Security Framework for Cloud Computing Environment: A Review

VOL. 3, NO. 3, March 2012
Journal of Emerging Trends in Computing and Information Sciences
ISSN 2079-8407
©2009-2012 CIS Journal. All rights reserved.
http://www.cisjournal.org
Security Framework for Cloud Computing Environment: A Review
Ayesha Malik, Muhammad Mohsin Nazir
Department of Computer Science
Lahore College for Women University, Lahore, Pakistan.
ayesha_sadaqat@yahoo.com, mohsinsage@gmail.com
ABSTRACT
Cloud computing has become an important platform for companies to build their infrastructures upon. If companies are
thinking to take advantage of cloud based systems, they will have to seriously reassess their current security strategies as
well as the cloud-specific aspects to be a successful solution provider. The focus of this study, based on existing literature,
is to define a methodology for cloud providers that will protect users’ data, information which is of high importance.
Keywords: Cloud Computing, Security, Threats
1. INTRODUCTION
Cloud computing is a model of information
processing, storage, and delivery in which physical
resources are provided to clients on demand. Instead of
purchasing actual physical devices servers, storage, or any
networking equipment, clients lease these resources from
a cloud provider as an outsourced service.
It can also be defined as “management of resources,
applications and information as services over the cloud
(internet) on demand”.
Cloud computing is a model for
convenient and on demand network access to
group of computing resources that can be
released with minimal management effort or
provider interaction [1].
enabling
a shared
rapidly
service
1.1. Characteristics
Cloud computing has a wide range of characteristics
some of which are as follows:
• Shared Infrastructure: cloud environment uses an
effective software model that allows sharing of physical
services, storage and networking capabilities among users.
The cloud infrastructure is to find out most of the
available infrastructure across multiple users.
• Network Access: Cloud services are accessed over a
network from a wide range of devices such as PCs,
laptops, and mobile devices by using standards based
APIs.
• Handle Metering: Cloud service providers store
information of their clients for managing and optimizing
the service and to provide reporting and billing
information. Due to this, customers are payable for
services according to how much they have actually used
during the billing period.
1.2. Service Models
Three types of models exist for providing services
of cloud. These three models are often referred to as the
“SPI Model (Software, Platform and Infrastructure) [4]”.
• Software as a Service (SaaS): Customers obtain the
Figure 1: Cloud Computing
facility to access and use an application or service that is
hosted in the cloud. As an example ‘Salesforce.com’,
where necessary information for the interaction between
the consumer and the service is hosted as part of the
service in the cloud.
• Platform as a Service (PaaS): Customers obtain access
to the platforms by enabling them to organize their own
software and applications in the cloud.
• Infrastructure as a Service (IaaS): The facility
provided to the customer is to lease processing, storage,
and other fundamental computing resources. The customer
does not manage or control the basic cloud infrastructure
but has control over operating systems, storage, deployed
applications.
390
VOL. 3, NO. 3, March 2012
Journal of Emerging Trends in Computing and Information Sciences
ISSN 2079-8407
©2009-2012 CIS Journal. All rights reserved.
http://www.cisjournal.org
1.3. Deployment models
In spite of the delivery model utilized, there are
three primary ways in which cloud services can also
deployed and are described.
• Public cloud
In Public cloud, customers can access web
applications and services over the internet. Each
individual customer has its own resources which are
dynamically provided by a third party vendor(cloud
providers). These providers facilitate multiple customers
from multiple data centres, manages all the security
measures and provides hardware and infrastructure for
the cloud customers to operate. The customer has no
idea about how the cloud is managed or what
infrastructure is available. Customers of Public Cloud
services are considered to be untrusted.
• Private cloud
In private clouds customers has complete control
over that how data is managed and what security
measures are in place while data processing in cloud.
The customers of the service are considered
“trusted.” Trusted customers of service are those who are
considered to be part of an organization including
employees, contractors, & business partners.
• Hybrid Cloud
Hybrid Clouds are a combination of public and
private cloud within the same network. Private cloud
customers can store personal information on their private
cloud and use the public cloud for handling large amount
of
processing
demands.
Figure 2: Layers of the Cloud Delivery Model
2. SECURITY ISSUES IN CLOUD
COMPUTING
Cloud computing is a model for information and
services by using existing technologies. It uses the
internet infrastructure to allow communication between
client side and server side services/applications[2].
