• No results found

Research in Cloud Computing Security Issues

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Research in Cloud Computing Security Issues"

Copied!
18
0
0

Loading.... (view fulltext now)

Download now ( 18 Page )

Full text

(1)

Page | 1

Research in Cloud Computing Security Issues

(2)

Page | 2

Abstract

This research paper has focused upon the various security risks in the domain of cloud computing services. The analysis of these risks and the analysis of the existing solutions have been provided in this report. Following the analysis of the risks and solutions, this paper has formed a framework for the solution of several issues in this domain. The framework has been evaluated to demonstrate the suitability of the solutions and also to demonstrate the fact that if the solutions are incorporated it will make the cloud more reliable and secure and will encourage more organisations into the adoption of the technology.

(3)

Page | 3

Contents

Abstract ... 2

1. Introduction ... 4

2. Issues in Cloud Services ... 4

3. Existing Solutions ... 6

4. Proposed Solution ... 10

Simple Object Access Protocol (SOAP) attack ... 10

Malware Attack ... 11

Flooding Attack... 11

Identity Theft ... 11

Accountability ... 12

5. Evaluation of the Proposed Framework ... 13

Addition of Toggle Bit to the SOAP message ... 13

Virtual Machine Manager ... 14

RSA and server collaboration ... 14

Biometric Techniques ... 14

Auditing: ... 15

6. Conclusion ... 15

References ... 17

(4)

Page | 4

1. Introduction

Cloud computing offers a vast new dimension to computing at a global level. With technology changing every day, businesses blooming into mega industries and growing still, information and data have become the most important resource. People need fast and easy access to all kinds of information all the time, whether they are travelling, attending conferences or flying to other parts of the world for business meetings. But with all the advantages and ease cloud computing punches in, there is obviously another side to the coin (Cheng, 2008).

2. Issues in Cloud Services

The first and foremost concern with cloud computing is data security. Important information is kept on the cloud being used as a platform. This data is critical to the person who owns it. If an external user were to gain access to this data it would mean disaster for him/her. On a similar matter, data is stored by companies on the cloud. If these were to be compromised, the company could easily tornado down into an abyss. In cloud computing, cloud space is offered by cloud vendors. These vendors have to make sure that the customers’ data is secure. But mostly, these vendors in turn outsources their work i.e. rents servers from other similar service providers because they are cost effective and they do not have the responsibility of maintaining the data in a proper fashion (Boneh & Waters, 2007). The customers do not come to know about this side of the story. They are just acquiring the cloud space without going into further issues. The cloud vendors are responsible for the customers’ data. External users may easily access the information kept on the cloud if it’s not properly secured. Since they keep the data on other servers, part of

(5)

Page | 5 their work is to monitor who has access to the data and who is maintaining the servers. Personal information may be compromised if not cautious. Malicious external users have various ways to attack the users: they may gain access to private data and remove them, steal all personal information, launch applications that are virus, worms etc infected to prevent access. If any of these happen, the responsibility lies with the cloud vendor who has to answer. Data loss may also occur if the vendor closes down. Since data abstraction is part and parcel of the cloud computing business, the users will have no idea how to access their data. All their data was maintained on the cloud by the vendor on either his server, or an external one. If he shuts shop, users have no access to their information, or do not even know where their data is. The data might not be even stored in their own country (Boneh et al, 2004).

So apart from the cloud vendors, there is also a certain level of security the user has to maintain. Before going into the cloud computing domain, users should make themselves fully aware of its positive and negative aspects. They should do a proper market research before deciding who they want their cloud vendor as. Since cloud computing does not differentiate between critical data and non-critical data, the user must be careful about what kind of information he/she want to store in the cloud space keeping in mind intrusion possibilities. The same cloud is being used by a huge number of people. Security is obviously very important. Through the cloud space of a user, an external user can gain access to the user’s hardware and applications too. Intrusion monitors must be setup and monitored constantly, at the user level as well as the cloud level, providing proper security to the data (Atniese et al, 2007).

