Business Cloud Computing How Secure is the Cloud Computing



<p>Business Cloud Computing: How secure is cloud computing?</p> <p>Ainul Mardhiyah Bt Nor Aziz</p> <p>Business Management Faculty</p> <p>University Technology MARA</p> <p>Shah Alam, Malaysia</p> <p>Abstract: Cloud computing is a way to increase capacity or add capabilities dynamically without investing in new infrastructure, training new personnel, or licensing new software. It extends Information Technology's (IT) existing capabilities. In the last few years, cloud computing has grown from being a promising business concept to one of the fast-growing segments of the IT industry [1]. Cloud computing has generated a lot of interest and competition in the industry and it is recognized as one of the top 10 technologies of 2010 [2]. It is an internet-based service delivery model which provides internet-based services, computing and storage for users in all markets, including financial, health care &amp; government. This paper presents a systematic review of the different types of clouds and the security issues that should be solved. Cloud security is becoming a key differentiator and competitive edge between cloud providers. This paper discusses the security issues arising in different types of clouds.</p> <p>Keywords: cloud computing, cloud, security, and business cloud computing</p> <p>I. INTRODUCTION</p> <p>Cloud computing is a style of computing where massively scalable IT-enabled capabilities are delivered as a service to external customers using Internet technologies. Cloud providers currently enjoy a profound opportunity in the marketplace. The providers must ensure that they get the security aspects right, for they are the ones who will shoulder the responsibility if things go wrong. 
The cloud offers several benefits, such as fast deployment, pay-for-use, lower costs, scalability, rapid provisioning, rapid elasticity, ubiquitous network access, greater resiliency, hypervisor protection against network attacks, low-cost disaster recovery and data storage solutions, on-demand security controls, real-time detection of system tampering and rapid re-constitution of services. While the cloud offers these advantages, until some of the risks are better understood, many of the major players will be tempted to hold back [3].</p> <p>The term cloud was coined from computer network diagrams, which use it to hide the complexity of the infrastructure involved. Cloud computing provides software, platform and infrastructure as a service. Its main features include resource pooling, rapid elasticity, measured service, on-demand self-service and broad network access. So, a cloud is a collection of hardware and software that runs in a data centre and enables the cloud computing model. A cloud reduces capital investment, hardware cost and software licence cost. Cloud computing also raises severe challenges, especially regarding the security level required for the secure use of the services it provides. There are no publicly available standards specific to cloud computing security. So, in this paper, we propose the following standards for maintaining security in an unsafe cloud computing environment. The main characteristics include:</p> <p> On-demand self-service. The ability for an end user to sign up and receive services without the long delays that have characterized traditional IT. </p> <p> Broad network access. The ability to access the service via standard platforms, for example desktop, laptop, and mobile.</p> <p> Resource pooling. Resources are pooled across multiple customers.</p> <p> Rapid elasticity. Capability can scale to cope with demand peaks.</p> <p> Measured Service. 
Billing is metered and delivered as a utility service.</p> <p>The Cloud Computing stack shows three distinct categories within Cloud Computing:</p> <p> I. Software as a Service, </p> <p> II. Platform as a Service and </p> <p> III. Infrastructure as a Service </p> <p>I. SaaS - Software as a Service</p> <p>A software delivery model where the application and its associated data are centrally hosted on the cloud. Users do not manage the infrastructure or platform on which the application is running. Examples of SaaS applications include Microsoft Office365 and Google Apps.</p> <p>II. PaaS - Platform as a Service</p> <p>A cloud computing service model which provides a centrally hosted software development solution stack, offering the facilities to deploy applications from anywhere without buying the underlying hardware and software. Examples of PaaS include Windows, Azure and Google App Engine. The platform is the layer between the software and the infrastructure, providing developers with specialized APIs in their specific programming segment. For example, a .NET developer looking for a place to host a web application, who uses SQL for the database backend and IIS for web hosting, may look to Microsoft Azure.</p> <p>III. IaaS - Infrastructure as a Service</p> <p>A cloud computing service model that hosts infrastructure such as servers, network, VMs, storage, load balancers and security devices. Examples of IaaS include Amazon Web Services and Rackspace offerings. IaaS is the building block on which PaaS and SaaS are built. It replaces traditional on-site servers and networking.</p> <p> Diagram 1: Cloud Computing Stack</p> <p>II. VARIOUS TYPES OF CLOUDS</p> <p>Clouds are broadly classified as: PERSONAL CLOUDS: Such clouds are operated specifically by a single organization. GENERAL CLOUDS: These clouds are used for providing services to common people. DOMAIN-SPECIFIC CLOUDS: These clouds are maintained for specific requirements by a group of organizations. 
