Reviewing the Security Challenges and their
Countermeasures in Cloud Computing
Kamayani
Assistant Professor, PG Dept of Computer Science, BBK DAV College for Women, Amritsar
Email id: [email protected]
A B S T R A C T
Cloud computing is an internet based computing model composed of hardware, software, networking and service components which are available to users anywhere, anytime on demand. It eliminates the requirements for setting up of high-cost computing infrastructure for IT-based solutions and services needed by an organization. However, cloud Computing presents an added level of risk as the essential services are often outsourced to a third party, which results in several security and privacy challenges that need to be addressed. This paper aims at presenting the important threats to cloud computing and their possible solutions.
Indexed Terms: attacks, challenges, cloud computing, countermeasures, hacker, security
I. INTRODUCTION
Cloud computing can be defined as a model devised for providing convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction, and consumed on a pay-per-use basis. Cloud computing refers to both the applications delivered as services over the Internet and the hardware and systems software in the datacenters that provide those services.
In a cloud based computing infrastructure, the resources are normally in someone else's premise or network and accessed remotely by the cloud users. Processing is done remotely implying the fact that the data and other elements from a person need to be transmitted to the cloud infrastructure or server for processing; and the output is returned upon completion of required processing [1].
The importance of Cloud Computing is increasing and irrespective of the size of the companies, more and more companies are adopting this new economical computing resource in their environment. A study by Gartner [2] considered Cloud Computing as the first among the top 10 most important technologies and with a better prospect in successive years by companies and organizations. Many companies and organizations are seriously considering the adoption of cloud computing to cut down on costs and benefit from the new opportunities and alternatives that it offers.
Though cloud computing aim at providing better utilization of resources at low cost, it is fraught with several threats primary being the security. The main reason behind the security issue faced by cloud computing is due to the basic architecture of cloud which uses distributed resources in an open environment. The risks, threats, vulnerabilities and possible countermeasures associated with cloud computing need to be understood clearly before adopting it.
II. SECURITY CONCERNS
Cloud computing due to its multi-tenancy architecture faces a number of security challenges. Cloud computing and cloud service providers need to address a number of challenges that affects security in the cloud.
According to Schneir “security is both a feeling and a reality. And they are not the same”. The reality of security is based on the probability of different risks and how effective the various mitigation strategies are in place in dealing with the perceived risks. Security is also a feeling based on the psychological reaction to both the risks and the countermeasures [3]. Hence, cloud computing need to address the potential security risks effectively so that the clients feel safe and secure. Compared to traditional technologies, the cloud offers distributed, heterogeneous and totally virtualized resources to its client. Therefore, traditional security mechanisms such as identity, authentication, and authorization are no longer enough for clouds in their current form [4]. Following are some of the common security issues experienced in cloud computing.
A. SQL Injection Attack
In this type of attack a malicious code is inserted into a standard SQL code which enables attackers to gain unauthorized access to a database containing sensitive information. In this attack, hackers use special characters in order to retrieve data from tables. For example in the where clause if we use the condition 1=1, this may return the entire table since 1=1 is always true.
B. Cross Site Scripting (XSS) Attacks
In this type of attack the hacker redirects the user to its own website and hack its credentials. Cross site scripting attacks can provide the way to buffer overflows, DOS attacks and inserting spiteful software in to the web browsers for violation of user’s credentials [7].
C. Man in the Middle attacks (MITM)
This type of attack occurs when the secure socket layer is not properly configured. If the two parties are communicating and the SSL is not properly configured then the data transfer between the two parties can easily be hacked by the third party.
D. Denial of Service Attacks (DoS)
These attacks aim in making the target network/computer resources unavailable. The attacker floods the victim host with a huge number of packets in a short amount of time. DoS is concerned only with consuming bandwidth and resources of the target network/computer. The attacker uses a spoofed IP address as the source IP address to make tracking and stopping of DoS very difficult. Furthermore, the attacker can even use multiple compromised machines which he has already hijacked to attack the victim machine at the same time (this attack is known as Distributed DoS) and it is very difficult to track and stop [11]. In DDoS the attack is relayed from different dynamic networks which have already been compromised. The attackers control the flow of information by allowing some information available at different times.
E. DNS Attacks
In this type of attack, the user even having called the server by name is directed to some other hacked cloud.
F. XML Signature Wrapping Attack
When a client requests services to a web server through a web browser, the service is interacted using Simple Object Access Protocol (SOAP) messages that are transmitted through HTTP protocol with an Extensible Markup Language (XML) format. In order to ensure confidentiality and data integrity of SOAP messages a security mechanism, WS-Security (Web Services Security), for web service is applied. It uses
digital signature to get the message signed and encryption technique to encrypt the content of the message. Wrapping attacks use XML signature wrapping (or XML rewriting) to exploit a weakness when web servers validate signed requests. The attack is done during the translation of SOAP messages between a legitimate user and the web server. By duplicating the user’s account and password in the login period, the hacker embeds a bogus element (the wrapper) into the message structure, moves the original message body under the wrapper, replaces the content of the message with malicious code, and then sends the message to the server. Since the original body is still valid, the server will be tricked into authorizing the message that has actually been altered. As a result, the hacker is able to gain unauthorized access to protected resources and process the intended operations [13].
