Leading Security Threats and Issues in Cloud Computing

pp.10-15

Sapan Gupta¹, Premalata Sati²

• Asst Prof, Suresh Gyan Vihar University, Jaipur, India sapangupta@gmail.com

08premasati@gmail.com

Abstract— In order to move with the advancement and provide world class services to the clients it has become mandatory to adopt latest technologies and bringing a positive revolution in the business corporate. Today business demands are deployed over the networks enhancing competitive edges at a remarkable reduced cost. Over here we come across one such technology which has proved itself very promising in accelerating IT concepts- Cloud Computing. The term is into rigorous research since 1950s. And yet provides a platform to make ample research in bringing cent percent efficiency. It has brought the implementation of practical distributed systems reducing operational costs and building infrastructure. However, there had been a number of Enterprises where people are reluctant to use the worth praising features of cloud computing. And one of the key reasons behind this is “security”. There are threats to the storage of data on the virtual servers, transmission of data between distant ends, security related to the different applications and third party issues. This research paper focuses on the general security threats in the computation of clouds which altogether cannot be neglected. It shall provide a comprehensive study on the issues that lead to vulnerability in clouds emphasizing on the key challenges and thereafter providing the appropriate architecture for the security of the computations on cloud.

Keywords—Cloud Computing, Security threats,Access Control, confidentiality.

INTRODUCTION

With the advent of devices enabled with latest generation technologies, any kind of communication has become more pervasive and efficient from end to end. In the recent years cloud computing has proved this aspect and brought the client users more closely to their applications. All the different prominent services are deployed over the network in order to bring the concept of virtual realization saving both time and space to retrieve the information and store the data respectively. Before we take the security issues and threats into consideration, let us bring the cloud computing as a massive technology into limelight. Since 1950, rigorous research has been performed in the fields of cloud computation bringing positive enhancements and remarkable efficiency. With this advancement, a huge number of computer devices are connected via real-time communication network where same application program can be executed, practically implementing distributed computing. All this had been possible due to the concept of maximum utilization of shared resources and converged infrastructure.

In addition to this, these multiple shared users are dynamically re-allocated on the basis of online demand by the users of different countries in their respective time-zones.

Hence, cloud computing is interpreted as the very next natural step where all the online demands are met with the evolution of virtualized IT resources, services and products.

HAPPENINGS IN THE CLOUD

AN ALTHOUGH A PIONEER TECHNOLOGY, CLOUD COMPUTING CAME INTO LIMELIGHT IN OCTOBER 2007. BOTH GOOGLE AND

IBM COLLABORATED THEIR SERVICES AND ANNOUNCED THE “THE BLUE CLOUD”. IN THE SAME YEAR, A MULTI-UNIVERSITY

PROJECT WAS ANNOUNCED AND DESIGNED NAMED “ACADEMIC CLOUD COMPUTING INITIATIVE” OR ACCI. THE MAJOR

CONCERN IN THIS PROJECT WAS TO ADDRESS AND FACE THE CHALLENGES WHICH CAME ACROSS IN CLOUD COMPUTING.

Later in the year 2009, the first open source PAAS or Platform As a Service was launched by UC Santa Barbara. The AppScale was capable enough of running all the applications and services provided by Google App Engine.

Soon in October 2010, a project to configure the legal aspect and examine the infrastructure design was started, named-TClouds (Trustworthy Clouds). This project was funded by the 7^th Framework Program of European Commission of cloud computations.

Thereafter came a Cloud Computing White Paper in mid 2011, officially developed by Telecommunications Industry Association. The motive behind this paper was to analyze and overcome the integrated challenges, at the same time, finding the different set of opportunities between the US telecommunication standards and the services provided by cloud technology.

The concern grew in the December 2012 when Microsoft and IDC (International Data Corporation) focused on the requirement of millions of cloud certified IT workers for jobs in IT sector in their study.

There had been fine researches in the cloud computation in this year too. In early 2013, a multiple site project based on experimentation on clouds enabled with all kind of testing amenities was launched by BonFIRE. All the resources available were free to be transparently accessed. Appropriate control and observance features were added so as to engineer the relevant works in the future. As per the reports of April 2013, by the IT research experts in the industry, (Gartner .Inc), it was said that in the generation of web app both for mobile and PCs will embed cloud services. Recent prediction revealed that in the years to come, at least 40% of the projects based on the advance development of varied mobile app will be utilizing cloud backed services, offering better PaaS.

taken into consideration, as it is one of the prominent key issues that hamper the efficiency of business running by the corporate.

