Page 1: Contemporary Security Issues and Challenges in Public Cloud Computing

A Survey on Security issues and challenges in Public Cloud Computing

1GnanaPrakasam T, 2Rajiv Kannan A

1Assistant Professor in Computer Science and Engineering, The Kavery Engineering College, Mecheri, Tamil Nadu, India

1Professor in Computer Science and Engineering, K.S.R College of Engineering, Tiruchengode, Tamil Nadu, [email protected], [email protected]

Abstract – Cloud computing refers to data, processing power, and software held on remote servers that are readily accessible over the Internet, as opposed to on one's own terminals. For consumers, cloud computing services can bring major cost savings and efficiencies. It opens the world of computing to a wider range of uses and adds ease of use by providing access through any network link. Much sensitive information and data that was secured and kept on local computers is now being relocated to the cloud. Along with these advantages there are also some drawbacks. Consumers have less control over unauthorized access to the data and have minimal awareness of where it is located. There are several security risks to data located in the cloud. The cloud can be attacked by malicious people who can access the data through insecure Internet links. Numerous issues need to be addressed with respect to security and confidentiality in a cloud computing set-up. This wide-ranging review paper aims to briefly examine the open questions that threaten cloud computing.

Keywords – Cloud Computing, security, longevity, recovery, data segregation

I. INTRODUCTION

The Internet has been a driving force behind various technologies that have been developed. Cloud computing is seen as a trend in the present day, with almost all organizations trying to make an entry into it [1]. The advantages of using cloud computing are reduced hardware and maintenance cost, accessibility around the globe, and flexibility. Fig. 1 shows the basic cloud platform and the various applications that cloud providers offer to consumers.

A few existing techniques that contribute to cloud computing are:

1. Virtualization

Virtualization is a key technology used in cloud computing environments. The idea of cloud computing has captured the attention of organizations of all sizes because its capability delivery model converts the power of virtualization into measurable business value. Cloud computing includes virtualization and the way to implement it [2]. Together, cloud and virtualization support the delivery of optimized resources, on-demand applications, elasticity and scalability.

2. Web Service, SOA and Mash-up

The objective of a Service Oriented Architecture (SOA) is increased IT compliance, reduced cost of application development and maintenance, and better alignment between IT specialists and business users [3]. Cloud Computing and SOA Services provide:

Cloud Computing & Virtualization Referring / Executions

SOA Accessing / Applications

Complex Event Processing (CEP) Checking / Operations

XML / SOAP / REST Web Services constructed Compound Requests and SOA Resolutions

Software Development, comprising Mobile Applications.

Mash-ups allow developers to combine interesting data and then visualize that data through a web application. In practice, a mash-up requires a data source and a web visualization platform. Mash-up is a technique by which a website or Web application uses data, presentation or functionality from two or more sources to create a new service [4].

3. Application Programming Interface (API)

An application programming interface (API) is one of the most significant techniques of cloud computing. Without an API, there is no cloud computing. APIs facilitate cloud services such as Amazon Simple Storage Service (S3), Amazon Elastic Compute Cloud (EC2) and Twitter. These organizations use this technique to access the service [5]. Cloud APIs fall into three broad groups:

Control APIs, which permit cloud infrastructure to be added, reconfigured, or removed in real time.

Data APIs, through which data is streamed along the channels to and from the cloud.

Application Functionality APIs, which enable the functionality with which end customers interact.

The remainder of this paper is organized as follows. Section II presents the background. Section III discusses threats to security in public cloud computing in terms of basic, network level and application level security. Section IV provides recommendations and suggestions to overcome the security challenges, and Section V concludes the paper.

II. BACKGROUND

The Cloud Computing exploration group discussed various usage scenarios and associated requirements that may occur in the cloud model. These models reflect use cases from various viewpoints, including those of customers, designers and security engineers [6]. ENISA examined the different security risks connected to the influences and weaknesses in cloud computing [7]. Discussions were held with respect to the security requirements and objectives related to data location, segregation and data recovery [8]. Related work has addressed high-level security concerns in cloud computing models, such as data integrity, payment and privacy of sensitive information [9].

Different authors have studied the possible vulnerabilities in technology-related, cloud-characteristics-related and security-concerns-related issues and risks [10]. Work has been carried out on the management of security in cloud computing, focusing on cloud security issues with the help of observations made by the International Data Corporation enterprise [11]. A survey by the Cloud Security Alliance (CSA) and IEEE indicates that enterprises in almost all sectors are keen to implement cloud computing. However, security measures are needed both to accelerate cloud adoption on a wider scale and to respond to regulatory advice from different governing bodies [12, 32]. Several studies have been carried out concerning security matters in cloud computing, and these efforts have thoroughly investigated cloud computing security issues and challenges.

Several security issues have to be considered before an enterprise switches to the cloud computing model [13]. They are:

Restricted consumer admission: A hazard which deals with who accesses the data of a business in the cloud.

Governing Agreement: A threat concerning warranties and guidelines in relation to a cloud service.

Data Position: A danger about who stores the data in a specific site.

Data Separation: A feature which deals with the concern that one’s data must not mix with somebody else’s data.

Data Retrieval: A subject which suggests that clients might not be able to get their data back.

Long-Term Feasibility: A characteristic which means that the cloud provider is relied on to remain in service indefinitely [14].

III. THREATS TO SECURITY IN PUBLIC CLOUD COMPUTING

Because cloud computing involves many technologies, such as networks, databases, operating systems, resource scheduling, transaction management, concurrency control and memory management, several security issues arise [15]. Security requires a holistic approach. Security at different levels, namely the basic level, network level and application level, is necessary to keep the cloud up and running continuously.

1. Basic Security

A. Emulating and speedy resource assembling

The demands in IT lead to an accumulation of virtual machines, causing VM sprawl. With cloud self-service portals, VMs can be rapidly provisioned and readily cloned and moved between physical servers. However, vulnerabilities or configuration errors may be unintentionally propagated. It is difficult to maintain an auditable record of the security state of a VM at a given point in time [16]. This raises a question about the possible security risks in the use of shared pre-built images, which are vital.

B. Data Remnants

In a cloud environment, data is frequently moved to make the best use of resources, which means that enterprises may not always know where their data is located [17]. This may be true of any cloud model, but is especially true in the public cloud. To achieve the greatest cost savings, businesses want service providers to optimize resource usage.

Also, if data is relocated, residual data may be left behind which can be accessed by unauthorized users [18]. This unauthorized access is considered unpreventable in the public cloud to date. However, new security practices must be introduced to relocate data without leaving any remnants in the old location.

C. Adaptable Limits

A cloud environment produces an adaptable limit. Additional departments and users throughout the organization can provision computing resources, and a cloud portal can also be extended to external parties such as partners [19]. However, with this increased access comes an increased risk of data leakage. In addition, businesses are faced with managing and securing a diverse set of mobile devices, often owned by the employee. With this trend towards consumerization, the cloud is often used for consistent access to applications and data on roaming endpoints. Security must provide a balance of flexible access and data protection [20].

D. Unencrypted data

Unencrypted data is clearly a weakness where sensitive data is concerned. Data encryption helps to address external threats, threats from malicious insiders, and the need for regulatory compliance [21]. With data encryption, issues such as data remnants and an adaptable limit become less serious, because even if the data is accessed by an unauthorized user, it cannot be read. However, many outdated encryption solutions can leave customers in a vulnerable position in the cloud. If there is no solution that provides policy-based management methods with identity- and integrity-based server authentication, unauthorized servers may obtain the encrypted data [22].

E. Shared multi-tenant environments of the public cloud

The multi-tenant architecture of the public cloud raises concerns about others seeing an enterprise’s cloud data, or sharing its storage volumes. With these concerns comes a desire for visibility [23]. One customer in this environment should not be allowed to access the data of another tenant.

F. Control and availability

The common understanding about the use of a common data center or public cloud gives organizations a better feeling that they have good control over the data with regard to security and accessibility [24]. Service providers can build their cloud infrastructure to offer high availability and performance, maintained by their cloud computing specialists [25]. Often this infrastructure and staff exceed what an enterprise can deliver in-house. However, all data centers, whether in-house or operated by a service provider, may undergo outages.

G. Invader’s Practice on the cloud

Attackers also use cloud computing techniques to support their attacks. The computing resources of the public cloud can be used to launch attacks. In the multi-tenant environment, attackers can carry out inter-VM attacks by setting up their own VM and then infecting the guests of other tenants on the same host machine [26]. This type of attack can result in stolen computing resources being used for trusted data access. Attackers also create their own private clouds to distribute resources.

2. Network Level Security

There are different network issues that occur in cloud computing some of which are discussed below:

A. Denial of Service

When a hacker floods a network server or web server with repeated service requests in order to disrupt the network, the server subjected to the denial of service cannot keep up with them. The server cannot serve clients' regular requests. In cloud computing, when the hacker attacks a server by sending numerous requests, the server is unable to respond properly and may hang [27]. This can be avoided by reducing the privileges of the users connected to a server.

B. Man in the Middle Attack

This kind of problem arises if the secure socket layer (SSL) is not configured properly. In this situation, the network link can easily be intercepted by an unknown person while the two parties establish communication [28]. One of the remedies for this type of attack is to install and configure SSL properly before the parties establish communication between themselves.

C. Port Scanning

Port scanning is one of the most popular reconnaissance techniques attackers use to discover services they can break into. All machines connected to a network run many services that use TCP or UDP ports, and there are more than six thousand defined ports available [29]. Normally, a port scan does no direct damage by itself. A port scan can, however, help the attacker find which ports are available to launch various attacks. Port scanning tools can also be used legitimately by administrators and users to learn about network vulnerabilities [30].
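As an added example (not from the paper), the following sketch shows one way a defender can spot the scanning behaviour described above in connection logs: count the distinct destination ports one source touches on one host inside a sliding time window. The log format, addresses, window and threshold are all assumptions made for this illustration, and the sample log is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse '<ISO time> <src> -> <dst>:<port> <action>' (hypothetical log format)."""
    ts, src, _arrow, target, action = line.split()
    dst, port = target.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=10):
    """Return sorted (src, dst, peak_distinct_ports) for pairs that reach
    min_ports distinct destination ports within any single window."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst, port, _action = parse_line(line)
            events[(src, dst)].append((ts, port))

    findings = []
    for (src, dst), evs in events.items():
        evs.sort()
        in_window = Counter()   # port -> number of events currently in the window
        start = 0
        peak = 0
        for ts, port in evs:
            in_window[port] += 1
            # Drop events that have fallen out of the window.
            while ts - evs[start][0] > window:
                old_port = evs[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            findings.append((src, dst, peak))
    return sorted(findings)


def build_sample_log():
    """Constructed sample data using documentation address ranges."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    # Burst: 15 different ports on one host within 15 seconds.
    for i in range(15):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 203.0.113.9 -> 10.0.0.5:{20 + i} DENY")
    # Busy but ordinary client: 40 connections, all to port 443.
    for i in range(40):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 198.51.100.7 -> 10.0.0.5:443 ALLOW")
    # Slow probe: 12 different ports, ten minutes apart.
    for i in range(12):
        t = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{t} 192.0.2.44 -> 10.0.0.5:{8000 + i} DENY")
    return lines


if __name__ == "__main__":
    for finding in detect_port_scans(build_sample_log()):
        print(finding)
```

The slow probe in the sample stays under a 60-second window, so a short window alone misses it; running the same function with a longer window catches it at the cost of more state per source.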

D. SQL Injection Attack

SQL injection is an attack in which malicious code is inserted into strings that are later passed to SQL Server for parsing and execution. Therefore, any procedure that constructs SQL statements should be reviewed for injection vulnerabilities, because SQL Server executes all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker [31].
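The following added example (not from the paper) puts a statement built by string concatenation beside a hardened form. It uses Python's built-in sqlite3 as a stand-in for SQL Server; the table, data and function names are constructed for the illustration. Bound parameters cover values only, so the hardened version also allow-lists the one identifier (the sort column) that cannot be bound.

```python
import sqlite3


def make_db():
    """In-memory database with constructed multi-tenant sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tenant_files (owner TEXT, name TEXT, size INTEGER)")
    db.executemany(
        "INSERT INTO tenant_files VALUES (?, ?, ?)",
        [("alice", "report.pdf", 120), ("alice", "budget.xlsx", 300), ("bob", "keys.txt", 5)],
    )
    return db


def list_files_vulnerable(db, owner):
    # 'Before' form: the value becomes part of the statement text, so the
    # database parses whatever syntax the caller supplied.
    sql = "SELECT name FROM tenant_files WHERE owner = '" + owner + "' ORDER BY name"
    return [row[0] for row in db.execute(sql)]


# Identifiers cannot be bound as parameters; map accepted names to fixed columns.
ALLOWED_SORT = {"name": "name", "size": "size"}


def list_files_hardened(db, owner, sort_by="name"):
    column = ALLOWED_SORT.get(sort_by)
    if column is None:
        raise ValueError("unsupported sort column")
    # The value travels separately from the statement text and is never parsed as SQL.
    sql = f"SELECT name FROM tenant_files WHERE owner = ? ORDER BY {column}"
    return [row[0] for row in db.execute(sql, (owner,))]


# Constructed input that changes the meaning of the concatenated statement.
CONSTRUCTED_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(list_files_vulnerable(db, CONSTRUCTED_INPUT))  # rows of every tenant
    print(list_files_hardened(db, CONSTRUCTED_INPUT))    # no rows
```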

E. Cross Site Scripting

Cross-site scripting, also known as XSS or CSS, is generally believed to be one of the most common application layer hacking techniques.

Cross-site scripting is a hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect some types of data from the victim [17]. Cross-site scripting attacks can open the way to buffer overflows, DoS attacks and the insertion of malicious software into web browsers to compromise users' credentials [32]. Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise websites and web applications and make off with a treasure trove of sensitive data including credit card numbers, social security numbers and even medical records.

3. Application Level Security

A. XML Signature Element Wrapping

Naive use of XML Signature may result in signed documents remaining vulnerable to undetected modification by an adversary. In the typical usage of XML Signature to protect SOAP messages, an adversary may be capable of modifying valid messages in order to gain unauthorized access to protected resources [23].

The content of a SOAP message protected by an XML Signature as specified in WS-Security can be altered without invalidating the signature. This so called wrapping attack or XML rewriting attack [7] is possible because the referencing schemes used to locate parts of a SOAP message document differ from the signature verification function and the application logic.

To avoid this type of attack, it is better to use a digital signature authorized by a third party and to combine WS-Security with an XML signature over a particular component. The XML should carry the list of components so that the receiver can reject messages that contain malicious files and also reject unexpected messages from the client [10].
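The mismatch described above, where the signature check and the application logic locate message parts differently, can be shown with a simplified model. This is an added example, not code from the paper: it uses a namespace-free SOAP-like message, an HMAC in place of a real XML Signature, and a toy canonical form, all of which are assumptions. The strict variant accepts a message only when the element that was verified is the single Body the application will process.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # assumption: shared key standing in for the signer's key


def canonical(elem):
    """Toy stand-in for XML canonicalization: tag, sorted attributes, text, children."""
    attrs = "".join(f' {k}="{v}"' for k, v in sorted(elem.attrib.items()))
    inner = (elem.text or "").strip() + "".join(canonical(c) for c in elem)
    return f"<{elem.tag}{attrs}>{inner}</{elem.tag}>"


def digest(elem):
    # HMAC-SHA256 stands in for the XML Signature over the referenced element.
    return hmac.new(KEY, canonical(elem).encode(), hashlib.sha256).hexdigest()


def _add_body(env, body_id, to, amount):
    body = ET.SubElement(env, "Body", Id=body_id)
    transfer = ET.SubElement(body, "Transfer")
    ET.SubElement(transfer, "To").text = to
    ET.SubElement(transfer, "Amount").text = str(amount)
    return body


def build_signed(to, amount):
    """Constructed message whose Body is signed by Id reference."""
    env = ET.Element("Envelope")
    header = ET.SubElement(env, "Header")
    body = _add_body(env, "body-1", to, amount)
    sig = ET.SubElement(header, "Signature")
    ET.SubElement(sig, "Reference", URI="#body-1")
    ET.SubElement(sig, "SignatureValue").text = digest(body)
    return ET.tostring(env, encoding="unicode")


def build_wrapped(signed_xml, to, amount):
    """Constructed test input: signed Body moved under Header/Wrapper, unsigned Body in its place."""
    env = ET.fromstring(signed_xml)
    original = env.find("Body")
    env.remove(original)
    ET.SubElement(env.find("Header"), "Wrapper").append(original)
    _add_body(env, "body-2", to, amount)
    return ET.tostring(env, encoding="unicode")


def _signature_and_targets(env):
    sig = env.find("Header/Signature")
    if sig is None or sig.find("Reference") is None:
        raise ValueError("no signature")
    ref_id = sig.find("Reference").get("URI", "").lstrip("#")
    value = sig.findtext("SignatureValue") or ""
    return value, [e for e in env.iter() if e.get("Id") == ref_id]


def naive_process(xml_text):
    """Verifies whatever element carries the referenced Id, then reads Envelope/Body."""
    env = ET.fromstring(xml_text)
    value, targets = _signature_and_targets(env)
    if not targets or not hmac.compare_digest(digest(targets[0]), value):
        raise ValueError("signature invalid")
    body = env.find("Body")  # located by position, not by the verified reference
    return body.findtext("Transfer/To"), body.findtext("Transfer/Amount")


def strict_process(xml_text):
    """Processes only the verified element, and only if it is the one Envelope/Body."""
    env = ET.fromstring(xml_text)
    value, targets = _signature_and_targets(env)
    bodies = env.findall("Body")
    if len(targets) != 1 or len(bodies) != 1:
        raise ValueError("ambiguous signed element or Body")
    if targets[0] is not bodies[0]:
        raise ValueError("signed element is not the Body the application processes")
    if not hmac.compare_digest(digest(targets[0]), value):
        raise ValueError("signature invalid")
    verified = targets[0]
    return verified.findtext("Transfer/To"), verified.findtext("Transfer/Amount")
```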

B. Browser Security

When a client sends a request to the server through a web browser, it has to use SSL to encrypt the credentials that authenticate the user. If there is a third party, an intermediary host can decrypt the data. The hacker may use sniffing tools on the intermediary host to retrieve valuable data and thereby enter the cloud as a valid user [28]. To avoid this, vendors can use WS-Security techniques on web browsers. WS-Security works at the message level and uses XML Encryption for continuous encryption of SOAP messages, which do not have to be decrypted at intermediary hosts.

C. Cloud Malware Injection Attack

Malware injection attacks have spread like wildfire these days, and countless websites have been affected. The attack is carried out via a compromised FTP account, and many believe that the virus can actually sniff out FTP passwords and send them back to the hacker. The hacker then uses your FTP password to access your website and add malicious frame code to infect other visitors who browse your website [18]. Most web browsers will put up a notice when they have detected malware in your website. This prevents other people from unknowingly downloading the malware.

D. Data Protection

Data protection is a very significant aspect of cloud computing. It is very difficult to check the conduct of the cloud provider and how it handles sensitive data confidentially, especially when the data undergoes several transformations [30]. One of the measures to prevent such an attack is that a consumer of cloud computing should check whether the data is handled legally or not.

E. Incomplete Data Deletion

Incomplete data deletion is particularly dangerous in a cloud computing environment. Deletion does not remove all of the data, because replicas of the data are placed on other servers. For example, when a client requests removal of a cloud resource, it will not be removed completely in some operating systems. Accurate data deletion is unlikely to be possible because replicas of the data are stored on neighbouring replicas which are not available [27]. Necessary steps should be taken so that virtualized private networks are used for securing the data and an appropriate query is used to remove the data completely from all the servers.

F. Inter-VM Attacks

Each physical host has a soft-switch to enable VMs to interconnect with one another. Because inter-VM communications do not always leave the physical host, they are unprotected by firewalls and other hardware-based protection. In the event a VM is compromised, it can attack other VMs on the same host without detection from existing tools [19]. Moreover, once an attacker compromises one element of a virtual environment, other elements may also be compromised if virtualization-aware security is not implemented.

G. Instant-On Gaps

Virtualized environments are not inherently less secure than their physical counterparts, but in some cases the real-world usage of virtualization can bring vulnerabilities, and managers are conscious of these vulnerabilities and take necessary measures to eradicate them [12]. Instant-on gaps are an instance of such a vulnerability. When VMs are activated and deactivated in quick cycles, providing security to those VMs and keeping them up-to-date can be challenging.

H. Resource Contention

Another concern in the public cloud is resource contention. A security issue can arise when the resource contention is the result of a Denial of Service (DoS) attack on another tenant of the shared infrastructure. The public cloud is a shared resource that can potentially expose all tenants in the cloud to security risks when one tenant becomes the target of a DoS attack. However, private cloud provides businesses with inherent protection from DoS attacks directed at other businesses by avoiding shared infrastructure [21].

IV. FINDINGS AND RECOMMENDATIONS

Cloud computing has won credit for its virtues in numerous areas. Its security weaknesses and advantages need to be carefully considered before choosing to use it. Both the cloud client and the cloud provider must be aware of their respective security responsibilities.

Encryption is simply a solution for protection in a multi-tenant environment, ensuring that one’s data cannot be viewed by others. In addition, self-defending VMs can protect against inter-VM attacks and other vulnerabilities in a public cloud.

Cloud computing is an extension of virtualization, adding automation to a virtual environment. Advances in virtualization tools enable enterprises to get more computing power out of physical servers. The traditional data center footprint is shrinking to permit cost savings and promote IT solutions through server consolidation. Service providers have discovered that they can use virtualization to enable multi-tenant instead of single-tenant or single-purpose physical servers. A thorough and well-configured public cloud can have different levels of controls and ensure security. A smart response to the risk of data location is to select several cloud services and store different data in different clouds, thereby reducing the risk of data location.

V. CONCLUSION

Cloud computing moves the application software and databases to servers in large data centers on the Internet, where the management of the data and services is not fully trustworthy. This unique attribute raises many new security challenges in areas such as software and data security, recovery, and privacy, as well as legal issues in areas such as regulatory compliance and auditing, all of which have not been well understood.

There are many new technologies emerging at a rapid rate, each with technological advancements and with the potential of making human lives easier. However, one must be very careful to understand the security risks and challenges posed in utilizing these technologies. Cloud computing is no exception.

In this paper key security considerations and challenges which are currently faced in Cloud Computing are highlighted.

Cloud Computing is a new phenomenon which is set to revolutionize the way we use the internet, though there is much to be cautious about. Cloud computing has the potential to become a front runner in promoting a secure, virtual and economically viable IT solution in the upcoming periods provided the challenges and issues are eradicated by formulating better security mechanisms.

Cloud computing is a modification of traditional computing. It is difficult to relate one feature of the system to another. While traditional computing allows a designer to be more relaxed about security, cloud computing requires a good developer to face these difficulties directly. When the provider finds solutions to these difficulties, the system becomes more secure. Consequently, the cloud client can access the system faster without any data loss.

Therefore, it is the duty of the provider to deliver security from the top down, bottom up and also laterally, to defend the system and to safeguard the interests of the cloud customer. This study has taken care to equip providers with enough information to be considered when designing a cloud. The several issues which have been discussed help a developer to strengthen the security system while constructing a cloud application.

REFERENCES

[1] Lewis, Grace. “Cloud Computing: Finding the Silver Lining, Not the Silver Bullet” Internet: http://www.sei.cmu.edu/ newsitems/cloudcomputing.cfm , Oct.25 2009.

[2] Dormann, Will, Rafail, Jason. “Securing Your Web Browser.” Internet:http://www.cert.org/tech_tips/securing_browser, Sep. 28, 2006.

[3] Jansen, Wayne, Grance Timothy. “Guidelines on Security and Privacy in Public Cloud Computing.” in National Institute of Standards and Technology, Vol. 12, Jan 2011.

[4] Strowd, Harrison & Lewis, Grace. “T-Check in System-of-Systems Technologies: Cloud Computing,” (CMU/SEI-2010-TN-009), Software Engineering Institute, Carnegie Mellon University, Mar 1, 2010.

[5] Lewis, Grace. “Basics about Cloud Computing”. Internet: http://www.sei.cmu.edu/library/abstracts/whitepapers/cloudcomputingbasics.cfm, Dec 13, 2010.

[6] J. Brodkin. “Gartner: Seven cloud-computing security risks.” Infoworld, Available: http://www.infoworld.com/d/security-central/gartner-seven-loudcomputingsecurity-risks-853 ?, Mar. 13, 2010.

[7] ENISA. "Cloud computing: benefits, risks and recommendations for information security." Available: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computingrisk- assessment, Jul. 10, 2010.

[8] R. K. Balachandra, P. V. Ramakrishna and A. Rakshit. “Cloud Security Issues.” In Proc. ‘09 IEEE International Conference on Services Computing, 2009, pp. 517-520.

[9] P. Kresimir and H. Zeljko. "Cloud computing security issues and challenges." In Proc. Third International Conference on Advances in Human-oriented and Personalized Mechanisms, Technologies, and Services, 2010, pp. 344-349.

[10] B. Grobauer, T. Walloschek and E. Stöcker, "Understanding Cloud Computing Vulnerabilities," IEEE Security and Privacy, vol. 99, 2010.

[11] S. Subashini, and V. Kavitha. “A survey on security issues in service delivery models of cloud computing.” J Network Computing, Jul, 2010.

[12] S. Ramgovind, M. M. Eloff, E. Smith. “The Management of Security in Cloud Computing,” In Proc. 2010 IEEE International Conference on Cloud Computing, 2010.

[13] M. A. Morsy, J. Grundy and Müller I. “An Analysis of the Cloud Computing Security Problem,” in Proc. APSEC 2010 Cloud Workshop, 2010.

[14] S. Arnold. “Cloud computing and the issue of privacy.” KM World, pp. 14-22. Available: www.kmworld.com, Aug. 19, 2009.

[15] A. Paul. “Demystifying the cloud. Important opportunities, crucial choices.” Global Net-optex Incorporated, pp. 4-14. Available: http://www.gni.com, Dec. 13, 2009.

[16] M. Klems, A. Lenk, J. Nimis, T. Sandholm and S. Tai. “What’s Inside the Cloud? An Architectural Map of the Cloud Landscape.” IEEE Xplore, pp 23-31, Jun. 2009.

[17] C. Weinhardt, A. Anandasivam, B. Blau, and J. Stosser. “Business Models in the Service World.” IT Professional, vol. 11, pp. 28-33, 2009.

[18] N. Gruschka, L. L. Iacono, M. Jensen and J. Schwenk. “On Technical Security Issues in Cloud Computing,” in Proc. 09 IEEE International Conference on Cloud Computing, Jul. 2009, pp. 110-112.

[19] N. Leavitt. “Is Cloud Computing Really Ready for Prime Time?” Computer, vol. 42, pp. 15-20, May. 2009.

[20] M. Jensen, J. Schwenk, N. Gruschka and L. L. Iacono, "On Technical Security Issues in Cloud Computing." in Proc IEEE ICCC, 2009, pp. 109-116.

[21] Peter Mell and Tim Grance. “The NIST Definition of Cloud Computing,” National Institute of Standards and Technology (NIST), Information Technology Laboratory, version 15, Oct. 2009.

[22] Wang, Lizhe von Laszewski. “Cloud computing: A Perspective study,” Proc. Grid Computing Environments workshop, Nov. 16, 2008.

[23] Michael Armbrust, Armando Fox, Rean Griffith, Anthony D. “A view of cloud computing.” Communications of the ACM, Volume 53 Issue 4, pages 50-58. Apr. 2010.

[24] Tim Mather, Subra Kumaraswamy, Shahed Latif. “Cloud Security and Privacy: An Enterprise perspective of Risks and Compliance,” O'Reilly Media, Inc., Feb. 2009.

[25] Siani Pearson. “Taking Account of Privacy when Designing Cloud Computing Services.” in Proc. ICSE Workshop on Software Engineering Challenges of Cloud Computing, pages 44-52. May 2009.

[26] Jinpeng Wei, Glenn Ammons, Vasanth Bala, Peng Ning. “Managing security of virtual machine images in a cloud environment.” In Proc. CCSW '09: ACM workshop on Cloud computing security pages 91-96. Nov. 2009.

[27] Miranda Mowbray, Siani Pearson. “A Client-Based Privacy Manager for Cloud Computing.” in Proc. COMSWARE ‘09 Fourth International ICST Conference on Communication System Software and Middleware, Jun. 2009.

[28] Flavio Lombardi, Roberto Di Pietro. “Transparent Security for Cloud,” in Proc. SAC '10, ACM Symposium on Applied Computing, pages 414-415, Mar. 2010.

[29] Weichao Wang, Zhiwei Li, Rodney Owens, Bharat Bhargava. “Secure and Efficient Access to Outsourced Data,” in Proc. CCSW '09, ACM workshop on Cloud computing security, pages 55-65. Nov. 2009.

[30] Richard Chow, Philippe Golle, Markus Jakobsson, Elaine Shi. “Controlling Data in the Cloud Outsourcing Computation without Outsourcing Control,” in Proc. ACM workshop on Cloud computing security, pages 85-90. Nov. 2009.

[31] Xinwen Zhang, Joshua Schiffman, Simon Gibbs. “Securing Elastic Applications on Mobile Devices for Cloud Computing,” in Proc. CCSW '0, ACM workshop on Cloud computing security, pages 127-134. Nov. 2009.

[32] Shilpashree, Srinivasamurthy, David Q. Liu, “Survey on Cloud Computing Security – Technical Report,” Department of Computer Science, Indiana University Purdue University Fort Wayne Jul. 2010.