Comparative Analysis Of Cloud Computing Security Issues

COMPARATIVE ANALYSIS OF CLOUD COMPUTING

SECURITY ISSUES

AKRAM MUJAHID

, TARIQ MAHMOOD

, W

NATASH ALI MIAN

akram.mujahid@ue.edu.pk, tmsherazi@yahoo.com 2

Department of Computer Science and Information Technology, The University of Lahore, Lahore muhammad.waseem@cs.uol.edu.pk

3_{School of Computer and Information Technology, Beaconhouse National University, Lahore} natash.ali@bnu.edu.pk

Revised December, 2013

ABSTRACT. Almost all the organizations are seriously thinking to adopt the cloud computingservices, seeing its benefits in terms of cost, accessibility, availability, flexibility andhighly automated process of updation. Cloud Computing enhance the current capabilitiesdynamically without further investment. Cloud Computing is a band of resources, applicationsand services. In cloud computing customer’s access IT related services in terms of infrastructure platform and software without getting knowledge of underlying technologies. With the executionof cloud computing, organizations have strong concerns about the security of their data.Organizations are hesitating to take initiatives in the deployment of their businesses due to data security problem. This paper gives an overview of cloud computing and analysis of security issues in cloud computing.

Keywords: Security Issues, Security Challenges, Cloud Computing, Cloud Security Model

1. Introduction. Idea of centralized computing was initiated in 1969 J.C.R in the form of ARPANET Now it is emerging in the form of Cloud Computing. Cloud Computing becoming the most famous technology due to its distinct features. Now its implementation is reality. In Cloud Computing data resides on service provider side, Different users from different sites connecting the server simultaneously using virtualization. The Cloud Computing consists of three main stake holders, Cloud Service Provider, Client and users. Cloud computing is defined by many authors and organizations but most authentic definition is by NIST. NIST defined cloud comoputing as a model which enabled convenient, on-demand networkaccess to a share pool of computing resources which are quickly provided and released by less struggle or cloud service provider interaction [14]. Cloud computing is new emerging field of computing in which resources are available at flexible envoirnment and at low cost. Due to its dynamic and enhanced features individuals and organizations are going to switch towards cloud. Cloud service provider provides the cloud servies at economy of scale, effecticve and efficient access. Its emergence is from distributed computing and the term cloud computing is used in different range of interpretations[15]. Three cloud service model are mainly used in cloud computing architecture which are discussed as under [16]:

1.1. Cloud Service Models. Normally Cloud Computing is divided into three layers; Infrastructure as a service, (IaaS), Platform as a service (PaaS) and software as a service (SaaS). IaaS provides computing facility, storage and other hardware resources.PaaS provides platforms in terms of operating and other system software that can be used build system applications by the users. SaaS deals with using any application through cloud [3].

1.2. Cloud Deployment Models.There are primarily four cloud deployment models, which are discussed below.

VAWKUM Transactions on Computer Sciences

http://vfast.org/index.php/VTCS@ 2013 ISSN: 2308-8168

The Private Cloud.The private cloud is developed for a single organization. It may be controlled by that organization or the by the service provider. All the resources are reserved for that organization [2].

The Public Cloud.Public cloud is available to everyone who wants to get the services of cloud computing and the organization who is providing these server is owner of the cloud. Google is one of the examples of public cloud. The Hybrid Cloud.The hybrid cloud computing combine the features of other deployment models as well. It is more flexible. The Community Cloud.The community model is shared by all those customers who have common interests.

Figure 1: Cloud Computing Architecture

Figure 1 demonstrates the cloud computing environment in which different cloud users are accessing the services of cloud while cloud services providers are also providing different application, platform and infrastructure services [3]. The rest of the document is organized as follows. Section II gives a summary of existing related work from different authors. Section III presents analysis of some security issues. Sections IV is about conclusion

2. Security Issues in Cloud Computing.There are some impediments that acting as a fence in the adoption of cloud computing. They Consists of:

2.1. Application Security. Application level security relates the use of different resources so that it can offer security to applications in a manner so that unauthorized users cannot access the network services. In cloud computing normally security measures are taken at network and transport layer of the OSI model. It is necessary to use tools and technologies to implement the security at the application layer [8].There are a number of factors involved in the security of applications. The first point is the coding of application, then the server or hardware that is used to run application, and network through which it is accessed. The ten most important threats are highlighted by Open Web Application Security Project (OWASP) [10] [8].

