VOL. 3, NO. 3, March 2012 Journal of Emerging Trends in Computing and Information Sciences ISSN 2079-8407 ©2009-2012 CIS Journal. All rights reserved. http://www.cisjournal.org

Security Framework for Cloud Computing Environment: A Review

Ayesha Malik, Muhammad Mohsin Nazir
Department of Computer Science, Lahore College for Women University, Lahore, Pakistan.
ayesha_sadaqat@yahoo.com, mohsinsage@gmail.com

ABSTRACT

Cloud computing has become an important platform for companies to build their infrastructures upon. If companies are thinking of taking advantage of cloud-based systems, they will have to seriously reassess their current security strategies as well as the cloud-specific aspects in order to be a successful solution provider. The focus of this study, based on existing literature, is to define a methodology for cloud providers that will protect users’ data, information which is of high importance.

Keywords: Cloud Computing, Security, Threats

1. INTRODUCTION

Cloud computing is a model of information processing, storage, and delivery in which physical resources are provided to clients on demand. Instead of purchasing actual physical devices (servers, storage, or networking equipment), clients lease these resources from a cloud provider as an outsourced service. It can also be defined as “management of resources, applications and information as services over the cloud (internet) on demand”. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction [1].

1.1. Characteristics

Cloud computing has a wide range of characteristics, some of which are as follows:

• Shared Infrastructure: the cloud environment uses an effective software model that allows sharing of physical services, storage and networking capabilities among users. The cloud infrastructure aims to make the most of the available infrastructure across multiple users.
• Network Access: cloud services are accessed over a network from a wide range of devices such as PCs, laptops, and mobile devices by using standards-based APIs.

• Metering: cloud service providers store usage information about their clients for managing and optimizing the service and for providing reporting and billing information. Because of this, customers pay for services according to how much they have actually used during the billing period.

1.2. Service Models

Three types of models exist for providing cloud services. These three models are often referred to as the “SPI Model” (Software, Platform and Infrastructure) [4].

Figure 1: Cloud Computing

• Software as a Service (SaaS): customers obtain the facility to access and use an application or service that is hosted in the cloud. An example is Salesforce.com, where the information necessary for the interaction between the consumer and the service is hosted as part of the service in the cloud.

• Platform as a Service (PaaS): customers obtain access to platforms that enable them to deploy their own software and applications in the cloud.

• Infrastructure as a Service (IaaS): the facility provided to the customer is to lease processing, storage, and other fundamental computing resources. The customer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage and deployed applications.

1.3. Deployment Models

Regardless of the delivery model used, there are three primary ways in which cloud services can be deployed; they are described below.

• Public cloud: in a public cloud, customers access web applications and services over the internet. Each individual customer has its own resources, which are dynamically provided by a third-party vendor (the cloud provider).
These providers serve multiple customers from multiple data centres, manage all the security measures and provide the hardware and infrastructure on which the cloud customers operate. The customer has no insight into how the cloud is managed or what infrastructure is available. Customers of public cloud services are considered to be untrusted.

• Private cloud: in a private cloud, customers have complete control over how data is managed and what security measures are in place while data is processed in the cloud. The customers of the service are considered “trusted”. Trusted customers are those who are considered to be part of the organization, including employees, contractors and business partners.

• Hybrid cloud: hybrid clouds are a combination of public and private clouds within the same network. Private cloud customers can store personal information on their private cloud and use the public cloud for handling large processing demands.