Companies like Google, Amazon, and IBM are major business houses. They are contracted with the work of the smaller companies. For instance, Twitter, a social networking and micro-blogging site outsources all its cloud storage functions to Google. All the data owned by Twitter

(6)

Page | 6 is maintained and monitored by Google instead of Twitter itself. This reduces cost of operation for twitter and increases its flexibility. Setting up of cloud infrastructure is a huge cost which they do not have to undertake now. Companies like HP, CISCO, specialize in setting up of this kind of infrastructure. These companies control the market and reap huge benefits by setting up more and more data centers within other organizations. It is their work to make sure that they cover security threats or hardware issue that might arise which might lead to any kind of data loss. On the other hand, the companies like Google have to keep monitoring the data because their data is available to the whole world. Anybody with high encryption and coding skills can break in if any flaw is discovered (Halpert, 2011).

Apart from the security issues, there are a huge number of policies that limit cloud computing and increase requirement for security. Just like Servers can be classified into Private, public, shared and virtual private servers, cloud is also differentiated into private, public and hybrid clouds. Private clouds are beneficial to large organizations since they protect data from public access. The data are particular to the company only. But most companies require parts of their information to be made available to the public. In these cases, hybrid clouds which provide a mix of public and private clouds are used. But hybrid clouds need to be monitored very well. The same cloud is being used by a large number of companies. For all the world knows, two competitors in the market may be using the same server. If one gains access to the data of another, disastrous consequences may result (Harold, 2011).

3. Existing Solutions

The solution to all the dangers of data hiding, loss, theft etc lies in using the best security and private clouds. Even though the cost is high, there are other sectors where companies and users

(7)

Page | 7 will be saving money such as renewing licenses, maintaining proper hardware, having several copies of the same software installed at different locations, and using software as services instead of precuts. In a cloud, users only pay for what they are using.

Security being the primary concern when it comes to cloud computation and cloud technology as a whole, there are a few other aspects to the cloud technology: customary security, third-party device control and data availability. Customary security includes the basic security threat types. i.e. network intrusions such as Trojans, worms and other infections. Third party device control includes third party users hacking into the cloud to control data and other software and using it for malicious purposes. Also, since cloud space is controlled generally by external parties, data handling and monitoring becomes a bigger concern. Data availability includes accessibility of data easily without hassles. But data itself has to be stored in an encrypted form to be more secured. Getting through the encryptions takes time increasing the hassle. Besides encryption another problem is during the server uptime. During server uptime, applications and processes are generally down. The cloud vendor assures an enterprise that he is running the organization’s applications and data. But he may, at the same time, be making available the same cloud to another organization, the result often being that the cloud collapses (Ponnusamy, 2010).

These traditional problems have solutions to an extent. But with the continuous advancement of technology, cloud technology has become a more secure environment in the recent times. Cloud technology encompasses a massive amount of data and computation techniques. But due to the lack of control of data in the cloud, the full potential of the cloud is not being recognized. As discussed above, one of the problems of cloud computation is third-party data control. What can be done in order to protect the organization’s data is build “internal clouds”. Because the cloud space is being served up by another enterprise, security concerns are very obvious. To

(8)

Page | 8 protect the data further, creating platforms within the original platform is one idea. This ensures a lockdown of data within the original cloud itself and provides greater control and accessibility (Shroff, 2010).

Intrusion problems have been there before clod computation existed even. Since the cloud exists beyond the firewall of the system, intrusion is further made easy. Security monitors for the clouds include Trend Micro, Panda Security and SafeNet etc which constantly monitor the cloud and scans it from malicious threats. Cloud technology utilizes a technology called Hypervisor. The hypervisor technology provided by the cloud vendors possesses potential threats. Problems have arisen in the past in hypervisor technology provided for cloud security in VM Ware and Microsoft’s Virtual PC and Virtual Server. Firewall and continuous scanning has been added to the more recent versions of these software. Phishing has also been a hindrance in case of cloud networks (Vaquero et al, 2009).

