Cloud Computing and Security Challenges

Abstract

Cloud Providers offer a pool of shared resources to their Customers through the cloud network. Nowadays, shifting to cloud is a very optimal decision as it provides pay-as-you-go services to customers.  Cloud  has  boomed  high  in  E-business  and  other  industries for  its  advantages  like  multi-tenancy,  resource  pooling,  storage capacity  etc.  In spite of its vitality, it exhibits various security flaws including loss of sensitive data, data leakage and few others related to cloning, resource pooling and so on. In order to comprehend security threats, this study is presented so as to effectively refine the crude security issues under various areas of cloud.  This  study  also  aims  at  revealing  different  security threats  under  the  cloud  models  and IT governance to stagnant these threats within Cloud.

Keywords- Characteristics, Deployment Model, Service Models, Data Location Compliance, Ancillary Data, Attack Surface.

        I.            Introduction

Cloud  Computing  has  emerged  as  a  very  well-known technique to support large and voluminous data with the help of  shared  pool  of  resources  and  large  storage  area.

Peter  Mell  and  Timothy  Grance[1],    have  defined  cloud computing as  “Cloud  computing  is  a  model  for  enabling ubiquitous, convenient, on-demand network access to a shared pool  of  configurable  computing  resources  (e.g.,  networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

A  cloud  service  is  generally  used  by  the  clients  as  and when needed, normally on hourly basis. This “on-demand” or “pay as you go” approach makes the cloud service flexible, where end user can have a great deal or modest service the  way  they  desire  at  any  point  of  time , where  the  service  is entirely  administered  by  the  provider.  Noteworthy improvements in each key components includes virtualization, distributed  computing  and  also  the  improved  access  to  high speed internet service therefore  weak economy have speeded up the inflate of cloud computing rigorously.

***II.     *** Understanding cloud computing

**A.5 Essential Cloud Characteristics

i.   On-demand self-service: A consumer can unilaterally provision computing capabilities, such as service time and network storage, as needed automatically without requiring human interaction with each service provider

ii.   Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

iii.  *** Resource pooling: The provider’s computing resources are pooled to serve multiple consumers. Resources can be dynamically assigned and reassigned according to customer demand. Customer generally may not care where the resources are physically located but should be aware of risks if they are located offshore*

iv.   Rapid elasticity: Capabilities can be expanded or released automatically (i.e., more CPU power, or ability to handle additional users) .To the customer this appears seamless, limitless, and responsive to their changing requirements.[1]

v.   Measured service: Customers are charged for the services they use and their usage. There is a metering concept where customer resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.[1]

**B.4 Cloud Deployment Model

---

Figure 1: Cloud computing type

i.   Private cloud: Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third-party and hosted internally or externally. Undertaking a private cloud project requires a significant level and degree of engagement to virtualize the business environment, and requires the organization to reevaluate decisions about existing resources.[4][5]

ii.   Community cloud: Community cloud shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third-party and hosted internally or externally. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the cost savings potential of cloud computing are realized.[3][4]

iii.   Public cloud: A cloud is called a "public cloud" when the services are rendered over a network that is open for public use. Technically there may be little or no difference between public and private cloud architecture. Generally, public cloud service providers like Amazon AWS, Microsoft and Google own and operate the infrastructure and offer access only via Internet [6]

iv.   Hybrid cloud: Hybrid cloud is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models. Gartner, Inc. defines a hybrid cloud service as a [cloud computing service that is composed of some combination of private, public and community cloud services, from different service providers.]A hybrid cloud service crosses isolation and provider boundaries so that it can’t be simply put in one category of private, public, or community cloud service. It allows one to extend either the capacity or the capability of a cloud service, by aggregation, integration or customization with another cloud service. By finally "hybrid cloud" architecture, companies and individuals are able to obtain degrees of fault tolerance combined with locally immediate usability without dependency on internet connectivity. Hybrid cloud architecture requires both on-premises resources and off-site (remote) server-based cloud infrastructure.[3][7]

