SECURITY IMPLICATIONS OF CLOUD COMPUTING
Narendran Calluru Rajasekar
November 30th, 2009
Supervised by
Dr Chris Imafidon
(formerly Queen Mary University of London)

MSC Internet Systems Engineering
University of East London,
Docklands.
Acknowledgements

Anne-Marie Imafidon
University of Oxford.
Table of Contents
1 Abstract
2 Cloud Computing
2.1 Definition
2.2 Understanding Cloud Computing
3 Security Implications
3.1 Security Components
3.1.1 Encryption
3.1.2 Intrusion Detection/Prevention Systems
3.1.3 Antivirus
3.1.4 Firewall
3.2 Security Threat
3.3 Authentication and Access
3.4 Data Security
3.5 Tempting Target for Cybercrime
3.6 Benefit to Risk Ratio
3.7 Legal Issues
4 Conclusion
5 Appendix - Glossary
6 References
1 Abstract
This paper focuses on the security implications of cloud
computing. Before analysing the security implications, the
definition of cloud computing and a brief discussion to understand
cloud computing are presented. The actual analysis of this paper
focuses on the basic security components of cloud computing and
the security threats involved in various aspects of cloud
computing.
There are many leading providers in the market, such as
Google, Amazon, Microsoft, HP and IBM. They provide different
services and call them by their own names. What exactly is cloud
computing? It isn't new; it already exists in different forms such
as Virtualisation, Software as a Service, Utility Computing etc.
The major aspect of cloud computing is that it is exploited based
on the pay-per-usage charging model.
Though cloud provides many benefits, one of which is
moving capital expense to operational expense, the security and
legal issues are very high, and an organisation can decide to adopt
cloud only based on the benefit-to-risk ratio.
The security implications of cloud computing are
discussed in detail in this paper.
Keywords: Cloud Computing, Cloud Security, Cloud
Legal Issues, Security Implications
2 Cloud Computing
2.1 Definition
Cloud computing is an evolving technology and has
no concrete definition yet. The cloud service providers
provide different services based on different capabilities such as
SaaS (Software as a Service), PaaS (Platform as a Service), IaaS
(Infrastructure as a Service). After analysing definitions from 20
different authors, Vaquero, L., L. Rodero-Merino, et al. (2008)
proposed the following definition for cloud computing.
"Clouds are a large pool of easily usable and
accessible virtualized resources (such as hardware, development
platforms and/or services). These resources can be dynamically
reconfigured to adjust to a variable load (scale), allowing also
for an optimum resource utilization. This pool of resources is
typically exploited by a pay-per-use model in which guarantees are
offered by the Infrastructure Provider by means of customized
SLA"
- Vaquero, L., L. Rodero-Merino, et al. (2008)
2.2 Understanding Cloud Computing
According to Dikaiakos, M., D. Katsaros, et al.
(2009), the vision of the 21st century is accessing Internet
services from lightweight portable devices instead of from a
traditional desktop PC. Cloud computing is a technology which will
enable companies or organisations to host their services without
worrying about IT infrastructure and other supporting services.
The cloud concept draws on existing technologies
which aren't new, such as Centralised Computing,
Distributed Computing, Utility Computing and SaaS. It is new in the
way it integrates all of the above and shifts them from a
processing unit to a network (Weiss, A., 2007).
Cloud computing helps a starting company
by moving Capital Expense to Operational Expense (Computing, D. and
M. Creeger, 2009). Amazon (EC2, S3), Microsoft Azure, IBM Blue
Cloud and HP Cloud Assure are some of the cloud computing services
available in the market (Kaufman, L. M., 2009).
Organisations can decide upon their operating model,
either running their own private cloud or buying it from
third-party service providers, based on their requirements
(Grossman, R., 2009). A private cloud is similar to a public cloud,
but it is hosted for and by the organisation itself and has its own
security and compliance needs (Rash, W., 2009).
Cloud computing provides extensive computing power
for web services but is not mature enough to perform HPC (High
Performance Computing). Napper, J. and P. Bientinesi (2009)
have shown experimentally that the execution speed per dollar spent
decreased exponentially as the number of computing cores increased,
and hence the cost of solving linear systems increased
exponentially. This means cloud computing is still in its evolving
stage.
3 Security Implications
Sloan, K. (2009) has explored and demystified the
technologies involved in cloud computing and discusses
the challenges posed in the security of cloud computing.
According to him, security components could be added to the
security layer and be delivered as Security as a Service. Figure 1
shows the security architecture of cloud computing.

Figure 1: Cloud Computing Security Architecture
(Source: Sloan, K., 2009)
To ensure CIA (Confidentiality, Integrity and
Availability) of the information, the service provider should offer
tested encryption schema, stringent access controls and scheduled
data backups (Kaufman, L. M., 2009).
There are many clouds available in the market, and
enterprises will start using different clouds for different
operations. Eventually there will be a situation where cloud
integration services are required, which again would require a
different approach to the security implications (Kim, W., 2009).
Also, there is no single regulatory organisation which regulates
the standards for cloud security. Organisations need to check where
the assurance comes from (Everett, C., 2009).
Although the basic security components have been
identified, the security requirement varies with respect to the
domain and business needs. Cloud Security Alliance (2009, April)
has identified 15 different domains in cloud computing, as shown in
Figure 2.

Figure 2: Different domains in cloud computing security
(Source: Cloud Security Alliance, 2009, April)
Since the area is vast and there are no clearly defined
standards, cloud security clearly lags, and businesses need to
understand the dangers and weigh them against the benefits (Greene,
T., 2009).
For instance, the database service provided by
Amazon S3 doesn't support flexible authorisation and granular
security (Brantner, M., D. Florescu, et al., 2008).
3.1 Security Components
3.1.1 Encryption
To guarantee the privacy of information hosted on
servers in the cloud, the information could be encrypted so that it
can only be decrypted at the client level with a key. Again, this
is only reliable if the data can be quickly decrypted at the client
level, as it might need high processing power. The multi-core
processors which are evolving will make this possible and provide
greater integration of information (Hewitt, C., 2008).
A researcher at IBM has cracked a problem with
"homomorphic encryption", which is believed to boost cloud
computing by enabling service providers to analyse the data without
actually compromising it (Saran, C., 2009).
In reality, even the leading service providers
don't deliver a high level of security. For instance, Google
services can be used over both http and https. Though by default
the service runs over https, which is SSL encrypted, it sometimes
drops back to http, which is unencrypted. This allows attackers to
monitor the network traffic and capture the credentials of a
specific user (news article: Computer Fraud & Security, 2009).
Also, when uploading email attachments, Google doesn't use https by
default, although the settings can be changed to always use https
(Herrick, D., 2009).
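A defender can look for the fallback described above in a recorded session. The following is an added example, not part of the original paper: it walks the ordered responses of one session and reports any hop that returns to http after https, any https response without a Strict-Transport-Security header, and any cookie set without the Secure attribute. The host name, cookie names and finding labels are constructed for illustration.

```python
from urllib.parse import urlsplit


def cookie_is_secure(set_cookie_value):
    """True if the Set-Cookie value carries the Secure attribute."""
    # Attributes follow the first ';' and are case-insensitive.
    parts = set_cookie_value.split(";")[1:]
    return "secure" in [part.strip().lower() for part in parts]


def audit_session(hops):
    """Inspect an ordered list of (url, headers) hops from one session.

    headers is a list of (name, value) pairs so that repeated
    Set-Cookie lines are preserved. Returns (hop_index, finding) tuples.
    """
    findings = []
    seen_https = False
    for index, (url, headers) in enumerate(hops):
        scheme = urlsplit(url).scheme.lower()
        names = {name.lower() for name, _ in headers}
        if scheme == "https":
            seen_https = True
            if "strict-transport-security" not in names:
                # Without HSTS the browser may follow a later http link.
                findings.append((index, "no-hsts"))
        elif seen_https:
            # The session was encrypted earlier and is now in clear text.
            findings.append((index, "downgrade-to-http"))
        for name, value in headers:
            if name.lower() == "set-cookie" and not cookie_is_secure(value):
                # This cookie will also be sent over plain http.
                findings.append((index, "cookie-without-secure"))
    return findings


# Constructed sample: login over https, then the session falls back to http.
SAMPLE_SESSION = [
    ("https://mail.example.test/login", [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "SID=abc123; Path=/; HttpOnly"),
    ]),
    ("http://mail.example.test/inbox", [
        ("Content-Type", "text/html"),
    ]),
    ("https://mail.example.test/compose", [
        ("Set-Cookie", "PREF=x; Secure; HttpOnly"),
    ]),
]

if __name__ == "__main__":
    for hop, finding in audit_session(SAMPLE_SESSION):
        print(hop, SAMPLE_SESSION[hop][0], finding)
```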
3.1.2 Intrusion Detection/Prevention Systems
Providing security for cloud computing requires
more than authentication using passwords and confidentiality in
data transmission. Vieira, K., A. Schulter, et al. (2009) have
proposed a solution for intrusion detection in cloud computing. The
solution consists of two kinds of analysis: behavioural analysis
and knowledge analysis. In behavioural analysis, data mining
techniques were used to recognize expected behaviour or a severe
deviation of behaviour, and in knowledge analysis, security policy
violations and attack patterns were analysed to detect or prevent
intrusion.
3.1.3 Antivirus
Antivirus scanning can be done on the cloud to
reduce the risk of malicious activities. It is an expensive
operation, and doing it once ahead of time for the benefit of many
could be advantageous; with the power of cloud, more anti-virus
engines can be employed to make it more efficient. The challenge
here is bridging the gap between the threat release and the virus
signature release (Walsh, P. J., 2009). Although antivirus scanning
is an expensive operation, it should be repeated with the release
of new virus signatures.
3.1.4 Firewall
Firewalls could be implemented as a virtual machine
image running in its own processing compartment or at the hardware
level at each gateway in "out of band" firewall management channels
(Sloan, K., 2009).
3.2 Security Threat
The communication between cloud services and
consumers can be secured using SSL. Since the technology is too
familiar, users usually ignore the warnings, which can be exploited
by attackers. Google has demonstrated this type of exploitation in
cloud-based services. On the other hand, a flaw in the indexing
system design of Zoho resulted in a security vulnerability where
one user could read others' documents. There are also XSS and CSRF
attacks which were successful on cloud, which makes it vulnerable
to attacks (Mansfield-Devine, S., 2008).
In the SaaS model, the developer should always assume
that intruders have full access to the client, as anyone, including
intruders, can buy the software. Though they are not supplied with
source code, they still have access to the binaries, which they
can use to exploit the vulnerabilities. Hence there should always
be a verification mechanism to verify client requests before
execution (Viega, J., 2009).
3.3 Authentication and Access
There are different authentication mechanisms for
different services. The most commonly used mechanisms are OpenID,
OAuth, and User Request Token. The OpenID and OAuth
mechanisms are usually used on mobile devices, where the
authentication information cannot be stored or firewalled
as is done on a regular PC. Yahoo and Google use the User Request
Token mechanism for authentication, whereas Amazon AWS uses a
custom mechanism which mirrors the OpenID and OAuth mechanisms and,
in addition, the calling program signs the outbound header
elements using the HMAC-SHA1 algorithm (Christensen, J., 2009).
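The header-signing step described above, as an added example that is not from the paper or from any provider's SDK: the caller signs selected outbound header elements with HMAC-SHA1, and the service recomputes the value, compares it in constant time and rejects stale requests. The canonical string layout, the header names, the key and the 300-second freshness window are assumptions for illustration, not Amazon's actual format.

```python
import base64
import hashlib
import hmac

# Assumed for this sketch (not any provider's real canonical format):
SIGNED_HEADERS = ("host", "x-example-date", "x-example-action")
MAX_SKEW_SECONDS = 300  # how old a signed request may be


def canonical_string(method, path, headers):
    """Build the exact bytes both sides sign: method, path, then the
    signed headers in a fixed order, lower-cased and trimmed."""
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    lines = [method.upper(), path]
    for name in SIGNED_HEADERS:
        value = lowered.get(name)
        if value is None:
            raise ValueError(f"missing signed header: {name}")
        if "\n" in value or "\r" in value:
            # A line break would let one header masquerade as another.
            raise ValueError(f"line break in header: {name}")
        lines.append(f"{name}:{value}")
    return "\n".join(lines).encode("utf-8")


def sign_request(secret, method, path, headers):
    """Caller side: HMAC-SHA1 over the canonical string, base64-encoded."""
    message = canonical_string(method, path, headers)
    digest = hmac.new(secret, message, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_request(secret, method, path, headers, signature, now):
    """Service side: recompute, compare in constant time, check freshness."""
    try:
        expected = sign_request(secret, method, path, headers)
        lowered = {name.lower(): value for name, value in headers.items()}
        sent_at = int(lowered["x-example-date"])
    except ValueError:
        return False  # malformed or incomplete request
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False  # any signed element was altered, or wrong key
    return abs(now - sent_at) <= MAX_SKEW_SECONDS


# Constructed sample request and key (illustrative values only).
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_HEADERS = {
    "Host": "queue.example.test",
    "X-Example-Date": "1259539200",   # seconds since the epoch
    "X-Example-Action": "SendMessage",
}

if __name__ == "__main__":
    sig = sign_request(SAMPLE_SECRET, "POST", "/queue", SAMPLE_HEADERS)
    print(sig, verify_request(SAMPLE_SECRET, "POST", "/queue",
                              SAMPLE_HEADERS, sig, now=1259539260))
```

SHA-1 appears here only because it is the algorithm the paper names; a new design would normally use HMAC-SHA256 in the same construction.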
2FA (Two Factor Authentication) is another
authentication mechanism, which requires two proofs of identity:
something the user knows (PIN or password) and something the user
has (hardware token, mobile phone, smartcard). Though this
mechanism is more secure than the other types of authentication,
handling tokens or smartcards could be a burden to users. In this
scenario, mobile phones or smartphones can act as a proof if
software which generates tokens similar to hardware tokens is
installed on them (Abraham, D., 2009).
3.4 Data Security
Organisations using cloud computing should
maintain their own data backups even if the provider backs up data
for the organisation. This will help ensure continuous access to
their data even in extreme situations such as the data provider
going bankrupt or a disaster at the data center (Viega, J., 2009).
Mowbray, M. and S. Pearson (2009) have proposed a
client-based privacy manager to eliminate the fear of data leakage
and loss of privacy in cloud computing. In the paper, they
present a scenario in which salesforce.com is subject to a security
threat: theft of sales data, and the various ways that an intruder
can gain knowledge from the unencrypted data. The threats include
the collection of personal information and getting inappropriate
access to the information. Based on this scenario, a set of
requirements was derived, which includes minimising the personal
and sensitive data used in the cloud and maximising the security
protection of data. Finally, the overall architecture for the
client-based privacy data manager is depicted.
On the other hand, Wang, C., Q. Wang, et al. (2009)
say that a model in which public verifiability is enforced can
be used, where a third-party auditor audits the data without
taking up the user's time, to ensure data security.
3.5 Tempting Target for Cybercrime
The Internet is always a ground for malicious
activities. Cloud computing offers a tempting target for
cybercrime for various reasons. To maintain data integrity, many
providers require 100% of a customer's data to be placed in the
cloud, which means that, if compromised, 100% of the data is
available to attackers. Leading providers such as Google and Amazon
have existing infrastructure to deflect cyber attacks, but this
might not be the case with all providers. The cloud architecture is
such that it has interlinks with multiple entities, and a
compromise of any one of the weakest links would compromise all the
linked entities (Kaufman, L. M., 2009).
Cloud community watch services analyse
cloud activities constantly to detect and prevent newly injected
viruses and malicious activities. Active participation of many
organisations in this community will help them to curb
malicious activities more effectively (Hawthorn, N., 2009).
3.6 Benefit to Risk Ratio
Viega, J. (2009) presents a scenario from the software
industry where developers would not have much control over IT
infrastructure. In this scenario, IaaS would be beneficial where
the communication between the cloud and the local machine is
encrypted so that a man in the middle cannot intercept the traffic.
This would be a huge cost saving for the company.
As discussed in section 3.2, in the SaaS model attackers
have very little information, i.e., only the binaries of the
software, which makes it quite justifiable to have a modest
application security program. The cost-effective
reality for many organisations is to hire someone to do cheap
security testing and skip the cost of training developers on
security best practices and reviewing their work (Viega, J.,
2009).
3.7 Legal Issues
The IT industry's recent focus is on cloud computing
due to the 'credit crunch' and a global recession. The key legal
issues in cloud with respect to sourcing arrangements are the DPA
(Data Protection Act 1998), duties of confidentiality and database
right. For instance, when a large volume of data is stored in the
cloud, the servers could be spread across the world. It is
debatable whether informed consent can actually be given in this
vague situation. Similarly, there are intricacies over
confidentiality and database rights as well (Joint, A., E. Baker,
et al., 2009).
It is perfectly possible to use cloud computing in
the UK in a legally compliant and low-risk manner. This would
require alteration of the operating model, which could erode the
benefits of cloud computing if not considered in the early stages,
and if contractual or operational management is not properly
adopted, there could be a significant increase in operational risk
(Joint, A., E. Baker, et al., 2009).
A news article published by Computer Fraud &
Security (August, 2009) indicates that the data might be subject to
search and seizure by government agencies if no specific contracts
are made with the service providers. When Google was asked how
this situation would be handled, they said that their customers
would be notified about any legal order they receive. Hence it is
up to the customers to get specific agreements from the service
providers.
4 Conclusion
The definition of cloud computing is emerging as
the various organisations that are developing cloud services are
evolving. It is evident that cloud computing itself is in an
evolving stage and hence the security implications in it aren't
complete. Even the leading cloud computing providers such as
Amazon, Google etc. are facing many security issues and are yet to
stabilise. Achieving a complete solution for the legal issues is
still an open question. With this level of issues in cloud
computing, the decision to adopt cloud computing in an organisation
could be made only based on the benefit-to-risk ratio.
There is a general assumption at the basic level of
all security mechanisms that a brute force attack would take
considerable time to break them. Considering the computing power
that cloud computing with distributed technology can bring,
breaking the keys currently in use is not far off! This
is a flaw in the low-level assumption which could collapse the
entire security of cloud.
5 Appendix - Glossary
| Term | Definition |
| 2FA | Two Factor Authentication |
| CIA | Confidentiality, Integrity and Availability |
| CSRF | Cross Site Request Forgery |
| DPA | Data Protection Act 1998 |
| HMAC | Hash based Message Authentication Code |
| HPC | High Performance Computing |
| HTTP | Hyper Text Transfer Protocol |
| HTTPS | Secure Hyper Text Transfer Protocol |
| IaaS | Infrastructure as a Service |
| PaaS | Platform as a Service |
| SaaS | Software as a Service |
| SHA1 | Secure Hash Algorithm |
| SSL | Secure Socket Layer |
| XSS | Cross Site Scripting |
6 References
[1] Kaufman, L. M. (2009). "Data Security in the World of Cloud Computing." IEEE Security and Privacy 7(4): 61-64.
[2] Kim, W. (2009). "Cloud Computing: Today and Tomorrow." Journal of object technology 8(1): 65-72.
[3] Grossman, R. (2009). "The Case for Cloud Computing." IT Professional 11(2): 23-27.
[4] Rash, W. (2009). Is cloud computing secure? Prove it. tech in-depth, eWeek. 2009: 8-10.
[5] Computing, D. and M. Creeger (2009). "Cloud Computing: An Overview." Distributed Computing 7(5).
[6] Weiss, A. (2007). "Computing in the clouds." COMPUTING 16.
[7] Saran, C. (2009). Cryptography breakthrough could secure cloud services. Computer Weekly. 2009: 20.
[8] Hawthorn, N. (2009). "Finding security in the cloud." Computer Fraud & Security 2009(10): 19-20.
[9] Everett, C. (2009). "Cloud computing - A question of trust." Computer Fraud & Security 2009(6): 5-7.
[10] (2009). "Data in the cloud might be seized by government agencies without you knowing." Computer Fraud & Security 2009(8): 1.
[11] (2009). "Industry to Google: encrypt your cloud." Computer Fraud & Security 2009(6): 3-20.
[12] Hewitt, C. (2008). "ORGs for scalable, robust, privacy-friendly client cloud computing." IEEE Internet Computing 12(5): 96-99.
[13] Viega, J. (2009). "Cloud Computing and the Common Man." Computer 42(8): 106-108.
[14] Vaquero, L., L. Rodero-Merino, et al. (2008). "A break in the clouds: towards a cloud definition." ACM SIGCOMM Computer Communication Review 39(1): 50-55.
[15] Wang, C., Q. Wang, et al. (2009). Ensuring data storage security in cloud computing.
[16] Vieira, K., A. Schulter, et al. (2009). "Intrusion Detection Techniques in Grid and Cloud Computing Environment."
[17] Napper, J. and P. Bientinesi (2009). Can cloud computing reach the top500?, ACM New York, NY, USA.
[18] Mowbray, M. and S. Pearson (2009). A client-based privacy manager for cloud computing, ACM.
[19] Herrick, D. (2009). Google this!: using Google apps for collaboration and productivity, ACM.
[20] de Assunção, M., A. di Costanzo, et al. (2009). Evaluating the cost-benefit of using cloud computing to extend the capacity of clusters, ACM New York, NY, USA.
[21] Cloud_Security_Alliance (2009, April). "Security Guidance for Critical Areas of Focus in Cloud Computing." Retrieved Nov 25, 2009, from http://www.cloudsecurityalliance.org/guidance/csaguide.pdf
[22] Christensen, J. (2009). Using RESTful web-services and cloud computing to create next generation mobile applications, ACM.
[23] Dikaiakos, M., D. Katsaros, et al. (2009). "Cloud Computing: Distributed Internet Computing for IT and Scientific Research." IEEE Internet Computing 13(5): 10-13.
[24] Brantner, M., D. Florescu, et al. (2008). Building a database on S3, ACM.
[25] Greene, T. (2009). "Cloud security fears cast shadow at RSA." Network World 26(16).
[26] Joint, A., E. Baker, et al. (2009). "Hey, you, get off of that cloud?" Computer Law and Security Review: The International Journal of Technology and Practice 25(3): 270-274.
[27] Walsh, P. J. (2009). "The brightening future of cloud security." Network Security 2009(10): 7-10.
[28] Sloan, K. (2009). "Security in a virtualised world." Network Security 2009(8): 15-18.
[29] Mansfield-Devine, S. (2008). "Danger in the clouds." Network Security 2008(12): 9-11.
[30] Abraham, D. (2009). "Why 2FA in the cloud?" Network Security 2009(9): 4-5.