Even though the world’s top companies like Salesforce.com, Google, Facebook runs on cloud technology, other industries are still hesitant to join the cloud computation club. The main issue is trust. Divulging control to third party vendors for controlling the data of an enterprise is not a very enticing option to any business. Outsourcing computation without exerting control is the main issue. But vulnerabilities do exist in the cloud system. If the company to which the data is outsourced shuts down, all the data that it had stored is lost from the customers. Customers look to keep a trail of the data they have stored to make sure that their data is not being leaked or abused in any way. Even if it is, they want a system that will verify whether it has actually taken place or not. A solution in the form of Trusted Computing exists in the market. This system makes use of a separate monitor installed at a cloud server to audit the various tasks undertaken by the cloud server. This monitor is separately run from the server applications and has its own

(9)

Page | 9 OS. This ensures its isolation from the cloud system. It can just monitor the server tasks and provide a “proof of compliance” stating that no access policy has been violated to the user ensuring of his data security (Yan, 2007).

Another approach to data security is cryptography and encryption. Cryptographic methods makes the data usage limited. Searching and sorting the data becomes difficult for the users. In order to use encryption methods users have to know the exact addresses of the data in the cloud. This is a massive task for normal everyday users in the cloud itself. For eg.: Data stored as normal text can be easily accessed. If the very same data were to be encrypted, the same search methods would not find that data. However, in recent times, cryptographers have developed encryption schemes that enable users to use the same search and other operation algorithms to be used on the cloud data. In this method, called predicate encryption the users are given a key that is used to search the specified encrypted document. The encrypted document has the key associated with it. The search operation can be thus executed easily with the help of this key. Homomorphic Encryption and Private Information Retrieval are two of the earlier techniques used in encrypted computation. These methods allowed computations to be done on the encrypted document with decrypting it. These methods may find use in cloud computation in the future but require tweaking in their process to function in the seamless data connections in a cloud. This encryption enabled approach to protection is termed as Privacy Enhanced Business (Vaquero, 2009).

Keeping information from various organizations within the same cloud is a huge disadvantage. During the server uptime, all these organizations may be trying to access their data and applications all at once. Cloud technology fails to support such a vast amount of network traffic at the moment and collapses. To avoid such collapses and data breaches within the same cloud, there is a need to separate the data. This can be done by building internal clouds for each

(10)

Page | 10 user/organization based on different platforms within one platform itself. Another method is to use private clouds. This method increases the expenditure but ensures the localization and security of the data within one single cloud. Private clouds may be accessed from within the company’s own server infrastructure or may be accessed from the rented out cloud vendor (Shroff, 2010).

4. Proposed Solution

This report has highlighted the fact that the major problem with the usage of Cloud Computing Services is the issue of security. As the users do not have control over the physical location of the data and at times the same service provider can accommodate two competing companies the integrity and security is essential. The report has also focused on existing solutions towards providing security in cloud services. The concept of private clouds have been evaluated but Private Clouds need high infrastructure costs and also does not provide the benefits of a public cloud which provides high elasticity and scalability options and almost infinite resources. This section will analyze the vulnerabilities of the existing architecture and propose methods/measures for each area identified

Simple Object Access Protocol (SOAP) attack: In this type of attack the attacker or hacker uses the Transport Layer Services to duplicate the SOAP message and thus impersonate the sender. Once the SOAP message is received at the server and it is authenticated the hacker gets easy access to the Cloud Services. This attack can be solved by using a redundant bit in the header. When a SOAP message is duplicated this bit will be changed and thus the sender will be able to change the signature and send it back to the server. Thus the attack can be foiled by using a random signature method and increasing one bit in the SOAP header (Stallings, 2008).