Figure 2: Layers of the Cloud Delivery Model

2. SECURITY ISSUES IN CLOUD COMPUTING

Cloud computing is a model for delivering information and services by using existing technologies. It uses the internet infrastructure to allow communication between client-side and server-side services/applications [2]. Cloud service providers (CSPs) sit between clients, offering cloud platforms on which their customers use and create their own web services. When making decisions to adopt cloud services, privacy and security have always been a major issue. To deal with these issues, the cloud provider must build up sufficient controls to provide at least the level of security that the organization would have if the cloud were not used. The major security challenge is that the owner of the data has no control over how their data is processed.
Because many technologies are involved, including networks, databases, operating systems, resource scheduling, transaction management, concurrency control and memory management [3], various security issues arise in cloud computing. The top seven security threats to cloud computing identified by the Cloud Security Alliance (CSA) are [4]:

• Abuse and Nefarious Use of Cloud Computing
• Insecure Application Programming Interfaces
• Malicious Insiders
• Shared Technology Vulnerabilities
• Data Loss/Leakage
• Account, Service & Traffic Hijacking
• Unknown Risk Profile

Our research focuses on Insecure Application Programming Interfaces and Data Loss/Leakage, their risks and the solutions for them.

3. LITERATURE REVIEW

• “Enabling Public Verifiability and Data Dynamics for Storage Security in Cloud Computing (2009)” describes that “Cloud Computing has been envisioned as the next-generation architecture of IT Enterprise. It moves the application software and databases to the centralized large data centers, where the management of the data and services may not be fully trustworthy. This unique paradigm brings about many new security challenges, which have not been well understood. This work studies the problem of ensuring the integrity of data storage in Cloud Computing. We first identify the difficulties and potential security problems of direct extensions with fully dynamic data updates from prior works and then show how to construct an elegant verification scheme for seamless integration of these two salient features in our protocol design.”

• “Data Management in the Cloud: Limitations and Opportunities (March 2009)” focuses on the limitations and opportunities of deploying data management issues on these emerging cloud computing platforms: “We speculate that large scale data analysis tasks, decision support systems, and application specific data marts are more likely to take advantage of cloud computing platforms than operational, transactional database systems (at least initially). We present a list of features that a DBMS designed for large scale data analysis tasks running on an Amazon-style offering should contain. We then discuss some currently available open source and commercial database options that can be used to perform such analysis tasks, and conclude that none of these options, as presently architected, match the requisite features. We thus express the need for a new DBMS, designed specifically for cloud computing environments.”

• “Security Guidance for Critical Areas of Focus in Cloud Computing (April 2009)” is intended to provide security practitioners with a comprehensive roadmap for being proactive in developing positive and secure relationships with cloud providers. Much of this guidance is also quite relevant to the cloud provider to improve the quality and security of their service offerings. As with any initial venture, there will certainly be guidance that we could improve upon. We will quite likely modify the number of domains and change the focus of some areas of concern.

• “Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control (2009)” “characterizes the problems and their impact on adoption. In addition, and equally importantly, we describe how the combination of existing research thrusts has the potential to alleviate many of the concerns impeding adoption. In particular, we argue that with continued research advances in trusted computing and computation-supporting encryption, life in the cloud can be advantageous from a business intelligence standpoint over the isolated alternative that is more common today.”
• “CryptoNET: Software Protection and Secure Execution Environment (2010)” describes protection of software modules based on strong encryption techniques, for example public key encryption and digital signatures: “These protected software modules are encapsulated in our designed XML file which describes a general syntax of protected software modules. In addition, our designed system also securely distributes software modules to authorized users. The secure software distribution system is based on well established standards and protocols like the FIPS-196 based extended strong authentication protocol and SAML based authorization security policies. We also designed a secure execution environment which is capable of executing signed and encrypted software modules, and supports standard security services and network security protocols. These are: transparent handling of certificates, use of FIPS-201 compliant smart cards, single-sign-on protocol, strong authentication protocol, and secure asynchronous sessions.”

• “Security Issues for Cloud Computing (2010)” discusses security issues for cloud computing, presents a layered framework for secure clouds and then focuses on two of the layers, i.e., the storage layer and the data layer. In particular, the authors discuss a scheme for secure third-party publication of documents in a cloud. Next, the paper discusses secure federated query processing with MapReduce and Hadoop, and the use of secure co-processors for cloud computing. Finally, the authors discuss an XACML implementation for Hadoop and their belief that building trusted applications from untrusted components will be a major aspect of secure cloud computing.