2.2. Multi-tenancy Issue. In multi-tenancy environment a single instance of software serves multiple tenants. It is

difficult to protect user’s data from unauthorized users accessing the same physical server [2] [7].

Figure 2: Multi-Tendency Architecture

Figure 3 is about multi-tendency architecture. In this architecture multiple users from different sites will access the cloud services. It will create a network congestion problem. We will resolve this issue by bifurcating different services in to layered approach.

2.3. Data Security.Data security and protection can be analyzed using a data life cycle. See the figure below [10].

Phase 1 Generation Phase 2 Transfer Phase 3 Use Phase 4 Share Phase 5 Storage Phase 6 Archival Phase 7 Destruction Figure 3: Data Security Life Cycle

A two phase approach can be used to secure to secure the data in cloud computing. First phase is related to transmitting and storing of data while second is related to the retrieval of data from the cloud. First phase includes storing of data, classification, index building and encryption and message authentication code [11].

2.4. Accessibility.In SaaS model, users accessing different application from different locations using public and private networks. This diversity imposes severe security concerns.one of the main concern is to provide accurate and uninterruptable access to the cloud resources [10].

2.5. Lock-in. lock-in may be classified as data lock-in and vendor lock-in. Data lock-in occurs when a user wants to jump to another cloud provider but due to the lack of standardized API he cannot took his data back. Vendor lock-in is a situation in which a customer using a servicecannot easily transition to a competitor’sservice [1] [7]. 2.6. Data privacy.Acloud provider’s data center lies in one country and the customer using the service from another country, in this case customer’s data is owned and under the control of service provider, customer has no direct control over his data [1].

2.7. Data Protection.Multiple users from different sites sharing the cloud computing infrastructure at the same time, hence data of each user is stored and processed in shared environment. Any malicious entity may temper the data [1].

locations. Attacks like wire tapping, denial of service, masquerading, disruption of service, modification of a message will definitely effect the security of cloud computing [1] [5].

Figure4: Cloud Computing Security Environment (users as well as service provider’s base)

Figure 2 is explanation of very important issue of cloud computing which is security. We will implement firewall and Virtual Private Network (VPN) to access secure data from cloud so that our cloud user access data trustworthy.

2.9. Virtualization Security.With the implementation of the virtualization technology using hypervisor new threats are another challenge for service providers. In the multi-tenancy environment man in the middle attack may affect resources. Also weak hypervisor may also be affected by different attacks [5].

2.10. Identity Management. To access the cloud computing each user is assigned identity to access the cloud computing services and applications. Any malicious entity may impersonate a legitimate user and access a cloud resources leading to unavailability of a service for actual user. Also user may cross its rights while accessing cloud computing. In other words authentication and authorization issues should be resolved [1].

2.11. Cloud Standards.Standards with common interest are necessary to get the interoperability among clouds. Data lock-in and Vendor Lock-in issues occurs due to lack of standards [2].

2.12. Securing Data in Transmission.Security of data during transmission is another alarming challenge. Strong encryption and decryption techniques are necessary to exchange the data between service provider and customer. Necessary tools and technologies should be implemented to provide the confidentiality and integrity of data during transmission [3].

2.13. Audit and Compliance.To check and verify the authenticated users an organization has to implement different policies in house and out of the network. This measurement must be according to the organizations as well as state polices. It must be implemented in such a way so that it cannot violate the rules and regulations. [3].

2.14. Abstraction.Cloud service provider provides abstraction by hiding the complexities in its infrastructure and platform. Users have no knowledge about the storage of its data. In other words issue of transparency rising in user mind [4].

2.15. Lack of Execution Controls.The user has no control over remote execution environment, therefore important issues like memory management, I/O calls, access to external shared resources and data are outside the control of the user. The user would like to verify and monitor hits and requests to ensure that no illegal operation is performed [4].

2.16. Service Level Agreement. A service level agreement is a document that describes the relationship between two parties, the service provider and customer. It highlights the customer requirements, simplifies difficult issues, and provides a framework for understanding. [6].

