Kevin 1

Security in Cloud Computing Literature Review

By Kevin Hall

Security in the Cloud – Introduction

As our dependence on technology continues to grow, we see an increase in the storage and power required to run a website and/or store data. The only logical solution to this growing problem is to begin the transition to cloud computing. Cloud computing is divided into three services: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). These are necessary when someone doesn’t have the computing power to do the desired task locally, so they seek outside resources that have an abundance of cloud storage. Not only can they work directly on the cloud, which eliminates the need for anything more than an internet connection, but they can also store data, which is available anywhere the cloud is accessible. These two factors play a major role in why we must make the transition into the cloud. However, as more people make this move, it gives hackers more of an incentive to try to break through the cloud. As the cloud evolves, so do the hackers’ techniques. This makes it pretty difficult to keep these vital pieces of technology secure. During this literature review we will be looking at different methodologies to help secure the cloud. But it is imperative that IT security specialists increase their efforts to secure what holds everyone's information.

Encryption, Encryption, Encryption

While there is no right answer to this looming problem, there are a lot of theories about what we could do to at least improve on the current system in use. Zahir Tari looks towards “Homomorphic Encryption” as a possible solution. This type of encryption allows an operation to be carried out on encrypted data, thus creating encrypted results. When those results are decrypted, they should read as they were entered (Zahir). This is done by a special algorithm, and the algorithms vary based on the cloud service being used.
One of the formulas that Zahir chose to use is $E_k(a) \oplus_c E_k(b) = E_k(a \oplus_p b)$ (Zahir), which will turn “Name: John” into “Name: $E_k$(John)” on the surface. Note that this is one of hundreds of algorithms in use. When it’s being transmitted, it will likely be a long string of characters (A-z | 0-9) that is only readable to someone who has the algorithm. The limitation of homomorphic encryption is that it is restricted to only a single operation, whether that be addition or multiplication. This makes it possible to hack into, and if the algorithm is cracked, all of the data within that cloud service could be under threat.

Two Factor Authentication

The previous ideology is similar to what Nitin Nagar published in his “Two Factor Authentication using M-pin Server for Secure Cloud Computing Environments” article, claiming that the M-pin 2FA (Two Factor Authentication) required some encryption. The Two Factor Authentication is the basic username and password system that the user sees at any website login. They incorporate the M-pin to add a level of security to that information. The M-pin is an identity-based cryptosystem that uses elliptic curves to repair the flaws of the original two factor authentication platform, PKI. An example that Nagar uses: at a bank, we’re given a numerical pad to enter our 4-digit pass code into. Once the code is entered, the M-pin is initialized and a secret key and token are created based on that entry. That key is then placed in the HTML storage area, and the token is sent to an Authentication Server (AS) to be validated. Once validated, the user will gain access to the account associated with the information they entered (Nitin).

Encryption in the IaaS

I mentioned before that there are three different services provided by the cloud: IaaS, PaaS, and SaaS. Dan Gonzales wrote an insightful paper on how to solely protect the IaaS service.
IaaS is the only tangible one of the three; it’s where the hardware, servers, and other parts of the infrastructure are physically stored. Gonzales’s idea was to create cloud trusts, both virtual and physical. These trusts put each part of the system in a different enclave. This allowed them to specialize the way they secured an enclave based on its necessities. It also made it so that if one enclave were to be infiltrated, the intruders couldn’t reach other enclaves, preventing a total breach. Similar to Nagar and Zahir, Gonzales uses a two-factor, time-limited token code for their CSP (Cloud Service Provider), which shows that regardless of how someone wants to secure the cloud, they will need some sort of authenticating process, whether that be through a third-party authenticating service or an in-house authenticating service.

Smart-Frame

The article by Joonsang introduced a solution that wasn’t found in any of the other articles, and that’s the Smart-Frame. The Smart-Frame is a versatile information management framework based on cloud computing technology. Their idea was to create three hierarchical levels (Top, Regional, and End-User), where the first two levels consist entirely of cloud computing and the last one uses a smart device (Joonsang). In addition to those, the security solution they came up with was identity-based encryption, signature, and identity-based proxy re-encryption. The re-encryption gives proxies permission to alter the cipher text so that it can be decrypted. This is the first instance of re-encryption I’ve found in an article, and based on the evidence shown in the article, it looks to be a safe but timely option. One example expressed in the reading was the ENEL Telegestore project in Italy, considered the first commercial project to use the smart grid technology. It was a huge success, and several other smart grid projects followed after their success (Joonsang).
While this article had a different framework and algorithm, it still used the basic principle of encryption to secure their cloud services.

Conclusion

The answer to the cloud security issue is not black and white, and there will always be some grey area. Obviously we need to continue to innovate the cloud and bolster it up to its capabilities, because we have barely scratched the surface of what can be done. The only way we can fix this major problem is to stay one step ahead of the hackers, and I think that can be achieved by implementing Joonsang’s idea, the Smart-Frame ideology.

Works Cited (APA)

Tari, Z., & Yi, X. (2015). Security and Privacy in Cloud Computing. IEEE Cloud Computing, 30-38.

Nagar, N., & Suman, U. (2014). Two Factor Authentication Using M-pin Server for Secure Cloud Computing Environment. International Journal of Cloud Applications and Computing, 42-54.

Gonzales, D. (2015). Cloud-Trust a Security Assessment Model for Infrastructure as a Service (IaaS) Clouds. IEEE Cloud Computing.

Baek, J. (2015). A Secure Cloud Computing Based Framework for Big Data Information Management of Smart Grid. IEEE Transactions on Cloud Computing, 3(2), 233-243.

Watson, P. (2014). Multilevel Security for Deploying Distributed Applications on Clouds, Devices and Things. 381-385.

Xiong, J. (2014). A Secure Data Self-Destructing Scheme in Cloud Computing. IEEE Transactions on Cloud Computing, 448-458.