Background Of Infrastructure As A Service


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Cloud computing technology is the next generation of Internet-based, highly scalable distributed computing systems in which computational resources are offered 'as a service'. The cloud computing model is introduced by the National Institute of Standards and Technology (NIST) as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Cloud computing has many advantages and a number of disadvantages. To get the best out of applying it, we need to analyze its security holes and make recommendations for facing these issues.

1.2 Purpose and Scope

The study aims to analyze the benefits and risks of cloud computing and to recommend fixes for its security holes, in order to get the best out of applying cloud computing technology.

1.3 Variables

1.3.1 Independent Variables

Types of clouds (public or private cloud)

Levels of cloud computing: Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS).

Data protection legislation and information laws.

1.3.2 Dependent variables

Level of data and applications security in the cloud.

1.4 Importance of the study

Cloud computing technology has become one of the most interesting and profitable IT fields in Egypt, and many companies in the Egyptian market, for example Raya, Vodafone, Etisalat, and TE Data, have invested in this field to become public cloud providers. This raises the importance of this study, which aims to give both cloud providers and customers a clear view of the security issues concerning cloud computing, so that they can take the right decisions and get the best out of this important technology.

1.5 Research Question

How can we get the advantages and benefits of cloud computing technology while getting rid of its disadvantages and facing its security holes?

2. Literature Review

2.1 Introduction

Cloud computing is one of the top technologies nowadays. The most widely used definition of cloud computing is introduced by the National Institute of Standards and Technology (NIST) as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

The two main features of cloud technology are multi-tenancy and elasticity. Elasticity enables scaling the resources allocated to a service up and down based on current service demand, while multi-tenancy enables sharing the same service instance among different tenants. Both characteristics focus on improving cost, resource utilization, and service availability.

These features have motivated industry to adopt cloud computing to host a wide spectrum of applications, ranging from highly intensive applications down to lightweight services. The cloud model is also well suited to small and medium businesses because it helps them adopt IT without upfront costs in software licenses, infrastructure and other relevant requirements. Governments have also become more interested in using cloud computing to reduce IT costs and increase the availability and capabilities of their delivered services.

Although there are potential benefits to be gained from the cloud computing model, the model still has a lot of issues that affect its popularity. Multi-tenancy and isolation, vendor lock-in, data management, service portability, SLA management, elasticity engines, and cloud security are well-known problems in the cloud computing model.

From the perspective of cloud consumers, security is a major concern that slows down the adoption of the cloud computing model because:

Companies are outsourcing security management to a third party that hosts their IT assets.

Different tenants have assets in the same location, using the same instance of the service, without being sure of the strength of the security controls used.

Lack of security guarantees between the cloud consumers and the cloud providers.

Increased probability of attacks because of hosting assets on publicly available infrastructure.

From the perspective of cloud providers, security requires a lot of cost and resources, but leaving security off the cloud computing technology roadmap will undermine the expected revenues. Public cloud providers therefore have to understand consumers' concerns and find new security solutions that resolve these concerns.

2.2 Service models

Cloud computing providers offer their services according to three models: Infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) where Infrastructure as a service (IaaS) is the most basic model and each higher model abstracts from the details of the lower models.

2.2.1 Infrastructure as a Service (IaaS)

IaaS is considered the most basic cloud model. In the infrastructure as a service model, providers offer computers, as virtual machines or as physical servers, among other IT resources. The virtual machines run as guests on hypervisors from different vendors such as VMware or Microsoft. Management of hypervisor pools by the cloud operational support system makes it possible to scale to a large number of virtual machines. Other resources in IaaS clouds include images in a virtual machine library, firewalls, raw and file-based storage, IP addresses, load balancers, and software bundles. For wide-area connectivity, both the Internet and dedicated virtual private networks can be used.

To deploy their applications, cloud customers install operating system images on the machines, as well as the application software. In this model, the cloud user is responsible for administering and maintaining the operating systems and applications. Cloud providers in this model typically bill IaaS users on a utility basis; that is, the cost reflects the amount of IT resources allocated to and consumed by each user. One of the services under IaaS is storage as a service (STaaS), which manages all the storage services in cloud computing. STaaS refers simply to a facility that gives businesses the leverage of extra storage space in servers and data centers. However, there are a lot of security issues in this service, such as privacy, integrity and reliability.

2.2.2 Platform as a Service (PaaS)

In this model, providers offer a computing platform that typically includes operating systems, databases, programming languages, an execution environment, and a web server. Application programmers can develop and run their solutions on a cloud platform without the costs of buying and managing the hardware and software layers. In some Platform as a Service offerings, the computing and storage resources scale automatically to match the application workload, so that the cloud customer does not have to allocate IT resources manually.