Despite vital research in the cloud computing technology, there had been a huge number of security threats and challenging issues which needs to be addressed both individually and technology as a whole. There had been critical warnings

Critical voices including GNU project initiator Richard Stallman and Oracle founder Larry Ellison warned that the whole concept is rife with privacy and ownership concerns and constitute merely a fad.

This paper basically focuses on these aspects and later on having a discussion on the remedies which can be adopted in order to minimize such affects. If one individual or an organization has to realize the advantages provided by the cloud computing technology, it becomes utmost important to ensure the safety of the network. At the same time there has to be complete and proper utilization of the allocated resources and group of scheduling methods as provided by the clouds. With this, it becomes imperative to protect your private information and other account details. So here we discuss some of these aspects which should be widely known while using the cloud services on network. Today cloud computing encompasses a huge number of technologies which include virtualization, transaction management, operating systems, databases, memory storage and control, load balancing etc. Hence it becomes very imperative to have a kind of mechanism which imparts robust security to the deployed cloud. The key feature that arises in security aspect is due to the concept of virtualization. The mapping performed from these virtual devices to the physical storage devices is the most critical phenomenon and should be executed efficiently and securely. For the sharing of data, certain security mechanisms have to be implemented which involves in encryption and decryption of data. Algorithms applied must be secure. Eventually, the team aims at protecting the all kinds of information and the critical data to be known only to the authorized individuals.

• SECURITY THREATS AND ISSUES

A   Over   the   years,   cloud   computing   has   emerged   as   a promising hosting platform that allow usage of collection of

applications,  infrastructure,  network  and  storage  resources. Enterprises  completely  relay  on  cloud  computing  for  theirbusiness  operations   by   deploying   all   kinds   of   technical mechanisms on the cloud. So, the security aspects should be Fortunately, the pressure on enterprise cloud providers makes it  possible   to   expose  the   data  security   tools.   HP   Cloud Connection  is  an  affiliation  of  SaaS  providers  who  have demonstrated best-of-breed customer security feature.

Cloud in general provides three types of services to its clients. They are software as a service or SAAS, platform as a services (PaaS), infrastructure as a service (IaaS). SaaS delivers special purpose software that is provided to the consumers which are to be accessed recently via internet with a usage-based pricing model. PaaS delivers a high level of integrated environment to build and deploy custom applications. IaaS provides hardware , software and other equipments to the software application with a resource usage based pricing model.

1. SECURITY ISSUES WITH SAAS

Saas enables the customers to make use of an application on a ‘pay-as-you-go’ basis and eliminates the need to install and run the application on its own hardware. Customers usually get access to these applications via a Web Browser. Among all other services of cloud computing SaaS requires more care in terms of security than others. The best way to provide security associated with application development involves a layered approach. Security cannot be at a single point into the network, instead it must be layered into network, the server, the codes and the database itself. For any SaaS provider to succeed they must generate confidence in their system by demonstrating superior security architecture. To alleviate the SaaS security concerns, the enterprise security team must

• be involved in assuming a productive role in making a critical examination of all SaaS relationships.
• Be very aware of the data compliance issues

involved in SaaS application.

• Be ready to reject those vendors which are not able to provide adequate access control, visibility or active monitoring.

1. PAAS AND ITS SECURITY ISSUES

PaaS is a platform for hosting business applications and storage .Vendors provides a PaaS model that offers a complete development environment in which application developers create and deploy their code. With this approach, instead of building a server environment to run an application and installing a development environment (Ruby, Python, .Net Framework etc) to create application on that particular server, the customer can just connect to a PaaS cloud provider, and start creating application that can be deployed worldwide.

Security considerations for PaaS include access and authorization issues that works with distributed application and storage.The primary focus of the PaaS model is on the protection of data and storage as a service. There have been many companies in the market that are developing their applications enabling PaaS architecture. For instance, OpsWorks is an application management service developed by Amazon Web Services, designed particularly to manage applications of any scale and complexity in the cloud. It is an integrated system at large and therefore controls resources management, application deployment, software updates and access control. OpsWorks is in competition with PaaS

mainstays Heroku, AppFog and Engine Yard. Most common PaaS examples are Google App Engine5 and Microsoft Azure.