**C.4 Cloud Service Models

i.   Software as a Service (SaaS): The capability provided to the consumer use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g. Web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user specific application configuration settings.[1]

ii.   Platform as a Service (PaaS): The capability provided to the consumer to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.[1][7]

iii.   Infrastructure as a Service (IaaS): The capability provided to the consumer to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).[1]

iv.   Network as a service (NaaS): A category of cloud services where the capability provided to the cloud service user to use network/transport connectivity services and/or inter-cloud network connectivity services. NaaS involves the optimization of resource allocations by considering network and computing resources as a unified whole. Traditional NaaS services include flexible and extended VPN, and bandwidth on demand. NaaS concept materialization also includes the provision of a virtual network service by the owners of the network infrastructure to a third party.[8]

***   III.           *** Cloud security challenges.

Security has been one of the most challenging issues for the IT executives particularly in cloud implementation. There exist numerous security anxieties that are preventing companies from captivating advantages of the cloud. Several studies identified security as the primary level confront for cloud users. In this section, taxonomy related to cloud computing security has been presented.

There are existing security challenges, experienced in other computing environments, and there are new elements which are necessary to consider. The challenges include

**A.Governance

Cloud computing requires an appropriate IT governance model to ensure a secured computing environment and to comply with all relevant organizational information technology policies. As such, organizations need a set of capabilities that are essential when effectively implementing and managing cloud services, including demand management, relationship management, data security management, application lifecycle management, risk and compliance management. A danger lies with the explosion of companies joining the growth in cloud computing by becoming providers. However, many of the infrastructural and logistical concerns regarding the operation of cloud computing businesses are still unknown. This immaturity may have ramifications for the industry as whole.

Achieving and maintaining governance and compliance in cloud environments brings new challenges to many organizations. Things you might need to consider include: [9]

Jurisdiction and regulatory requirements

·         Can data be accessed and stored at rest within regulatory constraints?

·         Are development, test and operational clouds managing data within the required jurisdictions including backups?

Complying with Export/Import controls

·         Applying encryption software to data in the cloud: Are these controls permitted in a particular country/jurisdiction?

·         Can you legally operate with the security mechanisms being applied?

Compliance of the infrastructure

·         Are you buying into a cloud architecture/infrastructure/service which is not compliant?

Audit and reporting

·         Can you provide the required evidence and reports to show compliance to regulations such as PCI and SOX?

·         Can you satisfy legal requirements for information when operating in the cloud?

The  ability  to  reduce  capital  investment  for  computing  resources,  and  instead,  satisfy computational  needs  through  operational expenses  is an advantage of cloud computing. Cloud computing can lower the initial cost of deploying new services and  shorten the time  required  to gain  a  tangible  benefit  from  the  investment  (i.e.,  accelerate  the  time-to-value),  thus  better aligning expense  with  actual  use. However,  the  normal  processes  and  procedures  an organization  uses  to  acquire  computational  resources  as  capital  expenditures  may  be  easily bypassed  by  a  department  or  an  individual,  and  the  procuration  obscured  under  day-to-day operations .

**B.Data

Cloud places data in new and different places, not just the user data but also the application (source) code. Who has access, and what is left behind when you scale down a service? Other key issues include:

Data Location Compliance

One of the most common compliance issues facing an organization is data location .Use of an in-house computing center allows an organization to structure its computing environment and to know in detail where data is stored and what safeguards are used to protect the data. In contrast, a characteristic of many  cloud  computing  services  is  that  data  is  stored  redundantly  in  multiple  physical locations  and  detailed  information  about  the  location  of  an  organization’s  data  is unavailable or not disclosed to the service  consumer. This situation makes it difficult to ascertain  whether  sufficient  safeguards  are  in  place  and  whether  legal  and  regulatory compliance requirements are being met.  For example, NARA regulations include  facility  requirements  for  the  storage  of  federal  records  and  stipulate a minimum  height  above  and  distance  away  from  a  flood  plain.   External audits and security certifications can alleviate this issue to some extent, but they are not a panacea. [2]

Trust: Data Ownership

The  organization’s  ownership  rights  over  the  data  must  be  firmly established in the service contract to  enable a basis for trust  and privacy  of data.  The continuing  controversy  over  privacy  and  data  ownership  rights  for  social  networking users illustrates the impact that ambiguous action can have on the parties involved. Ideally, the contract should state clearly that the organization retains exclusive  ownership  over  all  its  data;  that  the  cloud  provider  acquires  no  rights  or licenses through the agreement, including intellectual property rights or licenses,  to use the  organization’s data for its own purposes; and that the cloud provider does not acquire and may not claim any  interest in the data  due to security . For these provisions to  work  as  intended,  the  terms  of  data  ownership  must  not  be  subject  to  unilateral amendment by the cloud provider.[2]

