2012 7th International Conference on Telecommunication Systems, Services, and Applications (TSSA)

Cloud Security Challenges

Gurudatt Kulkarni(1), Nikita Chavan(2)
(1, 2) Electronics & Telecommunication Dept., Marathwada Mitra Mandal’s Polytechnic, Pune, India
[email protected]

Ruchira Chandorkar(3), Rani Waghmare(4)
(3, 4) Electronics & Telecommunication Dept., Marathwada Mitra Mandal’s Polytechnic, Pune, India

Rajnikant Palwe(5)
(5) Department of Computer Engineering, Marathwada Mitra Mandal’s Polytechnic, Pune, India

Abstract—Deploying cloud computing in an enterprise infrastructure brings significant security concerns. Successful implementation of cloud computing in an enterprise requires proper planning and an understanding of emerging risks, threats, vulnerabilities, and possible countermeasures. We believe an enterprise should analyze its security risks, threats, and available countermeasures before adopting this technology. In a cloud computing environment, all data reside on a set of networked resources, and the data are accessed through virtual machines. Since these data centers may lie in any corner of the world, beyond the reach and control of users, there are multifarious security and privacy challenges that need to be understood and addressed. One can also never rule out a server breakdown, which has been witnessed quite often in recent times. Various issues need to be dealt with regarding security and privacy in a cloud computing scenario. This survey paper aims to elaborate and analyze the numerous unresolved issues threatening cloud computing adoption and diffusion, and affecting the various stakeholders linked to it.

Keywords - DoS attack, flooding attack, cloud, PaaS

INTRODUCTION [1, 2]

Cloud computing provides services rather than a single product. These services are offered in three models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) (Iyer and Henderson, 2010; Han, 2010; Mell and Grance, 2010).

[Figure 1: Cloud Computing Service Models]

1. SaaS: it is run by the cloud service provider and mostly used by organizations. It is available to users through the Internet.
2. PaaS: it is a tool (Windows, Linux) used by developers for developing websites without installing any software on their own system, and can be used without any administrative expertise.
3. IaaS: it is operated, maintained and controlled by the cloud service provider, which supports operations such as storage, hardware, servers and networking.

There are four types of cloud computing models listed by NIST (2009): private cloud, public cloud, hybrid cloud and community cloud.

A. Public Cloud: it is for the general public; resources, web applications and web services are provided over the Internet, and any user can obtain services from the cloud. Public organizations help in providing the infrastructure to execute the public cloud.

B. Private Cloud: it is used by an organization internally and serves a single organization; anyone within the organization can access the data, services and web applications, but users outside the organization cannot access the cloud. The infrastructure of a private cloud is completely managed, and the corporate data fully maintained, by the organization itself.

C. Hybrid Cloud: the cloud is a combination of two or more clouds (public, private and community). Basically it is an environment in which multiple internal or external suppliers of cloud services are used. It is being used by most organizations (IBM and Juniper Networks, 2009).

[Figure 2: Cloud Computing Types]

D. Community Cloud: the cloud is basically a mixture of one or more public, private or hybrid clouds, which is shared by many organizations for a single cause (mostly security). The infrastructure is shared by several organizations within a specific community with common security and compliance objectives. It is managed by a third party or managed internally. Its cost is less than that of a public cloud but more than that of a private cloud.

978-1-4673-4550-7/12/$31.00 ©2012 IEEE

I. CLOUD SECURITY [3, 4]

Security is one of the concerns about cloud computing that is delaying its adoption, as only 5% have turned over to cloud computing. One of the biggest security concerns is that when you move your information to the cloud you lose control of it. The cloud gives you access to the data, but you have no way of ensuring that no one else has access to the data. In a cloud-based software environment, physical security is stronger because the loss of a client system does not compromise data or software. Cloud computing seems to offer some incredible benefits for communication: the availability of an incredible array of software applications, access to lightning-quick processing power, unlimited storage, and the ability to easily. Cloud computing is taking hold, as 69% of all Internet users have either stored data online or used a web-based software application: "Washington, DC – Some 69% of online Americans use webmail services, store data online, or use software programs such as word processing applications whose functionality is located on the web. In doing so, these users are making use of ‘cloud computing,’ an emerging architecture by which data and applications reside in cyberspace, allowing users to access them through any web-connected device."

There are numerous security issues for cloud computing, as it encompasses many technologies including networks, databases, operating systems, virtualization, resource scheduling, transaction management, load balancing, concurrency control and memory management.

Therefore, security issues for many of these systems and technologies are applicable to cloud computing. For example, the network that interconnects the systems in a cloud has to be secure. Furthermore, the virtualization paradigm in cloud computing results in several security concerns; for example, mapping virtual machines to physical machines has to be carried out securely. Data security involves encrypting the data as well as ensuring that appropriate policies are enforced for data sharing. In addition, resource allocation and memory management algorithms have to be secure. Finally, data mining techniques may be applicable to malware detection in clouds.

It is clear that the security issue has played the most important role in hindering cloud computing acceptance. Without doubt, putting your data and running your software on someone else's hard disk using someone else's CPU appears daunting to many. Well-known security issues such as data loss, phishing, and botnets (running remotely on a collection of machines) pose serious threats to an organization's data and software. Moreover, the multi-tenancy model and the pooled computing resources in cloud computing have introduced new security challenges that require novel techniques to tackle. For example, attackers can use the cloud to organize a botnet, as the cloud often provides more reliable infrastructure services at a relatively cheaper price for them to start an attack.

[Figure 3: Cloud Security View]

A. Malware-injection attack problem

In the cloud system, the client’s request is executed based on authentication and authorization, so a large amount of metadata is exchanged between the web server and the web browser. An attacker can take advantage of this exchange of metadata: either the adversary creates his own instance, or the adversary tries to intrude with malicious code. In either case, the injected malicious service or code appears as one of the valid instance services running in the cloud. If the attacker is successful, the cloud service will suffer from eavesdropping and deadlocks, which force a legitimate user to wait until the completion of a job that was not generated by the user. This type of attack is also known as a metadata spoofing attack.

[Figure 4: Malware Protection]
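The countermeasure side of the malware-injection problem can be made concrete with the following added example; it is not code from the paper. It assumes the provider records a digest of every service image it deploys itself and that the dispatcher can read the image an instance is actually running; the service names, images and registry layout are constructed for the example.

```python
"""Instance-integrity check before dispatching a cloud request.

Added illustration (not from the paper): the dispatcher keeps a registry of
SHA-256 digests of the service images the provider deployed, and refuses to
route a client request to any running instance whose image does not match.
An injected instance that advertises a legitimate service name but runs
different code therefore never receives a request. All names, images and
the registry format are constructed for this example.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    """A running service instance as seen by the dispatcher (constructed)."""
    service: str      # name the instance advertises, e.g. "billing-api"
    image: bytes      # the code/image actually loaded in the instance


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


class Dispatcher:
    def __init__(self) -> None:
        # service name -> digest of the image the provider deployed
        self._registry: dict[str, str] = {}

    def register(self, service: str, image: bytes) -> None:
        """Record the digest of an image at deployment time."""
        self._registry[service] = digest(image)

    def verify(self, inst: Instance) -> bool:
        """True only if the instance advertises a known service and runs the registered image."""
        expected = self._registry.get(inst.service)
        return expected is not None and digest(inst.image) == expected

    def dispatch(self, request_service: str, running: list[Instance]) -> str:
        """Route a request to the first verified instance of the requested service.

        Unverified instances are skipped and counted so an operator can alarm
        on them; the request is never handed to one of them.
        """
        rejected = 0
        for inst in running:
            if inst.service != request_service:
                continue
            if self.verify(inst):
                return f"dispatched to verified {inst.service} instance"
            rejected += 1
        return f"no verified {request_service} instance ({rejected} rejected)"


# Constructed sample images: a deployed one and an injected look-alike.
GOOD_IMAGE = b"def handle(req): return process(req)"
ROGUE_IMAGE = b"def handle(req): exfiltrate(req); return process(req)"


def demo() -> tuple[str, str]:
    """Dispatch against (a) only the rogue instance, (b) rogue plus genuine."""
    d = Dispatcher()
    d.register("billing-api", GOOD_IMAGE)
    only_rogue = [Instance("billing-api", ROGUE_IMAGE)]
    mixed = [Instance("billing-api", ROGUE_IMAGE), Instance("billing-api", GOOD_IMAGE)]
    return d.dispatch("billing-api", only_rogue), d.dispatch("billing-api", mixed)


if __name__ == "__main__":
    print(demo())
```

The check is deliberately placed at dispatch time rather than only at deployment, because the attack described above introduces its instance after deployment; the rejected count is the signal an operator would watch.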

B. Flooding attack problem

In a cloud system, all the computational servers work in a service-specific manner, with internal communication between them. Whenever a server is overloaded or has reached its threshold limit, it transfers some of its jobs to the nearest similar service-specific server to offload itself. This sharing approach makes the cloud more efficient and faster at executing requests. Once an adversary has obtained the authorization to make a request to the cloud, he/she can easily create bogus data and pose these requests to the cloud server. When processing these requests, the server first checks the authenticity of the requested jobs. Non-legitimate requests must be checked to determine their authenticity, but the checking consumes CPU and memory and engages the IaaS to a great extent, and as a result the server offloads its services to another server. The same thing then occurs again, and the adversary succeeds in engaging the whole cloud system just by interrupting the usual processing of one server, in essence flooding the system.

C. Accountability check problem

The payment method in a cloud system is "no use, no bill". When a customer launches an instance, the duration of the instance, the amount of data transferred over the network and the number of CPU cycles per user are all recorded, and the customer is charged on the basis of this recorded information. So, when an attacker has engaged the cloud with a malicious service or runs malicious code that consumes a lot of computational power and storage from the cloud server, the legitimate account holder is charged for this computation. As a result, a dispute arises and the provider’s business reputation is harmed.

[Figure 5: An example of attribute-based encryption]
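The following added example (not code from the paper) combines a defence for the flooding problem with the metering that the accountability problem calls for. It assumes each customer holds a secret shared with the provider and attaches an HMAC tag to every request; the account names, secrets, request bodies, per-job costs and the rate limit are constructed for the example.

```python
"""Cheap admission control plus metered accountability for cloud requests.

Added illustration, not code from the paper. It addresses the flooding
and accountability problems described above in one front end:
  1. Every request carries an HMAC-SHA256 tag over its body, computed with
     the requester's secret. Verifying it costs the same small, fixed amount
     whether the request is genuine or forged, and it happens before any
     expensive job validation. An authenticated requester is then held to a
     per-window budget (token bucket), so even an authorized adversary cannot
     push one server into offloading to its peers.
  2. Only admitted jobs are metered, and each metered unit is attributed to
     the authenticated requester and job id, which gives an auditable basis
     for the bill when a dispute arises.
Secrets, request bodies, job costs and limits are all constructed.
"""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed per-customer secrets (in practice issued out-of-band by the provider).
SECRETS = {"acme": b"acme-secret-key", "mallory": b"mallory-secret-key"}


def tag(secret: bytes, body: bytes) -> str:
    """Tag a requester attaches to a request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


@dataclass
class TokenBucket:
    tokens: int          # requests still allowed in the current window

    def take(self) -> bool:
        if self.tokens <= 0:
            return False
        self.tokens -= 1
        return True


@dataclass
class FrontEnd:
    rate_limit: int = 5                                   # requests per window per requester
    buckets: dict = field(default_factory=dict)
    ledger: list = field(default_factory=list)            # (requester, job_id, cpu_units)
    rejected: dict = field(default_factory=lambda: defaultdict(int))

    def submit(self, requester: str, job_id: str, body: bytes, presented_tag: str) -> str:
        """Admit or reject one request, returning the outcome; meters only admitted work."""
        # Step 1: one fixed-cost MAC check is the only work spent on unauthenticated
        # input, so forged requests never reach the expensive validation path.
        secret = SECRETS.get(requester)
        if secret is None or not hmac.compare_digest(tag(secret, body), presented_tag):
            self.rejected["bad_tag"] += 1
            return "bad_tag"
        # Step 2: an authenticated requester still gets only a bounded budget.
        bucket = self.buckets.setdefault(requester, TokenBucket(self.rate_limit))
        if not bucket.take():
            self.rejected["rate_limited"] += 1
            return "rate_limited"
        # Step 3: expensive processing, attributed to this requester and job.
        self.ledger.append((requester, job_id, self._process(body)))
        return "admitted"

    @staticmethod
    def _process(body: bytes) -> int:
        # Stand-in for real job execution: cost grows with payload size (constructed).
        return max(1, len(body) // 8)

    def bill(self, requester: str) -> int:
        """Units chargeable to a requester: only jobs they authenticated themselves."""
        return sum(units for who, _, units in self.ledger if who == requester)


def demo() -> dict:
    fe = FrontEnd(rate_limit=3)
    # A legitimate customer sends one properly tagged job (44-byte body -> 5 units).
    body = b"render report for Q3, 64 pages of data ....."
    fe.submit("acme", "job-1", body, tag(SECRETS["acme"], body))
    # An attacker who knows acme's account name but not its key sends forged tags.
    for i in range(10):
        fe.submit("acme", f"forged-{i}", b"x" * 400, "0" * 64)
    # An authorized but abusive account floods with genuine tags: capped by the budget.
    for i in range(10):
        flood = b"y" * 40
        fe.submit("mallory", f"flood-{i}", flood, tag(SECRETS["mallory"], flood))
    return {
        "acme_bill": fe.bill("acme"),
        "mallory_bill": fe.bill("mallory"),
        "admitted_jobs": len(fe.ledger),
        "rejected": dict(fe.rejected),
    }


if __name__ == "__main__":
    print(demo())
```

In the scenario run by demo(), the forged requests against acme's account are all rejected at the tag check and add nothing to acme's bill, and the authorized flooder is admitted only up to its budget, with every admitted unit attributed to its own account; the rejected counters are what a monitoring rule would alarm on.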

D. Browser Security

In a cloud computing system, the computational processes are completed on the cloud server, whereas the client side just sends a request and waits for the result. A web browser is the common means of connecting to cloud systems. Before a client can request services from the cloud system, the client is required to authenticate itself, establishing whether it has the authority to use the cloud system. From the security point of view, web browsers these days rely heavily on SSL/TLS. They are not able to apply the WS-Security concepts (XML Signature and XML Encryption) to the authentication process. As a consequence, when a web browser requests a service from the web service in a cloud system, it cannot use XML Signature to sign the client’s credentials (e.g. username and password) in order to authenticate the user, nor XML Encryption to encrypt the SOAP message in order to protect data from unauthorized parties. The web browser has to use SSL/TLS to encrypt the credentials and the SSL/TLS 4-way handshake process to authenticate the client. Nevertheless, SSL/TLS only supports point-to-point communication, meaning that if there is a middle tier between the client and the cloud server, such as a proxy server or firewall, the data have to be decrypted on the intermediary host.

E. Service Provider Security Issues

The organization must assess the public cloud computing environment offered by the cloud provider and make sure that a cloud computing solution satisfies its security and privacy needs. It must consider the cloud provider’s ability to provision the security controls necessary to safeguard the organization’s information and applications, and additionally the proof provided regarding the effectiveness of those controls, before migrating organizational information and functions into the cloud.

F. Identity and access management [3, 5, 6]

Identity and Access Management (IAM) features are Authorization, Authentication, and Auditing (AAA) of users accessing cloud services. In any organization the “trust boundary” is mostly static and is monitored and controlled for applications deployed within the organization’s perimeter. In a private data center, the managed trust boundary encompasses the network, systems, and applications, and it is secured via network security controls including intrusion prevention systems (IPSs), intrusion detection systems (IDSs), virtual private networks (VPNs), and multifactor authentication. With cloud computing, the organization’s trust boundary becomes dynamic, and the application, system, and network boundary of the organization extends into the service provider’s domain. Application security and user access controls must compensate for the loss of network control and strengthen risk assurance.
The required controls are strong authorization, authentication based on claims or roles, trusted sources with user activity monitoring, identity federation, accurate attributes, single sign-on (SSO), and auditing.

G. Privacy

Privacy is one of the security issues in cloud computing. Personal information regulations vary across the world, and a number of countries place restrictions on whether personal data may be stored outside the country. A cloud service provider has to find a single level of service that is acceptable in every jurisdiction. Based on contractual commitments, data can be stored within specific countries for privacy regulations, but this is difficult to verify. The consequences and potential costs of mistakes are rising fast for companies that handle private and confidential customer data, so professionals must develop both the security services and the privacy practices of the cloud service. An effective assessment strategy must cover data protection, compliance, privacy, identity management, secure operations, and other related security and legal issues.

H. Securing Data in Transmission [6, 7]

Encryption techniques are used for data in transmission, together with authentication and integrity protection, so that data only go where the customer wants them to go and are not modified in transit. SSL/TLS protocols are used here. In a cloud environment most data are not encrypted at processing time, because for any application to process data, that data must be unencrypted. A fully homomorphic encryption scheme, an advance in cryptography, would allow data to be processed without being decrypted.
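The point-to-point limitation of SSL/TLS described under Browser Security above, and the integrity requirement for data in transmission just stated, are illustrated by the following added example, which is not code from the paper. It assumes the client and the cloud service share a key that the middle tier does not hold; the key, the messages and the proxy behaviour are constructed for the example.

```python
"""End-to-end message integrity across a TLS-terminating intermediary.

Added illustration, not code from the paper. SSL/TLS protects one hop at a
time: a proxy or firewall between the browser and the cloud service ends one
TLS session and opens another, so it handles the request in the clear and
can alter it. A tag computed over the request with a key shared only between
the client and the cloud service (HMAC-SHA256 here, standing in for the
message-level XML Signature that the paper notes browsers cannot apply) lets
the service detect any change an intermediary made, regardless of how many
hops the message crossed. Keys, messages and proxy behaviour are constructed.
"""
import hashlib
import hmac
import json

# Shared only by the client and the cloud service; the proxy never sees it (constructed).
END_TO_END_KEY = b"key-known-to-client-and-service-only"


def canonical(request_id: str, body: dict) -> bytes:
    """Stable serialization so both ends tag exactly the same bytes."""
    return json.dumps({"request_id": request_id, "body": body},
                      sort_keys=True, separators=(",", ":")).encode()


def compute_tag(request_id: str, body: dict) -> str:
    """Tag over the request id and body; binding the id stops a body being moved to another request."""
    return hmac.new(END_TO_END_KEY, canonical(request_id, body), hashlib.sha256).hexdigest()


def client_send(request_id: str, body: dict) -> dict:
    """Client attaches the end-to-end tag before handing the message to its TLS session."""
    return {"request_id": request_id, "body": body, "tag": compute_tag(request_id, body)}


def honest_proxy(msg: dict) -> dict:
    """Well-behaved middle tier: terminates TLS, inspects, forwards unchanged."""
    return dict(msg)


def tampering_proxy(msg: dict) -> dict:
    """Compromised middle tier: rewrites a field in the plaintext it handles."""
    altered = dict(msg)
    altered["body"] = dict(msg["body"], amount=msg["body"]["amount"] * 100)
    return altered


def service_receive(msg: dict) -> tuple:
    """Service recomputes the tag over what it actually received and compares in constant time.

    Returns (integrity_ok, body). With transport security alone the service
    could not tell the two proxies apart, since each TLS hop was valid.
    """
    expected = compute_tag(msg["request_id"], msg["body"])
    return hmac.compare_digest(expected, str(msg.get("tag", ""))), msg["body"]


def run(proxy) -> tuple:
    """Send one request through the given proxy; return (integrity_ok, amount the service saw)."""
    msg = client_send("req-001", {"action": "transfer", "amount": 10})
    ok, body = service_receive(proxy(msg))
    return ok, body["amount"]


if __name__ == "__main__":
    print("honest proxy:", run(honest_proxy))        # (True, 10)
    print("tampering proxy:", run(tampering_proxy))  # (False, 1000)
```

The tag gives integrity and origin authentication only; confidentiality against the intermediary would additionally need message-level encryption of the body, which is the XML Encryption half of the WS-Security pairing discussed above.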

[Figure 6: Encryption Technique]

The confidentiality and integrity of data in transmission to and from the cloud provider are provided by using access controls such as authorization, authentication and auditing for the use of resources, and by ensuring the availability of the Internet-facing resources at the cloud provider. A man-in-the-middle attack is a cryptographic attack carried out when an attacker can place themselves in the communication path between the users. There, they have the possibility of intercepting and changing communications.

CONCLUSION

Although cloud computing can be seen as a new phenomenon that is set to revolutionise the way we use the Internet, there is much to be cautious about. Many new technologies are emerging at a rapid rate, each bringing technological advancements and the potential to make human lives easier. There are several other security challenges, including the security aspects of virtualization. We believe that, due to the complexity of the cloud, it will be difficult to achieve end-to-end security. However, the challenge we have is to ensure more secure operations even if some parts of the cloud fail. For many applications, we not only need information assurance but also mission assurance. Therefore, even if an adversary has entered the system, the objective is to thwart the adversary so that the enterprise has time to carry out the mission. As such, building trusted applications from untrusted components will be a major aspect of cloud security.

ACKNOWLEDGMENT

Mr. Gurudatt Kulkarni, one of the authors, is indebted to Principal Prof. Mrs. Rujuta Desai for giving permission to send the paper to the conference. Mrs. Rani Waghmare is also thankful to the Vice President Mr. S.D. Ganage and Secretary Mr. B.G. Jadhav, Marathwada Mitra Mandal, for giving permission to send the paper for publication. We would also like to thank our colleagues Lecturer Mrs. Geeta Joshi and Jayant Gambhir for supporting us.

REFERENCES

[1] Dikaiakos et al., “Cloud Computing: Distributed Internet Computing for IT and Scientific Research”, IEEE, Volume 13, Issue 5, Sept.-Oct. 2009, pp. 10-13.
[2] Liang-Jie Zhang et al., “CCOA: Cloud Computing Open Architecture”, IEEE, 6-10 July 2009, pp. 607-616.
[3] A. Tripathi and A. Mishra (IT Div., Gorakhpur Centre, Gorakhpur, India), “Cloud Computing Security Considerations”, IEEE International Conference on Signal Processing, Communications and Computing (ICSPCC), 2011.
[4] M. A. Rahaman, A. Schaad, and M. Rits, “Towards secure SOAP message exchange in a SOA”, in SWS ’06: Proceedings of the 3rd ACM workshop on Secure Web Services, pp. 77-84, New York, NY, USA, 2006, ACM Press.
[5] Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Iacono, “On Technical Security Issues in Cloud Computing”, IEEE International Conference on Cloud Computing, 2009.
[6] D. Kormann and A. Rubin, “Risks of the Passport single signon protocol”, no. 1-6, pp. 51-58, 2000.
[7] http://www.sys-con.com/node/1203943
[8] Shucheng Yu, Wenjing Lou, Kui Ren, Handbook on Securing Cyber-Physical Critical Infrastructure, 2012, pp. 389-410.
