Cloud Computing Security Issues in Infrastructure as a Service” report

Cloud Computing Security Issues in Infrastructure as a Service

CHAPTER 1

Introduction of Cloud Computing

According to Gartner’s Hype Cycle Special Report for 2009, “technologies at the ‘Peak of

Inflated Expectations’ during 2009 include cloud computing, e-books and Internet TV, while

social software and micro blogging site have tipped over the peak and will soon experience

disillusionment among enterprise users”. Is cloud computing also heading for the trough of

disillusionment?

The Internet is often represented as a cloud and the term “cloud computing” arises

from that analogy. Accenture defines cloud computing as the dynamic provisioning of IT

capabilities (hardware, software, or services) from third parties over a network. McKinsey

says that clouds are hardware-based services offering compute, network and storage capacity

where: hardware management is highly abstracted from the buyer; buyers incur infrastructure

costs as variable OPEX [operating expenditures]; and infrastructure capacity is highly elastic

(up or down).

Large companies can afford to build and expand their own data centers but small- to

medium-sized enterprises often choose to house their IT infrastructure in someone else’s

facility. A collocation center is a type of data center where multiple customers locate

network, server and storage assets, and interconnect to a variety of telecommunications and

other network service providers with a minimum of cost and complexity.

Software, Platform, and Infrastructure as a Service are the three main service delivery

models for Cloud Computing. Those models are accessible as a service over the Internet. The

Cloud services are made available as pay-as-you-go where users pay only for the resources

they actually use for a specific time, unlike traditional services, e.g., web hosting.

Furthermore, The pricing for cloud services generally varies according to QoS requirements.

The cloud deployment models, based on their relationship to the enterprise, are

classified to private, public, and hybrid. Public Cloud services are sold as Utility Computing,

while private Cloud refers to internal datacenters of an enterprise which are not available to

1 Dept. Of ISE, SJBIT


the general public. Examples of emerging Cloud Computing Platforms include Microsoft

Azure1, Amazon EC22, and Google App Engine3. The confusion between Cloud and

Service Oriented Architecture (SOA) has prompted us to discuss this issue and offer a brief

comparison between them. SOA and Cloud Computing can be considered complementary

services sharing common characteristics. Hence, if SOA is a set of principles and

methodologies designed to facilitate systems integration and communication regardless of

development languages and platforms, Cloud Computing, on the other hand, is designed to

enable companies to utilize massive capacities instantly without having to invest into new

infrastructure, train new staff, or license new software.

Cloud Computing allows small and medium-sized businesses to completely outsource

their datacenter infrastructure, as well as large companies that need huge load capacities

without building larger expensive datacenters internally. Cloud Computing employs the

virtualization technology to offer a secure, scalable, shared, and manageable environment. In

short, regardless of the difference in designing purposes and the dependency of Cloud

Computing on virtualization technology, Cloud Computing might intersect with SOA in

Components as a Service, e.g., SOA via Web Service standards. Therefore, Cloud

Computing and SOA can be pursued independently, or concurrently as complementary

activities to provide an outstanding business.

Cloud Computing depends primarily on IaaS layer to provide cheap and pay-as-you-

go processing power, data storage, and other shared resources. This paper presents a detailed

and precise study of IaaS security and privacy concerns. We have investigated security for

each IaaS component: Service Level Agreement (SLA), Utility Computing (UC), Platform

Virtualization, Networks & Internet Connectivity, and Computer Hardware. Furthermore,

Cloud software’s security that impact on IaaS and on the whole Cloud Computing is

presented. We are interested in the IaaS delivery model because it is the foundation of all

other delivery models, and a lack of security in this layer affects the other delivery models

that are built upon IaaS layer.



CHAPTER-2

Cloud Computing

As we said previously, the term the cloud is often used as a metaphor for the Internet and has

become a familiar cliché. However, when “the cloud” is combined with “computing,” it

causes a lot of confusion. To define the term using a very broad sense, they contend that

anything beyond the firewall perimeter is in the cloud. A more tempered view of cloud

computing considers it the delivery of computational resources from a location other than the

one from which you are computing.