Trust: Ancillary Data

While the focus of attention in cloud computing is mainly on protecting application data, cloud providers  also  hold significant details about the accounts  of cloud consumers  that  could  be  compromised  and  used  in  subsequent  attacks.   Payment information  is  one  example;  other,  more  subtle  types  of  information,  can  also  be involved.   For  example,  a  database  of  contact  information  stolen  from  a  SaaS  cloud provider, via a targeted phishing attack against one of its employees, was used in turn to launch successful targeted electronic mail attacks against  consumers of the cloud service.   The  incident  illustrates  the  need  for  cloud  providers  to  protect  and report  promptly security breaches occurring not only in the data the cloud provider holds for its  consumers, but also  in  the data it holds  about  its  consumers, regardless of whether the data is held within or separately from the cloud infrastructure.

Other types of ancillary data that exists involve information the cloud provider collects or produces about customer-related activity in the cloud.  They  include  data  collected  to meter  and  charge  for  consumption  of  resources,  logs  and  audit  trails,  and  other  such metadata  that  is  generated  and  accumulated  within  the  cloud  environment.    Unlike organizational data, a cloud provider may be more inclined to claim ownership over the operational and other types of metadata it collects. Such  data, if sold,  released, or leaked to a third party,  however, is a  potential threat to  an organization’s privacy, since the data could  be  used  to  infer  the  status  and  outlook  of  an  organization’s  initiative  (e.g.,  the activity  level  or  projected  growth  of  a  startup  company).   Several  points  to  consider clarifying  in a  service contract are the types of metadata collected by the cloud provider, the  protection  afforded to  the  metadata,  and  the  organization’s  rights  over  metadata, including ownership, opting out of collection or distribution, and fair use.

Data Isolation

Data can take many forms. For example, for cloud-based application development,  it  includes  the  application  programs,  scripts,  and  configuration  settings, along  with  the  development  tools.   For deployed applications, it includes records and other content created or used by the applications, including deallocated objects, as well as account information about the users of the applications. Access controls are one means to keep data away from unauthorized users; encryption is another. Access controls are typically identity-based, which makes authentication of the user’s identity an important issue in cloud computing.  Lacking physical control over the storage of information makes encryption is the only way to ensure that it is truly protected. [2]

Data must be secured while at rest, in transit, and in use, and access to the data must be controlled.   Standards  for  communications  protocols  and  public  key  certificates  allow data transfers to be protected using cryptography  and  can usually  be implemented  with equal  effort  in  SaaS,  PaaS,  and  IaaS  environments .Procedures for protecting data at rest are not as well standardized, however, making interoperability an issue due to the predominance of proprietary systems.   Capabilities  also  vary  greatly across  service  models,  and  cryptographic  protection  may  not  be  feasible  for  some environments,  particularly  PaaS and  SaaS  environments.  The lack of interoperability  affects  the  availability  of  data  and  complicates  the  portability  of applications and data between cloud providers.  Protecting data in use is an emerging area of cryptography with little practical results to offer, leaving trust mechanisms as the main safeguard.

Data Sanitization

The data sanitization practices that a cloud provider implements have obvious implications for security.   Sanitization  involves  the  expunging  of  data  from storage media by overwriting, degaussing, or other means, or the destruction of the media itself,  to  prevent  unauthorized  disclosure  of  information. It applies in various equipment refresh or maintenance situations, such as when a storage device is removed from service or repurposed.   Data  sanitization  also  applies  to  backup  copies  made  for recovery  and  restoration  of  service  and  residual  data  remaining  upon  termination  of service.

In  a  public  cloud  computing  environment,  data  from  one  consumer  is  physically collocated (e.g., in an IaaS data store) or  commingled  (e.g., in a SaaS database)  with the data  of  other  consumers,  which  can  complicate  matters.   Many examples exist of researchers obtaining used drives from online auctions and other sources and recovering large amounts of sensitive information from them (e.g., [Val08]). With the proper skills and  equipment,  it  is  also  possible  to  recover  data  from  failed  drives,  if  they  are  not disposed of properly .  Service agreements should  stipulate sufficient measures that  are  taken  to  ensure  data  sanitization  is  performed  appropriately  throughout  the system lifecycle.

