A. Mantri et al. (Eds.): HPAGC 2011, CCIS 169, pp. 103–112, 2011. © Springer-Verlag Berlin Heidelberg 2011

Security Concerns in Cloud Computing

Puneet Jai Kaur and Sakshi Kaushal

University Institute of Engineering and Technology, Panjab University, Chandigarh

puneetkaur79@yahoo.co.in, sakshi@pu.ac.in

Abstract. Since inception, the IT industry experienced a variety of natural evo-lution points, most marked with rapid change followed by years of internaliza-tion and consumption. According to most observers, the industry is rapidly evolving toward services as a core component of how consumers and business users interact with both software and one another The hype is deafening in places, and the key to success is recognizing that “cloud” adoption does not rep-resent an all-or-nothing proposition. Organizations use cloud computing as a service infrastructure, critically like to examine the security and confidentiality issues for their business critical insensitive applications. Yet, guaranteeing the security of corporate data in the cloud is difficult, if not impossible, as they provide different services like SaaS, PaaS and IaaS. Each service has its own service issues. This paper discusses the security issues, requirements and chal-lenges that cloud service providers face during the cloud engineering and the various deployment models for eliminating the security concerns.

Keywords: Cloud Computing, Public Cloud, Private Cloud, Cloud Security, Deployment Models.

1 Introduction

Cloud computing is a computing paradigm, where a large pool of systems are con-nected in private or public networks, to provide dynamically scalable infrastructure for application, data and file storage. With the advent of this technology, the cost of computation, application hosting, content storage and delivery is reduced signifi-cantly. Cloud computing is a practical approach to experience direct cost benefits and it has the potential to transform a data center from a capital-intensive set up to a vari-able priced environment. The idea of cloud computing is based on a very fundamental principal of reusability of IT capabilities. The difference that cloud computing brings compared to traditional concepts of grid computing or distributed computing is to broaden horizons across organizational boundaries. According to NIST - “Cloud Computing is a pay-per-use model for enabling available convenient, on-demand network access to a shared pool of configurable computing resources( e.g. networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or services provider interaction.” Cloud Computing has given a boost to the IT industry by providing following benefits:

104 P.J. Kaur and S. Kaushal

1. Reduced Cost : There are a number of reasons to attribute Cloud technology with lower costs. The billing model is pay as per usage; the infrastructure is not purchased thus lowering maintenance. Initial expense and recurring expenses are much lower than traditional computing.

2. Increased Storage: With the massive Infrastructure that is offered by Cloud pro-viders today, storage & maintenance of large volumes of data is a reality. Sudden workload spikes are also managed effectively & efficiently, since the cloud can scale dynamically.

3. Flexibility: This is an extremely important characteristic. With enterprises having to adapt, even more rapidly, to changing business conditions, speed to deliver is criti-cal. Cloud computing stresses on getting applications to market very quickly, by using the most appropriate building blocks necessary for deployment.

In this paper we have discussed the general concepts of the Cloud computing along with the various challenges faced. Along with we have also highlighted the security concerns of cloud computing . Section 2 provides an overview of the types of the cloud computing . Section 3 introduces the cloud computing security. Section 4 and 5 discusses the various security issues and concerns of Cloud computing and the de-ployment models for eliminating those security concerns.

2 Types of Cloud Computing

Cloud computing is typically classified in two ways:

Location of the cloud computing and the type of services offered.

2.1 Based on Location of the Cloud[1,2,3]

Public cloud: In Public cloud the computing infrastructure is hosted by the cloud vendor at the vendor’s premises. The customer has no visibility and control over where the computing infrastructure is hosted. The computing infrastructure is shared between any organizations.

Private cloud: The computing infrastructure is dedicated to a particular organization and not shared with other organizations. Private clouds are more expensive and more secure when compared to public clouds.

Hybrid cloud: Organizations may host critical applications on private clouds and applications with relatively less security concerns on the public cloud. The usage of both private and public clouds together is called hybrid cloud. A related term is Cloud Bursting. In Cloud bursting organization use their own computing infrastructure for normal usage, but access the cloud for high/peak load requirements. This ensures that a sudden increase in computing requirement is handled gracefully.

2.2 Based upon the Services Offered [1,2,3]

Infrastructure as a service (IaaS): IaaS provides basic storage and computing capabilities as standardized services over the network. Servers, storage systems,

Security Concerns in Cloud Computing 105

networking equipment, data centre space etc. are pooled and made available to handle workloads. The customer would typically deploy his own software on the infrastruc-ture. Leading vendors that provide Infrastructure as a service are Amazon EC2, Ama-zon S3, Rack space Cloud Servers and Flexi scale.

