cloud computing: network/security threats and … · cloud computing: network/security threats and...

ijcrb.webs.com INTERDISCIPLINARY JOURNAL OF CONTEMPORARY RESEARCH IN BUSINESS

COPY RIGHT © 2012 Institute of Interdisciplinary Business Research

1323

JANUARY 2012 VOL 3, NO 9

CLOUD COMPUTING: NETWORK/SECURITY THREATS AND

COUNTERMEASURES

Sara Qaisar

Department of Technology Management, Faculty of Management Sciences, International Islamic University, H-10, Islamabad, Pakistan,

Kausar Fiaz Khawaja (Corresponding Author) Department of Technology Management, Faculty of Management Sciences, International Islamic University, H-10,

Islamabad, Pakistan,

Abstract:

Nowadays not just large organizations, but even small and medium size businesses are looking forward to adopt an economical computing resource for their business application, i.e. by introducing a new concept of cloud computing in their environment. Cloud computing improves organizations performance by utilizing minimum resources and management support, with a shared network, valuable resources (The NIST Definition of Cloud Computing, 2009), bandwidth, software’s and hardware’s in a cost effective manner and limited service provider dealings. Basically it’s a new concept of providing virtualized resources to the consumers. Consumers can request a cloud for services, applications, solutions and can store large amount of data from different location. But due to constantly increase in the popularity of cloud computing there is an ever growing risk of security becoming a main and top issue. Current paper proposes a back up plan required for overcoming the security issues in cloud computing.

Keywords: Cloud computing, Network issues, Security issues, Counter measures

1- Introduction:

In October 2007, Cloud computing became “popular” in the presence of other computing techniques used before (Wikipedia, 2012 a; Foster & Kesselman, 1998; Raleigh & Armonk, 2007; Naone, 2007; Reimer, 2007). The popularity was due to the partnership of IBM and Google to work under a domain ( Lohr., 2007; View, Calif & Armonk., 2007) followed by the entry of (Wikipedia, 2012b; Vouk, 2008). Cloud Computing was a new idea that uses internet and remote servers for maintaining data and applications. It offers through internet dynamic virtualized resources, bandwidth and on-demand software’s to consumers and promises the distribution of many economical benefits among its adapters. It helps consumers to reduce the usage of hardware, software license and system maintenance. Hence by using internet consumers are able to use service application on clouds (Ren & Lou, 2009). Moreover by using cloud computing consumers can get benefit in the form of cost, on-demand self services that reply rapidly, and can access broad network.

Current paper discuss in detail cloud computing, its types and Network/security issues related to it. Networks structure faces some attacks that are denial off service attack, man in the middle attack, network sniffing, port scanning, SQL injection attack, cross site scripting. Security Issues that occur in Cloud Computing are XML signature element wrapping, Browser security, cloud malware injection attack, flooding attacks, data protection, insecure or incomplete data deletion, locks in.

2- Cloud Computing

Many Organizations deal with the storing and retrieving of huge data and cloud computing helps in performing it efficiently with minimum cost, time and maximum flexibility. Besides the benefits associated with the cloud computing, there are different security issues organization has to deal with inorder to separate one cloud users data from the other inorder to maintain confidentiality/privacy, reliability and integrity (Bugiel, Nurnberger, Sadeghi, & Schneider, 2011). Moreover as cloud service provider has a complete control on the infrastructure, so security risk like manipulating or stealing of code by service provider exist (Cloud Security Alliance, 2010).



1324


Graphically network of networks i.e. Internet is shown globally as cloud. And cloud computing is referred as applications and services rendered to consumers through internet cloud. It is a paradigm shift that happened rapidly, transferring older computing techniques to a newer one. Hence nowadays internet provides different services to its consumers, and no special device or software is required to use those services. After studying 20 definitions Vaquero et al., (2009) come up with a minimum definition containing essential characteristics

“Clouds are a large pool of easily and accessible virtualized resources (such as hardware, development platforms and/or services). These resources can be dynamically re-configured to adjust to a variable load (scale), allowing also for an optimum resource utilization. This pool of resources is typically exploited by a pay-per-use model in which guarantees are offered by the infrastructure provider by means of customized service-level Agreements”

Cloud computing provides different services rather than a unit of product. These services put forwarded 3 models: software as a service (SAAS), platform as a Service (PAAS), and infrastructure as a Service (IAAS) (Iyer and Henderson, 2010; Han, 2010, Mell and Grance, 2010).

1. SAAS: it is run by cloud service provider and mostly used by organizations. It is available to users through internet.