2.2.3 Software as a Service (SaaS)

In the SaaS model, providers install and operate application software in the cloud and users access the software from cloud clients. The cloud users are not responsible for managing the cloud infrastructure or the platform on which the software is running. This eliminates the need to install and run the application on the cloud user's own computers, which simplifies support and maintenance. What makes a cloud application different from other applications is its scalability. This can be achieved by cloning tasks onto multiple virtual machines at run time to meet changing workloads. Load balancers distribute the workload equally over a set of virtual machines. This process is hidden from the cloud user, who has only a single access point.

To serve a large number of users, cloud applications can be multitenant; that is, each physical machine serves more than one cloud user organization. It is very common to refer to special types of cloud-based service with a similar naming convention: test environment as a service, communication as a service, and desktop as a service.

The pricing model for SaaS applications is most often a monthly or yearly flat fee per user, so the cost is scalable and adjustable if users are added or removed at any point in time.

2.3 Deployment models

2.3.1 Public cloud

The public cloud deployment model comprises applications, storage, and other resources that are made available to the general public by a provider. These services are free or charged on a pay-per-use model. Generally, public cloud service providers like Microsoft, Amazon, and Google operate the infrastructure and offer access only via the Internet (direct connectivity is not offered).

2.3.2 Hybrid cloud

Hybrid cloud is a composition of two or more clouds (private or public) that remain unique entities but are linked together, offering benefits of multiple deployment models.

By using the hybrid cloud deployment model, individuals and companies are able to obtain levels of fault tolerance together with immediate local usability, without the need for an Internet connection. The hybrid cloud model requires both on-premises resources and off-site cloud infrastructure.

Hybrid clouds lack the security and certainty of in-house software; however, they provide the flexibility of in-house applications with the scalability and fault tolerance of cloud-based services.

2.3.3 Private cloud

Private cloud is the deployment model in which cloud infrastructure is operated solely for a single organization, whether managed internally or outsourced, and hosted externally or internally. Adopting a private cloud model requires a significant degree of commitment to virtualizing the organization's IT assets, and it requires the organization to reevaluate decisions about existing IT resources. If it is done right, it can have a very positive impact on a business, but each step of the project raises security issues that must be addressed in order to avoid serious vulnerabilities.

There is a lot of criticism of this model because users still have to buy and manage their infrastructure and thus do not benefit from reduced management effort and cost, essentially lacking the economic model that makes cloud computing such an interesting concept.

2.4 Business benefits

Cloud computing is a dynamic, scalable technology. Businesses can use as much computing service as is required on an hourly basis. As demand from external customers or internal uses increases or decreases, the necessary computing power, network, and storage capacity can be added or removed on an hourly basis. Most cloud service providers leave this provisioning up to the customer organization.

The IT resources can be charged as operational costs rather than as a capital investment. Most IT departments face a long approval cycle for capital funding, in addition to the delay of equipment delivery and installation. Cloud computing technology allows them to bring in computing capacity instantly using their operational budgets.

The IT equipment does not reside in the company's facility, which means it does not require upgrades to the electrical system, modifications to the air conditioning system, allocation of floor space, or an increase in IT staff. Computers at the cloud service provider consume power, space and staffing support at the provider instead of at the customer's company.

There are many competing public cloud providers offering this service. If the customer organization has any issues with its first cloud provider, for example if the provider does not deliver acceptable performance, the customer organization can shift its business to another provider offering better service or lower prices.

2.5 Disadvantages

Alongside these benefits and advantages, cloud computing also has corresponding disadvantages and concerns:

Many companies are hesitant to host their internal data on a computer that is external to their own company and that is potentially shared with another company's resources. Until now, there has been no client-to-client hacking of data or applications hosted in the cloud. That may be a result of sufficient security provisions, or it may be because of a lack of value in this type of attack.

Companies are concerned about the physical location of their data stored in the public cloud. The laws of the country hosting the equipment apply to the data on the machines. Many Asian and European companies have shown concern about having their data stored on computers located in the United States that fall under the jurisdiction of the U.S. Patriot Act, which allows the U.S. government to access that data easily.

When you start an application in the public cloud, you never know what other applications are running and using the same allocated resources. Because many companies share the resources, your application may run on a server where a neighboring application is extremely busy and noisy, leaving few computing resources for your application to run and communicate. As a result, users of cloud computing services may notice a big variation in the performance of their applications running in the public cloud.

