An Investigation into Threats to Cloud Computing Security - Coursework Example

An Investigation into Threats to Cloud Computing Security A lot of research has gone into building a secure cloud computing structure that we get to use today. However, a lot remains to be done. From the last part of the twentieth century, many core computing experts and mobile technology seers have developed newer and better cloud security solutions which have more control in stages like encryption, virtualization and optical frameworks. The article studies major papers in this field and evaluates the potency of the solutions provided in them. It tries to find out which solutions hold applicable in present day mobile technology and which require a more elaborate set-up. The study also finds out any existing gaps in each of the studies undertaken by the researchers. Introduction : The competitiveness in the field of actively developing cloud security solutions is often confusing to a layman since he cannot differentiate nature of one solution and its applicability from the other. However, for a student of computing, the applications, solutions and suggestions all fall in one frame, which is led by the common and challengingly new threats to security over the cloud. Data fed in to the cloud is secure only as long as the correct solutions are used. And to define the word ‘correct’ in this context, it is highly important to recognize which new threat is the most imposing, be it IaaS, SaaS or PaaS, and which type of threat the solution is addressing. Needless to say, there are quite many threats to cloud security that has triggered such heavy amount of research work. With data access and service hijacking on top concerns, there is a frenzy of activity in these areas. Other than that, there is abuse and nefarious use of cloud computing, use of insecure interfaces and APIs, presence of undocumented malicious insiders, shared technology issues specially in inter-cloud scenarios, and entry of unknown risk profiles. Survey : Security Issues at Application level Ontology is often neglected as a source of security solutions in ACPs (access control policies). According to Hu et al’s presentation at the first International Conference of Cloud Computing, using an SACPL (Semantic Access Control Policy Language) that is derived on ontology, to describe ACPs in the cloud environment would be a workable solution. According to their study, the ideal way to approach this would be to use XACML syntax elements in two sets, one set has ACOOS semantic information annotated while the other set has other elements like confidentiality and priority. The approach easily solves all issues involving mutual understanding and semantic inter-operability on distributed ACPs of resources. This is definitely good when cross organizational set up is involved. On the downside however, the approach does not support automatic conflict resolution for policies and rules. It also fails to provide semantics-based ACP mechanism in cases of variable granularity. With studies in encryption based security revealing how important it is to get the data to be secure, Diallo et al (2012) came up with an approach that uses CloudProtect to extend the middleware. CloudProtect will perform the function of storing the user’s application data in encrypted form and therefore, would protect the privacy of the data. While this is highly secure, it is a difficult step by step procedure that delays processing when applications require user’s data in plain text format. Therefore, the approach is not universally applicable. Security issues at Network Level: Intrusion Detection Systems All cloud computing experts are aware that multiple VM joint s on the cloud lead to increased security concerns. While different researchers have attempted to come up with different solutions, Bakshi and Yogesh (2010) have come up with a procedure to secure VMs from DDoS attacks. According to their approach, using an IDS tool, like the Snort derived NIDS tool, can help stop DDoS attacks on the VM. The tool has to be installed in the VM and will be able to block packets coming from an IP which shows suspicious activity. In fact, when not directed to block the packets, the tool still sends in notifications of such suspicious activity to the source IP. The tool also transfers all the service running through the affected VM to another VM for undisrupted services. This is useful only as long as the suspicious activity detected is correct. Sometimes useful services are thought of as suspicious activity and blocked, which is a loss for the source IP. Mazzariello et al (2010) suggested a similar defense using Snort based tools. Open source Eucalyptus Cloud environment has cloud controllers and physical hosing machines. The tool is installed on both these points and detects intrusions through external networks. This approach saves the trouble of installing different IDS tools on different VMs. However, both of the above approaches are not useful in stopping intrusions that are not recognized by Snort. With many studies indicating towards the use of V-IDS, we cannot but ignore the contribution of Pasquale Donadio (2012), who suggests a pretty complete study on the efficacy of and possibilities of using V-IDS in his work, “Virtual Intrusion Detection Systems” in the cloud. According to him, multiple performance based goals are addressed through the use of this approach. And the icing on the cake comes with the fact that the use of V-IDS across inter cloud scenarios will allow users to surf the internet securely. Out of the many network level security solutions, this by far is the most recent and promising solutions as it addresses virtualization with equal importance as it gives to intrusion detection systems. Talking of DDoS attacks, a very recent study showed that even DDoS can be classified into traditional and economic forms. According to