
Volume 2, Issue 9, September 2013

648 www.ijarcsee.org

A Valued Analysis of Information Security, Threats and Solutions for Cloud Computing

Kranti Kumar Dewangan[1] Akash Wanjari [2] Somesh Kumar Dewangan [3]

Department of Computer Science & Engineering

Disha Institute of Management & Technology

Raipur, C.G., India

Abstract:- Cloud computing is a prospering technology that most organizations are considering for adoption as a cost-effective strategy for managing IT. However, organizations still consider the technology to be associated with many business risks that are not yet resolved. Such issues include security, privacy as well as legal and regulatory risks. We identify threats and security attributes applicable in cloud computing. We also select a framework suitable for identifying information security metrics. Cloud computing has become an increasingly popular means of delivering valuable, IT-enabled business services. Adopting cloud technology can be an affordable way to get access to a dynamically scalable, virtualized computing environment. The cloud provider is responsible for the environment, so organizations can make use of resources for short periods of time without having to maintain the environment when it is not being used. While cloud computing models are attractive because of their flexibility and cost effectiveness, certain challenges must be addressed in order to provide a viable option to traditional data services. First and foremost is the issue of security. The externalized aspect of outsourcing can make it harder to maintain data integrity and privacy, support data and service availability, demonstrate compliance, and secure highly available access to applications and information. In short, cloud computing can present an added level of risk. This paper discusses security, threats and availability-related challenges in cloud computing environments.

Introduction:- As more and more demands for Information Technology (IT) services rise, there are also increasing needs to expand IT architecture and infrastructures to provide more services. As a consequence, IT service providers are faced with the challenge of expanding their structures and infrastructures with small expenditure and in minimum time in order to meet rising demands from their customers. To address these business challenges and commercial interests, cloud computing architecture was developed. Cloud computing architecture is an environment of IT resources for particular services which is outsourced to customers [1]. In the context of cloud computing, the cloud service provider is known as the cloud provider, which is an organization that provides a cloud computing service. On the other hand, the organization that receives the cloud computing service is known as the cloud customer. Cloud computing is not a novel concept; however, it is rising now and it will have a major role in the next 10 years or more [1]. It is a growing concept for several reasons, including reduction in cost and energy consumption of the shared computing resources (servers, software, storage, and networking) [2]. It also enables effective usage of IT resources and increases flexibility for expanding new infrastructures in instant time.

1. Introduction:-

Cloud computing, an internet based computing


applications area of cloud computing not limited. It is the latest technology in the market. The topic of Cloud Computing is gaining more and more attention in the service research community. The main idea is to make applications available on flexible execution environments primarily located in the Internet. Several flavors are known, and three important ones are depicted in the figure below. Infrastructure as a service refers to the sharing of hardware resources for executing services, typically using virtualization technology. With this so-called Infrastructure as a Service (IaaS) approach, potentially multiple users use existing resources. The resources can easily be scaled up when demand increases, and are typically charged for on a pay-per-use basis. In the Platform as a Service (PaaS) approach, the offering also includes a software execution environment, such as an application server. In the Software as a Service (SaaS) approach, complete applications are hosted on the Internet so that, e.g., your word processing software is no longer installed locally on your PC but runs on a server in the network and is accessed through a web browser.

2. Cloud computing security

Key references such as CSA’s security guidance [4] and top threats analysis [6], ENISA’s security assessment [3] and the cloud computing definitions from NIST [5] highlight different security issues related to cloud computing that require further studies for being appropriately handled and, consequently, for enhancing technology acceptance and adoption. Emphasis is given to the distinction between services in the form of software (SaaS), platform (PaaS) and infrastructure (IaaS), which are commonly used as the fundamental basis for cloud service classification. However, no other methods are standardized or even employed to organize cloud computing security aspects apart from cloud deployment models, service types or traditional security models.

