Security Issues In Cloud Environments

Published Date: 02 Nov 2017

Keywords- Cloud computing, IaaS, SaaS, PaaS, Threats, Security in cloud computing

I. INTRODUCTION

Cloud computing is one of the emerging technology that can be used to access the services remotely. Most of the information technology based organisations are using cloud services for accessing different services like Software as a service, Platform as a service or Infrastructure as a service. In the past few years the infrastructure demand within an organisation is increasing due to increase use of internet and technology. This increasing demand for solution and services are well served by the cloud computing services. Cloud computing services provide the ability to any organisation acquiring the services to build up solutions and their infrastructure very fast.

The organisation(s) using the cloud services always have scope to scale up their usability i.e. get the on demand services from the cloud service providers and pay for the type of cloud services they use along with its duration. The organisation then does not have to worry about purchasing the hardware or then maintaining it. All the maintenance services are performed by the vendors of cloud and charge their clients according to the services.

The most important aspect in setting up the cloud environment is security to its consumers. Most of the consumers are worried about the security of their data and privacy which is very critical for the vendors to maintain and implement in the cloud deployments. All the data storage that take place in cloud happen in remote locations which also encourages the data protection act according to the country who is providing those services [1].

II. TYPES OF CLOUD SERVICES

As shown in the below Figure-1, the different deployment models are as follows,

Figure-1: Deployment model for Cloud [2]

a. Software-as-a-Service (S-a-a-S).

SaaS provides the capability of services and provision to its consumers for running the applications on the cloud environments. All the services that the consumers can access are available either through the web-browser or some client devices like emails [3]. In this service model, consumers does not have any control or can manage the cloud infrastructure which includes operating systems, any deployed applications or networking of the systems [4].

This service provides the on-demand solutions to the consumers based on user access license to the cloud services. All of the consumers are always charged based on the demand and consumption of services [5]. This service model provides the cloud services to its users so that they don't have to worry about software, hardware requirements, operating system and issues related to them. Google App is an example for SaaS [6].

b. Infrastructure-as-a-Service (I-a-a-S).

IaaS provides capability of cloud to provision various resources like storage, networks, computer resources which can be utilised by consumers to install, deploy/configure and execute/run the applications. In this service model consumers have the full control over the infrastructure of the cloud where they can manage and have the full control over resources allowing them to perform networking, install and deploy applications or even can select network components like firewalls [7]. I-a-a-S model with other service models like P-a-a-S and S-a-a-S offer great deal of scalability to cloud computing system. Amazon, Rackspace provide wide range of cloud deployments for I-a-a-S [8].

c. Platform-as-a-Service (P-a-a-S).

PaaS enhances the capability of the cloud to provision its consumers for creating and managing the applications built by using different and varied programming languages and tools [9]. This service provides the capability for including Software-development-kit (SDK) with domain names, deployment environment, dynamic and scalable applications with hosting environments. Windows Azure is an example of PaaS [10].

III. CLOUD DEPLOYMENT MODELS

Cloud computing has 4 deployment models,

i. Private cloud

Private cloud also known as internal cloud is always deployed within a restricted region or say particular organisation. Private clouds are thus hosted within the organisation boundaries who itself owns it [8]. In this deployment model an organisation deploys and implements its cloud environment within which its services can be used by the user [11].

This service deployment model since is setup with an organisation involves the entire efforts to be done by the organisation itself for buying, building & managing resources within the cloud environment. This also involves cloud security to be implemented by the standards, procedures and policies by organization [12].

Advantages -

a. Private cloud implementation performs high level of automation of the servers and IT infrastructure reducing managerial and costs overheads.

b. Improves the server utilization providing higher capability to infrastructure [13].

Limitations -

a. IT teams has to spend lot of time and resources to set-up the cloud environment which involves purchase, set-up and maintenance [13].

ii. Public cloud

Public cloud is a service that is open to general public which is maintained by third party vendor who sells the cloud services. Anyone like any corporation, organisation or end users who needs the cloud services can contact these vendors based on their requirements [8].

Vendors charge the customers for their services to the end users. In case of public cloud all the services are provided to the users and they do not have any control over the physical or logical implementation of the services. Security of the cloud services is maintained by the provider [12]. The end users can access the cloud services to get all the IT related services which are scalable on-demand. This ways the end users do not have to set-up or maintain the IT infrastructure [8].

Advantages -

a. Provides on-demand solutions to the consumers.

b. Helps to enhance and scale the application and infrastructure [13].

Limitations -

a. Security and privacy of the data [13].

iii. Community cloud

Community cloud deployments are the one done by the open groups community which is conceptually in the middle of private and public clouds. These kind of cloud deployments are maintained together by the members of various organisations [8].

iv. Hybrid cloud

Hybrid cloud is a combination of different deployments of cloud. These deployments are implemented using the composition of two or more private, public or community combination of cloud deployments [14]. Hybrid deployments for cloud are different as it uses cloudburst, which is used for load balancing. Cloudburst refers to the application that runs in private as well as public cloud. This helps in doing the expansion of cloud and its services when required.