MIXED CLOUDS: These clouds are mixtures of the above three clouds, which can share data to fulfil a specific requirement.</p> <p>Personal clouds: These are used to provide a broad range of office and enterprise computing services. They involve applications for online collaboration, email and calendaring, such as ERP software. Conventional approaches to computing have constrained our ability to meet these needs. For example, in traditional computing, servers are dedicated to specific applications. This results in poor server utilization. So, personal clouds provide a new architecture for improving efficiency. It includes a hosting platform, an interfacing unit and infrastructure services. By building a personal cloud, we can deliver the benefits of a public cloud without incurring the risk to the data and application.</p> <p>Fig. 3 (Personal Cloud Security Issues)</p> <p>General Cloud: A general cloud is one in which a service provider makes resources such as applications and storage available to the general public over the internet. The main advantages of using general cloud services are:</p> <p> Easy and inexpensive setup, because hardware, application and bandwidth costs are covered by the provider. </p> <p> Scalability to meet needs. </p> <p> Economical for the general public. </p> <p>General clouds use shared infrastructure and services, which may give rise to new security issues. The following security challenges, where the attacker or hacker needs to be blocked, are yet to be solved:</p> <p> The actual physical machine where the virtual server is running. </p> <p> Placing malicious code on the physical machine. </p> <p> Attack on VM (Virtual Machine) from other VMs. </p> <p> DoS Attacks </p> <p>Fig. 4 (General Cloud Security Issues)</p> <p>Domain Specific clouds: In the past few years, security investment was largely driven by regulatory mandates. 
For example, the Payment Card Industry Data Security Standard mandates regular vulnerability scanning of IT assets, so retail and financial services organizations purchased scanning and log management tools. Mount Sinai Hospital in Toronto is building a community cloud in conjunction with the Canadian government that will give 14 area hospitals shared access to a fetal ultrasound application and data storage for patient information. Security issues in domain-specific clouds:</p> <p> Compliance and auditing</p> <p> Intrusion Detection (IDS) and Firewall features.</p> <p> Access control</p> <p> Anti Virus/Anti Malware protection.</p> <p>Fig. 5 (Domain Specific Cloud Security Issues)</p> <p>Hybrid Clouds: A hybrid cloud is a combination of at least one private cloud and at least one general cloud. It is a cloud computing environment in which an organization provides and manages resources internally and externally. It allows a business to take advantage of the scalability and cost effectiveness. </p> <p>Risk of multiple cloud tenants. </p> <p>Ongoing compliance concerns </p> <p>Access control and identity management. </p> <p>Data slinging</p> <p>Advantage Security in Cloud Computing</p> <p>One of the hottest debates in the information technology community today centers around cloud computing. Proponents suggest the flexibility, scalability and economics of the cloud make it a logical choice, while opponents point to security and privacy concerns as reasons not to move to the cloud. From the perspective of a company focused on providing secure information technology solutions to large, very security-conscious customers, we believe it is possible for small to mid-sized organizations to have the best of both worlds: the benefits of the cloud can be affordably attained in a way that does not jeopardize an organization's security.</p> <p>Security is the big argument against cloud computing these days. 
