Security Issues in Cloud Computing
Mutum Zico Meetei
Department of Mathematics Jazan University Jazan, Saudi Arabia
Anita Goel
Department of Computer Science Dyal Singh College, University of Delhi
Delhi, India Abstract—Cloud computing provides the ability to utilize
scalable, distributed computing environments via the Internet. Over the years, cloud computing has grown from being a promising business concept to a fast growing sector in IT organizations. It has emerged as a promising hosting platform that allows an intelligent usage of a collection of applications, information and infrastructure comprised of pools of computer, network and storage resources. However, enterprise customers are still reluctant to deploy their business in the cloud. Security is one of the key factor which hampers growth of cloud computing. Some of the fundamental security challenges are data storage security, data transmission security, application security and security related to third-part resources. This paper focuses on security issues arising from the usage of cloud services.
Keywords-Cloud Computing, Security, Cloud Assessment
I. INTRODUCTION
There is little consensus on how to define cloud computing. It is precisely defined as an era of Internet-based development and computer technology. Cloud computing is a specialized distributed computing paradigm that offers dynamically scalable resources provisioned as a service over Internet. There are three main factors contributing to the surge and interests in Cloud Computing [1] - (1) a decrease in hardware cost and increase in computing power and storage capacity, and advent of multi-core architecture and modern supercomputers consisting of hundreds of thousands of cores; (2) exponentially growing data size in scientific instrumentation/simulation and Internet publishing and archiving; and (3) wide-spread adoption of services computing and web applications.
Cloud in general provides services at three different levels - Software as Service (SaaS), Platform as Service (PaaS) and Infrastructure as a Service (IaaS). SaaS is a software development model where applications are remotely hosted by an application or service provider and made available to customer via the Internet. SaaS offers customer with significant benefits, such as improved operational efficiency and reduced cost.
SaaS delivers special-purpose software that is remotely accessible by consumers via the Internet with a usage-based pricing model. Sales force is an industry leader in providing online CRM (Customer Relationship Management) services. Live Mesh from Microsoft allows files and folders to be shared and synchronized across multiple devices.
PaaS offers a high level integrated environment to build, test, and deploy custom applications. Generally, developers
will need to accept some restrictions on the type of software they can write in exchange for built-in application scalability. An example is Google’s App Engine [2], which enables users to build web applications on the same scalable systems that power Google applications.
IaaS provides hardware and software and equipment to deliver software application environments with a resource usage-based pricing model. It changes the way developers deploy their applications. Typical examples are Amazon EC2 (Elastic Cloud Computing) Service [3] and S3 (Simple Storage Service) [4] where compute and storage infrastructures are open to public access with a utility pricing model.
All these levels come with a promise to reduce expenditure and infrastructure. They offer a wide variety of products and advanced capabilities, automated scalability, pay-per-use, and on-demand provisioning. In spite of these advantages, security is most relevant inconvenience for fastening widespread adoption of the cloud, for many business-critical computations [5].
This paper describes various categories of security issues arising from usage of the cloud services. The underlying technology of cloud itself provides a major security threat. The paper is structured as follows: Section II describes types of cloud models. Section III discusses cloud computing open security. Section IV discusses cloud security assessment and Section V states the conclusion.
II. CLOUD COMPUTING
Cloud computing promises reliable services delivered through next-generation data centers that are built on Internet. Consumers are able to access applications and data from a cloud anywhere in the world, on demand. It is one of today’s most exciting technologies due to its ability to reduce costs associated with computing while increasing flexibility and scalability for computer process [15]. Recently, cloud computing paradigm has emerged as an energy efficient approach which enables ubiquitous, on-demand network accesses to a shared pool of flexibly reconfigurable computing resources including networks, servers, storage, applications, and services that can be rapidly deployed with minimal management effort or service provider interactions [16]. Cloud computing is a result of convergence of Grid computing, Utility computing and SaaS, and essentially represents the increasing trend towards external deployment of IT resources, such as computational power, storage or business applications, and obtaining them as services [6].
