International Journal on Advanced Computer Theory and Engineering (IJACTE)
_______________________________________________________________________________________________
Different IaaS Security Attributes and Comparison of Different Cloud Providers

Ramdas N. Khatake (1), Shridevi C. Karande (2)
MIT Pune, India
Email: (1) ramdaskhatake@gmail.com, (2) shridevi.karande@mitpune.edu.in
Abstract—Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources such as networks, servers, storage, applications and services that can be rapidly provisioned and released with minimal management effort or service provider interaction. Despite such promises, cloud computing has not been adopted at the pace that was expected. Among the various reasons that prevent its widespread adoption, the most serious issue cloud computing faces is its inability to assure data confidentiality, integrity, availability, authenticity and privacy. The Infrastructure as a Service (IaaS) model serves as the underlying basis for the other delivery models, and a lack of security in this layer will certainly affect the other delivery models, i.e. PaaS and SaaS, that are built upon the IaaS layer. This paper presents the different security attributes of the Infrastructure as a Service model that ensure security in the IaaS components, and compares different IaaS vendors with respect to those security attributes.
Keywords—Cloud Computing, Cloud Security, Infrastructure as a Service, Data Privacy, Cloud Vendors.

I. INTRODUCTION

The cloud computing model is composed of five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. There are three service models that cloud computing can adopt, Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), and four deployment models: private cloud, public cloud, community cloud and hybrid cloud [1].

To encourage the cloud-based computing environment, its security challenges must be addressed in an appropriate manner and with proper service level agreements between the cloud service provider and the end user. According to the security guidance published by the Cloud Security Alliance, the security risks faced by providers and consumers in cloud computing depend on the deployment model and on the manner in which the cloud services are consumed [2].

To assure security at the Infrastructure as a Service (IaaS) level, the provider is required to give security guarantees from the hardware level up to the hypervisor, while the consumer is required to ensure that the software stack he uploads is free from security risks. For Software as a Service (SaaS) the requirements are completely one-sided, because only the provider is required to guarantee the security of the cloud; in IaaS the customer is also required to manage their own cloud security.

Section II describes the components of the IaaS model, section III describes the different security attributes related to the IaaS components, and section IV compares IaaS providers with respect to the security attributes that assure security.

II. INFRASTRUCTURE AS A SERVICE

A cloud computing system begins with its infrastructure. IaaS provides the delivery of on-demand shared resources and computing services, which avoids the cost of investing in, operating and maintaining the hardware. IaaS consists of the following components: storage, network, compute, virtualization, user interface and access management, data management, and security automation.
2.1 Storage

IaaS provides cloud storage as a service model in which data is maintained, managed and backed up remotely and made available to users over the network. Cloud storage delivers virtualized storage on demand over a network, based on consumer requests [3]. When data is stored in cloud storage we need to consider the three aspects of information security: confidentiality, integrity and availability.

Confidentiality: limiting information access and disclosure to authorized users, and preventing access by, or disclosure to, unauthorized ones.
ISSN (Print): 2319-2526, Volume -3, Issue -6, 2014
Integrity: the trustworthiness of information resources.

Availability: the accessibility of information resources when they are needed.
2.2 Network

IaaS provides the cloud network through which the consumer communicates with, and accesses, the services offered by the provider. Cloud networking is a new networking paradigm for building and managing secure private networks over the public Internet by utilizing global cloud computing infrastructure. In cloud networking, traditional network functions and services, including connectivity, security, management and control, are pushed to the cloud and delivered as a service [3][4].

2.3 Compute

A compute cloud is a web service that provides resizable compute capacity in the cloud. It allows you to obtain and configure capacity with minimal friction. It also provides complete control of your resources and lets you run on the provider's computing environment. A compute cloud reduces the time required to obtain and boot new server instances, allowing you to scale up or scale down quickly as requirements change.

2.4 Virtualization

Virtualization is one of the most important elements that make cloud computing possible. In computing, virtualization means creating a virtual version of a device or resource, such as a server, storage device, network or even an operating system, where the framework divides the resource into one or more execution environments. Virtualization is associated with the following technologies [4][5].

Storage virtualization: the amalgamation of multiple network storage devices into what appears to be a single storage unit.

Server virtualization: the partitioning of a physical server into smaller virtual servers.

Operating system-level virtualization: a type of server virtualization technology which works at the operating system (kernel) layer.

Network virtualization: using network resources through a logical segmentation of a single physical network.

2.5 User Interface and Access Management

IaaS provides a simple and intuitive web-based user interface for accessing and managing cloud services. With the help of a console or an Application Programming Interface (API) you can manage your account, manage security credentials and access the cloud services.

Figure 1. IaaS model
2.6 Data Management

The rapid adoption of cloud-based applications, platforms and infrastructure has resulted in more fragmented data scattered across the enterprise, both inside and outside the firewall, increasing the demand for a robust cloud data management solution [3]. In data management we mostly consider transactional data management and analytical data management. It is hard to maintain ACID guarantees in the face of data replication over large geographic distances.

2.7 Security Automation

Security automation helps you codify the practices that make your data meet your organization's security policy. It includes identifying vulnerabilities on running instances as well as patching those vulnerabilities [6][7]. Security automation starts with application design: consider the requirements for access to data in transit, at rest and in process.

III. SECURITY ATTRIBUTES IN CLOUD COMPUTING

3.1 Authentication and User Management

The authentication and user management unit covers how to manage individual user accounts, group accounts, Active Directory and LDAP authentication, and multifactor authentication.

3.1.1 Individual User Accounts

You can create users and assign them individual security credentials, i.e. access keys, passwords and multi-factor authentication devices, or request temporary security credentials to give users access to services and resources. You can manage permissions in order to control which operations a user can perform.
3.1.2 User Groups

A group is a collection of users. Groups let you assign permissions to a collection of users, which makes it easier to manage the permissions of those users when responsibilities change: only one change is needed to update the permissions of multiple users.
3.1.3 Active Directory and LDAP Authentication

Active Directory (AD) is a directory service created by Microsoft. It is widely used in organizations with Windows-based networks to manage users and establish policy controls. It helps administrators centralize the creation of usernames and passwords and specify roles and access levels for IT resources across the cloud. This greatly simplifies the administrators' task, since they are saved the effort of managing administration separately for each user on multiple instances.

Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. A common use of LDAP is to provide single sign-on, where one password for a user is shared between many services.

3.1.4 Multifactor Authentication

Multi-factor authentication (MFA) is an approach to authentication which requires the presentation of two or more of three independent authentication factors: a knowledge factor (something only the user knows), a possession factor (something only the user has) and an inherence factor (something only the user is).

3.2 Data Privacy and Confidentiality

The data privacy and confidentiality unit covers stored data encryption and data encryption at transmission.

3.2.1 Stored Data Encryption

Data encryption, which prevents data visibility in the event of unauthorized access or theft, is commonly used to protect data in motion and is increasingly recognized as an optimal method for protecting data at rest. Stored data encryption includes strong methods such as AES, RSA and SHA-256 [8]. When an access control such as a username and password fails, the encrypted data remains encrypted.

3.2.2 Data Encryption at Transmission

Sensitive information that travels over an intranet or the Internet can be protected by encryption. Encryption is the transformation of information into a form readable only with a decryption key. Encryption is a powerful security mechanism because it can make decryption mathematically infeasible for anyone who does not possess the decryption key.

3.3 Data Storage

The data storage unit covers key management, and data integrity and tampering checks, in a multitenant environment.

3.3.1 Key Management

Key management is the management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use and replacement of keys. It includes cryptographic protocol design, key servers, user procedures and other relevant protocols [3].

3.3.2 Data Integrity and Tampering Check

Data integrity, as the term itself explains, is the completeness or wholeness of the data, which is a basic requirement of information technology. Just as data integrity is essential in databases, the integrity of data storage is essential in the cloud; it is a major factor affecting the performance of the cloud. Data integrity provides the validity of the data, assuring its consistency or regularity. It is the complete mechanism of writing data in a reliable manner to persistent data storage, from which it can later be retrieved in the same format without any changes [9][10].

Check tampering is a type of fraudulent disbursement scheme whereby an employee either prepares a fraudulent check for his own benefit, or intercepts a check intended for a third party and converts the check to his own benefit.
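As an added illustration of the integrity and tampering check discussed in this section (and of the CRC32 integrity check listed for Amazon Web Services in Table I), the following Python is not from the paper or from any provider: it writes an object with both an unkeyed CRC32 and a keyed HMAC, then shows that the CRC catches accidental corruption while only the HMAC, whose key is held by the customer outside the storage tenant, also detects a deliberate rewrite. The in-memory store, the key and the object bytes are constructed sample values.

```python
"""Integrity versus tamper-evidence for objects written to cloud storage.

Added example, not the paper's or any provider's code. A CRC32 (the check
named for AWS in Table I) detects bit rot and truncation, but anyone able to
rewrite the object can recompute it. A keyed HMAC-SHA-256, with the key kept
under customer control (see 3.3.1 Key Management), also detects rewrites.
"""
import hashlib
import hmac
import zlib

# Constructed sample key; in practice it lives in the customer's key store,
# separate from the storage provider that holds the objects.
INTEGRITY_KEY = b"constructed-sample-key-do-not-use"


def write_object(store: dict, name: str, data: bytes, key: bytes = INTEGRITY_KEY) -> None:
    """Store the object alongside an unkeyed CRC32 and a keyed HMAC tag."""
    store[name] = {
        "data": data,
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "hmac": hmac.new(key, data, hashlib.sha256).hexdigest(),
    }


def check_crc(store: dict, name: str) -> bool:
    """Unkeyed check: catches accidental corruption, not deliberate edits."""
    obj = store[name]
    return (zlib.crc32(obj["data"]) & 0xFFFFFFFF) == obj["crc32"]


def check_hmac(store: dict, name: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Keyed check: without the key no valid tag can be produced for new data."""
    obj = store[name]
    expected = hmac.new(key, obj["data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, obj["hmac"])


def rewrite_with_fresh_crc(store: dict, name: str, new_data: bytes) -> None:
    """Model the threat: the object is rewritten and the unkeyed CRC refreshed.

    This is what a storage-side modification looks like to the verifier; the
    HMAC tag cannot be refreshed because the key is not in the tenant.
    """
    store[name]["data"] = new_data
    store[name]["crc32"] = zlib.crc32(new_data) & 0xFFFFFFFF


def demo() -> dict:
    """Run the three scenarios and return which check passed in each."""
    store = {}  # stands in for the cloud storage service (constructed)
    write_object(store, "invoice.txt", b"amount=100")
    results = {
        "clean_crc": check_crc(store, "invoice.txt"),
        "clean_hmac": check_hmac(store, "invoice.txt"),
    }
    # Accidental corruption: one byte changes, metadata untouched.
    store["invoice.txt"]["data"] = b"amount=101"
    results["corrupt_crc"] = check_crc(store, "invoice.txt")
    results["corrupt_hmac"] = check_hmac(store, "invoice.txt")
    # Deliberate rewrite with the CRC refreshed: only the keyed check fails.
    rewrite_with_fresh_crc(store, "invoice.txt", b"amount=999")
    results["tamper_crc"] = check_crc(store, "invoice.txt")
    results["tamper_hmac"] = check_hmac(store, "invoice.txt")
    return results


if __name__ == "__main__":
    for scenario, passed in demo().items():
        print(f"{scenario}: {'pass' if passed else 'FAIL'}")
```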
3.4 Cloud Security Certificate

The cloud security certificate unit covers certificates such as SSAE 16 certification, FIPS 140-2 and PCI DSS Level 1.

3.4.1 SSAE 16-certified facility

The Statements on Standards for Attestation Engagements (SSAE 16) is an attestation standard established by the AICPA to report on the controls and services provided to customers. As opposed to the SAS 70 audit standard, compliance with the SSAE 16 attestation standard requires the data center's management to provide a written assertion about the fair presentation of the system's design, controls and operational effectiveness. This statement, along with an independent auditor's evaluation of controls such as Data Foundry's organization, security and change management systems, is considered when determining SSAE 16 compliance.

3.4.2 FIPS 140-2 compliant

The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate the requirements and standards for cryptographic modules that include both hardware and software components. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module. This standard specifies the security requirements that must be satisfied by a cryptographic module.

3.4.3 PCI DSS Level 1 compliant

The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents.

IV. INFRASTRUCTURE AS A SERVICE PROVIDERS

This section compares different IaaS cloud service providers.

4.1 Amazon Web Services

AWS operates the cloud infrastructure that you use to provision a variety of basic computing resources such as processing and storage. The AWS infrastructure includes the facilities, network and hardware as well as some operational software (e.g. host OS, virtualization software) that support the provisioning and use of these resources. The AWS infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards. As an AWS customer, you can be assured that you are building web architectures on top of some of the most secure computing infrastructure in the world [11].

The infrastructure AWS provides to its customers is designed and managed in alignment with best security practices and a variety of IT security standards, including SSAE 16 certified facility (formerly SAS 70), FIPS 140-2 compliance and PCI DSS Level 1 compliance [11].

4.2 GoGrid

GoGrid enables companies to evaluate and run multiple on-demand Big Data solutions quickly, simply, reliably, securely and cost-effectively [12]. As the leader in Open Data Services (ODS), GoGrid is committed to delivering purpose-built Big Data solutions and services for the management and integration of open source, commercial and proprietary technologies across multiple platforms. Its data centers are SSAE-16 Type II (formerly SAS-70 Type II) compliant and its internal security procedures are PCI-DSS compliant.

4.3 Rackspace

The Rackspace Cloud is a set of cloud computing products and services billed on a utility computing basis by the US-based company Rackspace [13]. Offerings include web application hosting or platform as a service (Cloud Sites), cloud storage (Cloud Files), virtual private servers (Cloud Servers), load balancers, databases, backup and monitoring.

4.4 Google Compute Engine

Google Compute Engine (GCE) is the Infrastructure as a Service (IaaS) component of Google Cloud Platform, which is built on the global infrastructure that runs Google's search engine, Gmail, YouTube and other services [14].

Google Compute Engine enables users to launch virtual machines (VMs) on demand. VMs can be launched from the standard images or from custom images created by users. GCE users need to be authenticated based on OAuth 2.0 before launching VMs. Google Compute Engine can be accessed via the Developer Console, a RESTful API or a command line interface.

4.5 vSphere

In vSphere, ESXi handles user authentication and supports user and group permissions [15][16]. In addition, you can encrypt connections to the vSphere Client and SDK. ESXi and vCenter Server support standard X.509 version 3 (X.509v3) certificates to encrypt session information sent over Secure Socket Layer (SSL) protocol connections between components. If SSL is enabled, data is private, protected and cannot be modified in transit without detection.
Table I. Comparison of IaaS Providers

Each security attribute is listed with the corresponding entry for the five Infrastructure as a Service providers: Amazon Web Services, GoGrid, RackSpace, Google Compute Engine and vSphere.

User management and Authentication

Individual user accounts
    Amazon Web Services: With the help of Identity Access Management (IAM), assign them individual security credentials.
    GoGrid: Yes, customers have root/administrator access to manage users and groups.
    RackSpace: Yes, customers have root/administrator access to manage users and groups.
    Google Compute Engine: Yes, using API.
    vSphere: Yes, console access.

User groups
    Amazon Web Services: Identity Access Management roles allow you to delegate access to users or services.
    GoGrid: Allows the administrator to insert a layer of access control by assigning a specific task to a specific user.
    RackSpace: Yes, custom.
    Google Compute Engine: Yes, for API layer.
    vSphere: Yes, through ESX console.

AD/LDAP authentication
    Amazon Web Services: Amazon Identity and Access Management (IAM) enables identity federation between your corporate directory and AWS services.
    GoGrid: Yes, using API, individual IP address.
    RackSpace: N/A, Rackspace does not provide AD/LDAP authentication; however, IaaS customers can implement their own solution.
    Google Compute Engine: Yes, for API access.
    vSphere: ESX console.

Multifactor authentication
    Amazon Web Services: Enable Multi-Factor Authentication for the AWS account using an RSA token or QR code.
    GoGrid: Yes, token-based authentication.
    RackSpace: Yes, Rackspace can provide multifactor authentication for RackConnect systems (hybrid of cloud and dedicated infrastructure).
    Google Compute Engine: Yes, two-step authentication.
    vSphere: Uses proximity sensors, biometrics, key cards or key fobs.

Data Privacy and Confidentiality

Stored data encryption
    Amazon Web Services: Server-side encryption for Amazon S3 and Amazon Glacier; encrypts data using AES-256.
    GoGrid: No.
    RackSpace: No, customers are responsible for data encryption.
    Google Compute Engine: Yes, transparently for all running VM disk data using AES-128. Encryption happens before data touches local disk or leaves the host machine.
    vSphere: Storage DRS.

Data transmission encryption
    Amazon Web Services: Yes, via Virtual Private Cloud and Secure Socket Layer on the portal.
    GoGrid: Yes, via Virtual Private Network and Secure Socket Layer on the portal.
    RackSpace: N/A, Rackspace customers would determine transmission encryption.
    Google Compute Engine: Yes, HTTPS for all API traffic. All VM-to-VM traffic is over Google's private network.
    vSphere: ESXi and vCenter Server components communicate securely over Secure Socket Layer.

Data Storage

Key management
    Amazon Web Services: Each EC2 instance has an assigned private key. Keys can be managed through the AWS web console.
    GoGrid: N/A.
    RackSpace: Administrative level via API and console access; must authenticate using persistent API keys. Customers can regenerate API keys on demand to help ensure that their API access is not compromised.
    Google Compute Engine: Created and managed by the cloud service provider.
    vSphere: Trend Micro provides the key; no need to manage a separate key server.

Data integrity and tampering
    Amazon Web Services: Integrity checks using the CRC32 algorithm.
    GoGrid: Yes, custom.
    RackSpace: Rackspace customers have root/administrator access to their servers and can implement a data integrity or tampering checking system to meet their needs.
    Google Compute Engine: Yes, for persistent disk: checksums, encryption at rest and other techniques.
    vSphere: With the help of Data Domain Operating System and Data Domain Boost.

Cloud security Check

SSAE 16 certified facility (formerly SAS 70)
    Amazon Web Services: Yes.
    GoGrid: Yes.

FIPS 140-2 compliant
    Amazon Web Services: Yes, Virtual Private Cloud and GovCloud.

PCI DSS Level 1 compliant
    Amazon Web Services: Yes.
    GoGrid: Yes.

The remaining entries of these three rows (GoGrid FIPS 140-2; RackSpace, Google Compute Engine and vSphere for all three) are Yes/No cells whose assignment could not be recovered from the extracted table.
V. CONCLUSION

I have shown the security attributes related to the different IaaS components and the security techniques used by different cloud vendors. The concepts discussed here will help to build a strong architecture for security in the field of cloud computing. Such structured security will also improve customer satisfaction to a great extent and attract more investors to cloud computing, for industry as well as for future research firms. Lastly, I propose to build strong theoretical concepts for security in order to build a more generalized architecture to prevent different kinds of attacks.
REFERENCES

[1] Peter Mell and Tim Grance, "The NIST Definition of Cloud Computing," Version 15, 10-7-09, http://www.wheresmyserver.co.nz/storage/media/faq-files/cloud-def-v15.pdf.

[2] Cloud Security Alliance, "Security Guidance for Critical Areas of Focus in Cloud Computing," 2012, https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf.

[3] Deyan Chen and Hong Zhao, "Data Security and Privacy Protection Issues in Cloud Computing," Proceedings of the 2012 International Conference on Computer Science and Electronics Engineering, IEEE, 2012, DOI 10.1109/ICCSEE.2012.193, pp. 647-651.

[4] Ali Sajid and Srijit K. Nair, "Secure Communication using Dynamic VPN Provisioning in an InterCloud Environment," IEEE, 2012, pp. 428-433.

[5] Farzad Sabahi, "Virtualization level security in cloud computing," IEEE, 2011, pp. 250-254.

[6] Nuno Santos, Krishna P. Gummadi and Rodrigo Rodrigues, "Towards trusted cloud computing," Proceedings of the 2009 conference on hot topics in cloud computing, USENIX Association, 2009.

[7] Manas Jog and M. Madiajagan, "Cloud Computing: Exploring Security Design Approaches in Infrastructure as a Service," Proceedings of the 2012 International Conference on Cloud Computing, Technologies, Applications & Management, IEEE, 2012, pp. 156-159.

[8] T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum and D. Boneh, "Terra: A Virtual Machine-Based Platform for Trusted Computing," ACM Press, 2003, pp. 193-206.

[9] Wesam Dawoud, Ibrahim Takouna and Christoph Meinel, "Infrastructure as a service security: Challenges and solutions," Proceedings of the 7th International Conference on Informatics and Systems (INFOS), 2010.

[10] Pankaj Arora, Rubal Chaudhry Wadhawan and Er. Satinder Pal Ahuja, "Cloud Computing Security Issues in Infrastructure as a Service," International Journal of Advanced Research in Computer Science and Software Engineering, Volume 2, Issue 1, January 2012.

[11] Amazon Web Services security whitepaper, http://aws.amazon.com and http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf.

[12] GoGrid cloud security, http://www.gogrid.com/gg/assets/GoGrid_Security-Overview_F.pdf.

[13] Rackspace cloud security whitepaper, http://www.rackspace.com/knowledge_center/whitepaper/rackspaceprivate-cloud-security-white-paper.

[14] Google Compute Engine common security whitepaper, https://cloud.google.com/files/GoogleCommonSecurity-WhitePaper-v1.4.pdf.

[15] vSphere, http://www.vmware.com/products/vsphere/features.html.

[16] vSphere common security whitepaper, http://www.vmware.com/files/pdf/techpaper/VMware-vSphere-Data-Protection-AdvancedEMC-Data-Domain-Integration.pdf.