Wednesday, June 5, 2019
Cloud computing security
Abstract

The term Cloud computing becomes more popular day by day. As this happens, security concerns start to arise. Perhaps the most critical one is that as information is spread into the Cloud, its owner starts to lose control of it. In this spirit we attempt to give a brief overview of what is described by the term Cloud computing and provide a small introduction to what we mean by Cloud computing security (Brunette, 2009). We then discuss the security benefits that Cloud computing introduces, and also the security risks that arise from its adoption, according to ENISA, 2009.

Index Terms: Cloud, security, risks, security benefits.

Introduction

The foundations of Cloud computing started to be built in the early 90s. The main idea behind Cloud computing is to separate the infrastructure and the mechanisms that a system is composed of from the applications and services that it delivers (Brunette, 2009).

Clouds are designed in such a way that they can scale easily, be always available and reduce operational costs. That is achieved through on-demand multi-tenancy of applications, information and hardware resources (such as network infrastructure, storage resources and so on). According to Mell, 2009, Cloud computing is composed of five Essential Characteristics, three Service Models and four Deployment Models, as shown in the figure below. More details on each of the above components can be found in Mell, 2009.

Security

The way that security control is implemented on Cloud computing is most of the time similar to that of traditional IT environments. But due to the distributed nature of the assets, security risks vary depending on the kind of assets in use, how and by whom those assets are managed, what control mechanisms are employed and where those are located, and finally who consumes those assets (Brunette, 2009).

Furthermore, earlier we mentioned multi-tenancy. This means that a set of policies should be in place stating how isolation of resources, billing, segmentation and so on is achieved, in a secure and concise way.

In order to measure whether the security that a Cloud Provider (CP) offers is adequate, we should take into consideration the maturity, effectiveness and completeness of the risk-adjusted security controls that the CP implements. Security can be implemented at one or more levels. The levels that cover just the Cloud infrastructure are physical security, network security, system security and application security. Additionally, security can take place at a higher level: on people, duties and processes.

It is necessary at this point to understand the different security responsibilities that CPs and end users have, and also that the security responsibilities sometimes differ even among different CPs.

Security Benefits

ENISA, 2009 in its report has identified the following top security benefits that arise from the use of Cloud computing.

Security and the benefits of scale: when implementing security on a large system, the cost of its implementation is shared across all resources, and as a result the investment ends up being more effective and cost saving.

Security as a market differentiator: as confidentiality, integrity and resilience are a priority for many end users, the decision on whether they will choose one CP over another is made based on the reputation this CP has on security issues. Hence competition among CPs drives them to provide high-level services.
Standardised interfaces for managed security services: as CPs use standardised interfaces to manage their security services, the Cloud computing market benefits from the uniformity and tested solutions this introduces.

Rapid, smart scaling of resources: Cloud computing is considered resilient since it has the ability to dynamically reallocate resources for filtering, traffic shaping, authentication and encryption.

Audit and evidence gathering: since virtualisation is used in order to achieve Cloud computing, it is easy to collect all the audit data that we need in order to proceed with forensic analysis, without causing downtime during the gathering process.

More timely, effective and efficient updates and defaults: another thing that Cloud computing gains from virtualisation is that virtual machines (VMs) can come pre-patched and hardened with the latest updates. Also, in case of a configuration fault or a disaster caused by changes made on the VM, we can roll back to a previous stable state.

Benefits of resource concentration: having all of your resources concentrated makes them cheaper to maintain and makes physical access control easier. Most of the time this outweighs the disadvantages that such concentration generates.

Security Risks

The following classes of Cloud computing risks were identified by ENISA, 2009.

Loss of governance: as users do not physically possess any resources, CPs take control of a number of them. If those resources are not covered by an SLA, security risks arise.

Lock-in: as we write this paper there is still no standardisation on how to move information and resources among different CPs. That means that in case a user decides to move from one CP to another, or even to migrate those services in-house, they might not be able to do so due to incompatibilities between those parties. This creates a dependency of the user on a particular CP.

Isolation failure: one of the disadvantages of multi-tenancy and shared resources arises when the resource isolation mechanism fails to separate the resources of different users. That can occur either due to an attack (guest-hopping attacks) or due to poor mechanism design. At present, attacks of this kind are pretty rare compared to those against traditional OSs, but we certainly cannot rely on that fact alone. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants.

Compliance risks: there is a possibility that an investment in achieving certification is put at risk for the following reasons:
- The CP cannot provide evidence of their own compliance with the relevant requirements.
- The CP does not permit audit by the cloud customer (CC).
Also, it is possible that compliance with certain industry standards cannot be achieved when using public Cloud computing infrastructure.

Management interface compromise: CPs provide users with a management interface for their resources on public Cloud infrastructures. That makes those interfaces available over the internet, allowing vulnerabilities in remote access applications or web browsers to give unauthorised users access to resources.

Data protection: it is possible for a CP to handle data in ways that are not known to the user (including unlawful ways), since the user loses complete governance of the data. This problem becomes even more obvious when data are transferred often between locations. On the other hand, there are many CPs that provide information on how they handle data, while other CPs additionally offer certification summaries of their data processing and data security activities.

Insecure or incomplete data deletion: there are various systems that, upon a request to delete a resource, will not completely wipe it. Such is the case with Cloud computing as well. Furthermore, difficulties in deleting a resource on time might arise due to multi-tenancy, or due to the fact that many copies of the resource can exist for backup/redundancy reasons. In cases like this, the added risk to the data protection of the user is obvious.

Malicious insider: there is always the possibility that an insider purposely causes damage. For that reason a policy specifying the roles of each user should be in place.

The risks described above constitute the top security risks of Cloud computing. ENISA, 2009 further categorises risks into policy and organisational risks, technical risks, legal risks and finally risks not specific to the Cloud.

Vulnerabilities

The list of vulnerabilities that follows (ENISA, 2009) does not cover the entirety of possible Cloud computing vulnerabilities; it is, though, pretty detailed.

AAA vulnerabilities: special care should be given to the authentication, authorisation and accounting (AAA) system that CPs use. Poorly designed AAA systems can result in unauthorised users having access to resources, with unwanted results for both the CP (legally) and the user (loss of information).

User provisioning vulnerabilities:
- The customer cannot control the provisioning process.
- The identity of the customer is not adequately verified at registration.
- Delays in synchronisation between cloud system components (in time and in profile content) happen.
- Multiple, unsynchronised copies of identity data are made.
- Credentials are vulnerable to interception and replay.

User de-provisioning vulnerabilities: due to time delays that might occur, the credentials of a user that has earlier logged out might appear to still be valid.
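The last three points above (credentials open to interception and replay, and credentials that stay valid after logout or de-provisioning because the revocation state lags behind) come down to how a management interface validates the tokens it accepts. The following is an added example written for this post; it is not code from the paper, from ENISA or from any CP. It assumes a hypothetical TokenService that a management interface would call: tokens are HMAC-signed with a server-side key, carry an expiry and a unique id, logout puts that id on a revocation list, de-provisioning disables the user, and every request carries a one-time nonce so a captured request cannot simply be replayed. The demo() function also validates with the revocation check switched off, which is exactly the stale-credential situation the de-provisioning item describes.

```python
"""Session tokens that fail closed on logout, de-provisioning and replay.

Constructed example; not code from the paper or from ENISA. The TokenService
class and its method names are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


class TokenService:
    def __init__(self, key, ttl=900, clock=time.time):
        self._key = key          # server-side HMAC key; never leaves the CP
        self._ttl = ttl          # token lifetime in seconds
        self._clock = clock      # injectable so the demo can move time forward
        self._revoked = set()    # token ids invalidated at logout
        self._disabled = set()   # users de-provisioned by the customer
        self._seen = set()       # accepted request nonces (in practice bounded to a time window)

    def issue(self, user):
        payload = {"sub": user, "jti": secrets.token_hex(16),
                   "exp": int(self._clock()) + self._ttl}
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode()
        return body + "." + self._sign(body)

    def revoke(self, token):
        """Logout: the token id goes on the revocation list immediately."""
        body, _ = self._split(token)
        self._revoked.add(self._decode(body)["jti"])

    def disable_user(self, user):
        """De-provisioning: every token of the user stops validating at once."""
        self._disabled.add(user)

    def validate(self, token, nonce, check_revocation=True):
        """Return (user, "ok") or (None, reason). Order matters: the signature
        is checked before anything inside the token is trusted."""
        body, tag = self._split(token)
        if not hmac.compare_digest(self._sign(body), tag):
            return None, "bad signature"
        payload = self._decode(body)
        if payload["exp"] < self._clock():
            return None, "expired"
        if check_revocation:
            if payload["jti"] in self._revoked:
                return None, "revoked"
            if payload["sub"] in self._disabled:
                return None, "user de-provisioned"
        if nonce in self._seen:
            return None, "replayed"
        self._seen.add(nonce)
        return payload["sub"], "ok"

    def _sign(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _split(token):
        body, _, tag = token.rpartition(".")
        return body, tag

    @staticmethod
    def _decode(body):
        return json.loads(base64.urlsafe_b64decode(body))


def demo():
    """Walk through the failure modes listed above; returns each outcome."""
    now = [1_700_000_000]  # constructed clock so expiry can be forced
    svc = TokenService(secrets.token_bytes(32), ttl=900, clock=lambda: now[0])
    out = {}
    t = svc.issue("alice")
    out["first use"] = svc.validate(t, "nonce-1")
    out["replayed request"] = svc.validate(t, "nonce-1")   # same nonce captured and resent
    out["fresh request"] = svc.validate(t, "nonce-2")
    svc.revoke(t)                                           # alice logs out
    out["after logout, revocation checked"] = svc.validate(t, "nonce-3")
    out["after logout, revocation ignored"] = svc.validate(t, "nonce-4", check_revocation=False)
    t2 = svc.issue("alice")
    svc.disable_user("alice")                               # customer de-provisions alice
    out["after de-provisioning"] = svc.validate(t2, "nonce-5")
    t3 = svc.issue("bob")
    now[0] += 901                                           # move past the ttl
    out["after expiry"] = svc.validate(t3, "nonce-6")
    tampered = t3[:-1] + ("0" if t3[-1] != "0" else "1")    # flip one hex digit of the tag
    out["tampered"] = svc.validate(tampered, "nonce-7")
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point of the "revocation ignored" case is that a signed token is cryptographically valid until its expiry; without a revocation list that every validating component consults, logout and de-provisioning are only as fast as the synchronisation between those components, which is the delay the item above warns about. A real deployment would also bound the nonce cache by time and share the revocation state across replicas.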
Remote access to management interface: theoretically, this allows vulnerabilities in end-point machines to compromise the Cloud infrastructure (of a single customer or of the CP) through, for example, weak authentication of responses and requests.

Hypervisor vulnerabilities: in virtualised environments the hypervisor is a small piece of middleware used to control the physical resources assigned to each VM. Exploitation of the hypervisor layer results in the compromise of every single VM on that physical system.

Lack of resource isolation: resource use by one customer can affect resource use by another customer. For example, IaaS infrastructures use systems on which physical resources are shared among VMs, and hence among many different users.

Lack of reputational isolation: resource sharing can result in one user acting in such a way that their actions have an impact on the reputation of another user.

Communication encryption vulnerabilities: while data move across the internet, or between different locations within the CP's premises, it is possible that someone will be reading them when poor authentication, acceptance of self-signed certificates and so on are present.

Lack of or weak encryption of archives and data in transit: in conjunction with the above, when failing to encrypt data in transit, data held in archives and databases, un-mounted virtual machine images, forensic images and data, sensitive logs and other data at rest, those data are at risk.

Poor key management procedures: Cloud computing infrastructures require the management and storage of many different kinds of keys; examples include session keys to protect data in transit, file encryption keys, key pairs identifying cloud providers, key pairs identifying customers, authorisation tokens and revocation certificates. Because virtual machines do not have a fixed hardware infrastructure and cloud-based content tends to be geographically distributed, it is more difficult to apply standard controls, such as hardware security module (HSM) storage, to keys on Cloud infrastructures.

Key generation, low entropy for random number generation: the combination of standard system images, virtualisation technologies and a lack of input devices means that systems have much less entropy than physical RNGs.

Lack of standard technologies and solutions: this is the cause of the lock-in risk, where users cannot move across different providers due to the lack of standards.

No control over the vulnerability assessment process: if CPs restrict their customers from port scanning and vulnerability testing their own resources, while the terms of use (ToU) place responsibility for securing those resources on the customer, serious infrastructure security problems will arise.

Possibility that internal (Cloud) network probing will occur: Cloud customers can perform port scans and other tests on other customers within the internal network.

Possibility that co-residence checks will be performed: side-channel attacks exploiting a lack of resource isolation allow attackers to determine which resources are shared by which customers.

Lack of forensic readiness: while the Cloud has the potential to improve forensic readiness, many providers do not provide appropriate services and terms of use to enable this. For example, SaaS providers will typically not provide access to the IP logs of clients accessing content.
IaaS providers may not provide forensic services such as recent VM and disk images.

Sensitive media sanitisation: shared tenancy of physical storage resources means that sensitive data may leak, because data destruction policies applicable at the end of a lifecycle may be impossible to implement (for example, media cannot be physically destroyed because a disk is still being used by another tenant, or the data cannot be located), or because no procedure is in place.

Synchronising responsibilities or contractual obligations external to the Cloud: Cloud customers are often unaware of the responsibilities assigned to them within the terms of service. There is a tendency towards a misplaced attribution of responsibility for activities such as archive encryption to the Cloud provider, even when it is clearly stated in the terms of the contract between the two parties that no such responsibility has been undertaken.

Cross-cloud applications creating hidden dependencies: hidden dependencies exist in the services supply chain (intra- and extra-cloud dependencies), and the Cloud provider architecture does not support continued operation from the Cloud when the third parties involved, subcontractors or the customer company, have been separated from the service provider, and vice versa.

SLA clauses with conflicting promises to different stakeholders: an SLA might include terms that conflict with one another, or that conflict with clauses of other providers.

SLA clauses containing excessive business risk: from the CP's perspective an SLA can hide a number of business risks when one considers the possible technical failures that might arise. From the end user's point of view, SLAs can include terms that are disadvantageous.

Audit or certification not available to customers: the CP cannot provide any assurance to the customer via audit certification.

Certification schemes not adapted to Cloud infrastructures: CPs will not really take any actions to provide security measures that comply with Cloud-specific security standards.

Inadequate resource provisioning and investments in infrastructure: this vulnerability goes hand in hand with the one that follows. Provisioning of resources should be done carefully in order to avoid failures of the provided services.

No policies for resource capping: CPs should provision their resources really carefully. Also, end users should be able to configure the resources that are allocated to them. If the limits of the requested resources exceed those of the available resources, the results can be unpredictable.

Storage of data in multiple jurisdictions and lack of transparency: multiple copies of users' data can exist, since mirroring of the data is performed in order to achieve redundancy. The user should be aware of where those copies are stored. Such a move can introduce unwanted vulnerabilities, since CPs may violate regulations during this time.

Lack of information on jurisdictions: there might be a case where data are stored in a jurisdiction granting a high level of access rights over them. In that case end users should be aware of it in order to take preventive measures.

Conclusion

In this paper we tried to give a brief overview of Cloud computing and discuss what security on Cloud computing means. Furthermore, we made it easy for the reader to understand what the benefits and risks of moving towards Cloud computing are. Vulnerabilities of Cloud computing are listed as they were described in ENISA, 2009, allowing us to have a full view of the considerations that we should keep in mind when moving to Cloud computing.

It is also well understood that exhaustive risk and security control is not recommended for all Cloud computing implementations. The level of control should always depend on a prior evaluation.

There are still a lot of open research areas on improving Cloud computing security; some of those are forensics and evidence gathering mechanisms, resource isolation mechanisms and interoperability between cloud providers.

References

ENISA, 2009: ENISA editors (2009). Cloud Computing: Benefits, risks and recommendations for information security. Accessed 25 March 2010.
Brunette, 2009: Glenn Brunette and Rich Mogull (2009). Security Guidance for Critical Areas of Focus in Cloud Computing, Version 2.1. Accessed 25 March 2010.
Mell, 2009: Peter Mell and Tim Grance (2009). The NIST Definition of Cloud Computing, Version 15. Accessed 26 March 2010.