Addressing cloud computing security issues

Post on 05-Sep-2016

<ul><li><p>Future Generation Computer Systems 28 (2012) 583–592</p>
<p>Addressing cloud computing security issues</p>
<p>Dimitrios Zissis, Dimitrios Lekkas</p>
<p>Department of Product and Systems Design Engineering, University of the Aegean, Syros, Greece</p>
<p>Article history: Received 14 May 2010; Received in revised form 11 December 2010; Accepted 13 December 2010; Available online 22 December 2010.</p>
<p>Keywords: Cloud computing security; Trusted Third Party; Public key infrastructure; Information and communication security; Trust</p>
<p>Abstract</p>
<p>The recent emergence of cloud computing has drastically altered everyone's perception of infrastructure architectures, software delivery and development models. Projecting as an evolutionary step, following the transition from mainframe computers to client/server deployment models, cloud computing encompasses elements from grid computing, utility computing and autonomic computing, into an innovative deployment architecture. This rapid transition towards the clouds has fuelled concerns on a critical issue for the success of information systems, communication and information security. From a security perspective, a number of unchartered risks and challenges have been introduced from this relocation to the clouds, deteriorating much of the effectiveness of traditional protection mechanisms. As a result the aim of this paper is twofold; firstly to evaluate cloud security by identifying unique security requirements and secondly to attempt to present a viable solution that eliminates these potential threats. This paper proposes introducing a Trusted Third Party, tasked with assuring specific security characteristics within a cloud environment. The proposed solution calls upon cryptography, specifically Public Key Infrastructure operating in concert with SSO and LDAP, to ensure the authentication, integrity and confidentiality of involved data and communications. The solution presents a horizontal level of service, available to all implicated entities, that realizes a security mesh within which essential trust is maintained.</p>
<p>0167-739X/$ - see front matter © 2010 Elsevier B.V. All rights reserved. doi:10.1016/j.future.2010.12.006</p>
<p>Corresponding author. E-mail addresses: (D. Zissis), (D. Lekkas).</p>
<p>1. Introduction</p>
<p>Throughout computer science history, numerous attempts have been made to disengage users from computer hardware needs, from time-sharing utilities envisioned in the 1960s, network computers of the 1990s, to the commercial grid systems of more recent years. This abstraction is steadily becoming a reality as a number of academic and business leaders in this field of science are spiralling towards cloud computing. Cloud computing is an innovative Information System (IS) architecture, visualized as what may be the future of computing, a driving force demanding from its audience to rethink their understanding of operating systems, client-server architectures, and browsers. Cloud computing has leveraged users from hardware requirements, while reducing overall client side requirements and complexity.</p>
<p>As cloud computing is achieving increased popularity, concerns are being voiced about the security issues introduced through the adoption of this new model. The effectiveness and efficiency of traditional protection mechanisms are being reconsidered, as the characteristics of this innovative deployment model differ widely from those of traditional architectures. In this paper we attempt to demystify the unique security challenges introduced in a cloud environment and clarify issues from a security perspective. The notion of trust and security is investigated and specific security requirements are documented. This paper proposes a security solution which leverages clients from the security burden by trusting a Third Party. The Third Party is tasked with assuring specific security characteristics within a distributed information system, while realizing a trust mesh between involved entities, forming federations of clouds. The research methodology adopted towards achieving this goal is based on software engineering and information systems design approaches. The basic steps for designing the system architecture include the collection of requirements and the analysis of abstract functional specifications.</p>
<p>2. Grid and cloud computing</p>
<p>Grid Computing emerged in the early 1990s, as high performance computers were inter-connected via fast data communication links, with the aim of supporting complex calculations and data-intensive scientific applications. Grid computing is defined as a hardware and software infrastructure that provides dependable, consistent, pervasive, and inexpensive access to high-end computational capabilities. Cloud Computing has resulted from the convergence of Grid Computing, Utility Computing and SaaS, and essentially represents the increasing trend towards the external deployment of IT resources, such as computational power, storage or business applications, and obtaining them as services [1]. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [2].</p></li>
<li><p>The name cloud computing was inspired by the cloud symbol that is often used to represent the Internet in flow charts and diagrams. A distinct migration to the clouds has been taking place over recent years with end users, bit by bit, maintaining a growing number of personal data, including bookmarks, photographs, music files and much more, on remote servers accessible via a network. Cloud computing is empowered by virtualization technology; a technology that actually dates back to 1967, but for decades was available only on mainframe systems. In its quintessence, a host computer runs an application known as a hypervisor; this creates one or more virtual machines, which simulate physical computers so faithfully that the simulations can run any software, from operating systems to end-user applications [3]. At a hardware level, a number of physical devices, including processors, hard drives and network devices, are located in datacenters, independent from geographical location, which are responsible for storage and processing needs. Above this, the combination of software layers, the virtualization layer and the management layer, allows for the effective management of servers. Virtualization is a critical element of cloud implementations and is used to provide the essential cloud characteristics of location independence, resource pooling and rapid elasticity. Differing from traditional network topologies, such as client-server, cloud computing is able to offer robustness and alleviate traffic congestion issues. The management layer is able to monitor traffic and respond to peaks or drops with the creation of new servers or the destruction of non-necessary ones. The management layer has the additional ability of being able to implement security monitoring and rules throughout the cloud. According to Merrill Lynch, what makes cloud computing new and differentiates it from Grid Computing is virtualization: Cloud computing, unlike grid computing, leverages virtualization to maximize computing power. Virtualization, by separating the logical from the physical, resolves some of the challenges faced by grid computing [4]. While Grid Computing achieves high utilization through the allocation of multiple servers onto a single task or job, the virtualization of servers in cloud computing achieves high utilization by allowing one server to compute several tasks concurrently [5]. While most authors acknowledge similarities among those two paradigms, the opinions seem to cluster around the statement that cloud computing has evolved from Grid Computing and that Grid Computing is the foundation for cloud computing. In cloud computing, the available service models are:</p>