Aiming to concentrate and organize information related to cloud security and to facilitate future studies, in this section we identify the main problems in the area and group them into a model composed of seven categories, based on the aforementioned references. Namely, the categories are: network security, interfaces, data security, virtualization, governance, compliance and legal issues. Each category includes several potential security problems, resulting in a classification with subdivisions that highlights the main issues identified in the base references:

1. Network security: Problems associated with network communications and configurations regarding cloud computing infrastructures. The ideal network security solution is to have cloud services as an extension of customers’ existing internal networks [7], adopting the same protection measures and security precautions that are locally implemented and allowing them to extend local strategies to any remote resource or process [8].

(a) Transfer security: Distributed architectures, massive resource sharing and virtual machine (VM) instances synchronization imply more data in transit in the cloud, thus requiring VPN mechanisms for protecting the system against sniffing, spoofing, man-in-the-middle and side-channel attacks.

(b) Firewalling: Firewalls protect the provider’s internal cloud infrastructure against insiders and outsiders [9]. They also enable VM isolation, fine-grained filtering for addresses and ports, prevention of Denial-of-Service (DoS) and detection of external security assessment procedures. Efforts for developing consistent firewall and similar security measures specific for cloud environments [10,11] reveal the urge for adapting existing solutions for this new computing paradigm.

(c) Security configuration: Configuration of protocols, systems and technologies to provide the required levels of security and privacy without compromising performance or efficiency.

2. Interfaces: Concentrates all issues related to user, administrative and programming interfaces for using and controlling clouds.


(b) Administrative interface: Enables remote control of resources in an IaaS (VM management), development for PaaS (coding, deploying, testing) and application tools for SaaS (user access control, configurations).

(c) User interface: End-user interface for exploring provided resources and tools (the service itself), implying the need of adopting measures for securing the environment.

(d) Authentication: Mechanisms required to enable access to the cloud [14]. Most services rely on regular accounts [13,15,16] consequently being susceptible to a plethora of attacks whose consequences are boosted by multi-tenancy and resource sharing.

3. Data security: Protection of data in terms of confidentiality, availability and integrity (which can be applied not only to cloud environments, but any solution requiring basic security levels).

(a) Cryptography: Most employed practice to secure sensitive data [18], thoroughly required by industry, state and federal regulations.

(b) Redundancy: Essential to avoid data loss. Most business models rely on information technology for its core functionalities and processes [19] and, thus, mission-critical data integrity and availability must be ensured.

(c) Disposal: Elementary data disposal techniques are insufficient and are commonly referred to as deletion. In the cloud, the complete destruction of data, including log references and hidden backup registries, is an important requirement [20].

4. Virtualization: Isolation between VMs, hypervisor vulnerabilities and other problems associated with the use of virtualization technologies.

(a) Hypervisor vulnerabilities: The hypervisor is the main software component of virtualization. Even though there are known security vulnerabilities for hypervisors, solutions are still scarce and often proprietary, demanding further studies to harden these security aspects.

(b) Isolation: Although logically isolated, all VMs share the same hardware and consequently the same resources, allowing malicious entities to exploit data leaks and cross-VM attacks. The concept of isolation can also be applied to more fine-grained assets, such as computational resources, storage and memory.

(c) Data leakage: Exploit hypervisor vulnerabilities and lack of isolation controls in order to leak data from virtualized infrastructures, obtaining sensitive customer data and affecting confidentiality and integrity.

(d) Cross-VM attacks: Includes attempts to estimate provider traffic rates in order to steal cryptographic keys and increase chances of VM placement attacks. One example consists in overlapping memory and storage regions initially dedicated to a single virtual machine, which also enables other isolation-related attacks.

5. Governance: Issues related to (losing) administrative and security controls in cloud computing solutions [21].

(a) Data control: Moving data to the cloud means losing control over redundancy, location, file systems and other relevant configurations.

(b) Security control: Loss of governance over security mechanisms and policies, as terms of use prohibit customer-side vulnerability assessment and penetration tests while insufficient Service Level Agreements (SLA) lead to security gaps.

