
Business Cloud Computing: How secure is cloud computing?

Ainul Mardhiyah Bt Nor Aziz

Business Management Faculty

University Technology MARA

Shah Alam, Malaysia

Abstract—Cloud computing is a way to increase capacity or add capabilities dynamically without investing in new infrastructure, training new personnel, or licensing new software. It extends Information Technology’s (IT) existing capabilities. In the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry [1]. Cloud computing has generated a lot of interest and competition in the industry and it is recognized as one of the top 10 technologies of 2010 [2]. It is an internet-based service delivery model which provides internet-based services, computing and storage for users in all markets including financial, health care and government. This paper presents a systematic review of the different types of clouds and the security issues that should be solved. Cloud security is becoming a key differentiator and competitive edge between cloud providers. This paper discusses the security issues arising in different types of clouds.

Keywords—Cloud computing, cloud, security, and business cloud computing

I INTRODUCTION

Cloud computing is “a style of computing where massively scalable IT-enabled capabilities are delivered ‘as a service’ to external customers using Internet technologies”. Cloud providers currently enjoy a profound opportunity in the marketplace. The providers must ensure that they get the security aspects right, for they are the ones who will shoulder the responsibility if things go wrong. The cloud offers several benefits like fast deployment, pay-for-use, lower costs, scalability, rapid provisioning, rapid elasticity, ubiquitous network access, greater resiliency, hypervisor protection against network attacks, low-cost disaster recovery and data storage solutions, on-demand security controls, real-time detection of system tampering and rapid re-constitution of services. While the cloud offers these advantages, until some of the risks are better understood, many of the major players will be tempted to hold back [3].

The term “cloud” was coined from the computer network diagrams which use it to hide the complexity of the infrastructure involved. Cloud computing provides software, platform and infrastructure as a service. Its main features include resource pooling, rapid elasticity, measured service, on-demand self-service and broad network access. So, a cloud is a collection of hardware and software that runs in a data centre and enables the cloud computing model. A cloud reduces capital investment, hardware cost and software licence cost. Cloud computing also raises severe challenges, especially regarding the security level required for the secure use of the services it provides. There are no publicly available standards specific to cloud computing security. So, in this paper, we propose the following standards for maintaining security in an unsafe cloud computing environment. Main characteristics include:

On-demand self-service. The ability for an end user to sign up and receive services, for example, without the long delays that have characterized traditional IT.

Broad network access. Ability to access the service via standard platforms for example desktop, laptop, and mobile.

Resource pooling. Resources are pooled across multiple customers.

Rapid elasticity. Capability can scale to cope with demand peaks.

Measured Service. Billing is metered and delivered as a utility service.

Cloud Computing stack – it shows three distinct categories within Cloud Computing: I. Software as a Service, II. Platform as a Service and III. Infrastructure as a Service

I. SaaS - Software as a Service. A software delivery model where the application and associated data are centrally hosted on the cloud. Users do not manage the infrastructure or platform on which the application is running. Examples of SaaS include Microsoft Office365, Google Apps and Salesforce.com applications.

II. PaaS - Platform as a Service. A cloud computing service model which provides a centrally hosted software development solution stack, offering the facilities to deploy applications from anywhere without buying the underlying hardware and software. Examples of PaaS include Windows Azure and Google App Engine. The platform is the layer between the software and the infrastructure, providing developers with specialized APIs in their specific programming segment. For example, a .NET developer looking for a place to host a web application, someone who uses SQL for his database backend and IIS for web hosting, may look to Microsoft Azure.

III. IaaS - Infrastructure as a Service. A service model of cloud computing which hosts and controls infrastructure: servers, network, VMs, storage, load balancers and security devices. Examples of IaaS include Amazon Web Services and Rackspace offerings. IaaS is the building block on which PaaS and SaaS are built. It replaces traditional on-site servers and networking.

Diagram 1: Cloud Computing Stack

II. VARIOUS TYPES OF CLOUDS

Clouds are broadly classified as:

PERSONAL CLOUDS: Such clouds are operated by a single organization.

GENERAL CLOUDS: These clouds are used for providing services to common people.

DOMAIN-SPECIFIC CLOUDS: These clouds are maintained for specific requirements by a group of organizations.

MIXED CLOUDS: These clouds are mixtures of the above three clouds, which can share data to fulfil a specific requirement.

Personal clouds: These are used to provide a broad range of office and enterprise computing services. This involves applications for online collaboration, email and calendaring such as ERP software. Conventional approaches to computing have constrained our ability to meet these needs. For example, in traditional computing, servers are dedicated to specific applications. This results in poor server utilization. So, personal clouds provide a new architecture for improving efficiency. It includes a hosting platform, interfacing unit and infrastructure services. By building a personal cloud, we can deliver the benefits of the public cloud without incurring the risk for the data and application.

Fig. 3 (Personal Cloud Security Issues)

General Cloud: In a general cloud, a service provider makes resources such as applications and storage available to the general public over the internet. The main advantages of using general cloud services are:

• Easy and inexpensive setup, because hardware, application and bandwidth costs are covered by the provider.

• Scalability to meet needs.

• Economic for the general public.

There are shared infrastructures and services in a general cloud, which may give rise to new security issues. The following security challenges are yet to be solved, where the attacker or hacker needs to be hindered:

• The actual physical machine where the virtual server is running.

• Placing malicious code on the physical machine.

• Attack on a VM (Virtual Machine) from other VMs.

• DoS attacks.

[Figure 3 labels: Security (identity and access management; data protection; security intelligence; software, platform and infrastructure security); Platform as a Service (PaaS); Infrastructure as a Service (IaaS).]

[Figure 4 labels: Security (DoS attacks; attacks on virtual machines; placing malicious code; attack on physical machine); Platform as a Service (PaaS).]

Fig. 4 (General Cloud Security Issues)

Domain Specific clouds: In the past few years, security investment was largely driven by regulatory mandates. For example, the Payment Card Industry Data Security Standard mandates regular vulnerability scanning of IT assets, so retail and financial services organizations purchased scanning and log management tools. Mount Sinai Hospital in Toronto is building a community cloud in conjunction with the Canadian government that will give 14 area hospitals shared access to a fetal ultrasound application and data storage for patient information.

Security Issues in Domain Specific:

• Compliance and auditing.

• Intrusion Detection (IDS) and Firewall features.

• Access control.

• Anti Virus/Anti Malware protection.

Fig.5 (Domain Specific Cloud Security Issues)

Hybrid Clouds: A hybrid cloud is a combination of at least one private cloud and at least one general cloud. It is a cloud computing environment in which an organization provides and manages resources internally and externally. It allows a business to take advantage of the scalability and cost effectiveness.

• Risk of multiple cloud tenants.

• Ongoing compliance concerns

• Access control and identity management.

• Data slinging

Advantage Security in Cloud Computing

One of the hottest debates in the information technology community today centers around cloud computing. Proponents suggest the flexibility, scalability and economics of the cloud make it a logical choice, while opponents point to security and privacy concerns as reasons not to move to the cloud. From the perspective of a company focused on providing secure information technology solutions to large, very security-conscious customers, we believe it is possible for small to mid-sized organizations to have the best of both worlds: the benefits of the cloud can be affordably attained in a way that does not jeopardize an organization’s security.

Security is the big argument against cloud computing these days. However, one might argue that cloud computing can actually be more secure than locally managed systems, particularly for small to mid-sized companies. Here are a few specific examples [4]:

Multifactor authentication: A number of cloud computing vendors now offer multi-factor authentication as part of their service. Multi-factor authentication is much more secure than the more traditional user name and password authentication convention. Instead, multi-factor authentication systems combine something you know (password), with something you have (hard token), and/or something you are (biometric). Unfortunately, many small and mid-size companies don’t have the resources (skills, time, or money) to implement such authentication capabilities on their own.

Security patching: Many software products that we use every day require diligence when it comes to applying security patches and testing these patches to make sure they were properly applied. Again, many companies do not have the resources to adequately perform this complex and time-consuming task, which puts their systems at risk. As we are seeing in the news with malware and cyber attacks like Stuxnet, hackers typically feed on known vulnerabilities, often more than a year old, that have not been patched.

Physical security: Reputable cloud computing vendors often host their systems in facilities that have much stronger physical security controls with meaningful certifications that many small-to-midsize companies cannot provide on their own.

[Figure 5 labels: Security (compliance and auditing; intrusion detection and firewall features; access control; anti-virus/anti-malware protection); Platform as a Service (PaaS); Infrastructure as a Service (IaaS).]

Security certifications: Many industries require that IT systems and facilities maintain certain types of information security and/or privacy certifications. For example, compliance with the Federal Information Security Management Act, or FISMA, is required for the federal government, while Health Insurance Portability and Accountability Act (HIPAA) compliance is required for the healthcare industry. These certifications can be prohibitively expensive for smaller organizations to achieve; however, many cloud vendors provide access to systems and facilities that are already certified. Even if your business does not require a certification, it may be comforting to engage with vendors who offer them, as it demonstrates mature business practices as they relate to information security.

Security issues in SaaS

In SaaS, the client has to depend on the provider for proper security measures. The provider must do the work to keep multiple users from seeing each other’s data. So it becomes difficult for the user to ensure that the right security measures are in place, and also difficult to get assurance that the application will be available when needed [6]. With SaaS, the cloud customer will by definition be substituting new software applications for old ones. Therefore, the focus is not upon portability of applications, but on preserving or enhancing the security functionality provided by the legacy application and achieving a successful data migration [5]. The SaaS software vendor may host the application on its own private server farm or deploy it on a cloud computing infrastructure service provided by a third-party provider (e.g. Amazon, Google, etc.). The use of cloud computing coupled with the pay-as-you-go (grow) approach helps the application service provider reduce the investment in infrastructure services and enables it to concentrate on providing better services to customers.

Over the past decade, computers have become widespread within enterprises, while IT services and computing have become a commodity. Enterprises today view data and business processes (transactions, records, pricing information, etc.) themselves as strategic and guard them with access control and compliance policies. However, in the SaaS model, enterprise data is stored at the SaaS provider’s data center, along with the data of other enterprises. Moreover, if the SaaS provider is leveraging a public cloud computing service, the enterprise data might be stored along with the data of other unrelated SaaS applications. The cloud provider might, additionally, replicate the data at multiple locations across countries for the purposes of maintaining high availability. Most enterprises are familiar with the traditional on-premise model, where the data continues to reside within the enterprise boundary, subject to their policies. Consequently, there is a great deal of discomfort with the lack of control and knowledge of how their data is stored and secured in the SaaS model. There are strong concerns about data breaches, application vulnerabilities and availability that can lead to financial and legal liabilities. The layered stack for a typical SaaS vendor and critical aspects that must be covered across layers in order to ensure security of the enterprise data. The following key security elements should be carefully considered as an integral part of the SaaS application development and deployment process:

• Data security

• Network security

• Data locality

• Data integrity

• Data segregation

• Data access

• Authentication and authorization
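The data segregation and data access elements above come down to the provider keeping one tenant from reading another tenant's rows in a shared store. The following added example, not taken from the paper or from any SaaS product, places a lookup that trusts the record id alone beside one bound to the authenticated tenant, and includes an isolation check a provider could run as a regression test. The `invoices` schema, tenant names and function names are constructed for the illustration.

```python
import sqlite3


def build_db():
    """Shared table holding rows of several enterprises (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, "
               "tenant_id TEXT NOT NULL, amount REAL, note TEXT)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", [
        (1, "acme", 120.0, "acme Q1"),
        (2, "acme", 75.5, "acme Q2"),
        (3, "globex", 990.0, "globex retainer"),
    ])
    return db


def get_invoice_unscoped(db, invoice_id):
    """Weak: filters on the id only, so any logged-in tenant can read any row."""
    return db.execute("SELECT id, tenant_id, amount FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()


class TenantSession:
    """Hardened: every query is bound to the tenant fixed at authentication time."""

    def __init__(self, db, tenant_id):
        self._db = db
        self._tenant = tenant_id   # taken from the session, never from request input

    def get_invoice(self, invoice_id):
        return self._db.execute(
            "SELECT id, tenant_id, amount FROM invoices "
            "WHERE id = ? AND tenant_id = ?", (invoice_id, self._tenant)).fetchone()

    def list_invoices(self):
        return self._db.execute(
            "SELECT id, amount FROM invoices WHERE tenant_id = ? ORDER BY id",
            (self._tenant,)).fetchall()


def unscoped_accessor(db, tenant, invoice_id):
    return get_invoice_unscoped(db, invoice_id)


def scoped_accessor(db, tenant, invoice_id):
    return TenantSession(db, tenant).get_invoice(invoice_id)


def audit_isolation(db, tenants, accessor):
    """Try every invoice id as every tenant; return (tenant, id) pairs that leak."""
    ids = [row[0] for row in db.execute("SELECT id FROM invoices ORDER BY id")]
    leaks = []
    for tenant in tenants:
        for invoice_id in ids:
            row = accessor(db, tenant, invoice_id)
            if row is not None and row[1] != tenant:
                leaks.append((tenant, invoice_id))
    return leaks


if __name__ == "__main__":
    db = build_db()
    print("unscoped leaks:", audit_isolation(db, ["acme", "globex"], unscoped_accessor))
    print("scoped leaks:  ", audit_isolation(db, ["acme", "globex"], scoped_accessor))
```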

Security Issues in PaaS

In PaaS, the provider might give some control to the people who build applications on top of the platform. But any security below the application level, such as host and network intrusion prevention, will still be in the scope of the provider, and the provider has to offer strong assurances that the data remains inaccessible between applications. PaaS is intended to enable developers to build their own applications on top of the platform. As a result it tends to be more extensible than SaaS, at the expense of customer-ready features. This trade-off extends to security features and capabilities, where the built-in capabilities are less complete, but there is more flexibility to layer on additional security. Applications sufficiently complex to leverage an Enterprise Service Bus (ESB) need to secure the ESB directly, leveraging a protocol such as Web Service (WS) Security [7]. The ability to segment ESBs is not available in PaaS environments. Metrics should be in place to assess the effectiveness of the application security programs. Among the direct, application-security-specific metrics available are vulnerability scores and patch coverage. These metrics can indicate the quality of application coding. Attention should be paid to how malicious actors react to new cloud application architectures that obscure application components from their scrutiny. Hackers are likely to attack visible code, including but not limited to code running in user context. They are likely to attack the infrastructure and perform extensive black box testing. The vulnerabilities of the cloud are not only associated with web applications but also with the machine-to-machine Service Oriented Architecture (SOA) applications, which are increasingly being deployed in the cloud.

Security Issues in IaaS

With IaaS the developer has better control over the security as long as there is no security hole in the virtualization manager. Also, although in theory virtual machines might be able to address these issues, in practice there are plenty of security problems. The other factor is the reliability of the data that is stored within the provider’s hardware. Due to the growing virtualization of ‘everything’ in the information society, retaining ultimate control over data for the owner of the data, regardless of its physical location, will become a topic of utmost interest. To achieve maximum trust and security on a cloud resource, several techniques would have to be applied [9]. The security responsibilities of both the provider and the consumer greatly differ between cloud service models. Amazon’s Elastic Compute Cloud (EC2) infrastructure as a service offering, as an example, includes vendor responsibility for security up to the hypervisor, meaning they can only address security controls such as physical security, environmental security, and virtualization security. The consumer, in turn, is responsible for the security controls that relate to the IT system including the OS, applications and data [5].

IaaS is prone to various degrees of security issues based on the cloud deployment model through which it is being delivered. Public cloud poses the major risk whereas private cloud seems to have lesser impact. Physical security of the infrastructure, and disaster management if any damage is incurred to the infrastructure (either naturally or intentionally), is of utmost importance. Infrastructure not only pertains to the hardware where data is processed and stored but also the path over which it is transmitted. In a typical cloud environment, data will be transmitted from source to destination through numerous third-party infrastructure devices [8].

There is a high possibility that data can be routed through an intruder’s infrastructure. There is also complexity involved in IaaS due to each of the service deployment models. Although cloud architecture is an improvised technology, the underlying technologies remain the same. The cloud is just built over the internet, and all the concerns related to security on the internet are also posed by the cloud. The basis of cloud technology is that the consumer and provider reside at different locations and virtually access the resources over the Internet. Even if an enormous amount of security is put in place in the cloud, the data is still transmitted through the normal underlying Internet technology. So, the security concerns which threaten the Internet also threaten the cloud. But, in a cloud, the risks are overwhelmingly high. This is because of its vulnerability, the asset value of the resources, and the fact that they reside together. Cloud systems still use the normal protocols and security measures that are used on the Internet, but the requirements are higher. Encryption and secure protocols cater to the needs to a certain extent, but they are not context oriented. A robust set of policies and protocols is required to help secure transmission of data within the cloud. Concerns regarding intrusion into data by external non-users of the cloud through the internet should also be considered. Measures should be set in place to make the cloud environment secure, private and isolated on the Internet to avoid cyber criminals attacking the cloud.

III RECOMMENDATIONS

Transparency

A key to improving consumer confidence in cloud privacy and security is transparency and disclosure. Providers need to improve disclosure of privacy notices and business practices so that users know what is being offered. Prospective clients and users should be able to understand the security precautions taken by a given provider, and have enough information to make an informed choice between two alternatives about their risk exposure. Even sharing how a cloud provider recruits the employees that administer key systems would be useful information.

Absent any formal liability for security incidents, current and potential clients need to have as much information about risks of cloud services use as possible. One of the virtues of the cloud is its potential for real-time performance data and on-demand transparency. For example, companies can offer real-time information on cloud down-time and data breaches. There is also some limited evidence that public disclosures of data breaches lead to a financial penalty in the form of reduced stock prices [9] that, in turn, might lead to risk mitigation. On-demand transparency gives consumers instantaneous information. This is an advantage that was not available in the era of paper-based records or some types of desktop computing.

Competition

Beyond transparency, the greatest promise for a more secure set of cloud infrastructures is a competitive marketplace. A diverse enough pool of market actors will allow security to be a credible path to differentiating service. This will engender a positive feedback loop, where firms will market themselves, and even the secure provider will have to raise their level of security. Moreover, a larger number of platforms and systems will increase the number of potential targets for attackers, preventing malware specialization and reducing systematic social risk. However, providers must be large enough to leverage the economies of scale discussed above, including security investment, information sharing, and usable interfaces.

One key mechanism in this equation is exportability of data and code. Exportability would reduce switching costs, enabling clients to shift to more secure providers. The marketplace can be further tended by rewarding smaller or newer players with government contracts, or at very least guaranteeing open forums for industry collaboration and standard setting. A diverse marketplace allows natural selection to reward successful market participants with greater market share. This selection can be artificially guided through blunt instruments such as liability, or more subtle mechanisms such as federal guidelines or security certifications.

Legal Clarifications

This approach to cloud privacy should be clarified because it is not clear that consumers have a clear sense of which platforms they are using and how privacy protections vary across domains. During the course of a day, people shift quickly from cloud to desktop to flash drives without thought to how confidentiality rules differ. When they shift from a desktop to the cloud, most consumers are unaware that their privacy rights drop precipitously. Ideally, Congress should act to require a “probable cause” search warrant that is approved by a judge. This would provide greater safeguards for online content, pictures, geolocation data and emails. Such legislation is supported by a broad coalition of cloud providers, technology firms and advocacy groups from across the political spectrum [10].

IV CONCLUSIONS

In this paper much of the work has been focused on types of clouds and their security challenges and it describes the way of designing the solution for the security threats. It gives a comparison between different services providers on different cloud services SaaS, PaaS, IaaS. This review shows that there are several types of clouds and the related security challenges on each level.

There is reason to be optimistic about the gains to be had from a transition of many information services to cloud architecture. Cloud computing makes possible cost savings, scalability, and more efficient use of IT resources, among other things. However, the risks to privacy and security from cloud computing cannot be ignored. Not all these risks are new, and some of them can be mitigated through technology investment and due diligence from the client. But others are systematic in nature, and may not be solvable through unilateral innovation.

Uncertainty dominates the client’s ability to forecast risk and the data subject’s expectation of privacy. Transparency would support selection towards a more security-conscious cloud universe, and market competition can enable that shift. While some uncertainty will always be present in a world of network threats, clarified.


ACKNOWLEDGMENT

Special thanks to my lecturer Dr. Wan Abdul Rahim, who conducts the Management Information System subject at University Technology MARA, for giving me the opportunity to write this article, and thanks to all colleagues in the Business Faculty who supported me in the process of finishing this article.

REFERENCES

[1] S. Subashini & V. Kavitha (2010). A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications.

[2] Tripathi, A., & Mishra, A. (2011). Cloud Computing Security Considerations; Signal Processing, Communications and Computing (ICSPCC), IEEE International Conference, IT Division Gorakhpur Centre: Gorakhpur India.

[3] Viega, J. (2009). Cloud computing and the common man. Computer, 42(8), 106-8.

[4] Wood, J., and Tracy, R. (2011). Security Advantages of Cloud Computing. Modern DC Business Magazine,1-2.

[5] Seccombe, A., Hutton, A., Meisel, A., Windel, A., Mohammed, A., Licciardi, A., et al. (2009). Security guidance for critical areas of focus in cloud computing v2.1 cloud security alliance, 25.

[6] Choudhary, V. (2007). Software as a service: implications for investment in software development. In: International conference on system sciences, 209.

[7] Descher, M., Masser P., Feilhauer T., Tjoa, A. M., Huemer, D. (2009). Retaining data control to the client in infrastructure clouds. In: International conference on availability, reliability and security, ARES, 9-16.

[8] Ristenpart, T., Tromer, E., Shacham, H., Savage, S. (2009). Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the CCS 2009, ACM Press. Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology: Cambridge, US, 270-4.

[9] Acquisti, A., Friedman, A., and Telang, R. (2006). Is There a Cost to Privacy Breaches? An Event Study. International Conference of Information Systems (ICIS).

[10] Helft, M. (2010). Technology Coalition Seeks Stronger Privacy Laws, New York Times, March 30.
