Post on 09-May-2015


Page 1: Cloud security

ISSR

Cloud Computing Security

A project submitted in partial fulfillment of the requirements for the degree of Pre-Master of Information System

Project team:
Rania Ele Sawy Abd El Rahim
Mohamed Talaat Rashed Shalash
Maged Mohamed Farid Elwakil

Under supervision: Dr. Ashraf Abd Elhady

Cairo 2012


Document Version History

Ver. No. | Ver. Date | Prepared By | Reviewed By | Description
---------|-----------|-------------|-------------|------------
1.0.0 | 12-4-2012 | Mohamed Shalash, Rania Ele Sawy, Maged Elwakil | | Initial Document
1.0.1 | 2-5-2012 | Rania Ele Sawy, Mohamed Shalash, Maged Elwakil | Dr. Ashraf Abd Elhady |
1.0.2 | 17-5-2012 | Maged Elwakil | | Security models
1.1.0 | 29-5-2012 | Rania Ele Sawy, Mohamed Shalash, Maged Elwakil | | Introduction, Security models, Cloud Security Definitions, Security Threats
1.1.1 | 1-6-2012 | Rania Ele Sawy, Mohamed Shalash | | Security models, Security threats
1.1.2 | 4-6-2012 | Rania Ele Sawy, Mohamed Shalash, Maged Elwakil | Ashraf Abd Elhady |


Acknowledgement

On behalf of the Institute of Statistical Studies and Research, Cairo University, and on our own behalf, we would like to express our profound thanks and gratitude to all the respected professors, in particular Dr. ASHRAF ABD ELHADY, who guided us through the preparation of this research.

We would also like to express our appreciation of the 2nd Republic and its spirit, which inspired the Egyptians to move towards the modernization, establishment and democracy of a new EGYPT.


Abstract

Cloud computing has recently emerged as a new paradigm for hosting and delivering services over the Internet. It is attractive to business owners because it removes the need to plan ahead for provisioning and allows enterprises to start small and add resources only when service demand rises. Cloud computing is becoming increasingly popular, including with large companies, because it lets them share valuable resources in a cost-effective way. As demand for clouds grows, the security of those clouds becomes a major concern. This research looks at the ways in which security threats endanger cloud computing and how they can be avoided.


Table of Contents

1.1 Introduction
1.2 History of Cloud Computing
1.3 Glossary & Key terms
1.4 Cloud Computing Goals and Objectives
2.1 Background
2.2 Cloud Security Considerations
    Remote attestation
2.3 Security Threats
    High risk in cloud security
2.4 Malware
    Viruses
    Worms
    Trojan horse
2.5 Web application and data security risk
    Injection
    Security misconfiguration
    Insecure cryptographic storage
2.6 Threat mitigation
    Symmetric cryptography
    Asymmetric cryptography
    Network intrusion detection system
3.1 Governance
3.2 Compliance
    Law and Regulations
    Electronic Discovery
3.3 Trust
    Insider Access
    Data Ownership
    Composite Service
    Visibility
    Risk Management
3.4 Architecture
    Attack Surface
    Virtual Network Protection
    Ancillary Data
    Client-Side Protection
    Server-Side Protection
3.5 Identity and Access Management
    Authentication
    Access Control
3.6 Software Isolation
    High degrees of multi-tenancy over large numbers of platforms are needed for cloud computing
    Hypervisor Complexity
    Attack Vectors
    Data Isolation
    Data Sanitization
Model 1: Private Virtual Infrastructure model (PVI)
Model 2: Cloud computing data security with the analysis of HDFS architecture
Model 3: Towards Achieving Accountability, Auditability and Trust in Cloud Computing
Model 4: Towards Trusted Cloud computing model: Trusted Cloud Computing platform (TCCP)
References

Chapter one: Introduction

1.1 Introduction:

In the past, companies had to invest heavily in technology up front, which made it difficult for small and new companies to acquire the equipment they needed to reach their business goals. Services such as cloud computing largely offset that up-front cost, since companies lease what they need from month to month; as the need grows, the amount leased grows with it, so computing costs can be adjusted at any point in time. The trend is increasingly to buy IT as a service instead of owning the devices and applications and maintaining dedicated support groups. Cloud computing is a collection of technologies and practices that allow computing to be delivered across many computers, with capacity available as needed and billed according to actual usage. The shift is so large that it affects not only business models but also the underlying architecture of how applications are developed, deployed, run, secured and delivered.

Cloud computing is a technology that uses the Internet and central remote servers to maintain data and applications. It allows consumers and businesses to use applications without installing them and to access their personal files from any computer with Internet access.

Cloud computing security is one of the biggest issues in the IT industry today. Can a cloud provider manage potentially millions of customers? That scale is itself a massive security challenge: many people worry that cloud providers will not be able to cope with it, and that the infrastructure will not scale properly while keeping large amounts of information and data secure.

Privacy matters to organizations, especially when individuals' personal or sensitive information is being stored, and it is not yet fully understood whether cloud infrastructure can hold sensitive information without exposing the organization to breaches of privacy regulations. Many believe that cloud authorization systems are not robust enough when as little as a username and password grants access to the system; in many clouds usernames are very similar to each other, which weakens those measures further. If private or sensitive information is stored in a cloud, there is a real chance that someone could tamper with it. Customers will use cloud computing and store their information in it only if the cloud providers can be trusted.

Figure: Layered architecture of Cloud Computing

Three well-known and frequently used service models are the following:

Software-as-a-Service (SaaS) is a model of software deployment whereby one or more applications and the computational resources to run them are provided for use on demand as a turnkey service. Its main purpose is to reduce the total cost of hardware and software development, maintenance, and operations. Security provisions are carried out mainly by the cloud provider. The cloud subscriber does not manage or control the underlying cloud infrastructure or individual applications, except for preference selections and limited administrative application settings.

Platform-as-a-Service (PaaS) is a model of software deployment whereby the computing platform is provided as an on-demand service upon which applications can be developed and deployed. Its main purpose is to reduce the cost and complexity of buying, housing, and managing the underlying hardware and software components of the platform, including any needed program and database development tools. The development environment is typically special purpose, determined by the cloud provider and tailored to the design and architecture of its platform. The cloud subscriber has control over applications and application environment settings of the platform. Security provisions are split between the cloud provider and the cloud subscriber.

Infrastructure-as-a-Service (IaaS) is a model of software deployment whereby the basic computing infrastructure of servers, software, and network equipment is provided as an on-demand service upon which a platform to develop and execute applications can be established. Its main purpose is to avoid purchasing, housing, and managing the basic hardware and software infrastructure components, obtaining those resources instead as virtualized objects controllable via a service interface. The cloud subscriber generally has broad freedom to choose the operating system and development environment to be hosted. Security provisions beyond the basic infrastructure are carried out mainly by the cloud subscriber.

Figure 1 Showing layers of the cloud delivery model

PaaS provides an Integrated Development Environment (IDE) together with data security, backup and recovery, application hosting, and a scalable architecture.

Figure 2 The concept of Platform as a Service

Cloud Models

There are three main types of cloud deployment model: public, private and hybrid clouds.

Figure3 Public, Private, and Hybrid cloud deployment model

Public Clouds

Public clouds are the most common type of cloud. Here multiple customers access web applications and services over the Internet. Each customer has its own resources, dynamically provisioned by a third-party vendor. This vendor hosts the cloud for multiple customers from multiple data centers (see Figure 4.a), manages all the security, and provides the hardware and infrastructure for the cloud to operate. The customer has no control over or insight into how the cloud is managed or what infrastructure is available.

Figure 4. a. Public cloud deployment model

Private Clouds

Private clouds emulate the concept of cloud computing on a private network. They give users the benefits of cloud computing without some of its pitfalls: private clouds grant complete control over how data is managed and what security measures are in place, which gives users more confidence and control. The major drawback of this deployment model is the large expenditure involved, since users have to buy the infrastructure to run the cloud and also have to manage the cloud themselves.

Hybrid Clouds

Hybrid clouds incorporate both public and private clouds (see Figure 4.b) within the same network, allowing an organization to benefit from both deployment models. For example, an organization could hold sensitive information in its private cloud and use the public cloud for handling large traffic and demanding situations.

Figure 4.b. Hybrid cloud deployment model

Comparing Cloud Deployment Models

Public cloud computing is one of several deployment models that have been defined. A public cloud is one in which the infrastructure and other computational resources that it comprises are made available to the general public over the Internet. It is owned by a cloud provider selling cloud services and, by definition, is external to an organization. At the other end of the spectrum are private clouds. A private cloud is one in which the computing environment is operated exclusively for an organization. It may be managed either by the organization or a third party, and may be hosted within the organization's data center or outside of it. A private cloud gives the organization greater control over the infrastructure and computational resources than does a public cloud.

Two other deployment models that fall between public and private clouds are community clouds and hybrid clouds. A community cloud is somewhat similar to a private cloud, but the infrastructure and computational resources are shared by several organizations that have common privacy, security, and regulatory considerations, rather than for the exclusive use of a single organization. A hybrid cloud is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables interoperability. Just as the different deployment models affect an organization’s scope and control over the computational environment of a cloud, so too does the service model supported by the cloud affect them.

Figure 5 illustrates the differences in scope and control between the cloud subscriber and cloud provider, for each of the service models discussed above. Five conceptual layers of a generalized cloud environment are identified in the center diagram and apply to public clouds, as well as each of the other deployment models. The arrows at the left and right of the diagram denote the approximate range of the cloud provider’s and user’s scope and control over the cloud environment for each service model. In general, the higher the level of support available from a cloud provider, the more narrow the scope and control the cloud subscriber has over the system.

The two lowest layers shown denote the physical elements of a cloud environment, which are under the full control of the cloud provider, regardless of the service model. Heating, ventilation, air conditioning (HVAC), power, communications, and other aspects of the physical plant comprise the lowest layer, the facility layer, while computers, network and storage components, and other physical computing infrastructure elements comprise the hardware layer.

The remaining layers denote the logical elements of a cloud environment. The virtualized infrastructure layer entails software elements, such as hypervisors, virtual machines, virtual data storage, and supporting middleware components used to realize the infrastructure upon which a computing platform can be established. While virtual machine technology is commonly used at this layer, other means of providing the necessary software abstractions are not excluded.


Similarly, the platform architecture layer entails compilers, libraries, utilities, and other software tools and development environments needed to implement applications. The application layer represents deployed software applications targeted towards end-user software clients or other programs, and made available via the cloud.

Figure 5 Differences in scope and control between the cloud subscriber and cloud provider, for each of the service models

Some have argued that the distinction between IaaS and PaaS is fuzzy, and in many commercial offerings, the two are more alike than different. Nevertheless, these terms do serve a purpose, distinguishing between very basic support environments and environments having greater levels of support, and accordingly different allocations of control, security and responsibility between the cloud subscriber and the cloud provider.

While cloud computing can be implemented exclusively for an organization as a private internal cloud, its main thrust has been to provide a vehicle for outsourcing parts of that environment to an outside party as a public cloud. As with any outsourcing of information technology services, concerns exist about the implications for computer security and privacy. The main issue centers on the risks associated with moving important applications or data from within the boundaries of the organization's computing center to that of another organization (i.e., a public cloud), which is readily accessible by the general public. Reducing cost and increasing efficiency are primary motivations for moving towards a public cloud, but reducing responsibility for security should not be. Ultimately, the organization is accountable for the overall security of the outsourced service. Monitoring and addressing security issues that arise remain in the purview of the organization, as does oversight over other important issues such as performance and availability. Because cloud computing brings with it new security challenges, it is essential for an organization to oversee and manage how the cloud provider secures and maintains the computing environment and ensures data is kept secure.

Cloud security requires total situational awareness of the threats to the network, infrastructure and information. One of the biggest advantages of the cloud's utility is also its biggest security weakness. Abstraction allows the cloud to be pervasive and removes knowledge of the underlying fabric of processors, storage, and networking; but without knowledge of that fabric, an information owner's understanding of how to secure their applications and information becomes very complex. Many of the security principles used today to secure datacenters and networks rely on the information owner's ability to manage the underlying fabric of servers, routers, firewalls, and intrusion detection devices, to understand when attacks are occurring, and to respond to threats by shutting down access to resources and isolating the pieces of the fabric that are under attack.

In a cloud, traditional security methodologies do not work as the service providers cannot allow information owners, or clients, to manipulate the security settings of the fabric. If this were allowed, it would be possible for one client to change security settings illicitly in their favor, or change security settings of other clients maliciously. This situation is unacceptable since the information owner cannot manage the security posture of their computing environment. Therefore, a security model is needed that allows for an information owner to protect their data while not interfering with the privacy of other information owners within the cloud.

The cloud requires a model for handling security, one that is shared between operators and clients. Operators need to give clients visibility into the security posture of the fabric while maintaining control. The clients need to have assurance that they can control the privacy and confidentiality of their information at all times, and assurance that, if needed, they can remove, destroy, or lock down their data at any time.

A method of combining the requirements of the user and the provider is to let clients control the security posture of their applications and virtual machines while the service provider controls the security of the fabric. This gives a symbiotic security stance that can be very powerful, provided both parties hold up their end of the agreement.

Cloud service providers believe that encryption can help with many of these security issues, but the benefits of encryption come with pitfalls:

1. Encryption can be processor intensive.

2. Encryption is not always foolproof as a way of protecting data: when something goes wrong (a lost or corrupted key, a corrupted ciphertext) the data cannot be decrypted, leaving it unusable for both the customer and the cloud service provider.

3. The cloud's resources can also be abused because cloud providers reassign IP addresses. Once a customer no longer needs an IP address, it becomes available, after a period of time, for another customer to use.

4. Reusing IP addresses saves the cloud provider money, since it needs fewer of them, so it is in the provider's interest to reuse them. A large pool of previously used addresses, however, leaves the provider open to abuse of its resources.
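One consequence of address reuse that a tenant can check for itself is a DNS record still pointing at an address it has released: whoever is allocated that address next receives the traffic (and any credentials or cookies) meant for the old service. The Go program below, added here as an illustration and not part of the original project, flags such records in a zone export. The record names, the addresses (RFC 5737 documentation ranges) and the provider pool are constructed sample data.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// DNSRecord is one A record from a tenant's zone export (constructed sample data below).
type DNSRecord struct {
	Name string
	IP   string
}

// FindDanglingRecords returns the records whose address lies inside the
// provider's address pool (so it can be handed to another tenant) but is no
// longer among the addresses this tenant holds. Addresses outside the pool are
// ignored: a record pointing at on-premises equipment is unaffected by cloud
// IP reuse. The result is sorted by name so output is stable.
func FindDanglingRecords(records []DNSRecord, owned []string, providerPool []string) ([]DNSRecord, error) {
	var pool []*net.IPNet
	for _, cidr := range providerPool {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, fmt.Errorf("bad provider CIDR %q: %w", cidr, err)
		}
		pool = append(pool, n)
	}
	held := make(map[string]bool, len(owned))
	for _, ip := range owned {
		held[ip] = true
	}
	var dangling []DNSRecord
	for _, r := range records {
		ip := net.ParseIP(r.IP)
		if ip == nil {
			return nil, fmt.Errorf("record %s has invalid address %q", r.Name, r.IP)
		}
		inPool := false
		for _, n := range pool {
			if n.Contains(ip) {
				inPool = true
				break
			}
		}
		if inPool && !held[r.IP] {
			dangling = append(dangling, r)
		}
	}
	sort.Slice(dangling, func(i, j int) bool { return dangling[i].Name < dangling[j].Name })
	return dangling, nil
}

// SampleFindings runs the check over constructed data: a zone with three
// records, the one address still allocated to the tenant, and the provider's
// range. The released staging address is the only finding.
func SampleFindings() ([]DNSRecord, error) {
	records := []DNSRecord{
		{"api.example.test", "203.0.113.10"},
		{"old-staging.example.test", "203.0.113.77"}, // instance released; address back in the pool
		{"vpn.example.test", "198.51.100.5"},         // on-premises address, outside the provider pool
	}
	owned := []string{"203.0.113.10"}
	pool := []string{"203.0.113.0/24"}
	return FindDanglingRecords(records, owned, pool)
}

func main() {
	findings, err := SampleFindings()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("DANGLING %s -> %s: address released to the provider pool; remove the record or re-acquire the address\n", f.Name, f.IP)
	}
}
```

In practice the three inputs come from the DNS provider's zone export, the cloud provider's inventory API and the provider's published address ranges; the check is worth running on every instance or load-balancer release, not only periodically.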

1.2 History of Cloud Computing

Cloud computing history can be traced back to the early years of computing. One of the first computer concepts was interconnection. Naturally, once two computers are connected, the next step is for them to share resources and form supercomputers. From there the idea gradually evolved through grid computing and virtualization to today's highly complex cloud computing technology. After years of testing and debugging, final versions of this technology reached production environments and commercialization began. Utility companies deliver water, gas, and electricity as commodity services to every home and business connected to their "public" infrastructure. These utility services are provided on demand and on a pay-as-you-use basis. Today the same can be true of processing power, bandwidth, data storage, and enterprise software services.

How can IT be supplied as a utility and outsourced? The essential motivation is to separate the services: this allows customers to use variable amounts of different environments, as their business needs change, without making any capital investment. The use of IT becomes an operating expense ("opex") rather than a capital expense ("capex"). That also frees the use of systems from being tied to depreciation cycles.

A number of new paradigms (see Table 1) and terms related to distributed computing have been introduced, promising to deliver IT as a service: cloud computing, edge computing, grid computing and utility computing.

Table 1 Computing Paradigms

New Computing Paradigms:

- Cloud computing
- Edge computing
- Grid computing
- Utility computing

New Services:

- Software as a Service (SaaS)
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Service-Oriented Architecture (SOA)

New or enhanced Features:

- Ubiquitous access
- Reliability
- Scalability
- Virtualization
- Exchangeability / Location independence
- Cost-effectiveness

It is difficult to draw lines between these paradigms: some commentators say that grid, utility and cloud computing refer to the same thing; others believe there are only subtle distinctions among them, while others claim they refer to completely different phenomena. There are no clear or standard definitions, and it is likely that vendor A describes the feature set of its cloud solution differently from vendor B.

1.3 Glossary & Key terms

opex: operating expense
capex: capital expense
SaaS: Software as a Service
PaaS: Platform as a Service
IaaS: Infrastructure as a Service
SOA: Service Oriented Architecture
NIST: National Institute of Standards and Technology
TPM: Trusted Platform Module
SSL: Secure Sockets Layer
UDDI: Universal Description, Discovery and Integration
DDoS: distributed denial of service attack
SOAP: Simple Object Access Protocol
WSDL: Web Service Description Language
CP: Cloud Provider
LSASS: Local Security Authority Subsystem Service
DES: Data Encryption Standard
AES: Advanced Encryption Standard
RSA: Rivest-Shamir-Adleman
DSA: Digital Signature Algorithm (distinct from Diffie-Hellman key exchange)
SAML: Security Assertion Markup Language
PVI: Private Virtual Infrastructure
TVD: Trusted Virtual Datacenter
vTPM: virtual Trusted Platform Module
LoBot: Locator Bot
HDFS: Hadoop Distributed File System
GFS: Google File System
IE: Internet Explorer
CALC: Cloud Accountability Life Cycle
TCCP: Trusted Cloud Computing Platform
TCG: Trusted Computing Group
TC: Trusted Coordinator
Hadoop: open source software that enables distributed parallel processing of huge amounts of data across inexpensive, commodity servers.
HBase: the Hadoop database. HBase is an open-source, distributed, versioned, column-oriented store modeled after Google's Bigtable, providing real-time read/write access to Big Data and hosting of very large tables.
POSIX: Portable Operating System Interface (the X comes from Unix). POSIX is a set of standards codified by the IEEE, establishing a set of guidelines for operating system vendors to follow.

1.4 Cloud Computing Goals and Objectives

Cloud computing has been defined by NIST as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction. Cloud computing can be considered a new computing paradigm insofar as it allows the utilization of a computing infrastructure at one or more levels of abstraction, as an on-demand service made available over the Internet or other computer network. Because of the implications for greater flexibility and availability at lower cost, cloud computing has been receiving a good deal of attention lately.

Cloud computing services benefit from economies of scale achieved through versatile use of resources, specialization, and other practicable efficiencies. However, cloud computing is an emerging form of distributed computing that is still in its infancy. The term itself is often used today with a range of meanings and interpretations. Much of what has been written about cloud computing is definitional, aimed at identifying important paradigms of use and providing a general taxonomy for conceptualizing important facets of service.

Chapter two: Cloud computing and Cloud Security Definitions, Security Threats or attacks

2.1 Background

Virtual servers are created instantaneously in the cloud and put to use at once. In a public cloud the customers' data is kept on the provider's premises, so privacy is a real concern: there is no guarantee that illegitimate eyes cannot reach that sensitive information. Furthermore, because many services are deployed over the Internet through virtual servers using software as a service (SaaS), there is a risk of malware infection and hacker penetration. A compromised web server can be used to spread a malicious URL (uniform resource locator) link and redirect requests to a fake page from which malicious code is downloaded in order to infect and take control of the visiting machines.

2.2 Cloud Security Considerations

Service providers typically do not have access to the physical security systems of the data centers they run on, so they must rely on the infrastructure provider to achieve full data security. Even for a virtual private cloud, the service provider can only specify the security settings remotely, without knowing whether they are fully implemented.

The infrastructure provider must therefore achieve the following objectives:

1. Confidentiality, for secure data access and transfer.

2. Auditability, for attesting whether the security settings of applications have been tampered with or not.

Confidentiality is usually achieved using cryptographic protocols, while auditability can be achieved using remote attestation techniques.

Remote attestation: Typically requires a trusted platform module (TPM) to generate a non-forgeable system summary as proof of the system's state. The summary is a digest of the measured software (the TPM's platform configuration registers) signed with a private attestation key that never leaves the TPM, so a host that has not measured exactly that software cannot produce it. The verifier supplies a fresh nonce that the TPM includes in the signed summary, so an old summary cannot be replayed. It is critical to build trust mechanisms at every architectural layer of the cloud.
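An illustration of that exchange, added here and not part of the original project: the verifier challenges a host with a fresh nonce, the host's TPM answers with its PCR value and a signature over PCR and nonce, and the verifier checks the signature against the attestation public key and the PCR against a value replayed from a known-good measurement list. Ed25519 stands in for the TPM's attestation key (a real TPM would use RSA or ECC), SHA-256 for the PCR extend operation, and the component names are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// extend mimics a TPM PCR update: the register is never set, only hashed
// forward, so the final value commits to every measurement in order.
func extend(pcr, measurement []byte) []byte {
	h := sha256.New()
	h.Write(pcr)
	h.Write(measurement)
	return h.Sum(nil)
}

// GoldenPCR replays a measurement list to obtain the PCR value it produces;
// the verifier uses it on the known-good boot chain.
func GoldenPCR(components []string) []byte {
	pcr := make([]byte, sha256.Size)
	for _, c := range components {
		pcr = extend(pcr, []byte(c))
	}
	return pcr
}

// Quote is the prover's answer: PCR value, the verifier's nonce, and a signature over both.
type Quote struct {
	PCR, Nonce, Sig []byte
}

// quoteMessage is the exact byte string the attestation key signs (constructed format).
func quoteMessage(pcr, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("TPM-QUOTE-v1"))
	h.Write(pcr)
	h.Write(nonce)
	return h.Sum(nil)
}

// Prover stands in for a cloud host with a TPM holding the attestation key.
type Prover struct {
	pcr []byte
	aik ed25519.PrivateKey
}

func NewProver(aik ed25519.PrivateKey, booted []string) *Prover {
	return &Prover{pcr: GoldenPCR(booted), aik: aik}
}

// Quote binds the current PCR to the nonce the verifier just sent.
func (p *Prover) Quote(nonce []byte) Quote {
	return Quote{PCR: append([]byte{}, p.pcr...), Nonce: nonce, Sig: ed25519.Sign(p.aik, quoteMessage(p.pcr, nonce))}
}

// Verify checks freshness (our nonce), origin (known attestation key) and
// integrity (PCR equals the golden value), in that order.
func Verify(q Quote, nonce []byte, aikPub ed25519.PublicKey, golden []byte) error {
	if !bytes.Equal(q.Nonce, nonce) {
		return errors.New("nonce mismatch: stale or replayed quote")
	}
	if !ed25519.Verify(aikPub, quoteMessage(q.PCR, q.Nonce), q.Sig) {
		return errors.New("bad signature: quote was not produced by the trusted TPM")
	}
	if !bytes.Equal(q.PCR, golden) {
		return errors.New("PCR mismatch: host runs software that differs from the known-good image")
	}
	return nil
}

func freshNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Scenario runs the exchange against a clean host, a host with a modified
// hypervisor, and an attacker replaying an old quote; it returns each verdict.
func Scenario() (clean, tampered, replayed error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	known := []string{"firmware-1.4", "bootloader-2.0", "hypervisor-3.1"}
	golden := GoldenPCR(known)

	n1 := freshNonce()
	q1 := NewProver(priv, known).Quote(n1)
	clean = Verify(q1, n1, pub, golden)

	bad := NewProver(priv, []string{"firmware-1.4", "bootloader-2.0", "hypervisor-3.1-backdoored"})
	n2 := freshNonce()
	tampered = Verify(bad.Quote(n2), n2, pub, golden)

	n3 := freshNonce() // the attacker kept q1 and answers a later challenge with it
	replayed = Verify(q1, n3, pub, golden)
	return
}

func main() {
	clean, tampered, replayed := Scenario()
	fmt.Println("clean host:    ", clean)
	fmt.Println("tampered host: ", tampered)
	fmt.Println("replayed quote:", replayed)
}
```

The order of the checks matters: the nonce and signature are verified before the PCR is compared, so a forged or replayed quote is rejected without the verifier ever trusting the PCR bytes it carries.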


2.3 Security ThreatsCloud computing and web services run on a network structure so they are open to network type attacks:

1. Distributed denial of service (DDoS) attacks. If an attacker could hijack a server, the attacker could stop the web services from functioning and demand a ransom to put the services back online. The use of SYN cookies and limiting the number of users connected to a server both help to stop a DDoS attack.

2. Man in the middle attack. If the secure sockets layer (SSL) is incorrectly configured, client and server authentication may not behave as expected, leading to man in the middle attacks.

3. Network sniffing. With a packet sniffer an attacker can capture sensitive data if it is unencrypted, such as passwords and web service security configuration files such as the UDDI (Universal Description, Discovery and Integration), SOAP (Simple Object Access Protocol) and WSDL (Web Service Description Language) files.

4. Port scanning. Port 80 is always open because it is the port the web server listens on. However, traffic on this port can easily be encrypted, and as long as the server software is configured correctly there should be no intrusion.
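The SYN cookies mentioned under threat 1, worked through as an added example (not code from the project): a simplified version of the scheme used in Linux and BSD kernels, with a constructed server secret. The server stores nothing for a half-open connection, so a flood of SYNs cannot exhaust its connection table.

```python
"""SYN cookies: a stateless mitigation for SYN-flood DDoS. Example added for
this page (not from the original project); simplified from the kernel schemes."""
import hashlib
import hmac
import time

# Constructed server secret; a real implementation rotates it periodically.
SERVER_SECRET = b"constructed-demo-secret"

# The SYN-ACK cannot carry TCP options when no state is kept, so the client's
# maximum segment size is encoded as a 2-bit index into this table.
MSS_TABLE = [536, 1220, 1440, 1460]


def _tick(now: float) -> int:
    """Coarse 64-second time counter, kept to 5 bits inside the cookie."""
    return (int(now) >> 6) & 0x1F


def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick) -> int:
    """25-bit keyed hash over the 4-tuple, the client's ISN and the tick."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{tick}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFFF


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss_index, now=None):
    """Server initial sequence number placed in the SYN-ACK.
    Layout: [5 bits tick][2 bits MSS index][25 bits MAC]. Nothing is stored
    server-side, so a flood of half-open SYNs costs only the SYN-ACK replies."""
    now = time.time() if now is None else now
    tick = _tick(now)
    mac = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick)
    return (tick << 27) | ((mss_index & 0x3) << 25) | mac


def validate_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now=None):
    """Check the handshake's final ACK. Returns the MSS to use for the new
    connection, or None if the cookie is forged, stale or for another flow."""
    now = time.time() if now is None else now
    cookie = (ack - 1) & 0xFFFFFFFF          # ack = server ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF      # seq = client ISN + 1
    tick = cookie >> 27
    mss_index = (cookie >> 25) & 0x3
    mac = cookie & 0x1FFFFFF
    # Accept the current tick and the previous one only (about two minutes).
    if (_tick(now) - tick) & 0x1F > 1:
        return None
    expected = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick)
    if not hmac.compare_digest(mac.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return None
    return MSS_TABLE[mss_index]
```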

High risk in cloud security

5. Loss of governance. In using cloud infrastructures, the client necessarily cedes control to the cloud provider (CP) on a number of issues which may affect security.

6. Lock-in. There is currently little on offer in the way of tools, procedures, standard data formats or service interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another, or to migrate data and services back to an in-house IT environment. This introduces a dependency on a particular CP for service provision, especially if data portability, as the most fundamental aspect, is not enabled.


7. Insecure or incomplete data deletion. When a request to delete a cloud resource is made, as with most operating systems, this may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a customer perspective), either because extra copies of the data are stored but are not available, or because the disk to be destroyed also stores data from other clients. In the case of multiple tenancies and the reuse of hardware resources, this represents a higher risk to the customer than with dedicated hardware.

2.4 Malware

Viruses

A virus is malicious code which makes copies of itself and distributes those copies to other files and programs. It needs user interaction to propagate. When viruses infect a program, they propagate to infect other programs on the system and other systems that use the common infected program. Viruses can also infect the MBR (master boot record) of the hard drive or of removable media. The master boot record of a hard drive is the unique location on the disk where the computer's basic input/output system can locate and load the boot program. If there is an infected disk in the drive when the computer boots, the virus can be loaded into memory. Viruses also exploit the vulnerabilities of application documents such as word processing files and spreadsheets. Those document formats support macro programming languages, and attackers take advantage of those capabilities. Macro viruses spread from applications that use macros, such as Microsoft Office documents. Email viruses travel as attachments to email messages. They replicate by automatically mailing themselves to people in the victim's address book. Most viruses are fairly harmless and sometimes the user might not notice them for years. The first virus able to hide without being discovered was called Brain. The Brain stealth virus hides itself in memory by intercepting the DOS system calls that would normally detect the virus, causing them to report that the virus is absent.


Worms

A computer worm is a program that executes and reproduces independently and travels across network connections. It takes advantage of known vulnerabilities to spread. There are two types of worms: network service worms and mass mailing worms. Network service worms exploit common vulnerabilities found in a network service associated with an operating system or an application. Once they have exploited the targeted service on a system, they look for other possible systems on the same network by scanning. An example of such a worm is Sasser, which uses Server Message Block (SMB) and the Local Security Authority Subsystem Service (LSASS) in Windows to spread. Mass mailing worms infect systems by searching for email addresses and sending a copy of themselves to those addresses; usually they use the system's email client. Because they travel over the network services embedded in most software, computer worms can penetrate firewalls and other computer security measures.

Trojan horse

A Trojan horse is an application which appears to be useful and is downloaded from the Internet, but is in fact malware. Trojans do not spread by themselves and are separated into two parts: the server and the controlled computer. When the malicious program is loaded into the memory of the host, the attacker can take control of the computer by sending commands. The client disguises itself and can spread via chat software such as Skype and Yahoo Messenger, and via file sharing websites.

2.5 Web application and data security risk

Injection

Injection flaws allow an intruder to forward malicious code through the web application into the system. Scripts written in Python, Perl or any other programming language can be injected and executed in the insecure application. When the web application passes data from an HTTP (hypertext transfer protocol) request on as part of a request to an external system, that data must be carefully examined; otherwise an attacker can inject special characters or malicious commands into it, and the application will transfer these to the external system for execution. SQL injection is a widespread form of injection. In this type of attack, when the parameter that the application sends to the database is exposed, the attacker can append malicious SQL commands to the content of that parameter and trick the web application into forwarding rogue queries to the database. A successful SQL injection can lead to authentication bypass (allowing an unauthorized user to log in to the application without supplying a valid username and password), information disclosure and remote command execution.
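The SQL injection described above, as an added example (not code from the project): the vulnerable login query beside its parameterized fix, run against a constructed in-memory SQLite table to show the authentication bypass and why the parameterized form is immune.

```python
"""SQL injection: vulnerable login beside the parameterized fix.
Example added for this page (not from the original project)."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed user table; real systems store password hashes, not plaintext."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")])
    return con


def login_vulnerable(con, username, password):
    """The flaw from the text: user input is concatenated into the SQL text, so
    the parameter sent to the database is exposed and SQL can be appended to it."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(sql).fetchone()


def login_safe(con, username, password):
    """Parameterized query: values travel separately from the SQL text and can
    never change the structure of the statement, whatever characters they hold."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


def demo():
    con = setup_db()
    # Classic bypass input: closes the string literal and comments out the
    # password check, so the vulnerable query matches alice without a password.
    bypass = "alice' --"
    return {
        "vuln_legit": login_vulnerable(con, "alice", "correct horse"),
        "vuln_bypass": login_vulnerable(con, bypass, "anything"),
        "safe_legit": login_safe(con, "alice", "correct horse"),
        "safe_bypass": login_safe(con, bypass, "anything"),   # None: no such user
    }
```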

Security misconfiguration

The web server and application server are the backbone of a web application. They provide a number of services that the web application uses, including directory services, data storage and mail. Failure to properly manage the configuration of these servers can lead to a wide variety of security breaches. Security misconfiguration can happen in the application stack, the framework, the web server, the custom code and the platform. External intruders and users with their own accounts can attempt to compromise the system. Attackers use unpatched flaws and unprotected files and directories to gain illegal access to, or knowledge of, the system. Default accounts must always be changed, because an attacker can discover the standard admin page and log in with the default passwords. The server can also generate error messages that display information about its environment, users and associated data. That information may be useful for launching a damaging attack: if one attack fails, the attacker can still use the error information provided to launch a more focused attack.

Insecure cryptographic storage

In the cloud, the web application's need to store sensitive information in the database or in the file system is important. The information can be a credit card number, a social security number, an account record or passwords. Therefore, the use of encryption is relevant: simply not encrypting data which deserves encryption is a flaw.

Developers usually make mistakes when using encryption, and the main areas where mistakes are made are: failure to encrypt critical data, insecure storage of keys, certificates and passwords, improper storage of secrets in memory, and poor choice of algorithm. Almost every application is connected to a database; the credentials used to make these connections should be encrypted to prevent easy access to these data storage systems. The web application must have cryptographic support. In the case of credit card number storage, a merchant must respect the applicable compliance regime. Compliance is a set of regulations applied and enforced by means of fines. Following PCI DSS (Payment Card Industry Data Security Standard) requirement three, cardholder data must be protected: the primary account number, the cardholder's name and the expiration date should be encrypted when transmitted across different networks.

2.6 Threat mitigation

Symmetric cryptography

Cryptography is a method of storing and transmitting data in a form that only the intended recipient can read and process. Its purpose is to hide information from unauthorized individuals. It is an effective way to protect sensitive information while it is stored on media. Encryption is a method of converting readable data, called plaintext, into an unreadable format called ciphertext. Once it is transformed into ciphertext, neither a human nor a machine can process it until it is decrypted. In symmetric cryptography, the sender and the receiver use the same key for encryption and decryption. Symmetric keys are also called secret keys because this type of encryption requires each user to keep the key secret and protected. The security of symmetric encryption is completely dependent on how well users protect the key. If a key is compromised, all messages encrypted with that key can be decrypted and read by an attacker. The following are examples of symmetric cryptography: Data Encryption Standard (DES), Advanced Encryption Standard (AES) and Blowfish.

Asymmetric Cryptography

Asymmetric cryptography utilizes a combination of two different keys, one public key and one private key. Everyone can know the public key, but the private key is known and used only by the owner. The two keys are mathematically related; someone who obtains the public key of another person should not be able to figure out the corresponding private key. When Bob encrypts data with his private key, the receiver Alice must have a copy of Bob's public key to decrypt it. The receiver can also reply in encrypted form: in that case, Alice encrypts the message using Bob's public key and the message is decrypted at the other end using Bob's private key, because Bob is the only person who has the private key. Both keys, public and private, can be used to encrypt and decrypt a message. The following are examples of asymmetric key algorithms: Rivest-Shamir-Adleman (RSA), Diffie-Hellman and Digital Signature Algorithm (DSA).
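The Bob and Alice exchange described above, worked through with textbook RSA as an added example (not the project's code) using the tiny constructed primes p = 61 and q = 53 so every number can be checked by hand. It also shows, by factoring the toy modulus, why the "cannot figure out the private key" property depends on key size.

```python
"""Textbook RSA with tiny constructed parameters, illustrating how the two
mathematically related keys interact. Example added for this page (not from
the project). Raw RSA without padding and with small keys, as here, is
insecure; real deployments use 2048-bit-plus keys with OAEP/PSS padding."""
from math import gcd


def keygen(p: int, q: int, e: int = 17):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    assert gcd(e, phi) == 1, "e must be coprime with phi(n)"
    d = pow(e, -1, phi)              # modular inverse: e*d = 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Anyone holding Bob's public key can do this (Alice -> Bob)."""
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only Bob, holding the private key, can undo it."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, m: int) -> int:
    """'Encrypting with the private key', as the text puts it: the result is
    a signature that any holder of the public key can check."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key, m: int, sig: int) -> bool:
    """'Decrypting with the public key' must give the message back."""
    n, e = public_key
    return pow(sig, e, n) == m


def recover_private_key(public_key):
    """Why key size matters: a toy modulus is factored by trial division in
    an instant, which hands over d. Infeasible for real-size moduli."""
    n, e = public_key
    p = next(x for x in range(2, int(n ** 0.5) + 1) if n % x == 0)
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))


def demo():
    bob_pub, bob_priv = keygen(61, 53)       # n = 3233, e = 17, d = 2753
    # Alice -> Bob: encrypt with Bob's public key, Bob decrypts with his private key.
    c = encrypt(bob_pub, 65)                 # 65^17 mod 3233 = 2790
    m = decrypt(bob_priv, c)                 # back to 65
    # Bob -> Alice: Bob signs with his private key, Alice checks with the public key.
    s = sign(bob_priv, 65)
    return {"n": bob_pub[0], "d": bob_priv[1], "c": c, "m": m,
            "sig_ok": verify(bob_pub, 65, s),
            "tampered_ok": verify(bob_pub, 66, s)}   # altered message fails
```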

Network intrusion detection system

An intrusion detection system aims to detect a security breach. Intrusion detection can be defined as a method to detect unauthorized use of, or attacks against, a computer, network or telecommunication system. The basic idea behind an intrusion detection system is to spot something suspicious happening on the network and sound an alarm. In a typical intrusion detection product, sensors collect traffic and user activity data and send them to an analyzer that looks for abnormal activity. When the analyzer detects such an activity, it sends an alert to the administrator interface. A network intrusion detection system uses sensors with a network interface card in promiscuous mode. When a network interface card is in promiscuous mode, it collects all traffic, makes a copy of all packets, and then passes one copy to the TCP stack and one copy to the analyzer to look for specific patterns of known threats.
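The sensor-to-analyzer flow described above, as an added example (not the project's code): a minimal analyzer that matches known-threat patterns in packet payloads and raises an anomaly alert for the port scanning behaviour listed under the network threats. The packet shape, the signatures and the traffic are all constructed.

```python
"""Minimal signature-plus-anomaly analyzer in the style of a network IDS.
Example added for this page (not from the original project)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed shape of what a promiscuous-mode sensor hands the analyzer."""
    ts: float
    src: str
    dst: str
    dport: int
    flags: str          # TCP flags, e.g. "S" for SYN, "A" for ACK
    payload: bytes = b""


# Constructed signature list: (rule name, byte pattern to look for).
SIGNATURES = [
    ("path-traversal", b"../../etc/passwd"),
    ("sqli-tautology", b"' OR '1'='1"),
]

SCAN_WINDOW = 5.0   # seconds of history kept per (source, destination) pair
SCAN_PORTS = 10     # distinct destination ports inside the window => port scan


class Analyzer:
    def __init__(self):
        self.alerts = []                      # (ts, kind, detail, src, dst)
        self._syn_hist = defaultdict(list)    # (src, dst) -> [(ts, dport), ...]

    def feed(self, pkt: Packet) -> None:
        self._match_signatures(pkt)
        self._detect_port_scan(pkt)

    def _match_signatures(self, pkt: Packet) -> None:
        """Known-threat matching: the 'specific patterns' the text refers to."""
        for name, pattern in SIGNATURES:
            if pattern in pkt.payload:
                self.alerts.append((pkt.ts, "signature", name, pkt.src, pkt.dst))

    def _detect_port_scan(self, pkt: Packet) -> None:
        """Anomaly rule: one source probing many distinct ports on one host
        within a sliding window."""
        if "S" not in pkt.flags or "A" in pkt.flags:
            return                            # only initial client SYNs count
        hist = self._syn_hist[(pkt.src, pkt.dst)]
        hist.append((pkt.ts, pkt.dport))
        hist[:] = [(t, p) for t, p in hist if pkt.ts - t <= SCAN_WINDOW]
        ports = {p for _, p in hist}
        if len(ports) >= SCAN_PORTS:
            self.alerts.append((pkt.ts, "portscan", f"{len(ports)} ports", pkt.src, pkt.dst))
            hist.clear()                      # one alert per burst


def demo():
    """Constructed traffic: normal web access, one traversal attempt, one scan."""
    web = "10.0.0.80"
    pkts = [
        Packet(1.0, "10.0.0.5", web, 443, "S"),
        Packet(1.2, "10.0.0.5", web, 443, "A", b"GET /index.html HTTP/1.1"),
        Packet(2.0, "10.0.0.6", web, 80, "A", b"GET /../../etc/passwd HTTP/1.1"),
    ]
    pkts += [Packet(3.0 + i * 0.1, "198.51.100.9", web, 20 + i, "S") for i in range(12)]
    analyzer = Analyzer()
    for pkt in sorted(pkts, key=lambda p: p.ts):
        analyzer.feed(pkt)
    return analyzer.alerts
```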


Chapter three

The Key Security and Privacy Issues


Although the emergence of cloud computing is a recent development, insights into critical aspects of security can be gleaned from reported experiences of early adopters and also from researchers analyzing and experimenting with available cloud provider platforms and associated technologies. The sections below highlight privacy and security-related issues that are believed to have long-term significance for cloud computing. Where possible, to illustrate an issue, examples are given of problems previously exhibited or demonstrated. Note that security and privacy considerations that stem from information technology outsourcing.

Cloud computing has grown out of an amalgamation of technologies, including service oriented architecture, virtualization, Web 2.0, and utility computing; therefore many of the privacy and security issues involved can be viewed as known problems cast in a new setting. The importance of their combined effect, however, should not be discounted. Cloud computing does represent a thought-provoking paradigm shift that goes beyond conventional norms to de-perimeterize the organizational infrastructure, at the extreme displacing applications from one organization's infrastructure to the infrastructure of another organization, where the applications of potential adversaries may also operate.

3.1 Governance

Governance implies control and oversight over policies, procedures, and standards for application development, as well as the design, implementation, testing, and monitoring of deployed services. With the wide availability of cloud computing services, lack of organizational controls over employees engaging such services arbitrarily can be a source of problems. While cloud computing simplifies platform acquisition, it doesn't alleviate the need for governance; instead, it has the opposite effect, amplifying that need. The ability to reduce capital investment and transform it into operational expenses is an advantage of cloud computing. Cloud computing can lower the initial cost of deploying new services and thus align expense with actual use. However, the normal processes and procedures set in place by an organization for acquiring computational resources as capital expenditures may be easily bypassed by a department or an individual and the action obscured as operational expenses. If such actions are not governed by an organization, its policies and procedures for privacy, security, and oversight could be overlooked and the organization put at risk. For example, vulnerable systems could be deployed, legal regulations could be ignored, charges could amass quickly to unacceptable levels, resources could be used for unsanctioned purposes, or other untoward effects could occur.


Many businesses also prefer operational expenses over capital expenditures, because of tax considerations (e.g., the ability to manage the cost of capital better and deduct operational expenses in the accounting period in which they are incurred versus depreciating the capital expenditure over time).

3.2 Compliance

Compliance involves conformance with an established specification, standard, regulation, or law. Various types of security and privacy laws and regulations exist within different countries at the national, state, and local levels, making compliance a potentially complicated issue for cloud computing.

Data Location. One of the most common compliance issues facing an organization is data location. Use of an in-house computing center allows an organization to structure its computing environment and to know in detail where data is stored and what safeguards are used to protect the data. In contrast, a characteristic of many cloud computing services is that detailed information about the location of an organization's data is unavailable or not disclosed to the service subscriber. This situation makes it difficult to ascertain whether sufficient safeguards are in place and whether legal and regulatory compliance requirements are being met. External audits and security certifications can to some extent alleviate this issue, but they are not a panacea. When information crosses borders, the governing legal, privacy, and regulatory regimes can be ambiguous and raise a variety of concerns. Consequently, constraints on the trans-border flow of sensitive data, as well as the requirements on the protection afforded the data, have become the subject of national and regional privacy and security laws and regulations. Among the concerns to be addressed is whether the laws in the jurisdiction where the data was collected permit the flow, whether those laws continue to apply to the data post transfer, and whether the laws at the destination present additional risks or benefits. Technical, physical and administrative safeguards, such as access controls, often apply.

Laws and Regulations. The Privacy Act likewise governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. In many countries throughout the world, laws and regulations require public and private organizations to protect the privacy of personal data and the security of information and computer systems.

Electronic Discovery. Electronic discovery involves the identification, collection, processing, analysis, and production of electronic documents in the discovery phase of litigation. Organizations also have other incentives and obligations to preserve and produce electronic documents, such as complying with audit and regulatory information requests, and for government organizations, with Freedom of Information Act (FOIA) requests. Documents not only include electronic mail, attachments, and other data objects stored on a computer system or storage media, but also any associated metadata, such as dates of object creation or modification, and non-rendered file content (i.e., data that is not explicitly displayed for users). The capabilities and processes of a cloud provider, such as the form in which data is maintained and the electronic discovery-related tools available, affect the ability of the organization to meet its obligations in a cost effective, timely, and compliant manner. For example, a cloud provider's archival capabilities may not preserve the original metadata as expected, causing spoliation (i.e., the intentional, reckless, or negligent destruction, loss, material alteration, or obstruction of evidence that is relevant to litigation), which could negatively impact litigation.

3.3 Trust

Under the cloud computing paradigm, an organization relinquishes direct control over many aspects of security and, in doing so, confers an unprecedented level of trust onto the cloud provider.

Insider Access. Data processed or stored outside the confines of an organization, its firewall, and other security controls brings with it an inherent level of risk. The insider security threat is a well-known issue for most organizations and, despite the name, applies as well to outsourced cloud services. Insider threats go beyond those posed by current or former employees to include contractors, organizational affiliates, and other parties that have received access to an organization's networks, systems, and data to carry out or facilitate operations. Incidents may involve various types of fraud, sabotage of information resources, and theft of confidential information. Incidents may also be caused unintentionally, for instance, a bank employee sending out sensitive customer information to the wrong Google mail account. Moving data and applications to a cloud computing environment operated by a cloud provider expands the insider security risk not only to the cloud provider's staff, but also potentially among other customers using the service.

Data Ownership. The organization's ownership rights over the data must be firmly established in the service contract to enable a basis for trust. The continuing controversy over privacy and data ownership rights for social networking users illustrates the impact that ambiguous terms can have on the parties involved. Ideally, the contract should state clearly that the organization retains ownership over all its data; that the cloud provider acquires no rights or licenses through the agreement to use the data for its own purposes, including intellectual property rights or licenses; and that the cloud provider does not acquire and may not claim any security interest in the data. For these provisions to work as intended, the terms of data ownership must not be subject to unilateral amendment by the cloud provider.

Composite Service. Cloud services themselves can be composed through nesting and layering with other cloud services. For example, a SaaS provider could build its services upon the services of a PaaS or IaaS cloud. The level of availability of the SaaS cloud would then depend on the availability of those services. Cloud services that use third-party cloud providers to outsource or subcontract some of their services should raise concerns, including the scope of control over the third party, the responsibilities involved, and the remedies and recourse available should problems occur. Trust is often not transitive, requiring that third-party arrangements be disclosed in advance of reaching an agreement with the cloud provider, and that the terms of these arrangements are maintained throughout the agreement or until sufficient notification can be given of any anticipated changes.

Visibility. Migration to public cloud services relinquishes control to the cloud provider for securing the systems on which the organization's data and applications operate. Management, procedural, and technical controls used in the cloud must be commensurate with those used for internal organizational systems or surpass them, to avoid creating gaps in security. Since metrics for comparing two computer systems are an ongoing area of research, making such comparisons can be a formidable task. Cloud providers are typically reluctant to provide details of their security and privacy measures, since such information might be used to devise an avenue of attack. Moreover, detailed network and system level monitoring by a cloud subscriber is generally not part of most service arrangements, limiting visibility and the means to audit operations directly. Transparency in the way the cloud provider operates is a vital ingredient for effective oversight over system security and privacy by an organization. To ensure that policy and procedures are being enforced throughout the system lifecycle, service arrangements should include some means for gaining visibility into the security controls and processes employed by the cloud provider and their performance over time. Ideally, the organization would have control over aspects of the means of visibility, such as the threshold for alerts and notifications or the level of detail and schedule for reports, to accommodate its needs.

Risk Management. With cloud-based services, some subsystems or subsystem components are outside of the direct control of a subscribing organization. Many people feel more comfortable with risk when they have more control over the processes and equipment involved. At a minimum, a high degree of control provides the option to weigh alternatives, set priorities, and act decisively in the best interest of the organization when faced with an incident. Risk management is the process of identifying and assessing risk, and taking the necessary steps to reduce it to an acceptable level. Public cloud-based systems, as with traditional information systems, require that risks are managed throughout the system lifecycle. Assessing and managing risk in systems that use cloud services can be a challenge. To the extent practical, the organization should ensure that security controls are implemented correctly, operate as intended, and meet its security requirements. Establishing a level of trust about a cloud service depends on the degree of control an organization is able to exert on the provider to provision the security controls necessary to protect the organization's data and applications, and also on the evidence provided about the effectiveness of those controls. However, verifying the correct functioning of a subsystem and the effectiveness of security controls as extensively as with an organizational system may not be feasible in some cases, and other means (e.g., third-party audits) may be used to establish a level of trust. Ultimately, if the level of trust in the service falls below expectations and the organization is unable to employ compensating controls, it must either reject the service or accept a greater degree of risk.

3.4 Architecture

The architecture of the software systems used to deliver cloud services comprises hardware and software residing in the cloud. The physical location of the infrastructure is determined by the cloud provider, as is the implementation of the reliability and scalability logic of the underlying support framework. Virtual machines often serve as the abstract unit of deployment and are loosely coupled with the cloud storage architecture. Applications are built on the programming interfaces of Internet-accessible services, which typically involve multiple cloud components communicating with each other over application programming interfaces. Many of the simplified interfaces and service abstractions belie the inherent complexity that affects security.

Attack Surface. The hypervisor or virtual machine monitor is an additional layer of software between an operating system and the hardware platform that is used to operate multi-tenant virtual machines. Besides virtualized resources, the hypervisor normally supports other application programming interfaces to conduct administrative operations, such as launching, migrating, and terminating virtual machine instances. Compared with a traditional non-virtualized implementation, the addition of a hypervisor causes an increase in the attack surface. The complexity of virtual machine environments can also be more challenging than that of their traditional counterparts, giving rise to conditions that undermine security.

Virtual Network Protection. Most virtualization platforms have the ability to create software-based switches and network configurations as part of the virtual environment to allow virtual machines on the same host to communicate more directly and efficiently. For example, for virtual machines requiring no external network access, the virtual networking architectures of most virtualization software products support same-host networking, in which a private subnet is created for intra-host communications. Traffic over virtual networks may not be visible to security protection devices on the physical network, such as network-based intrusion detection and prevention systems. To avoid a loss of visibility and protection against intra-host attacks, duplication of the physical network protection capabilities may be required on the virtual network.

Ancillary Data. While the focus of protection is placed mainly on the application data, as guardians of the realm, cloud providers hold significant details about the service users' accounts that could be compromised and used in subsequent attacks. Payment information is one example; other, more subtle types of information can also be involved.
For example, a database of contact information stolen from a SaaS cloud provider, via a targeted phishing attack against one of its employees, was used in turn to launch successful targeted electronic mail attacks against subscribers of the cloud service. The incident illustrates the need for cloud providers to promptly report security breaches occurring not only in the data the cloud provider holds for its subscribers, but also in the data it holds about its subscribers. Another type of ancillary data held by IaaS cloud providers is virtual machine images. A virtual machine image entails the software stack, including installed and configured applications, used to boot the virtual machine into an initial state or the state of some previous checkpoint. Sharing virtual machine images is a common practice in some cloud computing environments. Image repositories must be carefully managed and controlled to avoid problems.


The provider of an image faces risks, since an image can contain proprietary code and data and embody vulnerabilities. An attacker may attempt to examine images to determine whether they leak information or provide an avenue for attack. This is especially true of development images that are accidentally released. The reverse may also occur: an attacker may attempt to supply a virtual machine image containing malware to users of a cloud computing system. For example, researchers demonstrated that by manipulating the registration process to gain a first-page listing, they could readily entice cloud users to run virtual machine images they contributed to the image repository of a popular cloud provider. The risks for users running tainted images include theft and corruption of data.

Client-Side Protection. A successful defense against attacks requires securing both the client and server side of cloud computing. With emphasis typically placed on the latter, the former can be easily overlooked. Web browsers, a key element for many cloud computing services, and the various available plug-ins and extensions for them are notorious for their security problems. Moreover, many browser add-ons do not provide automatic updates, increasing the persistence of any existing vulnerabilities. Maintaining physical and logical security over clients can be troublesome, especially with embedded mobile devices such as smart phones. Their size and portability can result in the loss of physical control. Built-in security mechanisms often go unused or can be overcome or circumvented without difficulty by a knowledgeable party to gain control over the device. Smart phones are also treated more as fixed appliances with a limited set of functions than as general-purpose systems.
No single operating system dominates and security patches and updates for system components and add-ons are not as frequent as for desktop clients, making vulnerabilities more persistent with a larger window of opportunity for exploitation.

The increased availability and use of social media, personal Webmail, and other publicly available sites also have associated risks that are a concern, since they can negatively impact the security of the browser, its underlying platform, and the cloud services accessed, through social engineering attacks. For example, spyware was reportedly installed in a hospital system via an employee's personal Webmail account and sent the attacker more than 1,000 screen captures, containing financial and other confidential information, before being discovered. Having a backdoor Trojan, keystroke logger, or other type of malware running on a client does not bode well for the security of cloud or other Web-based services it accesses. As part of the overall security architecture for cloud computing, organizations need to review existing measures and employ additional ones, if necessary, to secure the client side. Banks are beginning to take the lead in deploying hardened browser environments that encrypt network exchanges and protect against keystroke logging.

Server-Side Protection. Virtual servers and applications, much like their non-virtual counterparts, need to be secured in IaaS clouds, both physically and logically. Following organizational policies and procedures, hardening of the operating system and applications should occur to produce virtual machine images for deployment. Care must also be taken to provision security for the virtualized environments in which the images run. For example, virtual firewalls can be used to isolate groups of virtual machines from other hosted groups, such as production systems from development systems or development systems from other cloud-resident systems. Carefully managing virtual machine images is also important to avoid accidentally deploying images under development or containing vulnerabilities.

Hybrid clouds are a type of composite cloud with similar protection issues. In a hybrid cloud the infrastructure consists of a private cloud composed with either a public cloud or another organization's private cloud. The clouds themselves remain unique entities, bound together by standardized or proprietary technology that enables unified service delivery, but also creates interdependency. For example, identification and authentication might be performed through an organization's private cloud infrastructure, as a means for its users to gain access to services provisioned in a public cloud. Preventing holes or leaks between the composed infrastructures is a major concern with hybrid clouds, because of increases in complexity and diffusion of responsibilities. The availability of the hybrid cloud, computed as the product of the availability levels for the component clouds, can also be a concern; if the percent availability of any one component drops, the overall availability suffers proportionately.

3.5 Identity and Access Management
Data sensitivity and the privacy of information have become an increasing area of concern for organizations, and unauthorized access to information resources in the cloud is a major concern. One recurring issue is that the organizational identification and authentication framework may not naturally extend into the cloud, and extending or changing the existing framework to support cloud services may be difficult. The alternative of employing two different authentication systems, one for internal organizational systems and another for external cloud-based systems, is a complication that can become unworkable over time. Identity federation, popularized with the introduction of service oriented architectures, is one solution that can be accomplished in a number of ways, such as with the Security Assertion Markup Language (SAML) standard or the OpenID standard.

Authentication
A growing number of cloud providers support the SAML standard and use it to administer users and authenticate them before providing access to applications and data. SAML provides a means to exchange information, such as assertions related to a subject or authentication information, between cooperating domains. SAML request and response messages are typically mapped over the Simple Object Access Protocol (SOAP), which relies on the eXtensible Markup Language (XML) for its format. SOAP messages are digitally signed; for example, once a user has established a public key certificate for a public cloud, the private key can be used to sign SOAP requests.

SOAP message security validation is complicated and must be carried out carefully to prevent attacks. For example, XML signature wrapping attacks have been successfully demonstrated against a public IaaS cloud. XML wrapping involves manipulation of SOAP messages: a new element (the wrapper) is introduced into the SOAP Security header, and the original message body is moved under the wrapper and replaced by a bogus body containing an operation defined by the attacker. The original body can still be referenced by the signature and its signature verified, but the operation in the replacement body is executed instead. The defect is that the verification logic locates the signed element by its Id reference wherever it appears in the document, while the dispatch logic processes whatever element currently sits in the Body position; a safe verifier must check that these are the same element.

Access Control
SAML alone is not sufficient to provide cloud-based identity and access management services. The capability to adapt cloud subscriber privileges and maintain control over access to resources is also needed. As part of identity management, standards like the eXtensible Access Control Markup Language (XACML) can be used by a cloud provider to control access to cloud resources, instead of using a proprietary interface. XACML focuses on the mechanism for arriving at authorization decisions, which complements SAML’s focus on the means for transferring authentication and authorization decisions between cooperating entities. XACML is capable of controlling the proprietary service interfaces of most providers, and some cloud providers already have it in place. Messages transmitted between XACML entities are susceptible to attack by malicious third parties, making it important to have safeguards in place to protect decision requests and authorization decisions from unauthorized disclosure, replay, deletion and modification.
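The wrapping attack and the check that defeats it, as an added example (this is not code from the page, the cited research, or any provider): a simplified SOAP-like envelope built with Python’s standard library. An HMAC over the serialized element stands in for XML-DSig canonicalization and public-key signing, the element names are unqualified, and the operation names and key are constructed. What the code keeps faithful is the message shape the attack depends on: a Body referenced by Id from a Signature in the Security header, and a verifier that resolves that Id anywhere in the document.

```python
"""Constructed demonstration of XML signature wrapping and a verifier that resists it."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SIGNING_KEY = b"constructed demo key"  # assumption: stands in for the subscriber's private key


def digest(elem: ET.Element) -> str:
    # Stand-in for canonicalize-then-sign: MAC over the element's own serialization.
    # Like a real XML-DSig reference, it depends only on the element, not on its position.
    return hmac.new(SIGNING_KEY, ET.tostring(elem), hashlib.sha256).hexdigest()


def build_signed_request(operation: str) -> ET.Element:
    """Legitimate client: sign the Body and reference it by Id from the Security header."""
    env = ET.Element("Envelope")
    security = ET.SubElement(ET.SubElement(env, "Header"), "Security")
    body = ET.SubElement(env, "Body", {"Id": "body"})
    ET.SubElement(body, operation)
    signature = ET.SubElement(security, "Signature")
    reference = ET.SubElement(signature, "Reference", {"URI": "#body"})
    reference.text = digest(body)
    return env


def wrapping_attack(env: ET.Element, attacker_operation: str) -> ET.Element:
    """Attacker: move the signed Body under a Wrapper in the Security header, insert a bogus Body."""
    original_body = env.find("Body")
    env.remove(original_body)
    wrapper = ET.SubElement(env.find("Header/Security"), "Wrapper")
    wrapper.append(original_body)            # still carries Id="body"; its digest is unchanged
    bogus_body = ET.SubElement(env, "Body")  # no Id, so the signature never mentions it
    ET.SubElement(bogus_body, attacker_operation)
    return env


def _reference(env: ET.Element):
    reference = env.find("Header/Security/Signature/Reference")
    return reference.get("URI").lstrip("#"), reference.text


def naive_dispatch(env: ET.Element) -> str:
    """Vulnerable verifier: resolves the Id anywhere in the document, then executes Envelope/Body."""
    target_id, expected = _reference(env)
    signed = next(e for e in env.iter() if e.get("Id") == target_id)
    if not hmac.compare_digest(expected, digest(signed)):
        raise ValueError("signature verification failed")
    return env.find("Body")[0].tag           # the operation that actually gets executed


def hardened_dispatch(env: ET.Element) -> str:
    """Hardened verifier: the element that will be executed must be the element that was signed."""
    target_id, expected = _reference(env)
    body = env.find("Body")                  # the Body in its fixed position, not an Id lookup
    if body is None or body.get("Id") != target_id:
        raise ValueError("signature does not cover the Body that would be executed")
    if sum(1 for e in env.iter() if e.get("Id") == target_id) != 1:
        raise ValueError("referenced Id is not unique in the document")
    if not hmac.compare_digest(expected, digest(body)):
        raise ValueError("signature verification failed")
    return body[0].tag


def accepted(verifier, env: ET.Element) -> bool:
    """True if the verifier would execute the message, False if it rejects it."""
    try:
        verifier(env)
        return True
    except ValueError:
        return False
```

Run against a legitimate request both verifiers execute the signed operation; run against the wrapped message the naive verifier still finds a valid signature over the relocated body and executes the attacker’s operation, while the hardened one rejects it because the Body in the executable position carries no signed Id. The same rule applies to real WS-Security stacks: bind verification to the position of the element that will be processed, not to an Id found by document-wide search.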

3.6 Software Isolation
High degrees of multi-tenancy over large numbers of platforms are needed for cloud computing to achieve the envisioned flexibility of on-demand provisioning of reliable services and the cost benefits and efficiencies due to economies of scale. To reach the high scales of consumption desired, cloud providers have to ensure dynamic, flexible delivery of service and isolation of subscriber resources. Multi-tenancy in cloud computing is typically achieved by multiplexing the execution of virtual machines from potentially different users on the same physical server. It is important to note that applications deployed on guest virtual machines remain susceptible to attack and compromise, much the same as their non-virtualized counterparts. This was dramatically exemplified by a botnet found operating out of an IaaS cloud computing environment.

Hypervisor Complexity
The security of a computer system depends on the quality of the underlying software kernel that controls the confinement and execution of processes. A virtual machine monitor, or hypervisor, is designed to run multiple virtual machines, each hosting an operating system and applications, concurrently on a single host computer, and to provide isolation between the different guest virtual machines. A virtual machine monitor can, in theory, be smaller and less complex than an operating system. These characteristics generally make it easier to analyze and improve the quality of its security, giving a virtual machine monitor the potential to be better suited for maintaining strong isolation between guest virtual machines than an operating system is for isolating processes. In practice, however, modern hypervisors can be large and complex, comparable to an operating system, which negates this advantage. For example, Xen, an open source x86 virtual machine monitor, incorporates a modified Linux kernel to implement a privileged partition for input/output operations, and KVM, another open source effort, transforms a Linux kernel into a virtual machine monitor. Understanding the use of virtualization by a cloud provider is a prerequisite to understanding the security risk involved.

Attack Vectors
Multi-tenancy in virtual machine-based cloud infrastructures, together with the subtleties in the way physical resources are shared between guest virtual machines, can give rise to new sources of threat. The most serious threat is that malicious code can escape the confines of its virtual machine and interfere with the hypervisor or other guest virtual machines. Live migration, the ability to transition a virtual machine between hypervisors on different host computers without halting the guest operating system, and other features provided by virtual machine monitor environments to facilitate systems management, also increase software size and complexity and potentially add other areas to target in an attack.

Several examples illustrate the types of attack vectors possible. The first is mapping the cloud infrastructure. While seemingly a daunting task to perform, researchers have demonstrated an approach with a popular IaaS cloud. By launching multiple virtual machine instances from multiple cloud subscriber accounts and using network probes, the assigned IP addresses and domain names were analyzed to identify service location patterns. Building on that information and general technique, the plausible location of a specific target virtual machine could be identified and new virtual machines instantiated until one was eventually co-resident with the target.

Once a suitable target location is found, the next step for the guest virtual machine is to bypass or overcome containment by the hypervisor, or to take down the hypervisor and system entirely. Weaknesses in the provided programming interfaces and in the processing of instructions are common targets for uncovering vulnerabilities to exploit. For example, a serious flaw that allowed an attacker to write to an arbitrary out-of-bounds memory location was discovered in the power management code of a hypervisor by fuzzing emulated I/O ports. A denial of service vulnerability, which could allow a guest virtual machine to crash the host computer along with the other virtual machines being hosted, was also uncovered in a virtual device driver of a popular virtualization software product.

More indirect attack avenues may also be possible. For example, researchers developed a way for an attacker to gain administrative control of guest virtual machines during a live migration, employing a man-in-the-middle attack to modify the code used for authentication. Memory modification during migration presents other possibilities, such as the potential to insert a virtual machine-based rootkit layer below the operating system. A zero-day exploit in HyperVM, an open source application for managing virtual private servers, purportedly led to the destruction of approximately 100,000 virtual server-based Websites hosted by a service provider.

Another example of an indirect attack involves monitoring resource utilization on a shared server to gain information and perhaps perform a side-channel attack, similar to attacks used in other computing environments. For example, an attacker could determine periods of high activity, estimate high-traffic rates, and possibly launch keystroke timing attacks to gather passwords and other data from a target server.

3.7 Data Protection
Data stored in the cloud typically resides in a shared environment collocated with data from other customers. Organizations moving sensitive and regulated data into the cloud, therefore, must account for the means by which access to the data is controlled and the data is kept secure.

Data Isolation
Data can take many forms. For example, for cloud-based application development, it includes the application programs, scripts, and configuration settings, along with the development tools. For deployed applications, it includes records and other content created or used by the applications, as well as account information about the users of the applications. Access controls are one means to keep data away from unauthorized users; encryption is another. Access controls are typically identity-based, which makes authentication of the user’s identity an important issue in cloud computing.

Database environments used in cloud computing can vary significantly. For example, some environments support a multi-instance model, while others support a multi-tenant model. The former provides a unique database management system running on a virtual machine instance for each cloud subscriber, giving the subscriber complete control over role definition, user authorization, and other administrative tasks related to security. The latter provides a predefined environment for the cloud subscriber that is shared with other tenants, typically by tagging data with a subscriber identifier. Tagging gives the appearance of exclusive use of the instance, but relies on the cloud provider to establish and maintain a sound, secure database environment: every query path must apply the tenant predicate, since the rows of all tenants sit in the same tables.

Various types of multi-tenant arrangements exist for databases. Each arrangement pools resources differently, offering different degrees of isolation and resource efficiency. Other considerations also apply. For example, certain features like data encryption are only viable with arrangements that use separate rather than shared databases. These sorts of tradeoffs require careful evaluation of the suitability of the data management solution for the data involved. Requirements in certain fields, such as healthcare, would likely influence the choice of database and data organization used in an application. Privacy-sensitive information, in general, is a serious concern.

Data must be secured while at rest, in transit, and in use, and access to the data must be controlled. Standards for communications protocols and public key certificates allow data transfers to be protected using cryptography. Procedures for protecting data at rest are not as well standardized, however, making interoperability an issue due to the predominance of proprietary systems. The lack of interoperability affects the availability of data and complicates the portability of applications and data between cloud providers. Currently, the responsibility for cryptographic key management falls mainly on the cloud service subscriber. Key generation and storage are usually performed outside the cloud using hardware security modules, which do not scale well to the cloud paradigm. NIST’s Cryptographic Key Management Project is identifying scalable and usable cryptographic key management and exchange strategies for use by government, which could help to alleviate the problem eventually. Protecting data in use is an emerging area of cryptography with few practical results to offer, leaving trust mechanisms as the main safeguard.

Data Sanitization
The data sanitization practices that a cloud provider implements have obvious implications for security. Sanitization is the removal of sensitive data from a storage device in various situations, such as when a storage device is removed from service or moved elsewhere to be stored. Data sanitization also applies to backup copies made for recovery and restoration of service, and to residual data remaining upon termination of service. In a cloud computing environment, data from one subscriber is physically commingled with the data of other subscribers, which can complicate matters. For instance, many examples exist of researchers obtaining used drives from online auctions and other sources and recovering large amounts of sensitive information from them. With the proper skills and equipment, it is also possible to recover data from failed drives that are not disposed of properly by cloud providers.
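The shared-table tenant-tagging arrangement described under Data Isolation, as an added example (not from the page or any provider): a constructed in-memory SQLite table holding two tenants’ rows side by side, one access path that forgets the tenant predicate, and a session object that takes the tenant from the authenticated session and never lets the caller choose it. The tenant names, record ids and payloads are made up.

```python
"""Constructed example of tenant tagging in a shared (multi-tenant) database."""
import sqlite3

# Constructed sample data: record_id is unique per tenant, not globally.
SAMPLE_ROWS = [
    ("acme", 1, "acme invoice 2012-04"),
    ("acme", 2, "acme invoice 2012-05"),
    ("globex", 1, "globex payroll Q1"),
]


def build_shared_db() -> sqlite3.Connection:
    """One table for every tenant; tenant_id is the only thing keeping their rows apart."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        " tenant_id TEXT NOT NULL, record_id INTEGER NOT NULL, payload TEXT NOT NULL,"
        " PRIMARY KEY (tenant_id, record_id))"
    )
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def unscoped_read(conn: sqlite3.Connection, record_id: int) -> list:
    """Weak: a query path that forgot the tenant predicate returns every tenant's row."""
    cur = conn.execute("SELECT payload FROM records WHERE record_id = ?", (record_id,))
    return [row[0] for row in cur]


def unscoped_update(conn: sqlite3.Connection, record_id: int, payload: str) -> int:
    """Weak: an update keyed on record_id alone overwrites the matching row of every tenant."""
    cur = conn.execute("UPDATE records SET payload = ? WHERE record_id = ?", (payload, record_id))
    conn.commit()
    return cur.rowcount


class TenantSession:
    """All access goes through here: tenant_id comes from the authenticated session,
    never from the caller of read()/update(), and every statement carries the predicate."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self._conn = conn
        self._tenant = tenant_id

    def read(self, record_id: int) -> list:
        cur = self._conn.execute(
            "SELECT payload FROM records WHERE tenant_id = ? AND record_id = ?",
            (self._tenant, record_id),
        )
        return [row[0] for row in cur]

    def update(self, record_id: int, payload: str) -> int:
        cur = self._conn.execute(
            "UPDATE records SET payload = ? WHERE tenant_id = ? AND record_id = ?",
            (payload, self._tenant, record_id),
        )
        self._conn.commit()
        return cur.rowcount  # 0 means "not yours or not there", never another tenant's row


def demo() -> dict:
    """Run both paths on fresh copies of the data and report what each tenant would see."""
    weak = build_shared_db()
    leaked = unscoped_read(weak, 1)                      # both tenants' record 1
    clobbered = unscoped_update(weak, 1, "overwritten")  # rewrites two tenants' rows

    safe = build_shared_db()
    acme, globex = TenantSession(safe, "acme"), TenantSession(safe, "globex")
    acme.update(1, "acme invoice 2012-04 (revised)")
    return {
        "unscoped_read_rows": len(leaked),
        "unscoped_update_rows": clobbered,
        "acme_sees": acme.read(1),
        "globex_sees": globex.read(1),
    }
```

The point of the session object is that the isolation property is enforced in one place rather than relied upon in every query the application writes. In a real deployment the predicate belongs as close to the data as the engine allows (per-tenant views or row-level security), with the application-level session as a second line; an audit of a shared-table arrangement should look for exactly the unscoped paths shown here, on writes as well as reads.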

3.8 Availability
In simple terms, availability is the extent to which an organization’s full set of computational resources is accessible and usable. Availability can be affected temporarily or permanently, and a loss can be partial or complete. Denial of service attacks, equipment outages, and natural disasters are all threats to availability. The concern is that most downtime is unplanned and can impact the mission of the organization.

3.9 Temporary Outages
Despite employing architectures designed for high service reliability and availability, cloud computing services can and do experience outages and performance slowdowns. A number of examples illustrate this point. In February 2008, a popular storage cloud service suffered a three-hour outage that affected its subscribers, including Twitter and other startup companies. In June 2009, a lightning storm caused a partial outage of an IaaS cloud that affected some users for four hours. Similarly, in February 2008, a database cluster failure at a SaaS cloud caused an outage for several hours, and in January 2009, another brief outage occurred due to a network device failure. In March 2009, a PaaS cloud experienced severe degradation for about 22 hours due to networking issues related to an upgrade.

At a level of 99.95% availability, 4.38 hours of downtime are to be expected in a year (0.05% of 8,760 hours). Periods of scheduled maintenance are also usually excluded as a source of downtime in SLAs and can be scheduled by the cloud provider on short notice. The level of reliability of a cloud service and its capabilities for backup and recovery need to be addressed in the organization’s contingency planning to ensure the recovery and restoration of disrupted cloud services and operations, using alternate services, equipment, and locations if required. Cloud storage services may represent a single point of failure for the applications hosted there. In such situations, the services of a second cloud provider could be used to back up data processed by the primary provider, to ensure that during a prolonged disruption or serious disaster at the primary, the data remains available for immediate resumption of critical operations.

3.10 Prolonged and Permanent Outages
The possibility exists for a cloud provider to experience serious problems, like bankruptcy or facility loss, which affect service for extended periods or cause a complete shutdown. For example, in April 2009, the Federal Bureau of Investigation raided computing centers in Texas and seized hundreds of servers when investigating fraud allegations against a handful of companies that operated out of the centers. The seizure disrupted service to hundreds of other businesses unrelated to the investigation, which had the misfortune of having their computer operations collocated at the targeted centers.

Other examples of outages are the major data loss experienced in 2009 by a bookmark repository service, and the abrupt failure of an on-line storage-as-a-service provider, which closed without warning to its users in 2008. Changing business conditions may also cause a cloud provider to disband its services, as occurred recently with an online cloud storage service. The organization’s contingency plan should address prolonged and permanent system disruptions through support for continuity of operations that provides for the restoration of essential functions elsewhere.

Denial of Service
A denial of service attack involves saturating the target with bogus requests to prevent it from responding to legitimate requests in a timely manner. An attacker typically uses multiple computers or a botnet to launch an assault. Even an unsuccessful distributed denial of service attack can quickly consume large amounts of resources to defend against and cause charges to soar. The dynamic provisioning of a cloud in some ways simplifies the work of an attacker to cause harm: resources scale up to absorb the bogus load, and the subscriber is billed for them. While the resources of a cloud are significant, with enough attacking computers they can become saturated. For example, a denial of service attack against a code hosting site operating over an IaaS cloud resulted in more than 19 hours of downtime. Besides attacks against publicly accessible services, denial of service attacks can occur against internally accessible services, such as those used in cloud management. Internally assigned non-routable addresses, used to manage resources within a cloud provider’s network, may also be used as an attack vector. A worst-case possibility is for elements of one cloud to attack those of another, or for a cloud to attack some of its own elements.

Value Concentration
A response to the question “Why do you rob banks?” is often attributed to Willie Sutton, a historic and prolific bank robber: “because that is where the money is.” In many ways, data records are the currency of the 21st century and cloud-based data stores are the bank vault, making them an increasingly preferred target due to the collective value concentrated there. Just as economies of scale exist in robbing banks instead of individuals, a high payoff ratio also exists for successfully compromising a cloud. As opposed to a direct approach, finesse and circumvention were Sutton’s trademark, and that style works as well in the digital world of cloud computing. For instance, a recent exploit involved targeting the electronic mail account of a social networking service administrator, reportedly by answering a set of security questions to gain access to the account, and using the information found there to gain access to company files stored in a PaaS cloud. Similar weaknesses have been identified in public clouds. A registered electronic mail address and valid password for an account are all that are required to download authentication credentials from a cloud provider’s management dashboard, which in turn grant access to all of the account’s resources. Since lost passwords can be reset by electronic mail, an attacker controlling the mail system of an account, or passively eavesdropping on the network through which electronic mail containing a password reset would pass, could effectively take control of the account. Having data collocated with that of an organization with a high threat profile could also lead to a denial of service, as an unintended casualty of an attack targeted against that organization. Similarly, side effects from a physical attack against a high profile organization’s cloud-based resources are also a possibility. For example, over the years, facilities of the Internal Revenue Service have attracted their share of attention from would-be attackers.

3.11 Incident Response
As the name implies, incident response involves an organized method for dealing with the consequences of an attack against the security of a computer system. The cloud provider’s role is vital in performing incident response activities, including incident verification, attack analysis, containment, data collection and preservation, problem remediation, and service restoration. Revising an organization’s incident response plan to address differences between the organizational computing environment and a cloud computing environment is an important, but easy-to-overlook, prerequisite to transitioning applications and data.

Collaboration between the service subscriber and provider in recognizing and responding to an incident is essential to security and privacy in cloud computing. The complexity of the service can obscure recognition and analysis of incidents. For example, it reportedly took one IaaS provider approximately eight hours to recognize and begin taking action on an apparent denial of service attack against its cloud infrastructure, after the issue was reported by a subscriber of the service. Understanding and negotiating the provisions and procedures for incident response should be done before entering a service contract, rather than as an afterthought. The geographic location of data is a related issue that can impede an investigation, and is a relevant subject for contract discussions.

Response to an incident should be handled in a way that limits damage and reduces recovery time and costs. Being able to convene a mixed team of representatives from the cloud provider and service subscriber quickly is an important facet of meeting this goal. Remedies may involve only a single party or require the participation of both parties. Resolution of a problem may also affect other subscribers of the cloud service. It is important that cloud providers have a transparent response process and mechanisms to share information with their subscribers during and after the incident.

Chapter Four
Deployment Models of Cloud Security

Model 1: Private Virtual Infrastructure (PVI)

Private Virtual Infrastructure allows organizations to utilize cloud resources with the level of assurance required to meet their confidentiality concerns. PVI provides a security architecture for cloud computing that uses a new trust model to share the responsibility for security between the service provider and the client, decreasing the risk exposure of both. The PVI cloud security model is a virtual datacenter built over the existing cloud infrastructure:

- The PVI datacenter is under the control of the information owner.
- The cloud fabric is under the control of the service provider.

PVI Cloud Security Architecture
The Private Virtual Infrastructure architecture has two layers. The IaaS fabric layer provides computation resources managed by the service provider, while the PVI layer provides a virtual datacenter managed by the client. The service provider assumes responsibility for the physical security and the logical security of the service platform required by the PVI layer. Each client is responsible for securely provisioning its virtual infrastructure with appropriate firewalls, intrusion detection systems, monitoring and logging to ensure that its data is kept confidential. PVI enables the client to build a virtual infrastructure that meets these requirements.

PVI is based on five tenets proposed as a basis for cloud security.

1. Trusted Cloud Platform
The platform provides the ability to verify the security settings of the underlying fabric, the security services that protect and monitor the fabric, and an identity certificate presented to the virtual environment that attests to these services. It builds on the Trusted Virtual Datacenter (TVDc), which in turn builds on Trusted Virtual Domains, providing strong isolation and integrity guarantees that significantly enhance the security and management capabilities of virtualized environments.

2. PVI Factory
- The most sensitive component of PVI.
- The root authority for provisioning, VTPM key generation, and certificate generation and management.
- Should be under the full control of the information owner.
- Serves as the controller and policy decision point for the PVI.
- Responsible for ensuring the integrity of the PVI and for handling incidents in the event of a security breach.

A Virtual Trusted Platform Module (VTPM) is a software instance of a TPM bound to a virtual machine; it is the cryptographic component that stores that machine’s cryptographic keys and platform measurements.

3. Measurement and Secure Provisioning
- Providers must allow clients transparent insight into their infrastructures.
- LoBot can perform pre-measurement of the fabric, which allows PVI to share the responsibility for security management. Locator Bot (LoBot) is a VM architecture and secure transfer protocol based on the VTPM.
- After LoBots probe target platforms for their security properties, they can securely provision VMs on those platforms.

4. Secure Shutdown and Data Destruction
- This process is required to ensure that all sensitive data is removed from a platform before new processes are allowed to run on it.
- Current VM monitors do not provide this, so it is recommended that it be added to future VM monitors or implemented through LoBot.

5. Monitoring and Auditing
- LoBot provides continuous monitoring of the cloud environment.
- Locator Bot (LoBot) is the architecture and protocol for secure provisioning and secure migration of virtual machines within an IaaS cloud. LoBot provides many other security features for PVI, such as environmental monitoring, tamper detection and secure shutdown.

How does PVI work?
A LoBot is a self-contained virtual machine with a VTPM and a Probe application that is provisioned on a target machine.

1. Upon startup, the VTPM binds itself to the target’s TPM, and then the Probe application reads the platform configuration from the target’s TPM and obtains identifying information about the platform. This information is combined with the VTPM’s own information and cryptographically sealed in a blob that is transferred to the PVI factory.

2. The PVI factory decrypts the blob and examines the information received to determine whether the environment is safe. Once the target environment is determined to be safe, the PVI factory configures the VM and securely transfers it to the target environment, via the LoBot protocol, in a blob encrypted such that only the target platform can decrypt it.

3. At the target environment, the LoBot Probe application receives and unseals the VM. If the blob was tampered with during transfer, this is detected during the decryption phase.
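The three-step exchange above, as an added simulation (this is not the PVI authors’ code or protocol definition): SHA-256 chaining stands in for TPM PCR extension; HMAC-SHA256, used both as a keystream and as an authentication tag, stands in for TPM sealing, with the sealing key derived from the PCR value so that a platform in a different state cannot unseal; and a per-LoBot symmetric key issued by the PVI factory (the page names the factory as the VTPM key authority) stands in for the VTPM’s asymmetric keys. The component names, key and approved-fabric list are constructed.

```python
"""Constructed simulation of the LoBot probe / factory / deploy exchange."""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR' = H(PCR || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_platform(components) -> bytes:
    """Fold the platform's software stack into one PCR value, in boot order."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: bytes, pcr: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate plaintext under a key bound to (key, pcr)."""
    nonce = os.urandom(NONCE_LEN)
    bound = hmac.new(key, b"seal" + pcr, hashlib.sha256).digest()
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(bound, nonce, len(plaintext))))
    tag = hmac.new(bound, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, pcr: bytes, blob: bytes) -> bytes:
    """Fails if the blob was modified or if pcr differs from the value it was sealed to."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    bound = hmac.new(key, b"seal" + pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(bound, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("unseal failed: blob tampered with, or platform state differs from sealing state")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(bound, nonce, len(ciphertext))))


# Constructed PVI factory state: one LoBot key (issued at VTPM creation) and one approved fabric.
LOBOT_KEYS = {"lobot-7": hashlib.sha256(b"constructed key issued by the PVI factory").digest()}
APPROVED_FABRIC = [b"hypervisor-build-2012.05", b"dom0-kernel-3.2", b"vswitch-firmware-v2"]
APPROVED_PCRS = {measure_platform(APPROVED_FABRIC)}
NO_PCR = b""  # the probe report is bound to the LoBot key only, not to a platform state


def lobot_probe(lobot_id: str, platform_components) -> bytes:
    """Step 1: the Probe measures the target and seals its report to the factory."""
    pcr = measure_platform(platform_components)
    report = json.dumps({"lobot": lobot_id, "pcr": pcr.hex()}).encode()
    return lobot_id.encode() + b"|" + seal(LOBOT_KEYS[lobot_id], NO_PCR, report)


def factory_provision(report_msg: bytes, vm_image: bytes) -> bytes:
    """Step 2: the factory unseals the report, checks policy, and seals the VM to the measured state."""
    lobot_id, blob = report_msg.split(b"|", 1)
    key = LOBOT_KEYS[lobot_id.decode()]
    report = json.loads(unseal(key, NO_PCR, blob))
    pcr = bytes.fromhex(report["pcr"])
    if pcr not in APPROVED_PCRS:
        raise PermissionError("target platform state not approved; refusing to provision")
    return seal(key, pcr, vm_image)


def lobot_deploy(lobot_id: str, platform_components, vm_blob: bytes) -> bytes:
    """Step 3: the Probe unseals the VM against the platform's current state."""
    return unseal(LOBOT_KEYS[lobot_id], measure_platform(platform_components), vm_blob)


def provision_vm(lobot_id: str, probe_time_components, deploy_time_components, vm_image: bytes) -> bytes:
    """End-to-end run; the two component lists differ only if the platform changed in between."""
    vm_blob = factory_provision(lobot_probe(lobot_id, probe_time_components), vm_image)
    return lobot_deploy(lobot_id, deploy_time_components, vm_blob)
```

Three failure modes fall out of the construction: a platform whose measured state is not on the factory’s approved list is refused in step 2; a blob altered in transit fails its tag check in step 3; and a platform whose software stack changed between probe and deployment (or a different platform replaying an approved report) derives a different sealing key and cannot unseal the VM, which is the property the text attributes to “encrypted such that only the target platform can decrypt it.” What the simulation does not give you is a real TPM’s hardware root: the LoBot key here is a stand-in, and in a deployment the binding to the physical TPM in step 1 is what stops a malicious host from simply fabricating the measurements.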

PVI Strengths
1. A new paradigm for securing and managing cloud computing services, based on a synergistic relationship between the vendor and the customer of cloud services.
2. Provides information owners the flexibility to manage their own data.
3. The model takes into account all key security concerns.

PVI Weaknesses
1. The model deals only with the infrastructure and platform layers, ignoring the application layer of cloud computing.
2. It introduces the Secure Shutdown and Data Destruction and the Monitoring and Auditing tenets without any methods to obtain them.
3. It introduces the PVI factory and Locator Bot protocol.

Model 2: Cloud computing data security based on an analysis of the HDFS architecture

This model analyses the basic problem of data security in cloud computing. Through an analysis of the HDFS architecture, the data security requirements of cloud computing are derived and a mathematical data model for cloud computing is set up. Finally, a data security model for cloud computing is built.

Introduction
The emergence of the Cloud system has simplified the deployment of large-scale distributed systems for software vendors. The Cloud system provides a simple and unified interface between vendor and user, allowing vendors to focus more on the software itself rather than the underlying framework. Applications on the Cloud include Software as a Service systems and multi-tenant databases. The Cloud system dynamically allocates computational resources in response to customers’ resource reservation requests and in accordance with customers’ predesigned quality of service. Risk comes with opportunity, and the problem of data security has become a bottleneck for cloud computing.

Data Security Problems of Cloud Computing

A. Security Problems Arising from Virtual Machines
Virtual machine technology is considered a fundamental component of the cloud computing platform. It brings obvious advantages: the operation of a server no longer depends on a physical device but on virtual servers. With virtual machines, a physical change or migration does not affect the services provided by the service provider, and if a user needs more services, the provider can meet the user’s needs without concern for the physical hardware.

However, virtual servers drawn from a logical server group bring a lot of security problems. Traditional data center security measures sit at the edge of the hardware platform, while in cloud computing one physical server may host a number of virtual servers, and those virtual servers may belong to different logical server groups. There is therefore the possibility of the virtual servers attacking each other, which exposes them to a lot of security threats. Virtual machines extend the edge of the cloud and make the network boundary disappear, thereby affecting almost all aspects of security: traditional physical isolation and hardware-based security infrastructure cannot stop mutual attacks between virtual machines in the cloud computing environment.

B. The Existence of Super-users
The cloud provider carries out the management and maintenance of data, and the existence of super-users greatly simplifies data management, but it is a serious threat to user privacy. Super-user power is a double-edged sword: it brings convenience to users and at the same time poses a threat to them. In an era of personal privacy, personal data should be truly protected, yet the way cloud computing platforms provide personal services has defects in the confidentiality of personal privacy. Not only individual users but also organizations face similar potential threats; for example, corporate users’ trade secrets stored on the cloud computing platform may be stolen. Therefore the use of super-user rights must be controlled in the cloud.

C. Consistency of Data
The cloud environment is a dynamic environment, in which the user’s data moves from the data center to the user’s client. From the system’s point of view, the user’s data is changing all the time. Reading and writing data raise issues of user identity authentication and permissions. In a virtual machine, there may be data belonging to different users, which must be strictly managed. The traditional model of access control is built at the edge of individual computers, so it is weak at controlling reading and writing among distributed computers. It is clear that traditional access control is not suitable for cloud computing environments; the traditional access control mechanism has serious shortcomings here.

D. New Technology
The concept of cloud computing is built on a new architecture. This architecture comprises a variety of new technologies, such as Hadoop and HBase, which enhance the performance of cloud systems but bring in risks at the same time. In the cloud environment, users create many dynamic virtual organizations; co-operation is usually first set up on the basis of a relationship of trust between organizations rather than at the individual level. Policies that express restrictions on individual users on the basis of proof are therefore often difficult to follow, as interactions between virtual machines occur frequently at many nodes and are dynamic and unpredictable. Cloud computing environments give a user full access to resources, which also increases security risks.

Requirement of Security

HDFS (Hadoop Distributed File System) is used in large-scale cloud computing as a typical distributed file system architecture. Its design goal is to run on commodity hardware; thanks to the support of Google and the advantages of open source, it has been applied as the basis of cloud facilities. HDFS is very similar to existing distributed file systems such as GFS (Google File System); they have the same objectives in performance, availability and stability. HDFS was initially used in the Apache Nutch web search engine and became the core of the Apache Hadoop project.

HDFS uses a master/slave mode, as shown in Figure 6. The master is called the Namenode; it manages the file system namespace and regulates client access. The other, slave, nodes are called Datanodes; each Datanode serves the clients that access the blocks it holds. In this storage system, a file is cut into small blocks, and the Namenode maps the file blocks onto Datanodes. While HDFS is not POSIX-compliant, the file system still supports creating, deleting, opening, closing, reading, writing and other operations on files.

Figure 6. HDFS Architecture

By analyzing HDFS, the data security needs of cloud computing can be divided into the following points:

1. Client authentication at login: the vast majority of cloud computing is accessed through a browser client such as IE, so establishing the user's identity is the primary need of cloud computing applications.

2. The single point of failure in the Namenode: if the Namenode is attacked or fails, there will be disastrous consequences for the system. So the effectiveness and efficiency of the Namenode are key to the success of data protection in cloud computing, and enhancing the Namenode's security is very important.

3. Rapid recovery of data blocks and read/write rights control: a Datanode is a data storage node; it may fail, and cannot by itself guarantee the availability of data. Currently each data storage block in HDFS has at least 3 replicas, which is HDFS's backup strategy. As for how to ensure the safety of reading and writing data, HDFS has not given any detailed explanation, so the needs to ensure rapid recovery and to make read and write operations fully controllable cannot be ignored.

4. In addition to the above three requirements, other demands such as access control and file encryption must be taken into account in a cloud computing model for data security.

DATA SECURITY MODEL

A. Principle of Data Security

All data security techniques are built on three basic principles: confidentiality, integrity and availability. Confidentiality refers to hiding the actual data or information; in the military and other sensitive areas the confidentiality requirements on data are especially strict. For cloud computing, where the data is stored in a "data center", the security and confidentiality of user data is even more important. Integrity means that data, in any state, is guaranteed not to be subject to unauthorized deletion, modification or damage. Availability of data means that users can use the data whenever they expect to.

B. Data Security Model

The data model of cloud computing can be described mathematically as follows:

$D_f = C(\text{NameNode})$ (1)

$K_f = f \cdot D_f$ (2)

$C(\cdot)$: the visit to the nodes;

$D_f$: the distribution matrix of the file $f$;

$K_f$: the state of data distribution in the Datanodes;

$f$: the file; file $f$ can be described as $f = \{F(1), F(2), \ldots, F(n)\}$, meaning $f$ is a set of $n$ file blocks, with $F(i) \cap F(j) = \emptyset$ for $i \neq j$, $i, j \in \{1, \ldots, n\}$;

$D_f$ is a zero-one matrix of size $L \times L$, where $L$ is the number of Datanodes.

To enhance the data security of cloud computing, we provide a cloud computing data security model called C2DSM. It can be described as follows:

$D'_f = CA(\text{NameNode})$ (3)

$D_f = M \cdot D'_f$ (4)

$K_f = E(f) \cdot D_f$ (5)

$CA(\cdot)$: authenticated visit to the NameNode;

$D'_f$: privacy-protected form of the file distribution matrix;

$M$: the private matrix that resolves $D'_f$ into $D_f$;

$E(f)$: encrypt file $f$ block by block to obtain the encrypted file vector.

This model is shown in Figure 7.

Figure 7. Cloud Computing Data Security Model

The model uses a three-level defense structure, in which each layer performs its own duty to ensure the security of the data in the cloud.

The first layer is responsible for user authentication: it issues the appropriate digital certificates to users and manages user permissions.

The second layer is responsible for encrypting the user's data and for protecting the users' privacy by a specific mechanism.

The third layer provides fast recovery of user data; this system protection is the last layer of defense for user data.

With this three-level structure, user authentication is used to ensure that data is not tampered with. An authenticated user can manage the data through operations such as add, modify and delete. If the user authentication system is deceived by illegal means and a malicious user enters the system, file encryption and privacy protection provide the next level of defense. In this layer the user's data is encrypted, so even if the key is illegally accessed, privacy protection still prevents the malicious user from obtaining effective access to the information, which is very important for protecting business users' trade secrets in the cloud computing environment. Finally, the rapid file restoration layer, through a fast recovery algorithm, allows user data to be recovered as fully as possible even in case of damage.

From the model the following theorems follow:

- Theorem one: if $D_f$ is not of full rank, then the user has lost data.

Proof: let $D_f$ be the file distribution matrix; then by formula (5), $K_f$ is a vector of length $L$. If $D_f$ is not of full rank, it can be reduced to an $(L-i) \times (L-i)$ matrix with $i \geq 1$, so $K_f$ becomes a vector of length $L-i$, which contradicts the definition of the model.

- Theorem two: if position $i$ of the file vector $K_f$ holds no data, then the user's data is damaged. Here $K_f(i)$ denotes the value at position $i$ of the file vector $K_f$.

Proof: $K_f(i)$ is the amount of data stored on Datanode $i$. By the definition $f = \{F(1), F(2), \ldots, F(n)\}$, if some $F(i)$ does not exist, $i = 1, 2, \ldots, n$, then storing the file has failed. So if $K_f(i)$ holds no data, there is some $i \in \{1, 2, \ldots, n\}$ for which $F(i)$ does not exist in $f$, and the file is damaged.

- Theorem three: if there exists a matrix $J$, $J \neq M$, with $D_f = J \cdot D'_f$, then the user's privacy leaks.

Proof: $M$ is the user's private matrix. With the matrix $M$ we obtain $D_f$. If such a $J$ exists, an illegal user can obtain $D_f$ from $J \cdot D'_f$, so there is a privacy leak.
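As an added example, not the authors' code, the following Python carries the C2DSM definitions (3) to (5) and theorems one and two through on a constructed four-Datanode placement. The toy cipher, the assumption that the file has one block per matrix row (n = L), and the reading of $K_f$ as a block-to-Datanode placement are mine, not the model's.

```python
"""Added example (not the authors' code): a runnable reading of the C2DSM
equations (3)-(5) and of theorems one and two. Matrix shapes, the toy cipher
and the sample file are constructed for illustration."""
from fractions import Fraction
import hashlib

def encrypt_blocks(blocks, key):
    """E(f): encrypt file f block by block with a toy SHA-256 keystream
    (constructed for the example, not a production cipher; XOR twice decrypts)."""
    enc = []
    for i, block in enumerate(blocks):
        stream = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        enc.append(bytes(b ^ stream[j % 32] for j, b in enumerate(block)))
    return enc

def rank(matrix):
    """Rank of a zero-one matrix via Gaussian elimination over the rationals."""
    m = [[Fraction(v) for v in row] for row in matrix]
    r = 0
    for c in range(len(m[0])):
        pivot = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if pivot is None:
            continue
        m[r], m[pivot] = m[pivot], m[r]
        for i in range(len(m)):
            if i != r and m[i][c] != 0:
                factor = m[i][c] / m[r][c]
                m[i] = [a - factor * b for a, b in zip(m[i], m[r])]
        r += 1
    return r

def resolve(m, d_prime):
    """Formula (4): D_f = M . D'_f. M is the user's private matrix, so whoever
    only sees the NameNode's answer D'_f does not learn the real placement."""
    n = len(m)
    return [[sum(m[i][k] * d_prime[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def distribute(enc_blocks, d_f):
    """Formula (5), K_f = E(f) . D_f, read as a placement: Datanode j holds every
    encrypted block i with D_f[i][j] == 1 (assumes one block per row, n = L)."""
    return [[enc_blocks[i] for i in range(len(d_f)) if d_f[i][j]]
            for j in range(len(d_f[0]))]

def theorem_one_holds(d_f):
    """Theorem one: if D_f is not of full rank, the user has lost data."""
    return rank(d_f) == len(d_f)

def theorem_two_damaged(k_f):
    """Theorem two: a position of K_f that holds no data means the file is damaged."""
    return any(not slot for slot in k_f)

# Constructed sample: 4 Datanodes, a 4-block file, a permutation as private M.
FILE_BLOCKS = [b"block-0", b"block-1", b"block-2", b"block-3"]
KEY = b"constructed-demo-key"
M = [[0, 1, 0, 0], [1, 0, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]
D_PRIME = [[1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1], [1, 0, 0, 0]]  # from CA(NameNode)
D_F = resolve(M, D_PRIME)                      # rows: blocks, columns: Datanodes
K_F = distribute(encrypt_blocks(FILE_BLOCKS, KEY), D_F)

# A bad placement: two identical rows (rank-deficient) and an empty Datanode column.
D_BAD = [[1, 1, 0, 0], [1, 1, 0, 0], [0, 0, 0, 1], [0, 1, 0, 1]]
K_BAD = distribute(encrypt_blocks(FILE_BLOCKS, KEY), D_BAD)
```

Running the checks on `D_F` passes both theorems, while `D_BAD` fails theorem one (rank 3 of 4) and theorem two (Datanode 2 holds nothing).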


Model 3:

Towards Achieving Accountability, Auditability and Trust in Cloud Computing

Introduction

It was revealed that 88% of potential cloud consumers surveyed are worried about who has access to their data within the cloud, and would like more awareness of what "goes on" in the cloud's backend physical servers. The lack of confidence in entrusting sensitive information to cloud computing service providers (CSPs) is one of the primary obstacles to widespread adoption of cloud computing. From a system design perspective, trust can be increased by reducing the risk of using the cloud. While risk can be greatly mitigated by privacy protection and security measures such as encryption, these are not enough, particularly as full encryption of data in the cloud is at present not a practical solution. There is a need to complement such preventive controls with equally important detective controls that promote transparency, governance and accountability of the service providers. Current prominent providers still do not provide full transparency or capabilities for tracking and auditing the file access history and data provenance of both the physical and virtual servers used. Methods that increase the accountability and auditability of cloud service providers, such as tracing file access histories, will allow service providers and users to reduce security threats.

This model focuses on the detective controls of tracing data and file movements in the cloud.

Achieving an Accountable Cloud

1. Phases of Cloud Accountability

These phases are collectively known as the Cloud Accountability Life Cycle (CALC). We propose CALC as the following seven phases:


Figure 8. Phases of Cloud Accountability

a. Policy Planning

CSPs have to decide what information to log and which events to log on the fly. There are generally four important groups of data that must be logged:

- Event data – a sequence of activities and relevant information.

- Actor data – the person or computer component (e.g. a worm) which triggers the event.

- Timestamp data – the time and date the event took place.

- Location data – both virtual and physical (network, memory, etc.) server addresses at which the event took place.

b. Sense and Trace

The main aim of this phase is to act as a sensor and to trigger logging, in real time, whenever an expected phenomenon occurs in the CSP's environment.

c. Logging

Considerations include the lifespan of the logs within the cloud, the level of detail to be logged and the location where the logs are stored.

d. Safe-keeping of Logs

- After logging is done, we need to protect the integrity of the logs, prevent unauthorized access and ensure that they are tamper-free.

- Encryption may be applied to protect the logs.

e. Reporting and Replaying

- Reporting tools generate, from the logs, file-centric summaries and reports of the audit trails, the access history of files and the life cycle of files in the cloud.

f. Auditing

- Logs and reports are checked and potential fraud-causing loopholes highlighted.

g. Optimizing and Rectifying

- Problem areas and security loopholes in the cloud are removed or rectified, and control and governance of the cloud processes are improved.
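The CALC phases above say what to log (event, actor, timestamp, location) and that the logs must be kept tamper-free, but not how. As an added example, not code from the paper, the following Python records the four data groups and chains each record to the previous one with an HMAC, so the Auditing phase can detect an edited, dropped or reordered record; the key, host names and sample records are constructed.

```python
"""Added example (not from the paper): a tamper-evident accountability log that
records the four data groups of the Policy Planning phase (event, actor,
timestamp, location) and covers Safe-keeping with an HMAC hash chain, so that
Auditing can detect edited, dropped or reordered records. The key, host names
and records are constructed for the example."""
import copy
import hashlib
import hmac
import json

LOG_KEY = b"constructed-demo-log-key"   # held by the log custodian, not by the logging host
GENESIS = "0" * 64                       # link value of the first record

def _canonical(fields):
    """Canonical JSON so writer and verifier MAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def make_record(prev_mac, event, actor, timestamp, location):
    """One log entry: the four logged data groups plus a link to the previous MAC."""
    body = {"event": event, "actor": actor, "timestamp": timestamp,
            "location": location, "prev": prev_mac}
    body["mac"] = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body

def append_chain(records):
    """Build the chain from (event, actor, timestamp, location) tuples."""
    chain, prev = [], GENESIS
    for event, actor, ts, loc in records:
        rec = make_record(prev, event, actor, ts, loc)
        chain.append(rec)
        prev = rec["mac"]
    return chain

def verify_chain(chain):
    """Auditing: return (ok, index). Recomputes each MAC over the stored fields
    and checks every link points at the previous record's MAC; on failure the
    index is the first record that does not verify."""
    prev = GENESIS
    for idx, rec in enumerate(chain):
        fields = {k: v for k, v in rec.items() if k != "mac"}
        if fields.get("prev") != prev:
            return False, idx
        expected = hmac.new(LOG_KEY, _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, idx
        prev = rec["mac"]
    return True, len(chain)

# Constructed sample: one file's life cycle across two (physical, virtual) locations.
SAMPLE = [
    ("file.create /tenant-a/ledger.db", "user:alice", "2012-06-04T09:00:00Z",
     {"physical": "host-07", "virtual": "vm-3a1"}),
    ("file.read /tenant-a/ledger.db", "svc:backup", "2012-06-04T09:05:00Z",
     {"physical": "host-07", "virtual": "vm-3a1"}),
    ("file.move /tenant-a/ledger.db", "admin:bob", "2012-06-04T10:30:00Z",
     {"physical": "host-12", "virtual": "vm-9c4"}),
]
CHAIN = append_chain(SAMPLE)

def edited_copy():
    """Constructed tampering case: the actor of record 2 is rewritten after the fact."""
    bad = copy.deepcopy(CHAIN)
    bad[2]["actor"] = "user:alice"
    return bad

def dropped_copy():
    """Constructed tampering case: record 1 is silently deleted."""
    return [CHAIN[0], CHAIN[2]]
```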

2. Cloud Accountability Abstraction Layers

Now we address the important question: what data to log? The answer ranges from a system-level log to a workflow-level audit trail transactional log. Such a range shows that there are many abstraction layers of data, and a framework is needed to reduce this kind of ambiguity and increase research focus and impact. As such, we propose the following layers of accountability in a cloud:

Figure 9. Abstraction Layers of Accountability


a. System Layer

At the lowest level lie the system layer logs. The system layer consists of logging within the following components:

- Operating System (OS): OS system and event logs are the most common type of logs associated with cloud computing at the moment. These logs are the main supporting factor for accountability of data in the cloud. Their emphasis has been on health and feedback on system status and on ensuring uptime.

- File System: although the file system is technically part of the OS, it is a major component of the system layer. It is important to trace and record the exact file life cycle and history.

- Network Logs: as clouds are vast networks of physical and virtual servers over a large number of locations, we also need to monitor network logs within the cloud.

b. Data Layer

- This layer contains the logging of data transactions and the life cycle of data.

- The difference from the system layer is that the system layer's file system logs track the life cycle of files, whereas the data layer actually tracks the life cycle of data and the contents of files.

- The same file can contain different sets of data over time.

- Some examples of the data layer are:

I. Data provenance, which records the so-called chains of custody (e.g. the history of owners and authorized users) of the data found in the cloud.

II. Database logs (i.e. histories of updates and actions executed by a database management system on the database).


c. Workflow Layer

- This layer primarily contains logs which reveal the robustness or weaknesses of the governance and controls of a workflow or business process in an organization.

- It correlates with an organization's strategic and management levels.

- It is the key layer audited by most IT auditors and internal audits.

- Examples include:

I. Audit trails from transactions in business process and workflow management systems.

II. Audit trails from information systems of the customer organizations (e.g. ERP systems, Human Resource systems, etc.).

III. Continuous auditing and monitoring tools.

Technical Approaches to Increasing Accountability

We provide three possible technical approaches to creating tools and software which will achieve cloud accountability:

1. Central Watchdog/Manager Service

In this approach, a watchdog service manages a certain set of nodes, watches over the physical and virtual logs of all layers, and stores the logs centrally.

2. Local File Tracking Embedment

In this approach, we imagine that a file is designed to dedicate some of its own storage to bite-sized local logs and provenance data. Currently, this is very difficult to achieve with current file formats.

3. Domain Segregation

Accountability in cloud computing will be more achievable if there is a clear design of different domains from the perspective of CSPs or customers. Internal Zones can depict the CSP's own network, with Trusted Zones for its collaborators, and External Zones for networks outside these two zones. If data leaves the authorized zones, the event will be flagged.


Accountability and auditability are an important perspective towards increasing trust in cloud computing. To achieve accountability and auditability in cloud computing, this model proposed the Cloud Accountability Life Cycle (CALC) and three abstraction layers. With these conceptual foundations, researchers and practitioners can design tools and approaches which address all areas of cloud accountability.

Strengths and Weaknesses

Strengths

1. The design of this model takes into consideration the key security and privacy issues.

2. It proposed the Cloud Accountability Life Cycle (CALC) and three abstraction layers as a starting point for future research.

Weaknesses

1. It is a future-oriented model that is difficult to apply today.

2. It needs too many tools and third parties, which in turn need to be controlled.

3. It ignores migration in cloud computing.


Model 4:

Towards Trusted Cloud computing model

Trusted Cloud Computing Platform (TCCP)

TCCP is a technical solution that guarantees the confidentiality and integrity of computation, in a way that is verifiable by the customers of the service.

Confidentiality: to prevent unauthorized reading of information.

Integrity: to prevent unauthorized writing of information.

Availability: to provide access to information whenever consumers want it.

Vulnerability of IaaS:

- Anyone with privileged access to the host can read or manipulate a customer's data.

- Consequently, customers cannot protect their VMs on their own.

TCCP guarantees the confidentiality and the integrity of a user's VM:

- It allows users to attest to the IaaS provider.

- Users can determine whether the service is secure before they launch their VM.

This model is designed to be applied on Eucalyptus, an open source IaaS platform similar to Amazon's EC2, which manages one or more clusters whose nodes run virtual machines. For simplicity, a single cloud manager (CM) handles a single cluster.

Figure 10. Simplified architecture of Eucalyptus


Attack model

By enforcing a security perimeter, the provider can prevent attacks that require physical access to the machine. However, sys-admins can log in remotely to any machine with root privileges at any point in time.

The Trusted Cloud Computing Platform (TCCP) provides a closed-box execution environment by extending the concept of a trusted platform to an entire IaaS backend. TCCP guarantees the confidentiality and the integrity of a user's VM. It has two components:

o a trusted virtual machine monitor (TVMM)

o a trusted coordinator (TC)

Figure 11. Trusted Cloud Computing Platform

1- Trusted virtual machine monitor (TVMM)

Each node of the backend runs a TVMM that hosts customers' VMs and prevents privileged users from inspecting or modifying them. The TVMM protects its own integrity over time, and complies with the TCCP protocols. Nodes embed a certified TPM chip and must go through a secure boot process to install the TVMM.

o The Trusted Platform Module (TPM) was proposed by the Trusted Computing Group (TCG).

o This chip contains an endorsement private key that uniquely identifies the TPM, and some cryptographic functions that cannot be modified.


2- Trusted coordinator (TC)

The TC manages the set of nodes that can run a customer's VM securely. To be trusted, a node must be located within the security perimeter and run the TVMM. The TC can cope with events such as adding or removing nodes from a cluster, or shutting down nodes temporarily for maintenance or upgrades.

A user can verify whether the IaaS service secures its computation by attesting to the TC.

External trusted entity (ETE)

The ETE is maintained by a third party with little or no incentive to collude with the IaaS provider. It hosts the TC and securely updates the information provided to the TC. The sys-admins that manage the IaaS have no privileges inside the ETE, and therefore cannot tamper with the TC.

Detailed Design

This section contains the details of the TCCP mechanisms: the protocols that manage the set of nodes of the platform that are trusted, and the protocols that secure the operations involving VM management, namely launching and migrating VMs.

1- To be trusted, a node must register with the TC.

Figure 12. Message exchange during node registration


2- VM launch

Figure 13. Message exchange during VM launch

3- VM migration

Figure 14. Message exchange during VM migration
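The three exchanges above (node registration, VM launch, VM migration) all turn on one piece of state: the TC's set of trusted nodes. As an added example, not the TCCP authors' code, the following Python models that coordinator and the three checks; the node names, the perimeter list and the TVMM measurement are constructed, and a plain hash stands in for the TPM-signed measurement a real TC would verify.

```python
"""Added example (not the TCCP authors' code): a simplified trusted coordinator
(TC) that keeps the set of trusted nodes and gates VM launch and migration on
it, as the model describes. Node identities, measurements and the perimeter
list are constructed; a real TC would verify TPM-signed measurements."""
import hashlib

EXPECTED_TVMM = hashlib.sha256(b"constructed tvmm image v1").hexdigest()
SECURITY_PERIMETER = {"node-01", "node-02", "node-03"}   # nodes inside the perimeter

class TrustedCoordinator:
    def __init__(self, expected_tvmm, perimeter):
        self.expected_tvmm = expected_tvmm
        self.perimeter = set(perimeter)
        self.trusted = {}          # node_id -> measurement it registered with
        self.placement = {}        # vm_id -> node_id currently hosting it

    def register_node(self, node_id, tvmm_measurement):
        """Node registration: trusted only if inside the perimeter and running
        the expected TVMM (the measurement stands in for a TPM quote)."""
        if node_id in self.perimeter and tvmm_measurement == self.expected_tvmm:
            self.trusted[node_id] = tvmm_measurement
            return True
        return False

    def remove_node(self, node_id):
        """Maintenance or upgrade: the node leaves the trusted set. Returns the
        VMs that were placed on it and now need to be moved."""
        self.trusted.pop(node_id, None)
        return [vm for vm, n in self.placement.items() if n == node_id]

    def launch_vm(self, vm_id, node_id):
        """VM launch is allowed only on a currently trusted node."""
        if node_id not in self.trusted:
            return False
        self.placement[vm_id] = node_id
        return True

    def migrate_vm(self, vm_id, dest_node):
        """Migration: the VM must be known and the destination must be trusted."""
        if vm_id not in self.placement or dest_node not in self.trusted:
            return False
        self.placement[vm_id] = dest_node
        return True

    def attest(self, vm_id=None):
        """What a user learns by attesting to the TC: the trusted node set and,
        if asked, whether their VM currently runs on one of those nodes."""
        nodes = sorted(self.trusted)
        if vm_id is None:
            return {"trusted_nodes": nodes}
        return {"trusted_nodes": nodes,
                "vm_on_trusted_node": self.placement.get(vm_id) in self.trusted}

def demo():
    """Walk through the three exchanges on constructed nodes."""
    tc = TrustedCoordinator(EXPECTED_TVMM, SECURITY_PERIMETER)
    modified = hashlib.sha256(b"constructed modified tvmm image").hexdigest()
    results = {
        "reg_ok": tc.register_node("node-01", EXPECTED_TVMM),
        "reg_outside": tc.register_node("node-99", EXPECTED_TVMM),  # outside perimeter
        "reg_bad_tvmm": tc.register_node("node-02", modified),      # wrong TVMM
        "reg_ok2": tc.register_node("node-03", EXPECTED_TVMM),
    }
    results["launch"] = tc.launch_vm("vm-a", "node-01")
    results["launch_untrusted"] = tc.launch_vm("vm-b", "node-02")
    results["migrate_untrusted"] = tc.migrate_vm("vm-a", "node-99")
    results["migrate_ok"] = tc.migrate_vm("vm-a", "node-03")
    results["attest"] = tc.attest("vm-a")
    results["evicted"] = tc.remove_node("node-03")
    return results
```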

TCCP Strengths

1- TCCP guarantees confidential execution of guest VMs, and allows users to attest to the IaaS provider and determine whether the service is secure before they launch their VMs.

2- The model focuses on the problem that clients of cloud computing services currently have no means of verifying the confidentiality and integrity of their data and computation. It provides a paradigm and a design to address this problem.

3- The model is designed using mechanisms and protocols that concern cloud computing.

4- This model takes into account all key security issues.

TCCP Weaknesses

1- This model is designed to be applied on the Eucalyptus platform.

2- It uses a third party and does not provide a method to control it.


Conclusion

Cloud computing offers real alternatives to IT departments for improved flexibility and lower cost. Markets are developing for the delivery of software applications, platforms, and infrastructure as a service to IT departments over the "cloud". These services are readily accessible on a pay-per-use basis and offer great alternatives to businesses that need the flexibility to rent infrastructure on a temporary basis or to reduce capital costs. Open source clouds could offer smaller businesses the chance to try out the benefits of cloud computing. Once cloud computing technology and network technology have both been improved, a real golden opportunity exists for the future. Each cloud solution must, however, be tailored to each company, but all companies can benefit from the numerous advantages the technology brings to the table. The technology is still in its early days, but there is already much hype surrounding it, and with impressive results so far this will continue to grow.


References

1- Computer Security Incident Handling Guide [online]. National Institute of Standards and Technology, Gaithersburg, USA: March 2008.

2- Virus and threat description, Virus: Brain [online]. F-Secure Corporation: 2009.

3- Microsoft Security Information [online]. Microsoft Corporation: 2011.

4- Trojan Virus [online]. TopBits; A6 2004 Injection Flaws – The Open Web Application Security Project [online]. MediaWiki: 10 October 2008.

5- Top 10 2010-A6-Security Misconfiguration – The Open Web Application Security Project [online]. MediaWiki: 14 June 2010.

6- A8 2004 Insecure Storage – Open Web Application Security Project [online]. MediaWiki: 10 October 2008.

7- Payment Card Industry Data Security Standard – Navigating the PCI DSS [online].

8- PCI Security Standards Council LLC: October 2010.

9- Shon Harris. CISSP. USA: McGraw-Hill; 2010. p. 686-687.

10- Wayne Jansen, Timothy Grance. National Institute of Standards and Technology. Guidelines on Security and Privacy in Public Cloud Computing, January 2011.

11- F. John Krautheim. Private Virtual Infrastructure for Cloud Computing. University of Maryland, Baltimore County, 1000 Hilltop Circle, Baltimore, MD 21250.

12- Nuno Santos, Krishna P. Gummadi, Rodrigo Rodrigues. Towards Trusted Cloud Computing. MPI-SWS.

13- Qi Zhang, Lu Cheng, Raouf Boutaba. Cloud Computing: State-of-the-Art and Research Challenges. The Brazilian Computer Society, 2010.

14- Danish Jamil, Hassan Zaki. Cloud Computing Security. International Journal of Engineering Science and Technology (IJEST).

15- Kevin Curran, Sean Carlin and Mervyn Adams. Security Issues in Cloud Computing. Elixir Network Engg. 38 (2011) 4069-4072.

16- Michael Armbrust, Armando Fox, and others. A View of Cloud Computing. Communications of the ACM, April 2010, vol. 53, no.