Possible bugs in this large system have yet to be figured out. There have been instances in which entire cloud services have crashed and been unavailable for hours or even days. If this happens, the hosted applications will be offline until the technical problem is fixed.

Some public cloud providers offer unique services and proprietary ways to communicate with the IT resources. It is possible for the customer company to become so deeply embedded in these unique services that it cannot move its applications without major changes to both applications and data.

It appears that a cloud provider has an infinite number of computers and storage disks to meet your needs. But there are a finite number of these resources available and your provider is multiplexing these between the thousands of applications that are starting and stopping every hour. If all customers called for services at the same time, the provider could run out of available resources. This is the cloud computing equivalent of a busy signal on Mother’s Day or an insurance claim following a major hurricane.

These concerns, and others that are much more technical in nature, are well known to the major cloud computing providers and the intermediary support companies. All providers are working on solutions to eliminate them. The real question is, "Can companies increase profits or decrease costs by using cloud computing as it exists now?" and "How will that change as the technology matures?"

2.6 Top Security Risks

The important classes of cloud-specific risks identified are:

Loss of governance:

When using cloud infrastructures, the client necessarily gives up control to the Cloud Provider (CP) on many issues which may affect security. At the same time, Service level agreements may not offer a solid commitment to provide these services on the part of the cloud provider, which leaves a gap in security defenses.

Lock-in:

There is little on offer in the way of procedures, tools, data formats or service interfaces that could guarantee service, data, and application portability. This could make it difficult for the customer company to migrate from one cloud provider to another or to migrate back to an in-house IT environment. This introduces a dependency on a particular cloud provider for service provision, especially if data portability, as a fundamental aspect, is not enabled.

Isolation failure:

Shared resources and multi-tenancy are main characteristics of cloud computing technology. This risk category covers the failure of the mechanisms separating memory, storage, routing and even reputation between different tenants. However, it should be noted that attacks on resource isolation mechanisms are still much more difficult and less frequent than attacks on traditional operating systems.

Compliance risks:

Migration to the cloud may put at risk the investment made in achieving certification (e.g., industry standard or regulatory requirements):

If the cloud provider cannot provide proof of its own compliance with the relevant requirements.

If the cloud provider does not accept audit by the cloud customer (CC).

In certain cases, using a public cloud infrastructure implies that certain kinds of compliance can't be achieved (e.g., PCI DSS).

Management interface compromise:

The customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to a larger set of resources (than those of traditional hosting providers), and therefore create an increased risk, especially when combined with web browser and remote access vulnerabilities.

Data protection:

Cloud computing technology creates several data protection risks for cloud customers and public cloud providers. In some cases, it may be difficult for the customer company as a data controller to effectively check the data handling practices of the public cloud provider to be sure that the data is handled in a legal way. This problem is even worse in cases of multiple transfers of data between many clouds. On the other hand, some public cloud providers provide information on their data handling practices. Others offer certification on their data security and data processing activities and the data controls they apply.

Insecure or incomplete data deletion:

When the customer company requests to delete a cloud resource, as with most operating systems, this doesn't result in true deletion of the data. Sufficient or timely data deletion may also be impossible or undesirable from the customer perspective, either because the disk to be destroyed also stores data from other clients or because extra copies of data are stored but are not available. In the case of multiple tenancies and the reuse of hardware resources, this creates a higher risk to the customers than with dedicated hardware.

Malicious insider:

While typically less likely, the damage that may be caused by malicious insiders is always far greater. Public cloud architectures demand certain roles that are extremely high-risk, for example cloud provider system administrators and managed security service providers.

Legal implications of cloud computing

There is the issue of "reasonable security" in cloud computing technology, and of potential liability arising out of security breaches in the cloud. A company that provides a service to handle the personal information of another organization has the responsibility to ensure that there is reasonable security to protect confidential information. The data centers of cloud providers are located in various locations all over the world. This means data in the cloud could be stored in any country. The 'physical location' raises the question of legal governance over the data. In case of a conflict between the cloud vendor and the customer, the question of which country's court system will settle the dispute comes to the fore. In cases where there is litigation, an organization will have to deal with a third-party cloud provider to gain access to information relevant to the litigation. Considering the multiple copies of data that may be created, recompiled, stored, reused, and reassembled, what constitutes a "record" for evidence may be difficult to determine in the cloud.