(c) Lock-in: User potential dependency on a particular service provider due to lack of well-established standards (protocols and data formats), consequently becoming particularly vulnerable to migrations and service termination.

6. Legal issues: Aspects related to judicial requirements and law, such as multiple data locations and privilege management.

(a) Data location: Customer data held in multiple jurisdictions depending on geographic location are affected, directly or indirectly, by subpoena law-enforcement measures.

(b) E-discovery: As a result of law-enforcement measures, hardware might be confiscated for investigations related to a particular customer, affecting all customers whose data were stored in the same hardware. Data disclosure is critical in this case.


(d) Legislation: Juridical concerns related to new concepts introduced by cloud computing.

3. Security concerns

The results obtained for the number of citations on security issues are shown in Figure 5. The three major problems identified in these references are legal issues, compliance and loss of control over data. These legal- and governance-related concerns are followed by the first technical issue, isolation, with 7% of citations. The least cited problems are related to security configuration concerns, loss of service (albeit this is also related to compliance, which is a major problem), firewalling and interfaces. Grouping the concerns using the categories presented in section “Cloud computing security” leads to the construction of Figure 6. This figure shows that legal and governance issues represent a clear majority with 73% of concern citations, showing a deep consideration of legal issues such as data location and e-discovery, or governance ones like loss of control over security and data. The most intensively evaluated technical issue (12%) is virtualization, followed by data security, interfaces and network security. Virtualization is one of the main novelties employed by cloud computing in terms of technologies employed, considering virtual infrastructures, scalability and resource sharing, and its related problems represent the first major technical concern.

Figure 1 Security Problems

4. Information security

Sys Admin, Audit, Network, Security (SANS) defines information security as processes and methodologies which are intended to protect sensitive information or data from unauthorized access, disclosure, modification, or use. The form of the protected data or information can be electronic, printed, or other forms. Information security encompasses three fundamental security attributes, namely confidentiality, availability and integrity. The presence of these attributes characterizes secured information. Besides these three fundamental attributes, non-repudiation and accountability complement the characteristics of secured information. The five attributes of information security are shown in figure 2.

Figure 2

The five attributes are described as follows:

i. Confidentiality. This attribute is concerned with protecting sensitive information from unauthorized disclosure.

ii. Integrity. This attribute is concerned with the accuracy, completeness and validity of information with regard to business requirements and expectations.

iii. Availability. This attribute is concerned with information being operational and accessible whenever it is required by the business process, now as well as in the future. Further, the information must be inaccessible to unauthorized users.

iv. Accountability. This attribute is concerned with


v. Non-repudiation. This attribute is concerned with the ability to prevent users from denying responsibility for the actions they performed.

5. Identified relevant security attributes

Through analysis, twenty-two (22) threats were identified in cloud computing, as summarized in figure 3, with detailed results presented in appendix A. These threats include unclear ownership and responsibility of data protection, identity theft, data theft, unauthorized modification, malware attacks, denial of service (DOS), lack of data segregation, data inconsistency, inadequate authentication and authorization, unauthorized access, eavesdropping, service disruption, phishing attack, audit difficulty, insecure interfaces and APIs, regulatory and legal issues, difficult bugs detection, and difficult intruder (malicious user) detection. Through brainstorming, we reached consensus on the security attributes applicable in cloud computing. These attributes are confidentiality, integrity, availability and accountability. The summary of the results is presented in table 1.

For instance, 36% of the identified threats affect confidentiality. These results show that all identified information security attributes are almost of relevancy to the cloud computing.

Usually threats exploit security weaknesses existing in the computing environment. The authors categorize threats into four classes, namely interception, interruption, modification and fabrication. If these threats become actualized, the result is a compromise of one or more security attributes, which are confidentiality, integrity, availability and accountability. Cloud computing being an emerging technology, we intended to identify threats in such a computing environment. We observed a lack of common vocabulary for the threats among the studies we found. As a result, we avoided listing threats with different names that in principle meant the same thing, and instead used the threat name we preferred. For instance, the Cloud Security Alliance (CSA) defines the “account or service hijacking” threat in cloud computing to include the phishing threat. However, we define phishing as its own threat and differentiate it from account or service hijacking.