Apart from these security concerns there had been several deterrents to adopt cloud technology worldwide. These basically relate to aspects like complexity and costs, data security, regulations and legalities, migration, availability of services, robustness and reliability, privacy issues, limited customization, lack of standards etc. No doubt, that the cloud offers fast deployment of data applications which meets the needs of reality and at the same time improving productivity. Still the above factors are concerning towards its worldwide growth and adoption. And Internet paves the platform to all its cloud providers and users a communication infrastructure so as to have standard and secure transfer of data. Efficiency and security are the prominent goals to achieve in this transmission of information and other relevant operations. There had been compromise in such effective transmission.

1. DATA TRANSMISSION SECURITY

XSS or Cross site Scripting aims to introduce malwares and worms and hijack the user sessions. It also contributes in defacing the websites and creating an illusion of false pages over the internet browsers. XML corrupt leads to poisoning and corruption of data traffic between server and browsers. Insecure Cryptographic Storage results in attack to those web applications which do not make appropriate use of cryptographic functions to secure secret information. Failing in the encryption of the web traffic also open the vulnerabilities to attack. Malicious File Execution is a kind of attack where the data file might contain malicious scripts when XML or other framework tries to accept file from other user. Injection Flaws are another kind of vulnerable event in which the data transmitted by users has no proper validation, and eventually leads to manipulation of queries on server.

VII.        APPLICATION SECURITY

Applications at large envelope all procedural functions, hardware and software so as to implement protection in the applications and prevent those from unwanted external threats. Hackers are too smart to breach the security firewalls. They manipulate the user applications, delete sensitive files, steal or modify the information. Cloud computing as fully relies over the Internet, opens the vulnerabilities towards various security threats. To prevent this to some extent, SaaS was introduced. As discussed, it runs behind the firewall in PCs or LANs. Attacks which usually target the software applications and services consequently results in at least 39% of data compromise. These security threats categorize into Insecure direct object reference, Security miss configuration, Injection flaw like SQL, Failure to restrict URL access, invalidated redirects and forwards, Cross-site request forgery, Cross-site scripting, Broken authentication, Insecure cryptographic storage and Insufficient transport layer protection.

The requirements which are needed to overcome above threats are Communication protection, Access control, Privacy in multitenant environment, Data protection from exposure (remnants).

VIII.       PRE–REQUISITES TO SECURITY ARCHITECTURE

So far more or less it is understood that there is an urgent need to thoroughly go through all the security measures which are required to get through different vulnerabilities. So here we come a security architecture which would act robustly so as to implement most of the security concerns. Prior to this architecture proposal, here are some of the fundamental features which are imperative to exist in pipeline with all the cloud computations. They are briefly discussed here.

• Confidentiality: This basically enhances the surety that only authorized users have the rights to access protected information and all the data residing on the cloud shall remain confidential. With the help of Internet, users store data on remotely located servers which are operated by single/many cloud providers. With the enormous increase in the number of applications, parties and devices there had been equivalent increase in the access points. Here comes the risk of data compromise when data is controlled by number of parties and cloud vendors.

Confidentiality altogether plays a vital role in the maintenance of data belonging to worldwide different organizations and spread over multiple distributed data warehouses. Standard Cryptographic algorithms involving proper encryption and decryption of data files must be embedded on cloud architectures so as to ensure confidentiality.

Infrastructure reusability had been one of the prominent characteristics of cloud computations. But it is noticed that due to data remnants, although unintentionally, data confidentiality is breached. In addition to this, due to lack of hardware and virtual separation between multiple set of users on one infrastructure, the concept of data remnant eventually leads to unwilling availability of confidential data. Possibilities also exits that a user claiming huge disk spaces may search for sensitive information from discarded junks of data files.

• Availability: This is again a critical security requirement for successful cloud computations. According to this aspect, the available information is accessible and hence can be used by authentic enterprises. Partial and complete loss to this feature can lead to some serious threats. These are equipment outages, denial of service attacks and natural disasters. The imperative goal of‘availability’ is to ensure that all the users of cloud have secure access to their information any time and

any place. And it is also applicable in situation where security breaches. And this availability is also in case of hardware which are directly linked with the software. It is the responsibility of all the providers of the cloud to respond immediately to the requests of their respective clients. At times, it becomes difficult to recognize the threats which have an impact on availability. These attacks are based on user’s network like Distributed Denial of Service attack or the availability of cloud provider. When taking multi-tenant environment, if one of the tenant is targeted, this will significantly have an adverse impact on other tenants as well. Hence we need a kind of multi-tier architecture which is able to execute on a huge number of data servers. Apart from this, at the time of application development there must be resiliency to both software and hardware associated with it.