Cloud service providers (CSP’s) exist between clients
that offers cloud platforms for their customers to use
and create their own web services.
When making decisions to adopt cloud services,
privacy or security has always been a major issue. To deal
with these issues, the cloud provider must build up
sufficient controls to provide such level of security than
the organization would have if the cloud were not used.
The major security challenge is that the owner of the data
has no control on their data processing.
Due to involvement of many technologies
including networks, databases, operating systems,
resource scheduling, transaction management,
concurrency control and memory management
[3],various security issues arises in cloud computing.
Top seven security threats to cloud computing
discovered by “Cloud Security Alliance” (CSA) are [4]:
•
•
•
•
•
•
•
Abuse and Nefarious Use of Cloud Computing
Insecure Application Programming Interfaces
Malicious Insiders.
Shared Technology Vulnerabilities
Data Loss/Leakage
Account, Service & Traffic Hijacking.
Unknown Risk Profile
Our research is to focus on Insecure Application
Programming Interfaces, Data Loss/Leakage their risks
and solutions for this.
3. LITERATURE REVIEW
• “Enabling Public Veri
fiability and
Data
Dynamics for Storage Security in Cloud
Computing (2009)” describes that “Cloud
Computing has been envisioned as the nextgeneration architecture of IT Enterprise. It moves
the application software and databases to the
centralized large data centers, where the
management of the data and services may not be
fully trustworthy. This unique paradigm brings
about many new security challenges, which have
not been well understood. This work studies the
problem of ensuring the integrity of data storage
in Cloud Computing. We first identify the
difficulties and potential security problems of
direct extensions with fully dynamic data updates
from prior works and then show how to construct
an elegant verification scheme for seamless
integration of these two salient features in our
protocol design.
• “Data Management in the Cloud: Limitations
and Opportunities, March 2009” is focused to
discuss the limitations and opportunities of
deploying data management issues on these
emerging cloud computing platforms. We
speculate that large scale data analysis tasks,
decision support systems, and application
391
VOL. 3, NO. 3, March 2012
Journal of Emerging Trends in Computing and Information Sciences
ISSN 2079-8407
©2009-2012 CIS Journal. All rights reserved.
http://www.cisjournal.org
specifically data marts are more likely to take
advantage of cloud computing platforms than
operational, transactional database systems (at
least initially). We present a list of features that a
DBMS designed for large scale data analysis tasks
running on an Amazon-style offering should
contain. We then discuss some currently available
open source and commercial database options that
can be used to perform such analysis tasks, and
conclude that none of these options, as presently
architected, match the requisite features. We thus
express the need for a new DBMS, designed
specifically for cloud computing environments.
•
•
•
“Security Guidance for Critical Areas of Focus
in Cloud Computing, April 2009”, is intended to
provide
security
practitioners
with
a
comprehensive roadmap for being proactive in
developing positive and secure relationships with
cloud providers. Much of this guidance is also
quite relevant to the cloud provider to improve the
quality and security of their service offerings. As
with any initial venture, there will certainly be
guidance that we could improve upon. We will
quite likely modify the number of domains and
change the focus of some areas of concern.
“Controlling Data in the Cloud: Outsourcing
Computation without Outsourcing Control
(2009)”, “characterizes the problems and their
impact on adoption. In addition, and equally
importantly, we describe how the combination
of existing research thrusts has the potential
to alleviate many of the concerns impeding
adoption. In particular, we argue that with
continued research advances in trusted
computing
and
computation-supporting
encryption,
life
in
the cloud can be
advantageous from a business intelligence
standpoint over the isolated alternative that is
more common today.
“CryptoNET: Software Protection and Secure
Execution Environment (2010)”, describes
protection of software modules which is based on
strong encryption techniques, for example public
key encryption and digital signature. These
protected software modules are encapsulated in
our designed XML file which describes a general
syntax of protected software modules. In addition,
our designed system also securely distributes
software modules to authorized user. Secure
software distribution system is based on well
established standards and protocols like FIPS-196
based extended strong authentication protocol and
SAML based authorization security policies. We
also designed secure execution environment
which is capable to execute signed and encrypted
software modules, supports standard security
services and network security protocols. These
are: transparent handling of certificates, use of
FIPS-201 compliant smart cards, single-sign-on
protocol, strong authentication protocol, and
secure asynchronous sessions”.