Platform as a Service (PaaS ): Here, a layer of software, or development environ-ment is encapsulated & offered as a service, upon which other higher levels of service can be built. The customer has the freedom to build his own applications, which run on the providers infrastructure. Typical players in PaaS are Google’s Application En-gine, Microsofts Azure, Salesforce.com’s force.com .

Software as a service (SaaS): In this model, a complete application is offered to the customer, as a service on demand. A single instance of the service runs on the cloud & multiple end users are serviced. On the customers side, there is no need for upfront investment in servers or software licenses, while for the provider, the costs are low-ered, since only a single application needs to be hosted & maintained. Examples are Salesforce.coms ,Googles gmail and Microsofts hotmail, Google docs and Microsofts online version of office called BPOS (Business Productivity Online Standard Suite).

3 Cloud Computing Security

Cloud computing security is an evolving sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. There are a number of security issues associated with cloud computing but these issues fall into two broad categories: Security issues faced by cloud providers (organizations providing Software-, Platform-, or Infrastructure-as-a-Service via the cloud) and security issues faced by their customers. In most cases, the provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected while the customer must ensure that the provider has taken the proper security measures to protect their information. In cloud computing, end users’ data is stored in the service provider’s data centers rather than storing it on user’s computer. This will make users concerned about their privacy. Moreover, moving to centralized cloud services will result in user’s privacy and secu-rity breaches as discussed in. Security threats may occur during the deployment; also new threats are likely to come into view. Cloud environment should preserve data integrity and user privacy along with enhancing the interoperability across multiple cloud service providers. The security related to data distributed on three levels in [11]:

Network Level The Cloud Service Provider (CSP) will monitor, maintain

and collect information about the firewalls, Intrusion detection or/and pre-vention systems and data flow within the network.

Host Level :It is very important to collect information about system log files., in order to know where and when applications have been logged.

Application Level: Auditing application logs, which then can be required for incident response or digital forensics.

106 P.J. Kaur and S. Kaushal

At each level, it is required to satisfy security requirements to preserve data secu-rity in the cloud such as confidentiality, integrity and availability as follows:

1. Confidentiality: Ensuring that user data which resides in the cloud cannot be ac-cessed by unauthorized party. This can be achieved through proper encryption tech-niques taking into consideration the type of encryption: symmetric or asymmetric encryption algorithms, also key length and key management in case of the symmetric cipher.

2. Integrity: Cloud users should not only worry about the confidentiality of data stored in the cloud but also the data integrity. Data could be encrypted to provide con-fidentiality where it will not guarantee that the data has not been altered while it is residing in the cloud. Mainly, there are two approaches which provide integrity, using Message Authentication Code (MAC) and Digital Signature (DS). In MAC, it is based on symmetric key to provide a check sum that will be append to the data. On the other hand, in the DS algorithm it depends on the public key structure (Having public and private pair of keys). As symmetric algorithms are much faster than asymmetric algorithms, in this case, we believe that Message Authentication Code (MAC) will be the best solution to provide the integrity checking mechanism.

3. Availability: Another issue is availability of the data when it is requested via au-thorized users. The most powerful technique is prevention through avoiding threats affecting the availability of the service or data. It is very difficult to detect threats tar-geting the availability. Threats targeting availability can be either Network based at-tacks such as Distributed Denial of Service (DDoS) attacks or CSP availability.

4 Security Issues in Cloud

4.1 Various Security Issues

Security concerns have been raised due to the computing model introduced by cloud computing, which is characterized by off-premises computing, lost control of IT in-frastructure, service-oriented computing, and virtualization, and so on. Here are seven of the specific security issues Gartner says customers should raise with vendors before selecting a cloud vendor.[5,10]

1. Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs.

2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signaling that customers can only use them for the most trivial functions.

3. Data location. When we use the cloud, we probably won't know exactly where our data is hosted. In fact, we might not even know what country it will be stored in.

4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists.

Security Concerns in Cloud Computing 107

5. Recovery. Even if we don't know where our data is, a cloud provider should tell us what will happen to our data and service in case of a disaster.

6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing. Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.

7. Long-term viability. Ideally, our cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But we must be sure that our data will remain available even after such an event.

4.2 Security Policy in Cloud Computing Environment

In order to solve these problems, the security policy [9] should include the following points:

a) Divided into multiple security domains in the cloud computing environment, dif-ferent security domain operation must be mutual authentication, each security domain internal should have main map between global and local.

b) Ensure that the user’s connection and communications security with the SSL, VPN, PPTP, etc. Using license and allowing there are multiple authorizations among user, service owner and agents, to ensure user access to data securely.

c ) User data security assurance: according to the different user’s requirements, dif-ferent data storage protection should be provided. At the same time, the efficiency of data storage should be improving.

d) Using a series of measure to solve the user dynamic requirements, including a complete single sign-on authentication, proxy, collaborative certification, and

certification between security domains. e) Establishment of third-party monitoring mechanism to ensure that operation of

cloud computing environment is safe and stable. f) The computing requested by service requestor, should carry out the safety tests,

it can check whether they contain malicious requests to undermine the security rules.

