
International Journal of Advanced Research in Management (IJARM), ISSN 0976 – 6324 (Print),

ISSN 0976 – 6332 (Online), Volume 3, Issue 2, July-December (2012)


SECURITY ISSUES IN CLOUD COMPUTING FOR MSMES

Mr. Hemantkumar Wani
Department of Management Studies
Shri Jagdiprasad Jhabarmal Tibrewala University
Rajasthan, India

Dr. N. Mahesh
Department of Management Studies
Shri Jagdiprasad Jhabarmal Tibrewala University
Rajasthan, India

ABSTRACT

This research paper focuses on the security issues of cloud computing in the micro, small and medium enterprises (MSME) sector. Intensifying competition among MSMEs and the early adoption of the latest internet-based applications and services have led to greater opportunities that are worth seizing. The opening up of the world's IT-based markets has posed many challenges with the flooding of IT-enabled services and applications. Cloud computing fulfils the users' aim of getting all resources instantly from various locations that are not known to them. But there are many hurdles to accomplishing this idea, in the form of security parameters and backup issues.

Keywords: MSME (Micro, Small & Medium Enterprises), SLA, SSL technology, firewall, middle server.

I. INTRODUCTION

Indian manufacturers, especially from the MSME sector, have started to adopt software and technology solutions that have been further revolutionized by the concept of cloud computing, which offers cutting-edge and innovative solutions to cope with these challenges.

In the recent past, the concept of cloud computing has revolutionized the world of IT. Cloud computing enables efficient online delivery of business applications that are accessible from web browsers. Cloud computing can supply a new type of computing and business model for MSMEs. The MSME sector has adopted this concept worldwide and has implemented it to improve its overall operations. The type of cloud service (SaaS, PaaS, etc.) an MSME is likely to use, the disaster recovery options under consideration, and the cloud computing services in terms of IT services and applications all have an effect on business and the economy. Security risks should be analyzed when adopting cloud computing technologies, along with the actual needs, requirements and expectations of MSMEs for cloud computing services.

INTERNATIONAL JOURNAL OF ADVANCED RESEARCH IN MANAGEMENT (IJARM)
ISSN 0976 - 6324 (Print), ISSN 0976 - 6332 (Online)
Volume 3, Issue 2, July-December (2012), pp. 21-28
© IAEME: www.iaeme.com/ijarm.html
Journal Impact Factor (2012): 2.8021 (Calculated by GISI), www.jifactor.com

Cloud computing emerged from so-called distributed computing and grid computing. Here the user can access any service he/she wants for a specific task and for a specific amount of time [1]. Cloud computing provides a facility for sharing and interoperating resources between different users and the systems owned by organizations. Security is a major hindrance in such systems because if users store their data in a remote location owned by an unknown person or organization, their data is not protected. Members communicating with each other should have a good level of trust in order to share data and resources with each other.

In an actual scenario, the cloud is the concept of virtualizing the user's local system using a remote cloud operating system to get a virtual desktop with a specific operating system or a choice of operating systems, and to store personal data and execute applications from anywhere. Customers or users purchase computing power depending on their demand and are not concerned with the underlying technologies used. The resources used and the data accessed are owned and operated by a third party. This third party may not be located in the same area where the user lives; it may be elsewhere in the state or country.

II. CLOUD STRUCTURE AND TYPES

Public cloud: It is used by a large number of users across the world, and security aspects act as the utmost hindrance in such situations. It is basically a pay-per-use model in which users pay according to their use, which is very useful and cost-effective both for the companies they work for and for themselves.

Private cloud: In a private cloud we get additional benefits such as additional security, as the company has the server at its end. As a way to exercise greater control over security and application availability, some enterprises are moving toward building private clouds. With the right approach and expertise in place, this type of setup can offer the best of both worlds: the cost-effectiveness of cloud computing and the assurance that comes with the ability to manage data and applications more closely.

Hybrid cloud: It provides services by combining private and public clouds that have been integrated to optimize service. The promise of the hybrid cloud is to provide the local data benefits of the private clouds with the economies, scalability, and on-demand access of the public cloud. The hybrid cloud remains somewhat undefined because it specifies a midway point between the two ends of the continuum of services provided strictly over the Internet and those provided through the data centre or on the desktop. [2]


III. MODELS OF CLOUD COMPUTING

A. Model 1: Infrastructure as a Service (IaaS)

The key aspects of IT infrastructure, hardware, facilities, and administration have traditionally been the domain of IT departments within each company. Dedicated personnel install and configure servers, routers, firewalls, and other devices in support of their respective employers. This equipment requires dedicated housing as well as environmental controls, emergency power, and security systems to keep it functioning properly. Finally, every company allocates additional space where IT personnel work to support the infrastructure that is in place. Every aspect of IT infrastructure has evolved on its own, yet, until now, has not moved toward integration. For example, a company purchases software it needs and then purchases a server to run it. If data storage is necessary for files or databases, disk arrays and hard drives are added into the mix to accommodate the needs of the company. A local network is maintained to provide employees access to IT resources, and high speed internet connectivity for voice and data is added to the company account as necessary. Practically speaking, each IT system has its own management system, with some systems requiring the addition of a specialized worker to the staff.

Infrastructure as a service takes the traditional components of IT infrastructure, takes them off site, and offers them in one unified, scalable package to companies who can manage them through one management interface. Infrastructure as a service results in IT services that easily conform to the changing requirements of a business. Because the infrastructure does not reside on the premises, obsolete equipment, upgrades, and retrofits no longer play a role in the company's decision to adopt new technology [3]. The IaaS provider takes care of that seamlessly, allowing the business to focus on its mission. Cost effectiveness augments the convenience of IaaS.

Because the IaaS provider has massive platforms segmented for each customer, the economies of scale are enormous, providing significant cost savings through efficiency. The need for every company to maintain its own infrastructure is eliminated through IaaS. The power of IaaS brings the resources needed to service government and enterprise contracts to businesses of every size. IaaS improves reliability because service providers have specialized workers that ensure nearly constant uptime and state-of-the-art security measures.

Infrastructure as a Service is a form of hosting. It includes network access, routing services and storage. The IaaS provider will generally provide the hardware and administrative services needed to store applications and a platform for running applications. Scaling of bandwidth, memory and storage is generally included, and vendors compete on the performance and pricing offered on their dynamic services. IaaS can be purchased either with a contract or on a pay-as-you-go basis. However, most buyers consider the key benefit of IaaS to be the flexibility of the pricing, since you should only need to pay for the resources that your application delivery requires [4].

B. Model 2: Software as a Service (SaaS)

Software is ubiquitous in today's business world, where software applications can help us track shipments across multiple countries, manage large inventories, train employees, and even help us form good working relationships with customers. For decades, companies have run software on their own internal infrastructures or computer networks. In recent years, traditional software license purchases have begun to seem antiquated, as many vendors and customers have migrated to a software as a service business model. Software as a service, or 'SaaS', is a software application delivery model by which an enterprise vendor develops a web-based software application, and then hosts and operates that application over the Internet for use by its customers. Customers do not need to buy software licenses or additional infrastructure equipment, and typically only pay monthly fees (also referred to as annuity payments) for using the software. It is important to note that SaaS typically encapsulates enterprise as opposed to consumer-oriented web-hosted software, which is generally known as web 2.0. According to a leading research firm, the SaaS market reached $6.3B in 2006; still a small fraction of the over $300B licensed software industry. However, growth in SaaS since 2000 has averaged 26% CAGR, while licensed software growth has remained relatively flat. Demand for SaaS is being driven by real business needs, namely its ability to drive down IT-related costs, decrease deployment times, and foster innovation [5].

Both public and private cloud models are now in use. Available to anyone with Internet access, public models include Software as a Service (SaaS) clouds like IBM LotusLive™, Platform as a Service (PaaS) clouds such as IBM Computing on Demand™, and Security and Data Protection as a Service (SDPaaS) clouds like the IBM Vulnerability Management Service. Private clouds are owned and used by a single organization. They offer many of the same benefits as public clouds, and they give the owner organization greater flexibility and control. Furthermore, private clouds can provide lower latency than public clouds during peak traffic periods. Many organizations embrace both public and private cloud computing by integrating the two models into hybrid clouds. These hybrids are designed to meet specific business and technology requirements, helping to optimize security and privacy with a minimum investment in fixed IT costs. All these services are cost-effective but have a lot of issues regarding security and backup. Depending upon the implementation and platform needed, the central server can send the request to the respective server.

IV. REQUIREMENTS OF SECURITY

It gives a general description of security services and related mechanisms, which can be ensured by the Reference Model, and of the positions within the Reference Model where the services and mechanisms may be provided. It extends the field of application of ISO 7498 [6] to cover secure communications between open systems. It adds to the concepts and principles included in ISO 7498 but does not modify them. In Fig. 1, we show how the requirements are fulfilled in our proposed system.

a. Authentication and Authorisation

Users can be identified in this model, as we use SSL security for that purpose. A governance body acts as an interface between the user and the cloud servers. There will be encryption between the user and the central server and between the central server and the cloud of servers. User details will be stored within the central server in the form of a UserID etc., and validation will be done accordingly. Hence this requirement is fulfilled. Authorization is not a big issue in a private cloud because the system administrator can handle it by granting access only to those who are authorized to access the data, whereas in a public cloud it becomes more hectic because requests from normal users have to be taken into consideration. Privileges over the process flow have to be considered, as control may flow from one server to another. The respective UserID will be saved in the central servers after registration, and authorization can be done easily as the respective rights can be stated there.

b. Confidentiality

Confidentiality plays a very important role, as the data has to be secure and should not be revealed anywhere. This can be achieved in this system as we have used Dual SSL technology. Users' data, profiles etc. have to be maintained, and as they are accessed virtually, various security protocols have to be enforced. If we standardize the whole cluster of a particular sector, then this can be easily imposed. With regard to data-in-transit, the primary risk is in not using a vetted encryption algorithm. Although this is obvious to information security professionals, it is not common for others to understand this requirement when using a public cloud, regardless of whether it is IaaS, PaaS or SaaS. It is also important to ensure that a protocol provides confidentiality as well as integrity (e.g., FTP over SSL [FTPS], Hypertext Transfer Protocol Secure [HTTPS], and Secure Copy Program [SCP]), particularly if the protocol is used for transferring data across the Internet. Merely encrypting data and using a non-secured protocol (e.g., "vanilla" or "straight" FTP or HTTP) can provide confidentiality, but does not ensure the integrity of the data (e.g., with the use of symmetric streaming ciphers) [6].
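The point about streaming ciphers can be made concrete. The following is an added example, not code from the paper: it uses a toy keystream built from SHA-256 (an assumption standing in for any stream cipher) and a constructed sample message to show that encryption alone lets a modified ciphertext decrypt without error, while encrypt-then-MAC with HMAC-SHA-256 rejects it.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); stands in for any stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def alter_in_transit(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Model a change made on the wire: XOR (known ^ wanted) into the ciphertext."""
    patched = bytearray(ciphertext)
    for i, (a, b) in enumerate(zip(known, wanted)):
        patched[offset + i] ^= a ^ b
    return bytes(patched)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = stream_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag before decrypting; refuse anything that was modified."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: ciphertext was modified")
    return stream_crypt(enc_key, nonce, ct)


# Constructed sample values, for illustration only.
ENC_KEY = hashlib.sha256(b"demo encryption key").digest()
MAC_KEY = hashlib.sha256(b"demo mac key").digest()
NONCE = b"nonce-0001"
MESSAGE = b"PAY 0100 INR TO ACCT 4471"


def demo_encryption_only() -> bytes:
    """Confidentiality without integrity: the altered message decrypts cleanly."""
    ct = stream_crypt(ENC_KEY, NONCE, MESSAGE)
    ct = alter_in_transit(ct, 4, b"0100", b"9900")
    return stream_crypt(ENC_KEY, NONCE, ct)


def demo_encrypt_then_mac() -> bool:
    """Returns True when the same alteration is detected by the MAC check."""
    ct, tag = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    ct = alter_in_transit(ct, 4, b"0100", b"9900")
    try:
        open_sealed(ENC_KEY, MAC_KEY, NONCE, ct, tag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_encryption_only())
    print(demo_encrypt_then_mac())
```

In practice the same property comes from using TLS-protected protocols such as the FTPS, HTTPS and SCP options named above, or an authenticated encryption mode, rather than a hand-built construction.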

c. Integrity

Integrity is maintained as hashing is done in SSL technology. The major drawback of this technology is the excessive redundant data, due to which bandwidth is used up and the packet size is increased.

From a privacy and confidentiality perspective, the terms of service may be the most important feature of cloud computing for an average user who is not subject to a legal or professional obligation. It is common for a cloud provider to offer its facilities to users without individual contracts and subject to the provider's published terms of service. A provider may offer different services, each of which has distinct terms of service. A cloud provider may also have a separate privacy policy. It is also possible for a cloud provider to conduct business with users subject to specific contractual agreements between the provider and the user that provide better protections for users. The contractual model is not examined further here. If the terms of service give the cloud provider rights over a user's information, then a user is likely bound by those terms. A cloud provider may acquire through its terms of service a variety of rights, including the right to copy, use, change, publish, display, distribute, and share with affiliates or with the world the user's information. There may be few limits to the rights that a cloud provider may claim as a condition of offering services to users. Audits and other data integrity measures may be important if a user's local records differ from the records maintained on the user's behalf by a cloud provider.

d. Availability

Another issue is the availability of the data when it is requested by authorized users. The most powerful technique is prevention, through avoiding threats that affect the availability of the service or data. It is very difficult to detect threats targeting availability. Threats targeting availability can be either network-based attacks, such as Distributed Denial of Service (DDoS) attacks, or CSP availability. For example, Amazon S3 suffered a two-and-a-half-hour outage in February 2008 and an eight-hour outage in July 2008. In the next section, we will discuss the identity and access management practices of cloud computing by tackling some protocols such as the Security Assertion Markup Language (SAML) and the Open Authentication (OAuth) protocol, and a comparison between these two techniques to conclude the best solution.

e. Non-repudiation

Non-repudiation is the requirement which states that if a sender is sending the data to the other end. In our proposed system this requirement is fulfilled by the middle server, because it has the routing table as well as the table of contents of all the servers in the cloud with the corresponding server ID, name, location etc. Because of the routing table's entries for server IP, receiver IP and sender IP, we can state that if the user has sent a request he cannot deny it, and if the receiver gives an acknowledgement or response he also cannot deny giving it.

f. Backup and Disaster Recovery

A cloud may be used for production operations, so it is important to have a backup and disaster recovery policy in place. The backup policy should define what data is backed up, how long backups are kept, as well as costs associated with those services. Similarly, in the event of a catastrophic failure of a private cloud, a failover plan should be in place. This plan may include using multiple data centers to host a private cloud or running jobs in a more conventionally organized cluster environment with manual management of jobs. The details of how to implement backup and disaster recovery will vary by your needs and resources, but it is essential for business continuity planning to have some policy in place [8].

V. USE OF PROPOSED MODEL

In the proposed system we introduce a central server holding a routing table that contains the cloud ID, the corresponding user ID, and the actual server ID to which the user is connecting. The source IP and the destination IP are also put into the table.

Figure 1. Architecture Diagram of proposed model


It also contains the actual amount of data flow, that is, the transfer rate in packets per second. On the user end there will be a personal firewall, and the connectivity between the user and the central server will be encrypted using the SSL encryption standards that are regularly used nowadays. At the central server's end there will be an application-level firewall which will check whether the packets are malicious or not. Application-level firewalls (sometimes called proxies) look more deeply into the application data going through their filters. Fig. 2 shows the architectural diagram of the proposed system. By considering the context of client requests and application responses, these firewalls attempt to enforce correct application behavior, block malicious activity and help organizations ensure the safety of sensitive information and systems. They can log user activity too. Application-level filtering may include protection against spam and viruses as well, and be able to block undesirable Web sites based on content rather than just their IP address [6].

Further, we suggest making a separate cluster of clouds for the banking sector, the educational sector and government bodies (which will not contain confidential data). The user has a personal firewall at his end. The central server, say for banks as an example, holds a table consisting of the user ID, server ID, server name and all the related information through which a governance body can backtrack the server and the user. When a user tries to connect to a particular server in the cloud, his/her user ID, server ID, source IP and destination IP are saved. The total time of synchronization, the packet size being transferred, the server name and the total lease time in the case of a secure connection are also saved in the table. If the user is not able to connect to a server, i.e., if the ping shows a connection timeout, we can easily track the server from the central server's routing table.

Even the user credentials and the session are secured by SSL technology. Further, we can achieve more security by combining different security algorithms with SSL [9]. There is secured connectivity between the user and the central server and between the cloud's servers. Due to double encryption, all the security requirements are fulfilled in this model. Tracking the server is also simple because there will be a table which tells us the cloud ID, server name, server ID and the name of the organization whose server it is. So if the server is not getting connected, we can track it. We also have to standardize all the servers in the cloud for a particular sector; in the banking sector, for example, the centralized banks, co-operative banks etc. have to come together and use standardized protocols to achieve this proposal. Likewise, by standardizing in the education sector we can achieve a common place to gain knowledge and use the services accordingly. We have also included the routing table below, which depicts the actual scenario.

TABLE I. ROUTING TABLE

UID    SID   Source IP      Destn IP       Time     Cloud ID  Packet Size  Server Name  Lease Time
12017  2747  191.268.67.67  101.123.22.25  500mins  222       437kb        ABC          30mins
86770  2967  111.125.25.23  102.124.12.35  800mins  266       128kb        XYZ          18mins
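Tracking users and servers from the central server's table only works if the stored rows cannot be quietly edited or dropped afterwards. As an added example (not part of the paper's proposal), the sketch below keeps the Table I columns in a log where each row's HMAC tag also covers the previous row's tag; the class name, the chaining scheme and the key held by the governance body are assumptions.

```python
import hashlib
import hmac
import json

# Column names follow Table I of the paper.
FIELDS = ("uid", "sid", "source_ip", "dest_ip", "time",
          "cloud_id", "packet_size", "server_name", "lease_time")
GENESIS = bytes(32)  # fixed starting value for the chain


class RoutingLog:
    """Hypothetical central-server routing table with chained integrity tags."""

    def __init__(self, key: bytes):
        self._key = key        # assumed to be held by the governance body
        self.entries = []      # list of (record, tag) pairs

    def _tag(self, prev_tag: bytes, record: dict) -> bytes:
        # Canonical JSON so the same record always produces the same bytes.
        body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_tag + body, hashlib.sha256).digest()

    def append(self, **record) -> None:
        if set(record) != set(FIELDS):
            raise ValueError("record must contain exactly the Table I columns")
        prev_tag = self.entries[-1][1] if self.entries else GENESIS
        self.entries.append((record, self._tag(prev_tag, record)))

    def verify(self) -> int:
        """Return the index of the first row that fails the check, or -1 if intact."""
        prev_tag = GENESIS
        for index, (record, tag) in enumerate(self.entries):
            if not hmac.compare_digest(self._tag(prev_tag, record), tag):
                return index
            prev_tag = tag
        return -1

    def trace(self, uid: int) -> list:
        """Back-track every connection recorded for a user ID."""
        return [record for record, _ in self.entries if record["uid"] == uid]


def build_table_one(key: bytes = b"constructed-demo-key") -> RoutingLog:
    """Load the two rows of Table I, values copied verbatim from the paper."""
    log = RoutingLog(key)
    log.append(uid=12017, sid=2747, source_ip="191.268.67.67",
               dest_ip="101.123.22.25", time="500mins", cloud_id=222,
               packet_size="437kb", server_name="ABC", lease_time="30mins")
    log.append(uid=86770, sid=2967, source_ip="111.125.25.23",
               dest_ip="102.124.12.35", time="800mins", cloud_id=266,
               packet_size="128kb", server_name="XYZ", lease_time="18mins")
    return log


if __name__ == "__main__":
    table = build_table_one()
    print(table.verify())                        # chain status for the untouched table
    print(table.trace(86770)[0]["server_name"])  # server reached by this user ID
```

The chain detects edited or removed rows but not removal of the newest rows, so the latest tag has to be recorded somewhere outside the table; a shared-key tag also gives tamper evidence rather than proof against the key holder, for which digital signatures would be needed.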

VI. CONCLUSION

The model we have proposed has its own advantages in terms of security and backup. Owing to the middle server between the user and the cloud server, we can easily track the user as well as the server in the cloud. We can also link public and private clouds together in one with hybrid clouds. With SSL security, the security parameters are also taken into consideration. This model can help cloud computing and make it reach new ends.

REFERENCES

[1] Peter Mell and Tim Grance, "The NIST Definition of Cloud Computing", http://csrc.nist.gov/groups/SNS/cloud-computing/

[2] Brian J. Dooley, "Architectural Requirements of the Hybrid Cloud", Information Management Online, February 10, 2010.

[3] Steve Lesem, http://cloudstoragestrategy.com/2010/01/cloud-storage-for-the-enterprise---part-2-the-hybrid-cloud.html, January 25, 2010.

[4] R. Nicole, "Title of paper with only first word capitalized," J. Name Stand. Abbrev., in press.

[5] http://www.wikinvest.com/concept/Software_as_a_Service

[6] Tim Mather, Subra Kumaraswamy, and Shahed Latif, "Cloud Privacy and security", pp. 529–551, September 2009: First Edition.

[7] "IBM Point of View: Security and Cloud Computing", Cloud computing White paper, November 2009.

[8] Zhidong Shen, 2010 2nd International Conference on Signal Processing Systems (ICSPS).

[9] Palivela Hemant, Hemant Wani, "Development of Servers In Cloud Computing To Solve Issues Related To Security And Backup" (CCIS-IEEE Conference, Beijing, China).