**C.Architecture

Standardized infrastructure and applications; increased commoditization leading to more opportunity to exploit a single vulnerability many times. To complement  the  server side  of the equation,  cloud-based applications  require  a  client side  to initiate  and obtain  services.  While Web browsers often serve as clients, other possibilities exist. In  addition,  an  adequate  and  secure  network  communications  infrastructure  must  be  in  place. Many of the simplified interfaces and service abstractions on the client, server, and network belie the inherent underlying complexity that affects security and privacy .Looking at the underlying architecture and infrastructure, some of the considerations include: [2][8]

Attack Surface

The  hypervisor  or  virtual  machine  monitor  is  an  additional  layer  of software  between  an  operating  system  and  hardware  platform  that  is  used  to  operate multi-tenant  virtual  machines  and  is  common  to  IaaS  clouds.   Besides virtualized resources, the hypervisor normally supports other application programming interfaces to conduct administrative operations, such as launching, migrating, and terminating virtual machine instances.   Compared  with  a  traditional,  non-virtualized  implementation,  the addition  of  a  hypervisor  causes  an  increase  in  the  attack  surface.   That  is,  there  are additional  methods  (e.g.,  application  programming  interfaces),  channels  (e.g.,  sockets), and data items (e.g., input strings) an attacker can use to cause damage to the system.

Virtual  servers  and  applications,  much  like  their  non-virtual  counterparts,  need  to  be secured, both physically and logically. Following organizational policies and procedures, the  operating  system  and  applications  should  be  hardened  when  producing  virtual machine  images for deployment. Care must also be taken to provision security for the virtualized  environments  in  which  the  images  run .For  example,  virtual firewalls can be used to isolate groups of virtual machines from other hosted groups, such as  production  systems  from  development  systems,  or  development  systems  from  other cloud-resident systems. Carefully managing virtual machine images is also important to avoid accidentally deploying images under development or containing vulnerabilities.

Virtual Network Protection

Most virtualization platforms have the ability to create software-based switches and network configurations as part of the virtual environment to allow virtual machines on the same host to communicate more directly and efficiently. For  example,  for  virtual  machines  requiring  no  external  network  access,  the  virtual networking  architectures  of  most  virtualization  software  products  support  same-host networking, in which a private subnet is created for intra-host communications. Traffic over virtual networks may not be visible to security protection devices on the physical network, such as network-based intrusion detection and prevention systems .To avoid a loss of visibility and protection against intra-host attacks, duplication of  the  physical  network  protection  capabilities  may  be  required  on  the  virtual  network.  While some hypervisors allow network monitoring,  their capabilities are  generally  not  as  robust  as  those  in  tools  used  to  monitor  physical  networks. Organizations should consider the risk and performance tradeoffs between having traffic hidden  within  the  hypervisor  versus  exposing  that  traffic  to  the  physical  network  for monitoring.

Client-Side Protection

A successful defense against attacks requires securing both the client and server side of cloud computing. With emphasis typically placed on the latter, the former can be easily overlooked.  Services from different cloud providers, as well as cloud-based  applications  developed  by  the  organization,  can  impose  more  exacting demands on the client, which may have implications for security and privacy that need to be  taken  into  consideration.    Web  browsers,  a  key  element  for  many  cloud  computing  services,  and  the  various  plug-ins  and  extensions  available  for  them  are  notorious  for their security problems. Moreover, many browser add-ons do  not  provide  automatic  updates,  increasing  the  persistence  of  any  existing vulnerabilities.

The growing availability and use of social media, personal Webmail, and other publicly available sites also have associated risks that are a concern, since they increasingly serve as avenues for social engineering attacks that can negatively impact the security of the browser, its underlying platform, and cloud services accessed. For example, spyware was reportedly  installed  in  a  hospital  system  via  an  employee’s  personal  Webmail  account and  sent  the  attacker  more  than  1,000  screen  captures,  containing  financial  and  other confidential information, before being discovered . Having a backdoor Trojan, keystroke logger, or other type of malware present on a client,  runs counter to protecting the security   and privacy  of  public  cloud  services,  as well as  other  Internet-facing public services being accessed.