However, one might argue that cloud computing can actually be more secure than locally managed systems, particularly for small to mid-sized companies. Here are a few specific examples [4]:</p> <p>Multifactor authentication: A number of cloud computing vendors now offer multi-factor authentication as part of their service. Multi-factor authentication is much more secure than the more traditional user name and password authentication convention. Instead, multi-factor authentication systems combine something you know (password) with something you have (hard token) and/or something you are (biometric). Unfortunately, many small and mid-size companies don't have the resources (skills, time, or money) to implement such authentication capabilities on their own.</p> <p>Security patching: Many software products that we use every day require diligence when it comes to applying security patches and testing these patches to make sure they were properly applied. Again, many companies do not have the resources to adequately perform this complex and time-consuming task, which puts their systems at risk. As we are seeing in the news with malware and cyber attacks like Stuxnet, hackers typically feed on known vulnerabilities, often more than a year old, that have not been patched.</p> <p>Physical security: Reputable cloud computing vendors often host their systems in facilities that have much stronger physical security controls, with meaningful certifications, that many small-to-midsize companies cannot provide on their own.</p> <p>Security certifications: Many industries require that IT systems and facilities maintain certain types of information security and/or privacy certifications. For example, compliance with the Federal Information Security Management Act, or FISMA, is required for the federal government, while Health Insurance Portability and Accountability Act (HIPAA) compliance is required for the healthcare industry. 
These certifications can be prohibitively expensive for smaller organizations to achieve; however, many cloud vendors provide access to systems and facilities that are already certified. Even if your business does not require a certification, it may be comforting to engage with vendors who offer them, as it demonstrates mature business practices as they relate to information security.</p> <p>Security issues in SaaS</p> <p>In SaaS, the client has to depend on the provider for proper security measures. The provider must do the work to keep multiple users from seeing each other's data. So it becomes difficult for the user to ensure that the right security measures are in place, and also difficult to get assurance that the application will be available when needed [6]. With SaaS, the cloud customer will by definition be substituting new software applications for old ones. Therefore, the focus is not upon portability of applications, but on preserving or enhancing the security functionality provided by the legacy application and achieving a successful data migration [5]. The SaaS software vendor may host the application on its own private server farm or deploy it on a cloud computing infrastructure service provided by a third-party provider (e.g. Amazon, Google, etc.). The use of cloud computing coupled with the pay-as-you-go (grow) approach helps the application service provider reduce the investment in infrastructure services and enables it to concentrate on providing better services to customers.</p> <p>Over the past decade, computers have become widespread within enterprises, while IT services and computing have become a commodity. Enterprises today view data and business processes (transactions, records, pricing information, etc.) themselves as strategic and guard them with access control and compliance policies. However, in the SaaS model, enterprise data is stored at the SaaS provider's data center, along with the data of other enterprises. 
Moreover, if the SaaS provider is leveraging a public cloud computing service, the enterprise data might be stored along with the data of other unrelated SaaS applications. The cloud provider might, additionally, replicate the data at multiple locations across countries for the purposes of maintaining high availability. Most enterprises are familiar with the traditional on-premise model, where the data continues to reside within the enterprise boundary, subject to their policies. Consequently, there is a great deal of discomfort with the lack of control and knowledge of how their data is stored and secured in the SaaS model. There are strong concerns about data breaches, application vulnerabilities and availability that can lead to financial and legal liabilities. The layered stack for a typical SaaS vendor and critical aspects that must be covered across layers in order to ensure security of the enterprise data. The following key security elements should be carefully considered as an integral part of the SaaS application development and deployment process: </p> <p> Data security</p> <p> Network security</p> <p> Data locality</p> <p> Data integrity</p> <p> Data segregation</p> <p> Data access</p> <p> Authentication and authorization</p> <p>Security Issues in PaaS</p> <p>In PaaS, the provider might give some control to the people to build applications on top of the platform. But any security below the application level, such as host and network intrusion prevention, will still be in the scope of the provider, and the provider has to offer strong assurances that the data remains inaccessible between applications. PaaS is intended to enable developers to build their own applications on top of the platform. As a result it tends to be more extensible than SaaS, at the expense of customer-ready features. This trade-off extends to security features and capabilities, where the built-in capabilities are less complete, but there is more flexibility to layer on additional security. Applications sufficiently complex to le...</p>