Cloud computing is about moving services, computation and/or data—for cost and

business advantage—off-site to an internal or external, location-transparent, centralized

facility or contractor. By making data available in the cloud, it can be more easily and

ubiquitously accessed, often at much lower cost, increasing its value by enabling

opportunities for enhanced collaboration, integration, and analysis on a shared common

platform.

Cloud computing models that encompass a subscription-based or pay-per-use

paradigm provide a service that can be used over the Internet and extends an IT shop’s

existing capabilities. Many users have found that this approach provides a return on

investment that IT managers are more than willing to accept.

Figure 2.1:- Cloud Computing.



2.1 Cloud Architecture

In Cloud architecture, the systems architecture(A system architecture or systems architecture

is the conceptual model that defines the structure, behavior, and more views of a system. An

architecture description is a formal description and representation of a system) of the

software systems(The term software system is often used as a synonym of computer program

or software.) involved in the delivery of cloud computing, typically involves multiple cloud

components communicating with each other over application programming interfaces,

usually web services. This resembles the Unix philosophy of having multiple programs each

doing one thing well and working together over universal interfaces. Complexity is

controlled and the resulting systems are more manageable than their monolithic counterparts.

Figure 2.2:- Cloud Architecture.



2.2 Cloud Components

Figure 2.3:- Cloud Component

A cloud computing solution is made up of several elements: clients, the data centre, and

distributed servers. As shown in Above Figure, these components make up the three parts of

a cloud computing solution.

Each element has a purpose and plays a specific role in delivering a functional cloud-

based application, so let’s take a closer look.

2.2.1 Clients

Clients are, in a cloud computing architecture, the exact same things that they are in a local

area network (LAN). They are, typically, the computers that just sit on your desk. But they

might also be laptops, tablet computers, mobile phones, or PDAs (Personal digital assistant

or Palmtop Computer)—all big drivers for cloud computing because of their mobility.

Anyway, clients are the devices that the end users interact with to manage their information

on the cloud. Clients generally fall into three categories:



• Mobile -Mobile devices include PDAs or Smartphone’s, like a Blackberry, Windows

Mobile Smartphone or an iPhone.

• Thin -Clients are computers that do not have internal hard drives, but rather let the servers

do all the work, but then display the information.

• Thick -This type of client is a regular computer, using a web browser like Firefox or

Internet Explorer to connect to the cloud.

Thin clients are becoming an increasingly popular solution, because of their price and effect

on the environment. Some benefits to using thin clients include

• Lower hardware costs -Thin clients are cheaper than thick clients because they do not

contain as much hardware. They also last longer before they need to be upgraded or become

obsolete.

• Lower IT costs -Thin clients are managed at the server and there are fewer points of failure.

• Security -Since the processing takes place on the server and there is no hard drive, there’s

less chance of malware invading the device. Also, since thin clients don’t work without a

server, there’s less chance of them being physically stolen.

• Data security -Since data is stored on the server, there’s less chance for data to be lost if the

client computer crashes or is stolen.

2.2.2 Datacenter

The datacenter is the collection of servers where the application to which you subscribe is

housed. It could be a large room in the basement of your building or a room full of servers on

the other side of the world that you access via the Internet.

A growing trend in the IT world is vitalizing servers. That is, software can be

installed allowing multiple instances of virtual servers to be used. In this way, you can have

half a dozen virtual servers running on one physical server.

The number of virtual servers that can exist on a physical server depends on the size

and speed of the physical server and what applications will be running on the virtual server.



2.2.3 Distributed Servers

In Distributed Servers, the servers don’t all have to be housed in the same location. Often, servers

are in geographically disparate locations. But to you, the cloud subscriber, these servers act as if

they’re humming away right next to each other.

This gives the service provider more flexibility in options and security. For instance, Amazon

has their cloud solution in servers all over the world. If something were to happen at one site,

causing a failure, the service would still be accessed through another site. Also, if the cloud

needs more hardware, they need not throw more servers in the safe room—they can add them

at another site and simply make it part of the cloud.



