
Security Issues and Solutions in Cloud Computing

Lovely Sasidharan, Neeth P.R., Dr. Leela Reddy

Lovely Sasidharan, Asst Professor, AMCEC Bangalore (E-mail: [email protected]).
Neeth P.R, Lecturer, AMCEC Bangalore (E-mail: [email protected]).
Dr. Leela Reddy is working as Professor, PESIT, India.

International Conference on Computational Techniques and Artificial Intelligence (ICCTAI'2011)

Abstract

Cloud computing is defined as a model for enabling convenient, on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned. Cloud computing is a next-generation technology wherein all resources will be available as a service through the internet. It is one of the fastest growing areas in the IT industry; it offers benefits such as dynamic resource provisioning, automated administration of IT infrastructures, and sharing of unlimited CPU, bandwidth or storage space. In this paper we list the security issues and challenges in the cloud environment and the security standards and management tools which are in place, and recommend the best solutions which we can rely on.

Keywords: Cloud, Data-centric protection, Security

I. INTRODUCTION

Cloud computing delivers software and services over networked connections, relying on a steady flow of throughput to and from the virtualized data center in order to maintain high service levels. Thanks to scalable virtualization technology, cloud computing gives users access to a set of pooled computing resources that share the following attributes:

- Multi-tenancy
- Highly scalable and elastic
- Self-provisioned
- Pay-per-use price model

In contrast to the significant capital expenditures it takes to purchase and provision the launch of a traditional in-house operational site, as well as the months of lead time that effort involves, cloud computing lets administrators spin up virtual servers. They can provision the necessary storage and launch an operational site within minutes or hours and for a fraction of historical costs. The virtualization that underlies cloud computing is very dynamic and allows a very high rate of change, says Budko, as customers move data and applications among physical devices. What is missing is the ability to manage it smoothly, avoiding a sprawl of unused or underused virtual machines that soak up electricity, cooling and management time and possibly create security risks just as unmanaged physical servers do. Corporations and business individuals are concerned about how security and compliance integrity can be maintained in this new environment.

According to an IDC survey conducted among IT executives and business colleagues, the top issue in cloud computing is security. Moving critical applications and sensitive data to the public cloud is the major concern, because the data moves under the control of a third party (the cloud service provider).

TABLE I
RATE THE CHALLENGES OR ISSUES OF CLOUD AS PER IDC SURVEY

Challenge or issue                          Respondents rating it a concern
Security                                    87%
Availability                                83%
Performance                                 82%
On-demand payment model costs more          81%
Lack of interoperability standards          80%
Bringing back in-house may be difficult     79%
Hard to integrate with in-house IT          76%
Not enough ability to customize             76%

II. SECURITY CONCERNS IN CLOUD COMPUTING

Open systems and shared resources raise many security challenges, making security one of the major barriers to adopting cloud computing technologies [2].

Fig. 1 Security in 3 levels: Cloud Infrastructure Security, divided into Network level, Host level and Application level.

A. Infrastructure Security: Network Level

At the network level, with a private cloud there are no new attacks. Changes in the organization's IT architecture will not change the current network topology significantly, and the security requirements of a private cloud will not require changes to the existing network topology.

In a public cloud, the security requirements will require changes to the existing topology. How the existing network topology will interact with the cloud provider's network topology should be addressed. Here there are four significant risk factors:

- Ensuring the confidentiality and integrity of the organization's data in transit to and from the public cloud provider.
- Ensuring proper access control (authentication, authorization and auditing) to whatever resources are being used at the public cloud provider.
- Ensuring the availability of the internet-facing resources in a public cloud that are being used by the organization.
- Replacing the established model of network zones and tiers with domains.

B. Infrastructure Security: Host Level

For host security, we should consider the context of the cloud service delivery models (SaaS, PaaS, IaaS) and deployment models (public, private and hybrid). The dynamic nature of the cloud can bring new operational challenges. The operational model motivates rapid provisioning and fleets of VM instances. Managing vulnerabilities and patches is therefore much harder, as the rate of change is much higher than in a traditional data center. Some of the new host security threats include:

- Stealing keys used to access and manage hosts (e.g., SSH private keys)
- Attacking unpatched, vulnerable services listening on standard ports (FTP, SSH, NetBIOS)
- Hijacking accounts that are not properly secured (i.e., weak or no passwords for standard accounts)
- Attacking systems that are not properly secured by host firewalls
- Deploying Trojans embedded in the software components in the VM or within the VM image (OS) itself

Securing virtual servers in the cloud requires strong operational security procedures. Here are some recommendations:

1. Use a secure-by-default configuration. Harden your image and use a standard hardened image for instantiating VMs (the guest OS) in a public cloud.
2. Protect the integrity of the hardened image from unauthorized access.
3. Safeguard the private keys required to access hosts in the private cloud.
4. Isolate the decryption keys from the cloud where the data is hosted.
5. Include no authentication credentials in virtualized images except for a key to decrypt the file system key.
6. Do not allow password-based authentication for shell access.
7. Require passwords for role-based access.
8. Run only the required services and turn off the unused services (e.g., turn off FTP, print services and database services if they are not required).
9. Enable system auditing and event logging, and log the security events to a dedicated log server. Isolate the log server with higher security protection, including access controls.
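The following is an added example, not code from the paper or from any of the products it mentions. It turns recommendations 6, 8 and 9 into a check that can be run against a VM built from a "hardened image": it parses an sshd_config for password-based shell access, compares the set of listening ports against the allow-list for the host's role, and confirms that rsyslog forwards events to a remote log server. The directive names and rsyslog "@host" forwarding syntax are real OpenSSH and rsyslog conventions; the configuration text, port table, allow-list and the address 10.0.0.5 are constructed sample input for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Finding is one deviation from the host-hardening recommendations above.
type Finding struct {
	Check  string
	Detail string
}

// AuditSSHConfig applies recommendation 6 (no password-based shell access)
// to the text of an sshd_config. sshd honours the first occurrence of a
// directive, so later duplicates are ignored here too. Directives that are
// not set explicitly are reported, because the effective value then depends
// on the build default rather than on the hardened image.
func AuditSSHConfig(cfg string) []Finding {
	seen := map[string]string{}
	for _, raw := range strings.Split(cfg, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		key := strings.ToLower(fields[0])
		if _, dup := seen[key]; !dup {
			seen[key] = strings.ToLower(fields[1])
		}
	}
	want := map[string]string{
		"passwordauthentication": "no",
		"permitemptypasswords":   "no",
		"permitrootlogin":        "no",
		"pubkeyauthentication":   "yes",
	}
	var findings []Finding
	for key, expected := range want {
		got, ok := seen[key]
		switch {
		case !ok:
			findings = append(findings, Finding{key, "not set explicitly; expected " + expected})
		case got != expected:
			findings = append(findings, Finding{key, "is " + got + ", expected " + expected})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Check < findings[j].Check })
	return findings
}

// AuditListeningPorts applies recommendation 8: every listening port must be
// on the allow-list for the host's role; anything else is an unused service
// that should be turned off.
func AuditListeningPorts(listening map[int]string, allowed map[int]bool) []Finding {
	ports := make([]int, 0, len(listening))
	for p := range listening {
		ports = append(ports, p)
	}
	sort.Ints(ports)
	var findings []Finding
	for _, p := range ports {
		if !allowed[p] {
			findings = append(findings, Finding{"port", fmt.Sprintf("%d (%s) is listening but not required", p, listening[p])})
		}
	}
	return findings
}

// HasRemoteLogTarget applies recommendation 9: at least one rsyslog rule must
// forward events to a remote log server ("@host" for UDP, "@@host" for TCP).
func HasRemoteLogTarget(rsyslogConf string) bool {
	for _, raw := range strings.Split(rsyslogConf, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) >= 2 && strings.HasPrefix(fields[1], "@") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs, not taken from any real host.
	sshd := "Port 22\nPasswordAuthentication yes\nPubkeyAuthentication yes\nPermitEmptyPasswords no\n"
	listening := map[int]string{21: "vsftpd", 22: "sshd", 631: "cupsd", 3306: "mysqld"}
	allowed := map[int]bool{22: true}
	rsyslog := "*.info /var/log/messages\nauthpriv.* @@10.0.0.5:6514\n"

	for _, f := range AuditSSHConfig(sshd) {
		fmt.Printf("sshd_config: %s %s\n", f.Check, f.Detail)
	}
	for _, f := range AuditListeningPorts(listening, allowed) {
		fmt.Printf("services: %s\n", f.Detail)
	}
	fmt.Printf("remote log target configured: %v\n", HasRemoteLogTarget(rsyslog))
}
```

Run against the constructed sample, the audit flags PasswordAuthentication being on, PermitRootLogin being left to its default, and three services (FTP, printing, database) that recommendation 8 says to turn off; the rsyslog check passes because events are forwarded over TCP to the log server. On a real host the three inputs would come from /etc/ssh/sshd_config, the output of a socket listing tool and /etc/rsyslog.conf.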

III. TOP CLOUD COMPUTING THREATS

A. Transparency

Service providers must demonstrate the existence of effective and robust security controls, assuring customers that their information is properly secured against unauthorized access, change and destruction. Key questions to decide are: How much transparency is enough? What needs to be transparent? Will transparency aid malefactors? Key areas where supplier transparency is important include: Which employees (of the provider) have access to customer information? Is segregation of duties between provider employees maintained? How is different customers' information segregated? What controls are in place to prevent, detect and react to breaches?

B. Privacy

With privacy concerns growing across the globe, it will be imperative for cloud computing service providers to prove to existing and prospective customers that privacy controls are in place and to demonstrate their ability to prevent, detect and react to breaches in a timely manner. Information and reporting lines of communication need to be in place and agreed on before service provisioning commences. These communication channels should be tested periodically during operations.

C. Compliance

Most organizations today must comply with a litany of laws, regulations and standards. There are concerns with cloud computing that data may not be stored in one place and may not be easily retrievable. It is critical to ensure that if data are demanded by authorities, they can be provided without compromising other information. Audits completed by legal, standards and regulatory authorities themselves demonstrate that there can be plenty of overreach in such seizures. When using cloud services there is no guarantee that an enterprise can get its information when needed, and some providers are even reserving the right to withhold information from authorities.

D. Trans-border information flow

When information can be stored anywhere in the cloud, the physical location of the information can become an issue. Physical location dictates jurisdiction and legal obligation. Country laws governing personally identifiable information (PII) vary greatly. What is allowed in one country can be a violation in another.

E. Certification

Cloud computing service providers will need to provide their customers assurance that they are doing the right things. Independent assurance from third-party audits and/or service auditor reports should be a vital part of any assurance program in choosing a provider. Reputation, history and sustainability should all be factors to consider.

F. Failure

Failure to perform to agreed-upon service levels can impact not only confidentiality but also availability, severely affecting business operations. The dynamic nature of cloud computing may result in confusion as to where information actually resides. When information retrieval is required, this may create delays. Third-party access to sensitive information creates a risk of compromise to confidential information. Due to the dynamic nature of the cloud, information may not be immediately located in the event of a disaster. Business continuity and disaster recovery plans must be well documented and tested. The cloud provider must understand the role it plays in terms of backups, incident response and recovery. Recovery time objectives should be stated in the contract.

IV. STRATEGIES FOR ADDRESSING CLOUD COMPUTING RISKS

Unauthorized access to data in the cloud is a significant concern. An enterprise must take an inventory of its information assets and ensure that data are properly classified and labeled. This will help to determine what should be specified when drafting a service level agreement (SLA), any need for encryption of data being transmitted or stored, and additional controls for information that is sensitive or of high value to the organization. The SLA is one of the most effective tools the enterprise can use to ensure adequate protection of information entrusted to the cloud. The SLA will be the tool where customers can specify whether joint control frameworks will be utilized and describe the expectation of an external, third-party audit. Clear expectations regarding the handling, usage, storage and availability of information must be articulated in the SLA. Additionally, requirements for business continuity and disaster recovery (discussed previously) will need to be communicated in the agreement.

V. GOVERNANCE AND CHANGE ISSUES WITH CLOUD COMPUTING

Typical governance activities such as goal setting, policy and standard development, defining roles and responsibilities, and managing risks must include special considerations when dealing with cloud technology and its providers. The cloud presents many unique situations for businesses to address. One large governance issue is that business unit personnel, who previously were forced to go through IT, can now bypass IT and receive services directly from the cloud. It is, therefore, paramount that information security policies address uses of cloud services.

VI. PROBLEM PRESENTATION

As more applications turn to SSL to help keep users secure, they may also be inadvertently hampering the ability of enterprises to ensure that malicious code and exploits are not slithering through network traffic from the endpoint. Alongside the growth of social networking, web mail and instant messaging are still growing strong. Compared to a year ago, instant messaging traffic has doubled, while web mail and social networking have grown about five-fold. Users are also using a mix of ways to share files, Palo Alto's numbers show: File Transfer Protocol, peer-to-peer networking and browser-based file sharing are used with 92 percent, 82 percent and 91 percent frequency, respectively. With the rise of applications using encryption, some measures need to be taken to protect the infrastructure. Technologies that detect botnet activity can correlate attempts to connect with network nodes identified as compromised, malicious, or recognized points of command-and-control, regardless of whether the attempt seeks to encrypt traffic, says Crawford. Another method is to turn to proxies as a type of traffic cop to inspect traffic to some degree. These can be complemented with policies that restrict or block encrypted traffic that doesn't pass through 'official' channels. However, some of these strategies may be limited in their usefulness if legitimate traffic cannot be directed through these accepted channels or unauthorized traffic cannot be sufficiently restrained.
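As an added example (not part of the paper, and not any vendor's detection logic), the two controls described in this section can be expressed as a small correlation pass over connection logs: a destination on a list of known compromised or command-and-control nodes is flagged whether or not the connection is encrypted, and encrypted egress that does not originate from the sanctioned proxy is flagged as bypassing the official channel. The flow-log format, the addresses (RFC 5737 documentation ranges and a 10.0.0.0/8 internal range), the blocklist and the proxy address 10.0.0.2 are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Flow is one connection attempt from a constructed, simplified flow log:
// "<timestamp> <src-ip> <dst-ip> <dst-port> <protocol>".
type Flow struct {
	Time, Src, Dst, Port, Proto string
}

// Alert names the flow and why it was flagged.
type Alert struct {
	Flow   Flow
	Reason string
}

// ParseFlow parses one log line; malformed lines are an error rather than
// silently dropped, so a gap in monitoring is visible.
func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Flow{}, errors.New("malformed flow line: " + line)
	}
	if net.ParseIP(f[1]) == nil || net.ParseIP(f[2]) == nil {
		return Flow{}, errors.New("bad address in flow line: " + line)
	}
	return Flow{Time: f[0], Src: f[1], Dst: f[2], Port: f[3], Proto: f[4]}, nil
}

// Correlate applies the two controls from the section above:
//  1. any attempt to reach a node on the known-bad list is flagged, whether
//     or not the connection is encrypted, since the correlation is on the
//     destination, not the payload;
//  2. encrypted egress that does not originate from the official proxy is
//     flagged as bypassing the sanctioned channel.
// internal is the address range treated as inside the organization.
func Correlate(flows []Flow, knownBad map[string]bool, proxy string, internal *net.IPNet) []Alert {
	var alerts []Alert
	for _, fl := range flows {
		switch {
		case knownBad[fl.Dst]:
			alerts = append(alerts, Alert{fl, "destination is a known compromised or C2 node"})
		case fl.Proto == "TLS" && !internal.Contains(net.ParseIP(fl.Dst)) && fl.Src != proxy:
			alerts = append(alerts, Alert{fl, "encrypted egress bypassing the official proxy"})
		}
	}
	return alerts
}

// sampleLog is constructed for this example; the addresses are documentation ranges.
const sampleLog = `2011-03-01T10:00:01Z 10.0.0.12 203.0.113.7 443 TLS
2011-03-01T10:00:02Z 10.0.0.9 203.0.113.7 80 HTTP
2011-03-01T10:00:03Z 10.0.0.12 198.51.100.20 443 TLS
2011-03-01T10:00:04Z 10.0.0.2 198.51.100.20 443 TLS
2011-03-01T10:00:05Z 10.0.0.12 10.0.0.50 443 TLS`

// RunSample parses sampleLog and correlates it against a constructed blocklist,
// with 10.0.0.2 playing the official proxy.
func RunSample() ([]Alert, error) {
	var flows []Flow
	for _, line := range strings.Split(sampleLog, "\n") {
		fl, err := ParseFlow(line)
		if err != nil {
			return nil, err
		}
		flows = append(flows, fl)
	}
	_, internal, _ := net.ParseCIDR("10.0.0.0/8")
	knownBad := map[string]bool{"203.0.113.7": true}
	return Correlate(flows, knownBad, "10.0.0.2", internal), nil
}

func main() {
	alerts, err := RunSample()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("%s %s -> %s:%s %s: %s\n", a.Flow.Time, a.Flow.Src, a.Flow.Dst, a.Flow.Port, a.Flow.Proto, a.Reason)
	}
}
```

Of the five constructed flows, the first two are flagged on the destination alone (one of them over plain HTTP, one over TLS, which is the point the section makes about encryption not defeating this correlation), the third is TLS egress from an ordinary workstation rather than the proxy, and the last two are allowed: one because it comes from the proxy, the other because it never leaves the internal range. The section's caveat applies unchanged: the proxy rule is only useful if legitimate clients really are configured to go through the proxy, otherwise it drowns in false positives.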

VII. SUGGESTED SOLUTION FOR SECURITY ISSUES IN CLOUD

One important way to increase data protection, confidentiality and integrity is to ensure that the data is protected in transit and at rest within the cloud using file-level encryption. As the CSA Security Guidance points out, encryption offers the benefits of minimum reliance on the cloud service provider and lack of dependence on detection of operational failure. Data-centric protection through encryption renders the data unusable to anyone that does not have the key to decrypt it. No matter whether the data is in motion or at rest, it remains protected. The owner of the decryption keys maintains the security of that data and can decide who and what to allow access to the data. Encryption procedures can be integrated into the existing workflow for cloud services. For example, an admin could encrypt all backup data before sending it into the storage cloud. An executive can protect corporate IP before putting it into the private cloud. And a sales representative could encrypt a private customer contract before sending it to a collaborative worksite, like SharePoint, in the public cloud.

Users run different operating systems on different computing platforms and want to share data securely inside or outside of the private or public cloud. One of the best security solutions for cloud and virtualized environments is data-centric, file-level encryption that is portable across all computing platforms and operating systems, and works within a private, public or hybrid cloud.
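The following added example is not the paper's code and not any product's implementation; it shows the data-centric, file-level encryption this section advocates in the form a practitioner would build it, and it also illustrates recommendations 4 and 5 from Section II.B (keep the decryption key out of the cloud; ship only a key that unlocks the file key). Each file gets a fresh data-encryption key (DEK); the file is sealed under the DEK and the DEK is sealed under a key-encryption key (KEK) that never leaves the owner's trusted zone. Only the envelope (ciphertext plus wrapped DEK) is handed to the cloud, so the provider holds nothing it can read. AES-256-GCM from Go's standard library provides both confidentiality and tamper detection; the file name and contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is the only thing handed to the cloud: the file ciphertext plus the
// per-file data-encryption key (DEK) wrapped under the owner's key-encryption
// key (KEK). The KEK stays in the owner's trusted zone, which is the key
// isolation that recommendation 4 asks for.
type Envelope struct {
	Name       string // file name, bound as AAD so an envelope cannot be renamed or swapped
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, file)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// NewKEK generates a 256-bit key-encryption key for the data owner.
func NewKEK() ([]byte, error) { return randomBytes(32) }

func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	// Prepend the nonce so the stored record is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptFile runs in the trusted zone before upload: fresh DEK per file,
// file sealed under the DEK, DEK sealed under the KEK.
func EncryptFile(kek []byte, name string, plaintext []byte) (Envelope, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte(name))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(name))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Name: name, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFile is run by whoever the owner has given the KEK to. A wrong KEK,
// a bit flip in the stored bytes, or a renamed envelope fails authentication
// instead of yielding garbage.
func DecryptFile(kek []byte, env Envelope) ([]byte, error) {
	dek, err := gcmOpen(kek, env.WrappedDEK, []byte(env.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, []byte(env.Name))
}

func main() {
	kek, _ := NewKEK()
	env, err := EncryptFile(kek, "contract.pdf", []byte("constructed sample contract"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFile(kek, env)
	fmt.Printf("decrypted with owner KEK: %q, err=%v\n", pt, err)
	other, _ := NewKEK()
	_, err = DecryptFile(other, env)
	fmt.Println("decrypt with another key fails:", err != nil)
}
```

Because the file name is bound as associated data, an envelope copied over another file's slot in the cloud store is rejected rather than silently decrypted under the wrong name, and because each file has its own DEK, granting someone access to one file means releasing one wrapped key rather than the KEK. Rotating the KEK only requires re-wrapping the small DEKs, not re-encrypting the data, which is what makes this workable for the backup and collaboration workflows the section describes.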

VIII. PUBLICATION PRINCIPLES

A. Required compliance framework

Do not give permission for every customer to access the data centers. Instead, use an agreed-upon compliance framework that allows customers to order off a menu of tests and get the results.

B. Standardized framework required

"Amazon has a view; Yahoo has a view; Google has a view," McNerney says. "But all our approaches are still different. The next wave is that all of us will have to come together with a framework that we will have to use to make it super-productive on the Web." For example, the companies need to agree on a way of handling universal IDs. The problems with federated identity on the Internet have not been solved in the standards. Customers are going to expect that this (cloud services) is an interoperable environment for them.

IX. CONCLUSION

Public cloud providers manage both the cloud infrastructure and the personal data that run on it. One way to ensure that data in the cloud is protected is to choose a security solution that encrypts the data at the file level before it leaves a trusted zone. IT administrators and end users can take back some control over their data protection needs by using a security solution that is data-centric because it protects the data itself, is portable across all computing platforms and operating systems, and works within any computing environment. Used properly, data-centric encryption prevents unauthorized access and tampering regardless of where the data travels, and means organizations can enjoy the business benefits of cloud computing without putting sensitive data at risk.

REFERENCES

[1] IDC Press Release, February 8, 2011, "IDC Forecasts U.S. Public IT Cloud Services Revenue to Grow 21.6%", http://www.idc.com/about/viewpressrelease.jsp.
[2] Cloud Security Alliance, December 2009, "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1", http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf.
[3] Security Group SRMS Blog, January 08, 2008, "Five Immutable Laws of Virtualization Security", http://srmsblog.burtongroup.com/2008/01/five-immutable.html.
[4] Amazon Web Services Customer Agreement, Updated September 25, 2008, Section 7.2, http://aws-portal.amazon.com/gp/aws/developer/terms-and-conditions.html.
[5]-[6] IDC Press Release, http://www.idc.com/about/viewpressrelease.jsp?containerId=prUS22605110&sectionId=null&elementId=null&pageType=SYNOPSIS.
[7] Amazon Web Services Customer Agreement, Updated September 25, 2008, Section 7.2.
[8] IDC Press Release, December 6, 2010, "Worldwide Market for Enterprise Server Virtualization to Reach $19.3 Billion by 2014", http://www.idc.com/about/viewpressrelease.jsp?containerId=prUS22692511&sectionId=null&elementId=null&pageType=SYNOPSIS.
[9] IDC Press Release, February 8, 2011, "IDC Forecasts U.S. Public IT Cloud Services".
[10] Tim Mather, Subra Kumaraswamy and Shahed Latif, "Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance".