Cloud computing is a next-generation technology in which all resources will be available as a service through the Internet. Cloud computing delivers software and services over networked connections, relying on a steady flow of throughput to and from the virtualized data center. This paper lists the security issues and challenges in the cloud environment and the security standards and management tools that are in place, and recommends the best solutions.
Abstract: Cloud computing is defined as a model for enabling convenient, on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned. Cloud computing is a next-generation technology in which all resources will be available as a service through the Internet. This is one of the fastest growing areas in the IT industry; it offers benefits such as dynamic resource provisioning, automated administration of IT infrastructures, and sharing of unlimited CPU, bandwidth or storage space. In this paper we list the security issues and challenges in the cloud environment and the security standards and management tools that are in place, and recommend the best solutions that we can rely on.
Keywords: Cloud, Data centric protection, Security

Lovely Sasidharan, Asst Professor, AMCEC Bangalore (E-mail: lovely_sasidharan@yahoo.co.in). Neeth P.R, Lecturer, AMCEC Bangalore (E-mail: neethpr@gmail.com). Dr. Leela Reddy is working as Professor, PESIT, India.

I. INTRODUCTION

Cloud computing delivers software and services over networked connections, relying on a steady flow of throughput to and from the virtualized data center in order to maintain high service levels. Thanks to scalable virtualization technology, cloud computing gives users access to a set of pooled computing resources that share the following attributes:

- Multi-tenancy
- Highly scalable and elastic
- Self-provisioned
- Pay-per-use price model

In contrast to the significant capital expenditures it takes to purchase and provision the launch of a traditional in-house operational site, as well as the months of lead time that effort involves, cloud computing lets administrators spin up virtual servers. They can provision necessary storage and launch an operational site within minutes or hours and for a fraction of historical costs.

The virtualization that underlies cloud computing is very dynamic and allows a very high rate of change, says Budko, as customers move data and applications among physical devices. What is missing is the ability to manage it smoothly, avoiding a sprawl of unused or underused virtual machines that soak up electricity, cooling and management time and possibly create security risks, just as unmanaged physical servers do.

Corporations and business individuals are concerned about how security and compliance integrity can be maintained in this new environment. According to an IDC survey conducted by IT executives and business colleagues, the top issue in cloud computing is security. Moving critical applications and sensitive data to the public cloud is the major concern, because data is moving under the control of a third party (the Cloud Service Provider).
TABLE I
RATE THE CHALLENGES OR ISSUES OF CLOUD AS PER IDC SURVEY

Challenge or issue                              Rate
Security                                        87%
Availability                                    83%
Performance                                     82%
On-demand payment model costs more              81%
Lack of interoperability standards              80%
Bringing back in-house may be difficult         79%
Hard to integrate with in-house IT              76%
Not enough ability to customize                 76%

II. SECURITY CONCERNS IN CLOUD COMPUTING

Open systems and shared resources raise many security challenges, making security one of the major barriers to adopting cloud computing technologies [2].
[Fig. 1: Security in 3 levels. Cloud infrastructure security: network level, host level, application level.]

Security Issues and Solutions in Cloud Computing. Lovely Sasidharan, Neeth P.R., Dr. Leela Reddy. International Conference on Computational Techniques and Artificial Intelligence (ICCTAI'2011).

A. Infrastructure Security: Network Level

At the network level, a private cloud brings no new attacks. Changes in the organization's IT architecture will not change the current network topology significantly. Security requirements in a private cloud will not require changes to the existing network topology. In a public cloud, security requirements will require changes to the existing topology. How the existing network topology will interact with the cloud provider's network topology should be addressed. There are four significant risk factors here:

- Ensuring the confidentiality and integrity of the organization's data in transit to and from the public cloud provider
- Ensuring proper access control (authentication, authorization and auditing) to whatever resources are being used at the public cloud provider
- Ensuring the availability of the Internet-facing resources in a public cloud that are being used by the organization
- Replacing the established model of network zones and tiers with domains

B. Infrastructure Security: Host Level

For host security, we should consider the context of cloud service delivery models (SaaS, PaaS, IaaS) and deployment models (public, private and hybrid). The dynamic nature of the cloud can bring new operational challenges. The operational model motivates rapid provisioning and fleeting instances of VMs. Managing vulnerabilities and patches is therefore much harder, as the rate of change is much higher than in a traditional data center.
Some of the new host security threats include:

- Stealing keys used to access and manage hosts (e.g., SSH private keys)
- Attacking unpatched, vulnerable services listening on standard ports (FTP, SSH, NetBIOS)
- Hijacking accounts that are not properly secured (i.e., weak or no passwords for standard accounts)
- Attacking systems that are not properly secured by host firewalls
- Deploying Trojans embedded in the software component in the VM or within the VM image (OS) itself