• “Deployment Models: Towards Eliminating Security Concerns from Cloud Computing (2010)” claims that cloud computing has become a popular choice as an alternative to investing in new IT systems. When making decisions on adopting cloud computing related solutions, security has always been a major concern.
This article summarizes security concerns in cloud computing and proposes five service deployment models to ease these concerns. The proposed models provide different security-related features to address different requirements and scenarios and can serve as reference models for deployment.

• “A survey on security issues in service delivery models of cloud computing (2010)” discusses how the architecture of the cloud poses a threat to the security of existing technologies when they are deployed in a cloud environment. Cloud service users need to be vigilant in understanding the risks of data breaches in this new environment. In this paper, a survey of the different security risks that pose a threat to the cloud is presented. More specifically, the paper surveys the different security issues that have emanated from the nature of the service delivery models of a cloud computing system.

• “Addressing cloud computing security issues (2010)” has a twofold aim: firstly, to evaluate cloud security by identifying unique security requirements, and secondly, to attempt to present a viable solution that eliminates these potential threats. The paper proposes introducing a Trusted Third Party, tasked with assuring specific security characteristics within a cloud environment. The proposed solution calls upon cryptography, specifically Public Key Infrastructure operating in concert with SSO and LDAP, to ensure the authentication, integrity and confidentiality of the data and communications involved. The solution presents a horizontal level of service, available to all implicated entities, that realizes a security mesh within which essential trust is maintained.
• “Information security and cloud computing (2011)” gives a description of cloud computing followed by a general description of information security issues and solutions, and a brief description of issues linking cloud computing with information security. Security solutions must make a trade-off between the amount of security and its performance cost and impact on the end-user experience. This is accentuated in a cloud computing environment where users desiring different levels of security share the same resources. An essential issue for cloud computing is the perception of security, which is beyond the simple technical details of security solutions. This paper includes a list of a few key information security challenges that also present significant research opportunities. Solving these key problems will encourage the widespread adoption of cloud computing.

• “Security issues in cloud computing (2011)” mentions that cloud computing is a distributed architecture that centralizes server resources on a scalable platform so as to provide on-demand computing resources and services. Cloud computing has become a viable platform for companies to build their infrastructures upon. If companies are to consider taking advantage of cloud-based systems, they will be faced with the task of seriously reassessing their current security strategy, as well as the cloud-specific aspects that need to be assessed. We outline here what cloud computing is, the various cloud deployment models and the main security risks and issues that are currently present within the cloud computing industry.

4. PROBLEM STATEMENT

Our research focus is to provide a solution for the threats that are the major issue for anyone who wants to adopt cloud services for their work. For this purpose, a framework should be designed for the secure execution and storage of data and information in a cloud environment. It will protect users’ data, messages and information against various attacks. Some of the most common attacks are described in Table 1. The objectives of this research are to study the major threats arising in the cloud environment, the technologies used and the problems that still remain.

Table 1: Different Security Attacks

Name of Attack: Description

Tampering: An attacker may alter information that is either stored in local files or a database, or is sent over a public network.

Eavesdropping/Information Disclosure: This type of attack occurs when an attacker gains access to the data path and is able to monitor and read the messages.

Repudiation: The sender tries to repudiate, or refute the validity of, a statement or contract sent by him/her.

Elevation of Privileges: An attacker may gain unauthorized access to information and resources.

Man-in-the-Middle Attack: This type of attack occurs when an attacker infiltrates the communication channel in order to monitor the communication and modify the messages for malicious purposes.

Replay Attack: A replay attack occurs when an attacker or originator sends valid data with the intention of using it maliciously or fraudulently.

Identity Spoofing: Identity spoofing occurs when an attacker impersonates a user as the originator of a message in order to gain access to a network.

