Kevin 1

Kevin Hall
Professor Refaei
ENGL 2089
07/1/2015

Security in Cloud Computing Literature Review

Security in the Cloud – Introduction

As dependence on technology continues to grow, we see an increase in the storage and power required to run a website and/or store data. The only logical solution to this growing problem is to begin the transition to cloud computing. Cloud computing is divided into three services: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) (Xiong 2014). These are necessary when someone doesn't have the computing power to do the desired task locally, so they seek outside resources that have an abundance of cloud storage. Not only can they work directly on the cloud, which eliminates the need for anything more than an internet connection, but they can also store data, which is available anywhere the cloud is accessible. These two factors play a major role in why we must make the transition into the cloud. However, as more companies make this move, it gives hackers more of an incentive to try to break through the cloud. As the cloud evolves, so do the hackers' techniques. This makes it pretty difficult to keep these vital pieces of technology secure. During this literature review we will be looking at different methodologies to help secure the cloud. But it is imperative that IT security specialists increase their efforts to secure what holds everyone's information.

Encryption, Encryption, Encryption

While there is no right answer to this looming problem, there are a lot of theories about what we could do to at least improve on the current system in use. Tari and Xun (2015) look towards "Homomorphic Encryption" as a possible solution. This type of encryption allows an operation to be carried out on encrypted data, thus creating encrypted results. When those results are decrypted, they should read as they were entered (Zahir 2015).
This is done by a special algorithm, and the algorithms vary based on the cloud service being used. One of the formulas that Zahir (2015) chose to use is:

$E_k(a) \oplus_c E_k(b) = E_k(a \oplus_p b)$ (Zahir 2015)

This will turn "Name: John" into "Name: $E_k(\mathrm{John})$" on the surface. Note that this is one of hundreds of algorithms that are in use. When it's being transmitted, it will likely be a long string of characters (A-z | 0-9) that is only readable to someone who has the algorithm. The limitation of Homomorphic Encryption is that it is restricted to only a single operation, whether that be addition or multiplication. This makes it possible to hack into, and if the algorithm is cracked, all of the data within that cloud service could be under threat.

Two Factor Authentications

The previous ideology is similar to what Nagar and Suman (2014) published in their "Two Factor Authentication using M-pin Server for Secure Cloud Computing Environments" article, claiming that the M-pin 2FA (Two Factor Authentication) required some encryption. The Two Factor Authentication is the basic username and password system that the user sees at any website login (Watson 2014). They incorporate the M-pin to add a level of security to that information. The M-pin is an identity-based cryptosystem that uses elliptic curves to repair the flaws of the original two factor authentication platform, PKI. An example that Nagar (2014) uses:

At a bank we're given a numerical pad to enter our 4 digit pass code into. Once the code is entered, the M-pin is initialized and a secret key and token are created based off that entry. That key is then placed in the HTML storage area and the token is sent to an Authentication Server (AS) to be validated. Once validated, the user will gain access to the account associated with the information they entered (Nagar 2014).

The drawback of the 2FA is its simplicity.
It only takes someone looking over your shoulder while you're entering the code to steal that information.

Encryption in the IaaS

I mentioned before that there are three different services provided by the cloud: IaaS, PaaS, and SaaS. Gonzales (2015) wrote an insightful paper on how to protect solely the IaaS service. The IaaS is the only tangible service of the three; it's where the hardware, servers, and other parts of the infrastructure are physically stored. Gonzales's idea was to create Cloud Trusts both virtually and physically. These Trusts put each part of the system in a different enclave. This allowed them to specialize the way they secured an enclave based on its necessities. It also meant that if one enclave were to be infiltrated, the intruders couldn't reach other enclaves, preventing a total breach. Similar to Nagar and Zahir, Gonzales (2015) uses the two-factor, time-limited token code for their CSP (Cloud Service Provider), which shows that regardless of how someone wants to secure a system, they will need some sort of authenticating process, whether that is through a 3rd party authenticating service or an in-house authenticating service. The Trusts have the same issues that other forms of encryption have, but breaking these systems down into multiple entities makes it more time consuming for the hacker.

Smart-Frame

The article by Baek (2015) introduced a solution that wasn't found in any of the other articles, and that's the Smart-Frame. The Smart-Frame is a versatile information management framework based on cloud computing technology. Their idea was to create three hierarchical levels (Top, Regional, and End-User) where the first two levels consist entirely of cloud computing and the last one uses a smart device (Baek 2015). In addition to those, the security solution they came up with was identity-based encryption, signature, and identity-based proxy re-encryption. The re-encryption gives proxies permission to alter the ciphertext so that it can be decrypted.
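How a proxy can alter a ciphertext so that a second party can decrypt it, without the proxy ever seeing the plaintext, shown as an added example that is not taken from Baek's article. The article's scheme is identity-based; this sketch swaps in the simpler ElGamal-based construction of Blaze, Bleumer and Strauss (1998), and the group parameters, secrets and function names are constructed assumptions.

```python
# Toy proxy re-encryption in the style of Blaze, Bleumer and Strauss (1998),
# built on ElGamal. Constructed demo group; far too small for real use.
import secrets

P = 2039   # safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup generated by G
G = 4

def keygen(sk=None):
    """Return (secret exponent, public key g^sk)."""
    sk = sk or secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, m):
    """Ciphertext (m * g^r, pk^r); m is an integer in 1..P-1."""
    r = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, r, P)) % P, pow(pk, r, P)

def decrypt(sk, ct):
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, Q), P)     # strip the key: (g^(sk*r))^(1/sk)
    return (c1 * pow(g_r, -1, P)) % P

def rekey(sk_from, sk_to):
    """Re-encryption key b/a mod Q. It is not either secret key on its own."""
    return (sk_to * pow(sk_from, -1, Q)) % Q

def reencrypt(rk, ct):
    """Proxy step: g^(a*r) becomes g^(b*r). The plaintext is never exposed."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)

def demo():
    a, pk_a = keygen(123)                # data owner (constructed secret)
    b, _ = keygen(456)                   # delegate (constructed secret)
    m = 1337                             # constructed message
    ct_a = encrypt(pk_a, m)
    ct_b = reencrypt(rekey(a, b), ct_a)  # performed by the cloud proxy
    # Owner reads the original, delegate reads the re-encrypted copy,
    # and the delegate's key fails on the untransformed ciphertext.
    return decrypt(a, ct_a), decrypt(b, ct_b), decrypt(b, ct_a)

if __name__ == "__main__":
    print(demo())
```

In this construction the re-encryption key works in both directions, and a proxy colluding with the delegate can recover the owner's secret, so the proxy must be trusted not to share the key.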
This is the only instance of re-encryption I've found in an article during this research and based off what I've read in the article, it looks to be a safe but timely option. One example Baek (2015) articulated in the reading was the ENEL Telegestore project in Italy, considered the first commercial project to use the smart grid technology. It was a huge success, and several other smart grid projects followed after their success (Baek 2015). While this article had a different framework and algorithm, it still used the basic principle of encryption to secure their cloud services.

Conclusion

The answer to the cloud security issue is not black and white, and there will always be some grey area. Obviously, we need to continue to innovate the cloud and bolster it up to its capabilities, because we have barely scratched the surface of what can be done. The only way we can fix this major problem is to stay one step ahead of the hackers, and I think that can be achieved by implementing any of these brilliant ideas, but the Smart-Frame method seems to be proven the most effective of those mentioned.

Works Cited (APA)

Tari, Z., & Yi, X. (2015). Security and Privacy in Cloud Computing. IEEE Cloud Computing, 30-38.
Nagar, N., & Suman, U. (2014). Two Factor Authentication Using M-pin Server for Secure Cloud Computing Environment. International Journal of Cloud Applications and Computing, 42-54.
Gonzales, D. (2015). Cloud-Trust a Security Assessment Model for Infrastructure as a Service (IaaS) Clouds. IEEE Cloud Computing.
Baek, J. (2015). A Secure Cloud Computing Based Framework for Big Data Information Management of Smart Grid. IEEE Transactions on Cloud Computing, 3(2), 233-243.
Watson, P. (2014). Multilevel Security for Deploying Distributed Applications on Clouds, Devices and Things. 381-385.
Xiong, J. (2014). A Secure Data Self-Destructing Scheme in Cloud Computing. IEEE Transactions on Cloud Computing, 448-458.