Securing a virtual server in the cloud requires strong operational security procedures. Here are some recommendations:

1. Use a secure-by-default configuration. Harden your image and use a standard hardened image for instantiating VMs (the guest OS) in a public cloud.
2. Protect the integrity of the hardened image from unauthorized access.
3. Safeguard the private keys required to access hosts in the private cloud.
4. Isolate the decryption keys from the cloud where the data is hosted.
5. Include no authentication credentials in virtualized images except for a key to decrypt the file system key.
6. Do not allow password-based authentication for shell access.
7. Require passwords for role-based access.
8. Run only the required services and turn off the unused services (e.g., turn off FTP, print services, database services if they are not required).
9. Enable system auditing and event logging, and log the security events to a dedicated log server. Isolate the log server with higher security protection, including access controls.

III. TOP CLOUD COMPUTING THREATS

A. Transparency

Service providers must demonstrate the existence of effective and robust security controls, assuring customers that their information is properly secured against unauthorized access, change and destruction. Key questions to decide are:

- How much transparency is enough?
- What needs to be transparent?
- Will transparency aid malefactors?
Key areas where supplier transparency is important include:

- What employees (of the provider) have access to customer information?
- Is segregation of duties between provider employees maintained?
- How is different customers' information segregated?
- What controls are in place to prevent, detect and react to breaches?

B. Privacy

With privacy concerns growing across the globe, it will be imperative for cloud computing service providers to prove to existing and prospective customers that privacy controls are in place and to demonstrate their ability to prevent, detect and react to breaches in a timely manner. Information and reporting lines of communication need to be in place and agreed on before service provisioning commences. These communication channels should be tested periodically during operations.

C. Compliance

Most organizations today must comply with a litany of laws, regulations and standards. There are concerns with cloud computing that data may not be stored in one place and may not be easily retrievable. It is critical to ensure that if data are demanded by authorities, it can be provided without compromising other information. Audits completed by legal, standard and regulatory authorities themselves demonstrate that there can be plenty of overreach in such seizures. When using cloud services there is no guarantee that an enterprise can get its information when needed, and some providers are even reserving the right to withhold information from authorities.

D. Trans-border information flow

When information can be stored anywhere in the cloud, the physical location of the information can become an issue. Physical location dictates jurisdiction and legal obligation. Country laws governing personally identifiable information (PII) vary greatly. What is allowed in one country can be a violation in another.

Cloud computing represents a rare opportunity to rework security and IT controls for a better tomorrow.

E. Certification

Cloud computing service providers will need to provide their customers assurance that they are doing the right things. Independent assurance from third-party audits and/or service auditor reports should be a vital part of any assurance program in choosing a provider. Reputation, history and sustainability should all be factors to consider.

F. Failure

Failure to perform to agreed-upon service levels can impact not only confidentiality but also availability, severely affecting business operations. The dynamic nature of cloud computing may result in confusion as to where information actually resides. When information retrieval is required, this may create delays. Third-party access to sensitive information creates a risk of compromise to confidential information. Due to the dynamic nature of the cloud, information may not be immediately located in the event of a disaster. Business continuity and disaster recovery plans must be well documented and tested. The cloud provider must understand the role it plays in terms of backups, incident response and recovery. Recovery time objectives should be stated in the contract.

IV. STRATEGIES FOR ADDRESSING CLOUD COMPUTING RISKS

Unauthorized access to data in the cloud is a significant concern. An enterprise must take an inventory of its information assets and ensure that data are properly classified and labeled. This will help to determine what should be specified when drafting a service level agreement (SLA), any need for encryption of data being transmitted or stored, and additional controls for information that is sensitive or of high value to the organization. The SLA is one of the most effective tools the enterprise can use to ensure adequate protection of information entrusted to the cloud.
The SLA will be the tool where customers can specify if joint control frameworks will be utilized and describe the expectation of an external, third-party audit. Clear expectations regarding the handling, usage, storage and availability of information must be articulated in the SLA. Additionally, requirements for business continuity and disaster recovery (discussed previously) will need to be communicated in the agreement.

V. GOVERNANCE AND CHANGE ISSUES WITH CLOUD COMPUTING

Typical governance activities such as goal setting, policy and standard development, defining roles and responsibilities, and managing risks must include special considerations when dealing with cloud technology and its providers. The cloud presents many unique situations for businesses to address. One large governance issue is that business unit personnel, who previously were forced to go through IT, can now bypass IT and receive services directly from the cloud. It is, therefore, paramount that information security policies address uses for cloud services.