CHAPTER - 3

Cloud Computing Deployment models

Cloud computing architects provides three basic service models

i. Public cloud

ii. Private cloud

iii. Hybrid cloud

IT organizations can choose to deploy applications on public, private, or hybrid

clouds, each of which has its trade-offs. The terms public, private, and hybrid do not dictate

location. While public clouds are typically “out there” on the Internet and private clouds are

typically located on premises, a private cloud might be hosted at a Collocation (share or

designate to share the same place) facility as well.

A number of considerations with regard to which cloud computing model they choose

to employ, and they might use more than one model to solve different problems. An

application needed on a temporary basis might be best suited for deployment in a public

cloud because it helps to avoid the need to purchase additional equipment to solve a

temporary need. Likewise, a permanent application, or one that has specific requirements on

quality of service or location of data, might best be deployed in a private or hybrid cloud.

3.1 Public clouds

Public clouds are run by third parties, and applications from different customers are likely to

be mixed together on the cloud’s servers, storage systems, and networks. Public clouds are

most often hosted away from customer premises, and they provide a way to reduce

111customer risk and cost by providing a flexible, even temporary extension to enterprise

infrastructure.

If a public cloud is implemented with performance, security, and data locality in

mind, the existence of other applications running in the cloud should be transparent to both

cloud architects and end users.

Portions of a public cloud can be carved out for the exclusive use of a single client,

creating a virtual private datacenter. Rather than being limited to deploying virtual machine



images in a public cloud, a virtual private datacenter gives customers greater visibility into its

infrastructure. Now customers can manipulate not just virtual machine images, but also

servers, storage systems, network devices, and network topology.

3.2 Private clouds

Private clouds are built for the exclusive use of one client, providing the utmost control over

data, security, and quality of service . The company owns the infrastructure and has control

over how applications are deployed on it. Private clouds may be deployed in an enterprise

datacenter, and they also may be deployed

at a collocation facility.

Private clouds can be built and managed by a company’s own IT organization or by a

cloud provider. In this “hosted private” model, a company such as Sun can install, configure,

and operate the infrastructure to support a private cloud within a company’s enterprise

datacenter. This model gives companies a high level of control over the use of cloud

resources while bringing in the expertise needed to establish and operate the environment.

3.3 Hybrid clouds

Hybrid clouds combine both public and private cloud models. They can help to provide on-

demand, externally provisioned scale. The ability to augment a private cloud with the

resources of a public cloud can be used to maintain service levels in the face of rapid

workload fluctuations. This is most often seen with the use of storage clouds to support Web

2.0 applications. A hybrid cloud also can be used to handle planned workload spikes.

Sometimes called “surge computing,” a public cloud can be used to perform periodic tasks

that can be deployed easily on a public cloud.

Hybrid clouds introduce the complexity of determining how to distribute applications

across both a public and private cloud. Among the issues that need to be considered is the

relationship between data and processing resources. If the data is small, or the application is

stateless, a hybrid cloud can be much more successful than if large amounts of data must be

transferred into a public cloud for a small amount of processing.



CHAPTER- 4

Cloud computing Service Model

In practice, cloud service providers tend to offer services that can be grouped into three

categories: software as a service, platform as a service, and infrastructure as a service. These

categories group together the various layers with some overlap.

Table 4.1: - Cloud Computing Service Model

4.1 Software as a service (SaaS)

Software as a service features a complete application offered as a service on demand. A

single instance of the software runs on the cloud and services multiple end users or client

organizations.



The most widely known example of SaaS is salesforce.com, though many other

examples have come to market, including the Google Apps offering of basic business

services including email and word processing.

Although salesforce.com preceded the definition of cloud computing by a few years,

it now operates by leveraging its companion force.com, which can be defined as a platform

as a service.

4.2 Platform as a service (PaaS)

Platform as a service encapsulates a layer of software and provides it as a service that can be

used to build higher-level services. There are at least two perspectives on PaaS depending on

the perspective of the producer or consumer of the services:

• Someone producing PaaS might produce a platform by integrating an OS, middleware,

application software, and even a development environment that is then provided to a

customer as a service. For example, someone developing a PaaS offering might base it on a

set of Sun™ x VM hypervisor virtual machines that include a Net Beans™ integrated

development environment, a Sun Glass Fish™ Web stack and support for additional

programming languages such as Perl or Ruby.