Sandar et al (2012), EDoS, which is arguable the HTTP or XML based DDoS attack, can be handled by using firewall and a puzzle server. While the firewall detects it at the Cloud’s entry point, the puzzle server requires authentication by the user. Their study used traditional firewalls which are not used in cloud technology these days. A scheduler based approach has been brought in by Lin et al (2010). They have suggested that the Grid be integrated with intrusion detection systems which collects traffic information from multiple switches using multiple dispatchers. The Scheduler sends the information to the intrusion detector which reports if detector load is low in any case. The solution utilizes several nodes and is therefore, prone to snags, although it can be relied upon to overcome performance bottlenecks and sortens out distribution of load. Security Issues in data Access and Storage Level With respect to data access over the cloud, a heavy number of commercial security solutions are available to the common user. The study proposed by Mowbray et al (2009) is a careful combination of preference settings, privacy managers and data access features. The main idea rests in the fact that such privacy settings will not allow the attacker to reveal data stored on the cloud. Only the rightful owner of the data can retrieve the information since he or she will directly de-obfuscate the data. It is important that the feedback module and personae module in their suggestion aptly support the data access system on the cloud, which is in turn created using cryptographic techniques. The use of challenge questions is another clever solution that came up in Stolfo et al’s (2012) work. According to the practice, user behavior profiling is used based on data access patterns. This way the decoy documents stored on the cloud have the user’s real data act as sensors to any illegitimate access to the data and block with challenge questions whenever there is a doubt. This is an efficient way except for the fact that when multiple users are present for the same user. Storing multiple user data for same client is often a problem and therefore, challenge questions are posed no matter the validity of the data owner’s identity. For OS level detection and securing of threats, Volokyta et al (2012) suggested that virtual machines be monitored to increase security. The process relies on the use of a detector that monitors the host OS for integrity checking. A log file is used to store information regarding all malicious activities and an integrated Cloud resources checks the log file using a VMM. The only main drawback of this method is that if the VMM is manipulated, the guest operating softwares can be susceptible to foreign intrusion. Analysis of studies: Gaps and opportunities As is evident from the study above the top threats to cloud computing are many in number with data loss and leakage and service hijacking being on the topmost of the list. While other solutions try to address DDoS reports, there are a host of solutions targeted at IaaS, SaaS, and PaaS levels of cloud computing. As mentioned earlier, the use of a carefully developed design (Pearson, 2009) is a great way to begin. Yet there are several hurdles to be crossed. Whether it is at the level of authentication or at the level of virtualization, there is a great deal of work remaining to be completed to face up to the many cloud based challenges. To begin with, in the work that has been done up to now, there is a clear indication of localization of solutions. The solutions are being proposed for identified bugs or hacking mechanisms. They are applicable to only one or two kinds of malicious activities. With many security protocols monitoring the main node or virtual machine managers, the chances of compromise by hackers has increased. According to Celesti et al (2010), addressing problems in inter-cloud scenarios has further become tough due to the IDP coming from different sources, some of which may be developed for malicious purposes. Therefore, a universal approach that installs monitoring units at multiple levels of the cloud computing system is the ideal solution today. The prototype designed by Donadio (2012) and his team was realized on OpenNebula and DRAGON technologies and proved worthy of use across other open source technologies. The work is based on a combination of virtualization, cloud computing and GMPLS control plane. The outcome of this study is yet to be studied across other open source technologies and may be useful for the purpose of commercial mobile-cloud integration. In spite of such conclusive works derived after thorough reconsideration of studies like those conducted by Satyanarayana et al (2009), wherein the performance of VM monitoring and overlay creation over cloudlet set-ups can efficiently secure mobile cloud technology. The technology has sufficient promise in it and does not fail to take into account the possibilities of combining virtualization with mobile technology. However, practical applications in commercial perspectives are important and will not be workable unless the cloudlet creation and integration protocols are standardized through well defined algorithms. Therefore, it becomes very evident that in the coming years, design of the cloud environment will play an important role in creating the correct opportunities for integration of security solutions. According to Pearson (2009), production environments based on cloud can offer very fast and swift services to end users, which therefore require a small design with lesser number of nodes to monitor and secure. This design concern is important to ensure that user’s data is safe in the cloud as well as networked environments. He suggests the use of a privacy impact assessment to ensure that the process of designing keeps security upmost in the mind all through initiation, planning, execution, closure, and