2. PAAS: It is a tool (Windows, LINUX) used by developers for developing Websites without installing any software on the system, and can be executed without any administrative expertise.

3. IAAS: It is operated, maintained and control by cloud service providers that support various operations like storage, hardware, servers and networking.

There are four types of cloud computing models listed by NIST (2009): private cloud, public cloud, hybrid cloud and community cloud.

1. Public Cloud: it is for the general public where resources, web applications, web services are provided over the internet and any user can get the services from the cloud,. Public Organizations helps in providing the infrastructure to execute the public cloud.

2. Private Cloud: It is used by the organizations internally and is for a single organization, anyone within the organization can access the data, services and web applications but users outside the organizations cannot access the cloud. Infrastruture of private cloud are completely managed and corporate data are fully maintained by the organization itself.

3. Hybrid Cloud: The Cloud is a combination of two or more clouds (public, private and community). Basically it is an enviornment in which multiple internal or external suppliers of cloud services are used. It is being used by most of the organizations (IBM and Junipers Network, 2009).

4. Community Cloud: The cloud is basically the mixture of one or more public, private or hybrid clouds, which is shared by many organization for a single cause (mostly security).Infrastructured is to be shared by several organizations within specific community with common security, compliance objectives. It is managed by third party or managed internally.Its cost is lesser then public cloud but more than private cloud.

Figure 1: Types of Cloud Computing



1325


3- Network Issues in Cloud Computing:

There are different network issues occur in cloud computing some of which are discussed below:

3-1 Denial of Service:

When hackers overflows a network server or web server with frequent request of services to damage the network, the denial of service cannot keep up with them, server could not legitimate client regular requests. For example a hacker hijacks the web server that could stop the functionality of the web server from providing the services. In cloud computing, hacker attack on the server by sending thousands of requests to the server that server is unable to respond to the regular clients in this way server will not work properly. Counter measure for this attack is to reduce the privileges of the user that connected to a server. This will help to reduce the DOS attack. (Scarfone K, 2007)

3-2 Man in the Middle Attack:

This is another issue of network security that will happen if secure socket layer (SSL) is not properly configured. For example if two parties are communicating with each other and SSL is not properly installed then all the data communication between two parties could be hack by the middle party. Counter measure for this attack is SSL should properly install and it should check before communication with other authorized parties.

3-3 Network Sniffing:

Another type of attack is network sniffer, it is a more critical issue of network security in which unencrypted data are hacked through network for example an attacker can hack passwords that are not properly encrypted during communication. If the communication parties not used encryption techniques for data security then attacker can capture the data during transmission as a third party. Counter measure for this attack is parties should used encryption methods for securing there data.

3-4 Port Scanning:

There may be some issues regarding port scanning that could be used by an attacker as Port 80(HTTP) is always open that is used for providing the web services to the user. Other ports such as 21(FTP) etc are not opened all the time it will open when needed therefore ports should be secured by encrypted until and unless the server software is configured properly. Counter measure for this attack is that firewall is used to secure the data from port attacks. (Services, 2009)

3-5 SQL Injection Attack:

SQL injection attacks are the attacks where a hackers uses the special characters to return the data for example in SQL scripting the query end up with where clause that may be modified by adding more information in it. For example an argument value of variable y or 1==1 may cause the return of full table because 1==1is always seems to be true.

3-6 Cross Site Scripting:

It is a type of attack in which user enters right URL of a website and hacker on the other site redirect the user to its own website and hack its credentials. For example user entered the URL in address bar and attacker redirects the user to hacker site and then he will obtain the sensitive data of the user. Cross site scripting attacks can provide the way to buffer overflows, DOS attacks and inserting spiteful software in to the web browsers for violation of user’s credentials. (Yang, 2003)

Hacker site

Enter Real URL

Hacker on Sever Redirect the user

Figure 2: Cross Site Scripting



1326


4- Security Issues in Cloud Computing:

Security issues of cloud computing are discussed below:

4-1 XML Signature Element Wrapping:

XML signature Element Wrapping is the fine renowned attack for web service. It is use to defend a component name, attribute and value from illegal party but unable to protect the position in the documents. (Jamil & Zaki, 2011b) Attacker targets the component by operating the SOAP messages and putting anything that attacker like. Counter measure for this attack is using the digital certificate e.g. X.509 authorized by third party such as certificate authorities and also uses the mixture of WS-security with XML signature to a particular component. XML should have the list of components so that it can reject the messages which have malicious file and also reject the unexpected messages from the client.