The availability service providers or models in cloud are SaaS, PaaS and IaaS. Depending of the types of resources provided by the cloud, distinct models are defined in Fig. 1.
SaaS PaaS IaaS
Figure 1. Cloud models and its accessibility
The right hand model provides basic components such as CPUs, memory, and storage, and it is denoted as IaaS. On top of IaaS, platform-oriented services allow usage of hosting environments tailored to a specific need. Web services are commonly used to provide access to IaaS. The left hand model provides its users with ready to use applications also known as SaaS. Web browser is used for accessing SaaS. The platform as service (PaaS) enables to deploy and dynamically scale web applications. In this case both the browser and web services approaches are found.
Currently there are four types of cloud development models offered, namely, a public, private, community and hybrid cloud.
A. Public Cloud
This model allows users to access the cloud via interfaces using mainstream web browsers. It is typically based on a pay-per-use model, similar to a prepaid electricity metering system which is flexible enough to cater for spikes in demand for cloud optimization [7]. Public clouds are less secure than other models because it places an additional observation to ensure all applications and data accessed on the public cloud are not subjected to malicious attacks.
B. Private Cloud
This model is operated for a private organization. It may be managed by the organization or third party. It is easy to align with security, compliance, and regulatory requirements, and provides more enterprise control over development and use. Utilization on the private cloud is more secure because of its specified internal exposure.
C. Community Cloud
A community cloud is shared by several organizations and supports a specific community that has communal concerns such as, mission, security, requirements, policy and compliance considerations. The goal of a community cloud is to have participating organizations realize the benefits of a public cloud such as multi-tenancy and a pay-as-you-go billing structure; with an added level of privacy, security and policy compliance, usually associated with a private cloud. The community cloud can be either on-premise or off-premise, and can be governed by participating organizations or by a third-party managed service provider.
D. Hybrid Cloud
A hybrid cloud is a composition of two or more clouds at least one private cloud and one public cloud. A hybrid cloud is typically offered in one of two ways: a vendor has a private cloud and forms a partnership with a public cloud provider, or a public cloud provider forms a partnership with a vendor that provides private cloud platforms. It provides more secure control of data and applications, and allows various parties to access information through Internet.
Fig. 2 shows pattern of cloud computing [8]. It is viewed as one of the most promising technology in computing today, inherently able to address a number of issues.
Figure 2. Cloud Computing Pattern
A number of key characteristics of cloud computing have been identified such as flexibility, elasticity, scalability of infrastructure, broad network access, location independent, reliability, economy of scale, cost effectiveness, and sustainability.
The implementation of cloud often contains advance security techniques, mostly available due to centralization of data and universal pattern. The homogenous resource pooled nature of cloud enables the provider to focus on all their security resources on securing the cloud pattern. However adoption of this pattern may introduce a number of security issues. These security issues are based on the cloud development model through which it is being delivered. Public cloud is often exposed to major risk where as private cloud seems to have lesser impact. In hybrid model, the data are outside of the premise infrastructure at some time. The hybrid cloud security is not just about the data, but also its location. It is required to ensure that location of the data has the right logical and physical security, and met all relevant standards. The cloud development model is illustrated in Table I.
TABLE I. CLOUD DEVELOPMENT MODEL
Type Management Location Access
Public cloud Third-party Off-premise Untrusted Private/community cloud Organisation or third-party On-premise or off-premise Trusted Hybrid cloud and third-part Organisation
On-premise and off-premise Trusted and Untrusted III. CLOUD COMPUTING OPEN SECURITY A. Data Storage Security
The cloud has different architecture based on the services they provided. In cloud computing, customers store their data in the cloud and no longer possess the data locally. Thus correctness and availability of the data file being stored on the cloud servers must be guaranteed. One of the key issues is to effectively detect any unauthorized data modification and corruption. From the perspective of data security, this has always been an important aspect of quality of service.