<ul>
<li><p>Infrastructure as a Service (IaaS). Provides the consumer with the capability to provision processing, storage, networks, and other fundamental computing resources, and allows the consumer to deploy and run arbitrary software, which can include operating systems and applications. The consumer has control over operating systems, storage, deployed applications, and possibly limited control of select networking components.</p></li>
<li><p>Platform as a Service (PaaS). Provides the consumer with the capability to deploy onto the cloud infrastructure consumer-created or acquired applications, produced using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.</p></li>
<li><p>Software as a Service (SaaS). Provides the consumer with the capability to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices, through a thin client interface, such as a web browser (e.g. web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.</p></li>
</ul>
<p>Four deployment models have been identified for cloud architecture solutions, described below:</p>
<ul>
<li><p>Private cloud. The cloud infrastructure is operated for a private organization. It may be managed by the organization or a third party, and may exist on premise or off premise.</p></li>
<li><p>Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has communal concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on premise or off premise.</p></li>
<li><p>Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.</p></li>
<li><p>Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds) [2].</p></li>
</ul>
<p>Cloud computing is viewed as one of the most promising technologies in computing today, inherently able to address a number of issues. A number of key characteristics of cloud computing have been identified [6,7]:</p>
<ul>
<li><p>Flexibility/Elasticity: users can rapidly provision computing resources, as needed, without human interaction. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out or up.</p></li>
<li><p>Scalability of infrastructure: new nodes can be added or dropped from the network as can physical servers, with limited modifications to infrastructure set up and software. Cloud architecture can scale horizontally or vertically, according to demand.</p></li>
<li><p>Broad network access: capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous platforms (e.g., mobile phones, laptops, and PDAs).</p></li>
<li><p>Location independence: there is a sense of location independence, in that the customer generally has no control or knowledge over the exact location of the provided resources, but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).</p></li>
<li><p>Reliability improves through the use of multiple redundant sites, which makes cloud computing suitable for business continuity and disaster recovery.</p></li>
<li><p>Economies of scale and cost effectiveness: cloud implementations, regardless of the deployment model, tend to be as large as possible in order to take advantage of economies of scale. Large cloud deployments can often be located close to cheap power stations and in low-priced real estate, to lower costs.</p></li>
<li><p>Sustainability comes about through improved resource utilization, more efficient systems, and carbon neutrality.</p></li>
</ul>
<p>Cloud implementations often contain advanced security technologies, mostly available due to the centralization of data and universal architecture. The homogeneous resource pooled nature of the cloud enables cloud providers to focus all their security resources on securing the cloud architecture. At the same time, the automation capabilities within a cloud, combined with the large focused security resources, usually result in advanced security capabilities. Maintaining a perspicacious vision is essential in a field that is evolving exponentially. Cloud computing is not a panacea and many believe it to be a market-driven hype. Cautiousness is necessary, so as to not be carried away by the caprice of the moment. Cloud computing in its quintessence has the capability to address a number of identified deficiencies of traditional architectures due to its unique characteristics, but the adoption of this innovative architecture may introduce a number of additional uncategorized threats (Fig. 1).</p></li>
<li><p>3. Cloud computing security</p>
<p>3.1. Trust</p>
<p>Trust is not a new research topic in computer science, spanning areas as diverse as security and access control in computer networks, reliability in distributed systems, game theory and agent systems, and policies for decision making under uncertainty [8]. Perhaps the most notable example was the development of the Trusted Computer System Evaluation Criteria (TCSEC) [9] in the late 70s and early 80s. Here, trust was used in the process of convincing observers that a system (model, design or implementation) was correct and secure [10].</p>
<p>The concept of trust, adjusted to the case of two parties involved in a transaction, can be described as follows: An entity A is considered to trust another entity B when entity A believes that entity B will behave exactly as expected and required [11]. Thereinafter, an entity can be considered trustworthy if the parties or people involved in transactions with that entity rely on its credibility. In general, the concept described above can be verbally represented by the term reliability, which refers to the quality of a person or entity that is worthy of trust. Trust in the information society is built on various different grounds, based on calculus, on knowledge or on social reasons [12]. The notion of trust in an organization could be defined as the customer's certainty that the organization is capable of providing the required services accurately and infallibly. A certainty which also expresses the customer's faith in its moral integrity, in the s...</p></li></ul>