Differential Analysis Threat: When new versions are released, a differential analysis of the new and old version would indicate where differences in the code exist.

Viruses and Worms: Viruses and worms are very common and well-known attacks. They are pieces of code that decrease the performance of hardware and applications; such malicious code may even corrupt files on the local file system.

5. METHODOLOGY

APIs are the interfaces that customers use to interact with cloud services. For secure processing, these interfaces must have secure verification, access control and encryption mechanisms, especially when third parties start to build on them. For this purpose we need to analyze [4]:

• The security model of the cloud provider’s interfaces.
• Ensure strong authentication and access controls are implemented in concert with encrypted transmission.

• Understand the dependency chain associated with the API.

Furthermore, when data is deleted without any backup, an encryption key is lost, or unauthorized access occurs, data is always in danger of being lost or stolen. To provide a solution for this, we need to:

• Implement fault-free API access control.
• Ensure the mechanisms used for encryption and protection of data are secure.
• Perform data protection analysis at both design time and run time.
• Define the provider’s backup and preservation strategies.

We focus on summarizing what cloud computing is, its various service and deployment models, and the main security risks and issues, and on proposing a possible solution that will provide more security for customers’ data against the threats currently present within cloud computing services.

6. CONCLUSION

Currently, various techniques are used for the protection of data, such as:

• Mirage Image Management System [5]: this system addresses the problems related to the safe management of the virtual machine images that encapsulate each application in the cloud.

• Client-Based Privacy Manager [6]: it helps to reduce the threat of data leakage and loss of private data processed in the cloud, and also provides additional privacy-related benefits.

• Transparent Cloud Protection System (TCPS) [7]: this is a protection system for clouds designed to transparently monitor the integrity of cloud components. TCPS is intended to protect the integrity of distributed computing by allowing the cloud to monitor its infrastructure components.
• Secure and Efficient Access to Outsourced Data [8]: providing secure and efficient access to outsourced data is an important factor of cloud computing and forms the foundation for information management and other operations.

But cloud service providers still face problems in fully securing users’ information (sometimes data is encrypted successfully but its decryption is not possible because the key has been lost), so a system should exist to secure information against such cases.

REFERENCES

[1] Peter Mell and Tim Grance, “The NIST Definition of Cloud Computing”, October 7, 2009, version 15, National Institute of Standards and Technology (NIST). (www.csrc.nist.gov)

[2] Kevin Curran, Sean Carlin and Mervyn Adams, “Security issues in cloud computing”, published in August 2011, Elixir Network Engg. (www.elixirjournal.org)

[3] Kevin Hamlen, Murat Kantarcioglu, Latifur Khan, and Bhavani Thuraisingham, The University of Texas at Dallas, USA, “Security Issues for cloud computing”, April-June 2010, International Journal of Information Security and Privacy.

[4] “Security Guidance for Critical Areas of Focus in Cloud Computing”, April 2009, presented by Cloud Security Alliance (CSA).

[5] Jinpeng Wei, Xiaolan Zhang, Glenn Ammons, Vasanth Bala and Peng Ning, “Managing security of virtual machine images in a cloud environment”, November 2009, Proceedings of the 2009 ACM workshop on Cloud computing security, pages 91-96.

[6] Miranda Mowbray and Siani Pearson, “A Client-Based Privacy Manager for Cloud Computing”, June 2009, Proceedings of the Fourth International ICST Conference on Communication System Software and Middleware.

[7] Flavio Lombardi and Roberto Di Pietro, “Transparent Security for Cloud”, March 2010, Proceedings of the 2010 ACM Symposium on Applied Computing, pages 414-415.

[8] Weichao Wang, Zhiwei Li, Rodney Owens and Bharat Bhargava, “Secure and Efficient Access to Outsourced Data”, November 2009, Proceedings of the ACM workshop on Cloud computing security, pages 55-65.