Cloud computing inevitably poses new challenging security threats since traditional cryptographic primitives. Data security protection cannot be directly adopted due to users’ loss of control of data under cloud computing. Therefore, verification of correct data storage in the cloud must be conducted without explicit knowledge of the whole data. Secondly, cloud computing is not just a third party data warehouse. The data stored in the cloud may be frequently updated by the users, including insertion, deletion, modification, appending, reordering, etc. To ensure storage correctness under dynamic data update is hence of paramount importance. However, this dynamic feature also makes traditional integrity insurance techniques futile and entails new solutions. Last but not the least, the deployment of cloud computing is powered by data centers running in a simultaneous, cooperated and distributed manner. Individual user’s data is redundantly stored in multiple physical locations to further reduce the data integrity threats. Therefore, distributed protocols for storage correctness assurance will be of most importance in achieving a robust and secure cloud data storage system in the real world [9].
Methods of data storage protection, such as redaction, truncations, obfuscation, and other, should be viewed with great concern. The data storage security pattern in cloud is illustrated in Fig. 3.
Figure 3. Data storage security pattern in Cloud
The third part services within the cloud, lead to establishment of necessary trust level and provide solution to security services. The data is stored in a centralized location
called cloud storage server, having a large size of data storage. Its processing is somewhere on servers, so the client has to trust the provider on availability as well as data security. The service level agreement has to be standardized to gain trust between the providers and the client.
B. Data Transmission Security
Internet is communication infrastructure for cloud providers to transfer their data. Providing secure and efficient transmission of data is an important component of cloud computing and forms the foundation for information management and other operations
Some of the threat events compromising data transmission security are given as follows:
• Cross site Scripting (XSS): script executes in victims browsers to hijack user sessions, deface web sites, and introduce worms etc [10].
• Injection Flaws: the data sent by the users to a web application is not properly validated, which can manipulate a query on the server.
• Malicious File Execution: XML or any other
framework which accepts a file from the user is vulnerable to this attack, as the file can contain a malicious script.
• XML corrupt: XML traffic between the server and the browser is poisoned and corrupted.
• Insecure Cryptographic Storage: web applications which do not use cryptographic functions to protect data transmission lead to an attack
• Insecure Communication: failing to encrypt network traffic leads to an attack.
C. Application Security
Application security is the use of software, hardware, and procedural methods to protect applications from external threats. Security measures built into applications and a sound application security routine minimize likelihood that hackers will be able to manipulate applications and access, steal, modify, or delete sensitive data. Security is becoming an increasingly important concern during development, as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of threats.
SaaS is the software developed over the internet to run behind a firewall in local area network or personal computer. The main characteristics include Network-based access to, and management of, commercially available software and managing activities from central locations rather than at each customer’s site, enabling customers to access application remotely via the web. Attacks targeting applications, software, and services were far most common technique, representing 39% of all the hacking activity leading to data compromise [11]. Some of the current application security threats are: Injection flaw like SQL, Cross-site scripting, Broken authentication, Insecure direct object reference, Cross-site request forgery, Security miss configuration, Insecure cryptographic storage, Failure to restrict URL access, Cloud Storage server Third Party User Data Flow Securit Security
Insufficient transport layer protection and invalidated redirects and forwards. The security requirements at the application level are summarized as follows:
• Privacy in multitenant environment • Data protection from exposure (remnants) • Access control
• Communication protection • Software security
• Service availability D. Security on Cloud Integrity
When running an application on cloud system, requires configuring a suitable backup routine so that it is safe in the event of a data-loss incident. It does not matter if this is a corrupt entry in a database file, deletion of user data or even a more disastrous data loss. Usually, the data requires to backup to portable media on a regular basis.
IaaS or explicit service implementation modules (PaaS) are responsibility of a cloud computing system. Cloud system is responsible for determining and eventually instantiating a free-to-use instance of requested service implementation type on request of any user. Then, the address for accessing that new instance is to be communicated back to the requesting user. Generally, this task requires some metadata on the service implementation modules, at least for identification purposes. For the specific PaaS, case of web services provided via the cloud, this metadata may also cover all web service description documents related to the specific service implementation. For instance, the web service description document itself should not only be present within the service implementation instance, but also be provided by the cloud system in order to deliver it to its users on demand. Most of these metadata descriptions are usually required by any user prior to service invocation in order to determine the appropriateness of a service for a specific purpose. Thus, these metadata should be stored outside of the cloud system, resulting in a necessity to maintain the correct association of metadata and service implementation instances [17].
