
International Journal of Computational Intelligence and Information Security, March 2012 Vol. 3, No. 3

Research Challenges and Security Issues in Cloud Computing


R. Kalaichelvi Chandrahasan, S Shanmuga Priya and Dr. L. Arockiam
AMA International University, Kingdom of Bahrain
M.I.E.T Engg College, Tiruchirappalli, India
St. Joseph's College, Tiruchirappalli, India
kalai_hasan@yahoo.com, shanmugapriyaraj@yahoo.com, larockiam@yahoo.co.in

Abstract
Cloud computing is a promising computing standard in which computing resources in large data centers are made available as services over the Internet. Cloud computing has become prominent in IT by offering the business environment data storage capacity. This new profitable paradigm for computing is an attractive, massive, large-scale investment that includes any subscription-based or pay-per-use service over the Internet. It is on-demand access to virtualized IT services and products. Salesforce, Amazon and Google currently provide such services, charging clients under an on-demand policy. As users entrust their sensitive data to clouds, i.e. public domains, the major hurdles for cloud adoption are lack of security and access control. The main setback is insecure information flow, as the service provider can access multiple virtual machines in clouds. It is therefore necessary to build up proper security for cloud implementation. The aim of this paper is to provide an overall view of cloud computing and to highlight the possible security issues and vulnerabilities connected with virtualization infrastructure.

Keywords: Cloud Computing; Virtualization; On-Demand Policy; Security; Service Provider; Public Domains

1. Introduction
Cloud computing takes virtual infrastructure and builds upon research in distributed computing, grid computing, utility computing, autonomic computing, networking, web services and software services. It has shown tremendous potential for empowerment, agility, multi-tenancy, reliability, scalability, availability, performance, security and maintenance. Email, instant messaging, business software and web content management can all be offered through a cloud environment. It incorporates many existing technologies, such as information and infrastructure consisting of pools of computers, networks, distributed services applications, information and storage resources.

The US National Institute of Standards and Technology (NIST) defines cloud as follows: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with a minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three delivery models, and four deployment models." [1]

Due to the ever-growing interest in cloud computing, we focus on issues that are specific to the cloud environment. The rest of this document is organized as follows. Section 2 gives an overview of the cloud, covering the characteristics of cloud computing, service models, deployment models and cloud scalability. Section 3 presents the security challenges in the cloud and the seven layers on the basis of CSA, followed in Section 4 by the Service Level Agreement and widely used languages for describing web services. Finally, Section 5 concludes the paper and discusses future work.

2. Cloud: Overview
2.1 Characteristics of Cloud Computing
The five characteristics of cloud computing embrace on-demand self-service, ubiquitous network access, location independent resource pooling, rapid elasticity, and measured service [6].

2.2 Service Models


There are three layers, referred to as delivery models, that provide resources to the clients.

Cloud Software as a Service (SaaS): The top layer provides the customer with ready-to-use applications running on the infrastructure of the service provider. The applications are easily accessible from several client devices as on-demand services. As clients obtain software from different providers, ensuring that the information handled by these services is well secured becomes an issue. Salesforce, DocLanding, Zoho and Workday are instances of SaaS used for different purposes such as email, billing, human resource management etc.

Cloud Platform as a Service (PaaS): It is the middle layer that provides platform-oriented service, controlling the installed applications and the available hosting environment configuration. The services that the application can request from an OS can be a constraint in PaaS. Google App Engine and LoadStorm are instances of PaaS for running web applications and testing their performance.

Cloud Infrastructure as a Service (IaaS): The bottom layer provides infrastructure services such as memory, CPU and storage. The consumer can deploy and run software. It reduces hardware costs. License cost is reduced in all layers. Trusting virtual machines, setting up hosts and securing inter-host communication are significant areas to be considered in IaaS. Amazon S3 and FlexiScale are the best examples of IaaS for storage and maintaining virtual servers.

Figure 1: Cloud Computing Map [2]

2.3 Deployment Models


The major factor in providing secure cloud computing is the type of cloud to be implemented. The types of cloud deployment models offered are:
Private cloud: This cloud infrastructure is operated only for a particular organization.
Community cloud: This cloud infrastructure is available to several specific groups of organizations.
Public cloud: This cloud infrastructure is made available to the public or a large industry group and can serve multiple tenants.
Hybrid cloud: It is a composite of two or more clouds.

2.4 Scalable Web Architectures


Cloud computing scalability has two dimensions, namely horizontal cloud scalability and vertical cloud scalability [15].

Horizontal cloud scalability: It is the facility by which multiple clouds can be integrated and connected to form one logical cloud. For instance, a calculation cloud can be integrated with a storage cloud, or two calculation clouds can integrate into a larger calculation cloud.

Vertical cloud scalability: It is the facility by which the capacity of a cloud can be increased by enhancing individual existing nodes in the cloud, for example by providing a server with more physical memory or improving the bandwidth that connects two nodes. Additionally, a node can be gradually upgraded from a single power machine to a data center. Users can store their data in the cloud without needing to know where it keeps the data or how it accesses the data.

3. Security Challenges In Cloud


As promising as it is, cloud computing also faces many security issues, including sensitive data access, data segregation, privacy, authentication and identity management, policy integration, bug exploitation, recovery, accountability, visibility under virtualization, malicious insiders, management console security, account control, and multi-tenancy issues [3], [4]. Solutions to various cloud security issues include cryptography, public key infrastructure, standardization of APIs, and improving virtual machine support and legal support. Public clouds carry the highest risk of data exposure and hence must be managed with proper caution. Understanding the challenges and security risks in the cloud environment and developing solutions are therefore essential to the success of this evolving paradigm [6]. A survey was conducted by the International Data Corporation (IDC) IT group in 2008 to rate cloud services and their issues. Figure 2 shows the respondents' ratings. It shows that security is the major concern in the cloud computing paradigm.

Figure 2: Cloud Challenges/Issues survey [17].

3.1 Data Security


Cloud vendors face major data security issues in confidentiality, integrity and availability. Confidentiality concerns who stores the encryption keys. Integrity concerns the absence of common policies for data transfer. Lastly, the most problematic issue is availability, i.e. it is very hard to make applications and resources available. Data security includes privileged user access, regulatory compliance, data location, data segregation, recovery, investigative support and long-term viability [5], [10].

3.2 Key security challenges

3.2.1 Authentication


As cloud users store their information with various services across the Internet, it can be accessed by unauthorized people. Hence the cloud should have an identity management system for authenticating users and services.

3.2.2 Access Control


To identify and allow only authorized users, the cloud should have fine-grained access control policies. Such services should be flexible and easily manageable, and their privilege distribution should be administered efficiently. The access control services should also be incorporated on the basis of the Service Level Agreement (SLA).

3.2.3 Policy Integration


End users may access many cloud providers such as Amazon, Google, LoadStorm and others. Each provider may have its own policies and approaches, and hence there might be conflicts among their policies. We therefore need a mechanism to detect these inconsistencies among their policies and to provide solutions for them.
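One way such a detection mechanism could look, as an added example that is not part of the original paper: rules from two providers are compared pairwise, and a conflict is reported when opposite effects apply to overlapping subjects and resources. The rule format, the trailing-`*` wildcard convention, the provider names and the deny-overrides resolution are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Rule:                 # hypothetical, simplified policy rule
    provider: str           # provider whose policy contains the rule
    subject: str            # role name, or a prefix pattern ending in "*"
    action: str
    resource: str           # resource path, or a prefix pattern ending in "*"
    effect: str             # "allow" or "deny"

def patterns_overlap(a, b):
    """True if some concrete name is matched by both patterns.
    Only exact names and trailing-"*" prefixes are supported (assumption)."""
    a_wild, b_wild = a.endswith("*"), b.endswith("*")
    a_pre, b_pre = a.rstrip("*"), b.rstrip("*")
    if a_wild and b_wild:
        return a_pre.startswith(b_pre) or b_pre.startswith(a_pre)
    if a_wild:
        return b.startswith(a_pre)
    if b_wild:
        return a.startswith(b_pre)
    return a == b

def find_conflicts(rules):
    """Pairs of rules from different providers that give opposite answers
    for at least one (subject, action, resource) request."""
    return [(r1, r2) for r1, r2 in combinations(rules, 2)
            if r1.provider != r2.provider
            and r1.effect != r2.effect
            and r1.action == r2.action
            and patterns_overlap(r1.subject, r2.subject)
            and patterns_overlap(r1.resource, r2.resource)]

def decide(rules, subject, action, resource):
    """Resolve a concrete request with deny-overrides and default deny,
    one common conflict-resolution strategy (an assumption here)."""
    effects = {r.effect for r in rules
               if r.action == action
               and patterns_overlap(r.subject, subject)
               and patterns_overlap(r.resource, resource)}
    return "allow" if effects == {"allow"} else "deny"

# Constructed sample policies for two hypothetical providers.
SAMPLE_RULES = [
    Rule("provider-a", "analyst", "read", "reports/*", "allow"),
    Rule("provider-a", "*", "delete", "reports/*", "deny"),
    Rule("provider-b", "analyst", "read", "reports/finance/*", "deny"),
    Rule("provider-b", "admin", "delete", "reports/archive/*", "allow"),
    Rule("provider-b", "auditor", "read", "logs/*", "allow"),
]

if __name__ == "__main__":
    for r1, r2 in find_conflicts(SAMPLE_RULES):
        print("CONFLICT:", r1, "<->", r2)
    print(decide(SAMPLE_RULES, "analyst", "read", "reports/finance/q1.csv"))
```
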

3.2.4 Service Management


To meet customers' needs, many cloud providers together form a new composed service and provide it to customers as a packaged service. In this scenario, there should be a service integrator to obtain the finest interoperable services.

3.2.5 Trust Management


As the cloud environment is service oriented, a trust management approach should be developed. It should include trust negotiation factors for the cloud providers and cloud users. The idea is that providers need some level of trust in the users to whom they release their services, and users need some level of trust in the providers whose services they choose [11], [12], [13].

3.3 Seven Layers in Cloud:


A cloud is structured in seven layers on the basis of the Cloud Security Alliance: 1) Facility Layer, 2) Network Layer, 3) Hardware Layer, 4) OS Layer, 5) Middleware Layer, 6) Application Layer and 7) The User Layer [7], [8], [14].

3.3.1 The Facility Layer


The facility layer provides physical security. High priority should be given to controlling and monitoring physical access to the hardware. Closed-circuit cameras, patrolling security guards, alarm systems, administrator logging, authentication, confidentiality agreements, background checks and visitor access controls should be incorporated into surveillance of physical security. The architectural security should also be adequate to guard the data center from any kind of physical attack.

3.3.2 The Network Layer


The provider furnishes network access so that users can reach customer data in the cloud across the Internet. Hence the network defense devices should collect information about security events on the networks. The provider should maintain, monitor and audit network flow data. The customer should also request these audits for verification.

3.3.3 The Hardware Layer


As the customer accesses services from virtual machines, the provider should maintain and monitor the hardware to ensure that it is tamper-free. The provider should have appropriate protocols to monitor the connection topology, memory use, bus speeds, processor loads, disk storage and so on.

3.3.4 The OS Layer


A vitally important factor to be considered in the cloud environment is securing the host OS. If it can be accessed by unauthorized users, customer data would be compromised. The provider should deploy an OS that manages to identify where the security policy or configuration might be lacking and prevent future intrusions.

3.3.5 The Middleware Layer


Middleware involves virtualization management tools, data format conversion, performing security functions, and managing access controls. The middleware mediates between the applications and the OS. It should monitor and secure communication between various systems. So, the provider should make sure that all middleware will accept and transmit only encrypted data and protect it against malicious manipulation.


3.3.6 The Applications Layer


The providers offer the application as a service to the public, so the code can be exposed to potentially malicious users. Hence secure coding and secure software development should be an important consideration. Customers should prefer applications in which the source code and business logic can be carefully examined by neutral third parties for potential flaws. Applications should also be monitored sufficiently to detect violations in web-based applications. The provider should widely deploy stricter security policies in the application layer.

3.3.7 The User Layer


Cloud users can be of two types: web-based application cloud users and users who are members of a customer organization. The former access cloud information in an insecure environment, while the latter use information that is covered by a security policy. However, access patterns can be monitored for malicious behavior. For example, Google Apps monitors login behavior such as the time and IP address, makes this information available to the user, and notifies the user of aberrant behavior. This idea could be extended to make digests of such alerts available to IT managers about the accounts for which their organization is responsible. In addition, the customer might access sensitive data in public areas. Authorized users can defeat many security policies in a few clicks through carelessness, as web browsers have many vulnerabilities that can be manipulated. So user education is the best way to avoid such problems in the cloud environment.
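The login monitoring and per-organization digest described above can be sketched as follows; this is an added example, not code from the paper or from Google Apps. The event format, the /24 and /48 network grouping, the thresholds and the sample log (documentation-range addresses, made-up accounts) are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

MIN_HISTORY = 3   # assumed: logins to observe before judging an account
HOUR_SLACK = 2    # assumed: tolerated drift (hours) from usual login times

def network_of(ip):
    """Coarsen an address to its /24 (IPv4) or /48 (IPv6) network."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def hour_gap(a, b):
    """Distance between two hours of the day on a 24-hour circle."""
    d = abs(a - b)
    return min(d, 24 - d)

def detect_aberrant_logins(events):
    """events: (iso_time, account, org, ip) tuples. Returns a list of alerts."""
    baseline = defaultdict(list)            # account -> [(network, hour), ...]
    alerts = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    for ts, account, org, ip in ordered:
        when, net = datetime.fromisoformat(ts), network_of(ip)
        history, reasons = baseline[account], []
        if len(history) >= MIN_HISTORY:     # baseline is established
            if all(net != n for n, _ in history):
                reasons.append("new network")
            if all(hour_gap(when.hour, h) > HOUR_SLACK for _, h in history):
                reasons.append("unusual hour")
        if reasons:
            alerts.append({"time": ts, "account": account, "org": org,
                           "ip": ip, "reasons": reasons})
        else:
            history.append((net, when.hour))  # only normal logins extend it
    return alerts

def digest_by_org(alerts):
    """Group alerts per organization, then per account, for its IT managers."""
    digest = defaultdict(lambda: defaultdict(list))
    for a in alerts:
        digest[a["org"]][a["account"]].append(
            f'{a["time"]} from {a["ip"]}: {", ".join(a["reasons"])}')
    return {org: dict(accounts) for org, accounts in digest.items()}

# Constructed sample log, deliberately out of order.
SAMPLE_EVENTS = [
    ("2012-03-05T09:02:00", "alice@acme.example", "acme", "192.0.2.10"),
    ("2012-03-06T09:15:00", "alice@acme.example", "acme", "192.0.2.11"),
    ("2012-03-07T10:01:00", "alice@acme.example", "acme", "192.0.2.10"),
    ("2012-03-08T03:12:00", "alice@acme.example", "acme", "203.0.113.77"),
    ("2012-03-09T09:30:00", "alice@acme.example", "acme", "192.0.2.12"),
    ("2012-03-05T14:00:00", "bob@acme.example", "acme", "198.51.100.5"),
    ("2012-03-06T14:30:00", "bob@acme.example", "acme", "198.51.100.5"),
    ("2012-03-07T15:10:00", "bob@acme.example", "acme", "198.51.100.9"),
    ("2012-03-08T14:45:00", "bob@acme.example", "acme", "198.51.100.200"),
    ("2012-03-05T08:00:00", "carol@globex.example", "globex", "192.0.2.50"),
    ("2012-03-06T08:10:00", "carol@globex.example", "globex", "192.0.2.50"),
    ("2012-03-07T08:05:00", "carol@globex.example", "globex", "192.0.2.50"),
    ("2012-03-08T08:20:00", "carol@globex.example", "globex", "203.0.113.9"),
]

if __name__ == "__main__":
    for org, accounts in digest_by_org(detect_aberrant_logins(SAMPLE_EVENTS)).items():
        print(org, accounts)
```

Flagged logins are kept out of the baseline so that a single unnoticed aberrant login does not make the next one from the same network look normal.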

4. The Service Level Agreement


As cloud adoption spreads in emerging markets such as Service Oriented Architecture, the quality and reliability of the services become important factors. Nevertheless, the requirements of the service consumers vary considerably. From the cloud providers' viewpoint, not all demands of the cloud customer can be fulfilled. Hence, as a negotiation process, provider and customer commit to an agreement. In SOA terms, this agreement is referred to as a Service Level Agreement (SLA). This SLA serves as the basis for the expected level of service between the consumer and the provider. Constant monitoring of Quality of Service (QoS) is necessary to enforce SLAs [16], [18].

The service level agreement is a contract or agreement between the cloud provider and the cloud customer. In cloud computing the service and data maintenance is done by some vendors, so the client has no control over the data or the processes on the data. The communication medium in this scenario is the Internet, i.e. a public environment. The only means by which the vendor can gain the trust of the client is the SLA. The SLA should cover the definition of services, customer needs, performance measurement, problem management, customer duties, warranties, elimination of unrealistic expectations and termination of the agreement [9]. As the cloud provides services like SaaS, PaaS and IaaS, each service has its own security issues. So the SLA has to define several levels of security. Some of them are:
a. Customer-based SLA
b. Service-based SLA
c. Multilevel SLA
d. Corporate-level SLA
e. Service-level SLA
f. Web service level agreement
Mainly it should cover a specific range of issues such as performance of the services to be delivered, tracking and reporting of problems, resolution of disputes, clients' and providers' responsibilities, confidential information and termination.

Cloud APIs are application programming interfaces (APIs) used to construct applications in the cloud computing environment. With the growing adoption of cloud, a number of service-oriented architecture (SOA) services have emerged. The widely used languages are REST cloud storage APIs and Web Services Description Language (WSDL). These APIs are Web tolerant. They offer extremely good services in advanced services such as secure sharing and collaboration.

5. Considerations and Future Work


Enterprises are adopting cloud computing. As it is essential for the adoption of cloud systems, they should be aware of emerging security concerns and the main research challenges faced by cloud computing. This paper articulated the challenges and issues on the way towards adopting the cloud. The non-profit organization "Cloud Security Alliance", formed to use the best practices for providing security assurance, has been presented. Additionally, we analyzed the Service Level Agreement that builds trust between cloud providers and cloud customers. We conclude that we need security at different levels, such as server access security, Internet access security, database access security, data privacy security and program access security. A secure cloud computing environment depends on identifying security solutions. A deeper study of current security approaches to the different security issues related to the cloud should be the focus of future work.

References
[1] http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc
[2] Ramgovind S, Eloff MM, Smith E, "The Management of Security in Cloud Computing", Information Security for South Africa (ISSA) conference, pp 1-7, Sep 2010
[3] Meiko Jensen, Jorg Schwenk et al., "On Technical Security Issues in Cloud Computing", IEEE International Conference on Cloud Computing, pp 109-116, October 2009
[4] Mladen A. Vouk, "Cloud Computing Issues, Research and Implementations", Journal of Computing and Information Technology - CIT 16, 4, pp 235-246, 2008
[5] Herminder Singh & Babul Bansal, "Analysis Of Security Issues And Performance Enhancement In Cloud Computing", International Journal of Information Technology and Knowledge Management, Volume 2, No. 2, pp 345-349, July-December 2010
[6] Hassan Takabi, James B.D. Joshi, Gail Joon Ahn, "SecureCloud: Towards a Comprehensive Security Framework for Cloud Computing Environments", 34th Annual IEEE Computer Software and Applications Conference Workshops, pp 393-398, 2010
[7] Jonathan Spring Software Engineering, "Monitoring Cloud computing by layer part 1", Security & Privacy, IEEE, vol 9, Issue 2, pp 66-68, Mar 2011
[8] Jonathan Spring Software Engineering, "Monitoring Cloud computing by layer part 2", Security & Privacy, IEEE, vol 9, Issue 3, pp 52-55, May 2011
[9] Balachandra Reddy, Ramakrishna Paturi, Dr. Atanu, "Cloud security Issues", IEEE International Conference on Services Computing, pp 517-520, 2009
[10] Hassan Takabi and James B.D., "Security and Privacy Challenges in Cloud Computing Environments", Security & Privacy, IEEE, vol 8, Issue 6, pp 24-31, Dec 2010
[11] Nelson Gonzalez, Charles Miers, "A quantitative analysis of current security concerns and solutions for cloud computing", Third IEEE International Conference on Cloud Computing Technology and Science, pp 231-238, 2011
[12] Subhashis Sengupta, Vikrant Kaulgud and Vibhu Saujanya Sharma, "Cloud Computing Security-Trends and Research Directions", IEEE World Congress on Services, pp 524-531, 2011
[13] Siani Pearson and Azzedine Benameur, "Privacy, Security and Trust Issues Arising from Cloud Computing", 2nd IEEE International Conference on Cloud Computing Technology and Science, pp 693-702, 2010
[14] Cloud Security Alliance Web site, http://www.cloudsecurityalliance.org/
[15] Lijun Mei, W.K. Chan and T.H. Tse, "A Tale of Clouds: Paradigm Comparisons and Some Thoughts on Research Issues", IEEE Asia-Pacific Services Computing Conference, pp 464-469, 2008
[16] Pankesh Patel, Ajith Ranabahu and Amit Sheth, "Service Level Agreement in Cloud Computing", Cloud Workshops at OOPSLA, 2009
[17] www.idc.com
[18] Service Level Agreement Definition and contents, http://www.service-level-agreement.net, accessed on March 10, 2009.


Authors Profile
Ms. R. Kalaichelvi Chandrahasan is working as an Asst. Professor in AMA International University, Kingdom of Bahrain. She is currently pursuing her research in Karpagam University, Coimbatore, India. She has published 4 research articles in the International / National Journals. Her areas of research interests are in Cloud Computing, Data mining and Semantic Web mining.

Ms. S Shanmuga Priya is working as an Asst. Professor in M.I.E.T Engg College, Trichy. She is currently pursuing her research in Bharathidasan University, Tiruchirappalli, India. Her areas of research interest are Java, Networking and Cloud Computing.

Dr. L. Arockiam is working as an Associate Professor in St. Joseph's College, India. He has published 102 research articles in the International / National Conferences and Journals. He has also authored two books: "Success through Soft Skills" and "Research in a Nutshell". His areas of research interests are: Software Measurement, Cloud Computing, Cognitive Aspects in Programming, Web Service, Mobile Networks and Data mining.