(11)

Page | 11

Malware Attack: In this type of attack the hacker tries to get into the cloud services by imposing as a user and trying to inject a malicious code into the services. If successful the hacker will gain control over the services and will be able to eaves drop on the network. For stopping such activities the easiest method would be to implement the File Allocation Table at the server end. From the FAT table the programs that are being used by the customers can be tracked. The service providers can also use the Virtual machine Managers (VMM) which will track the activities of the various VM’s at the customer end. As such any malicious attack can be detected and prevented (Stallings, 2006).

Flooding Attack: The Cloud Services are efficient because of the load balancing abilities that they offer. This allows the cloud to be elastic, but this also causes the problem of flooding attack on the cloud. The attacker sends heavy packets of junk data and thus overloads a particular server, the server thus fails to execute genuine requests and has to offload the process to another server where this process will be replicated. Thus this can also be termed as the Denial of Services (DoS) attack. The solution to this problem is use of encryption technology such as RSA algorithm which will ensure the genuineness of the packets before processing of the same. The servers can also be mutually collaborated together and when one server is overloaded new servers will be added on to the domain rather than offloading to an existing server. The name server will automatically add the new servers MAC (Carter, 2003).

Identity Theft: Perhaps this has been the most crucial problems with Internet. Once the hacker is able to obtain the id and the password of the user account, the hacker can do anything with the account. As digital identity does not require any physical identifications this is probably the easiest way to disrupt the user’s account. To tackle such nuisances there can be two methods

(12)

Page | 12 that can be adopted by the cloud computing services. Firstly after each usage the user would be sent an email which would describe the previous session and would also provide the user with a new password that has been auto generated. By changing passwords for every log-in this system can be safe to some extent. This will work only in cases where the user has accidentally disclosed the id and password, but this solution will not work if these details have been captured by the hacker through hacking into the system. For such cases the consideration of biometrics can be done. Biometric identification in the forms of finger prints, voice recognition or iris scan provide greater levels of security. These would definitely add up to the costs on the user end. Hence other behavioral biometric techniques such as key stroke dynamics where the rhythm of the keyboard strokes are measured and neural logic identifies the user. This technique would not add any cost on the client end (Harold, 2011).

Accountability: The concept of the Cloud Services is billing as per usage. Hence if there is no usage there is no bill. In case an account has been hacked and there is massive usage the user gets billed without having used and without having the knowledge that the account has been used. Even when a hacker uses malwares these devour a lot of resources and thus generates massive bills. Thus to counter such problems the cloud service providers need to ensure that proper auditing of the resource usage is done. Logs need to be maintained regarding the usage of resources and these logs need to be investigated properly in case there is some unusual billing. The Auditing report needs to have enough evidence regarding the usage of the resources and should be reliable and valid so that the clients are not billed unnecessarily (Vaquero, 2009).

This section discussed the various security threats that the cloud computing services face and also suggested various methods which can ensure that the security risks can be lowered if not nullified. Organisations use cloud computing services because these are cost effective and

(13)

Page | 13 provide scalable services. This also provides access to the data any time any where and as such enhances total mobility. However because of the associated security vulnerabilities organisations tend to shy away from using cloud computing services for data that is highly sensitive and confidential such as the financial data. This section provides suggestions which if implemented will make the system more secure and encourage more organisations to use cloud computational services. The next section will evaluate the methods that have been suggested in this section to analyze the effectiveness of these methods.

5. Evaluation of the Proposed Framework

Addition of Toggle Bit to the SOAP message: The SOAP attack is the simplest form of

attack and if effectively carried out this can create havoc in the system. This will provide the attacker with control over the system and the integrity of the data in the cloud will be lost. Previous solutions that exist provide firewalls and software security services but these will not be very effective against duplicated SOAP broadcasting. The addition of a toggle bit as suggested in this research will ensure that if the SOAP message is duplicated the signatures will be automatically be changed and as such the control will be still with the user and not the hacker. This solution at the broader level is simple yet effective. The addition of a single bit will not add on to the bandwidth but the mailer functionalities have to be added and also auto signature generation and negotiation needs to be added which will consume bandwidth and computational services. As cloud services are billed as per usage this would mean some additional billing but this will also ensure that if a hacker has planned an attack this will not be possible. As such this will provide security and integrity at only minimal additional expense (Halpert, 2011).