• Someone using PaaS would see an encapsulated service that is presented to them through

an API. The customer interacts with the platform through the API, and the platform does

what is necessary to manage and scale itself to provide a given level of service. Virtual

appliances can be classified as instances of PaaS. A content switch appliance, for example,

would have all of its component software hidden from the customer, and only an API or GUI

for configuring and deploying the service provided to them.

PaaS offerings can provide for every phase of software development and testing, or they can

be specialized around a particular area such as content management.

Commercial examples of PaaS include the Google Apps Engine, which serves

applications on Google’s infrastructure. PaaS services such as these can provide a powerful

basis on which to deploy applications, however they may be constrained by the capabilities

that the cloud provider chooses to deliver.



4.3 Infrastructure as a service (IaaS)

Infrastructure as a service delivers basic storage and compute capabilities as standardized

services over the network. Servers, storage systems, switches, routers, and other systems are

pooled and made available to handle workloads that range from application components to

high-performance computing applications. Commercial examples of IaaS include Joyent,

whose main product is a line of virtualized servers that provide a highly available on-

demand infrastructure.

4.4 Anything-as-a-Service (XaaS)

Which is also a subset of cloud computing? XaaS broadly encompasses a process of

activating reusable software components over the network. The most common and

successful example is Software-as-a-Service. The growth of “as-a-service” offerings has

been facilitated by extremely low barriers to entry (they are often accessible for free or

available as recurring charges on a personal credit card). As a result, such offerings have

been adopted by consumers and small businesses well before pushing into the enterprise

space. All “as-a-service” offerings share a number of common attributes, including little or

no capital expenditure since the required infrastructure is owned by the service provider,

massive scalability, multi tenancy, and device and location independence allowing

consumers remote access to systems using nearly any current available technology.

On the surface, it appears that XaaS is a potentially game-changing technology that

could reshape IT. However, most CIOs still depend on internal infrastructures because they

are not convinced that cloud computing is ready for prime time. Many contend that if you

want real reliability, you must write more reliable applications. Regardless of one’s view on

the readiness of cloud computing to meet corporate IT requirements, it cannot be ignored.

The concept of pay-as-you-go applications, development platforms, processing power,

storage, or any other cloud-enabled services has emerged and can be expected to reshape IT

over the next decade.

4.5 Virtualization and Private Clouds

Virtualization of computers or operating systems hides the physical characteristics of a

computing platform from users; instead it shows another abstract computing platform. A



hypervisor is a piece of virtualization software that allows multiple operating systems to run

on a host computer concurrently. Virtualization providers include VMware, Microsoft, and

Citrix Systems. Virtualization is an enabler of cloud computing.

Recently some vendors have described solutions that emulate cloud computing on private

networks, referring to these as “private” or “internal” clouds (where “public” or “external” cloud

describes cloud computing in the traditional mainstream sense). Private cloud products claim to

deliver some of the benefits of cloud computing without the pitfalls. Hybrid solutions are also

possible: building internal clouds and connecting customer data centers to those of external cloud

providers. It has been reported that Eli Lilly wants to benefit from both internal and external

clouds3 and that Amylin6 is looking at private cloud VMware as a complement to EC2. Other

experts, however, are skeptical: one has even gone as far as to describe private clouds as absolute

rubbish.7 Platform Computing has recently launched a cloud management system, Platform ISF,

enabling customers to manage workload across both virtual and physical environments and

support multiple hypervisors and operating systems from a single interface. VMware, the market

leader in virtualization technology, is moving into cloud technologies in a big way, with vSphere

4. The company is building a huge partner network of service providers and is also releasing a

“vCloud API”. VMware wants customers to build a series of “virtual data centers”, each

tailored to meet different requirements, and then have the ability to move workloads in the

virtual data centers to the infrastructure provided by cloud vendors.

Cisco, EMC and VMware have formed a new venture called Acadia. Its strategy for

private cloud computing is based on Cisco’s servers and networking, VMware’s server

virtualization and EMC’s storage. (Note, by the way, that EMC owns nearly 85% of

VMware.) Other vendors, such as Google, disagree with VMware’s emphasis on private

clouds; in return VMware says Google’s online applications are not ready for the enterprise.