G. Packet Sniffing
It is the type of attack in which unencrypted data are hacked through applications which can capture data packets flowing in a network. For example, if the two parties which are communicating and have not used encryption techniques for data secutiy, then the attacker can capture this insecured data during transmission as third party.
H. Cookie Poisoning
It involves changing or modifying the contents of cookie to have an unauthorized access to an application or to a webpage. Cookies basically contain the user’s identity related credentials and once these cookies are accessible, the content of these cookies can be forged to impersonate an authorized user [15].
III. COUNTERMEASURES
A. SQL Injection Attack
To mitigate SQL injection attack, it is necessary to remove all stored procedures that are rarely used. Also, assign the least possible privileges to users who have permissions to access the database [5]. [6] Suggests using a proxy based architecture towards preventing SQL Injection attacks which dynamically detects and extracts users’ inputs for suspected SQL control sequences.
B. Cross Site Scripting (XSS) Attacks
Various techniques like active content filtering, content based data leakage prevention technology, and web application vulnerability detection technology have been proposed to prevent XSS attacks [8]. Another approach that minimizes the dependency on web browsers towards identifying untrusted content over the network has been proposed in [9].
C. Man in the Middle attacks (MITM)
In order to avoid such attacks, SSL should be properly installed and it should be checked before any communication between users. Techniques such as evaluating software as a service security, separate endpoint and server security processes, evaluating virtualization at the end-point have also been implemented to handle such kind of attack [10].
D. Denial of Service Attacks (DoS)
Usage of an Intrusion Detection System (IDS) is the most popular method of defense against this type of attacks [12]. Also the privileges of the user who is connected to the server must be reduced.
DNS threats can be reduced by implementing Domain Name System Security Extensions.
F. XML Signature Wrapping Attack
Such Attacks can be reduced by utilizing digital certificates approved by a third party. Certificates use the mixture of WS security and XML signature which enables the server to reject suspicious messages from the clients.
G. Packet Sniffing
A malicious sniffing detection platform based on ARP (address resolution protocol) and RTT (round trip time) can be used to detect a sniffing system running on a network [14]. Also, user must use encryption for securing their data.
H. Cookie Poisoning
This type of attack can be avoided either by performing regular cookie cleanup or implementing an encryption scheme for the cookie data [8].
IV. CONCLUSION
Cloud computing is a relatively new concept that offers a huge plethora of benefits to its users. However, there are a number of security issues which hinder its large scale adoption by various organizations. This paper reviews some of the major security challenges faced by cloud computing and presents the corresponding solutions to deal with them.
V. REFERENCES
[1] Monjur Ahmed, Mohammad Ashraf Hossain,”Cloud Computing and Security Issues in the Cloud”,
International Journal of Network Security & Its Applications Vol.6, No.1, January 2014. [2] A Gartner,”Gartner identifies the Top 10 strategic technologies for 2011”, 15 July 2011.
[3] Bruce Schneir,” The Psychology of Security”, AFRICACRYPT 2008, LNCS 5023, pp. 50–79, 2008. [4] Li W, Ping L,”Trust Model to Enhance Security and Interoperability of Cloud Environment”,
Proceedings of the 1st International Conference on Cloud Computing, 2009.
[5] Rohit Bhadauria, Rituparna Chaki, Nabendu Chaki,”A Survey on Security Issues in Cloud Computing”, http://arxiv.org/ftp/arxiv/papers/1109/1109.5388.pdf
[6] A Liu, Y Yuan, A Stavrou,”SQL Prob: A Proxybased Architecture towards Preventing SQL Injection Attacks”, SAC March 8-12, 2009.
[7] A Yang,”Guide to XML Web Services Security”, 2003.
[8] D Gollman,”Securing Web Application”, Information Security Technical Report, Vol 13, Issue 1, 2008.
[9] Ter Louw, VN Venkatakrishnan,”Blueprint: Robust Prevention of Cross-Site Scripting Attacks for Existing Browsers”, 30th IEEE Symposium on Security and Privacy, pp 331-346, May 2009.
[11] Nidal M Turab, Anas Abu Taleb, Shadi R Masadeh,”Cloud Computing Challenges and Solutions”, International Journal of Computer Networks & Communications, Volume 5, No.5, September 2013.
[12] K Vieira, A Schulter, CB Westphall, CM Westphall,”Intrusion Detection Techniques for Grid and Cloud Computing Environment”, IT Professional IEEE Computer Society Volume 12, Issue 4, pp 38-43, 2010.
[13] Te–Shun Chou,”Security Threats on Cloud Computing Vulnerabilities”, International Journal of Computer Science & Information Technology, Volume 5, No.3, June 2013.
[14] Zouheir Trabelsi, Hamza Rahmani, Kamal Kaouech, Mounir Frikha,”Malicious Sniffing System Detection Platform” , Proceedings of the 2004 International Symposium on Applications and the Internet, pp 201-207, 2004.
[15] Vahid Ashktorab, Seyed Reza Taghizadeh,”Security Threats and Countermeasures in Cloud Computing”, International Journal of Application or Innovation in Engineering 7 Management, Volume 1, Issue 2, October 2012.
