Survey On Cloud Security Issues And Solutions


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract- Cloud computing is a way to increase capacity or add capabilities dynamically without investing in new infrastructure, training new personnel or licensing new software. Cloud computing is the long-dreamed vision of computing as a utility. Security is one of the major issues slowing the growth of cloud computing, and complications with data privacy and data protection continue to plague the market. The advent of an advanced model should not compromise the required functionalities and capabilities present in the current model. A new model that aims to improve features of an existing model must not risk or threaten other important features of the current model. The architecture of the cloud poses such a threat to the security of existing technologies when they are deployed in a cloud environment. Cloud service users need to be vigilant in understanding the risks of data breaches in this new environment. This paper presents a survey of the different security risks that pose a threat to the cloud, focusing on the security issues that have emanated from the nature of the service delivery models of a cloud computing system.

Keywords: cloud computing, security, delivery models, deployment models

1. INTRODUCTION

Cloud computing is a compilation of existing techniques and technologies, packaged within a new infrastructure paradigm that offers improved scalability, elasticity, business agility, faster startup time, reduced management costs, and just-in-time availability of resources. If the cloud provider's security people are "better" than yours and leveraged, the web-services interfaces don't introduce too many new vulnerabilities, and the cloud provider aims at least as high as you do at security goals, then cloud computing has better security. Cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment it is. Despite all the hype surrounding the cloud, enterprise customers are still reluctant to deploy their business in the cloud. Security is one of the major issues slowing the growth of cloud computing, and complications with data privacy and data protection continue to plague the market. The advent of an advanced model should not compromise the required functionalities and capabilities present in the current model.

The attributes of cloud computing are rapid deployment, low startup costs/capital investment, costs based on usage or subscription, and multi-tenant sharing of services/resources.

The essential characteristics of cloud are on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity, and measured service.

(b) Regions for security problems

Cloud computing definitely makes sense if your own security is weak, missing features, or below average. Most security problems stem from:

1. Loss of control

2. Lack of trust (mechanisms)

3. Security problems exist mainly in 3rd party management models.

4. Every breached security system was once thought infallible - SaaS (software as a service) and PaaS (platform as a service) providers all trumpet the robustness of their systems, often claiming that security in the cloud is tighter than in most enterprises. But the simple fact is that every security system that has ever been breached was once thought infallible.

5. Multi-tenancy - the cloud permits multiple clients to use the same hardware at the same time, without them knowing it, possibly causing conflicts of interest among customers.

6. SLA-driven - cloud is administrated by service level agreements that allow several instances of one application to be replicated on multiple servers if need arises; dependent on a priority scheme, the cloud may minimize or shut down a lower level application.

7. Service-oriented - cloud allows one client to use multiple applications in creating its own.

8. Virtualized - applications are not hardware specific; various programs may run on one machine using virtualization or many machines may run one program.

9. Linearly scalable - cloud should handle an increase in data processing linearly; if "n" times more users need a resource, the time to complete the request with "n" more resources should be roughly the same.

10. Data management - distribution, partitioning, security and synchronization of data.

11. Self-healing - in case of application/network/data storage failure, there will always be a backup running without major delays, making the resource switch appear seamless to the user.

2. CLOUD COMPUTING SECURITY ISSUES

2.1 Attacks:

Cloud computing offers great potential to improve productivity and reduce costs, but at the same time it carries many security risks.

A. Denial of Service (DoS) Attacks

Some security professionals have argued that the cloud is more vulnerable to DoS attacks because it is shared by many users, which makes DoS attacks much more damaging. In a denial-of-service attack, a malicious party barrages a server with so many requests that it can't keep up, or causes it to reset. As a result, legitimate users can only access the server very slowly. [8]

B. Authentication Attacks

Authentication is a weak point in hosted and virtual services and is frequently targeted. There are many different ways to authenticate users, for example based on what a person knows, has, or is. The mechanisms used to secure the authentication process and the methods used are a frequent target of attackers. [8]

C. Man-in-the-Middle Cryptographic Attacks

This attack is carried out when an attacker places himself between two users. Any time attackers can place themselves in the communication's path, there is the possibility that they can intercept and modify communications. [8]

2.2 Security Risks of Cloud Computing

1. Secure data transfer: All of the traffic travelling between your network and whatever service you're accessing in the cloud must traverse the Internet. Make sure your data is always travelling on a secure channel; only connect your browser to the provider via a URL that begins with "https." Also, your data should always be encrypted and authenticated using industry standard protocols, such as IPsec (Internet Protocol Security), that have been developed specifically for protecting Internet traffic. [13]

2. Secure software interfaces: The Cloud Security Alliance (CSA) recommends that you be aware of the software interfaces, or APIs, that are used to interact with cloud services. "Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability, and accountability," says the group in its Top Threats to Cloud Computing document. CSA recommends learning how any cloud provider you're considering integrates security throughout its service, from authentication and access control techniques to activity monitoring policies. [11]

3. Secure stored data: Your data should be securely encrypted when it's on the provider's servers and while it's in use by the cloud service. In Demystifying Cloud Security, Forrester warns that few cloud providers assure protection for data being used within the application or for disposing of your data. Ask potential cloud providers how they secure your data not only when it's in transit but also when it's on their servers and accessed by the cloud-based applications. Find out, too, if the providers securely dispose of your data, for example, by deleting the encryption key. [13]

4. User access control: Data stored on a cloud provider's server can potentially be accessed by an employee of that company, and you have none of the usual personnel controls over those people. First, consider carefully the sensitivity of the data you're allowing out into the cloud. [13]

5. Data separation: Every cloud-based service shares resources, namely space on the provider's servers and other parts of the provider's infrastructure. Hypervisor software is used to create virtual containers on the provider's hardware for each of its customers. But CSA notes that "attacks have surfaced in recent years that target the shared technology inside Cloud Computing environments." [11]

3. SECURITY TECHNIQUES

1. Secure data transfer:

Asymmetric and symmetric key encryption world respectively to later help understand the advantages of our algorithm over these typical encryption methods. The AES, which is also a symmetric key encryption algorithm but more secure than the DES, has not been discussed here but instead has been compared to our algorithm in a later sub-section to highlight the computational edge of our algorithm.

DES

The DES has a 64-bit block size and uses a 56-bit key during execution (8 parity bits are stripped off from the full 64-bit key). It is a symmetric cryptosystem and was originally designed for implementation in hardware. When used for communication, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to generate and verify a message authentication code (MAC). Though there have been two classes of attacks on the DES, linear cryptanalysis and differential cryptanalysis, both have proven to be impractical. Nevertheless, 56-bit keys are considered vulnerable to exhaustive search, which on average would take 2^55 steps. Therefore, NIST has recommended the use of AES in place of DES to ensure higher security. [1,4]

RSA

The RSA cryptosystem is a public-key cryptosystem that offers both encryption and authentication. It works as follows:

1) Take two large primes, p and q, and compute their product n = p * q; n is called the modulus.

2) Choose a number, e, less than n and relatively prime to (p - 1) * (q - 1).

3) Find another number d such that (e * d - 1) is divisible by (p - 1) * (q - 1). The values e and d are called the public and private exponents, respectively. The public key is the pair (n, e); the private key is (n, d).

4) Take the message m to be encrypted and calculate the ciphertext c as c = m^e mod n, where (n, e) is the public pair belonging to the receiver.

5) To decrypt, the receiver exponentiates the ciphertext to retrieve the message; that is, m = c^d mod n; the relationship between d and e ensures that the receiver gets the correct message.

RSA relies heavily on the operation of modular exponentiation, which is performed by a series of modular multiplications. It is due to this that RSA implementations are slower by a great margin than block ciphers like DES which is generally at least 100 times faster in software and between 1,000 and 10,000 times as fast in hardware depending on the implementation[2].
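The five RSA steps above, carried through with small numbers. This is an added example, not code from the original essay; the primes 61 and 53, the exponent 17, the message values and all function names are constructed for illustration, and real keys use primes of at least 1024 bits together with a padding scheme such as OAEP. The last function shows why: the bare c = m^e mod n operation is deterministic and multiplicative.

```python
"""Textbook RSA, following steps 1-5 above with constructed toy values."""
from math import gcd


def make_keypair(p: int, q: int, e: int):
    """Steps 1-3: return ((n, e), (n, d)) for primes p, q and exponent e."""
    n = p * q                                  # step 1: the modulus
    phi = (p - 1) * (q - 1)
    if not 1 < e < n or gcd(e, phi) != 1:      # step 2: e coprime to phi
        raise ValueError("e must be relatively prime to (p-1)*(q-1)")
    d = pow(e, -1, phi)                        # step 3: e*d - 1 divisible by phi
    return (n, e), (n, d)


def encrypt(public, m: int) -> int:
    """Step 4: c = m^e mod n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    """Step 5: m = c^d mod n."""
    n, d = private
    return pow(c, d, n)


def textbook_caveats():
    """Two properties of unpadded RSA that make padding mandatory in practice."""
    public, private = make_keypair(61, 53, 17)
    n = public[0]
    c1, c2 = encrypt(public, 65), encrypt(public, 3)
    return {
        # Same plaintext always gives the same ciphertext, so an observer
        # can tell when a message repeats.
        "deterministic": encrypt(public, 65) == c1,
        # A product of ciphertexts decrypts to the product of plaintexts,
        # so ciphertexts can be altered meaningfully without the key.
        "product_decrypts_to": decrypt(private, (c1 * c2) % n),
    }


if __name__ == "__main__":
    public, private = make_keypair(61, 53, 17)
    c = encrypt(public, 65)
    print("public:", public, "private:", private)
    print("ciphertext:", c, "recovered:", decrypt(private, c))
    print(textbook_caveats())
```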

One-Time Pad

The one-time pad was first designed by Vernam in 1926, and its security was subsequently proven by Shannon in 1949. It is constructed using a key chosen randomly which is at least as big as the message to be protected. Then, the key and the message are bitwise XORed to produce the cipher text, which is sent to the receiver. The receiver, in possession of the key used by the sender, is able to bitwise XOR the cipher text with this key and obtains the plaintext. Any intruder on intercepting the cipher text can only guess the plaintext since the key is chosen randomly.

The important difference between our implementation and that of the theoretical one-time pad is in the security offered under particular conditions.[3]

2. Access Control

A. Key Policy Attribute-Based Encryption (KP-ABE)

In KP-ABE, data are associated with attributes for each of which a public key component is defined. The encryptor associates the set of attributes to the message by encrypting it with the corresponding public key components. Each user is assigned an access structure which is usually defined as an access tree over data attributes, i.e., interior nodes of the access tree are threshold gates and leaf nodes are associated with attributes. User secret key is defined to reflect the access structure so that the user is able to decrypt a ciphertext if and only if the data attributes satisfy his access structure.

Encryption:

This algorithm takes a message M, the public key PK, and a set of attributes I as input. It outputs the ciphertext E with the following format: E = (I, E~, {E_i} for i ∈ I), where E~ = M * Y^s, E_i = T_i^s, and s is randomly chosen from Z_p.

Decryption:

This algorithm takes as input the ciphertext E encrypted under the attribute set I, the user's secret key SK for access tree T, and the public key PK. It first computes e(E_i, sk_i) = e(g, g)^(p_i(0) * s) for leaf nodes. Then, it aggregates these pairing results in the bottom-up manner using the polynomial interpolation technique.

B. Proxy Re-Encryption

Proxy Re-Encryption (PRE) is a cryptographic primitive in which a semi-trusted proxy is able to convert a ciphertext encrypted under Alice's public key into another ciphertext that can be opened by Bob's private key without seeing the underlying plaintext. More formally, a PRE scheme allows the proxy, given the proxy re-encryption key rk_(a↔b), to translate ciphertexts under public key pk_a into ciphertexts under public key pk_b and vice versa. [5,6]

3. Secure Data Transmission

Steganography:

Here the focus is on the Identification field of the IP header as a place to hide secret encrypted data. The Identification field is used only when fragmentation occurs: at the receiver end, it tells the right order in which to reassemble the packets. If fragmentation has not occurred, the Identification field is unused, so this 16-bit field can carry a hidden encrypted message. To avoid fragmentation, we use the MTU. The maximum transfer unit sets the limit on packet size for transmission over the network, and both sender and receiver should be aware of it. For encryption and decryption we use elliptic curve cryptography (ECC). ECC is a form of public key cryptography. In public key cryptography each user or device taking part in the communication generally has a pair of keys, a public key and a private key, and a set of operations associated with the keys to perform the cryptographic operations. Only the particular user knows the private key, whereas the public key is distributed to all users taking part in the communication. Some public key algorithms require a set of predefined constants to be known by all the devices taking part in the communication; the domain parameters in ECC are an example of such constants. Public key cryptography, unlike private key cryptography, does not require any shared secret between the communicating parties, but it is much slower than private key cryptography. The mathematical operations of ECC are defined over the elliptic curve

y^2 = x^3 + ax + b, where 4a^3 + 27b^2 ≠ 0. Each value of 'a' and 'b' gives a different elliptic curve. All points (x, y) which satisfy the above equation, plus a point at infinity, lie on the elliptic curve. The public key is a point on the curve and the private key is a random number. The public key is obtained by multiplying the private key with the generator point G on the curve. The generator point G, the parameters 'a' and 'b', and some other constants constitute the domain parameters of ECC. For secure file transfer using steganography, we propose a conceptual scheme. Consider Alice as the sender and Bob as the receiver. Alice wants to transfer a secret file to Bob over a network.

4. PARAMETERS TAKEN FOR SECURITY ISSUES
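The relationship between private key, generator point and public key described above, worked on a toy curve. This is an added example, not part of the original essay; it assumes the curve is taken over the finite field F_17 (as deployed ECC does, rather than over the real numbers), and the parameters a = 2, b = 2, G = (5, 1), the private keys 3 and 7 and all function names are constructed for illustration. It also shows a Diffie-Hellman style agreement between Alice and Bob, including the check that a received public key really lies on the curve.

```python
"""Toy elliptic curve arithmetic over F_17 (constructed parameters)."""
P, A, B = 17, 2, 2        # y^2 = x^3 + 2x + 2 over F_17
G = (5, 1)                # generator point; its order on this curve is 19
ORDER = 19
INF = None                # the point at infinity


def is_nonsingular() -> bool:
    """Domain parameter check from the text: 4a^3 + 27b^2 != 0."""
    return (4 * A**3 + 27 * B**2) % P != 0


def on_curve(pt) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P == 0


def add(p1, p2):
    """Group law: chord rule for distinct points, tangent rule for doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                               # point plus its negative
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k: int, pt):
    """Double-and-add: compute k * pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def public_key(private: int):
    """Public key = private key multiplied by the generator point G."""
    if not 1 <= private < ORDER:
        raise ValueError("private key must be in [1, ORDER - 1]")
    return scalar_mult(private, G)


def shared_point(private: int, peer_public):
    """Key agreement; reject peer points that are off-curve or at infinity."""
    if peer_public is INF or not on_curve(peer_public):
        raise ValueError("peer public key is not a valid curve point")
    return scalar_mult(private, peer_public)


if __name__ == "__main__":
    alice_priv, bob_priv = 3, 7                  # constructed private keys
    alice_pub, bob_pub = public_key(alice_priv), public_key(bob_priv)
    print("Alice public:", alice_pub, "Bob public:", bob_pub)
    print("Alice derives:", shared_point(alice_priv, bob_pub))
    print("Bob derives:  ", shared_point(bob_priv, alice_pub))
```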

(a) Cloud Models:

Delivery models

1. Infrastructure-as-a-Service (IaaS):

As the name implies, you are buying infrastructure. You own the software and are purchasing virtual power to execute as needed. This is much like running a virtual server on your own equipment, except you are now running a virtual server on a virtual disk. This model is similar to a utility company model, as you pay for what you use.

2. Platform-as-a-Service (PaaS):

In this model of cloud computing, the provider provides a platform for your use. Services provided by this model include all phases of the System Development Life Cycle (SDLC) and can use Application Program Interfaces (APIs), website portals, or gateway software. Buyers do need to look closely at specific solutions, because some providers do not allow software created by their customers to be moved off the provider’s platform.

3. Software-as-a-Service (SaaS):

This model is designed to provide everything and simply rent out the software to the user. The service is usually provided through some type of front end or web portal. While the end user is free to use the service from anywhere, the company pays a per use fee.

Deployment Models

Public Cloud: A cloud infrastructure is provided to many customers and is managed by a third party. Multiple enterprises can work on the infrastructure provided, at the same time.

1. Easy and inexpensive set-up because hardware, application and bandwidth costs are covered by the provider. Scalability to meet needs.

2. No wasted resources because you pay for what you use.

3. The term "public cloud" arose to differentiate between the standard model and the private cloud.

Community Cloud: A community cloud may be established where several organizations have similar requirements and seek to share infrastructure so as to realize some of the benefits of cloud computing. With the costs spread over fewer users than a public cloud (but more than a single tenant), this option is more expensive but may offer a higher level of privacy, security and/or policy compliance. Examples of community cloud include Google's "Gov Cloud".

Private Cloud: Private cloud (also called internal cloud or corporate cloud) is a marketing term for a proprietary computing architecture that provides hosted services to a limited number of people behind a firewall. Advances in virtualization and distributed computing have allowed corporate network and datacenter administrators to effectively become service providers that meet the needs of their "customers" within the corporation. Marketing media that uses the words "private cloud" is designed to appeal to an organization that needs or wants more control over its data than it can get by using a third-party hosted service such as Amazon's Elastic Compute Cloud (EC2) or Simple Storage Service (S3).

Hybrid Cloud: A hybrid cloud is a Cloud Computing environment in which an organization provides and manages some resources in-house and has others provided externally. For example, an organization might use a public cloud service, such as Amazon Simple Storage Service (Amazon S3) for archived data but continue to maintain in-house storage for operational customer data. Ideally, the hybrid approach allows a business to take advantage of the scalability and cost-effectiveness that a public cloud computing environment offers without exposing mission-critical applications and data to third-party vulnerabilities.

5. CONCLUSION

Cloud computing is the future of the IT industry. It helps industries make efficient use of their IT hardware and software resources at low cost. This paper discusses cloud computing security issues and challenges. It also analyzes cloud computing vulnerabilities and the security threats cloud computing faces, and presents the security objectives that need to be achieved. On one hand, the security-sensitive applications of cloud computing require a high degree of security; on the other hand, cloud computing is inherently vulnerable to security attacks. Therefore, there is a need to make these systems more secure and robust to adapt to the demanding requirements of these networks. The future of cloud computing is really appealing, giving the vision of cheap communications. At present, the general trend in cloud computing is toward mesh architecture and large scale. Improvement in bandwidth and capacity is required, which implies the need for a higher frequency and better spatial spectral reuse. Large-scale cloud computing is another challenging issue in the near future which can already be foreseen.