(14)

Page | 14

Virtual Machine Manager: The VMM technology that has been suggested in this research is

an existing solution and has proven to be highly effective. This solution suggests usage of the File Allocation Table (FAT) which is the most common allocation table used across operating systems and as such the compatibility will not be an issue. This service if implemented will allow constant monitoring of the services and packets across the network and in case of any suspicious packets being transferred across the network the event will be logged. Thus the attacks of malwares can be stopped by using such methods; however this will require additional computational powers in the form of checking the packets and also comparing them to the FAT.

RSA and server collaboration: The current technologies in the cloud services allow elasticity and load balancing and hence the flooding attacks are easy to achieve. Data packets if flooded to a server will flood the server and this server will then pass its other requests to another server which is already busy and might flood that server as well. The solution suggested in this research suggests passing on the requests to a fresh server and hence flooding can be controlled. This also suggests the usage of encryption technologies to avoid such data packets being transmitted across the network. This means that the cloud service providers need to have additional back up servers at their end which can be pooled in when there is a problem of overloading (Stallings, 2008).

Biometric Techniques: Data integrity and security are of prime concern for any

organisation. The current techniques used provide for security through id and password but these are not very safe as they can be accidentally revealed or can be hacked by an expert hacker. The use of biometric techniques will provide greater integrity and reliability. The use of template based biometric techniques such as thumb scans and iris scans need additional resources both for

(15)

Page | 15 storing the data and also for scanning purposes. As such this research suggests the usage of template free techniques (behavioral biometric techniques) in the form of key stroke dynamics. This needs no additional resource at the clients end and also ensures greater security and reliability of the system. As this is a behavioral pattern this becomes almost impossible to replicate and as such the data stored will be much safer (Woodword, 2003).

Auditing: The cloud services bill as per usage and hence when there are attacks on the services the bills generated are much higher as the malicious codes used by the hackers require heavy computational powers. The auditing mechanisms suggested in this research will ensure that in case of such ambiguity the service providers map the usage and carry out proper auditing. Proper records of the activities if maintained will provide accurate details of the usage and any malicious activities would be detectable. Hence the service providers can ensure that the user is not billed extra for services that were not used.

This section evaluated the methods that have been discussed in this research. The evaluation of the methods suggests that these methods can be quite effective in increasing the reliability and the security of the cloud services at minimal cost increases. The cost can also be absorbed because the use of such techniques will make the clouds safer and encourage more organisations into the usage of public clouds (Yan, 2007).

6. Conclusion

This paper has evaluated the cloud services in great details. Following the literature review of cloud computing services, this report has detailed the vulnerabilities of the cloud computing services. One of the prime concerns of cloud services is the security concern. As the users are not

(16)

Page | 16 aware about the exact location of the data this can be a major issue for the cloud services. This research has also evaluated the current solutions to such issues. The current solutions provide for security through Service Level Agreements and provisioning of hardware and software firewalls. These have not been much effective as research has shown that organisations tend to shy away from cloud services when confidential and sensitive data is concerned. This research has further provided solutions in the form of addition of toggle bits, Virtual Machine managers, encryption technologies and Biometric security. All of these have been evaluated by this research paper to show that these methods if implemented within the cloud services will enhance the security and reliability of the services and will allow organisations into adopting cloud services for sensitive and confidential data as well.