5 Security Models for Cloud Computing

5.1 Model for addressing Security Policies

The concept of Security Access Control Service (SACS). has been introduced [9] to address the above mentioned security policies in cloud computing environment.

Figure 1 represents the composition of its system modules. SACS includes Access Authorization, Security API, cloud connection Security. Access Authorization is used to authorize to users who want to request cloud service; Security API keeps users use spe-cific services safely after accessing to the cloud; cloud connection security to ensure the bottom resource layer. Combining the SACS with the existing architecture of cloud computing, A security model of cloud computing is constituted, as shown in Fig.2.

108 P.J. Kaur and S. Kaushal

Fig. 1. The system modules of SACS

Figure 2 Security Model

Fig. 2. Security Model

The process in the security model: First, the user creates a local user agent, and es-tablish a temporary safety certificate, then user agent use this certificate for secure authentication in an effective period of time. This certificate, including the host name, user name, user ID, start time, end time, and security attributes, etc. the user’s security

user Agent

Access Authorisation

SaaS

Security API

PaaS, IaaS

Cloud Connection Security

Virtual Resource Layer

Physical Resource Layer

Service Layer

Resource Layer

Access Authorisation

Security API

Cloud Connection Security

SACS

Security Concerns in Cloud Computing 109

access and authorization is complete. Second, when the user’s task use the resource on the cloud service layer, mutual authentication take place between user agent and specific application, while the application check if the user agent’s certificate is ex-pired, a local security policy is mapped.

Third, according to user’s requirements, cloud application will generate a list of service resource, and then pass it to the user agent. Through Security API, user agent connects specific services. And Cloud connection security ensures the safety of re-source provided by the resource layer. The security API in this model should be achieved with SSL method, while the realization of cloud connection security uses SSL and VPN methods

5.2 Deployment Models for Eliminating Security Concerns

To address the above mentioned security issues various deployment models have been proposed In the following, we present five deployment models [8] that address users’ security concerns with cloud computing.

1. Separation Model: The main idea is to have two independent services responsible for data processing and data storage. (Figure 3)

Fig. 3. Separation Model

Data are presented to users and are processed by the Data Processing Service. When the data need to be stored, they are handed over to the Cloud Storage Service, which will make the data persistent and ready for retrieval in the future. The Separation Model mandates at least two different cloud computing service providers be involved in a transaction. To some extent, this prevents some frauds and errors by preventing any single service provider from having excessive control over the transactions. 2. Availability Model: With the availability model, a user can work on her data via a data processing service, and the data will be kept on a cloud storage service.(figure 4).

Fig. 4. The Availability Model

User

Data Processingservice A

Cloud Storage service B

Cloud Storageservice C

Data Processingservice B

Cloud Storageservice D

User Data Processingservice

Cloud Storage service

110 P.J. Kaur and S. Kaushal

To ensure the availability of the services, there are at least two independent data processing services, Data Processing Service A and Data Processing Service B re-spectively, and two independent data storage services, Cloud Storage Service C and Cloud Storage Service D respectively. Either one of the data processing services can have access to the data on either one of the cloud storage services. Data are replicated and synchronized via a Replication Service. The Availability model imposes redun-dancy on both data processing and cloud storage. Hence there is no single point of failure with respect to data access. When a data processing service or a cloud storage service experiences failure, there is always a backup service present to ensure the availability of the data.

3. Migration Model: When data on clouds can only stay on the clouds where they are kept, users will be forced to stay with the clouds unless they decide to give up their data. This is not an acceptable situation.

Fig. 5. Migration Model

In this model (figure 5) users process their data via a Data Processing Service, where the data are kept on Cloud Storage Service A. The Cloud Data Migration Ser-vice can interact with Cloud Storage Service A and another cloud storage service, namely Cloud Storage Service B. The Cloud Data Migration Service can move data from Cloud Storage Service A to Cloud Storage Service B, and vice versa. By being able to move data from Cloud Storage Service A to Cloud Storage Service B, users need not worry about their data being excessively controlled by a cloud provider, knowing that they can switch to another service provider by moving the data out from the current cloud storage service provider to another.