This kind of hybrid deployment is used when an organisation wants to use its critical applications within their premises i.e. private deployment and some of the features that can be accessed publicly which is done by the public cloud [8].

IV. CLOUD ARCHITECTURE

The architecture of the cloud comprises of various functionalities and layers which is shown in Figure-2 below.

a. Characteristics

The cloud environment provides the capability for on-demand services, setting up the networking environment and generating virtual environments. The cloud services can extend its services based on the requirements from the consumers [13].

Figure-2: Cloud Architecture [13].

b. Resource pooling and Multi-tenancy

Multi-tenancy enables the cloud to extend it services such that multiple consumers can use the same cloud environment and resources being shared among each other [15]. These resources usage should ensure the privacy and security of data [13].

c. Cloud service models

The cloud services provide various level of services like Software as a service, Platform as a service and Infrastructure as a service. These services are configurable within the cloud environments and provide ability to the vendors and the consumers to adopt for different type of services that are required for their working [13].

d. Cloud reference deployment models

The cloud environments support different type of deployments like Public, private, hybrid and community clouds [16].

V. SECURITY ISSUES IN CLOUD ENVIRONMENTS

Cloud environments since are also setup on the computers systems so they are also vulnerable to normal and usual security attacks. All the traditional security issues could also occur in the cloud environments like man-in-the-middle attacks, viruses or malwares could impact them. Since the cloud services are implemented by the cloud service providers and the consumers does not have any control over the environment or their setup or implementation, that is why it gets difficult for the consumers to know about the security of the cloud services [17].

The main challenges that are vital is availability of cloud services, performance and security of the data. As the cloud environment provides different services like Software as a service, platform as a service and infrastructure as a service, that is why different level of securities are also required [18].

Following are the security issues which cloud environments are vulnerable to [19],

- Access to privileged user: As the sensitive data can be processed from outside the enterprise it introduces risk to the data and privacy.

- Data location: Clients using the cloud environment does not know the exact location of data being hosted. Distributed location of the data could result into lack of control over the data and needs more security.

- Recovery: Any problems that can occurs in the cloud environment like non-availability of the environment, or break down of the environment can cause issues to the users. This requires the cloud environment to deal with such issues.

- Data segregation: Mostly there are multiple tenants who might be using the same cloud environment and might be sharing the resources which demands for solution to the conflicts and provide data privacy to its users. This also needs that the data should be encrypted such that the people have the cloud environment also cannot decrypt and explore the data and compromise the privacy.

- Investigative support: It sometimes gets difficult to investigate the cloud services as the data and logging for different customers are co-located at the same place or may even be distributed due to ever changing of the locations.

Figure-3: Different aspects of cloud security [20]

VI. SECURITY THREATS AND MITIGATION

Figure-3 displays the various elements associated with the cloud security.

a. Virtual environment attacks: Hypervisor such as vSphere, VMware used during the implementation of cloud can cause threats to the environment. These attacks can be prevented using Intrusion detection system (IDS) or Intrusion prevention systems (IPS) [21].

b. Abuse of cloud computing environment: As the cloud services can be accessed by anyone who can pay for the its services, this also allows many anonymous users to enter the environment and generate spams and malicious code to the environments. These attacks can be mitigated by strengthening the registration process, monitoring credit card fraud, introspection of traffic generated by users network [21].

c. Governance loss: The cloud service providers have full access to the cloud environment and the services offered to their clients. This also could lead to security attacks from insiders. These attacks and issues could be resolved by ensuring the commitment from the cloud service providers on a Service level agreements (SLA) [21].

d. Lock in: This means the inability of consumers who wish to migrate from one cloud service to other. This could be due to the loss of customer data and absence of adequate tools to use for migration. These issues can be mitigated by applying application programming interfaces at cloud level [21].

e. Insecure interfaces: Using weak interfaces to interact with the APIs or cloud services might expose the data and privacy in cloud to various security threats and vulnerabilities. To mitigate these issues require strong authentication process in interfaces and would be good to analyse the security model of the cloud [21].

f. Account/Service hijacking: These issues could arise due to phishing attacks, frauds, or due to any software vulnerabilities in the cloud environment. To mitigate such issues, the account information should be secured and not shared within the users and services, implement multi-factor authentication mechanisms [21].

VII. CONCLUSION

Cloud computing is growing technology and is a crucial area to understand and know about the various security implications associated with it. There are many security issues that a cloud environment is vulnerable of and can be mitigated using the different solutions and deployment models. Cloud computing provides various services to the consumers based on the demand and solution required for the infrastructure and amount of access that will be required.