We discovered that among the 21 threats, insecure data storage, malware attacks, DDOS/DOS attacks, and unauthorized access threats are the top threats discussed by most researchers. The researchers argue that the cloud provider might have full control over the customers’ information kept in the storage, which can lead to violation of customers’ privacy. For the malware attacks threat, Li et al. argue that as a public data center which is commonly accessed through internet browsers, the cloud is very prone to virus, intrusion and malicious attacks targeting the application layer data. In the case of the DDoS/DoS threat, Cayirci et al. present that this threat is attractive to attackers due to the massive number of customers, huge databases and high number of processes in a cloud computing environment. This scenario then attracts attackers to use multiple identities to consume as much cloud resource as possible. For unauthorized access threats, Paquette et al. argue that the physical data storage may be distributed among several servers over several regions, which may lead to easy security compromise.


to identify vulnerabilities in the target system. Considering these factors, it is therefore possible that some threats experienced in traditional computing may become harder to materialize in cloud computing. This is because in cloud computing the attacker is likely to encounter a different situation in achieving the intended objectives. For instance, in some circumstances the attacker may need very specialized knowledge and tools to successfully attack the target system. The threats which we consider might pose more challenges to the attacker in the cloud include DDoS and physical theft of hardware. DDoS may be considered harder in a cloud computing environment because it is expected to be more cost effective to establish geographically dispersed redundant computing resources than it would be in traditional computing. In the case of theft of hardware, it may also be considered more cost effective to have a physically secured datacenter in cloud computing than it would be in traditional computing. However, it should be clear that we did not investigate these issues deeply enough to draw a sound conclusion. It should also be noted that whether certain threats are better mitigated in cloud computing than in traditional computing will still depend on the security soundness of a specific cloud provider in collaboration with its customers. We are therefore of the opinion that the matter still warrants future in-depth investigation. We advise organizations to consider all these threats, and to prioritize and mitigate those threats that are most likely to affect their outsourced cloud computing services.

Figure 3

6. Information security attributes and threats in cloud computing

Information security in cloud computing environment is gaining more attention from the academia. Further, this suggests that the public community is striving to address information security issues in the cloud which has been


denial of service are among the threats in traditional computing. Pfleeger and Pfleeger argue that information security threats ultimately compromise the security attributes namely confidentiality, integrity and availability. Among the threats identified by include repudiation, social engineering attacks, deliberate acts of theft, willful damages, unauthorized use, and deviations in quality of service.

We observe some commonality when we compare the threats identified in this study, as presented in section 7, with those presented by Pfleeger and Pfleeger as well as by Samy et al. This suggests that cloud computing is exposed to the same information security threats as traditional computing. This conclusion is in agreement with CSA, who argues that security controls in cloud computing are the same as those in a traditional computing environment. CSA further argues that, depending on the cloud computing model deployed, organizations operating in the cloud are likely to face more challenging threats.

Figure 4

The results presented in figure 2 identify four information security attributes, namely confidentiality, integrity, availability and accountability. Figure 4 further presents that confidentiality, integrity, availability and accountability recorded 36%, 22%, 25% and 17% respectively. These results suggest that of the four attributes identified, confidentiality is considered more important, followed by availability, integrity and accountability. Based on these results, it is apparent that the identified attributes are the same as those presented by previous researchers for traditional computing. The fact that non-repudiation was not identified as one of the attributes of information security may be due to the lack of common vocabulary in information security as a discipline. This argument may be considered true, as even Pfleeger and Pfleeger do not present non-repudiation as an attribute of information security. In fact, Pfleeger and Pfleeger only present three attributes, namely confidentiality, integrity and availability. This may also be attributed to the fact that cloud computing is still an immature technology. Despite this discrepancy, we argue that non-repudiation is among the attributes of information security and is even more important to consider in cloud computing. This is because in cloud computing most computing resources are managed by the cloud provider, whilst the cloud customers still wish to maintain control over the services. In other words, parties involved in the cloud should not be in a situation whereby one of them can deny having participated in committing a certain transaction.