4-2 Browser Security:

The second issue is Browser Security. As a client sent the request to the server by web browser the web browser have to make use of SSL to encrypt the credentials to authenticate the user.SSL support point to point communication means if there is third party, intermediary host can decrypt the data. If hacker installs sniffing packages on intermediary host, the attacker may get the credentials of the user and use in these credentials in the cloud system as a valid user. (Jensen, 2009) Counter measure for this attack is Vendor should use WS-security concept on web browsers because WS-security works in message level that use XML encryption for continuous encryption of SOAP messages which does not have to be decrypted at mediator hosts.

4-3 Cloud Malware Injection Attack:

The third issue is Cloud Malware Injection Attack, which tries to damage a spiteful service, application or virtual machine. An interloper is obligatory to generate his personal spiteful application, service or virtual machine request and put it into the cloud structure (Booth, 2004). Once the spiteful software is entered into the cloud structure, the attacker care for the spiteful software as legitimate request. If successful user ask for the spiteful service then malicious is implemented. Attacker upload virus program in to the cloud structure. Once cloud structure care for as a legitimate service the virus is implemented which spoils the cloud structure. In this case hardware damages and attacker aim is to damage the user. Once user asks for the spiteful program request the cloud throws the virus to the client over the internet. The client machine is infected by virus. Counter measure for this attack is authenticity check for received messages. Store the original image file of the request by using hash function and compare it with the hash value of all upcoming service requests. In this way attacker create a legitimate hash value to deal with cloud system or to enter into the cloud system.

4-4 Flooding Attacks:

The fourth issue is Flooding Attack. Attacker attacks the cloud system openly. The most significant feature of cloud system is to make available of vigorously scalable recourses. Cloud system repeatedly increase its size when there is further requests from clients, cloud system initialize new service request in order to maintain client requirements. Flooding attack is basically distributing a great amount of non-sense requests to a certain service. Once the attacker throw a great amount of requests, by providing more recourses cloud system will attempt to work against the requests, ultimately system consume all recourses and not capable to supply service to normal requests from user. Then attacker attacks the service server. DOS attacks cost extra fees to the consumer for usage of recourses. In an unexpected situation the owner of the service has to compensate additional money. Counter measure for this attack is it’s not easy to stop Dos Attacks. To stop from attacking the server, Intrusion detection system will filter the malicious requests, installing firewall. Occasionally intrusion detection system provides fake alerts and could mislead administrator.

4-5 Data Protection:

Data protection in cloud computing is very important factor it could be complicated for the cloud customer to efficiently check the behavior of the cloud supplier and as a result he is confident that data is handled in a legal way, but it does not like that this problem is intensify in case of various transformation of data. Counter measure for this attack is that a consumer of cloud computing should check data handle either it is handled lawfully or not.



1327


4-6 Incomplete Data Deletion:

Incomplete data deletion is too much risky in cloud computing, it does not remove completed data because replica’s of data is placed in other servers for example When a client request to remove a cloud resource then with most operating systems this will not remove accurately. Accurate data deletion is not possible because copies of data are stored in the nearest replica but are not available. (Jamil & Zaki, 2011a). Counter measure is that Virtualized private networks should use for securing the data and used the query that will remove the complete data from the main servers along with its replica’s.

4-7 Locks in:

Another issue is locks in; at this time there is a small tender in the manner of tools, standard data format or procedures, services edge that could undertake data, application and service portability. This will not enable the customer to shift from one cloud provider to another or shift the services back to home IT location. (Catteddu, 2010)

5- Conclusion:

Cloud computing is a new term that is introduced in business environment where users can interact directly with the virtualized resources and safe the cost for the consumers. Some security issues and their counter measures are discussed in this paper. It has several models to protect its data for the business users. An organization used private clouds within its organization to prevent from loss of data. Cloud computing have several deployment models that help in retrieving the information. SAAS, PAAS, IAAS are the three models for cloud computing. Security in cloud computing consist of security abilities of web browsers and web service structure.