4. Tunnel Model: The Tunnel model introduces a tunnel service located between the Data Processing Service and the Data Storage Service. (figure: 6)

Fig. 6. Tunnel Model

The tunnel servers as a communication channel between the Data Processing Ser-vice and the Cloud Storage Service. It is responsible for providing an interface for the two services to interact with each other, for manipulating and retrieving data. The tunnel can in fact be implemented as a service as well. With the Tunnel Model, the Data Processing Service manipulates data based on the interface provided by the Data Tunneling Service. The Cloud Storage Service will not be able to relate the data it keeps with a specific data processing service. The Tunnel Model makes it extremely

User Data Processing service

Cloud Storage service B

Cloud Storage service A Migration

Service

User Data Processingservice

Cloud Storage service

Data Tunneling service

Security Concerns in Cloud Computing 111

difficult for the Data Processing Service to collude with the Cloud Storage service for fraud.

5. Cryptography Model: For critical applications, the security of data, especially confidentiality and integrity, are key requirements. Data confidentiality and integrity are in most cases dependent on cryptography support. The Cryptography Model Fig-ure 7, augments the Tunnel Model with a Cryptography Service, which provides sup-port for cryptographic operations on data. The Data Processing Service feeds data to the Data Tunneling Service for persistence. The Data tunneling Service will invoke the Cryptography Service to perform a cryptographic operation on the data before handing the data over to the Cloud Storage Service. Thus the data kept by the Cloud Storage Service are cryptographically processed, meaning that they could be cipher-text that can only be read by those who have the decryption key, or they could be data augmented with digital signatures or message authentication codes, and so on, de-pending on the security requirements. With the Cryptography Model, data can be stored in their cryptographically processed form.

Fig. 7. Cryptography Model

6 Conclusion

With the continuous promotion of cloud computing, security has become one of the core issues In this paper security in cloud computing was elaborated in a way that covers security issues and challenges and the deployment models for eliminating Se-curity concerns. These deployment models are developed to address the security is-sues raised by the identified security concerns. The proposed models are not without limitations. As the proposed models are at deployment architecture level, they do not include specific protocols and algorithms that can provide supports for confidentiality and integrity at cryptography level. Corresponding design patterns and interfaces should also be developed to allow cloud based applications be deployed on clouds in the manners specified by the proposed models. In all, Cloud computing platform need to provide some reliable security technology to prevent security attacks, as well as the destruction of infrastructure and services .

References

1. Cloud Computing, Wikipedia, http://en.wikipedia.org/wiki/CloudComputing 2. Lenk, A., Klems, M., Nimis, J., Tai, S., Snadholm, T.: What’s Inside the Cloud? An Archi-

tectural Map of the Cloud Landscape. In: IEEE Proceedings, ICSE 2009, May 23, pp. 23–31 (2009)

User Data Processingservice

Cloud Storage service

Data Tunneling service

Cryptographic Service

112 P.J. Kaur and S. Kaushal

3. Harris, T.: Cloud Computing- An Overview., Whitepaper, Torry Harris Bussiness Solutins (January 2010)

4. Buyya, R., Pandey, S., Vecchiola, C.: Cloudbus Toolkit for Market-Oriented Cloud Com-puting. CloudCom, pp. 22-44 (2009)

5. Popovic, K., Hocenki, Z.: Cloud Computing security issues and challenges. In: MIPRO 2010, opatija, Croatia, May 24-28, pp. 344–349 (2010)

6. Jing, X., Zhang, J.-j.: A brief survey on the Security Model of Cloud Computing. In: Ninth International symposium on Distributed computing and Applications to Business, Engi-neering and Sciences, pp. 475–478. IEEE, Los Alamitos (2010)

7. Mukherjee, K., Sahoo, G.: A secure Cloud Computing. In: IEEE Proceedings of Interna-tional Conference on Recent Trends in Information, Telecommunication and Computing, pp. 369–371 (2010)

8. Zhao, G., Rong, C.: Deployment models- towards eliminating Security Concerne from Cloud Computing. In: IEEE Proceedings of International Conference on High Performance Computing and Simulation (HPCS), pp. 189–195 (2010)

9. Jing, Y., Zhang, J.-j.: A brief survey on the Security model of Cloud Computing. In: Ninth International Symposium on Distributed Computing and Applications to Bussiness, IEEE Proceedings Engineering and Science, pp. 475–478 (2010)

10. Brodkan, J.: Gartner: Seven Cloud Computing Security Risks, http://www.infoworld.com/.../security.../ gartner-seven- cloud-computing-security-risks

11. Almulla, S.A., Yeun, C.Y.: Cloud Computing Security Management. In: IEEE Proceedings of Second International Conference on Engineering Systems management and its Applica-tions (ICESMA), pp. 1–7 (2010)