
Security Issues and Solutions in Cloud Computing

Abstract

Cloud computing is a growing area of concern in the IT security community because cloud architectures are literally popping up all over. Public clouds are available from,, Microsoft, Oracle/Sun, Canonical/Eucalyptus and many other vendors. Private cloud technologies, where the cloud software is loaded on local or in-house server hardware, are available from VMware, Eucalyptus, Citrix, Microsoft, and there are thousands of vendors offering cloud solutions of all sorts. A search for private cloud hosting on produced 581,000 page results. With all of the hyperbole has come a large swell of early-adopters and developers. This paper is concerned with discovery of the vulnerabilities in the landscape of clouds, discovery of security solutions, and finding evidence that early-adopters or developers have grown more concerned with security.

Keywords: cloud computing, cloud security

Security Issues and Solutions in Cloud Computing

This paper concerns security issues and solutions in cloud computing. Cloud computing is a catch-all phrase that covers virtualized operating systems running on virtual hardware on untold numbers of physical servers. The cloud term has consumed High-Performance Computing (HPC), Grid computing and Utility Computing. The Cloud Security Alliance has adopted the definition developed by NIST: computing in the cloud is a model exhibiting the following characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service (Cloud Security Alliance Guidance Version 2.1, 2009, p. 15). This is an area that appears to be growing larger and more pervasive as the benefits of cloud architectures become better understood. More organizations start their own cloud projects and more application developers sign on for cloud development as the hyperbole is shaken out and the real parameters of the key technologies are discovered and perfected.

The basic areas of cloud vulnerability are similar to the standard issues that surround networking and networked applications. The issues specific to cloud architectures include network control being in the hands of third parties and a potential for sensitive data to be available to a much larger selection of third parties, both on the staff of the cloud providers and among the other clients of the cloud. The quick adoption of the cloud model is plain in the success of the Amazon Elastic Cloud Computing (EC2) product, the buy-in from IBM with their backing of the highly concurrent, massively parallel language X-10 (Saraswat, Vijay, 2010) and Microsoft's investment in its Azure cloud (Qiu et al., 2009). Janine Milne reported that eight of ten businesses surveyed in the UK were opting for private cloud initiatives rather than public cloud projects, and they stated the issues of concern to be data security in transit, in storage or during processes (Milne, 2010). It is plain that the field is full and the harvest for the IT security profession and IT in general is excellent. The literature available on cloud security is plentiful, and there is enough higher-quality work to develop a conceptual framework for security issues and solutions.

Cloud computing is a marketing term that refers to web-based application, storage, and communications services. Though this move to computing in the cloud seems to be inevitable, at least part of the reason why it is inevitable is expedience for the supplier companies, and vendor lock-in, or as Richard Stallman says in the Guardian, "If you use a proprietary program or somebody else's web server, you're defenceless (sic). You're putty in the hands of whoever developed that software." (Cloud computing is a trap, warns GNU founder | Technology |, 2008) Perhaps because the definition of Cloud Computing is so broad and vague, there is a tendency to define it by what it is not. There is also a tendency to define as cloud computing whatever is in great supply, such as a large data center's surplus processing capacity. Christodorescu, Sailer, Schales, Sgandurra & Zamboni (2009) point out that clouds are not synonymous with virtualization, though most clouds must use some sort of virtualization at hardware, OS or application level (Christodorescu, Sailer, Schales, Sgandurra, & Zamboni, 2009, p. 99).

Cloud computing shares certain vulnerabilities with other network-based application, storage and communication platforms, in several broad areas:

Web application vulnerabilities, such as cross-site scripting and SQL injection (which are symptomatic of poor field input validation), buffer overflow, as well as default configurations or misconfigured applications.

Accessibility vulnerabilities, which are vulnerabilities inherent to the TCP/IP stack and the operating systems, such as denial of service and distributed denial of service (Krügel, Toth, & Kirda, 2002).

Authentication of the respondent device or devices. IP spoofing, RIP attacks, ARP poisoning (spoofing), and DNS poisoning are all too common on the Internet. TCP/IP has some unfixable flaws, such as the trusted-machine status of machines that have been in contact with each other, and the tacit assumption that routing tables on routers will not be maliciously altered.

Data verification, tampering, loss and theft, while on a local machine, while in transit, while at rest at the unknown third-party device or devices, and during remote back-ups.

Physical access issues, both the issue of an organization's staff not having physical access to the machines storing and processing the data, and the issue of unknown third parties having physical access to the machines.

Privacy and control issues stemming from third parties having physical control of the data are an issue for all outsourced networked applications and storage, but cloud architectures have some specific issues that are distinct from the usual issues. Christodorescu et al. show a significant gap between what is assumed and what is reality: it is assumed that all virtual machines are brought into existence clean, when in reality a compromised hypervisor can spawn compromised VMs; or that all VM operating systems are known and available for audit, when in reality the Windows source code, among others, is not available for audit (Christodorescu et al., 2009, p. 100).

Security Solutions
There are several groups interested in developing standards and security for clouds and cloud security. The Cloud Security Alliance (CSA) is gathering solution providers, non-profits and individuals to enter into discussion about the current and future best practices for information assurance in the cloud (Cloud Security Alliance (CSA) security best practices for cloud computing, 2009). The Cloud Standards web site is collecting and coordinating information about cloud-related standards under development by other groups (CloudStandards, 2010). The Open Web Application Security Project (OWASP) maintains a top 10 list of vulnerabilities to cloud-based or Software as a Service deployment models, which is updated as the threat landscape changes (OWASP, 2010). The Open Grid Forum publishes documents containing security and infrastructural specifications and information for grid computing developers and researchers (Open Grid Forum, 2010).

Web Application Solutions

The best security solution for web applications is to develop a development framework that shows and teaches a respect for security. Tsai, W., Jin, Z., & Bai, X. (2009) put forth a four-tier framework for web-based development that, though interesting, only implies a security facet in the process (Tsai, Jin, & Bai, 2009, p. 1). "Towards best practices in designing for the cloud" by Berre, Roman, Landre, Heuvel, Skår, Udnæs, Lennon, & Zeid (2009) is a road map toward cloud-centric development (Berre et al., 2009), and the X10 language is one way to achieve better use of the cloud capabilities of massive parallel processing and concurrency (Saraswat, Vijay, 2010).

Accessibility Solutions
Krügel, C., Toth, T., & Kirda, E. (2002) point out the value of filtering a packet-sniffer output to specific services as an effective way to address security issues shown by anomalous packets directed to specific ports or services (Krügel et al., 2002). An often-ignored solution to accessibility vulnerabilities is to shut down unused services, keep patches updated, and reduce permissions and access rights of applications and users.
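The effect of filtering sniffer output per service before looking for anomalies, as an added example that is not from the paper or from Krügel et al.: it learns a payload-length baseline per destination port and compares the alerts with those from a single unfiltered baseline. The length-only score, the threshold and the sample records are assumptions made for the illustration; it is not the model used in the cited study.

```python
import statistics
from collections import defaultdict

# Constructed records standing in for packet-sniffer output:
# (destination port, payload length in bytes). Not real capture data.
TRAINING = (
    [(53, n) for n in (28, 31, 33, 29, 35, 30, 32, 34, 27, 31)]
    + [(80, n) for n in (310, 420, 515, 380, 460, 290, 540, 405, 350, 475)]
)
OBSERVED = [(53, 30), (80, 400), (53, 400), (8080, 120)]

ALL_TRAFFIC = "all"  # profile key used when traffic is not split by service


def _key(port, per_service):
    return port if per_service else ALL_TRAFFIC


def build_profiles(records, per_service=True):
    """Learn (mean, standard deviation) of payload length per profile key."""
    lengths = defaultdict(list)
    for port, length in records:
        lengths[_key(port, per_service)].append(length)
    return {k: (statistics.mean(v), statistics.pstdev(v))
            for k, v in lengths.items()}


def anomaly_score(profile, length):
    """Distance from the learned mean, in standard deviations."""
    mean, std = profile
    if std == 0:
        return 0.0 if length == mean else float("inf")
    return abs(length - mean) / std


def flag(records, profiles, per_service=True, threshold=3.0):
    """Return (port, length, reason) for every record worth a closer look."""
    alerts = []
    for port, length in records:
        profile = profiles.get(_key(port, per_service))
        if profile is None:
            # Traffic to a port that was never profiled is itself notable.
            alerts.append((port, length, "no baseline for service"))
        elif anomaly_score(profile, length) > threshold:
            alerts.append((port, length, "length anomaly"))
    return alerts


def compare():
    """Alerts with per-service profiles versus one profile for all traffic."""
    per_service = flag(OBSERVED, build_profiles(TRAINING, True), True)
    unfiltered = flag(OBSERVED, build_profiles(TRAINING, False), False)
    return per_service, unfiltered


if __name__ == "__main__":
    per_service, unfiltered = compare()
    print("per-service alerts:", per_service)
    print("unfiltered alerts: ", unfiltered)
```

A 400-byte payload is ordinary for the web service but far outside the DNS baseline, so only the per-service profiles raise it; the single mixed baseline is too wide to notice.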

Authentication Solutions
Halton and Basta (2007) suggest that one way to avoid IP spoofing is to use encrypted protocols wherever possible. They also suggest avoiding ARP poisoning by requiring root access to change ARP tables; using static, rather than dynamic, ARP tables; or at least making sure changes to the ARP tables are logged (Basta & Halton, 2007, p. 166).
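One way to log changes to the ARP table, as an added example that is not from the paper or from Basta and Halton: it compares two snapshots in the layout of the Linux /proc/net/arp file and reports added, removed and changed entries, marking a change to a static entry separately. The snapshots, addresses and function names are constructed for the illustration.

```python
ATF_PERM = 0x04  # Linux flag bit marking a permanent (static) ARP entry

# Constructed snapshots in the layout of /proc/net/arp (not real captures).
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:00:00:00:01     *        eth0
192.0.2.10       0x1         0x6         02:00:00:00:00:10     *        eth0
192.0.2.20       0x1         0x2         02:00:00:00:00:20     *        eth0
"""
AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:00:00:00:66     *        eth0
192.0.2.10       0x1         0x6         02:00:00:00:00:10     *        eth0
192.0.2.30       0x1         0x2         02:00:00:00:00:66     *        eth0
"""


def parse_arp(text):
    """Map each IP to (MAC address, is_static) from a /proc/net/arp dump."""
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hw_type, flags, mac = fields[:4]
        flag_bits = int(flags, 16)
        if flag_bits == 0:
            continue  # incomplete entry: no address has been resolved yet
        table[ip] = (mac.lower(), bool(flag_bits & ATF_PERM))
    return table


def diff_tables(before, after):
    """List (event, ip, detail) tuples describing how the table changed."""
    events = []
    for ip in sorted(set(before) | set(after)):
        old, new = before.get(ip), after.get(ip)
        if old is None:
            events.append(("added", ip, new[0]))
        elif new is None:
            events.append(("removed", ip, old[0]))
        elif old[0] != new[0]:
            # A static entry should never change without an administrator.
            kind = "static-changed" if old[1] else "changed"
            events.append((kind, ip, f"{old[0]} -> {new[0]}"))
    return events


def shared_macs(table):
    """MAC addresses that answer for more than one IP in a single snapshot."""
    owners = {}
    for ip, (mac, _static) in table.items():
        owners.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


if __name__ == "__main__":
    old_table, new_table = parse_arp(BEFORE), parse_arp(AFTER)
    for event in diff_tables(old_table, new_table):
        print(*event)
    print("shared MACs:", shared_macs(new_table))
```

A gateway address whose MAC changes, and a MAC that now answers for several IPs, are the two log entries most worth reviewing; both can also have benign causes such as replaced hardware or a multi-homed host.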

Data Verification, Tampering, Loss and Theft Solutions

Raj, Nathuji, Singh and England (2009) suggest resource isolation to ensure security of data during processing, by isolating the processor caches in virtual machines, and isolating those virtual caches from the Hypervisor cache (Raj, Nathuji, Singh, & England, 2009, p. 80). Hayes points out that there is no way to know if the cloud providers properly deleted a client's purged data, or whether they saved it for some unknown reason (Hayes, 2008, p. 11). Would cloud providers and clients have custody battles over client data?

Privacy and Control Solutions

Hayes (2008) points out an interesting wrinkle here: "Allowing a third-party service to take custody of personal documents raises awkward questions about control and ownership: If you move to a competing service provider, can you take your data with you? Could you lose access to your documents if you fail to pay a bill?" (Hayes, 2008, p. 11). The issues of privacy and control cannot be solved, but merely assured with tight service-level agreements (SLAs) or by keeping the cloud itself private.

Physical access solutions

One simple solution, which Milne (2010) states to be widely used by UK businesses, is simply to use in-house private clouds (Milne, 2010). Nurmi, Wolski, Grzegorczyk, Obertelli, Soman, Youseff, & Zagorodnov show a preview of one of the available home-grown clouds in their (2009) presentation, The Eucalyptus Open-Source Cloud-Computing System (Nurmi et al., 2009).

The largest gap between cloud-security practice and cloud-security research lies in the fact that the assumptions in the research leave out some very important differences between cloud security and virtual machine security, as pointed out by Christodorescu et al. (2009). My research questions will center around these differences, and I intend to develop a mixed-method research framework to discover how the vulnerabilities are exploited, and what must be done to close the vulnerabilities. One of the pieces of the framework might be developing a way to monitor the cloud's management software, and another might be development of isolated processing for specific clients' applications. Having a way to tell whether the virtual machines in the cloud are patched properly would also be a useful part of the framework. People's behavior can be tracked and monitored; for instance, whether people allow the automated patching software to run, whether they update anti-virus software definitions (on virtual machines running operating systems that are susceptible to viruses, worms and other such malware), or whether they understand how to harden their virtual machines in the cloud.

Annotated Bibliography

Basta, A., & Halton, W. (2007). Computer Security and Penetration Testing (1st ed.). Delmar Cengage Learning.
This source is an exhaustive overview of the common computer security issues and penetration tools used to exploit these vulnerabilities. The methodology of the several experiments with the tools of the penetration-testing trade is quantitative primary research by Halton. This textbook was peer-reviewed, and the authors are both educators in the field of IT and IT security. Basta received his PhD in Mathematics from Alexandria University in Egypt and Halton helped develop the Masters in IT Security & Assurance at Capella University. Writing this book was very useful in my professional career. It is one of fifteen or sixteen very good resources for concisely-written security basics. It would be immodest to give it a rating for quality.

Berre, A. J., Roman, D., Landre, E., Heuvel, W. V. D., Skår, L. A., Udnæs, M., Lennon, R., et al. (2009). Towards best practices in designing for the cloud. In Proceeding of the 24th ACM SIGPLAN conference companion on Object oriented programming systems languages and applications (pp. 697-698). Orlando, Florida, USA: ACM. Retrieved from &coll=portal&dl=ACM&CFID=80867670&CFTOKEN=24312614
Towards best practices in designing for the cloud by Berre, A. J., Roman, D., Landre, E., Heuvel, W. V. D., Skår, L. A., Udnæs, M., Lennon, R., & Zeid, A. (2009). The authors' biographies are present and it is readily apparent that they have the skills and experience to write about this topic (Berre et al., 2009, p. 2). This document is more like a brochure than a report of research findings, but it gives a good framework upon which to develop best practices for cloud development. I give it a 2 out of 10. It is credible but not very useful (Berre et al., 2009). It has not been cited in any other work (ACM Portal, 2010).

Christodorescu, M., Sailer, R., Schales, D. L., Sgandurra, D., & Zamboni, D. (2009). Cloud security is not (just) virtualization security: a short paper. In Proceedings of the 2009 ACM workshop on Cloud computing security (pp. 97-102). Chicago, Illinois, USA: ACM. Retrieved from
Cloud security is not (just) virtualization security: a short paper by Christodorescu, M., Sailer, R., Schales, D. L., Sgandurra, D., & Zamboni, D. (2009). There are five listed authors on this piece, and they are all researchers at IBM, a company well known for its interest in cloud computing. There are no footnotes but the mechanics of the article and the flow are excellent. There are sixteen references on this rather short, six-page paper. This article comes from the proceedings of an ACM workshop, which is second-best, so far as refereed publication goes. A feature article in one of the ACM journals would be stronger. It has not been cited by any other work, per the ACM catalog (ACM Portal, 2010). There is no evidence that this article has been reviewed by peers, and I give it an 8 out of 10 for quality (Christodorescu et al., 2009).

Cloud computing is a trap, warns GNU founder | Technology | (n.d.). . Retrieved March 31, 2010, from
This short article, printed in the UK-based Guardian paper and also online on their web site, points out the self-fulfilling prophecy aspect of cloud computing, with quotes from the always remarkable Richard Stallman and also Larry Ellison of Oracle, among others. Larry Ellison says, "The interesting thing about cloud computing is that we've redefined cloud computing to include everything that we already do" (Cloud computing is a trap, warns GNU founder | Technology |, 2008). He is pointing out the marketing spin that large companies, such as developed the SAAS model to get paid for their excess network capability. This is an opinion piece and, though thought-provoking, gets only 3 out of 10 for quality.

Cloud Security Alliance (CSA) security best practices for cloud computing. (2009). . Retrieved April 16, 2010, from
The Cloud Security Alliance is an industry group created to promote best practices in security within cloud computing platforms and to educate practitioners to use cloud technologies to make other computer architectural models more secure (Cloud Security Alliance (CSA) security best practices for cloud computing, 2009). This goal is in alignment with my own aims in research and practice, and the site is a useful source for news related to cloud security.

Cloud Security Alliance Guidance Version 2.1. (2009). . Cloud Security Alliance. Retrieved from
This resource is a best practices document provided by the Cloud Security Alliance (Cloud Security Alliance (CSA) security best practices for cloud computing, 2009) (CloudStandards, 2010) for guiding practitioners toward a more secure infrastructure. This is a useful starting point for developing a framework for further research.

CloudStandards. (2010 3). . Retrieved April 16, 2010, from
Cloud Standards is an aggregation site chronicling the progress of several organizations that develop the technological standards for the architecture, control and security of clouds. This is a useful site for monitoring the progress of standardization, and for developing my own research questions (CloudStandards, 2010) (Hayes, 2008).

Hayes, B. (2008). Cloud computing. Commun. ACM, 51(7), 9-11. Retrieved from dl=ACM&CFID=80867670&CFTOKEN=24312614
Cloud computing by Hayes, B. (2008). This is an overview article in the ACM's Communications of the ACM. There is only a single author and, though plainly a credible journalist, the author makes no claim to special expertise in this area. It is easy to read but contains only second-hand information. It has been cited thirteen times by other researchers and has been a starting place for over 15,000 readers, based upon the ACM's record. It is a weak source from a solid journal, and I give it a 4 out of 10 (Krügel et al., 2002).

Krügel, C., Toth, T., & Kirda, E. (2002). Service specific anomaly detection for network intrusion detection. In Proceedings of the 2002 ACM symposium on Applied computing (pp. 201-208). Madrid, Spain: ACM. Retrieved from ID=80867670&CFTOKEN=24312614
This resource is an example of quantitative research relating to Service Specific Anomaly Detection. Krügel, Toth and Kirda present the results from a sample of over 75,000 DNS packets to show the value of anomaly detection in the DNS service for developing security solutions for networks (Krügel et al., 2002) (Tsai et al., 2009, p. 2). I give it a 7 out of 10 rating for quality.

Milne, J. (2010, February 9). Private cloud projects dwarf public initiatives. Retrieved from
Milne shows the result of a 2009 survey of UK businesses, and shows the physical access issue is taken very seriously in the UK. The survey reported appears to be a quantitative study of businesses, and is of medium quality, as it is published on the business website, and the writer's qualifications are not mentioned. I give it a 2 out of 10 for quality.

Nurmi, D., Wolski, R., Grzegorczyk, C., Obertelli, G., Soman, S., Youseff, L., & Zagorodnov, D. (2009). The Eucalyptus Open-Source Cloud-Computing System. In Proceedings of the 2009 9th IEEE/ACM International Symposium on Cluster Computing and the Grid (pp. 124-131). IEEE Computer Society. Retrieved from UIDE&CFID=80024999&CFTOKEN=42205166
The Eucalyptus Open-Source Cloud-Computing System by Nurmi, D., Wolski, R., Grzegorczyk, C., Obertelli, G., Soman, S., Youseff, L., & Zagorodnov, D. (2009) is from yet another conference proceeding. It emanates from the University of California, Santa Barbara, and this feature, as well as the open-source nature of the topic, lead one to imagine their bias is not commercial. The article is only eight pages long but carries forty-one references. It has been cited in four other works (ACM Portal, 2010). It is a useful article in the private cloud space. I give it 7 out of 10 for quality (Nurmi et al., 2009).

OWASP. (2010 2). . Retrieved April 16, 2010, from
The Open Web Application Security Project (OWASP) is a not-for-profit organization that develops security software for application testing (OWASP, 2010). OWASP is concerned with Internet and cloud technologies because these areas of study contain myriad application-level vulnerabilities, which are poorly understood by the people who deploy web applications. This is a useful site for application-security researchers.

Open Grid Forum. (2010). . Retrieved April 16, 2010, from
The Open Grid Forum (OGF) is a community of users, developers, and vendors leading the global standardization effort for grid computing (Open Grid Forum, 2010). This is a central point for discussion of grid computing standards. It is a useful site for developing research questions in the grid and cloud space.

Raj, H., Nathuji, R., Singh, A., & England, P. (2009). Resource management for isolation enhanced cloud services. In Proceedings of the 2009 ACM workshop on Cloud computing security (pp. 77-84). Chicago, Illinois, USA: ACM. Retrieved from M&CFID=80867670&CFTOKEN=24312614
Resource management for isolation enhanced cloud services by Raj, H., Nathuji, R., Singh, A., & England, P. (2009). This source was first presented at the same 2009 ACM conference as the Christodorescu et al. article above. All four authors are Microsoft employees, so it would not be terribly surprising if their research is done in Microsoft's Azure cloud and uses the Hypervisor VM management tool. The writing is effective and the results, though not injurious to Microsoft, may be useful in evaluating other companies' tools. They have sixteen cited works and are cited in no other research per the ACM Portal. This is primary research and so I give it 7 out of 10 for quality and validity (Raj et al., 2009).

Saraswat, Vijay. (2010). Report on the Programming Language X10. Retrieved from
This document is the current specification for the X10 programming language. The author is one of the project members and programmers on the team, and an IBM employee. It is an authoritative piece, retrieved from the project's home page. I would give it 9 out of 10 for quality. The only thing that would make it a perfect ten would be if it was published through a refereed scholarly journal.

Tsai, W., Jin, Z., & Bai, X. (2009). Internetware computing: issues and perspective. In Proceedings of the First Asia-Pacific Symposium on Internetware (pp. 1-10). Beijing, China: ACM. Retrieved from citation.cfm?id=1640206.1640207&coll=GUIDE&dl=GUIDE&CFID=80867670&CFTOKEN=24312614
This resource is a high-quality overview of an initiative called Internetware, which focuses on a development model suggested by Yang in 2008 with a four-step structure based upon building a software project through the following four models: Basic component model, Context-driven model, Collaborative model, Intelligent trustworthy model (Tsai, Jin, & Bai, 2009, p. 1). There are five focal points for Internetware: Lifecycle model for Internetware, Ontology, Modeling and simulation, Social ranking for software evaluation, and Adaptation and control (Tsai et al., 2009, p. 2). I give it 7 out of 10 for quality and validity.

Read more: Under Creative Commons License: Attribution Non-Commercial

The benefits and challenges of cloud computing

In recent years, cloud computing has emerged as an important solution offering enterprises a potentially cost effective model to ease their computing needs and accomplish business objectives. Wilson Law, a manager at member firm, Moore Stephens LLP Singapore, provides some key benefits below worth considering:

a) Optimized server utilisation - as most enterprises typically underutilise their server computing resources, cloud computing will manage the server utilisation to the optimum level.

b) Cost saving - IT infrastructure costs are almost always substantial and are treated as a capital expense (CAPEX). However if the IT infrastructure usually becomes an operating expense (OPEX). In some countries, this results in a tax advantage regarding income taxes. Also, cloud computing cost saving can be realised via resource pooling.

c) Dynamic scalability - many enterprises include a reasonably large buffer above their average computing requirement, just to ensure that capacity is in place to satisfy peak demand. Cloud computing provides an extra processing buffer as needed at a low cost and without the capital investment or contingency fees to users.

d) Shortened development life cycle - cloud computing adopts the service-oriented architecture (SOA) development approach, which has a significantly shorter development life cycle than that required by the traditional development approach. Any new business application can be developed online, connecting proven functional application building blocks together.

e) Reduced time for implementation - cloud computing provides the processing power and data storage as needed at the capacity required. This can be obtained in near-real time instead of the weeks or months needed when a new business initiative is brought online in a traditional way.

For all the above benefits of cloud computing, it also incorporates some unique and notable technical or business risks, as follows:

a) Data location - cloud computing technology allows cloud servers to reside anywhere, thus the enterprise may not know the physical location of the server used to store and process their data and applications. Although from the technology point of view location is least relevant, this has become a critical issue for data governance requirements. It is essential to understand that many Cloud Service Providers (CSPs) can also specifically define where data is to be located.

b) Commingled data - application sharing and multi-tenancy of data is one of the characteristics associated with cloud computing. Although many CSPs have multi-tenant applications that are secure, scalable and customisable, security and privacy issues are still often concerns among enterprises. Data encryption is another control that can assist data confidentiality.

c) Cloud security policy / procedures transparency - some CSPs may have less transparency than others about their information security policy. The rationale for such a difference is that the policies may be proprietary. As a result, it may create conflict with the enterprise's information compliance requirement. The enterprise needs to have a detailed understanding of the service level agreements (SLAs) that stipulate the desired level of security provided by the CSPs.

d) Cloud data ownership - the contract agreements may state that the CSP owns the data stored in the cloud computing environment. The CSP may demand significant service fees for data to be returned to the enterprise when the cloud computing SLA terminates.

e) Lock-in with CSPs' proprietary application programming interfaces (APIs) - currently many CSPs implement their applications by adopting proprietary APIs. As a result, transitioning cloud services from one CSP to another has become extremely complicated, time-consuming and labour-intensive.

f) Compliance requirements - today's cloud computing services can challenge various compliance audit requirements currently in place. Data location, cloud computing security policy transparency, and IAM are all challenging issues in compliance auditing efforts. Examples of compliance requirements include privacy and PII laws; Payment Card Industry (PCI) requirements; and financial reporting laws.

g) Disaster recovery - the resiliency of cloud computing is a concern for enterprises, since data may be commingled and scattered around multiple servers and geographical areas. It may be possible that the data for a specific point of time cannot be identified. In traditional hosting, by contrast, the enterprise knows exactly where its data is located, so that it can be rapidly retrieved in the event of disaster recovery. In the cloud computing model, the primary CSP may outsource capabilities to third parties, who may also outsource the recovery process. This will become more complex when the primary CSP does not ultimately hold the data.

Businesses are under increasing pressure to sharpen their business practices. Too few people are aware of the security threats that are emerging. Nevertheless, they are responsible for ensuring that sensitive data will remain authentic, accurate, available, and will satisfy specific compliance requirements. Thus, it is essential for an organisation to understand its current IT risk profile in order to determine the company's levels of IT risk tolerance and IT risk policies, and oversee management in the design, implementation and monitoring of the risk management and internal controls system.