1328


References

Booth, D. (2004). Web service architecture. Retrieved from http://www.w3.org: http://www.w3.org/TR/ws‐arch/wsa.pdf Bugiel, S., Nurnberger, S., Sadeghi, A.-R., & Schneider, T. (2011). Twin Clouds: An Architecture for Secure Cloud Computing. Workshop on Cryptography and Security in Clouds . Zurich. Catteddu, D. (2010). Cloud Computing. Retrieved from http://www.enisa.europa.eu/act/rm/files/deliverables/cloud‐computingrisk‐assessment Cloud Security Alliance (2010). Top threats to cloud computing, version 1.0. http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf . Cloud Security Alliance. (2010). Top Threats to Cloud Computing V1.0. Cloud Security Alliance (CSA). Foster, I., & Kesselman, C. (1998). The Grid: Blueprint for a New Computing Infrastructure (The Elsevier Series in Grid Computing). Morgan Kaufmann. Han Y (2010). On the clouds: a new way of computing. Inf Technol Libr, Vol. 29 No. 2, pp: 87-92. Iyer B, Henderson JC (2010). Preparing for the future: understanding the seven capabilities of cloud computing. MIS Q Exec; Vol. 9 No. 2, pp:117-131. Jamil, D., & Zaki, H. (2011a). cloud computing security. International Journal of Engineering Science and Technology (IJEST) , Vol.3 No.4, 3478-3483. Jamil, D., & Zaki, H. (2011b). SECURITY ISSUES IN CLOUD COMPUTING AND COUNTER MEASURES. International Journal of Engineering Science and Technology (IJEST) , Vol. 3 No. 4, 2672-2676. Jensen, M. (2009, September). On Technical Security Issues in Cloud Computing. IEEE International Conference in Cloud Conouting , 109-116. Lohr, S. (2007, October 8). Google and I.B.M. Join in ‘Cloud Computing’ Research. Retrieved 1 28, 2012, from The Newyork Times: http://www.nytimes.com/2007/10/08/technology/08cloud.html Mell P, Grance T (2010). The NIST definition of cloud computing. Commun ACM; Vol. 53 No. 6, pp:50. NAONE, E ( 2007, September 18). Computer in the Cloud. Retirived 1 24, 2012, from Technology Review, MIT: http://www.technologyreview.com/printerfriendlyarticle.aspx?id=19397

Peter Mell and Tim Grance, (2009)The NIST Definition of Cloud Computing, version 15, National Institute of Standards and Technology (NIST), Information Technology Laboratory (www.csrc.nist.gov).

RALEIGH, NC & ARMONK, NY (2007, May 7). North Carolina State University and IBM help bridge digital divide in North Carolina and beyond. Retrived 1 27,2012, from IBM: http://www‐03.ibm.com/press/us/en/pressrelease/21506.wss REIMER, J (2007, April 8). Dreaming in the “Cloud” with the XIOS web operating system. Retrived 1 24, 2012, from ars technical: http://arstechnica.com/news.ars/post/20070408‐dreaming‐in‐the‐cloud‐with‐the‐xios‐web‐operating‐system.html Ren, K., & Lou, W. (2009). Ensuring Data Storage Security in Cloud Computing. Retrieved from http://www.ece.iit.edu/~ubisec/IWQoS09.pdf Scarfone K, S. A. (2007). Guide to Secure Web Services. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf Services, A. W. (2009, April). Amazon Virtual private Cloud. Retrieved from http://aws.amazon.com/vpc/ Vaquero LM, Rodero-Merino L, Caceres J, Lindner M (2009). A break in the clouds: towards a cloud definition. ACM SIGCOMM Comput Commun, Vol. 39 No. 1, pp:50-55. View, M. Calif & Armonk. (2007, October 8). Google and IBM Announced University Initiative to Address Internet-Scale Computing Challenges. Retrieved 1 28, 2012, from IBM: http://www-03.ibm.com/press/us/en/pressrelease/22414.wss View, M. Calif & Armonk. (2007, October 8). Google and IBM Announced University Initiative to Address Internet-Scale Computing Challenges. Retrieved 1 28, 2012, from IBM: http://www-03.ibm.com/press/us/en/pressrelease/22414.wss



1329


Vouk, M. (2008). Cloud Computing-Issues, Research and Implication. "Journal of Computing and Information Technology - CIT" , Vol. 16 No.4, pp. 235–246. Wikipedia (2012a, January 26). Amazon Elastic Compute Cloud Retrived 1 27, 2012, from Wikimedia Foundation Inc. http://en.wikipedia.org/wiki/Amazon_Elastic_Compute_Cloud. Wikipedia (2012b, January 27). Cloud Computing Retrieved 1 28, 2012, from Wikimedia Foundation Inc. http://en.wikipedia.org/wiki/Cloud_computing Yang, A. (2003). Guide to XML Web Services Security. Retrieved from http://www.cgisecurity.com/ws/WestbridgeGuideToWebServicesSecurity.pdf

cloud computing: network/security threats and … · cloud computing: network/security threats and...

Documents