**D.Assurance

Challenges exist for testing and assuring the infrastructure, especially when there is no easy way for data center visits or penetration (pen) tests. Some of the Challenges include:

Service Level Agreements (SLAs).

There  were  several  open  issues  reported  with  crafting  cloud  service  provider  SLAs. Feedback  indicated  a  severe  need  for  SLA  templates  and  contractual  language  that enterprises could work from and adapt. There were three areas of particular concern. The first was mapping regulatory and standards requirements to specific terms that fit into an SLA. The second was being able to craft an SLA that cloud providers would accept that still meet the burden of internal and external audit.  The  third  was  the  need  for  better processes to map the terms of service in the agreements that enterprises had with their customers  to  an  SLA  with  cloud  providers.  Respondents  indicated  that  there  was  a significant  gap,  in  some  cases,  between  their  requirements  and  the  terms  that  cloud service providers would  agree to.  Many had to shop around before finding a provider that met their requirements. In all cases, the inability of a cloud provider to meet explicit regulatory requirements would derail a deal.  Beyond explicit regulatory requirements, many respondents indicated that security requirements were not adequately detailed in many current provider SLAs. 

Contingency planning and disaster recovery for cloud implementations.

Business Continuity and Disaster Recovery (BC/DR) are the contingency plans and measures designed and implemented to ensure operational resiliency in the event of any service interruptions. BC/DR plans have always been important to any business. As IT systems have become more central to all areas of business, the ability to quickly and reliably recover these systems has become critical. This, in conjunction with increased focus on BC/DR from regulatory bodies, has helped ensure that BC/DR planning and testing is much higher on the agenda for most businesses.

Cloud centric BC/DR makes use of the cloud’s flexibility to minimize cost and maximize benefits. For example, a tenant could make use of lower specification guest machines as replication targets for data and systems, thus minimizing costs. With the ability to quickly ramp up these machines, and even the number of machines (guests), in a BC/DR scenario, the tenant would have the same benefits as hosting the fully specified systems 24/7. This ability to minimize cost, while also providing full performance should DR be invoked, is a key benefit of the cloud's flexibility and resilience.

When using the cloud for operational processes and/or production systems, an organization’s BC/DR requirements must be included in their procurement, planning, design, management, and monitoring of their cloud environments and cloud service providers. BC/DR requirements should be embedded in service or operational level objectives.

Cloud providers typically do not offer a complete BC/DR service, which may include office space, monitors, phones, etc. Cloud providers primarily offer availability for servers/systems and storage, and possibly end-user access via virtual desktops. All aspects of the services to be provided in the case of an invocation should be negotiated and defined fully in their service level agreement (SLA).

***    IV.           *** Conclusion and future work

Cloud computing has made customers both thrilled and edgy.  They are excited by various opportunities provided by the cloud and are anxious as well to the questions related to the security it offers. When users migrate their data on cloud they would be alarmed with the security flaws inherent to the cloud environment. These security threats with cloud computing have emerged as one of the very plausible topics.  This study has put points on security threats found across the cloud models and its governance.   This study will further be extended by security prevention mechanisms for Cloud and how to align Cloud with IT governance for Egypt Stock Exchange.

References

1-       "The NIST Definition of Cloud Computing". National Institute of Standards and Technology. July 2011

2-       “Guidelines on Security and Privacy in Public Cloud Computing”. National Institute of Standards and Technology. Dec 2011

3-       “Gartner Says Cloud Computing Will Be As Influential As E-business” gartner.com June, 2008

4-       “Just don't call them private clouds” news.cnet.com January, 2009

5-       “There's No Such Thing As A Private Cloud” ,informationweek.com January, 2009

6-       “HP's Turn-Key Private Cloud – Application Development Trends". Adtmag.com. 2010-08-30

7-       “Mind the Gap: Here Comes Hybrid Cloud” ,blogs.gartner.com September, 2012 

8-       “The role of virtualization in future network architectures”, Ádám Kapovits , June 2011

9-       “Transformation to Cloud Services Sourcing: Required IT Governance Capabilities”, Anton Joha, Marijn Janssen, September 2012.

* *