E. Security related to Third-Party
In cryptography, a Trusted Third Party (TTP) is an entity which facilitates secure interactions between two parties. The scope of a TTP within the cloud is to provide end-to-end security services, which are scalable, based on standards and useful across different domains, geographical areas and specialization sectors. The establishment and the assurance of a trust relationship between two transacting parties shall be concluded as a result of specific acceptances, techniques and mechanisms. The Third Party reviews all critical transaction communications between the parties, based on the ease of creating fraudulent digital content. Introducing a Trusted Third Party can specifically address loss of traditional security boundary by producing trusted security domains. A Trusted Third Party is an impartial organization delivering business confidence, through commercial and technical security features, to an electronic transaction. It supplies technically and
legally reliable means of carrying out, facilitating, producing independent evidence about and/or arbitrating on an electronic transaction. Its services are provided and underwritten by technical, legal, financial and/or structural means [12].
The data and applications held by a third party are complex; there is also a potential lack of control and transparency when a third party holds the data. Some of the security requirements on third part are as follows:
• Low and High level confidentiality, • Server and Client Authentication, • Creation of Security Domain,
• Cryptographic Separation of Data, and • Certificate-Based Authorization.
IV. CLOUD SECURITY ASSESSMENT A. Risk of Cloud Computing
The European Network and Information Security Agency (ENISA), provides a basic description of the potential risks involved with cloud computing [18]. Threats are identified by analyzing different use cases. It also provides an approach to determine the likelihood and impact of each threat, and the risk levels are estimated by using a risk estimation table which is based on ISO/IEC 27005:2008. Security risk on cloud computing would be high, if both the probability of the event and its impacts are high. Risks are divided into four categories:
• Policy and Organization risk • Legal risk
• Technical risk
• Risk not specified to the cloud.
The security risk assessment provides a significant role in increasing trust in a commercial service, and thus helps to the adoption of cloud computing. The traditional assessment need to refine in order to fit the dynamic nature of cloud.
B. Probability of Risk
Security risk may be defined as a combination of probability or frequency of security threat event and magnitude of its consequence, using their product [12]. Evaluating the probability of threats on the current cloud security is not easy, due to lack of sufficient updated data. For example, in case of spoofing attacks, critical data need is the frequency of occurrence of such attacks on all enterprise systems. However such data are not readily available.
According to SANS report [13], attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. The data breach cases investigated by Verizon Business during 2012, 29% involved exploitation of default or guessable passwords [14]. Password exploits were followed by backdoor malware at 26%; use of stolen log-in credentials (24%); exploitation of backdoor or command and control
channels (23%); key loggers and spyware (18%); and SQL injection attacks (13%).
TABLE II. PROBABILITY OF THREAT ON SECURITY
Attack Type Number of events reports transactions Number of P
Default password X1 t1 0.29 Backdoor malware X2 t2 0.26 Log in Credentials X3 t3 0.24 Exploitation of control channels X4 t4 0.23 Spyware X5 t5 0.18 SQL Injection X6 t6 0.13
We can calculate probability P of threat on security, if we assume that a given server system is accessed t times for SQL queries during a day and among them x events were Injection attacks. Table II, shows the probability of seven major threats on Enterprise Internet system.
The mean of Risk or Expected value of threat λ, is given as:
n λ = Σ xi pi
i=1
The probability of occurrence of next k threat on security can be calculated by using the Poisson approximation. To be precise, let us assume a time interval [0, t] and denoted by number of event x within the interval. We break the interval into n nonoverlapping subintervals, each of length t/n.
Then letting ∞
P(k) = λ λ
! where k = 1, 2, 3,…,n.