(17)

Page | 17

References

Ateniese, G., Burns, R., Curtmola, R., Herring, J., Kissner, L., Z., Peterson, and Song, D., (2007). Provable Data Possession at Untrusted Stores. In CCS. 2007.

Boneh, B., Di Crescenzo, G., Ostrovsky, R., and Persiano, G., (2004). Public Key Encryption with Keyword Search. In EUROCRYPT.

Boneh, D and Waters, B. (2007).Conjunctive, Subset, and Range Queries on Encrypted Data. In The Fourth Theory of Cryptography Conference (TCC 2007)

Carter, G., (2003). LDAP System Administration. 3rd Ed. O’Reilly: Canada.

CHENG, D. (2008). PaaS-onomics: A CIO’s Guide to using Platform-as-a-Service to Lower Costs of Application Initiatives While Improving the Business Value of IT. Tech. Rep: LongJump.

Halpert, B., (2011). Auditing Cloud Computing: A Security and Privacy Guide. 4th Ed. Penguin: London.

Harold, F., (2011). Information Security Management Handbook. 5th Ed. Pearson: Canada Hill, R., (2010). Cloud Computing for Enterprise Architectures. 2nd Ed. Prentice Hall: Canada

Nikolas, V.B., (2009). Biometrics: theory, methods, and applications. Cambridge University Press: Cambridge.

Ponnusamy, D., (2010). Cloud Computing Security Issues. TMH: India

(18)

Page | 18 Shroff, G., (2010). Enterprise Cloud Computing: Technology, Architecture, Applications. 3rd Ed. McGraw Hill: New York.

Stallings, W., (2006). Cryptography and Network Security. 4th Edition. Pearson education: India

Stallings, W., (2008). Network Security Essentials. 5th Ed. Pearson education: India

Vaquero, L.M., Merino, L.R., Caceres, J., Lindner, A., (2009). A Break in the Clouds: Towards a Cloud Definition. 39 (1).

Woodword, J., (2003). Biometrics. 3rd Edition. McGraw Hill: Osborne.

Yan, S., (2007). Cryptanalytic Attacks on RSA. 3rd Ed. Springer: USA

References

Download now ( PDF - 18 Page - 479.68 KB )

Related documents

KPDS KASIM 2003 KPDS KASIM AKIN DİL EĞİTİM MERKEZİ Atatürk Bulvarı No: 169 Kızılay ANKARA

During the past few decades four East Asian economies - South Korea, Taiwan, Singapore and Hong Kong - have achieved the fastest rates of economic growth the world has ever seen.

Accuracy of AVS Life Expectancy Reports

We are able to conclude that Life Equity LLC can assume to pay an additional 2.634 years, or 31.603 months, of premium payments when an insured’s primary impairment is cancer..

Prevalence of Sick Building Syndrome among Employees of Shahid Beheshti Hospital in Kashan

1 M.Sc of Health, Safety and Environment Management, Department of Health, Safety and Environment Management, Faculty of Health, Kashan University of Medical Sciences, Kashan, Iran•

1. TENDER DESCRIPTION

10 crores or more and experience of minimum three years or more to establish and operate computerised ticketing system on contractual basis at the National

Protocols and Policies. The Lighthouse Medical Practice. Complaints

Parliamentary and Health Service Ombudsman (PHSO) are the final step of the complaints system, giving you an independent and last resort to have your complaint looked at.

Validation Date: 29/11/2013. Ratified Date: 14/01/2014. Review dates may alter if any significant changes are made

Where the complainant wishes to make a formal complaint, staff should ensure that they give them the appropriate complaints leaflet and support and that the Patient

Building the Positive Law Firm: The Legal Profession at Its Best

The 2008 financial collapse catalyzed sweeping changes in the legal profession that resulted in dwindling work for law firms and client demands for deep price discounts. But most

New York s Emergency Medical Services and Surprise Bills Law

For out-of-network physician services provided to an insured that do not include an assignment of benefits, or provided to an uninsured patient, such patient may submit the