
Cloud Computing: Security Model Comprising Governance, Risk Management and Compliance.

Abstract— Cloud security is a broad topic covering any combination of policies, technologies, and controls that protect data, infrastructure and services from possible attacks. Security requirements in the cloud are very different from those of traditional environments. Since the cloud has a dynamic nature with little customer ownership of infrastructure, it has broken the traditional security architecture. We believe security should be the joint responsibility of the service provider and the organization, no matter what kind of service model is in use. Security will be more effective when layered at each level of cloud technology and integrated with a common management platform. There is hype around the cloud in the market, but companies are still not ready to put their business in the cloud, because security remains a prominent issue that holds back the growth of the cloud computing business. We focus on four areas, i.e. application security, information security, infrastructure security and security monitoring, by giving our own security model. This model protects organizational physical as well as virtual assets by providing better security options.

Keywords— Cloud computing, Threat, security

I. INTRODUCTION

The importance of Cloud Computing is increasing day by day and it is receiving huge attention in the scientific and industrial communities. Cloud Computing appears as a computational paradigm as well as a distributed architecture, and its main objective is to provide secure, quick and convenient data storage and net computing service, with all computing resources visualized as services and delivered over the Internet [1, 2]. Cloud computing is an affordable means of delivering IT services and gives access to a dynamic, scalable, virtualized environment. The cloud enhances collaboration, agility, scalability and availability, adapts to fluctuations in demand, accelerates development work, and provides potential for cost reduction through optimized and efficient computing [3, 4]. Cloud computing is a combination of different technologies such as virtualization, Web 2.0, service-oriented architecture and many more. Cloud computing has three distinct service models and three delivery models.

1.1 Service Model

In this section various types of service model(s) and their characteristics have been explained.

(a) Infrastructure as a Service Model: the service provider provides virtual and physical hardware as a service and the entire infrastructure is delivered over the internet. In this model the client has more security control. The provider provides networking, virtualization, servers and storage [11].

Characteristics of IaaS are:

1. Utility computing service and billing model
2. Automation of administrative tasks
3. Dynamic scaling
4. Desktop virtualization
5. Policy-based services
6. Internet connection

978-1-4799-4674-7/14/$31.00 © 2014 IEEE

Sumit Kr. Yadav (1), Fawaz S. Al-Anzi (2), Jyoti Soni (3)

(1) Indira Gandhi Delhi Technical University, Delhi, India; (2) Computer Engineering Department, Kuwait University, Kuwait; (3) Computer Engineering Department, Kuwait University, Kuwait

Figure 1. Cloud computing models

(b) Platform as a Service Model provides a platform for the development and deployment of software applications by supporting the entire application life cycle. The cloud provider is responsible for security and monitoring. The provider provides runtime, middleware, OS, networking, servers, storage and virtualization. Developers take several benefits from PaaS: OS features can be easily changed with PaaS [9, 10], and a geographically distributed development team can obtain service from diverse sources and work together on software development projects.

(c) Software as a Service Model: the consumer uses a hosted application through a web browser. In the SaaS model, security, management and control are the service provider's responsibility because the customer has minimal control or extensibility. By contrast, the PaaS model offers greater extensibility and greater customer control [13, 14]. Largely because of the relatively low degree of abstraction, IaaS offers greater tenant or customer control over security than does PaaS or SaaS [15]. Characteristics of SaaS are:

1. Computerized billing
2. Invoicing
3. Human Resource management
4. Collaboration
5. Document management
6. Service desk management

Figure 2. Resources in Cloud computing environment (labels in the figure: SAAS (Software as a Service), PAAS (Platform as a Service), IAAS (Infrastructure as a Service); PRIVATE, PUBLIC, HYBRID)

1.2 Delivery Models

(a) Private Cloud: In this model the cloud owner does not share their resources with any other organization. It is set up and maintained by an organization. Security can be very well implemented in this model [16, 17].

(b) Public Cloud: In this model services are provided on the internet, can be billed on a "pay per use" basis and are accessed by the web browser [8, 18, 19].

(c) Hybrid Cloud: A hybrid cloud is designed to meet the business and technology requirements of the customer. Generally a private cloud is associated with an external cloud.

2. CLOUD COMPUTING SECURITY ISSUES

Cloud computing is an emerging technology which delivers IT services online, on demand, with shared resources and lower cost [11]. The cloud has a lot of advantages, but is still suffering from various security related issues. One of the most prominent security issues is with privacy and compliance. We discuss various such issues in Table 1.

Table 1. Security threats in cloud environments (threat names according to the Cloud Security Alliance (CSA) [6]; each entry gives the threat followed by its description)

Abuse and Nefarious Use of Cloud Computing: The topmost threat of cloud computing is abuse and nefarious use, for example botnets used to spread spam and malware. An attacker can upload malware to thousands of computers and use cloud infrastructure to attack another machine.

Insecure Application Programming Interfaces: Through application programming interfaces a customer gets access to cloud services, so the security of the cloud depends on the security of the interface. APIs must be implemented with secure access control, authentication and encryption mechanisms.

Malicious Insiders: A malicious insider can get unauthorized access to cloud resources, which can be a great loss to the business.

Customer-data manipulation: SQL injection, command injection, insecure direct object references, and cross-site scripting are the possible attacks through which an attacker manipulates customer data.

Data Loss/Leakage: Data leakage happens when the data gets into the wrong hands while it is being transferred, stored, audited or processed.

Account, Service & Traffic Hijacking: Account theft is another issue; it can be performed in different ways such as social engineering and weak credentials. Examples of these threats are man-in-the-middle attacks, phishing and denial of service attacks.

Data scavenging: Data cannot be completely removed, and an attacker can reconstruct the data again.

Malicious VM creation: An attacker can create a VM image which contains malicious code such as a Trojan horse and store it in the provider's repository.
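The "Insecure Application Programming Interfaces" and "Account, Service & Traffic Hijacking" rows ask that a cloud API authenticate every call and resist replay. The block below is an added example, not code from the paper or from any provider's SDK, showing one way a service can do that: the client signs a canonical form of the request (method, path, timestamp, nonce, body hash) with a per-client secret using HMAC-SHA256, and the server checks the signature in constant time, rejects requests outside a freshness window, and refuses nonces it has already seen. The client id, secret, header names and request values are all constructed for the illustration.

```python
"""Added example (not from the paper): verifying HMAC-signed API requests.

Every call carries a client id, a timestamp, a nonce and a signature over
the canonical request. The server rejects unknown clients, stale requests,
replayed nonces and any request whose signature does not match. All client
ids, secrets and requests here are constructed for illustration.
"""
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumption: accept requests at most 5 minutes old

# Constructed per-client secrets; a real service would fetch these from a
# secrets store rather than embedding them in code.
CLIENT_SECRETS = {
    "client-42": b"constructed-secret-do-not-reuse",
}


def canonical_string(method, path, timestamp, nonce, body):
    """Bind method, path, time, nonce and body hash so none can be altered."""
    body_hash = hashlib.sha256(body).hexdigest()
    parts = [method.upper(), path, str(timestamp), nonce, body_hash]
    return "\n".join(parts).encode()


def sign_request(secret, method, path, timestamp, nonce, body):
    """Client side: HMAC-SHA256 over the canonical request string."""
    msg = canonical_string(method, path, timestamp, nonce, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class RequestVerifier:
    """Server side: authenticate a call and reject replays."""

    def __init__(self, secrets, max_skew=MAX_SKEW_SECONDS, clock=time.time):
        self.secrets = secrets
        self.max_skew = max_skew
        self.clock = clock          # injectable so the check is testable
        self.seen_nonces = {}       # nonce -> time after which it can be forgotten

    def _purge(self, now):
        """Drop nonces too old to be accepted anyway."""
        for nonce in [n for n, exp in self.seen_nonces.items() if exp <= now]:
            del self.seen_nonces[nonce]

    def verify(self, headers, method, path, body):
        """Return (accepted, reason) for one incoming request."""
        secret = self.secrets.get(headers.get("X-Client-Id"))
        if secret is None:
            return False, "unknown client"
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            provided = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        now = self.clock()
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside acceptance window"
        self._purge(now)
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = sign_request(secret, method, path, ts, nonce, body)
        if not hmac.compare_digest(expected, provided):   # constant-time compare
            return False, "bad signature"
        self.seen_nonces[nonce] = now + self.max_skew      # remember only valid nonces
        return True, "ok"


def demo():
    """Constructed scenario with a fixed clock; returns the verifier's reasons."""
    now = 1_700_000_000
    verifier = RequestVerifier(CLIENT_SECRETS, clock=lambda: now)
    secret = CLIENT_SECRETS["client-42"]
    body = b'{"action": "list"}'

    def headers(ts, nonce, sig):
        return {"X-Client-Id": "client-42", "X-Timestamp": str(ts),
                "X-Nonce": nonce, "X-Signature": sig}

    good_sig = sign_request(secret, "POST", "/v1/vms", now, "n1", body)
    verdicts = [
        verifier.verify(headers(now, "n1", good_sig), "POST", "/v1/vms", body),
        # identical request a second time: the nonce has already been used
        verifier.verify(headers(now, "n1", good_sig), "POST", "/v1/vms", body),
        # signature computed over "list" but the body was changed to "delete"
        verifier.verify(headers(now, "n2", sign_request(secret, "POST", "/v1/vms", now, "n2", body)),
                        "POST", "/v1/vms", b'{"action": "delete"}'),
        # correctly signed an hour ago: outside the acceptance window
        verifier.verify(headers(now - 3600, "n3",
                                sign_request(secret, "POST", "/v1/vms", now - 3600, "n3", body)),
                        "POST", "/v1/vms", body),
    ]
    return [reason for _, reason in verdicts]


if __name__ == "__main__":
    print(demo())
```

The nonce cache is only written after the signature check succeeds, so an unauthenticated sender cannot burn nonces, and it is bounded by the freshness window because anything older is rejected by the timestamp check first. Transport encryption (TLS) is still required: the signature proves origin and integrity but does not hide the body.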

3. SECURITY MODEL FOR CLOUD

For achieving business objectives all the security domains should work in an effective manner. Figure 3 represents how governance, the risk management plan and compliance act together to effectively enforce the security program at each layer. Security in the application layer is also important to enforce the access policies effectively.

Physical infrastructure security is also important to provide effective controls over the infrastructure within the organization, as physical presence is an important element of identity (otherwise physical access can easily compromise security) [11]. A thorough security model can be made more understandable with the help of figure 3.

Figure 3. Security model for cloud computing

3.1 Security Governance, Risk Management and Compliance

The fundamental responsibility of the organization is to identify and implement the processes, controls and organizational structure through which effective security governance, risk management and compliance can be achieved. Governance is any set of policies, laws and technologies that work within the organization and give direction to achieve a security objective [5, 6, 20]. Some responsibilities of the organization are:

1. Assess the risk of the cloud provider
2. Protect sensitive data
3. Understand legal issues
4. Information life cycle management
5. Portability and interoperability

The organization should implement a framework for effective risk management and measure the performance of the risk management framework with metrics. Service level agreements are implemented by an organization to ensure that security requirements are enforced [12].

3.2 People & Identity management

1. Only authorized user can access assets of organization.

2. Identity federation approach is applied for authentication and authorization.

3. We should rely on Single sign-on capability for user log on.

4. Managing identities and leveraging directory service to provide access control.

5. Web based identity management is a good option.

3.3 Application Security

1. Cloud provider should follow a secure development process.

2. XML signature and XML encryption method should be used to protect applications from XML attacks and web service attacks.

3.4 Information Security

1. Data and information security is the topmost concern.

2. Need to focus on how data is stored and processed, and on compliance and audit.

3. Standard encryption methods and managed encryption keys should be used to protect data privacy.

4. Policy-based security or trusted virtual domains should be implemented so that data/information problems can be solved [7].

5. An intrusion detection and prevention system should be built.
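Item 3 above (standard encryption with managed keys) and the "Data scavenging" row of Table 1 (data that cannot be completely removed from shared storage) fit together: if each record is encrypted under its own data key and the data keys are wrapped by a tenant key held in a key store, then destroying the tenant key leaves every residual copy of the data unreadable. The block below is an added example, not code from the paper or from any cloud provider; because the Python standard library has no AES, it uses an HMAC-SHA256 keystream with an encrypt-then-MAC tag as a stand-in for an AEAD such as AES-GCM, which is what a production system would use from a vetted library with a hardware-backed key store. The KeyStore class, key ids and sample record are constructed for the illustration.

```python
"""Added example (not from the paper): envelope encryption with key
destruction, so that scavenged ciphertext stays unreadable.

Stand-in cipher: HMAC-SHA256 keystream in counter mode plus an
encrypt-then-MAC tag, used only because the standard library has no AES.
Use AES-GCM or ChaCha20-Poly1305 from a vetted library in real systems.
All keys, ids and data below are constructed for illustration.
"""
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    """PRF-based keystream: HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def _derive(key, label):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def seal(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    """Verify the tag first, then decrypt; raise ValueError on tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyStore:
    """Constructed stand-in for a KMS/HSM holding key-encryption keys (KEKs)."""

    def __init__(self):
        self._keks = {}

    def create_kek(self, kek_id):
        self._keks[kek_id] = os.urandom(32)

    def wrap(self, kek_id, dek):
        return seal(self._keks[kek_id], dek)

    def unwrap(self, kek_id, wrapped):
        if kek_id not in self._keks:
            raise KeyError("KEK destroyed or unknown")
        return open_(self._keks[kek_id], wrapped)

    def destroy_kek(self, kek_id):
        """Crypto-shredding: once the KEK is gone, no wrapped DEK can be recovered."""
        self._keks.pop(kek_id, None)


def store_record(keystore, kek_id, plaintext):
    """Encrypt under a fresh per-record data key (DEK), wrap the DEK under the tenant KEK."""
    dek = os.urandom(32)
    return {"kek_id": kek_id,
            "wrapped_dek": keystore.wrap(kek_id, dek),
            "blob": seal(dek, plaintext)}


def read_record(keystore, record):
    dek = keystore.unwrap(record["kek_id"], record["wrapped_dek"])
    return open_(dek, record["blob"])


def tamper_detected(keystore, record):
    """Flip one ciphertext bit and confirm the tag check rejects the record."""
    blob = record["blob"]
    forged = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]
    try:
        read_record(keystore, dict(record, blob=forged))
    except ValueError:
        return True
    return False


def shred_and_check(keystore, record):
    """Destroy the tenant KEK and confirm the stored record is no longer readable."""
    keystore.destroy_kek(record["kek_id"])
    try:
        read_record(keystore, record)
    except KeyError:
        return True
    return False
```

The stored record carries only the wrapped data key and the ciphertext, so a copy left behind on a decommissioned disk or in a snapshot reveals nothing; the one thing that must be reliably destroyed is the tenant key inside the key store, which is a far smaller surface than every block the data ever touched.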

3.5 Physical Infrastructure Security

1. Safeguards including biometric access control and closed-circuit television (CCTV) monitoring.

2. Doors should be equipped with alarms.

3. A computer-based access control system (CAS) uses badge readers to restrict access to only those with approval to enter controlled areas.


3.6 Necessary steps for security of cloud [20]

4. CONCLUSION

Cloud computing provides many advantages, but today it is suffering from security problems. Security is the biggest concern of clients these days. If a client wants to take full advantage of cloud computing, the client must ensure data, infrastructure and application security. In this paper we provide a security model for the cloud which secures organizational physical and virtual assets.

5. REFERENCES

[1] Zhao G, Liu J, Tang Y, Sun W, Zhang F, Ye X, Tang N (2009) Cloud Computing: A Statistics Aspect of Users. In: First International Conference on Cloud Computing (CloudCom), Beijing, China. Springer Berlin, Heidelberg, pp 347–358

[2] Zhang S, Zhang S, Chen X, Huo X (2010) Cloud Computing Research and Development Trend. In: Second International Conference on Future Networks (ICFN'10), Sanya, Hainan, China. IEEE Computer Society, Washington, DC, USA, pp 93–97

[3] Cloud Security Alliance (2011) Security guidance for critical areas of focus in Cloud Computing V3.0. Available: https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf

[4] Khalid A (2010) Cloud Computing: applying issues in Small Business. In: International Conference on Signal Acquisition and Processing (ICSAP'10), pp 278–281

[5] Mather T, Kumaraswamy S, Latif S (2009) Cloud Security and Privacy. O'Reilly Media, Inc., Sebastopol, CA

[6] Ghemawat S, Gobioff H, Leung S (2003) The Google file system. In: Proceedings of the 19th Symposium on Operating Systems Principles (OSDI'2003), pp 29–43

[7] Li W, Ping L (2009) Trust model to enhance Security and interoperability of Cloud environment. In: Proceedings of the 1st International Conference on Cloud Computing. Springer Berlin Heidelberg, Beijing, China, pp 69–79

[8] Rittinghouse JW, Ransome JF (2009) Security in the Cloud. In: Cloud Computing: Implementation, Management, and Security. CRC Press

[9] Kitchenham B (2004) Procedures for performing systematic reviews. Software Engineering Group, Department of Computer Science, Keele University, United Kingdom and Empirical Software Engineering, National ICT Australia Ltd, Australia. TR/SE-0401

[10] Kitchenham B, Charters S (2007) Guidelines for performing systematic literature reviews in software engineering. Version 2.3. University of Keele (Software Engineering Group, School of Computer Science and Mathematics) and Durham University, Department of Computer Science, UK

[11] Cloud Security Alliance, http://www.cloudsecurityalliance.org

[12] Brereton P, Kitchenham BA, Budgen D, Turner M, Khalil M (2007) Lessons from applying the systematic literature review process within the software engineering domain. J Syst Softw 80(4):571–583

[13] Zissis D, Lekkas D (2012) Addressing cloud computing security issues. Future Generation Computer Systems 28(3):583–592

[14] Bhadauria R, Sanyal S (2012) Survey on Security Issues in Cloud Computing and Associated Mitigation Techniques. International Journal of Computer Applications 47

[15] Harnik D, et al. Secure access mechanism for cloud storage. Scalable Computing: Practice and Experience 12(3)

[16] Pappas V, et al. (2013) CloudFence: Data Flow Tracking as a Cloud Service. In: Research in Attacks, Intrusions, and Defenses. Springer Berlin Heidelberg, pp 411–431

[17] Seccombe A, et al. (2009) Security guidance for critical areas of focus in cloud computing, v2.1. Cloud Security Alliance

[18] Song D, et al. (2012) Cloud data protection for the masses. IEEE Computer 45(1):39–45

[19] Saidi MB, Marzouk A. Access Control Protocol for Cloud Systems Based On the Model TOrBAC.

[20] Eludiora S, et al. (2011) A User Identity Management Protocol for Cloud Computing Paradigm. International Journal of Communications, Network & System Sciences 4(3)