Once the probability of threat on cloud security is calculated, it would be useful to identify high risk threats on cloud security.
V. CONCLUSION
In this paper, the focus is on security issues in cloud computing. It is a vital to take security and privacy into account when designing and using cloud computing services. We discussed security challenges such as data storage security, data transmission security, application security, security on cloud integrity and security related to third-part resources. To identify high risk threat on the cloud security, a probability of threat is also derived. We conclude that to enhance the revolutionary of
cloud computing in the Internet, it is essential to strengthen the security capabilities.
REFERENCES
[1] I. Foster, Y. Zhao, I.Raicu, S.Lu, “Cloud Computing and Grid Computing 360-Degree Compared,” CoRR, abs/0901.0131, 2009.
[2] Google App Engine, http://code.google.com/appengine/, 2012.
[3] Amazon Elastic Compute Cloud (Amazon EC2),
http://aws.amazon.com/ec2, accessed on 2012.
[4] Amazon Simple Storage Service (Amazon S3),
http://aws.amazon.com/s3, accessed on 2012.
[5] Y. Chen, V. Paxson, RH. Katz, “Whats new about cloud computing security,” Tech.Rep.UCB/EECS-2010-5, EECS Department, University of California, Berkeley, 2010.
[6] K. Stanoevska-Slabeva, T. Wozniak, “Grid and Cloud Computing-A Business Perspective on Technology and Applications,” Springer-Verlag, Berlin, Heidelberg, 2010.
[7] S. Ramgovind, MM. Eloff and E.Smith, “The Management of Security in Cloud Computing,” Information Security for South Africa (ISSA), IEEE, 2010.
[8] Open Security Architecture, http://www.opensecurityarchitecture.org/ ,access on 2012.
[9] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou, "Enabling public verifiability and data dynamics for storage security in cloud computing," in Proc. of ESORICS'09, Saint Malo, France, Sep. 2009.
[10] P. Saripalli, and B. Walters, "QUIRC: A Quantitative Impact and Risk Assessment Framework for Cloud Security," 2010 IEEE 3rd Intl. Conf. on Cloud Computing; Miami, FL, July, 2010.
[11] D. Zissis, D. Lekkas, ‘‘Addressing cloud computing security issues,’’
Future Generation Computer Systems, 1---10, 2010.
[12] K.P. Saripalli, N.M Mahasenan, and E.M Cook, Risk and hazard
assessment for projects involving the geological sequestration of CO2 In: Gale, J. and Y. Kaya (eds.) Sixth International Greenhouse Gas
Control Conference, Kyoto, Japan, pp. 285–289, Elsevier Ltd. 2003.
[13] The Top Cyber Security Risks, SAN Institute Report (Sept. 2009)
http://www.sans.org/top-cyber-security-risks/,accessed on 2012.
[14] RSA: Five Top Internet Security Threats in 2012 http://www.notebookreview.com/default.asp?newsID=6310, accessed on 2012.
[15] F.Sabahi, “Cloud Computing Security Threats and Responses,” International Conference on Communication Software and Networks ( ICCSN) , IEEE, 2011.
[16] J. Li, B. Li, T. Wo, C. Hu, J. Huai, L. Liu, K. Lam, “Cyberguarder: a virtualization security assurance architecture for green cloud computing,” Future Generation Computer Systems, 28 (2) pp. 379–390, 2012.
[17] J.-S. Pan, S.-M. Chen, N.T. Nguyen (Eds.), “On cloud Computing Security Issues,” ACIIDS 2012, Part II, LNAI 7197, pp. 560–569, 2012. [18] IDC Cloud Computing 2012, “IT Cloud Services Forecast,”
![Fig. 2 shows pattern of cloud computing [8]. It is viewed as one of the most promising technology in computing today, inherently able to address a number of issues](https://thumb-us.123doks.com/thumbv2/123dok_us/804175.2601640/2.892.467.847.327.659/pattern-computing-viewed-promising-technology-computing-inherently-address.webp)