decommission. The study is however, limited to predictions that all privacy assessment and audit protocols are well defined and standardized internationally. As indicated above, the use of extensive encryption and challenge questions may lead to security of data. However, since the cloud is a dynamic platform wherein the user ma access data from any IP, there may be trouble in accessing the data by the original user. The Path Computational Client – Path Computational Element approach suggested by Donadio (2012) is a wise solution since it powers self automation for all the systems. Although the elements of cloud computing which are not compatible with the PCEP may not benefit from this approach, the approach sure reduces the number of nodes to monitor. The scheduler system suggested by Lin et al (2010) has a traditional flavor to it since schedulers work only in pre-set frequencies. The need to take care of ad hoc intrusions does not get addressed in this respect and is therefore, unfit for the mobile technology applications of today. Ontology and IDS based tools seem to hold promise for future applications and studies while VMMs hold a certain amount of promise when integrated in cloudlet technology. Many of the developments being made in this field correspond with the directions in which studies in network science. Network science, a factor that is increasingly becoming important in cloud computing, relies on probability, graph and dynamic systems theory to describe processes like synchronization and virus spread. These include new external graphs, asymptotic scaling laws, new levels on topology metrics. If conclusions from these approaches can be applied to cloud computing threats, then a number of holistic universal solutions can be achieved. The main aim of the cloud computing fraternity should be towards gathering all recent research information on a single database server and allowing students and professors of cloud computing to access all files while developing their results. In fact, to optimize studies on cloud security, local cloud design and functional information must be shared. Conclusion With this we come to closing thoughts of this study, which mainly revolves around the use of self regulatory approach to virtual machine managers and encryption protocols. PCEP provides unique scope in this regard while cloudlet creation adds a new dimension to the entire cloud computing environment. Needless to say, the future holds a lot in store for mobile technology to find the right level of security in cloud computing. To start the drive, one needs to seriously take into account the research base provided by Satyanarayana (2009), Donadio (2012), and Pearson (2009). These easily give us a header into the rest of the studies and how to go about integrating them into a set framework. It is indeed important that security issues in data access, application level and network levels of cloud computing are taken care of. While a lot can be said about VMMs being more relevant in securing mobile cloud computing protocols, there is equal amount of evidence that IDS can be perfected using different tools on not just VMMs but also on other elements of the cloud computing system. An efficient design layout will further support these tools while minimizing their requirement on the while. Ultimately, it is highly essential that mobile cloud grows secure since more and more end users are storing important data through their smartphones and hand devices like tablets and smartwatches. In such a scenario, it becomes important to address threats to a whole new world of mobile cloud technology, which is on the rise these days. References 1. Bakshi A, Dujodwala YB (2010) Securing cloud from ddos attacks using intrusion detection system in virtual machine. In: Proceedings of the 2010 second international conference on communication software and networks, ICCSN’10, pp 260–264 2. Diallo MH, Hore B, Chang EC, Mehrotra S, Venkatasubramanian N (2012) Cloudprotect: managing data privacy in cloud applications. In: IEEE CLOUD 3. Hu L, Ying S, Jia X, Zhao K Towards an approach of semantic access control for cloud computing. In: Proceedings of the 1st international conference on cloud computing, pp 145–156 4. Lin D, Squicciarini A (2010) Data protection models for service provisioning in the cloud. In: Proceeding of the ACM symposium on access control models and technologies, SACMAT’10 5. Mazzariello C, Bifulco R, Canonoco R (2010) Integrating a network ids into an open source cloud computing. In: Sixth international conference on information assurance and security (IAS), pp 265–270 6. Mowbray M, Pearson S (2009) A client-based privacy manager for cloud computing. In: Proceedings of the fourth international ICST conference on communication system softWAre and middleware, COMSWARE’09, pp 1–8 7. Sandar SV, Shenai S (2012) Economic denial of sustainability (edos) in cloud services using http and xml based ddos attacks. Int J Comput Appl 41(20):11–16 8. Stolfo SJ, Salem MB, Keromytis AD (2012) Fog computing: mitigating insider data theft attacks in the cloud. In: 2012 IEEE symposium on security and privacy workshops. IEEE Press, New York, pp 125–128 9. Pearson, S. (2009) Taking Account of Privacy when Designing Cloud Computing Services. Hewlett-Packard Development Company, L.P. retrieved on 16th September, 2014 from: http://shiftleft.com/mirrors/www.hpl.hp.com/techreports/2009/HPL-2009-54.pdf 10. Satyanarayana,M., Bahl,P., Caceres,R., & Davies,N. (2009). The Case for VM-Based Cloudlets in Mobile Computing. Pervasive Computing. Retrieved on 16th September, 2014 from: http://www-inf.telecom-sudparis.eu/COURS/MOPS-RM/Articles/Satyanarayanan09-VMBasedCloudlets.pdf 11. Volokyta A (2012) Secure virtualization in cloud computing. In: 2012 international conference on modern problems of radio engineering telecommunications and computer science (TCSET), p 395 Read More