VI. PROBLEM PRESENTATION

As more applications turn to SSL to help keep users secure, they may also be inadvertently hampering the ability of enterprises to ensure malicious code and exploits are not slithering through network traffic from the endpoint. Social networking, Web mail and instant messaging are still growing strong. Compared to a year ago, instant messaging traffic has doubled, while Web mail and social networking have grown about 5 fold. Users are also using a mix of ways to share files, Palo Alto's numbers show. File Transfer Protocol, peer-to-peer networking, and browser-based file sharing are used with 92 percent, 82 percent, and 91 percent frequency, respectively.
With the rise of applications using encryption, some measures need to be taken to protect the infrastructure. Technologies that detect botnet activity can correlate attempts to connect with network nodes identified as compromised, malicious, or recognized points of command-and-control, regardless of whether the attempt seeks to encrypt traffic, says Crawford. Another method is to turn to proxies as a type of traffic cop to inspect traffic to some degree. These can be complemented with policies that restrict or block encrypted traffic that doesn't pass through 'official' channels. However, some of these strategies may be limited in their usefulness if legitimate traffic cannot be directed through these accepted channels or unauthorized traffic cannot be sufficiently restrained.

VII. SUGGESTED SOLUTION FOR SECURITY ISSUES IN CLOUD

One important way to increase data protection, confidentiality and integrity is to ensure that the data is protected in transit and at rest within the cloud using file-level encryption. As the CSA Security Guidance points out, encryption offers the benefits of minimum reliance on the cloud service provider and lack of dependence on detection of operational failure.

Data-centric protection through encryption renders the data unusable to anyone that does not have the key to decrypt it. No matter whether the data is in motion or at rest, it remains protected. The owner of the decryption keys maintains the security of that data and can decide who and what to allow access to the data.

Encryption procedures can be integrated into the existing workflow for cloud services. For example, an admin could encrypt all backup data before sending it into the storage cloud. An executive can protect corporate IP before putting it into the private cloud. And a sales representative could encrypt a private customer contract before sending it to a collaborative worksite, like SharePoint, in the public cloud.
Different operating systems on different computing platforms and want to share that data securely inside or outside of the private or public cloud. One of the best security solutions for cloud and virtualized environments is data-centric, file-level encryption that is portable across all computing platforms and operating systems, and works within a private, public or hybrid cloud.

VIII. PUBLICATION PRINCIPLES

A. Required compliance framework

Permission to access data centers should not be given to every customer. Instead, there should be an agreed-upon compliance framework that allows customers to order off a menu of tests and get the results.

B. Standardized framework required

Amazon has a view; Yahoo has a view; Google has a view, McNerney says. But all our approaches are still different. The next wave is that all of us will have to come together with a framework that we will have to use to make it super-productive on the Web. For example, the companies need to agree on a way of handling universal IDs. The problems with federated identity on the Internet have not been solved in the standards. Customers are going to expect that this (cloud services) is an interoperable environment for them.

IX. CONCLUSION

Public cloud providers manage both the cloud infrastructure and the personal data that run it. One way to ensure that data in the cloud is protected is to choose a security solution that encrypts the data at the file level before it leaves a trusted zone. IT administrators and end-users can take back some control over their data protection needs by using a security solution that is data-centric because it protects that data, is portable across all computing platforms and operating systems, and works within any computing environment.
Used properly, data-centric encryption security prevents unauthorized access and tampering regardless of where the data travels, and means organizations can enjoy the business benefits of cloud computing without putting sensitive data at risk.

REFERENCES

[1] February 8, 2011, IDC Forecasts U.S. Public IT Cloud Services Revenue to Grow 21.6%, http://www.idc.com/about/viewpressrelease.jsp.
[2] http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf.
[3] http://srmsblog.burtongroup.com/2008/01/five-immutable.html. Cloud Security Alliance, December 2009, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1.
[4] http://aws-portal.amazon.com/gp/aws/developer/terms-and-conditions.html
[5], [6] http://www.idc.com/about/viewpressrelease.jsp?containerId=prUS22605110&sectionId=null&elementId=null&pageType=SYNOPSIS
[7] Amazon Web Services™ Customer Agreement, Updated September 25, 2008, Section 7.2. Security Group SRMS Blog, January 08, 2008, Five Immutable Laws of Virtualization Security.
[8] http://www.idc.com/about/viewpressrelease.jsp?containerId=prUS22692511&sectionId=null&elementId=null&pageType=SYNOPSIS. IDC Press Release, December 6, 2010, Worldwide Market for Enterprise Server Virtualization to Reach $19.3 Billion by 2014.
[9] IDC Press Release, February 8, 2011, IDC Forecasts U.S. Public IT Cloud Services
[10] Cloud Security and Privacy, an Enterprise Perspective on Risks and Compliance. Tim Mather, Subra Kumaraswamy, Shahed Latif.