The number of trademark filings covering cloud computing brands, goods and services is increasing as companies seek to better position themselves for cloud computing branding and marketing efforts. Therefore ensuring the uniqueness of a trademark with the advent of a cloud has been further complicated. Sharing and transferring data within the cloud is a problem. Organizations are legally prohibited from transferring personal information to countries that do not provide the same level of protection with respect to personal information. That means cloud providers will not be in a position to make any contractual promises to their clients because in many cases they cannot say which countries data will be transferred to and from. Systems are vulnerable to damage or interruption from earthquakes, terrorist attacks, flood, fires, etc. Customers have to ensure therefore that they are insured against loss of business due to such potential losses.

Security issues in cloud computing

Due to its distributed nature, the cloud results in weak security systems that are easy to break into. The security of the system is only as strong as the weakest user's set-up. Weak password recovery workflows, key loggers, and phishing attacks present bigger security risks. In collaborative web applications that are built for groups, like Google Apps or any web-based software, any breach of security spreads across all participants. In cloud computing an organization's data is locked in and a third party is in control. When you participate in the cloud, you depend on a third party to make decisions about your data and platforms.

Cloud computing also comes with the chance of server unavailability and account lock-out. When the Internet goes down, access to one's data is cut off. An important measure of security often overlooked by companies is how much downtime a cloud service provider experiences. The client should request the provider's reliability reports to determine whether these meet the requirements of their business. Exception monitoring systems are another important area that companies should ask their service providers about.

The biggest concern with cloud computing is that it puts all of a company's data and applications in one place. Businesses should be wary of putting sensitive company information in public clouds. They should instead stick to low-volume, low-risk applications and build internal and private clouds to enable collaboration within the organization and externally with partners. Security is one of the most often-cited objections to cloud computing. Cloud users face security threats from both outside and inside the cloud. Responsibility for security is divided among the cloud user, the cloud provider and any third-party vendors that users rely on for security-sensitive software or configurations.

Data access and interoperability

The issue of data access and interoperability continues to be an outstanding matter for inherently distributed applications and federated organizations. Common best practices and standards are needed to achieve the fundamental properties of portability and interoperability for cloud applications and environments. A major challenge of moving applications to the cloud for most organizations is the need to master multiple languages and operating environments. In most cloud applications a back-end process relies on a relational database, so that code is written in a query language. On the client side, program logic is implemented in JavaScript. Standing between the database and the client is a server application that might be written in a scripting language. Information exchanged between the various layers is likely to be encoded in some variation of XML.

Any web application needs to be available to legitimate visitors from all over the world. A true cloud spans the entire globe, with a server presence in multiple simultaneous locations. Besides technical issues, a cloud provider could suffer outages for non-technical reasons, including going out of business or being the target of regulatory action. Organizations should therefore be wary of this and put in place measures to ensure business continuity and service availability when outages occur. Data lock-in by the service provider is a contentious issue for the customer. Software stacks have improved interoperability among platforms, but the storage application programming interfaces (APIs) for cloud computing are still proprietary. Thus, customers cannot extract their data and programs from one site to run on another.

This has prevented some organizations from adopting cloud computing technology. Customer lock-in may be attractive to public cloud computing providers, but their users are vulnerable to price increases, to reliability issues, or even to providers going out of business. Applications continue to become more data intensive. Data bottlenecks are likely to occur as more users subscribe to a cloud service. Cloud users and cloud providers have to think about the implications of placement and traffic at every level of the system if they want to minimize costs.

Privacy issues in cloud computing

Privacy is a fundamental right enshrined in the UN Universal Declaration of Human Rights. There are various forms of privacy, including "control of information about ourselves" and "the right to be alone". Many kinds of data need to be secured. These include any information that can be used to identify or locate an individual. Sensitive information such as personal financial information and job performance information is considered confidential. Behavioral information such as viewing practices for digital content, customers' recently visited websites or product usage history needs to be protected as well.

Violation of privacy occurs as a result of a number of cloud dynamics. In the cloud the infrastructure is shared between organizations and is off-premise. There are therefore threats associated with data being stored remotely and with virtualization. Virtualization is the technology of running multiple independent virtual systems on fewer physical resources, making one computer act as many and sharing the resources of hosts across multiple environments. The cloud is also a dynamic environment. Services can be aggregated and changed dynamically by customers, and service providers can change the provisioning of services at any time. Sensitive data may move around within an organization and across organizational boundaries. Legal compliance and adequate protection therefore have to be maintained.

