
MANAKULA VINAYAGAR INSTITUTE OF TECHNOLOGY

SECURITY IN CLOUD COMPUTING Batch no.: 12

CLOUD COMPUTING

CLOUD COMPUTING PROVIDES UNLIMITED INFRASTRUCTURE TO STORE AND EXECUTE CUSTOMER DATA AND PROGRAMS.

CUSTOMERS DO NOT NEED TO OWN THE INFRASTRUCTURE; THEY ARE MERELY ACCESSING OR RENTING IT. THEY CAN FOREGO CAPITAL EXPENDITURE AND CONSUME RESOURCES AS A SERVICE, PAYING INSTEAD FOR WHAT THEY USE.

BENEFITS OF CLOUD COMPUTING :


MINIMIZED CAPITAL EXPENDITURE
LOCATION AND DEVICE INDEPENDENCE
UTILIZATION AND EFFICIENCY IMPROVEMENT
VERY HIGH SCALABILITY
HIGH COMPUTING POWER

SECURITY IN CLOUD COMPUTING

Cloud computing is a catch-all phrase that covers virtualized operating systems running on virtual hardware on untold numbers of physical servers. The cloud term has consumed High-Performance Computing (HPC), Grid Computing and Utility Computing. The Cloud Security Alliance has adopted the definition developed by NIST: computing in the cloud is a model exhibiting the following characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service (Cloud Security Alliance Guidance Version 2.1, 2009, p. 15). This is an area that appears to be growing larger and more pervasive as the benefits of cloud architectures become better understood. More organizations start their own cloud projects and more application developers sign on for cloud development as the hyperbole is shaken out and the real parameters of the key technologies are discovered and perfected.

The basic areas of cloud vulnerability are similar to the standard issues that surround networking and networked applications. The issues specific to cloud architectures include network control being in the hands of third parties and a potential for sensitive data to be available to a much larger selection of third parties, both on the staff of the cloud providers and among the other clients of the cloud.

The quick adoption of the cloud model is plain in the success of the Amazon Elastic Cloud Computing (EC2) product, the buy-in from IBM with their backing of the highly concurrent, massively parallel language X-10 (Saraswat, Vijay, 2010) and Microsoft's investment in its Azure cloud (Qiu et al., 2009). Janine Milne reported that eight of ten businesses surveyed in the UK were opting for private cloud initiatives rather than public cloud projects, and they stated the issues of concern to be data security in transit, in storage or during processes (Milne, 2010). It is plain that the field is full and the harvest for the IT security profession and IT in general is excellent.

Security is always a major concern in Open System Architectures

Dangers
Disrupts Services. Theft of Information. Loss of Privacy. Damage information.

Background
Cloud computing is a marketing term that refers to web-based application, storage, and communications services. Though this move to computing in the cloud seems to be inevitable, at least part of the reason why it is inevitable is expedience for the supplier companies, and vendor lock-in, or as Richard Stallman says in the Guardian, "If you use a proprietary program or somebody else's web server, you're defenseless (sic). You're putty in the hands of whoever developed that software." (Cloud computing is a trap, warns GNU founder | Technology | guardian.co.uk, 2008)

Perhaps because the definition of Cloud Computing is so broad and vague, there is a tendency to define it by what it is not. There is also a tendency to define as cloud computing whatever is in great supply, such as a large data center's surplus processing capacity. Christodorescu, Sailer, Schales, Sgandurra & Zamboni (2009) point out that clouds are not synonymous with virtualization, though most clouds must use some sort of virtualization at hardware, OS or application level (Christodorescu, Sailer, Schales, Sgandurra, & Zamboni, 2009, p. 99).

Security issues associated with the cloud


There are a number of security issues and concerns associated with cloud computing, but these fall into two broad categories: security issues faced by cloud providers (organizations providing Software-, Platform-, or Infrastructure-as-a-Service via the cloud) and security issues faced by their customers. In most cases, the provider must ensure that their infrastructure is secure and that their clients' data and applications are protected, while the customer must ensure that the provider has taken the proper security measures to protect their information.

Dimensions of cloud security


While cloud security concerns can be grouped into any number of dimensions (Gartner names seven while the Cloud Security Alliance identifies thirteen areas of concern) these dimensions have been aggregated into three general areas: Security and Privacy, Compliance, and Legal or Contractual Issues.

Security and privacy


In order to ensure that data is secure (that it cannot be accessed by unauthorized users or simply lost) and that data privacy is maintained, cloud providers attend to the following areas:

Data protection
To be considered protected, data from one customer must be properly segregated from that of another; it must be stored securely when at rest and it must be able to move securely from one location to another. Cloud providers have systems in place to prevent data leaks or access by third parties. Proper separation of duties should ensure that auditing and/or monitoring cannot be defeated, even by privileged users at the cloud provider.

Identity management
Every enterprise will have its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer's identity management system into their own infrastructure, using federation or SSO technology, or provide an identity management solution of their own.

Physical and personnel security


Providers ensure that physical machines are adequately secure and that access to these machines, as well as to all relevant customer data, is not only restricted but also documented.

Availability

Cloud providers assure customers that they will have regular and predictable access to their data and applications.

Application security
Cloud providers ensure that applications available as a service via the cloud are secure by implementing testing and acceptance procedures for outsourced or packaged application code. This also requires that application security measures (application-level firewalls) be in place in the production environment.

Privacy
Finally, providers ensure that all critical data (credit card numbers, for example) are masked and that only authorized users have access to data in its entirety. Moreover, digital identities and credentials must be protected as should any data that the provider collects or produces about customer activity in the cloud.

Vulnerabilities
Cloud computing shares in common with other network-based application, storage and communication platforms certain vulnerabilities in several broad areas:

Web application vulnerabilities, such as cross-site scripting and SQL injection (which are symptomatic of poor field input validation), buffer overflow, as well as default configurations or misconfigured applications.

Accessibility vulnerabilities, which are vulnerabilities inherent to the TCP/IP stack and the operating systems, such as denial of service and distributed denial of service (Krügel, Toth, & Kirda, 2002).

Authentication of the respondent device or devices. IP spoofing, RIP attacks, ARP poisoning (spoofing), and DNS poisoning are all too common on the Internet. TCP/IP has some unfixable flaws, such as trusted machine status of machines that have been in contact with each other, and the tacit assumption that routing tables on routers will not be maliciously altered.

Data verification, tampering, loss and theft, while on a local machine, while in transit, while at rest at the unknown third-party device or devices, and during remote back-ups.

Physical access issues, both the issue of an organization's staff not having physical access to the machines storing and processing the data, and the issue of unknown third parties having physical access to the machines.

Privacy and control issues stemming from third parties having physical control of the data are an issue for all outsourced networked applications and storage, but cloud architectures have some specific issues that are distinct from the usual issues.

Christodorescu et al. show a significant gap between what is assumed and what is reality, i.e., all virtual machines are brought into existence clean, when in reality a compromised hypervisor can spawn compromised VMs, or all VM operating systems are known and available for audit, when in reality the Windows source code, among others, is not available for audit (Christodorescu et al., 2009, p. 100).

Security Is the Major Challenge

Security Solutions
There are several groups interested in developing standards and security for clouds and cloud security. The Cloud Security Alliance (CSA) is gathering solution providers, non-profits and individuals to enter into discussion about the current and future best practices for information assurance in the cloud (Cloud Security Alliance (CSA) security best practices for cloud computing, 2009). The Cloud Standards web site is collecting and coordinating information about cloud-related standards under development by other groups (Clouds Standards, 2010). The Open Web Application Security Project (OWASP) maintains a top 10 list of vulnerabilities to cloud-based or Software as a Service deployment models, which is updated as the threat landscape changes (OWASP, 2010). The Open Grid Forum publishes documents containing security and infrastructural specifications and information for grid computing developers and researchers (Open Grid Forum, 2010).

Web Application Solutions

The best security solution for web applications is to develop a development framework that shows and teaches a respect for security. Tsai, W., Jin, Z., & Bai, X. (2009) put forth a four-tier framework for web-based development that, though interesting, only implies a security facet in the process (Tsai, Jin, & Bai, 2009, p. 1). Towards best practices in designing for the cloud by Berre, Roman, Landre, Heuvel, Lennon, & Zeid (2009) is a road map toward cloud-centric development (Berre et al., 2009), and the X10 language is one way to achieve better use of the cloud capabilities of massive parallel processing and concurrency (Saraswat, Vijay, 2010).

Accessibility Solutions
Point out the value of filtering a packet-sniffer output to specific services as an effective way to address security issues shown by anomalous packets directed to specific ports or services. An often-ignored solution to accessibility vulnerabilities is to shut down unused services, keep patches updated, and reduce permissions and access rights of applications and users.
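A sketch of filtering sniffer output to specific services, as an added example that is not part of the original paper. The capture lines are constructed in the text format printed by `tcpdump -n`; the server address, the watched and expected port sets, the threshold and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed capture lines in tcpdump's default text format (`tcpdump -n`).
CAPTURE = """\
12:00:01.000001 IP 203.0.113.5.51000 > 10.0.0.20.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 203.0.113.5.51001 > 10.0.0.20.22: Flags [S], seq 2, win 64240, length 0
12:00:01.000003 IP 203.0.113.5.51002 > 10.0.0.20.22: Flags [S], seq 3, win 64240, length 0
12:00:02.000001 IP 198.51.100.7.40000 > 10.0.0.20.443: Flags [S], seq 4, win 64240, length 0
12:00:02.000002 IP 10.0.0.20.443 > 198.51.100.7.40000: Flags [S.], seq 5, ack 5, win 65160, length 0
12:00:03.000001 IP 198.51.100.9.40001 > 10.0.0.20.23: Flags [S], seq 6, win 64240, length 0
"""

LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[(\S+)\]"
)

def inbound_syns(capture, server):
    """Yield (source_ip, dest_port) for connection attempts (SYN without ACK) to server."""
    for line in capture.splitlines():
        m = LINE.search(line)
        if m and m.group(3) == server and m.group(5) == "S":
            yield m.group(1), int(m.group(4))

def review(capture, server, watched, expected, threshold=3):
    """Filter to the watched service ports; report noisy sources and unexpected ports."""
    per_source = Counter()
    unexpected = set()
    for src, port in inbound_syns(capture, server):
        if port not in expected:
            unexpected.add(port)        # no service should be listening here
        if port in watched:
            per_source[(src, port)] += 1
    noisy = sorted(k for k, n in per_source.items() if n >= threshold)
    return noisy, sorted(unexpected)

if __name__ == "__main__":
    print(review(CAPTURE, "10.0.0.20", watched={22}, expected={22, 443}))
```

Ports reported as unexpected are candidates for the second measure in the paragraph: confirm the service is shut down or blocked.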

Authentication Solutions
Halton and Basta (2007) suggest avoiding IP spoofing by using encrypted protocols wherever possible. They also suggest avoiding ARP poisoning by requiring root access to change ARP tables; using static, rather than dynamic, ARP tables; or at least making sure changes to the ARP tables are logged (Basta & Halton, 2007, p. 166).

Data Verification, Tampering, Loss and Theft Solutions


Raj, Nathuji, Singh and England (2009) suggest resource isolation to ensure security of data during processing, by isolating the processor caches in virtual machines, and isolating those virtual caches from the hypervisor cache (Raj, Nathuji, Singh, & England, 2009, p. 80). Hayes points out that there is no way to know if the cloud providers properly deleted a client's purged data, or whether they saved it for some unknown reason (Hayes, 2008, p. 11). Would cloud providers and clients have custody battles over client data?

Privacy and Control Solutions


Hayes (2008) points out an interesting wrinkle here: allowing a third-party service to take custody of personal documents raises awkward questions about control and ownership: If you move to a competing service provider, can you take your data with you? Could you lose access to your documents if you fail to pay a bill? (Hayes, 2008, p. 11). The issues of privacy and control cannot be solved, but merely assured with tight service-level agreements (SLAs) or by keeping the cloud itself private.

Physical access solutions


One simple solution, which Milne (2010) states to be widely used by UK businesses, is to simply use in-house private clouds (Milne, 2010). Nurmi, Wolski, Grzegorczyk, Obertelli, Soman, Youseff, & Zagorodnov show a preview of one of the available home-grown clouds in their (2009) presentation, The Eucalyptus Open-Source Cloud-Computing System (Nurmi et al., 2009).

Conclusion
The largest gap between cloud-security practice and cloud-security research lies in the fact that the assumptions in the research leave out some very important differences between cloud security and virtual machine security, as pointed out by Christodorescu et al. (2009). The research questions will center on these differences, and they intend to develop a mixed-method research framework to discover how the vulnerabilities are exploited, and what must be done to close the vulnerabilities. One of the pieces of the framework might be developing a way to monitor the cloud's management software, and another might be development of isolated processing for specific clients' applications. Having a way to tell whether the virtual machines in the cloud are patched properly would also be a useful part of the framework. People's behavior can be tracked and monitored: for instance, whether people allow the automated patching software to run, whether they update anti-virus software definitions (on virtual machines running operating systems that are susceptible to viruses, worms and other such malware), or whether they understand how to harden their virtual machines in the cloud.