7. LIST OF THREATS AND SECURITY ATTRIBUTES APPLICABLE IN CLOUD COMPUTING

The main outcome of phase 1 of this study is to identify threats and security attributes


| S/N | Threats | Threat Description | Security Attribute Affected |
|---|---|---|---|
| 1 | Unclear ownership and responsibility of data protection | Lack of clear ownership and defined responsibilities for data protection may result in failure of meeting regulatory and legal obligations | Accountability |
| 2 | Identity theft | Identity theft in the cloud may lead to compromise of confidentiality and integrity of the data | Integrity/Confidentiality (Authorization/Authentication) |
| 3 | Unauthorized modification | Unauthorized modification of virtual images due to lack of adequate access controls | Confidentiality, Integrity, Availability |
| 4 | Data theft | Data in the cloud machine is not encrypted, which results in breach of confidentiality | Confidentiality |
| 5 | Malware attacks | Cloud clients may be attacked by malware injected in the cloud or in the network connection between cloud customer and cloud provider. Malware includes rootkit attacks, Trojan horses, Cross-Site Scripting (XSS) attacks and viruses. | Confidentiality, Integrity, Availability |
| 6 | Denial of service/Distributed Denial of Service (DOS/DDOS) | As a web-based service, the cloud is vulnerable to DOS attacks leading to unavailability of cloud computing services | Availability |
| 7 | Lack of data segregation | In a multi-tenancy cloud environment, there is a risk of one customer accessing or compromising data of other customers | Confidentiality, Integrity, Availability |
| 8 | Unauthorized access | Rogue users and the service provider’s staff may access cloud customers’ data due to extension of organization boundaries in the cloud | Integrity, Availability, Confidentiality |
| 9 | Data loss | Risks of losing data due to sharing in the cloud | Availability, Confidentiality |
| 10 | Data inconsistency | Risks of data inconsistency due to interfacing with internal systems that are not in the cloud. Further, data inconsistency may be caused by dynamic update (insertion, deletion, modification) from multiple customers. | |
| 11 | Eavesdropping | Data interception, as the data might be transmitted in clear form | Confidentiality |
| 12 | Loss of business | Risk of cloud provider going out of business | Availability, Accountability |
| 13 | Insecure data storage | The risk of data being stored at an untrusted cloud provider, resulting in compromise of privacy and data confidentiality. | Confidentiality |
| 14 | Cloud provider espionage | The worry of theft of company proprietary information by the cloud provider. | Confidentiality |
| 15 | Service disruption | Disruption of business operations due to breakdown, unavailability of cloud services, or insufficient resource capacity provided by the cloud provider. | Availability |
| 16 | Phishing attack | Phishing/social engineering attacks on the cloud provider | Confidentiality |
| 17 | Audit difficulty | Audit difficulty of third-party cloud provider, as the data may be distributed across several geographical locations | Accountability |
| 18 | Insecure Interfaces and APIs | Insecure APIs, including weak authentication and access control, may compromise cloud customers’ information | Accountability |
| 19 | Regulatory and legal issues | Difficult to enforce customers’ IT legal and regulatory issues as the data is stored outside the organizations | Confidentiality, Integrity |
| 20 | Difficult bugs detection | Cloud providers face difficulty in detecting bugs in the cloud environment as it has a huge database as well as a high number of services and customers | |
| 21 | Difficult intruder (malicious user) detection | Difficult to detect intruders as the cloud is accessed by multiple users from many different customers using simple devices. | |