The speed and flexibility of adjustment to vendor offerings that benefit business and provide a strong motivation for the use of cloud computing might come at the cost of compromising the safety of data. Cloud computing enables new services to be made available in the cloud by combining other services, e.g. a 'print on demand' service can be provided by combining a printing service with a storage service. This procedure of service combination is typically under less control than previous service combinations carried out within traditional multi-party enterprise scenarios. There may be varied degrees of security and privacy in each of the components.

Regulatory issues

In the cloud there are a number of issues that need to be regulated. Potential physical location of data centers could be anywhere, with geography-blind distribution of applications and data. As a practical commercial matter, national regulations should be able to influence the actual deployment of cloud services in countries around the globe. Without concrete guarantees on the privacy of data held by cloud providers, the diffusion of cloud services may be hampered by the perceived risk in entrusting sensitive data to external cloud services. In the US and Europe the regulations require some cloud offerings to allow users to stipulate the country in which their data will be stored. Non-US firms whose servers are located in the US can have their information accessed by the US government under the US Patriot Act and Homeland Security Act.

This impacts information privacy policy. Strongly related to the notion of service level agreements and policy, is that of governance – how to manage sets of virtual resources. At the infrastructure level, applications may consist of many virtual machines, virtual storage and virtual networks. Managing these virtual missions, or virtual data centers, requires policy and enforcement from both the provider and consumer.

In a private cloud, the infrastructure for implementing the cloud is controlled completely by the enterprise. Usually, private clouds are implemented in the enterprise’s data centre and managed by internal staff. A private cloud maintains all the corporate information in resources under the control of the legal and contractual umbrella of the organization. This removes the legal, regulatory, and security concerns associated with information being processed on third party computing resources. In a public cloud however, external organizations provide the infrastructure and management required to implement the cloud. Public clouds have the disadvantage of hosting data in an offsite organization outside the legal and regulatory umbrella of the company. In addition to that, as most public clouds leverage a worldwide network of data centers, it is very hard to document the physical location of the data at any specific moment.

2.7 Hypotheses Development

The existence of data protection legislation is a must to provide cloud security.

Adopting the public cloud model increases the level of security threats and concerns.

Moving up in the cloud computing level up to the Software as a Service (SaaS) level increases the potential of security holes.

3. Discussion and Conclusion

Cloud computing is one of the most promising computing technologies for both cloud providers and cloud consumers. But to make the best use of cloud computing there is a growing need to close the existing security holes.

The existence of data protection legislation and information laws will certainly help to increase cloud security, as cloud providers will have to fulfill all these laws in their security practices and policies. However, these laws are not a must in order to have data security in the cloud: a lack of data security will deter customers from going into the cloud, so even if there are no information protection laws, cloud providers still have to apply strong information security policies.

The deployment model affects the level of security threats facing cloud customers. As a company goes from the private towards the public model, the security holes increase; these holes include the normal hacking threats, Internet and web browser holes, and the risks resulting from sharing storage among multiple tenants.

As the customer goes up in the cloud computing levels to the Software as a Service level, the probability of being hacked is greater, as each layer adds new security holes and potential risks. Strong security policies should be applied by an experienced security administration team at the cloud provider.

The following points and steps should be considered to secure cloud computing:

Investigation Support: Auditing tools should be provided to customers to determine how data is stored, used, and protected, and to verify policy enforcement. However, investigation of banned activity is quite difficult because data for multiple customer companies may be collocated and may also be geographically spread across a number of hosts and data centers. To resolve this, audit tools must be contractually committed along with the confirmation.

Network Security: A hacker can deny access to any Internet service by using IP spoofing, which can be a cause of security damage. To solve this, we could use the digital signature technique. The SSL (Secure Socket Layer) protocol is used for handling the security of message communication on the Internet.

Encryption Algorithms: Cloud service providers encrypt the user's data using strong encryption algorithms. But the problem is that an encryption accident can render data totally unusable, and encryption also causes difficulties for availability. To solve this issue, the public cloud provider should offer proof that its encryption systems were planned and tested by qualified specialists.

Backup: A natural disaster could damage the physical devices, which may cause data loss. To face this problem, backup of data is the key to guaranteeing the service provided by the provider.

Customer satisfaction: It’s hard for the customer organization to really confirm the currently used security policies and initiatives of a computing cloud provided by the provider because the customer in general has no access

Focus on the problem, using a model-based approach to capture many views and link these views in a holistic security model.

Provided mechanisms and APIs should have flexible security interfaces.

Support of multi-tenancy policies where each customer can see only his security configurations.

Support of integration and harmonization with third-party security controls at all layers to provide integrated security.

Be ready to meet continuous changes in the IT environment and in stakeholders' needs.