CHAPTER - 5

Cloud Security Alliance (CSA) Model

Understanding the relationships and dependencies between Cloud Computing models is

critical to understanding Cloud Computing security risks.

IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS

in turn building upon PaaS as described in the Cloud Reference Model diagram. In this way,

just as capabilities are inherited, so are information security issues and risk. It is important to

note that commercial cloud providers may not neatly fit into the layered service models.

Nevertheless, the reference model is important for relating real-world services to an

architectural framework and understanding the resources and services requiring security

analysis. IaaS includes the entire infrastructure resource stack from the facilities to the

hardware platforms that reside in them. It incorporates the capability to abstract resources (or

not), as well as deliver physical and logical connectivity to those resources. Ultimately, IaaS

provides a set of APIs which allow management and other forms of interaction with the

infrastructure by consumers.

5.1 Key points to CSA model:

i. IaaS is the most basic level of service with PaaS and SaaS next two above levels of

service.

ii. Moving upwards each of the service inherits capabilities and security concerns of the

model beneath.

iii. IaaS provides the infrastructure, PaaS provides platform development environment

and SaaS provides operating environment.

iv. IaaS has the least level of integrated functionalities and integrated security while SaaS

has the most.

v. This model describes the security boundaries at which cloud service provider's

responsibility ends and the consumer's responsibilities begin.



vi. Any security mechanism below the security boundary must be built into the system

and above should be maintained by the consumer.

Figure 5.1:- Cloud Computing Cloud Security Alliance (CSA) Model



CHAPTER- 6

Cloud Computing Security Issues

In order to ensure that data is secure (that it cannot be accessed by unauthorized users or

simply lost) and that data privacy is maintained, cloud providers attend to the following areas

in Security and Privacy issues.

Figure 6.1: - Security Architecture Design

A security architecture framework should be established with consideration of

processes (enterprise authentication and authorization, access control, confidentiality,

integrity, no repudiation, security management, etc.), operational procedures, technology



specifications, people and organizational management, and security program compliance and

reporting. A security architecture document should be developed that defines security and

privacy principles to meet business objectives. Documentation is required for management

controls and metrics specific to asset classification and control, physical security, system

access controls, network and computer management, application development and

maintenance, business continuity, and compliance. A design and implementation program

should also be integrated with the formal system development life cycle to include a business

case, requirements definition, design, and implementation plans. Technology and design

methods should be included, as well as the security processes necessary to provide the

following services across all technology layers:

i. Authentication

ii. Authorization

iii. Availability

iv. Confidentiality

v. Integrity

vi. Accountability

vii. Privacy

The creation of a secure architecture provides the engineers, data center operations

personnel, and network operations personnel a common blueprint to design, build, and test

the security of the applications and systems.

Design reviews of new changes can be better assessed against this architecture to assure

that they conform to the principles described in the architecture, allowing for more consistent

and effective design reviews.



CHAPTER- 7

Deployment Model in Cloud Computing

7.1 Public Cloud

The deployment of a public cloud computing system is characterized on the one hand by the

public availability of the cloud service offering and on the other hand by the public network

that is used to communicate with the cloud service. The cloud services and cloud resources

are procured from very large resource pools that are shared by all end users. These IT

factories, which tend to be specifically built for running cloud computing systems, provision

the resources precisely according to required quantities. By optimizing operation, support,

and maintenance, the cloud provider can achieve significant economies of scale, leading to

low prices for cloud resources. In addition, public cloud portfolios employ techniques for

resource optimization; however, these are transparent for end users and represent a potential

threat to the security of the system. If a cloud provider runs several datacenters, for instance,

resources can be assigned in such a way that the load is uniformly distributed between all

centers.

Figure 7.1 : Three users accessing a public cloud



Some of the best-known examples of public cloud systems are Amazon Web Services

(AWS) containing the Elastic Compute Cloud (EC2) and the Simple Storage Service (S3)

which form an IaaS cloud offering and the Google App Engine with provides a PaaS to its

customers. The customer relationship management (CRM) solution Salesforce.com is the

best-known example in the area of SaaS cloud offerings.

