [10]. The movement of data to centralized services could affect the privacy and security of users' interactions with the files stored in Cloud storage space. Moving data into the Cloud offers great convenience to users since they don't have to care about the complexities of direct hardware management. While these internet-based online services do provide huge amounts of storage space and customizable computing resources, this computing platform shift, however, eliminates the responsibility of local machines for data maintenance.
Essential Characteristics:
The following are the essential characteristics identified by the Cloud community [7, 9, 15]:
On-demand self-service: A consumer has access to computing capabilities, such as server time and network storage, automatically and without requiring human interaction with the service's provider.
Broad network access: The resources are available over the network and can be used by heterogeneous client platforms.
Resource pooling: The computing resources are pooled together to serve multiple consumers using different models like a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. The customer has no control or knowledge of the exact location of the resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
Rapid elasticity: Resources can be rapidly and elastically provisioned, in some cases automatically, to scale rapidly outward and inward corresponding with demand. To the consumer, the resources available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
Measured Service: Cloud systems automatically control and optimize resource use by applying some level of abstraction as appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the service.
Service Models:
In addition to the above five essential characteristics, the Cloud uses the following three service models [7],[9],[15]:
Cloud Software as a Service (SaaS). The resources provided to the consumer are to use the provider's applications running on a Cloud infrastructure. Cloud consumers release their applications on a hosting environment, which can be accessed through networks from various clients (e.g. web browser, PDA, etc.) by application users. The consumer does not manage or control the Cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, apart from limited user-specific application configuration settings. The common service providers of SaaS are Salesforce and Gmail.
Cloud Platform as a Service (PaaS). The resources provided to the consumer are to deploy onto the Cloud infrastructure consumer applications created using programming languages and tools supported by the provider. The consumer does not manage or control the Cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and application hosting environment configurations. The common service providers of PaaS are Force.com and Google App Engine.
Cloud Infrastructure as a Service (IaaS). The resources assigned to the consumer are to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer may not need to manage or control this Cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components. Cloud consumers directly use IT infrastructures provided in the IaaS Cloud.
Deployment Models:
The Cloud community proposes the following three deployment models [7],[9],[15]:
Private cloud: The Cloud infrastructure is exclusively for the use of a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. In this infrastructure the organization always requires full control over critical activities that reside on the remote servers. Examples of Private Cloud service providers are cloud.com, Eucalyptus and IBM.
Public cloud: The Cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the Cloud provider. Examples of Public Cloud service providers are Amazon ECL, IBM, Rackspace and Verizon.
Hybrid cloud: The Cloud infrastructure is a composition of two or more distinct Cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., Cloud bursting for load balancing between clouds).
II. CLOUD COMPUTING ARCHITECTURE
This section describes the architectural, business and various operation models of Cloud Computing.
A Layered Model of Cloud Computing
The Cloud Computing architecture can be divided into 4 layers [8]: the hardware/data center layer, the infrastructure layer, the platform layer and the application layer, as shown in Figure 1. We describe each of them in detail:
The Hardware Layer: This layer is implemented in the data centers and used for managing the physical resources of the Cloud, including physical servers, routers, switches, power and cooling systems. A data center has thousands of servers that are organized in racks and interconnected through switches, routers or other fabrics. The hardware layer deals with issues like configuring hardware, fault tolerance, traffic management, and power and cooling resource management [8].
Figure 1: Cloud Computing Architecture [8]
The Infrastructure Layer: Also known as the virtualization layer, the infrastructure layer creates a pool of storage and computing resources by partitioning the physical resources using virtualization technologies such as Xen, KVM and VMware. Issues like dynamic resource management are dealt with through virtualization technologies [8].
The Platform Layer: Above the infrastructure layer, the platform layer exists and it consists of operating systems and application frameworks. The main aim of the platform layer is to reduce the burden of deploying applications directly into VM containers. For example, Google App Engine operates at the platform layer to provide API support for implementing storage, database and business logic of typical web applications [8].
The Application Layer: At the highest level of the hierarchy, there exists an application layer.
Different from traditional applications, Cloud applications can leverage the automatic-scaling feature to achieve better performance, availability and lower operating cost. Compared to traditional service hosting environments such as dedicated server farms, the architecture of Cloud Computing is more modular. Each layer is loosely coupled with the layers above and below, allowing each layer to evolve separately [8].
III. CONTROL OF RESOURCES IN A CLOUD
It is sometimes affirmed that, when compared to traditional on-premises computing, Cloud Computing requires consumers to give up two important capabilities to their providers [7,9]:
Control: it is the responsibility of the provider to decide who and what is allowed to access consumer data and programs and who has the ability to perform actions such as erasing data or disconnecting a network, and to confirm that the actions taken do not go against the consumer's intent.
Visibility: the ability to monitor, with high confidence, the status of a consumer's data and programs and how consumer data and programs are being accessed by others.
The extent to which consumers may need to surrender control or visibility depends on a number of factors including physical ownership and the ability to configure protective access boundary mechanisms around a consumer’s computing resources.
IV. SECURITY
Providers generally state that they are not responsible for the impacts of security breaches or for security, i.e., unauthorized modification or disclosure of consumer data, or service interruptions caused by malicious activity. Data processed in a public Cloud and applications running in a public Cloud may experience different security exposures. Service agreements are explicit about placing security risks on consumers. In some cases, providers promise to use best efforts to protect consumer data, but all of the providers surveyed disclaim security responsibility for data breach, data loss, or service interruptions by limiting remedies to service credits for failure to meet availability promises.
Information Security
Information security [9] means protecting the confidentiality and integrity of data and ensuring data availability. An organization that owns and runs its IT operations will normally take the following types of measures for its data security:
Organizational/Administrative controls specifying who can perform data related operations such as creation, access, disclosure, transport, and destruction.
Physical Controls for protecting storage media and the facilities housing storage devices.
Technical Controls for Identity and Access Management (IAM), encryption of data at rest and in transit, and other data audit-handling requirements for complying with regulatory requirements.
When an organization subscribes to a cloud, all the data generated and processed will physically reside on systems owned by the cloud owner and operated by a provider. The fundamental issue is whether a consumer can obtain a guarantee that a provider is implementing the same or equivalent controls that the consumer would have implemented.
Data that a consumer wants to move to a cloud may need specific levels of audit logging, alert generation, activity reporting, and data retention.
Data Privacy
Privacy [9] addresses the confidentiality of data for specific entities, such as consumers or others whose information is processed in a system. Privacy carries legal and liability concerns, and should be viewed not only as a technical challenge but also as a legal and ethical concern. Protecting privacy in any computing system is a technical challenge; in a Cloud setting this challenge is complicated by the distributed nature of clouds and the possible lack of consumer awareness over where data is stored and who has or can have access.
System Integrity
Clouds require protection against intentional subversion of the functionality of a cloud. Within a Cloud there are stakeholders: consumers, providers, and a variety of administrators. The ability to partition access rights to each of these groups, while keeping malicious attacks at bay, is a key attribute of maintaining Cloud integrity. In a Cloud setting, any lack of visibility into a cloud's mechanisms makes it more difficult for consumers to check the integrity of cloud-hosted applications [9].
V. SECURITY ISSUES
Cloud Computing presents specific challenges to privacy and security. When using cloud-based services, one is entrusting a third party with one's data storage and security.
Cloud-sourcing involves the use of many services, and many Cloud-based services provide services to each other. Cloud-based products may therefore have to share your information with third parties if they are involved in processing or transferring your information [22].
Each cloud-based service has its own terms and conditions, or service level agreement, that the user agrees to before signing up to a Cloud, and these service agreements are often updated. There must be proper awareness about privacy and security issues around Cloud Computing. People need to be aware of the terms and conditions of the Cloud service providers as well as keep up with updates.
The information stored by Cloud services is subject to the legal, regulatory and policy environments of the country. As more and more information is stored in the Cloud these issues become significant, and Cloud Computing will continue to offer challenges to national policy and regulation as well as to internet governance, on how best to resolve privacy and security issues.
Security concerns have been raised due to the new computing model introduced by Cloud Computing, which is characterized by off-premises computing, lost control of IT infrastructure, service oriented computing, and virtualization, and so on. Security concerns from users can be briefly summarized as follows [14]:
• System failure and Data availability: When keeping data at remote systems owned by others, data owners may suffer from system failures of the service provider.
• Data error: Client data should be error free on the cloud. The data is stored on the Cloud, which is remote to the client. If the correct storage strategy is not used, data might not be stored correctly on the storage server of the Cloud.
• Data Migratibility: Users that adopt Cloud Computing may want their data to be migrated to other Clouds but this procedure is subject to the risk that their data cannot be migrated to other clouds.
• Long-term availability: The consumer must be sure that data will be available at all times, even if the Cloud Computing provider gets acquired and swallowed up by a larger company.
• Data location: Client has no idea of the whereabouts of data or exactly where the data is hosted. In fact, one might not even know what country it will be stored in.
• Data segregation: Client has to be sure that encryption must be available at all stages, and that these encryption schemes were designed and tested by experienced professionals.
• Data Recovery: Clouds provide data recovery to some extent in case of a disaster. Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure.
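The data error and data recovery concerns in this list can be checked from the consumer side without depending on visibility into the provider. The following is an added example, not part of the original paper: the consumer keeps an HMAC-SHA256 tag per object locally, verifies every replica on read, and repairs copies that are missing or altered. The site names, the in-memory dictionaries standing in for provider storage, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets


class IntegrityError(Exception):
    """No replica of the object matches the tag held by the consumer."""


def make_tag(key: bytes, name: str, data: bytes) -> str:
    """HMAC-SHA256 over the length-prefixed object name plus content.

    Binding the name into the tag stops one valid object from being
    returned in place of another.
    """
    encoded = name.encode("utf-8")
    message = len(encoded).to_bytes(4, "big") + encoded + data
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def put(sites: dict, key: bytes, manifest: dict, name: str, data: bytes) -> None:
    """Record the tag locally, then replicate the object to every site."""
    manifest[name] = make_tag(key, name, data)
    for store in sites.values():
        store[name] = data


def get(sites: dict, key: bytes, manifest: dict, name: str):
    """Return (data, repaired_sites) after checking every replica.

    A replica that is missing or fails verification is overwritten from
    the first replica that verifies. If none verifies, IntegrityError is
    raised rather than returning unverified data.
    """
    expected = manifest[name]
    good, bad = None, []
    for site, store in sites.items():
        blob = store.get(name)
        if blob is not None and hmac.compare_digest(
            make_tag(key, name, blob), expected
        ):
            if good is None:
                good = blob
        else:
            bad.append(site)
    if good is None:
        raise IntegrityError(f"no valid replica of {name!r} on any site")
    for site in bad:
        sites[site][name] = good
    return good, bad


def demo():
    # Constructed sample: three in-memory dicts stand in for provider sites.
    sites = {"site-a": {}, "site-b": {}, "site-c": {}}
    key = secrets.token_bytes(32)  # stays with the consumer, never uploaded
    manifest = {}                  # name -> tag, also kept by the consumer
    put(sites, key, manifest, "ledger.csv", b"id,amount\n1,100\n")
    sites["site-b"]["ledger.csv"] = b"id,amount\n1,900\n"  # silent data error
    del sites["site-c"]["ledger.csv"]                      # lost replica
    return get(sites, key, manifest, "ledger.csv")


if __name__ == "__main__":
    data, repaired = demo()
    print("recovered:", data, "repaired sites:", repaired)
```

With a single site, the same check still detects the data error but has nothing to repair from, which is the total-failure case the Data Recovery item describes.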
VI. CONCLUSION
The Cloud provides many options for the everyday computer user as well as large and small businesses. It opens up the world of computing to a broader range of uses and increases the ease of use by giving access through any internet connection. With this increased ease, there come some drawbacks as well. The end user has less control over the information, knowledge and software that are being used. Clouds are more exposed to data theft, malicious access, and unsecured internet access. Although Cloud Computing has had many security breaches and privacy and integrity concerns, the Cloud Computing environment still provides a great deal of advantages and convenience to end users through services like Software as a Service, which reduces the licensing cost of software, and Infrastructure as a Service, which reduces the infrastructure cost of a company. Efforts have been made to enforce confidentiality, integrity and privacy of data. This is an emerging computing environment, but before shifting to the Cloud one has to consider the options in terms of what type of Cloud will be best according to the needs, what type of provider will be most useful, and what the reputation and responsibilities of the providers are.
REFERENCES
[1] Mohamed-K Hussein and Mohamed-H Mousa, "A Light-weight Data Replication for Cloud Data Centers Environment", International Journal of Engineering and Innovative Technology, Vol. 1, no. 6, pp. 169-175, 2012.
[2] Buyya R, Yeo CS, Venugopal S, Broberg J, Brandic I, "Cloud computing and Emerging IT platforms: Vision, Hype, and Reality for Delivering Computing as the 5th Utility", Future Generation Computer Systems, vol. 25, no. 6, pp. 599-616, 2009.
[3] Parkhill D, "The Challenge of the Computer Utility", Addison-Wesley, Reading, 1966.
[4] L. M. Vaquero, L. Rodero-Merino, J. Caceres, and M. Lindner, "A break in the clouds: towards a cloud definition", SIGCOMM Computer Communication Review, vol. 39, pp. 50–55, 2008.
[5] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, "A view of cloud computing", Communications of the ACM, vol. 53, no. 4, pp. 50–58, 2010.
[6] Suraj Pandey, "Scheduling and Management of Data Intensive Application Workflows in Grid and Cloud Computing Environments", Ph.D. dissertation, The University of Melbourne, Australia, 2010.
[7] Peter Mell and Tim Grance, "The NIST Definition of Cloud Computing", National Institute of Science and Technology. Retrieved 24 July 2011.
[8] Q. Zhang, L. Cheng, and R. Boutaba, "Cloud computing: State-of-the-Art and Research Challenges", Journal of Internet Services and Applications, Springer London, vol. 1, no. 1, pp. 7–18, 2010.
[9] Lee Badger, Tim Grance, Robert Patt-Corner, Jeff Voas, "Cloud Computing Synopsis and Recommendations", NIST Special Publication 800-146.
[10] Cong Wang, Qian Wang, Kui Ren, Wenjing Lou, "Ensuring Data Storage Security in Cloud Computing", in Proc. of IWQoS'09, July 2009, pp. 1–9.
[11] Cong Wang, Qian Wang, Kui Ren, Wenjing Lou, "Towards Secure and Dependable Storage Services in Cloud Computing", IEEE Transactions on Services Computing, 06 May 2011.
[12] Venkatesa Kumar V, Poornima G, "Ensuring Data Integrity in Cloud Computing", Journal of Computer Applications, ISSN: 0974-1925, Volume 5, Issue EICA2012-4, February 10, 2012.
[13] K. Valli Madhavi, R. Tamilkodi, R. BalaDinakar, "Data Storage Security in Cloud Computing for Ensuring Effective and Flexible Distributed System".
[14] Anil Gupta, Parag Pande, Aaftab Qureshi & Vaibhav Sharma, "A proposed Solution: Data Availability and Error Correction in Cloud Computing", International Journal of Computer Science and Security (IJCSS), Volume 5, Issue 4, 2011.
[15] Tharam Dillon, Chen Wu and Elizabeth Chang, "Cloud Computing: Issues and Challenges", 2010 24th IEEE International Conference on Advanced Information Networking and Applications.
[16] Deepanchakaravarthi Purushothaman and Dr. Sunitha Abburu, "An Approach for Data Storage Security in Cloud Computing", IJCSI International Journal of Computer Science Issues, Vol. 9, Issue 2, March 2012.
[17] Qian Wang, Cong Wang, Kui Ren, Wenjing Lou and Jin Li, "Enabling Public Auditability and Data Dynamics for Storage Security in Cloud Computing", 14th European Symposium on Research in Computer Security (ESORICS'09).
[18] B. AmarNadh Reddy, P. Raja Sekhar Reddy, "Effective Data Distribution Techniques for Multi-Cloud Storage in Cloud Computing", International Journal of Engineering Research and Applications (IJERA), ISSN: 2248-9622, Vol. 2, Issue 5, September-October 2012, pp. 1130-1134.
[19] Richard Chow, Philippe Golle, Markus Jakobsson, Elaine Shi, Jessica Staddon, Ryusuke Masuoka, Jesus Molina, "Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control", CCSW'09, November 13, 2009, Chicago, Illinois, USA.
[20] Ian Foster, Yong Zhao, Ioan Raicu, Shiyong Lu, "Cloud Computing and Grid Computing 360-Degree Compared".
[21] Jayant Baliga, Robert W. A. Ayre, Kerry Hinton, and Rodney S. Tucker, "Green Cloud Computing: Balancing Energy in Processing, Storage, and Transport", Proceedings of the IEEE, Vol. 99, No. 1, January 2011.
[22] Article 29 Data Protection Working Party, "Opinion 05/2012 on Cloud Computing", 01037/12/EN WP 196.
[23] Renee Berry and Matthew Reisman, "Policy Challenges of Cross-Border Cloud Computing", U.S. International Trade Commission, Journal of International Commerce and Economics.
[24] Ning Cao, "Secure and Reliable Data Outsourcing in Cloud Computing", A Dissertation, July 2012.
[25] Alexa Huth and James Cebula, "The Basics of Cloud Computing", 2011 Carnegie Mellon University. Produced for US-CERT, a government organization.