Future directions

Cloud computing model is not mature as of now and there are many areas that can be explored. Security is one of the most important aspect for users as well as the vendors for cloud computing. There are different tools and modes already in use to overcome the security issues in cloud computing, however there is still a scope to come up with reliable solutions which could ensure the integrity, reliability and confidentiality of data and privacy within cloud environments [22].

VIII. REFERENCES

[1] S. Sengupta, V. Kaulgud and V.S. Sharma. "Cloud Computing Security--Trends and Research Directions", IEEE World Congress on Services (SERVICES). IEEE. pp: 524-531. 4-9 July 2011.

[2] A. Behl and K. Behl. "An analysis of cloud computing security issues". World Congress on Information and Communication Technologies (WICT). IEEE. pp: 109-114. Oct. 30 2012-Nov. 2 2012.

[3] M. Hamdi. "Security of cloud computing, storage, and networking", International Conference on Collaboration Technologies and Systems (CTS). IEEE. pp: 1-5. 21-25 May 2012.

[4] Cloud Computing, 2011. Available at: http://csrc.nist.gov/groups/SNS/cloud-computing/.

[5] A. Rosenthal, P. Mork, M. Li, J. Stanford, D. Koester and P. Reynolds. "Cloud computing: A new business paradigm for biomedical information sharing". Journal of Biomedical Informatics. Journal homepage: www.elsevier.com/locate/yjbin. 2009

[6] A. Bouayad, A. Blilat, N. El Houda Mejhed and M. El Ghazi. "Cloud computing: Security challenges", Colloquium in Information Science and Technology (CIST). IEEE. pp: 26-31. 22-24 Oct. 2012.

[7] R. F. Smallwood. "Evaluating & deploying cloud computing for electronic records management: technology, security & implementation issues : a management primer". [New Orleans, La.], E-Records Institute at IMERGE Consulting. 2011.

[8] R. L. Krutz and R. D. Vines (2010). Cloud security: a comprehensive guide to secure cloud computing. Indianapolis, IN, Wiley.

[9] S. Qamar, N. Lal and M. Singh. "Internet Ware Cloud Computing: Challenges". (IJCSIS) International Journal of Computer Science and Information Security, Vol. 7, No. 3, March 2010.

[10] L. Youseff, M. Butrico and D. Da Silva. "Toward a Unified Ontology of Cloud Computing". In Grid Computing Environments Workshop (GCE '08), Austin, Texas, USA. pp: 1-10. November 2008.

[11] E. A. Marks and B. Lozano. "Executive's guide to cloud computing". Hoboken, N.J., Wiley. 2010.

[12] T. Mather, S. Kumaraswamy and S. Latif. "Cloud security and privacy". Beijing, O'Reilly. 2010.

[13] Cloud Security Alliance. (2011). Available at: http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf

[14] K. Rangan. The Cloud Wars: $100+ billion at stake. Tech. rep., Merrill Lynch. 2008.

[15] I. Gul, A. Rehman, and M.H. Islam. "Cloud computing security auditing", The 2nd International Conference on Next Generation Information Technology (ICNIT). IEEE. pp: 143-148. 21-23 June 2011.

[16] X. Xiaoping and Y. Junhu. "Research on Cloud Computing Security Platform". Fourth International Conference on Computational and Information Sciences (ICCIS). IEEE. pp: 799-802. 17-19 Aug. 2012.

[17] W. Liu. "Research on cloud computing security problem and strategy", 2nd International Conference on Consumer Electronics, Communications and Networks (CECNet). IEEE. pp: 1216- 1219. 21-23 April 2012.

[18] Z. Xin, L. Song-qing and L. Nai-wen. "Research on cloud computing data security model based on multi-dimension", International Symposium on Information Technology in Medicine and Education (ITME). IEEE. vol 2. pp: 897-900. 3-5 Aug. 2012.

[19] F. Sabahi. "Cloud computing security threats and responses". 3rd International Conference on Communication Software and Networks (ICCSN). IEEE. pp: 245-249. 27-29 May 2011.

[20] G. Kulkarni, J. Gambhir, T. Pati and A. Dongare. "A security aspects in cloud computing", 3rd International Conference on Software Engineering and Service Science (ICSESS). IEEE. pp: 547-550. 22-24 June 2012.

[21] A. Tripathi and A. Mishra. "Cloud computing security considerations". International Conference on Signal Processing, Communications and Computing (ICSPCC). IEEE. pp: 1-5. 14-16 Sept. 2011.

[22] F.B. Shaikh and S. Haider. "Security Threats in Cloud Computing". International Conference for Internet Technology and Secured Transactions (ICITST). IEEE. pp: 214-219. 11-14 Dec. 2011.