8. Security solutions

When analyzing citations for solutions, we used the same approach described in the beginning of this section. The results are presented in Figure 5, which shows the percentage of solutions in each category defined in section “Cloud computing security”, and also in Figure 6, which highlights the contribution of each individual sub-category. Looking at figure 6, it is easy to observe that the number of citations covering security problems related to legal issues, compliance and governance is high (respectively 24%, 22%, and 17%); however, the same also happens when we consider the number of references proposing solutions for those issues (which represent respectively 29%, 27%, and 14% of the total number of citations). The situation is completely different when we analyze technical aspects such as virtualization, isolation and data leakage. Indeed, virtualization accounts for 12% of problem references and only 3% for solutions. Isolation is a perfect example of such discrepancy, as the number of citations for such problems represents 7% in Figure 5, while solutions correspond to only 1% of the graph from Figure 6. We note that, for this specific issue, special care has been taken when assessing the most popular virtual machine solution providers, aiming to verify their concerns and available solutions. A conclusion that can be drawn from this situation is that such concerns are also significant, yet little is available in terms of solutions. This indicates the need to evaluate potential areas still to be developed in order to provide better security conditions when migrating data and processes to the cloud.

Figure 5


9. Conclusion:- In this paper we discuss different threats and different types of solutions to prevent the threats in cloud computing.

8. REFERENCES

1. IDC (2009) Cloud Computing 2010 – An IDC

2. Armbrust M, Fox A, Griffith R, Joseph AD, Katz RH, Konwinski A, Lee Above the Clouds: Gonzalez et al. Journal of Cloud Computing: Advances, Systems and Applications 2012

3. Catteddu D, Hogben G (2009) Benefits, risks and recommendations for information security. Tech. rep., European Network and Information Security Agency

4. CSA (2009) Security Guidance for Critical Areas of Focus in Cloud Computing. Tech. rep., Cloud Security Alliance

5. Mell P, Grance T (2009) The NIST Definition of Cloud Computing.

6. Hubbard D, Jr LJH, Sutton M (2010) Top Threats to Cloud Computing. Tech. rep., Cloud Security Alliance.

7. Tompkins D (2009) Security for Cloud-based Enterprise Applications.

8. Jensen M, Schwenk J, Gruschka N, Iacono LL (2009) On Technical Security

9. TrendMicro (2010) Cloud Computing Security - Making Virtual Machines Cloud-Ready. Trend Micro White Paper

10. Genovese S (2009) Akamai Introduces Cloud-Based Firewall.

11. Hulme GV (2011) CloudPassage aims to ease cloud server security management.

12. Google (2011) Google App Engine. code.google.com/appengine

13. Amazon (2011) Elastic Compute Cloud (EC2). aws.amazon.com/ec2/

14. Kaufman C, Venkatapathy R (2010) Windows Azure Security Overview.

15. Musthaler L (2009) Cost-effective data encryption in the cloud. Network World

16. Lyle M (2011) Redundancy in Data Storage. Define the Cloud

17. Mogull R (2009) Cloud Data Security: Archive and Delete (Rough Cut). securosis.com/blog/cloud-data-security-archive-and-delete-rough-cut/

18. Brandic I, Dustdar S, Anstett T, Schumm D, Leymann F (2010) Compliant Cloud Computing (C3): Architecture and Language Support for User-driven Compliance Management in Clouds. In: 2010 IEEE 3rd International Conference on Cloud Computing. pp 244–251

19. Brodkin J (2008) Gartner: Seven cloud computing security risks. http://www.infoworld.com/d/security- entral/gartner-seven-cloudcomputing-security-risks-853

20. Kandukuri BR, Paturi R, Rakshit A (2009) Cloud Security Issues. In: Proceedings of the 2009 IEEE International Conference on Services Computing, SCC ’09

21. Young E (2009) Cloud Computing - The role of internal audit

22. Ramireddy S, Chakraborthy R, Raghu TS, Rao HR (2010) Privacy and Security Practices in the Arena of Cloud Computing - A Research in Progress.

23. NIST (2011) NIST Cloud Computing Reference Architecture: SP 500-292. http://collaborate.nist.gov/twiki-cloud- computing/pub/
