Security Challenges in Cloud Computing
Table of Contents
- Executive Summary
- Introduction
- Literature Review
- The Cloud Computing Security Challenges
4.1. XML Signature Element Wrapping
4.3. Cloud Malware Injection Attack
Emerging trends in information technology have made everyday life more comfortable and convenient. Cloud computing, otherwise known as on-demand computing, is among the biggest advancements in the information technology industry. Compared with dedicated models, it offers a scalable, dependable, high-performance and low-cost workable solution. The term covers both the applications offered as a service online and the hardware in the data centers that provides these services. The technology allows resources to be acquired when they are needed, and it gives IT departments a highly cost-effective way to provide better services. When the service is provided to the public on a pay-per-use basis it is termed a public cloud, while if clients have their own applications and operate them on their own systems it is known as a private cloud. A combination of the two is known as a hybrid cloud. Although it brings a number of benefits for information technology companies, the cloud raises a number of matters that have to be looked into before it is applied. The main issue is security and privacy. These matters arise in the use of the public cloud, since in that model there is no awareness of how the data is stored online.
This paper focuses on the security challenges that cloud computing faces. It starts by describing what cloud computing is and the practices connected to it. The literature review then looks at the studies connected with cloud computing. The challenges come next, covering the threats that exist, followed by their solutions. After that come the future solutions for the cloud computing system, which is bound to be great. The paper ends with a business mission that aims to convince the business sector and clients of what HawkEye Network Security has to offer its clients.
Cloud computing is an emerging trend in information technology. It is an internet-based form of computing in which resources are placed in a common pool for a number of users to make good use of (Chudnov, 2010, 34). Devices such as computers are used to access it. This form of technology makes resources accessible when they are called upon. It is an affordable method for most IT departments that do not want to meet their daily needs under the pressure of resources and time.
The concept of cloud computing began in the 1960s, and it was applied by telecommunication companies up to 1990, when they used point-to-point data interfaces and then created virtual private networks (Chudnov, 2010, 33; Viega, 2009, 23). Later, owing to network congestion and the desire to make network bandwidth more reliable and efficient, the cloud was adopted for servers and infrastructure. As it advanced, Amazon was significant in the formation of today's data centers. In 2007 Google, IBM and a number of well-known universities and organizations adopted the technology. By 2008, Gartner took note of its attributes for clients and service providers.
This paper looks to offer information technology companies and experts the guidelines and areas of focus they need when adopting cloud computing technology. It also raises awareness of what cloud computing can do among information technology organizations by addressing the global cloud computing challenges (Chudnov, 2010, 35). The paper covers the matters that may arise in the application of cloud computing; data and surveys gathered by companies such as IDC; a review of cloud computing security issues; solutions to the security issues encountered by companies using the technology; mitigation procedures; and the security models that may manage security matters in the cloud setting.
Cloud computing is a method used to reduce cost. The technology is promoted as a means to limit a company's data processing costs by outsourcing the underlying infrastructure. Most of the cost saving comes from trimming the employees who are no longer needed to maintain an in-house model. According to Wang et al (2010, 19), keeping data in a cloud in a dynamic, on-demand manner brings appealing advantages: relief from the burden of storage management, global data access independent of geographical location, and avoidance of capital spending on hardware, software and upkeep, among others.
Chudnov (2010, 33) states that, in an attempt to reduce costs while delivering services to clients, affordable pricing can make moving service hosting to the cloud a beneficial step. Khajeh-Hosseini et al (2010, 7) go on to state that the cost benefit is realized by shifting a company's model to cloud computing. They end by stating that cloud computing is vital in doing away with potential support-related matters, as there are no physical systems to maintain.
In addition to the benefits connected to cloud computing, there are also security threats. Shifting to a cloud computing model poses a security threat to a company's information (Geng, 2009, 10). One of the biggest fears about cloud computing is security, as is common with any rising internet technology. Mather et al (2009) state that there are six major areas of security focus when looking at cloud computing: information that is moving from one place to another, information that is stored, information that is being processed, and data lineage, attribution and remanence. Information that is being moved ought to be encrypted so as to preserve confidentiality and integrity for users. Information that is stored is similarly exposed if it is not encrypted.
This literature presents three broad service models for cloud computing:
- Software as a Service (SaaS), in which applications are hosted and provided online through the web browser, reproducing local desktop functionality; examples include Google Docs, Gmail and MySAP. The applications are delivered to the client when needed: one service runs in the cloud and serves several users. The customer does not have to invest in servers or software licenses, while for the provider the model is affordable because just one application has to be hosted and maintained (Geng, 2009, 11). SaaS suppliers control the software with regard to how it is used. Pricing is set on negotiated costs. It is composed of upcoming models. The suppliers offer maintenance and patching services.
- Platform as a Service (PaaS), in which the cloud offers a software platform for systems, and not solely software; the best-known instance is Google App Engine. The service consists of a development environment that is packaged and delivered as a service, on which higher-level services can be built. Each customer has the autonomy to create their own applications that run on the supplier's infrastructure (Geng, 2009, 12). To meet the control and scalability needs of the applications, the service has to provide a well-defined combination of OS and application servers, such as the LAMP model, which is composed of MySQL, PHP servers and Linux.
- Infrastructure as a Service (IaaS), which hosts a number of virtualized computing resources such as storage and computing capacity; clients are able to run their own software stacks on them. The most common examples are Amazon Elastic Compute Cloud and SimpleDB, among others. The defining attribute of IaaS is that clients submit virtual machine images to the IaaS provider, as opposed to programs, and the machines are able to sustain the needs of the developers (Viega, 2009, 106).
There are a number of security goals, known as C.I.A.: confidentiality, meaning that the information is well kept; integrity, meaning that the information is not changed in any way; and availability, which is the ability to get the data at the time it is required. The C.I.A. model for information security is applied because it is reliable and common. Stoneburner (2001, 2) adds that the main objective of security is to make it possible for a company to achieve all of its objectives by implementing systems with consideration of the information technology threats to the company, its associates and its clients (Geng, 2009, 13). The other task is to note the reported security threats in IaaS cloud computing and to align them with the security goals. Cloud computing services are described by the SPI model.
Security in the cloud is one of the biggest areas in which research is undertaken. Studies show that experts are keen on more reliable methods and encryption techniques to improve information security in the cloud.
According to Brian Hay, there have been varied areas of focus, such as data authentication, integrity, querying and outsourcing of information. The study notes threats that arise at the level of operational trust, sharing of resources, new management techniques and digital forensics. At the operational trust level, encrypted communication channels are applied for cloud storage, as is computation on encrypted information, also known as homomorphic encryption. Emerging threat methods such as Virtual Machine Introspection (VMI) are applied at the virtualization level to manage and change information. The problems are stated with the help of cloud resources and the acquisition of a system for analysis.
According to John Mace, there have been proposals for automatic, flexible and self-driven methods to select where to run workflow operations and keep data, while offering audit information to verify policy compliance and avoid prosecution. The proposals also describe a flexible facility to quantify the effect of data security policy, so as to help policy-makers arrive at justifiable and financially satisfactory security policy choices. Service Oriented Architecture (SOA) is applied for workflow applications in a company. For reliability and productivity, and to make use of the public cloud, cloud computing applies methods such as ongoing management, policy creation and security monitoring. The flexible methods applied in public cloud computing are security analysis, workflow application, policy enforcement, information audit and policy assessment.
Qiang Guo offers a different description of trust in cloud computing and of the various areas connected to trust. A broad trust assessment framework termed ETEC has been put forward for consideration, comprising a time-based comprehensive assessment technique for expressing direct trust and a space-based assessment technique for computing approval trust. The technique also computes the trust level effectively and sensibly in the cloud computing setting.
4. The Cloud Computing Security Challenges
4.1. XML Signature Element Wrapping
Since customers can connect to cloud computing through a web browser or other web services, web attacks are threats that may arise in cloud computing. XML signature element wrapping is a common threat to web services. Even though WS-Security applies XML Signature to protect an element's name, attributes and value from unauthorized parties, it is quite difficult to protect the element's position in the document (Alvi, et al, n.d, 23). An attacker can tamper with a SOAP message by duplicating the targeted element, giving the copy a value of the attacker's own, and moving the original element to another place in the SOAP message. This can deceive the web service into processing the malicious message formed by the attacker. An example of the wrapping attack is shown below.
[Figures not reproduced: Fig. 1, SOAP message; Fig. 2]
Source: Alvi, et al, n.d
In the figure above, the client requests a picture named "mc.jpg". The attacker, however, intercepts and changes the SOAP message by inserting the same element, so that the request is for a file named "cv.doc" instead of the picture (Figure 3). The web service then receives a message that causes it to send the cv.doc file to the customer (Popovic, 2010, 24). Another example is an e-mail web application: if an attacker intercepts the SOAP message, alters the client's e-mail address and points it to another address, the service will send the e-mail to the newly set address. By 2008, Amazon's EC2, a public cloud computing service, was known to be at risk of XML signature wrapping. The most viable solution is to combine WS-Security with XML Signature to sign the precise element, together with digital certificates such as X.509 issued by Certification Authorities. Additionally, the web service ought to define the list of elements that are used in the system and reject any message that contains unexpected content from the customer.
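The last mitigation above (fix the list of expected elements and reject anything else), as an added example that is not part of the original paper. It assumes the signature over the referenced element has already been verified by an XML Signature library; the `getFile` operation, the `Wrapper` element and both sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSU, WSSE = WSS + "utility-1.0.xsd", WSS + "secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
ID_ATTR = f"{{{WSU}}}Id"

ALLOWED_HEADER = {f"{{{WSSE}}}Security"}  # header blocks this service expects
ALLOWED_OPERATIONS = {"getFile"}          # hypothetical operation name


class WrappingError(ValueError):
    """Message layout differs from what the service expects."""


def build(body_id, filename, header_extra=""):
    """Constructed sample message; signature values are left out."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}" '
        f'xmlns:wsse="{WSSE}" xmlns:ds="{DS}"><soap:Header>'
        '<wsse:Security><ds:Signature><ds:SignedInfo>'
        '<ds:Reference URI="#body"/>'
        '</ds:SignedInfo></ds:Signature></wsse:Security>'
        f'{header_extra}</soap:Header>'
        f'<soap:Body wsu:Id="{body_id}"><getFile><name>{filename}</name>'
        '</getFile></soap:Body></soap:Envelope>'
    )


SIGNED_BODY = ('<soap:Body wsu:Id="body"><getFile><name>mc.jpg</name>'
               '</getFile></soap:Body>')
LEGIT = build("body", "mc.jpg")
# The signed Body is moved under a header wrapper; a new Body takes its place.
WRAPPED = build("newbody", "cv.doc", f"<Wrapper>{SIGNED_BODY}</Wrapper>")


def signed_ids(root):
    """Ids named by ds:Reference URIs of the form '#id'."""
    uris = (ref.get("URI", "") for ref in root.iter(f"{{{DS}}}Reference"))
    return {uri[1:] for uri in uris if uri.startswith("#")}


def naive_requested_file(xml_text):
    """Signature lookup finds the Id anywhere; the service reads Envelope/Body."""
    root = ET.fromstring(xml_text)
    ids = signed_ids(root)
    if not any(el.get(ID_ATTR) in ids for el in root.iter()):
        raise WrappingError("no signed element found")
    return root.findtext(f"{{{SOAP}}}Body/getFile/name")


def checked_requested_file(xml_text):
    """Process the Body only if it is the signed element in the expected place."""
    root = ET.fromstring(xml_text)
    expected = [f"{{{SOAP}}}Header", f"{{{SOAP}}}Body"]
    if root.tag != f"{{{SOAP}}}Envelope" or [c.tag for c in root] != expected:
        raise WrappingError("unexpected envelope layout")
    header, body = list(root)
    for block in header:
        if block.tag not in ALLOWED_HEADER:
            raise WrappingError(f"unexpected header element {block.tag}")
    body_id = body.get(ID_ATTR)
    if body_id is None or body_id not in signed_ids(root):
        raise WrappingError("processed Body is not the signed element")
    if sum(el.get(ID_ATTR) == body_id for el in root.iter()) != 1:
        raise WrappingError("signed Id is not unique")
    operations = list(body)
    if len(operations) != 1 or operations[0].tag not in ALLOWED_OPERATIONS:
        raise WrappingError("unexpected Body content")
    return operations[0].findtext("name")


if __name__ == "__main__":
    print("naive, wrapped message:", naive_requested_file(WRAPPED))
    try:
        checked_requested_file(WRAPPED)
    except WrappingError as err:
        print("checked, wrapped message: rejected,", err)
```

The naive path accepts the wrapped message because the signature reference is resolved by Id while the request is read by position; the checked path ties the two together.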
4.2. Browser Security
In a cloud computing model, the computation is done on the cloud server, while the user's end only sends a request and waits for the result. The web browser is a well-known means of connecting to cloud systems. Before requesting services from a cloud system, customers have to authenticate themselves to show that they are entitled to use it (Popovic, 2010, 26). On the security side, present-day web browsers depend heavily on SSL/TLS. They are not able to apply WS-Security (XML Signature and XML Encryption) to the authentication process. As a result, when a web browser requests a service from the web server in the cloud, it cannot use the customer's details, such as the name, to authenticate the user, nor XML Encryption to encrypt the SOAP message and protect the information from unintended parties (Alvi, et al, n.d, 40; Shuai et al, 2010, 28). The web browser has to use SSL/TLS to encrypt the credentials and use the same SSL/TLS four-way handshake to authenticate the customer. Nevertheless, SSL/TLS only supports point-to-point communication, meaning that where there is a middle tier between the client and the cloud server, such as a proxy server or another application, the information has to be decrypted on that intermediate host.
If an attacker is sniffing packets on that host, the attacker may obtain the credentials and use them to access the cloud system as a genuine user (Popovic, 2010, 27). Moreover, SSL/TLS has been broken by Marlinspike, who applied the technique known as the "Null Prefix Attack" to carry out undetected attacks against SSL/TLS implementations. Consequently, attackers are in a good position to use this technique to request services from the cloud system without genuine credentials. It appears that SSL/TLS is not adequate as a means of authentication for cloud computing. The most effective and reliable remedy would be for the vendors that make web browsers to apply WS-Security within their browsers (Alvi, et al, n.d, 41). The reasoning is that WS-Security is able to apply XML Encryption to provide end-to-end encryption of the SOAP data. Unlike point-to-point encryption, end-to-end encryption does not have to be decrypted at intermediate hosts. Lastly, with only point-to-point encryption, attackers on an intermediate host are in a good position to sniff and obtain the plain text of the SOAP data.
4.3. Cloud Malware Injection Attack
This form of attack aims to inject a malicious service, application or virtual machine into the cloud system, depending on the cloud service model (SaaS, PaaS or IaaS). For the attack to take place, the attacker has to create a malicious application, service or virtual machine instance and then add it to the cloud system (Popovic, 2010, 26). Once the malicious software has been added, the attacker tricks the cloud system into treating it as a valid instance. If this works, an ordinary user is able to request the malicious service, and the malicious code is then executed. Another instance of this attack is an attacker uploading a virus program to the cloud system; the program is executed automatically and the cloud system is infected with the virus, which can severely affect it. In the virus case, hardware is damaged, and because instances run on common hardware the damage is shared. Moreover, the attacker may aim to use the virus program to attack other clients of the system. Once a customer requests the malicious program, the cloud system sends the virus over the internet to the user, where it takes effect on the user's machine. The user's computer is then infected. The most effective countermeasure is to perform a service instance integrity check on incoming requests. A hash value can be kept for the original service image and compared with the hash values of all the service images (Popovic, 2010, 25; Shuai et al, 2010, 23). With hash values in use, an attacker has to produce a valid hash value comparison in order to deceive the cloud system and inject a malicious instance into it.
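One way to implement the service image integrity check described above, written as an added example (not code from the paper or from any cloud provider). It goes one step further than the text by sealing the hash manifest with an HMAC key, an assumption made here so that an injected image cannot simply be paired with an edited manifest; the file names, key and image bytes are constructed.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash an image in chunks so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _manifest_tag(entries, key):
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def seal_manifest(entries, key):
    """Record the trusted image hashes together with an HMAC over them."""
    return {"entries": entries, "tag": _manifest_tag(entries, key)}


def open_manifest(sealed, key):
    """Return the entries only if the manifest itself is unmodified."""
    expected = _manifest_tag(sealed["entries"], key)
    if not hmac.compare_digest(expected, sealed.get("tag", "")):
        raise ValueError("manifest failed its integrity check")
    return sealed["entries"]


def may_launch(image_path, service_name, sealed, key):
    """True only when the image hash equals the hash recorded for the service."""
    recorded = open_manifest(sealed, key).get(service_name)
    if recorded is None:
        return False  # no trusted hash on record: refuse to start it
    return hmac.compare_digest(recorded, sha256_file(image_path))


def demo():
    """Run the check against a constructed image before and after tampering."""
    key = b"constructed-demo-key"  # assumption: kept outside the image store
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "web-service.img")
        with open(image, "wb") as handle:
            handle.write(b"constructed trusted image contents")
        sealed = seal_manifest({"web-service": sha256_file(image)}, key)
        results["original"] = may_launch(image, "web-service", sealed, key)

        with open(image, "ab") as handle:  # simulate a modified image
            handle.write(b" plus unexpected bytes")
        results["modified"] = may_launch(image, "web-service", sealed, key)
        results["unknown"] = may_launch(image, "other-service", sealed, key)

        # Manifest edited to match the modified image, without the key.
        forged = {"entries": {"web-service": sha256_file(image)},
                  "tag": sealed["tag"]}
        try:
            may_launch(image, "web-service", forged, key)
            results["forged_manifest"] = "accepted"
        except ValueError:
            results["forged_manifest"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```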
4.4. Flooding Attacks
Even though data moving between the customer and the server may be safe, attackers may opt to attack the cloud environment directly. One of the best-known attributes of cloud systems, from the clients' point of view, is that the cloud automatically scales up by starting additional service instances to meet customers' needs. This can be quite risky in the face of flooding attacks such as DoS: when a flood is aimed at a particular service in the cloud, the cloud computing operating system notices the additional requests (Popovic, 2010, 28). It starts to provide additional service instances to handle the workload; if the attacker sends further requests, the system tries to keep up with the demand by supplying more computational resources. In the end, the system may use up all of the resources in the cloud and be unable to serve normal requests from users.
Indirectly, other applications running on the same cloud hardware server as the targeted service may be affected by the excess load caused by the DoS attack (Shuai et al, 2010, 22). Once the resources of the server are close to exhausted, no resources remain available on that server. As a result, the other applications may not be in a position to offer their services to ordinary users. From an accounting point of view, the DoS attack leads to added costs for clients. A good example is Amazon Elastic Compute Cloud, which charges clients for the actual data transferred between the attacker and the service instance. Once a service instance running on Amazon EC2 has been hit by a DoS attack, additional computational resources are used and additional data is transferred between the attacker and the service. The owner of the service instance has to pay the added costs to Amazon for this unintended usage (Popovic, 2010, 28). Given that it is hard to do away with DoS attacks altogether, putting a firewall or an Intrusion Detection System (IDS) in place is effective in filtering malicious requests before they reach the server. On the other hand, the IDS may at times give misleading information to the network administrator, since it raises false alerts; it may treat regular requests as intrusive requests.
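The filtering trade-off described above, as an added example that is not part of the original paper: a per-source sliding-window rate check stands in for the IDS, and a simple requests-per-instance rule stands in for the cloud's auto-scaling. The log format, addresses (documentation ranges), thresholds and capacity figure are all constructed assumptions.

```python
import math
from collections import defaultdict, deque


def parse(line):
    """Constructed log format: '<seconds> <source> <path>'."""
    timestamp, source, _path = line.split()
    return float(timestamp), source


def flag_sources(lines, window_s, limit):
    """Sources that exceed `limit` requests within any `window_s` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for timestamp, source in sorted(parse(line) for line in lines):
        times = recent[source]
        times.append(timestamp)
        while timestamp - times[0] > window_s:
            times.popleft()  # drop requests that left the window
        if len(times) > limit:
            flagged.add(source)
    return flagged


def instances_needed(lines, blocked, per_instance):
    """Instances the scaler would start for the traffic that gets through."""
    passed = sum(1 for line in lines if parse(line)[1] not in blocked)
    return max(1, math.ceil(passed / per_instance))


def sample_log():
    """Constructed traffic: one flood, one ordinary client, one busy client."""
    lines = []
    # Flood: 200 requests in 10 seconds from a single source.
    lines += [f"{i * 0.05:.2f} 198.51.100.7 /api/render" for i in range(200)]
    # Ordinary client: one request every 12 seconds.
    lines += [f"{i * 12:.2f} 192.0.2.10 /index.html" for i in range(5)]
    # Legitimate burst: a page load fetching 30 assets in about 2 seconds.
    lines += [f"{30 + i * 0.07:.2f} 192.0.2.20 /assets/{i}.png"
              for i in range(30)]
    return lines


if __name__ == "__main__":
    log = sample_log()
    print("no filter:", instances_needed(log, set(), 50), "instances")
    for limit in (20, 50):
        blocked = flag_sources(log, window_s=10, limit=limit)
        print(f"limit {limit}: blocked {sorted(blocked)},",
              instances_needed(log, blocked, 50), "instances")
```

With the stricter limit the flood is filtered but the legitimate burst client is blocked as well, which is the false alert the paragraph warns about; the looser limit still stops the flood and keeps scaling at one instance.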
4.5. Privacy Issue
Every human being has the right to safe and private information. In the cloud, privacy depends on how the cloud is applied (Jansen, 2010, 4). The public cloud, which is accessed over the internet and shared with other clients, is a major model for cost reduction, though depending on the CSP to control client data raises privacy issues.
Lack of user control is present in the SaaS setting, where the provider is charged with management of the information. How the client retains control of its information is a matter to be assessed. It is a legal matter and a matter of trust between the clients and the vendor (Jansen, 2010, 5). Because client details are processed in the cloud, there is a threat of misuse or illegal sale.
A common privacy threat is unauthorized secondary use. In the cloud model, the service provider can profit from secondary use of clients' data. Client data is also exposed to changes in the financial situation of the CSP, such as vendor termination (Jansen, 2010, 6).
There is also trans-border data flow and data proliferation, which involves a number of organizations and is not managed by the data owners. Vendors ensure ease of use by copying information, which makes it quite hard to make sure that the duplicated data is kept safely (Jansen, 2010, 6). Since data moves around, it is quite hard to know which server or device will be used.
To manage the privacy issues in the cloud, users may be given the ability to control their own information. The data may also be encrypted so as to keep an attacker from obtaining the information held in a message (Jansen, 2010, 7). The provider ought to be aware of any new alterations that have been made, so that it is able to track the changes that take place.
Cloud computing is a modern advancement that offers simple access to highly efficient computing resources and storage infrastructure through web services. It makes effective, cost-effective and high-performance services available to states, companies, and private and personal clients. It similarly gives developing nations a special chance to come closer to the developed nations. Developing nations, a good example being Pakistan, are able to reap the benefits of cloud computing through its use in e-government. The paper has focused on the practices connected to cloud computing and the matters that challenge the application of cloud computing services in organizations. After noting these issues, it has proposed several solutions to manage the challenges and do away with the problems.
Providers and users have to take into consideration that the cloud computing system ought to be safe from threats, and there has to be cooperation between users and providers on security for the cloud. The client-plus-cloud form of computing creates a well-developed choice that is dynamic, efficient and cost-efficient for companies and clients. To obtain the complete benefit, clients have to be given genuine assurances about the privacy and security of the information that flows over the internet. Several regulatory and public-law matters are yet to be settled for computing over the internet to be successful.
Even though cloud computing is a new method that is set to change the manner in which the internet is used, there are a great number of things to be careful about. Several technologies emerge at a fast pace, every one of them bringing technological improvements and the ability to make things easier. However, one has to be careful to appreciate the security threats and the issues brought about by the use of these methods. Cloud computing is no different. The technology has the ability to be at the forefront of the advancement of a safe, virtual and economically relevant IT solution in the coming times.
Cloud computing is the most modern technology, hence a number of things are to be looked into. It has several open matters, among them scalability, elasticity, data management, reliability, performance, system advancement and economic issues. Cloud computing, which has acquired the attribute of a 'killer application', is bound to raise several issues and solutions that have to be advanced to make the technology operate successfully (Tian et al, 2010, 23). Hence the research does not stop here; a number of things have to be accomplished in the coming times. The model seen here is a first step and a number of changes are bound to be made, though it may offer the grounds for intensive studies to be undertaken on the security of cloud computing.
The mission of my business is providing security services at an affordable cost at the appropriate time.
Mission Statement
The business, which is known as HawkEye, is founded on traditional values of hard work, ethical relationships and morality.
- We are a quality-oriented company.
- We will offer the highest-quality and most reliable professional network security services available.
- We will offer among the highest wages and staff incentives so as to attract and retain the most efficient security officers, who will in turn offer our clients the finest security services available.
HawkEye Network Security offers you the best, most reliable, top-level security services that one has ever experienced.
The highest level of satisfaction is assured. This is guaranteed because HENS concentrates on providing uniformed security officers. We set the provision of service to you, our client, at the top of our priorities. We let other companies focus on investigation and repossession of properties, among other things, for other companies.
Our skills and experience are on display in the place where we are located. A number of our clients are tired of the poor service they have experienced from other security companies; however, some keep staying with the bad service because they think that all security companies are the same. HENS is out to prove that this is not true. With our 100% satisfaction guarantee, one has nothing to worry about but the challenges from their current provider.
7.1. Support Services
By serving a sizeable client base and maintaining manageable growth, HawkEye Network Security has everything but the problems that affect every security company. A number of security companies acquire new customers, introduce new services and run events with no focus on their capacity to offer support services to their customers.
At HENS, support services such as officer scheduling, uniforms, payroll and billing are not taken for granted. Flimsy support services for staff and customers bring about missed watches, discontented staff, billing mistakes and below-par client service. In general, flimsy support services amount to below-par security services.
HENS applies an integrated computerized system to organize scheduling, payment and billing so as to ensure dependability. Data is validated to make sure that clients are not over-charged or dissatisfied with the services.
Privacy of data is assured through the use of effective data encryption techniques that have a proven high level of security. The client's data is in the best hands from the time it is delivered, while it travels, until it gets to its destination, as well as in storage. In the end this leads to integrity of the client's data.
The company also undertakes a month-to-month audit and analysis of the system so as to know where the company stands in terms of security. This gives our clients the confidence they need to continue doing business with us, and attracts others.
8. Bibliography
Alvi, F., Choudary, B., Jaffery, N. and Pathan, E., n.d. A review on cloud computing security issues & challenges. Retrieved from: <http://www.pbltt2011.mfu.ac.th/download/full_paper/C3_Fizza%20Abbas-TTPBL-Full%20paper_A%20Review%20on%20cloud%20computing%20security%20issues%20and%20challenges.pdf>
Chudnov, D., 2010. A view from the clouds. Computers in Libraries, 30(3), 33-35.
Geng L; David F; Jinzy Z; Glenn D., 2009. "Cloud computing: IT as Service". IEEE Computer Society IT Professional, Vol. 11, pp. 10-13.
Jansen, W.A., 2010. "Cloud Hooks: Security and Privacy Issues in Cloud Computing". 5719001, IEEE 2011 44th Hawaii International Conference on System Sciences (HICSS), pp. 1, 4-7.
Khajeh-Hosseini, A., Sommerville, I. & Sriram, I., 2010. Cloud migration: A case study of migrating an enterprise IT system to IaaS. Paper presented at the Proceedings of the 2010 IEEE 3rd International Conference on Cloud Computing.
Mather, T., Kumaraswamy, S. & Latif, S., 2009. Cloud security and privacy. Beijing: Cambridge; O'Reilly.
Popovic K; Hocenski Z., 2010. “Cloud comp