7.2 Private CloudPrivate cloud computing systems emulate public cloud service offerings within an

organization’s boundaries to make services accessible for one designated organization.

Private cloud computing systems make use of virtualization solutions and focus on

consolidating distributed IT services often within data centers belonging to the company. The

chief advantage of these systems is that the enterprise retains full control over corporate data,

security guidelines, and system performance. In contrast, private cloud offerings are usually

not as large-scale as public cloud offerings resulting in worse economies of scale.

Figure 7.2: A user accessing a private cloud

7.3 Hybrid CloudA hybrid cloud service deployment model implements the required processes by combining

the cloud services of different cloud computing systems, e.g. private and public cloud



services. The hybrid model is also suitable for enterprises in which the transition to full

outsourcing has already been completed, for instance, to combine community cloud services

with public cloud services.

Figure 7.3: Hybrid cloud usage

7.4 Community CloudIn a community cloud, organizations with similar requirements share a cloud infrastructure. It

may be understood as a generalization of a private cloud, a private cloud being an

infrastructure which is only accessible by one certain organization.

Figure 7.4: Three users accessing a community cloud



CHAPTER- 8

SECURITY CONTROL

Although the term Cloud Computing is widely used, it is important to note that all Cloud

Models are not the same. As such, it is critical that organizations don't apply a broad brush

one-size fits all approach to security across all models. Cloud Models can be segmented into

Software as a Service (Saas), Platform as a service (PaaS) and Integration as a Service (IaaS).

When an organization is considering Cloud security it should consider both the differences

and similarities between these three segments of Cloud Models:

8.1 SaaS

This particular model is focused on managing access to applications. For example, policy

controls may dictate that a sales person can only download particular information from sales

CRM applications. For example, they are only permitted to download certain leads, within

certain geographies or during local office working hours. In effect, the security officer needs

to focus on establishing controls regarding users' access to applications.

Figure 8.1:- Cloud Service Model


http://www.csoonline.com/article/596819/cloud-security-the-basics


8.2 PaaS

The primary focus of this model is on protecting data. This is especially important in the case

of storage as a service. An important element to consider within PaaS is the ability to plan

against the possibility of an outage from a Cloud provider. The security operation needs to

consider providing for the ability to load balance across providers to ensure fail over of

services in the event of an outage. Another key consideration should be the ability to encrypt

the data whilst stored on a third-party platform and to be aware of the regulatory issues that

may apply to data availability in different geographies.

8.3 IaaS

Within this model the focus is on managing virtual machines. The CSOs priority is to overlay

a governance framework to enable the organization to put controls in place regarding how

virtual machines are created and spun down thus avoiding uncontrolled access and potential

costly wastage.



CHAPTER - 9

THREATS AND SOLUTIONS SUMMARY FOR IAAS

Table 9.1: Threats and solutions summary for IaaS

A Security Model for IaaS (SMI) as a guide for assessing and enhancing security in each

layer of IaaS delivery model . SMI model consists of three sides: IaaS components, security

model, and the restriction level. The front side of the cubic model is the components of IaaS

which were discussed thoroughly in the previous sections. The security model side includes

three vertical entities where each entity covers the entire IaaS components. The first entity is



Secure Configuration Policy (SCP) to guarantee a secure configuration for each layer in IaaS

Hardware, Software, or SLA configurations; usually, miss-configuration incidents could

jeopardize the entire security of the system. The second is a Secure Resources Management

Policy (SRMP) that controls the management roles and privileges. The last entity is the

Security Policy Monitoring and Auditing (SPMA) which is significant to track the system

life cycle. The restriction policy side specifies the level of restriction for security model

entities. The level of restriction starts from loose to tight depending on the provider, the

client, and the service requirements. Nevertheless, we hope SMI model be a good start for the

standardization of IaaS layers. This model indicates the relation between IaaS components

and security requirements, and eases security improvement in individual layers to achieve a

total secure IaaS system.



