
Abstract: Cloud Computing is defined as a model for enabling
convenient, on-demand access to a shared pool of configurable
computing resources (e.g., networks, servers, storage, applications
and services) that can be rapidly provisioned. Cloud computing is a
next-generation technology wherein all resources will be available as
a service through the internet. This is one of the fastest growing areas
in the IT industry; it offers benefits such as dynamic resource
provisioning, automated administration of IT infrastructures, and
sharing of unlimited CPU, bandwidth or storage space. In this paper we
list the security issues and challenges in the cloud environment and
the security standards and management tools which are in place, and
recommend the best solutions which we can rely on.

Keywords: Cloud, Data centric protection, Security
I. INTRODUCTION
Cloud computing delivers software and services over
networked connections, relying on a steady flow of
throughput to and from the virtualized data center in order to
maintain high service levels. Thanks to scalable virtualization
technology, cloud computing gives users access to a set of
pooled computing resources that share the following
attributes:
• Multi-tenancy
• Highly scalable and elastic
• Self-provisioned
• Pay-per-use price model
In contrast to the significant capital expenditures it takes to
purchase and provision the launch of a traditional in-house
operational site, as well as the months of lead time that effort
involves, cloud computing lets administrators spin up virtual
servers. They can provision necessary storage and launch an
operational site within minutes or hours and for a fraction of
historical costs. The virtualization that underlies cloud
computing is very dynamic and allows a very high rate of
change, says Budko, as customers move data and applications
among physical devices. What is missing is the ability to manage
it smoothly, avoiding a sprawl of unused or underused virtual
machines that soak up electricity, cooling and management
time and possibly create security risks just as unmanaged physical
servers do. Corporations and business individuals are
concerned about how security and compliance integrity can be
maintained in this new environment.
Lovely Sasidharan, Asst Professor, AMCEC Bangalore (E-mail:
lovely_sasidharan@yahoo.co.in)
Neeth P.R, Lecturer, AMCEC Bangalore (E-mail: neethpr@gmail.com).
Dr. Leela Reddy is working as Professor, PESIT, India.
According to an IDC survey conducted by IT executives and
business colleagues, the top issue in cloud computing is
security. Moving critical applications and sensitive data to the
public cloud is the major concern, because data is moving
under the control of a third party (the Cloud Service Provider).

TABLE I
RATE THE CHALLENGES OR ISSUES OF CLOUD AS PER IDC SURVEY
Security                                     87%
Availability                                 83%
Performance                                  82%
On-demand Payment Model cost more            81%
Lack of interoperability standards           80%
Bringing back to in-house may be difficult   79%
Hard to integrate with in-house IT           76%
Not enough ability to customize              76%
II. SECURITY CONCERNS IN CLOUD COMPUTING
Open systems and shared resources raise many security
challenges, making security one of the major barriers to adopting
cloud computing technologies [2].


Fig. 1 Security in 3 levels (cloud infrastructure security at the
network level, host level and application level)
A. Infrastructure Security Network Level
At the network level, a private cloud introduces no new
attacks. Changes in the organization's IT architecture will not
change the current network topology significantly, and security
requirements in a private cloud will not require changes to the
existing network topology.
In a public cloud, security requirements will require changes
to the existing topology. How the existing network topology will
interact with the cloud provider's network topology should be
addressed. There are four significant risk factors here:
• Ensuring the confidentiality and integrity of the
  organization's data in transit to and from the public
  cloud provider.
• Ensuring proper access control (authentication,
  authorization and auditing) for whatever resources
  are in use at the public cloud provider.
• Ensuring the availability of the internet-facing
  resources in a public cloud that are being used by the
  organization.
• Replacing the established model of network zones
  and tiers with domains.
Security Issues and Solutions in Cloud Computing
Lovely Sasidharan, Neeth P.R., Dr. Leela Reddy
International Conference on Computational Techniques and Artificial Intelligence (ICCTAI'2011)
B. Infrastructure Security Host Level
For host security, we should consider the context of
cloud service delivery models (SaaS, PaaS, IaaS)
and deployment models (public, private and hybrid). The
dynamic nature of the cloud can bring new operational
challenges. The operational model motivates rapid
provisioning and fleeting instances of VMs. Managing
vulnerabilities and patches is therefore much harder, as the
rate of change is much higher than in a traditional data center.
Some of the new host security threats include:
• Stealing keys used to access and manage hosts (e.g.,
  SSH private keys)
• Attacking unpatched, vulnerable services listening on
  standard ports (FTP, SSH, NetBIOS)
• Hijacking accounts that are not properly secured (i.e.,
  weak or no passwords for standard accounts)
• Attacking systems that are not properly secured by
  host firewalls
• Deploying Trojans embedded in the software
  component in the VM or within the VM image (OS)
  itself
Securing a virtual server in the cloud requires strong
operational security procedures. Here are some
recommendations:
1. Use a secure by default configuration. Harden your
image and use a standard hardened image for
instantiating VMs (the guest OS) in a public cloud.
2. Protect the integrity of the hardened image from
unauthorized access.
3. Safeguard the private keys required to access hosts in
the private cloud.
4. Isolate the decryption keys from the cloud where the
data is hosted.
5. Include no authentication credentials in virtualized
images except for a key to decrypt the file system key.
6. Do not allow password-based authentication for shell
access.
7. Require passwords for role-based access.
8. Run only the required services and turn off the
unused services (e.g., turn off FTP, print services,
database services if they are not required).
9. Enable system auditing and event logging and log the
security events to a dedicated log server. Isolate the
log server with higher security protection, including
access controls.
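Recommendation 6 can be checked mechanically before a hardened image is published. The Go program below is an added example, not code from the paper: it audits an sshd_config for settings that still allow password logins, assuming the keyword names and defaults documented in OpenSSH's sshd_config(5). The sample configuration and the function name auditSSHD are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: sshd_config baked into a hypothetical VM image.
const sampleConfig = `PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
`

// sshd_config(5) defaults for keywords that allow password-style logins.
var defaults = map[string]string{
	"passwordauthentication":       "yes",
	"kbdinteractiveauthentication": "yes",
	"permitemptypasswords":         "no",
}

// auditSSHD lists settings that still allow password logins. sshd keeps the
// first value read for a keyword; Match blocks override it per connection.
func auditSSHD(config string) []string {
	global, scope, findings := map[string]string{}, "", []string{}
	for _, line := range strings.Split(config, "\n") {
		f := strings.FieldsFunc(line, func(r rune) bool { return r == ' ' || r == '\t' || r == '=' })
		if len(f) < 2 || strings.HasPrefix(f[0], "#") {
			continue
		}
		key, val := strings.ToLower(f[0]), strings.ToLower(f[1])
		switch {
		case key == "match":
			scope = strings.Join(f[1:], " ")
		case scope == "" && global[key] == "":
			global[key] = val // later global duplicates are ignored
		case scope != "" && defaults[key] != "" && val != "no":
			findings = append(findings, fmt.Sprintf("match[%s] %s=%s", scope, key, val))
		}
	}
	for key, def := range defaults {
		val := global[key]
		if val == "" {
			val = def // keyword absent: the built-in default applies
		}
		if val != "no" {
			findings = append(findings, fmt.Sprintf("global %s=%s", key, val))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() { fmt.Println(strings.Join(auditSSHD(sampleConfig), "\n")) }
```

On the sample, the global PasswordAuthentication line is safe because the first value wins, but the missing KbdInteractiveAuthentication keyword and the Match block are both reported.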
III. TOP CLOUD COMPUTING THREATS
A. Transparency
Service providers must demonstrate the existence of
effective and robust security controls, assuring customers that
their information is properly secured against unauthorized
access, change and destruction. Key questions to decide are:
How much transparency is enough? What needs to be
transparent? Will transparency aid malefactors? Key areas
where supplier transparency is important include: What
employees (of the provider) have access to customer
information? Is segregation of duties between provider
employees maintained? How is different customers'
information segregated? What controls are in place to prevent,
detect and react to breaches?
B. Privacy
With privacy concerns growing across the globe it will be
imperative for cloud computing service providers to prove to
existing and prospective customers that privacy controls are in
place and demonstrate their ability to prevent, detect and react
to breaches in a timely manner. Information and reporting
lines of communication need to be in place and agreed on
before service provisioning commences. These
communication channels should be tested periodically during
operations.
C. Compliance
Most organizations today must comply with a litany of
laws, regulations and standards. There are concerns with
cloud computing that data may not be stored in one place and
may not be easily retrievable. It is critical to ensure that if data
are demanded by authorities, it can be
provided without compromising other information. Audits
completed by legal, standard and regulatory
authorities themselves demonstrate that there can be
plenty of overreach in such seizures. When
using cloud services there is no guarantee that an enterprise
can get its information when needed, and some providers are
even reserving the right to withhold
information from authorities.
Cloud computing represents a rare opportunity to rework security
and IT controls for a better tomorrow.
D. Trans-border information flow
When information can be stored anywhere in
the cloud, the physical location of the information can become
an issue. Physical location dictates jurisdiction and legal
obligation. Country laws governing personally
identifiable information (PII) vary greatly. What is allowed
in one country can be a violation in another.
E. Certification
Cloud computing service providers will need to provide
their customers assurance that they are doing the right
things. Independent assurance from third-party audits and/or
service auditor reports should be a vital part of any assurance
program in choosing a provider. Reputation, history and
sustainability should all be factors to consider.
F. Failure
Failure to perform to agreed-upon service levels can impact not
only confidentiality but also availability, severely affecting
business operations. The dynamic nature of cloud computing
may result in confusion as to where information actually
resides. When information retrieval is required, this may
create delays. Third-party access to sensitive information
creates a risk of compromise to confidential information. Due
to the dynamic nature of the cloud, information may not be
immediately located in the event of a disaster. Business
continuity and disaster recovery plans must be well
documented and tested. The cloud provider must understand
the role it plays in terms of backups, incident response and
recovery. Recovery time objectives should be stated in the
contract.
IV. STRATEGIES FOR ADDRESSING CLOUD COMPUTING RISKS
Unauthorized access to data in the cloud is a significant
concern. An enterprise must take an inventory of its
information assets and ensure that data are properly classified
and labeled. This will help to determine what should be
specified when drafting a service level agreement (SLA), any
need for encryption of data being transmitted or stored, and
additional controls for information that is sensitive or of high
value to the organization. The SLA is one of the most effective
tools the enterprise can use to ensure adequate protection of
information entrusted to the cloud. The SLA will be the tool
where customers can specify if joint control frameworks will
be utilized and describe the expectation of an external, third-
party audit. Clear expectations regarding the handling, usage,
storage and availability of information must be articulated in
the SLA. Additionally, requirements for business continuity
and disaster recovery (discussed previously) will need to be
communicated in the agreement.
V. GOVERNANCE AND CHANGE ISSUES WITH CLOUD COMPUTING
Typical governance activities such as goal setting, policy
and standard development, defining roles and responsibilities,
and managing risks must include special considerations when
dealing with cloud technology and its providers. The cloud
presents many unique situations for businesses to address.
One large governance issue is that business unit personnel,
who previously were forced to go through IT, can now bypass
IT and receive services directly from the cloud. It is, therefore,
paramount that information security policies address uses for
cloud services.
VI. PROBLEM PRESENTATION
As more applications turn to SSL to help keep users secure,
they may also be inadvertently hampering the ability of
enterprises to ensure malicious code and exploits are not
slithering through network traffic from the endpoint. Social
networking, Web mail and Instant Messaging
are still growing strong. Compared to a year ago, Instant
Messaging traffic has doubled, while Web mail and social
networking have grown about 5 fold. Users are also using a
mix of ways to share files, Palo Alto's numbers show. File
Transfer Protocol, Peer-to-Peer networking, and browser
based file sharing are used with 92 percent, 82 percent, and 91
percent frequency, respectively. With the rise of applications
using encryption, some measures need to be taken to protect the
infrastructure. Technologies that detect botnet activity can
correlate attempts to connect with network nodes identified as
compromised, malicious, or recognized points of command-
and-control, regardless of whether the attempt seeks to encrypt
traffic, says Crawford. Another method is to turn to proxies as
a type of traffic cop to inspect traffic to some degree. These
can be complemented with policies that restrict or block
encrypted traffic that doesn't pass through 'official' channels.
However, some of these strategies may be limited in their
usefulness if legitimate traffic cannot be directed through
these accepted channels or unauthorized traffic cannot be
sufficiently restrained.
VII. SUGGESTED SOLUTION FOR SECURITY ISSUES IN CLOUD
One important way to increase data protection,
confidentiality and integrity is to ensure that the data is
protected in transit and at rest within the cloud using file-level
encryption. As the CSA Security Guidance points out,
encryption offers the benefits of minimum reliance on the
cloud service provider and lack of dependence on detection of
operational failure. Data-centric protection through
encryption renders the data unusable to anyone that does not
have the key to decrypt it. No matter whether the data is in
motion or at rest, it remains protected. The owner of the
decryption keys maintains the security of that data and can
decide who and what to allow access to the data. Encryption
procedures can be integrated into the existing workflow for
cloud services. For example, an admin could encrypt all
backup data before sending into the storage cloud. An
executive can protect corporate IP before putting it into the
private cloud. And a sales representative could encrypt a
private customer contract before sending it to a collaborative
worksite, like SharePoint, in the public cloud.
Different operating systems on different computing
platforms and want to share that data securely inside or
outside of the private or public cloud. One of the best security
solutions for cloud and virtualized environments is data-
centric, file-level encryption that is portable across all
computing platforms and operating systems, and works within
a private, public or hybrid cloud.
VIII. PUBLICATION PRINCIPLES
A. Required compliance framework
Do not give every customer permission to access data
centers. Instead, use an agreed-upon compliance framework that
allows customers to order off a menu of tests and get the
results.
B. Standardized framework required
Amazon has a view; Yahoo has a view; Google has a
view, McNerney says. But all our approaches are still
different. The next wave is that all of us will have to come
together with a framework that we will have to use to make it
super-productive on the Web.
For example, the companies need to agree on a way of
handling universal IDs. The problems with federated identity
on the Internet have not been solved in the standards,
Customers are going to expect that this (cloud services) is
an interoperable environment for them.
IX. CONCLUSION
Public cloud providers manage both the cloud infrastructure
and the personal data that run it. One way to ensure that data
in the cloud is protected is to choose a security solution that
encrypts the data at the file-level before it leaves a trusted
zone. IT administrators and end-users can take back some
control over their data protection needs by using a security
solution that is data-centric because it protects that data, is
portable across all computing platforms and operating
systems, and works within any computing environment. Used
properly, data centric encryption security prevents
unauthorized access and tampering regardless of where the
data travels, and means organizations can enjoy the business
benefits of cloud computing without putting sensitive data at
risk.
REFERENCES
[1] February 8, 2011, IDC Forecasts U.S. Public IT Cloud Services
Revenue to Grow 21.6%,
http://www.idc.com/about/viewpressrelease.jsp.
[2] Cloud Security Alliance, December 2009, Security Guidance for
Critical Areas of Focus in Cloud Computing V2.1,
http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf.
[3] Security Group SRMS Blog, January 08, 2008,
Five Immutable Laws of Virtualization Security,
http://srmsblog.burtongroup.com/2008/01/five-immutable.html
[4] Amazon Web Services™ Customer Agreement, Updated September
25, 2008, Section 7.2,
http://aws-portal.amazon.com/gp/aws/developer/terms-and-conditions.html
[5] http://www.idc.com/about/viewpressrelease.jsp?containerId=prUS22605110&sectionId=null&elementId=null&pageType=SYNOPSIS
[6] IDC Press Release, December 6, 2010, Worldwide Market for
Enterprise Server Virtualization to Reach $19.3 Billion by 2014,
http://www.idc.com/about/viewpressrelease.jsp?containerId=prUS22692511&sectionId=null&elementId=null&pageType=SYNOPSIS
[7] IDC Press Release, February 8, 2011, IDC Forecasts U.S. Public IT
Cloud Services
[8] Cloud Security and Privacy, an Enterprise Perspective on Risks and
Compliance. Tim Mather, Subra Kumaraswamy, Shahed Latif





