International Journal of Engineering, Management & Sciences (IJEMS)
ISSN-2348 3733, Volume-1, Issue-7, July 2014
9 www.alliedjournals.com
Abstract: Cloud computing services are developing at a much faster rate, as all big organizations are outsourcing their computational services or selling their idle computing resources. From a financial perspective, migrating to the cloud remains a crucial factor, as there are several aspects that administrators must take into account before migrating to the cloud. One of the most important aspects of the cloud is security, as cloud security issues are mainly inherited from the solutions and techniques adopted to create cloud services, including what the services are running and which kind of service or data the cloud user will place on the cloud. There are a number of security issues associated with cloud computing that have not been much addressed until now. These security issues can be faced by cloud providers or by their customers. The cloud provider should make sure that the services it offers to its customers are secure and that its customers' data is safe, while the customer should check that the cloud provider is using security measures to keep that data safe. Web services are an essential feature of cloud computing. Because web services help in providing services easily to end users and in managing cloud services, all cloud providers nowadays support a large number of web services. The problem is that, in the hurry to implement web services on cloud platforms, some developers have made mistakes in their web service modules that attackers have found and exploited in the past [5].
I. INTRODUCTION

Cloud computing security (sometimes referred to simply as "cloud security") is an evolving sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. Cloud computing is regarded as the important growth point of IT after the Internet. According to IDC forecasts, the cloud computing market will reach $42 billion in 2012. In addition, because the development concepts of cloud computing accord with the low-carbon economy and green computing, it is likely to be the soul of the future network, so countries now pay great attention to it [5]. On the other hand, there are many key problems in cloud computing. As the report made by IDC in 2009 shows, service security, stability and performance are the first three market challenges. Based on the investigation released by Forrester Research in November 2009, about 51% of SEMs regarded security and privacy as the most important reasons for abandoning cloud services [7]. In 2009, Google, Microsoft, Amazon and other cloud computing service companies suffered major failures, resulting in thousands of customer information services being affected and further exacerbating the industry's cloud computing security concerns. The security issue is an important factor in the healthy development of cloud computing.

Manuscript received July 23, 2014.
Priyanka Singh, Department of Information Technology, Rajasthan Technical University, Jaipur, India.
Dr. Vijay Singh Rathore, Department of Computer Science, Rajasthan Institute of Engg & Tech, Jaipur, India.
Challenges in Cloud Computing Security
Priyanka Singh, Dr. Vijay Singh Rathore

II. CHALLENGES IN CLOUD COMPUTING SECURITY

Security issues occur mainly due to three elements: a flaw in software development, an attacker getting to know about the flaw, and finally the attacker using that flaw to exploit the target service or system [3]. To exploit a flaw, an attacker must have some technique or tool to connect to the target service, so that the attacker can access the service and exploit the flaw. When it comes to security issues in web services, the issue is a vulnerability in any web service running on a service that can be used to gain access to the server, or that may give access to some information carried over that web service [10]. To find a vulnerability in a web service, we can use a web application security scanner, which allows automated vulnerability detection for our web application. Generally, web application vulnerability scanners can look for a huge variety of vulnerabilities, such as:
- Server configuration errors
- Input and output validation
- Specific problems related to that particular web service

So, depending on how the security issues in web services can provide access to information or server data, we can categorise security issues in web services as follows.

A. Bypassing Authentication

Authentication is the method by which users verify their identity to the server to get access to the services. Authentication can be done using a set of credentials that verify the user's identity [12]. For example, an identity can be a username, a fingerprint, etc., while a credential can be a password, a fingerprint scan, etc. An attacker may bypass authentication in web services by gaining users' credentials in several ways, such as:
- Dictionary attacks: The attacker can perform a dictionary attack on the server to find the credentials of users.
- Network eavesdropping: In this method, the attacker tries to steal the user's identity and credentials by reading network traffic on the user's network.
- Brute force attacks: A brute force attack may also be performed on the server to find the credentials of a user when a dictionary attack fails, but it takes much more time than a dictionary attack.
- Credential theft: The attacker can steal the credentials of users by stealing data from the server, phishing users and social engineering of users.
- Cookie replay attacks: This attack happens when the attacker somehow gains access to the cookie of a user and uses that cookie to gain access to the user's account.

To stop these attacks, users may use the following countermeasures:
- Always use a strong password.
- Do not share credentials with anybody.
- Whenever possible, use HTTPS only.
- Web service providers should use generators of random session IDs.

B. Session Replay Attacks

In a session replay attack, the attacker somehow gains access to the session cookie of a user and then uses that cookie to gain access to the user's account. The attacker captures the session cookie from messages sent over the network and analyses these packets to find the cookie of the user [13]. This attack is possible when messages are not encrypted, or are so poorly encrypted that they can be easily decoded. To avoid session replay attacks, users may use the following countermeasures:
- If possible, use only encrypted connections in web services.
- Do not use persistent cookies when accessing web services over public systems.

C. Session Hijacking

Sessions are used by the application to maintain stateful communication with the user over a period of time while that web service is in use. To maintain a session, applications generally make use of a session cookie or session ID. Because a session allows a user to make as many service requests as needed, without being asked again for credentials, until the session expires, an attacker who somehow gains access to the session ID or session cookie can also gain access to the user's session on the original user's behalf [6]. Session hijacking may be possible if the attacker is able to perform attacks such as:
- Session replay: If the attacker can access messages from the user's network when the channel over the network is unencrypted, and can find the session key in a message, then the attacker can use that session key for session hijacking.
- User leaves the account without signing out successfully: If, due to some error or by mistake, the user was not able to log out of the account and the attacker then uses that system, the attacker may use the user's session, and the server will never know whether it is the attacker or the real user.
- If an application places session identifiers in query strings, then the attacker may find the session identifier by looking at the sent URL.

To prevent session hijacking, users may follow these countermeasures:
- Do not use persistent session cookies unless required.
- Always log out before leaving the system.
- Use HTTPS whenever possible.
- Server administrators should use a minimal expiry time for session keys, which may minimize prolonged use of session keys.
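The server-side countermeasures from sections A to C (random session IDs, short expiry, logout, HTTPS-only non-persistent cookies, no session ID in the URL) can be combined as in the following added example, which is not code from the paper. The class and function names, the cookie name `sid` and the timeout values are assumptions chosen for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

IDLE_TIMEOUT = 15 * 60        # assumed policy: expire after 15 idle minutes
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: hard cap on session lifetime


class SessionStore:
    """Server-side session table keyed by an unguessable random ID."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self, username):
        # 32 bytes from the OS CSPRNG, so IDs cannot be guessed or enumerated
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": username, "created": now, "seen": now}
        return sid

    def validate(self, sid):
        """Return the username for a live session, or None."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        idle = now - rec["seen"] > IDLE_TIMEOUT
        too_old = now - rec["created"] > ABSOLUTE_TIMEOUT
        if idle or too_old:
            del self._sessions[sid]   # short expiry limits prolonged reuse
            return None
        rec["seen"] = now
        return rec["user"]

    def logout(self, sid):
        # Invalidate on the server, so a copied cookie is useless afterwards
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie value: sent over HTTPS only, hidden from page scripts."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["path"] = "/"
    # No Expires/Max-Age: the cookie is non-persistent and dies with the browser
    return cookie["sid"].OutputString()


def sid_from_request(cookie_header, url):
    """Accept the session ID from the Cookie header only, never from the URL."""
    if "sid" in parse_qs(urlsplit(url).query):
        return None   # URLs end up in logs, history and Referer headers
    cookie = SimpleCookie(cookie_header)
    return cookie["sid"].value if "sid" in cookie else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")          # constructed sample user
    print(session_cookie_header(sid))
    print(store.validate(sid))
    store.logout(sid)
    print(store.validate(sid))
```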
D. Man-in-the-middle Attack

In a man-in-the-middle attack, an attacker tries to steal messages from the communication channel between the client and the service. If the attacker gains access to the communication channel, he may read messages directly and can modify them if the channel is unencrypted [7]. If the channel is encrypted, the attacker can only read and modify messages if he can decrypt the messages sent over the channel. To decrypt messages sent over an encrypted channel, the attacker needs to know the encryption key, which is possible if the attacker starts monitoring the channel before the server and client start communicating. In that scenario, when the user wants to connect to the server, the user asks the server for its public key. If the attacker can stop this message, the attacker asks the server for the public key on the user's behalf, but keeps the original public key sent by the server and generates two pairs of public and private keys of his own, sending one public key to the client on behalf of the server and the other public key to the server on behalf of the client. From then on, whenever the server sends a message, the attacker captures the message, decodes it using his own private key and, after looking into the message, forwards it to the client after encrypting it with the client's public key. The same thing happens when the user sends a message to the server. The server and client now think that they are using an encrypted channel, but in reality their session is under watch even though the connection is encrypted. To prevent man-in-the-middle attacks we need to secure the communication channel between client and server, but this is not completely possible, as different network segments are generally controlled by different agencies, and they rarely use all the security measures and protocols needed to stop access to the communication channel.

E. Cross-site Request Forgery Attack

In a cross-site request forgery (CSRF) attack, an attacker tricks a user into visiting a site where the user actually has an account and is currently logged in to that account. This attack is also known as a one-click attack, because the user is tricked into clicking on a link that carries a malicious exploit, which performs an action on behalf of the user on the logged-in website. While cross-site scripting (XSS) takes advantage of the user's trust in a website to perform the attack, cross-site request forgery (CSRF) takes advantage of a website's trust in the web browser.

III. GENERAL REQUIREMENTS ON CLOUD SECURITY

Security is in general related to the important aspects of confidentiality, integrity, availability and privacy.

A. Confidentiality

Confidentiality refers to only authorized users or systems having the permission and ability to access protected data. Confidentiality is to ensure that user data which resides in the cloud cannot be accessed by an unauthorized party. In cloud computing, confidentiality plays a major part, especially in maintaining control over an organization's data situated across multiple distributed databases [2].
Asserting the confidentiality of users' profiles and protecting their data, which is virtually accessed, allows information security protocols to be enforced at various different layers of cloud applications. Confidentiality can be achieved through proper encryption techniques, taking the type of encryption into consideration: symmetric or asymmetric encryption algorithms, as well as key length and key management in the case of a symmetric cipher [11]. In practice, it all depends on the cloud provider. It also depends on customers being aware that they can encrypt their information prior to uploading it. The cloud provider should also ensure proper deployment of encryption standards, using the NIST standards in [5]. Data confidentiality in the cloud is correlated with user authentication. Protecting a user's account from theft is an instance of the larger problem of controlling access to objects, including memory, devices, software, etc. Authentication is the process of establishing confidence in user identities as they are presented to an information system. Lack of strong authentication can lead to unauthorized access to a user's account on a cloud, leading to a breach in privacy.
Fig. 1 Cloud Computing Security: A Biggest Concern

B. Integrity

Integrity means that assets can be modified only by authorized parties or in authorized ways. Integrity may be associated with data, software and hardware. Data integrity refers to protecting data from unauthorized deletion, modification or fabrication. Managing an entity's admittance and rights to specific enterprise resources ensures that valuable data and services are not abused or misappropriated [1]. Moreover, integrity-preserving mechanisms offer greater visibility into determining who or what may have altered data or system information, potentially affecting their integrity (accountability). Cloud users should worry not only about the confidentiality of data stored in the cloud but also about its integrity. Data can be encrypted to provide confidentiality; there is, however, no guarantee that the data has not been altered while it resides in the cloud. A cloud computing provider is trusted to maintain data integrity and accuracy [15].

C. Availability

Availability is one of the most critical information security requirements in cloud computing. Availability refers to the property of a system being accessible and usable upon demand by an authorized entity. In simple terms, availability means that an organization has its full set of computing resources accessible and usable at all times. Availability can be affected temporarily or permanently, and a loss can be partial or complete. Denial of service attacks, equipment outages, and natural disasters are all threats to availability [14]. The goal of availability for cloud systems (including applications and infrastructures) is to ensure that users can use them at any time, at any place. This is one of the prime concerns of mission-critical and safety-critical organizations.

D. Privacy

Privacy is the desire of a person to control the disclosure of personal information. Privacy is an important issue for cloud computing, both in terms of legal compliance and user trust [9]. Privacy is a core issue in all the challenges, including the need to protect identity information, policy components during integration, and transaction histories. By migrating workloads to a shared multi-tenant infrastructure, customers' private information faces an increased risk of potential unauthorized access and exposure [4]. Cloud providers must assure their customers and provide a high degree of transparency into their operations and privacy assurance. Privacy protection mechanisms must be embedded in all security solutions.
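Section III.B notes that encryption alone does not show whether data was altered while it resided in the cloud. The following added example, which is not from the paper, shows one way a customer can detect that: an HMAC-SHA256 tag computed before upload with a key the provider never sees. The names `make_tag` and `ObjectSealer`, the sample file name and the versioning scheme are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def make_tag(key, name, version, data):
    """HMAC-SHA256 over object name, version and content.

    Each field is length-prefixed so that ("ab", "c") and ("a", "bc")
    can never produce the same input to the MAC.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in (name.encode(), str(version).encode(), data):
        mac.update(len(field).to_bytes(8, "big"))
        mac.update(field)
    return mac.hexdigest()


class ObjectSealer:
    """Customer-side helper; the key and version table stay off the cloud."""

    def __init__(self, key):
        self._key = key
        self._latest = {}   # object name -> latest uploaded version

    def seal(self, name, data):
        """Return (version, tag); the tag is stored next to the object."""
        version = self._latest.get(name, 0) + 1
        self._latest[name] = version
        return version, make_tag(self._key, name, version, data)

    def check(self, name, data, tag):
        """True only if data is the latest version uploaded under this name."""
        version = self._latest.get(name)
        if version is None:
            return False
        expected = make_tag(self._key, name, version, data)
        # Constant-time comparison avoids leaking how many characters matched
        return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    sealer = ObjectSealer(secrets.token_bytes(32))
    original = b"id,balance\n1,100\n"           # constructed sample object
    _, tag = sealer.seal("accounts.csv", original)
    print(sealer.check("accounts.csv", original, tag))                # True
    print(sealer.check("accounts.csv", b"id,balance\n1,900\n", tag))  # False
```

Binding the name and version into the tag means that a stored object swapped for another validly tagged object, or rolled back to an older version, fails the check as well.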
IV. CONCLUSION

This paper emphasizes the concept of cloud computing security. Cloud computing is regarded as the important growth point of IT after the Internet. Security is the biggest concern for cloud computing. Security is in general related to the important aspects of confidentiality, integrity, availability and privacy. Various security risks were pointed out. A cloud computing scenario can be modelled using three different classes of participants: service users, service instances and the cloud. The classification of security attack surface areas was described in brief. Web services in cloud computing are challenged by several security issues. The attacks described earlier illustrate how easily an insufficiently secured web service server can be affected by a single or a few web vulnerabilities. While some of the vulnerabilities are caused by implementation weaknesses, most of them exploit fundamental protocols by abusing the given WS-related standards. Thus, in order to cope with these threats, web service developers and adopters must be aware of the vulnerabilities and their potential impact. Web servers can also be affected by some web vulnerabilities. Thus, to cope with these security issues, web service developers have to be aware of them. As nearly all services in the cloud run over the web, these security issues may appear in the cloud as well. So, web services in the cloud must also be secured.

REFERENCES

[1] Ajey Singh, Dr. Maneesh Shrivastava, Overview of Attacks on Cloud Computing, IJEIT, Volume 1, Issue 4, April 2012.
[2] Dikaiakos et al., Cloud Computing: Distributed Internet Computing for IT and Scientific Research, IEEE, Volume 13, Issue 5, Sept.-Oct. 2009, pp. 10-13.
[3] Wang Laifu, Shen Jun, Jin Huamin, Research on Cloud Computing Security, Telecommunications Science, 2010, 26(6), 67-70.
[4] Huaglory Tianfield, Security Issues in Cloud Computing, 2012 IEEE International Conference on Systems, Man, and Cybernetics, October 14-17, 2012, COEX, Seoul, Korea.
[5] Rosenblum M., Garfinkel T., Virtual Machine Monitor: Current Technology and Future Trends, IEEE Computer Society, 2005.
[6] L. M. Kaufman, Data security in the world of cloud computing, IEEE Security & Privacy, vol. 7, no. 4, 2009, pp. 61-64.
[7] Ajay Jangra, Renu Bala, A Survey On Various Possible Vulnerabilities And Attacks In Cloud Computing Environment, ISSN 2229-6166, Volume 3, Issue 1, January 2012.
[8] W. Jansen and T. Grance, Guidelines on Security and Privacy in Public Cloud Computing, National Institute of Standards and Technology (NIST), January 2011, http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf.
[9] European Network and Information Security Agency, Cloud Computing Benefits, risks and recommendations for information security, November 2009, http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment.
[10] Gartner, From Secure Virtualization to Secure Private Clouds, October 2010, http://www.vmware.com/files/pdf/analysts/Gartner-From-Secure-Virtualization-to-Secure-Private-Clouds.pdf.
[11] Jericho Forum, Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration, April 2009, http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf.
[12] K. Scarfone, M. Souppaya and P. Hoffman, Guide to Security for Full Virtualization Technologies, National Institute of Standards and Technology (NIST), January 2011, http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf.
[13] Jyotiprakash Sahoo, Subasish Mohapatra, Radha Lath, Virtualization: A Survey On Concepts, Taxonomy And Associated Security Issues, 2010 IEEE.
[14] Anas BOUAYAD, Asmae BLILAT, Nour el houda MEJHED, Mohammed EL GHAZI, Cloud computing: security challenges, 2012 IEEE.
[15] Gurudatt Kulkarni, Nikita Chavan, Ruchira Chandorkar, Rajnikant Palwe, Cloud Security Challenges, 2012 7th International Conference on Telecommunication Systems, Services, and Applications (TSSA).
[16] Akhil Behl, Emerging Security Challenges in Cloud Computing, 2011 IEEE.