
Impact of Security Issues in Adapting Cloud Computing

M.Subashini #1, R.Rashmi #2, B.Thamarai selvi#3


#1,#2,#3, Master of Engineering Students, Department of Computer science and Engineering, Sri Sai Ram Engineering College, Tambaram, Chennai, India
1subamunuswamy@gmail.com, 2rashmismit@gmail.com, 3thamcs.bala@gmail.com

Abstract

Cloud computing is a method of delivering hosted services - Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) - over the Internet in a fast, cost-effective way. The technology has gained popularity in a weakened economy as enterprises seek ways to save money, but this emerging technology presents certain risks, and it could open an organization to security vulnerabilities and threats. This paper provides an overview of basic concepts in cloud computing and brings forth the security aspects which need to be addressed before taking the cloud to enterprises on a larger scale.
Keywords: cloud computing, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software-as-a-Service (SaaS), Security.

Fig. 1 Example of cloud environment

I. INTRODUCTION

Cloud computing is an umbrella term used to refer to Internet-based development and services [1]. The cloud is a metaphor for the Internet. The characteristics of cloud data, applications, services and infrastructure are as follows:

Remotely hosted: Services or data are hosted on someone else's infrastructure.
Ubiquitous: Services or data are available from anywhere.
Commodified: The result is a utility computing model similar to that of traditional utilities, like gas and electricity.

Cloud computing has evolved through a number of phases which include grid and utility computing, application service provision (ASP), and Software as a Service (SaaS).

II. Cloud Deployment Models:

A. Public cloud
In a public cloud, or external cloud, resources are dynamically provisioned on a fine-grained, self-service basis over the Internet, through web applications/web services, from an off-site third-party provider who shares resources and bills on a fine-grained utility computing basis.

B. Hybrid cloud
A hybrid cloud environment consists of multiple internal and/or external providers. A hybrid cloud can describe a configuration combining a local device, such as a plug computer, with cloud services [2]. It can also describe configurations combining virtual and physical, collocated assets.

C. Private cloud
Private cloud and internal cloud are neologisms that some vendors have recently used to describe offerings that emulate cloud computing on private networks. These (typically virtualisation automation) products claim to "deliver some benefits of cloud computing without the pitfalls", capitalising on data security, corporate governance, and reliability concerns. They have been criticized on the basis that users "still have to buy, build, and manage them" and as such do not benefit from lower up-front capital costs and less hands-on management, essentially "the economic model that makes cloud computing such an intriguing concept".

Fig. 1 Cloud deployment model

III. Basic Services Delivery Models of the Cloud:

Delivery models describe the layer at which the user interacts with the services. These layers form a stack. Platform services are precursors to offering Software as a Service. Similarly, platform services cannot be provided absent an infrastructure to deliver them.

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the software running on a cloud infrastructure and access it from various client devices through a thin client interface such as a Web browser. The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or even individual application capabilities.

Cloud Platform as a Service (PaaS). Platform as a service refers to providing a virtual computing platform to the user. Computing platform is a term that has typically referred to the hardware and operating system required to support computing. With Platform as a Service the consumer is able to deploy their own applications, sometimes purchased and sometimes developed in the programming languages, APIs, sandboxes and other tools supported by the provider. Cloud platform services are not tied to a particular piece of hardware or operating system, so most providers support programming languages that can easily be moved from platform to platform, such as Java, Python, Perl, PHP and .Net.

Cloud Infrastructure as a Service (IaaS). With IaaS, the user is allowed to interact with the infrastructure, although the functions required to provide the infrastructure are abstracted and provisioned by the service provider. Services typically included at this level provide the user with the ability to acquire processing, storage, networks, and other fundamental computing resources, although the actual implementation is generally performed by the service provider and governed by contractual vehicles such as Service Level Agreements. Consumers are able to deploy and run arbitrary software, which can include operating systems and applications.

IV. Basic security requirements:

For over twenty years, information security has held confidentiality, integrity and availability as the core principles of information security [3].

A. Confidentiality
Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems.

B. Integrity
In information security, integrity means that data cannot be modified without authorization.

C. Availability
For any information system to serve its purpose, the information must be available when it is needed. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.

D. Authenticity
In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine.

E. Non-repudiation
Non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny that it had participated in the transaction.

V. Security Concerns in Cloud Environment

Many security and regulatory compliance issues can arise from each cloud deployment model. Customers often want to trust that their cloud service providers have provided a secure infrastructure; that other organizations or internal deployments cannot access data that's not authorized; that applications are maintained securely and kept up to date; and that key processes and security controls are auditable, among many other security concerns. These security implications of cloud computing are manifold. Many argue that public clouds create security concerns for security-conscious and heavily regulated organizations, citing loss of physical control, ability to audit, and other issues of transparency. Others argue that some forms of cloud computing services also can reduce the complexity associated with many aspects of security, such as providing for a more homogeneous infrastructure that helps to simplify testing and auditing, providing for easier automation of some security functions, and simplifying aspects of disaster recovery.

VI. Security Levels in Cloud Environment

The ability of cloud computing services to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, creates a risk that the data may be used by entities in ways not intended by consumers [4]. In the remainder of this section the different levels at which security measures can be inserted are discussed. Suggestions are also provided for solving the most common security threats that can possibly arise in a cloud environment.

A. Data Centre security: The delay in the adoption of the cloud by enterprises is mainly attributed to the security of the data centers that provide the cloud services. Data is redundantly stored in multiple physical locations, and those locations are spread across the globe. Data centers can enter into a contractual commitment to obey local privacy requirements of their customers. Data should be stored and processed only in specific jurisdictions as defined by the user. The centers themselves need to regularly and periodically check the validity and integrity of their data. Audit tools can also be provided so that users can easily determine how their data is stored, protected and used, and verify policy enforcement.

B. Information security: Information security pertains to issues related to secure communication, authentication, and issues concerning single sign-on and delegation. Secure communication issues include those security concerns that arise during the communication between two entities. These include confidentiality and integrity issues. Confidentiality indicates that all data sent by users should be accessible to only legitimate receivers, and integrity indicates that all data received should only be sent/modified by legitimate senders. Public key encryption, X.509 certificates, and the Secure Sockets Layer (SSL) enable authentication and secure communication over computer networks.

C. Internet access security: The internet is prone to the following attacks, and these attacks obviously have their impact on cloud computing as well.

1. Denial of Service: Access to a certain Internet-based service is denied due to heavy traffic in the network, which forces the servers and the network to fail.

2. QoS Violation: Network users tend to extract more service from the network than they are allocated. This can be averted by proper network policing procedures.

3. IP Spoofing: Spoofing is the creation of TCP/IP packets using somebody else's IP address. Infrastructure must not permit an instance to send traffic with a source IP or MAC address other than its own.

4. Port Scanning: If the customer configures the security group to allow traffic from any source to a specific port, then that specific port will be vulnerable to a port scan. When port scanning is detected it should be stopped and blocked.

5. ARP Cache Attack: To find out the MAC address associated with a particular IP address, a computer simply sends an ARP request broadcast. An attacker sitting on the same Ethernet network (i.e., LAN) can easily sniff the network traffic of a victim on that network by sending spoofed ARP messages to the victim.

6. Vulnerability in Virtualization: The type of virtualization provided can be either paravirtualization or full system virtualization. Instance isolation ensures that different instances running on the same physical machine are isolated from each other. Current VMMs do not offer perfect isolation: many bugs have been found in all popular VMMs that allow escaping from the VM. The virtual machine monitor should be root secure, meaning that no level of privilege within the virtualized guest environment permits interference with the host system. Some vulnerabilities have been found in all virtualization software, which can be exploited by malicious, local users to bypass certain security restrictions or gain escalated privileges [5]. For example, the vulnerability in Microsoft Virtual PC and Microsoft Virtual Server could allow a guest operating system user to run code on the host or another guest operating system (Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege). A vulnerability was found in VMware's shared folders mechanism that grants users of a guest system read and write access to any portion of the host's file system, including the system folder and other security-sensitive files.

7. Host Security Issues: A security threat may be posed by the host that executes the code in the cloud environment. A suggested solution is to create a trusted set of users through the distribution of digital certificates, passwords, keys etc.; access control policies are then defined to allow the trusted users to access the resources of the hosts.
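The requirement in items 3 and 5, that an instance may not send traffic with a source IP or MAC other than its own and may not advertise another host's address over ARP, can be enforced with a per-port binding table. The following is an added example, not code from the paper; the port names, addresses and the `Frame` record are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed binding table: virtual port -> (MAC, IP) assigned by the provider.
BINDINGS = {
    "vport-1": ("02:00:00:00:00:01", "10.0.0.11"),
    "vport-2": ("02:00:00:00:00:02", "10.0.0.12"),
}

@dataclass(frozen=True)
class Frame:
    vport: str                 # virtual port the frame was sent from
    src_mac: str               # Ethernet source address
    src_ip: str                # IP source, or ARP sender IP when is_arp is set
    is_arp: bool = False
    arp_sender_mac: str = ""   # sender hardware address inside the ARP payload

def check_frame(frame, bindings=BINDINGS):
    """Return (allowed, reason) for one frame leaving an instance."""
    bound = bindings.get(frame.vport)
    if bound is None:
        return False, "unknown virtual port"
    mac, ip = bound
    if frame.src_mac.lower() != mac:
        return False, "source MAC not assigned to this port"
    if frame.is_arp and frame.arp_sender_mac.lower() != mac:
        return False, "ARP payload advertises a different MAC"
    if frame.src_ip != ip:
        kind = "ARP claims" if frame.is_arp else "packet uses"
        return False, f"{kind} an IP not assigned to this port"
    return True, "ok"

def dropped_frames(frames, bindings=BINDINGS):
    """Return the (frame, reason) pairs a per-port filter would drop."""
    results = [(f, check_frame(f, bindings)) for f in frames]
    return [(f, reason) for f, (ok, reason) in results if not ok]

# Constructed traffic: an honest packet, a spoofed source IP, a spoofed MAC,
# an ARP reply claiming the neighbour's IP, and an honest ARP reply.
SAMPLE = [
    Frame("vport-1", "02:00:00:00:00:01", "10.0.0.11"),
    Frame("vport-1", "02:00:00:00:00:01", "10.0.0.12"),
    Frame("vport-2", "02:00:00:00:00:01", "10.0.0.12"),
    Frame("vport-2", "02:00:00:00:00:02", "10.0.0.11", True, "02:00:00:00:00:02"),
    Frame("vport-2", "02:00:00:00:00:02", "10.0.0.12", True, "02:00:00:00:00:02"),
]
```

Because the check runs at the virtual port rather than inside the guest, no privilege level within the instance can turn it off.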
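For item 4, a defender needs two checks: which security-group rules admit any source, and which sources in the connection log are probing many ports. This added example is not from the paper; the rule tuples, log format, window and threshold are assumptions, and all sample data is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed security-group rules: (protocol, port, allowed source CIDR).
RULES = [
    ("tcp", 22, "203.0.113.0/24"),
    ("tcp", 443, "0.0.0.0/0"),
    ("tcp", 3306, "0.0.0.0/0"),
]

def open_to_any_source(rules):
    """Ports whose rule admits every source address (prefix length 0)."""
    return sorted(port for _, port, cidr in rules
                  if ipaddress.ip_network(cidr).prefixlen == 0)

def detect_scanners(events, window=10.0, max_ports=5):
    """events: (timestamp_seconds, src_ip, dst_port), sorted by time.
    Flag a source that touches more than max_ports distinct ports
    within any span of `window` seconds."""
    recent = defaultdict(list)   # src_ip -> [(ts, port)] still inside the window
    flagged = set()
    for ts, src, port in events:
        hits = recent[src]
        hits.append((ts, port))
        while ts - hits[0][0] > window:   # evict entries older than the window
            hits.pop(0)
        if len({p for _, p in hits}) > max_ports:
            flagged.add(src)
    return sorted(flagged)

# Constructed connection log: a fast sweep over ten ports, a client that
# only uses 443, and a client that touches six ports but 12 s apart.
EVENTS = sorted(
    [(i * 0.1, "198.51.100.7", 20 + i) for i in range(10)]
    + [(i * 1.0, "192.0.2.10", 443) for i in range(10)]
    + [(i * 12.0, "192.0.2.20", 8000 + i) for i in range(6)]
)
```

Sources returned by `detect_scanners` are the candidates for blocking; ports returned by `open_to_any_source` are the ones whose rules should be narrowed where the service does not need to be public.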
VII CONCLUSIONS

This paper has discussed in detail the various aspects of security that need to be considered while implementing cloud computing. In a nutshell, there are five major steps that can be adopted to enforce security in the cloud environment. Enterprises must understand how the cloud's uniquely loose structure affects the security of data sent into it. Assurance that the cloud service provider will supply detailed information on its security architecture, and of its willingness to accept a security audit, must be obtained from the provider. Ensure that internal security technologies and practices, such as network firewalls and user access controls, are strong and can mesh well with cloud security measures. Understand how laws and regulations will affect what is sent into the cloud. Users of the cloud must also constantly monitor and keep themselves updated on changes in cloud technologies and practices that may affect data security. The security issues in a cloud need focused research for enterprises to take advantage of the massive utility it provides.
REFERENCES
[1] P. Wayner, Cloud versus Cloud: A guided tour of Amazon, Google, AppNexus and GoGrid, Infoworld, July 21, 2008.
[2] P. Goyal, R. Mikkilineni, M. Ganti, Manageability and Operability of the Virtual Business Services Fabric, in Proceedings of WETICE 2009: 18th IEEE International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises.
[3] Kostas Pentikousis. Distributed Information Object Resolution. In Proc. Eighth International Conference on Networks (ICN), Gosier, Guadeloupe/France, March 2009. IEEE Computer Society Press.
[4] Rao Mikkilineni. Cloud Computing and the Lessons from the Past. 2009.
[5] Padma Apparao, Ravi Iyer, Xiaomin Zhang, Don Newell, Tom Adelmeyer. Characterization & Analysis of a Server Consolidation Benchmark.