• Privacy: While operating with cloud technologies, privacy is again one of the major concerns for any organization, since their major dealing is with the personal data of their clients. Appropriate legal framework are need to set for ensuring accurate confidentiality protection. Cloud provider has to face various challenges towards the privacy issue, since data stored in the cloud is processed in multiple locations at various service provider’s datacenters which might be located anywhere in the world. Thus risk of privacy increases. Whenever data is to be used within the cloud processing, it must be first approved by the data subjects. In a shared multi-tenant infrastructure where workloads are migrated, it is the client’s private information which faces the risk of unauthorized access and disclosure. Therefore it is the responsibility of the respective providers to assure their clients privacy with the high degree of privacy mechanisms and assurance.
• Integrity: The featured aspect of Integrity includes both computation as well as data integrity. When we are concerned of the data which is to be fetched from the varied cloud servers, there should be automatic detection standards for the harm and violation of losing essential data or any kind of compromization which may alter the data. While the Computation Integrity deals with the issues related to the set of programs which execute with no link to the cloud suppliers, or any kind of malicious malware users. This of course makes us understand of the detection of such incorrectness if it takes place. Any kind of manipulations with the data or dishonest computation should be readily reported and necessary actions must be taken.

So far we have been discussing about important fundamental parameters which must be endorsed to make any cloud computation efficient to operate. Here in this section, a proposed security architecture is designed and all its whereabouts are thoroughly discussed.

Fig. Proposed Security Architecture for Cloud Computing in an Enterprise.

Above figure fully explains and show us diagrammatically that how corporate multi-national enterprises and connected and dependent on the cloud for most of its operations. It also describes the security mechanism which can be embedded in to the infrastructure of any organization. The consulting services establishes all the objectives and the relevant targets for information security. Monitoring Services are used to monitor incidents, gather and analyze analog management logs. Assessment Services are used to address the security reports, audits and gather evidence for obtaining authentication.

1. CONCLUSIONS

Cloud computing as a technology if used in a way that it secures all your data and private information without any kind of hindrance to its operating efficiency, is very good. There are huge number of advantages provided by virtualization and working of processes on cloud, which are also discussed above. It should be the initiatives of the big enterprises to

implement  such  security in  their  organizations,  and  set  an

example for the small IT companies and hubs all over the world.

REFERENCES

• Huaglory Tianfield School of Engineering and Built Environment Grasgow Caledonion University , UK. Security Issues In Cloud Computing .2012 IEEE International Conference on Systems, Man and Cybernetics October 14-17,2012,COEX, Seoul Korea.
• Constantinos Evangelinos  and  Chris  Hill.  Cloud Computing for parallel scientific HPC Applications:Feasibility of running Coupled Atmosphere-Ocean climate models on Amazon’s EC2. Paper presented at the CCA-08 in Chicago.

• Subashini and, V.Kavitha . A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications.
• Kevin Hamlen,Murat kantarcioghu,Latifur Khan,Bhavani Thuraisingham. Sec urity Issues For Cloud Computing. International Journal of Information Security and Privacy, 4(2), 39-51, April-June 2010 39 .
• Abhishek Goel, Shikha Goel. Security Issues In Cloud Computing. International Journal of Application orInnovatioinEngineering&Management (IJAIEM).Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com. Volume 1, Issue 4, December 2012

• Vishal Jain,Mahesh Kumar Madan. Information Retrieval through Multi-Agent System with Data Miningin Cloud Computing. Vishal Jain et al,Int.J.Comp.Tech.Appl,Vol 3 (1), 62-66. IJCTA | JAN-FEB 2012

• Mladen A. Vouk. Cloud Computing – Issues,Research and Implementations. Journal of Computing and Information Technology – CIT 16, 2008, 4, 235–246 ,doi:10.2498/cit.1001391.
• RunTest: Assuring Integrity of Dataflow Processing in Cloud  Computing  Infrastructures  Juan  Du,   Wei   Wei,Xiaohui Gu, and Ting Yu Department of Computer Science North Carolina State University Raleigh, North Carolina,USA {jdu,wwei5}@ ncsu.edu, {gu,yu}@ csc.ncsu.edu