•
“Security Issues for cloud computing (2010)”
discusses security issues for cloud computing and
present a layered framework for secure clouds and
then focus on two of the layers, i.e., the storage
layer and the data layer. In particular, the authors
discuss a scheme for secure third party
publications of documents in a cloud. Next, the
paper will converse secure federated query
processing with map Reduce and Hadoop, and
discuss the use of secure co-processors for cloud
computing. Finally, the authors discuss XACML
implementation for Hadoop and discuss their
beliefs that building trusted applications from
untrusted components will be a major aspect of
secure cloud computing.
•
“Deployment Models: Towards Eliminating
Security Concerns from Cloud Computing
(2010)” claims that Cloud computing has become
a popular choice as an alternative to investing new
IT systems. When making decisions on adopting
cloud computing related solutions, security has
always been a major concern. This article
summarizes security concerns in cloud computing
and proposes five service deployment models to
ease these concerns. The proposed models
provide different security related features to
address different requirements and scenarios and
can serve as reference models for deployment.
•
“A survey on security issues in service delivery
models of cloud computing (2010)”, discusses
that the architecture of cloud poses such a threat
to the security of the existing technologies when
deployed in a cloud environment. Cloud service
users need to be vigilant in understanding the
risks of data breaches in this new environment. In
this paper, a survey of the different security risks
that pose a threat to the cloud is presented. This
paper is a survey more specifically to the different
security issues that has emanated due to the nature
of the service delivery models of a cloud
computing system.
•
“Addressing cloud computing security issues
(2010)”, aims at twofold; firstly to evaluate cloud
security by identifying unique security
requirements and secondly to attempt to present a
viable solution that eliminates these potential
threats. This paper proposes introducing a Trusted
Third Party, tasked with assuring specific security
characteristics within a cloud environment. The
proposed solution calls upon cryptography,
specifically Public Key Infrastructure operating in
concert with SSO and LDAP, to ensure the
authentication, integrity and confidentiality of
involved data and communications. The solution,
392
VOL. 3, NO. 3, March 2012
Journal of Emerging Trends in Computing and Information Sciences
ISSN 2079-8407
©2009-2012 CIS Journal. All rights reserved.
http://www.cisjournal.org
presents a horizontal level of service, available to
all implicated entities, that realizes a security
mesh, within which essential trust is maintained.
•
•
“Information security and cloud computing
(2011)” gives a description of cloud computing
followed by a general description of information
security issues and solutions, and a brief
description
of
issues
linking
cloud
computing
with
information
security.
Security solutions must make a trade-off
between the amount of security and its
performance cost and impact on the end-user
experiences. This is accentuated in a cloud
computing environment where users desiring
different levels of security share the same
resources. An essential issue for cloud computing
is the perception of security, which is beyond the
simple technical details of security solutions. This
paper includes a list of a few key information
security challenges that also present significant
research opportunities. Solving these key
problems will encourage the widespread adoption
of cloud computing.
architecture that centralizes server resources on a
scalable platform so as to provide on demand
computing resources and services. Cloud
computing has become a variable platform for
companies to build their infrastructures upon.
If companies are to consider taking advantage of
cloud based systems, they will be faced with the
task of seriously reassessing their current security
strategy, as well as the cloud-specific aspects that
need to be assessed. We outline here what cloud
computing is, the various cloud deployment
models and the main security risks and issues that
are currently present within the cloud computing
industry.
4. PROBLEM STATEMENT
Our research focus is to provide a solution for the
threats that are the major issue for anyone when they want
to adopt cloud services for their work. For this purpose, a
framework should be designed for execution of data and
information securely in cloud environment. It will protect
users’ data, messages, information against various attacks.
Some of the most common attacks are described in Table1.
Objectives of this research are to study the major
threats arising in cloud environment, technologies used
and problems that still there.
Table 1: Different Security Attacks
“Security issues in cloud computing(2011)”
mentions that Cloud Computing is a distributed
Name of Attack
Tampering
Description
An attacker may alter information either stored in local files, database or is sent
over public network.
Eavesdropping/Information
Disclosure
This type of attack occurs when attacker gains access in the data path and gains
access to monitor and read the messages.
Repudiation
Sender tries to repudiate, or refute the validity of a statement or contract which
is sent by him/her.
An attacker may access unauthorized to information and resources
This type of attack occurs when an attacks infiltrates the communication
channel in order to monitor the communication and modify the messages for
malicious purposes
A replay attack is defined as when an attacker or originator sends a valid data
with intention to use it maliciously or fraudulently.
