Windows Azure Platform - Security Challenges & Offerings

Rini Mahajan, Asst. Prof, Department of Computer Science & Engineering, Quest Group of Institutions, Jhanjeri (Mohali) [email protected]

Dr. Dheerendra Singh, Professor & Head, Deptt. of Computer Science & Engineering, SUSCET, Tangori, Mohali.

Abstract - Nowadays cloud computing is a very popular technology. Many large and medium-sized organizations are using cloud services such as IaaS, SaaS or PaaS. Access to these services is based on standard Internet protocols like HTTP, SOAP, REST and XML. Cloud computing is an emerging field because of its performance, high availability and low cost. There are many platforms to implement and provide cloud computing services; Microsoft Windows Azure is one of them. As the interest of large and medium-sized organizations increases, security concerns increase as well. This paper presents an overview of the Windows Azure platform for providing cloud computing services, its security issues and its offerings.

Index Terms - Cloud Computing, Windows Azure, Security, Vulnerabilities, Threats, Risks, Countermeasures.

I. INTRODUCTION

Cloud computing is scalable Internet-based IT services and resources. One feature is common to all such new technologies: a shift in the geography of computation [5]. Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and devices on demand, like the electricity grid.

Cloud computing is the combination of technology, platform, hosting storage, and application hosted as a service [1]. A cloud can host a variety of different workloads. It allows workloads to be deployed and scaled out quickly through the rapid provisioning of virtual or physical machines; supports redundant, self-recovering, highly scalable programming models that allow workloads to recover from many unavoidable hardware/software failures; and monitors resource use in real time to enable rebalancing of allocations when needed [3].

II. WINDOWS AZURE

The Microsoft Windows Azure platform is a group of cloud technologies, each providing a specific set of services to application developers. It provides a familiar and flexible environment to drive and support the specific needs and services of the development team, customers and users. The Windows Azure platform comprises the following [2, 6]:

• Windows Azure
• Microsoft SQL Azure
• Windows Azure Platform AppFabric
• Windows Azure Marketplace

Figure-1 Figure-2

Windows Azure - Windows Azure is a platform for running Windows applications and storing data in the cloud.

Figure-3: Windows Azure

Windows Azure has three main parts: the Compute service, the Storage service, and the Fabric.

The Compute service runs applications, the Storage service stores data, and the Windows Azure Fabric provides a common way to manage and monitor applications that use this cloud platform.

The Compute service runs applications, created on the .NET platform, on Windows Server. The Storage service provides storage for large binary objects, which works as the back end for Windows applications. The fabric controller knits the machines in a single Windows Azure data center into a cohesive whole. The Content Delivery Network (CDN) supports caching of data to speed up performance. Connect services are useful for organizations that want to interact with cloud applications as if they were inside the organization’s own firewall. Azure’s services are offered through industry-standard SOAP, REST and XML protocols, so using them won’t be a problem whatever the operating system used [6].

SQL Azure - SQL Azure offers cloud-based services for relational data. The components of SQL Azure are the following:

• SQL Azure Database provides a cloud-based database management system (DBMS). This technology lets on-premises and cloud applications store relational data on Microsoft servers in Microsoft data centers. As with other cloud technologies, an organization pays only for what it uses, increasing and decreasing usage (and cost) as the organization’s needs change.
• SQL Azure Reporting is a version of SQL Server Reporting Services (SSRS) that runs in the cloud. Intended primarily for use with SQL Azure Database, it allows creating and publishing standard SSRS reports on cloud data.
• SQL Azure Data Sync allows synchronizing data between SQL Azure Database and on-premises SQL Server databases. It can also be used to synchronize data across different SQL Azure databases in different Microsoft data centers.

SQL Azure is built on Microsoft SQL Server. As with SQL Server, developers can create indexes and views, use stored procedures, define triggers, and more. Applications can access SQL Azure data using Entity Framework, ADO.NET, and other Windows data access interfaces [6].

THE WINDOWS AZURE APP FABRIC

Figure-4: The fabric controller interacts with Windows Azure applications via the fabric agent.

The Windows Azure Fabric consists of a (large) group of machines, all of which are managed by software called the fabric controller. The fabric controller is replicated across a group of five to seven machines, and it owns all of the resources in the fabric: computers, switches, load balancers, and more. Because it can communicate with a fabric agent on every computer, it’s also aware of every Windows Azure application in this fabric. It monitors all running applications and manages operating systems, taking care of things like patching the version of Windows Server 2008 that runs in Windows Azure VMs. It also decides where new applications should run, choosing physical servers to optimize hardware utilization.

III. CLOUD SECURITY

There is a critical need to secure data hosted by cloud service providers. Since many applications are critical in nature, it is important that clouds be secure. The major security challenge with clouds is that the owner of the data may not have control of where the data is placed. There are numerous security issues for cloud computing, as it encompasses many technologies including networks, databases, operating systems, virtualization, resource scheduling, transaction management, load balancing, concurrency control and memory management. Therefore, security issues for many of these systems and technologies are applicable to cloud computing [7]. One way to make security actionable and prescriptive is to focus on threats, attacks, vulnerabilities and countermeasures [4, 8].

Threats, Attacks, Vulnerabilities, and Countermeasures

These are defined as follows:

Asset - A resource of value, such as the data in a database, data on the file system, or a system resource.

Threat - A potential occurrence, malicious or otherwise, that can harm an asset.

Vulnerability - A weakness that makes a threat possible.

Attack - An action taken to exploit a vulnerability and realize a threat; an action taken to harm an asset.

Countermeasure - A safeguard that addresses a threat and mitigates risk.

This means that by building a knowledge base of threats, attacks, vulnerabilities and countermeasures, we can dramatically improve security know-how [1, 7, 8].

IV. WINDOWS AZURE CLOUD SECURITY DESIGN

In the actual realm of security, the Windows Azure Platform provides several security mechanisms to keep data protected. Customers must authenticate with their Windows Live Identifier so as to correctly identify themselves as an authorized client, which helps prevent unauthorized access to backend systems. Data stored on the platform is encrypted within Windows Azure, so even a breach of their security systems does not make data stored by your application available. Each customer’s data is logically separated onto a different (virtual) volume, so it is difficult to access another customer’s data. As with Google Apps, data can be replicated at several locations so catastrophic failure does not imply data loss [7].

To maintain security, any cloud computing platform must provide confidentiality, integrity and availability of customer data, and accountability. Confidentiality is one of the important factors from a security point of view; it ensures that a customer’s data is only accessible by authorized entities.

Windows Azure provides confidentiality via:

Identity and Access Management - Ensures that only properly authenticated entities are allowed access.

The Service Management API (SMAPI) - Provides web services via the Representational State Transfer (REST) protocol. The protocol runs over SSL and is authenticated with a certificate and private key generated by the customer. As long as the customer maintains control of the private key and the Live ID used to create the account, this mechanism provides a high degree of assurance that only the customer’s authorized representatives can access specific aspects of the service.

Isolation - Minimizes interaction with data by keeping appropriate containers logically or physically separate.

Encryption - Used internally within Windows Azure for protecting control channels, and provided optionally for customers who need rigorous data protection capabilities [8].

Example Application Scenario and Solution

Example Scenario

Solution

| Sr. no. | Area | Notes |
|---|---|---|
| 1 | Authentication | • Authenticate users with forms authentication • Store users in Azure Tables • Use TableStorage Membership Provider for membership APIs • Authenticate application against Azure Storage with access key • Map ASP.NET users to single Azure Storage connection • All access to the database occurs as the application identity |
| 2 | Authorization | • Use TableStorage RoleProvider for roles APIs • Authorize users in application logic • Store roles in Azure Tables |
| 3 | Communication | • Use HTTP port 80 for non-secure connections to ASP.NET application • Perform forms authentication over port 443 (SSL) |

TABLE-1
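
In the Table-1 design, content is served on port 80 while forms authentication runs on port 443, so a reviewer would want to confirm that the authentication ticket never leaves the SSL side. The following is an added example, not code from the paper: a small Python audit of a web.config, run on two constructed fragments. The function name and finding texts are this example's own; the attributes checked are standard ASP.NET settings.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments for the Table-1 scenario (not from the paper).
WEAK = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Login.aspx" timeout="30" />
  </authentication>
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Login.aspx" timeout="30" requireSSL="true"
           protection="All" cookieless="UseCookies" />
  </authentication>
  <httpCookies requireSSL="true" httpOnlyCookies="true" />
</system.web></configuration>"""


def audit_forms_auth(config_xml):
    """Return findings for forms authentication on a site serving ports 80 and 443."""
    web = ET.fromstring(config_xml).find("system.web")
    auth = web.find("authentication") if web is not None else None
    forms = auth.find("forms") if auth is not None else None
    if forms is None or auth.get("mode", "").lower() != "forms":
        return ["forms authentication is not configured"]
    findings = []
    # When an attribute is absent, the ASP.NET defaults apply:
    # requireSSL="false", protection="All", cookieless="UseDeviceProfile".
    if forms.get("requireSSL", "false").lower() != "true":
        findings.append("forms/@requireSSL: ticket cookie is also sent over plain HTTP (port 80)")
    if forms.get("protection", "All").lower() != "all":
        findings.append("forms/@protection: ticket is not both encrypted and validated")
    if forms.get("cookieless", "UseDeviceProfile").lower() != "usecookies":
        findings.append("forms/@cookieless: ticket may be carried in the URL")
    cookies = web.find("httpCookies")
    if cookies is None or cookies.get("requireSSL", "false").lower() != "true":
        findings.append("httpCookies/@requireSSL: other cookies are not marked Secure")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_forms_auth(cfg) or "no findings")
```
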

| Sr. no. | Area | Notes |
|---|---|---|
| 1 | Auditing and Logging | How security-related events are recorded, monitored, and audited. |
| 2 | Authentication | The process of proving identity, typically through credentials, such as a user name and password. |
| 3 | Authorization | How your application provides access controls for roles, resources and operations. |
| 4 | Communication | How data is transmitted over the wire. Transport security versus message encryption is covered here. |
| 5 | Configuration Management | How your application handles configuration and administration of your applications from a security perspective. |
| 6 | Cryptography | How your application enforces confidentiality and integrity. |
| 7 | Exception Management | How you handle application errors and exceptions. |
|  | Sensitive Data | How your application handles any data that must be protected either in memory, over the network, or in persistent stores. |
| 8 | Session Management | A session refers to a series of related interactions between a user and your application. |
| 9 | Validation | How your application filters, scrubs, or rejects input before additional processing, or how it sanitizes output. |

TABLE-2

The key to the buckets is that they are actionable. Another key is that developers can relate to them. This makes it easier to share security knowledge between security experts and developers in a pragmatic way [8].

V. CONCLUSION

Cloud computing has brought a revolution, especially for large-scale industries; however, the cloud computing environment forces developers to face issues directly. Windows Azure supports SQL Server and Active Directory providers for authenticating the user to maintain confidentiality. However, there are several other security challenges, including security aspects of virtualization. Due to the complexity of the cloud, it will be difficult to achieve end-to-end security. So the challenge for developers is to ensure more secure operations even if some failure occurs. Building trusted applications from untrusted components will be a major aspect of cloud security. Business on the cloud is a shared responsibility between business and IT.

REFERENCES

[1] B. C. Kaufman and R. Venkatapathy, “Windows Azure TM Security Overview.”
[2] HighTech_Whitepaper_Windows_Azure_09_2011 by TCS.
[3] www.ibm.com/developerworks/websphere/zones/hipods/
[4] R. Jain, “A Survey of Cloud Security Issues and Offerings,” pp. 1–14.
[5] H. Erdogmus, “Cloud computing: Does Nirvana hide behind the Nebula?” IEEE Software, 26(2):4–6, 2009.
[6] D. Chappell, “Introducing the Azure services platform: an early look at Windows Azure, .NET services,” October 2008.
[7] K. Hamlen, M. Kantarcioglu, L. Khan, and B. Thuraisingham, “Security Issues for Cloud Computing,” Int. J. Inf. Secur. Priv., vol. 4, no. 2, pp. 36–48, 2010.
[8] P. Enfield, “Azure Security Notes.”