Conclusions

In cloud computing, end-to-end security is critical. Building blocks from TCG and

commercial products built on these principles will help make the cloud environment more

secure. Ongoing research from TCG and operating system or device security vendors will

take advantage of the TPM using additional software to enhance its capability for cloud

computing. Other research on cloud computing security is under way at several companies.

Today, the good news is that most cloud security issues can be addressed with well-known,

existing techniques.

The TPM can be an independent entity that works on behalf of cloud computing

customers. Inside every server in the cloud, the TPM and associated software can check what

is installed on each machine and verify the machine’s health and proper performance. When

it detects a problem, TNC technology can immediately restrict access to a device or server.

For securing data at rest in the cloud or in clients that access cloud data, self-encrypting

drives based on Trusted Storage provide the ultimately secure solution.

Organizations that have already implemented TCG-based solutions can leverage their

corporate investment in hardware, software and policies and re-use them for cloud

computing. If cloud computing represents an organization’s initial implementation of TCG-

based technology (used by the cloud provider), the rest of the organization should be re-

evaluated for areas where TCG technology can provide improved internal security, including:

activating TPMs, use of self-encrypting drives and network access control through TNC.

In an emerging discipline, like cloud computing, security needs to be analyzed more

frequently. With advancement in cloud technologies and increasing number of cloud users,

data security dimensions will continuously increase. In this paper, we have analyzed the data

security risks and vulnerabilities which are present in current cloud computing environments.

The most obvious finding to emerge from this study is that, there is a need of better

trust management. We have built a risk analysis approach based on the prominent security



issues. The security analysis and risk analysis approach will help service providers to ensure

their customers about the data security. Similarly, the approach can also be used by cloud

service users to perform risk analysis before putting their critical data in a security sensitive

cloud.

At present, there is a lack of structured analysis approaches that can be used for risk

analysis in cloud computing environments. The approach suggested in this paper is a first

step towards analyzing data security risks. This approach is easily adaptable for automation

of risk analysis.



References

[1] R. Buyya, C. S. Yeo, and S. Venugopal, “Market-Oriented Cloud Computing:

Vision, Hype, and Reality for Delivering IT Servicesas Computing Utilities,”

Proceedings of the 10th IEEE International Conference on High Performance

Computing and Communications, p. 9, August 2008. [Online]. Available:

http://arxiv.org/abs/0808.3558.

[2] SLA Management Team, SLA Management Handbook, 4th ed. Enterprise

Perspective, 2004.

[3] G. Frankova, Service Level Agreements: Web Services and Security, ser. Lecture

Notes in Computer Science. Berlin, Heidelberg: Springer Berlin Heidelberg, 2007,

vol. 4607.

[4] P. Patel, A. Ranabahu, and A. Sheth, “Service Level Agreement in Cloud

Computing,” Cloud Workshops at OOPSLA09, 2009. [Online]. Available:

http://knoesis.wright.edu/aboutus/visitors/summer2009/PatelReport.pdf

[5] D. Nurmi, R. Wolski, C. Grzegorczyk, G. Obertelli, S. Soman, L. Youseff, and D.

Zagorodnov, “The Eucalyptus Open-Source Cloud- Computing System,” Cluster

Computing and the Grid, IEEE International Symposium on, vol. 0, pp. 124–131,

2009.

[6] T. Mather, S. Kumaraswamy, and S. Latif, Cloud Security and Privacy: An Enterprise

Perspective on Risks and Compliance, 1st ed., 2009. [Online]. Available:

http://books.google.com/books?id=BHazecOuDLYC&pgis=1

[7] R. Kanneganti and P. Chodavarapu, SOA Security. Manning Publications, 2008.

[Online]. Available: http://www.amazon.com/SOASecurity- Ramarao

Kanneganti/dp/1932394680

[8] M. McIntosh and P. Austel, “XML signature element wrapping attacks and

countermeasures,” Workshop On Secure Web Services, 2005.

URL:

[1] http://en.wikipedia.org/wiki/Cloud_Computing

[2] http://www.cloudsecurityalliance.org

[3] http://cloudcomputing.sys-con.com/node/1330353


Engineering

Cloud Computing Security Issues in Infrastructure as a Service” report