Identity spoofing occurs when an attacker impersonates the users as the
originator of the message in order to gain access on a network.
When new versions are released, a differential analysis of the new and old
version would indicate where differences in the code exist.
Viruses and worms are very common and well known attacks. These are piece
of code that decrease the performance of hardware and application even these
malicious codes corrupts files on local file system.
Elevation of Privileges
Man-in-the-Middle Attack
Replay Attack
Identity Spoofing
Differential Analysis
Threat
Viruses and Worms
5. METHODOLOGY
API’s are the interfaces that customers use to
interact with cloud services, for secure processing,
interfaces must have secure verification, access control,
encryption mechanisms especially when third parties start
to build on them. For this purpose we need to analyze [4]:
• Security model of cloud provider interfaces.
• Ensure strong authentication and access controls are
implemented in performance with encrypted transmission.
• Understand the dependency chain associated with the
API.
Furthermore when data deleted without any backup
or encoding key loss/unauthorized access, data is always
393
VOL. 3, NO. 3, March 2012
Journal of Emerging Trends in Computing and Information Sciences
ISSN 2079-8407
©2009-2012 CIS Journal. All rights reserved.
http://www.cisjournal.org
in danger of being lost or stolen. To provide solution for
this, we need to:
•
•
•
•
Implement fault free API access control.
Mechanism used for encryption and protection of
data should be secure.
Data protection analysis done at both design and run
time.
Provider backup and preservation strategies must be
defined.
We focus on summarized details of what cloud
computing is, its various models regarding to services and
deployment ,main security risks and issues and to propose
a possible solution that will provide more security to data
of customers from that are currently present within the
cloud computing services.
6. CONCLUSION
Currently various techniques used for protection
of data, secure data such as:
• Mirage Image Management System [5]
This system addresses the problems related to
safe management of the virtual machine images that
summarize each application of the cloud.
• Client Based Privacy Manager [6]
It helps to reduce the threat of data leakage
and loss of private data that processed in the cloud, as
well as provides additional privacy related benefits.
• Transparent Cloud Protection System (TCPS) [7]
This is a protection system for clouds designed at
clearly monitoring the reliability of cloud components.
TCPS is planned to protect the integrity of distributed
computing by allowing the cloud to monitor infrastructure
components.
But still cloud service providers face problems
like fully securing users’ information (sometimes data is
encrypted successfully but its decryption is not possible
because of key loss) so such system should exist to secure
information.
REFERENCES
[1] Peter Mell and Tim Grance, “The NIST Definition of
Cloud Computing”, October 7, 2009, version 15, National
Institute of Standards and Technology (NIST).
(www.csrc.nist.gov )
[2] Kevin Curran, Sean Carlin and Mervyn Adams
“Security issues in cloud computing”, publishedin August
2011, Elixir Network Engg.
(www.elixirjournal.org )
[3] Kevin Hemalen, Murat Kantarcioglu, Latifur Khan,
and Bhavani Thuraisingham, The University of Texas at
Dallas, USA, “Security Issues for cloud computing”,
April-June 2010,international Journal of Information
Security and Privacy.
[4] “Security Guidance for Critical Areas of Focus in
Cloud Computing”, April 2009, presented by Cloud
Security Alliance (CSA).
[5] Jinpeng Wei, Xiaolan Zhang, Glenn Ammons,
VasanthBala and PengNing, “Managing security of virtual
machine images in a cloud environment”, November
2009, Proceedings of the 2009 ACM workshop on Cloud
computing security pages 91-96.
[6] Miranda Mowbray and Siani Pearson, “A ClientBased Privacy Manager for Cloud computing”, June
2009,Proceedings of the Fourth International ICST
Conference on communication system software and
middleware.
• Secure and Efficient Access to Outsourced Data
[8]
[7] Flavio Lombardi and Roberto Di Pietro, “Transparent
Security for Cloud”, March 2010, Proceedings of the 2010
ACM Symposium on Applied Computing, pages 414-415.
Providing secure and efficient access to
outsourced data is an important factor of cloud
computing and forms the foundation for information
management and other operations.
[8] WeichaoWang,Zhiwei Li, Rodney Owens and Bharat
Bhargava, “Secure and Efficient Access to Outsourced
Data”, November 2009, Proceedings of the ACM
workshop on Cloud computing security, pages 55-65.
394