
Cloud computing is the delivery of dynamically scalable IT resources over the internet, instead of hosting them locally (as was done earlier) on a university or local LAN, to meet changing business needs. The resources can be any services, computing, storage or even infrastructure. As these resources are available over the network, any organization or user can buy them on an as-needed basis and avoid the costs of software and hardware. Here the cloud is a virtualized pool of shared resources which can be rented to users or organizations, so that they pay only for what they use and do not have to buy a whole infrastructure or platform, as was the case with conventional computing systems. In the cloud, service providers and users are connected via the internet.

As defined by NIST: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Clearly this definition summarises the services, deployment models and characteristics of cloud. The main characteristics of cloud are:

On Demand Service: the user can avail of the resources instantly without having to physically interact with the service provider.

Broad Network access:

Service Models of Cloud Computing:

Cloud services come in many flavours depending on the type of resources provided by the cloud.[1]

Software as a Service (SaaS): A software deployment model in which applications, and the computational resources required to run them, are provided to the user on demand. The total cost of hardware and software deployment and maintenance is reduced. The underlying infrastructure is controlled and managed by the cloud provider. The user only has to set preferences and administrative application settings. Examples: Google Mail, Google Docs, etc.

Data as a Service (DaaS): Data is stored at the service provider's site and the customer can query that data on demand regardless of the geographic location of the data. It allows for the separation of data cost and usage from a specific software or platform. Examples: Amazon S3, Google BigTable.

Platform as a Service (PaaS): A computing platform is provided as an on-demand service on which the user can develop and deploy the desired applications, i.e. a program or database development tools. The deployment environment can be rented on demand and is special-purpose, designed on the basis of customer needs. Example: Google AppEngine.

Infrastructure as a Service (IaaS): A basic computing infrastructure of servers, software, and network equipment is provided as an on-demand service upon which a platform can be deployed and applications can be executed. Infrastructure components for a system need not be bought; instead they can be obtained as virtualized objects controlled via a service interface. The cloud subscriber generally has broad freedom to choose the operating system and development environment to be hosted. Examples: Amazon's EC2, GoGrid, etc.

Identity and Policy Management as a Service (IPMaaS): Here the provider manages the identity and policy issues of the customer. The customer relies on the service provider to perform some function on data provided by the user so that his identity can be authenticated. An enterprise or individual can also ask the service provider to check whether a certain functionality or new technology introduced in the system obeys the policies of the enterprise.

Network as a Service (NaaS): Here virtual networks, made available by the service provider, are provided to the user. A VPN is an example of a cloud service in which the cloud serves as a network system which is secure and also maintains the privacy of the user.

Hardware as a Service (HaaS): Data centres need not be implemented by the end user. The cloud can offer services requiring particular hardware, the results of which can be used by the user, so that the user doesn't have to buy the hardware resources.

Cloud Deployment Models:

Along with these levels of service, the cloud also provides some deployment models that define the scope of cloud services:

Public cloud: Resources are available to multiple users, who can quickly access them on a per-use basis via web services. Resources are provided by a single service provider who can bill the usage. It suffers from security and compliance disadvantages.

Private cloud: Instead of handing your private data to a third-party service provider, a private cloud keeps it within the private enterprise only. Internal personnel manage and control the cloud data, which is visible to the enterprise only. Its advantage is that it solves security and compliance problems.

Hybrid cloud: A combination of public and private cloud. It follows private cloud rules during the normal workload of the enterprise, but shifts to the public cloud and uses its resources when the workload peaks, and goes back to using private resources when the workload returns to normal.

Community cloud: A group of organizations or enterprises jointly creates a cloud infrastructure and shares resources over a common cloud. This cloud can be hosted by a third party or by one of the organizations in the group.

Advantages of cloud computing:

Security benefits of cloud: It is always beneficial and profitable (cheaper) to implement security resources on a large scale, and the same is the case with cloud. All the measures put together to defend the cloud infrastructure buy the same amount of security more cheaply than for a single system. These measures may include strong authentication, secure virtualization, data filtering, patch management, access control and identity management.[2]

Centralised Data [4]

Reduced Data Leakage: In any enterprise each employee keeps some critical data of the organization with him on his laptop or office computer. This is not a safe practice because this data can be leaked at any time by an inside intrusion or by any outsider. With centralised cloud storage, data is securely stored at a third-party location, so local attacks are not possible, as long as the cloud storage is secure.

Monitoring benefits: Nowadays companies have their data distributed over different locations instead of a single central location. Monitoring distributed data, i.e. keeping track of which data is where and its statistics, can therefore prove to be a tedious task. With thin clients this can be made easy, but the cloud also gives the benefit of a single data repository.

2. Incident Response / Forensics


Forensic readiness: with Infrastructure as a Service (IaaS) providers, I can build a dedicated forensic server in the same Cloud as my company and place it offline, ready for use when needed. I would only need to pay for storage until an incident happens and I need to bring it online. I don't need to call someone to bring it online or install some kind of remote boot software - I just click a button in the Cloud Provider's web interface. If I have multiple incident responders, I can give them a copy of the VM so we can distribute the forensic workload based on the job at hand or as new sources of evidence arise and need analysis. To fully realise this benefit, commercial forensic software vendors would need to move away from archaic, physical dongle based licensing schemes to a network licensing model.

Decrease evidence acquisition time:

Eliminate or reduce service downtime: Note that in the above scenario I didn't have to go tell the COO that the system needs to be taken offline for hours whilst I dig around in the RAID Array hoping that my physical acquisition toolkit is compatible (and that the version of RAID firmware isn't supported by my forensic software). Abstracting the hardware removes a barrier to even doing forensics in some situations.

Decrease evidence transfer time: In the same Cloud, bit for bit copies are super fast - made faster by that replicated, distributed filesystem my Cloud provider engineered for me. From a network traffic perspective, it may even be free to make the copy in the same Cloud. Without the Cloud, I would have to do a lot of time consuming and expensive provisioning of physical devices. I only pay for the storage as long as I need the evidence.

Eliminate forensic image verification time: Some Cloud Storage implementations expose a cryptographic checksum or hash. For example, Amazon S3 generates an MD5 hash automagically when you store an object. In theory you no longer need to generate time-consuming MD5 checksums using external tools - it's already there.

Decrease time to access protected documents: Immense CPU power opens some doors. Did the suspect password protect a document that is relevant to the investigation? You can now test a wider range of candidate passwords in less time to speed investigations.
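The storage-side hash mentioned under "Eliminate forensic image verification time" only replaces a local checksum when the reported value really is an MD5 of the object. The following is an added example, not code from the original page: it checks an evidence image against an S3-style ETag and handles the case where the ETag is not a plain MD5, namely the widely observed multipart format (MD5 over the concatenated per-part MD5 digests, followed by "-" and the part count). The function names, sample image and part size are assumptions made for illustration, and objects encrypted with SSE-KMS or SSE-C are out of scope because their ETag is not an MD5 at all.

```python
import hashlib
import hmac
from typing import Optional


def s3_style_etag(data: bytes, part_size: Optional[int] = None) -> str:
    """Return the ETag expected for `data`.

    part_size=None models a single PUT: the ETag is the plain MD5 hex digest.
    Otherwise it models a multipart upload with fixed-size parts.
    """
    if part_size is None:
        return hashlib.md5(data).hexdigest()
    if part_size <= 0:
        raise ValueError("part_size must be positive")
    parts = [data[i:i + part_size] for i in range(0, len(data), part_size)] or [b""]
    joined = b"".join(hashlib.md5(p).digest() for p in parts)
    return "{}-{}".format(hashlib.md5(joined).hexdigest(), len(parts))


def verify_image(data: bytes, reported_etag: str,
                 part_size: Optional[int] = None) -> dict:
    """Compare a local evidence image with the ETag the storage service reported."""
    reported = reported_etag.strip().strip('"').lower()  # ETags arrive quoted
    multipart = "-" in reported
    # Record SHA-256 as well: MD5 detects corruption but is not collision resistant.
    result = {"sha256": hashlib.sha256(data).hexdigest(), "multipart": multipart}
    if multipart and part_size is None:
        result.update(match=False,
                      reason="multipart ETag is not an MD5 of the object; part size required")
        return result
    local = s3_style_etag(data, part_size if multipart else None)
    ok = hmac.compare_digest(local, reported)
    result.update(match=ok, reason="ETag matches" if ok else "ETag mismatch")
    return result


# Constructed sample: a stand-in for an evidence image and an assumed part size.
IMAGE = b"constructed evidence image " * 1000
PART = 8192

if __name__ == "__main__":
    single = s3_style_etag(IMAGE)
    multi = s3_style_etag(IMAGE, PART)
    print(verify_image(IMAGE, '"%s"' % single))
    print(verify_image(IMAGE, multi, PART))
    print(verify_image(IMAGE, multi))  # part size unknown: cannot be verified
```
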

3. Password assurance testing (aka cracking)


Decrease password cracking time: if your organisation regularly tests password strength by running password crackers you can use Cloud Compute to decrease crack time and you only pay for what you use. Ironically, your cracking costs go up as people choose better passwords ;-).

Keep cracking activities to dedicated machines: if today you use a distributed password cracker to spread the load across non-production machines, you can now put those agents in dedicated Compute instances - and thus stop mixing sensitive credentials with other workloads.

4. Logging
Unlimited, pay per drink storage: logging is often an afterthought, consequently insufficient disk space is allocated and logging is either non-existent or minimal. Cloud Storage changes all this - no more guessing how much storage you need for standard logs.

Improve log indexing and search: with your logs in the Cloud you can leverage Cloud Compute to index those logs in real-time and get the benefit of instant search results. What is different here? The Compute instances can be plumbed in and scale as needed based on the logging load - meaning a true real-time view.

Getting compliant with Extended logging: most modern operating systems offer extended logging in the form of a C2 audit trail. This is rarely enabled for fear of performance degradation and log size. Now you can opt-in easily - if you are willing to pay for the enhanced logging, you can do so. Granular logging makes compliance and investigations easier.

5. Improve the state of security software (performance)


Drive vendors to create more efficient security software: Billable CPU cycles get noticed. More attention will be paid to inefficient processes; e.g. poorly tuned security agents. Process accounting will make a comeback as customers target expensive processes. Security vendors that understand how to squeeze the most performance from their software will win.

6. Secure builds
Pre-hardened, change control builds: this is primarily a benefit of virtualization based Cloud Computing. Now you get a chance to start secure (by your own definition) - you create your Gold Image VM and clone away. There are ways to do this today with bare-metal OS installs but frequently these require additional 3rd party tools, are time consuming to clone or add yet another agent to each endpoint.

Reduce exposure through patching offline: Gold images can be kept securely up to date. Offline VMs can be conveniently patched off the network.

Easier to test impact of security changes: this is a big one. Spin up a copy of your production environment, implement a security change and test the impact at low cost, with minimal startup time. This is a big deal and removes a major barrier to doing security in production environments.

7. Security Testing
Reduce cost of testing security: a SaaS provider only passes on a portion of their security testing costs. By sharing the same application as a service, you don't foot the expensive security code review and/or penetration test. Even with Platform as a Service (PaaS) where your developers get to write code, there are potential cost economies of scale (particularly around use of code scanning tools that sweep source code for security weaknesses).

[1] Tharam Dillon, Chen Wu, Elizabeth Chang, Cloud computing: issues and challenges, 2010 24th IEEE International Conference on Advanced Information Networking and Applications.

[2] Benefits, risks and recommendations for information security

[3] Amit Sangroya, Saurabh Kumar, Jaideep Dhok, and Vasudeva Varma, Towards Analyzing Data Security Risks in Cloud Computing Environments

[4] http://cloudsecurity.org/blog/2008/07/21/assessing-the-security-benefits-of-cloud-computing.html