3. ANALYSIS OF SECURITY ISSUES

4. Table 1: Analysis of Security Issues

Issues Description/Specific Effects Countermeasures

Data Security Normally involves the protection of data

from three

apects.Confidentiality,availability and integrity[9]

Cryptographic techniques are implemented to secure the data, data should be redundant and in cases we need to delete the data, it should be deleted from the root. Network Security Involves the security of network from

attacks such as spoofing, sniffing, man in the middle, denial of service.[9]

Firewall and VPN measures are taken. Systems, technologies and protocols should be properly configured.

Virtualization Security

Hypervisor is the main target of hackers. Allocation and deallocation of memory, storage and other resources. Hidden attacks.[5]

Network separation and monitoring may be implemented

Audit and Compliance

Problem of the verification of authorization and authentication records, and also to check the compliances with predefined standards and policies.[13]

Logs of all the requests should be maintained.

Privileged user’s Monitoring is necessary.

Each provider should define policies clearly to highlight legal concerns.

5. CONCLUSION. Cloud computing infrastructure security is depended upon trusted computing resources andnetwork cryptography. Corporate data msut be secure from hackers and cloud service provider must implement security policies and authentication mechanism at data center. There are lot of organizaions which are making standarards for privacy, secutiry, regulatory and compliance matters. Switching from traditional infrastructure to cloud infrastructure is risk due to secutiry issess. Qualitative and qualitative anaylsis must be done while taking decision and its an activity of risk management. Risk must be cautiously measured so that data must be secure at any cost while accessing resources from cloud infrastructure. On the other hand too many restrictions in network may create inefficient and ineffective network access. Balance between control mechanism and expected risk against any application must be ensured.

REFERENCES

[1]. Shaikh, R., & Sasikumar, M. (2012). Security issues in cloud computing: A survey. International Journal of Computer Applications, 44(19), 4-10.

[2]. Rong, C., Nguyen, S. T., & Jaatun, M. G. (2013). Beyond lightning: A survey on security challenges in cloud computing. Computers & Electrical Engineering,39(1), 47-54.

[3]. Kulkarni, G., Gambhir, J., Patil, T., & Dongare, A. (2012, June). A security aspects in cloud computing. In Software Engineering and Service Science (ICSESS), 2012 IEEE 3rd International Conference on (pp. 547-550). IEEE

[4]. Sengupta, S., Kaulgud, V., & Sharma, V. S. (2011, July). Cloud computing security--trends and research directions. In Services (SERVICES), 2011 IEEE World Congress on (pp. 524-531). IEEE

[5]. Sharif, F., & Hafeez, A. (2012). “The Analysis of Cloud Computing Major Security Concerns & their Solutions. Journal of Information & Communication Technology, 6(2), 48-53.

[6]. Kandukuri, B. R., Paturi, V. R., & Rakshit, A. (2009, September). Cloud security issues. In Services Computing, 2009. SCC'09. IEEE International Conference on (pp. 517-520). IEEE

[7] Behl, A., & Behl, K. (2012, October). An analysis of cloud computing security issues. In Information and

Communication Technologies (WICT), 2012 World Congress on (pp. 109-114). IEEE.

[8] Nelson Gonzaalez,Charles Miers, Fernando REdigoloo, “A quantity analysis of current security concerns

[9] and solutions for cloud computing,” (2011) Third International Conference on cloud computing Technology 18 and Science.

[10] Hashizume, K., Rosado, D. G., Fernández-Medina, E., & Fernandez, E. B. (2013). An analysis of security

issues for cloud computing. Journal of Internet Services and Applications, 4(1), 1-13.

[11] Sood, S. K. (2012). A combined approach to ensure data security in cloud computing. Journal of Network and Computer Applications, 35(6), 1831-1838.

[12] Johnson, R. E. (2010, June). Cloud computing security challenges and methods to remotely augment a cloud's

security posture. In Information Society (i-Society), 2010 International Conference on (pp. 179-181). IEEE.

[13] Huaglory Tianfield, “Security Issues in Cloud Computing ,“ IEEE. 978-1-4673-1714-6/2010

[14] P. Mell, T. Grance, The NIST Definition of Cloud Computing, Version 15, National Institute of Standards and Technology, October 7, (2009), http://csrc.nist.gov/groups/SNS/cloud-computing

[15] Fowler, G. A., & Worthen, B. (2009). The internet industry is on a cloud-whatever that may mean. The Wall Street Journal.