
    International Journal of Computational Intelligence and Information Security, March 2012 Vol. 3, No. 3


    Research Challenges and Security Issues in Cloud Computing

    R. Kalaichelvi Chandrahasan, S Shanmuga Priya and Dr. L. Arockiam

    AMA International University, Kingdom of Bahrain

    M.I.E.T Engg College, Tiruchirappalli, India

    St. Joseph's College, Tiruchirappalli, India


    Abstract

    Cloud computing is a promising computing standard in which the computing resources of large data centers are made available as services over the Internet. It has become prominent in IT by offering data storage capacity to the business environment. This new, profitable paradigm is an attractive, massive, large-scale investment that includes any subscription-based or pay-per-use service over the Internet. It provides on-demand access to virtualized IT services and products. Salesforce, Amazon and Google currently provide such services, charging clients under an on-demand policy. Because users entrust their sensitive data to clouds, i.e. public domains, the major hurdles for cloud adoption are the lack of security and access control. The main setback is insecure information flow, since the service provider can access multiple virtual machines in the cloud. It is therefore necessary to build proper security into cloud implementations. This paper provides an overall view of cloud computing and highlights the possible security issues and vulnerabilities connected with virtualization infrastructure.

    Keywords: Cloud Computing; Virtualization; On-Demand Policy; Security; Service Provider; Public Domains

    1. Introduction

    Cloud computing takes virtual infrastructure and builds upon research in distributed computing, grid computing, utility computing, autonomic computing, networking, web services and software services. It has shown tremendous potential for empowerment, agility, multi-tenancy, reliability, scalability, availability, performance, security and maintenance. Email, instant messaging, business software and web content management can all be offered through a cloud environment. It incorporates many existing technologies such as information and infrastructure consisting of pools of computers, networks, distributed services application, information and storage resources. The US National Institute of Standards and Technology (NIST) defines cloud as follows: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with a minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three delivery models, and four deployment models." [1]

    Due to the ever-growing interest in cloud computing, we focus on issues that are specific to the cloud environment. The rest of this document is organized as follows. Section 2 gives an overview of the cloud, covering the characteristics of cloud computing, service models, deployment models and cloud scalability. Section 3 presents the security challenges in the cloud and the seven layers defined on the basis of the CSA, followed in Section 4 by the Service Level Agreement and the widely used languages for describing web services. Finally, Section 5 concludes the paper and discusses future work.

    2. Cloud: Overview

    2.1 Characteristics of Cloud Computing

    The five characteristics of cloud computing are on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity, and measured service [6].

    2.2 Service Models

    Three layers, referred to as delivery models, provide the resources to the clients.


    Cloud Software as a Service (SaaS): The top layer provides the customer with ready-to-use applications running on the infrastructure of the service provider. The applications are easily accessible from several client devices as on-demand services. Because clients obtain software from different providers, ensuring that the information handled by these services is well secured becomes an issue. Salesforce, DocLanding, Zoho and Workday are instances of SaaS, used for purposes such as email, billing and human resource management.

    Cloud Platform as a Service (PaaS): This is the middle layer, which provides a platform-oriented service, controlling the installed applications and the available hosting environment configuration. The services that an application can request from an OS can be a constraint in PaaS. Google App Engine and LoadStorm are instances of PaaS for running web applications and testing their performance.

    Cloud Infrastructure as a Service (IaaS): The bottom layer provides infrastructure services such as memory, CPU and storage. The consumer can deploy and run software. It reduces hardware costs. License cost is reduced in all layers. Trusting virtual machines, setting up hosts and securing inter-host communication are significant areas to be considered in IaaS. Amazon S3 and FlexiScale are the best examples of IaaS for storage and maintaining virtual servers.

    Figure 1: Cloud Computing Map [2]

    2.3 Deployment Models

    The major factor in providing secure cloud computing is the type of cloud to be implemented. The cloud deployment models offered are:

    Private cloud: This cloud infrastructure is operated solely for a particular organization.

    Community cloud: This cloud infrastructure is available to several specific groups of organizations.

    Public cloud: This cloud infrastructure is intended for the public or a large industry group and can serve multiple tenants.

    Hybrid cloud: It is a composite of two or more clouds.

    2.4 Scalable Web Architectures

    Cloud computing scalability has two dimensions: horizontal cloud scalability and vertical cloud scalability [15].

    Horizontal cloud scalability: It is the facility in which multiple clouds can be integrated and connected to form one logical cloud. For instance, a calculation cloud can be integrated with a storage cloud, or two calculation clouds can be integrated into a larger calculation cloud.

    Vertical cloud scalability: It is the facility in which the capacity of a cloud can be developed by enhancing individual existing nodes in the cloud. For example, providing a server with more physical memory or


    improving the bandwidth that connects two nodes. Additionally, a node can be gradually upgraded from a single

    power machine to a data center.

    Users can store their data in the cloud without needing to know where the data is kept or how it is accessed.

    3. Security Challenges In Cloud

    As promising as it is, cloud computing also faces many security issues, including sensitive data access, data segregation, privacy, authentication and identity management, policy integration, bug exploitation, recovery, accountability, visibility under virtualization, malicious insiders, management console security, account control, and multi-tenancy issues [3], [4]. Solutions to various cloud security issues include cryptography, public key infrastructure, standardization of APIs, and improving virtual machine support and legal support. Public clouds carry the highest risk of data exposure and hence must be managed with proper caution. Understanding the challenges and security risks in the cloud environment and developing solutions are therefore essential to the success of this evolving paradigm [6].

    A survey was conducted by the International Data Corporation (IDC) IT group in 2008 to rate cloud services and their issues. Figure 2 shows the respondents' ratings. It shows that security is the major concern in the cloud computing paradigm.

    Figure 2: Cloud Challenges/Issues survey [17].

    3.1 Data Security

    Cloud vendors face major issues with confidentiality, integrity and availability in data security. Confidentiality concerns who stores the encryption keys. Integrity concerns the absence of common policies for data transfer. Lastly, the most problematic issue is availability, i.e. it is very hard to make applications and resources. Data security includes privileged user access, regulatory compliance, data location, data segregation, recovery, investigative support and long-term viability [5], [10].

    3.2 Key security challenges

    3.2.1 Authentication

    Because cloud users store their information with various services across the Internet, it can become accessible to unauthorized people. To authenticate users and services, the cloud should therefore have an identity management system.

    3.2.2 Access Control

    To identify and admit only authorized users, the cloud should have fine-grained access control policies. Such services should be flexible and easily manageable, and their privilege distribution should be administered efficiently. The access control services should also be integrated on the basis of the Service Level Agreement (SLA).


    3.2.3 Policy Integration

    End users may access many cloud providers, such as Amazon, Google, LoadStorm and others. Each provider may have its own policies and approaches, so there may be conflicts among their policies. A mechanism is therefore needed to detect these inconsistencies and to provide solutions for them.
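
    One way to detect the cross-provider policy inconsistencies described above, as an added example that is not from the paper. The rule format (effect, role, action, resource pattern), the provider names and the roles are assumptions constructed for illustration.

```python
from itertools import combinations

# Constructed sample policies (assumed format, not taken from any provider).
# Rule: (effect, role, action, resource pattern). A pattern is either an
# exact path or a prefix ending in "/*".
POLICIES = {
    "provider-a": [
        ("allow", "analyst", "read", "reports/*"),
        ("allow", "hr", "write", "hr/records/*"),
        ("deny", "analyst", "read", "hr/*"),
    ],
    "provider-b": [
        ("deny", "analyst", "read", "reports/finance/*"),
        ("allow", "hr", "write", "hr/records/*"),
        ("allow", "analyst", "read", "hr/directory"),
    ],
}


def covers(pattern, other):
    """True if every resource matched by `other` is also matched by `pattern`."""
    if pattern.endswith("/*"):
        return other.startswith(pattern[:-1])  # compare against "prefix/"
    return pattern == other


def overlap(p, q):
    """Prefix patterns are either nested or disjoint, so overlap means nesting."""
    return covers(p, q) or covers(q, p)


def find_conflicts(policies):
    """Return rule pairs from different providers that disagree on one access."""
    conflicts = []
    for (prov_a, rules_a), (prov_b, rules_b) in combinations(sorted(policies.items()), 2):
        for eff_a, role_a, act_a, res_a in rules_a:
            for eff_b, role_b, act_b, res_b in rules_b:
                # Only rules about the same role and action can contradict,
                # and only when their effects differ.
                if (role_a, act_a) != (role_b, act_b) or eff_a == eff_b:
                    continue
                if overlap(res_a, res_b):
                    # The contested scope is the narrower of the two patterns.
                    scope = res_b if covers(res_a, res_b) else res_a
                    conflicts.append({
                        "role": role_a, "action": act_a, "scope": scope,
                        prov_a: eff_a, prov_b: eff_b,
                    })
    return conflicts


if __name__ == "__main__":
    for c in find_conflicts(POLICIES):
        print(c)
```

    Each reported conflict names the contested scope, so a composed service can apply an explicit resolution rule (for example, deny overrides) to that scope instead of inheriting whichever provider happens to answer.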

    3.2.4 Service Management

    To meet customers' needs, many cloud providers together form a new composed service and provide a packaged service to customers. In this scenario, there should be a service integrator to obtain the finest interoperable services.

    3.2.5 Trust Management

    As the cloud environment is service oriented, a trust management approach should be developed. It should include trust negotiation factors for the cloud providers and cloud users. The idea is that providers need some level of trust in the users to whom they release their services, and users need some level of trust in the providers from whom they choose their services [11], [12], [13].

    3.3 Seven Layers in Cloud

    A cloud is structured in seven layers on the basis of the Cloud Security Alliance: 1) Facility Layer, 2) Network Layer, 3) Hardware Layer, 4) OS Layer, 5) Middleware Layer, 6) Application Layer and 7) User Layer [7], [8], [14].

    3.3.1 The Facility Layer

    The facility layer provides physical security. Controlling and monitoring physical access to the hardware should be given high priority. Closed-circuit cameras, patrolling security guards, alarm systems, administrator logging, authentication, confidentiality agreements, background checks and visitor access should be incorporated into the surveillance of physical security. The architectural security should also be adequate to guard the data center against any kind of physical attack.

    3.3.2 The Network Layer

    The provider furnishes users with network access to customer data across the Internet in the cloud. Hence the network defense devices should collect information about security events on the networks. The provider should maintain, monitor and audit network flow data, and the customer should request these audits for verification.

    3.3.3 The Hardware Layer

    As customers access services from virtual machines, the provider should maintain and monitor the hardware to ensure that it is tamper-free. The provider should have appropriate protocols to monitor the connection topology, memory use, bus speeds, processor loads, disk storage and so on.

    3.3.4 The OS Layer

    The vital factor to be considered in a cloud environment is securing the host OS. If it can be accessed by illegitimate users, the customer data would be compromised. The provider should deploy an OS that manages to identify where the security policy or configuration might be lacking and prevent future inventions.

    3.3.5 The Middleware Layer

    Middleware involves virtualization management tools, data format conversion, performing security

    functions, and managing access controls. The middleware mediates between the applications and the OS. It

    should monitor and secure communication between various systems. So, the provider should make sure that all

    middleware will accept and transmit only encrypted data and protect it against malicious manipulation.


    3.3.6 The Applications Layer

    Providers offer the application as a service to the public, so the code can be exposed to potentially malicious users. Secure coding and secure software development should therefore be an important consideration. Customers should prefer applications whose source code and business logic can be carefully examined by neutral third parties for potential flaws. Applications should also carry out sufficient monitoring to detect violations in web-based applications. The provider should widely deploy stricter security policies in the application layer.

    3.3.7 The User Layer

    Cloud users are of two types: users of web-based cloud applications and members of a customer organization. The former access cloud information in an insecure environment, while the latter use information that is governed by a security policy. However, access patterns can be monitored for malicious behavior. For example, Google Apps monitors login behavior such as the time and IP address, makes this information available to the user, and notifies the user of aberrant behavior. This idea could be extended to make digests of such alerts available to IT managers about the accounts for which their organization is responsible. In addition, the customer might access sensitive data in public areas. An authorized user can undo many security policies in a few clicks through carelessness, as web browsers have many vulnerabilities that can be manipulated. So user education is the best way to avoid such problems in a cloud environment.
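
    The login monitoring and per-organization digest described above, as an added example that is not from the paper and does not describe any provider's actual implementation. The event records, the thresholds and the rule of grouping accounts by e-mail domain are assumptions; the sample data is constructed and uses IPv4 documentation addresses.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample login events: (account, timestamp, source IP).
# Addresses are from the RFC 5737 documentation ranges.
EVENTS = [
    ("alice@example.org", "2012-03-01T09:05:00", "192.0.2.10"),
    ("alice@example.org", "2012-03-02T09:40:00", "192.0.2.11"),
    ("alice@example.org", "2012-03-03T10:15:00", "192.0.2.10"),
    ("alice@example.org", "2012-03-04T03:12:00", "203.0.113.77"),
    ("bob@example.org", "2012-03-01T14:00:00", "198.51.100.5"),
    ("bob@example.org", "2012-03-02T14:30:00", "198.51.100.9"),
    ("bob@example.org", "2012-03-03T15:10:00", "198.51.100.5"),
    ("carol@example.net", "2012-03-01T08:00:00", "192.0.2.200"),
    ("carol@example.net", "2012-03-02T08:20:00", "192.0.2.201"),
    ("carol@example.net", "2012-03-03T08:45:00", "198.51.100.44"),
]

MIN_HISTORY = 2  # accepted logins needed before an account has a baseline
HOUR_SLACK = 2   # tolerance, in hours, around previously seen login hours


def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def detect(events):
    """Flag logins that deviate from the account's own accepted history."""
    nets, hours = defaultdict(set), defaultdict(set)
    accepted = defaultdict(int)
    alerts = []
    for account, ts, ip in sorted(events, key=lambda e: e[1]):
        hour = datetime.fromisoformat(ts).hour
        # Compare /24 networks so ordinary address churn is not flagged.
        net = ip_network(f"{ip}/24", strict=False)
        reasons = []
        if accepted[account] >= MIN_HISTORY:
            if net not in nets[account]:
                reasons.append("new-network")
            if all(hour_distance(hour, h) > HOUR_SLACK for h in hours[account]):
                reasons.append("unusual-hour")
        if reasons:
            # Flagged logins stay out of the baseline so they cannot train it.
            alerts.append({"account": account, "time": ts, "ip": ip,
                           "reasons": reasons})
            continue
        nets[account].add(net)
        hours[account].add(hour)
        accepted[account] += 1
    return alerts


def digest_by_org(alerts):
    """Group alerts by account domain: the digest an IT manager would receive."""
    digest = defaultdict(list)
    for alert in alerts:
        digest[alert["account"].split("@", 1)[1]].append(alert)
    return dict(digest)


if __name__ == "__main__":
    for org, items in digest_by_org(detect(EVENTS)).items():
        print(org)
        for a in items:
            print("  ", a["account"], a["time"], a["ip"], ",".join(a["reasons"]))
```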

    4. The Service Level Agreement

    As cloud adoption takes several forms in emerging markets such as Service Oriented Architecture (SOA), the quality and reliability of the services become important factors. Nevertheless, the requirements of service consumers vary considerably. From the cloud provider's viewpoint, not all demands of cloud customers can be fulfilled. Hence, through a negotiation process, provider and customer commit to an agreement. In SOA terms, this agreement is referred to as a Service Level Agreement (SLA). The SLA serves as the basis for the expected level of service between the consumer and the provider. Constant monitoring of Quality of Service (QoS) is necessary to enforce SLAs [16], [18].

    The service level agreement is a contract or agreement between the cloud provider and the cloud customer. In cloud computing, the service and data maintenance is done by vendors, so the client has no control over the data or the processes on the data. The communication medium in this scenario is the Internet, i.e. a public environment. The only means by which the vendor can gain the trust of the client is the SLA. The SLA should cover the definition of services, customer needs, performance measurement, problem management, customer duties, warranties, elimination of unrealistic expectations, and termination of the agreement [9].

    As the cloud provides services such as SaaS, PaaS and IaaS, each service has its own security issues. So the SLA has to define several levels of security. Some of them are:

    a. Customer-based SLA
    b. Service-based SLA
    c. Multilevel SLA
    d. Corporate-level SLA
    e. Service-level SLA
    f. Web service level agreement

    Mainly, it should cover a specific range of issues such as the performance of the services to be delivered, tracking and reporting of problems, resolution of disputes, clients' and providers' responsibilities, confidential information and termination.

    Cloud APIs are application programming interfaces (APIs) used to construct applications in the cloud computing environment. With the growing adoption of the cloud, a number of service-oriented architecture (SOA) services have emerged. The widely used languages are REST cloud storage APIs and Web Services Description Language (WSDL). These APIs are Web tolerant. They offer extremely good support for advanced services such as secure sharing and collaboration.

    5. Considerations and Future Work

    Enterprises are implementing the cloud computing phenomenon. As it is essential for the adoption of cloud systems, they should be aware of the emerging security concerns and main research challenges faced by cloud computing. This paper articulated the challenges and issues on the way towards adopting the cloud. The non-profit


    organization "Cloud Security Alliance", formed to use best practices for providing security assurance, has been presented. Additionally, we analyzed the Service Level Agreement that builds trust between cloud providers and cloud customers. We conclude that security is needed at different levels, such as server access security, Internet access security, database access security, data privacy security and program access security. A secure cloud computing environment depends on identifying security solutions. A deeper study of current security approaches to the different security issues related to the cloud should be the focus of future work.

    References

    [1] http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc
    [2] Ramgovind S, Eloff MM, Smith E, "The Management of Security in Cloud Computing", Information Security for South Africa (ISSA) conference, pp 1-7, Sep 2010.
    [3] Meiko Jensen, Jorg Schwenk et al., "On Technical Security Issues in Cloud Computing", IEEE International Conference on Cloud Computing, pp 109-116, October 2009.
    [4] Mladen A. Vouk, "Cloud Computing Issues, Research and Implementations", Journal of Computing and Information Technology - CIT 16, 4, pp 235-246, 2008.
    [5] Herminder Singh & Babul Bansal, "Analysis Of Security Issues And Performance Enhancement In Cloud Computing", International Journal of Information Technology and Knowledge Management, Volume 2, No. 2, pp. 345-349, July-December 2010.
    [6] Hassan Takabi, James B.D. Joshi, Gail Joon Ahn, "SecureCloud: Towards a Comprehensive Security Framework for Cloud Computing Environments", 34th Annual IEEE Computer Software and Applications Conference Workshops, pp 393-398, 2010.
    [7] Jonathan Spring Software Engineering, "Monitoring Cloud computing by layer part 1", Security & Privacy, IEEE vol 9, Issue 2, pp 66-68, Mar 2011.
    [8] Jonathan Spring Software Engineering, "Monitoring Cloud computing by layer part 2", Security & Privacy, IEEE vol 9, Issue 3, pp 52-55, May 2011.
    [9] Balachandra Reddy, Ramakrishna Paturi, Dr. Atanu, "Cloud security Issues", IEEE International conference on Services Computing, pp 517-520, 2009.
    [10] Hassan Takabi and James B.D., "Security and Privacy Challenges in Cloud Computing Environments", Security & Privacy, IEEE, vol 8, Issue 6, pp 24-31, Dec 2010.
    [11] Nelson Gonzalez, Charles Miers, "A quantitative analysis of current security concerns and solutions for cloud computing", Third IEEE International conference on Cloud Computing Technology and Science, pp 231-238, 2011.
    [12] Subhashis Sengupta, Vikrant Kaulgud and Vibhu Saujanya Sharma, "Cloud Computing Security-Trends and Research Directions", IEEE World Congress on Services, pp 524-531, 2011.
    [13] Siani Pearson and Azzedine Benameur, "Privacy, Security and Trust Issues Arising from Cloud Computing", 2nd IEEE International Conference on Cloud Computing Technology and Science, pp 693-702, 2010.
    [14] Cloud Security Alliance Web site, http://www.cloudsecurityalliance.org/
    [15] Lijun Mei, W.K. Chan and T.H. Tse, "A Tale of Clouds: Paradigm Comparisons and Some Thoughts on Research Issues", IEEE Asia-Pacific Services Computing Conference, pp 464-469, 2008.
    [16] Pankesh Patel, Ajith Ranabahu and Amit Sheth, "Service Level Agreement in Cloud Computing", Cloud Workshops at OOPSLA, 2009.
    [17] www.idc.com
    [18] Service Level Agreement Definition and contents, http://www.service-level-agreement.net, accessed on March 10, 2009.


    Authors Profile

    Ms. R. Kalaichelvi Chandrahasan is working as an Asst. Professor at AMA International University, Kingdom of Bahrain. She is currently pursuing her research at Karpagam University, Coimbatore, India. She has published 4 research articles in International / National Journals. Her areas of research interest are Cloud Computing, Data mining and Semantic Web mining.

    Dr. L. Arockiam is working as an Associate Professor at St. Joseph's College, India. He has published 102 research articles in International / National Conferences and Journals. He has also authored two books: "Success through Soft Skills" and "Research in a Nutshell". His areas of research interest are Software Measurement, Cloud Computing, Cognitive Aspects in Programming, Web Service, Mobile Networks and Data mining.

    Ms. S Shanmuga Priya is working as an Asst. Professor in M.I.E.T Engg College,

    Trichy. She is currently pursuing her research in Bharathidasan University,

    Tiruchirappalli, India. Her areas of research interest are Java, Networking and Cloud

    Computing.

    http://www.arockiam.in/publications.php?cat=int