The History Of Layered Architecture Reference

02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Framework (7LARF) For Cloud Computing Security

Jaishankar Patil, B.Vamshi Krishna

Department of Computer Science and Engineering

Malla Reddy College of Engineering And Technology

Jawaharlal Nehru Technological University Hyderabad Kukatpally, Hyderabad -500 085, Andhra Pradesh, India

Abstract: Cloud computing technologies are evolving as a common way of virtualizing infrastructure services and resources and provisioning them on demand. Their potential benefits are cost savings and higher productivity for various organizations. The elastic nature of the cloud makes it suitable for almost any type of organization, but security issues such as privacy, data leakage and cyber-attacks are a major concern in the adoption of cloud. These security issues can be reduced by providing a multi-layer Cloud Services Model (CSM) that combines commonly adopted cloud service models, such as IaaS, PaaS and SaaS, in one multilayer model. This paper focuses on a layered architectural framework for cloud infrastructure services provisioned on demand, and on the top security threats and vulnerabilities suggested by security experts. The security framework is for end-to-end security in cloud computing architecture. The proposed framework is developed from the collective suggestions of security experts and is aimed at guaranteeing increased security for cloud resources.

Keywords: Cloud computing, Security, Architecture, Trust, SLA, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).

I. INTRODUCTION

According to Gartner, cloud computing is a style of computing where massively scalable IT-related capabilities are provided as a service across the Internet to multiple external customers. We have seen rapid adoption of software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS), and strong growth in cloud delivery of security services. Now is the time to plan how to ensure company and customer data can be protected when cloud services are used, and how security policies and architectures can take advantage of cloud delivery to actually increase levels of security [1].

The multi-layer cloud services model (CSM) is divided into 7 layers; if we apply a suitable security technique at each individual layer, we can increase the level of security. CSM is vertical cloud services interaction, integration and compatibility that defines both the relations between cloud service models (such as IaaS, PaaS, SaaS) and other required functional layers and components of the general cloud-based services infrastructure. This Layered Architectural Reference Framework describes which security technique needs to be applied at each of the 7 layers. The CSM framework divides the architecture into 7 layers on the basis of the services provided by the resources, including integration and interoperability services. Cloud technologies are evolving as a common way of infrastructure services and resources virtualisation and provisioning on demand. In this way, they bring application and infrastructure service mobility and physical/hardware platform independence to the existing distributed computing and networking technologies.

The proposed framework includes 7 layers, each composed of different resources. They are described as follows:

Layer 1 - Physical platform: This layer is composed of resources such as PC hardware, network, storage resources, servers, compute resources, network infrastructure, workstations and many more.

Layer 2 - Cloud virtualisation layer: This layer is composed of resources such as virtual machines (e.g. represented by VMware, Xen or KVM as virtualisation platforms).

Layer 3 - Cloud virtual resources composition: This layer is represented by the Cloud Management Software, i.e. hypervisor, such as OpenNebula, OpenStack, or others.

Layer 4 - Infrastructure-as-a-Service (IaaS): This layer is composed of the first three layers; moreover, the system infrastructure can also include database management systems and other storage services. The infrastructure in general is managed by an upper management layer that guarantees runtime environment customization, application isolation, accounting and quality of service. Virtualization tools such as hypervisors also sit in this layer to manage the resource pool and to partition the physical infrastructure in the form of customized virtual machines. Depending on end-user needs, the virtualized infrastructure is pre-configured with storage and a programming environment, which saves time for users who do not need to build their system from scratch.

Layer 5 - Platform-as-a-Service (PaaS): It offers cloud users a development platform to build their applications. In general, PaaS includes the lower layer (IaaS) as well, bundled with the offered service. Pure PaaS offers only the user-level middleware, which allows development and deployment of applications on any cloud infrastructure and generally includes specific components for developing applications and advanced services for application monitoring, management and reporting. PaaS providers reduce risk in terms of the upgrade cost of underlying platforms and allow cloud users to concentrate on application development.

Layer 6 - Software as a Service (SaaS): This layer is composed of a software delivery model providing on-demand access to applications. The most common examples of such a service are CRM and ERP applications, which are commonly used in almost all enterprises, from small to large businesses. In general, SaaS providers also constitute other layers of cloud computing and thus maintain the customer data and configure the applications according to customer need.

Layer 7 - User client or application: Browsers are the entry point for accessing cloud services, so the browser is one of the components of the user client, along with the session and many more.

The remainder of the paper is organized as follows. Section 2 provides an overview and detailed related work. Section 3 describes the top security risks in the cloud computing environment. Section 4 describes the proposed multi-layer cloud services architecture. Section 5 describes the security concerns beyond the architecture. Section 6 describes the conclusion and future work of the proposed multi-layered architecture.

II. RELATED WORK

Cloud computing is a growing trend that offers an innovative way to deliver software, data storage, and computing services. The term cloud computing refers in general to the delivery of services on demand over the Internet. Most large-scale IT companies, such as Amazon, Google, Rackspace, IBM, TCS-India, Wipro, Infosys, Microsoft and VMware, offer cloud computing services throughout the world. They provide the complete infrastructure to manage IT services on an on-demand basis. Customers can dynamically choose their computing services according to their changing needs at reduced costs. Adopting cloud computing may have a positive as well as a negative impact on the cloud user. Cloud services can be deployed in different ways, depending on the organizational structure and the provisioning location. Four deployment models are usually distinguished, namely public, private, community and hybrid cloud service usage [3].

A. Public Cloud

The deployment of a public cloud computing system is characterized on one hand by the public availability of the cloud service offering and on the other hand by the public network that is used to communicate with the cloud services. The cloud services and cloud resources are procured from very large resource pools that are shared by all end users.

B. Private Cloud

Private cloud computing systems emulate public cloud service offerings within an organization's boundaries to make services accessible to one designated organization. Private cloud computing systems make use of virtualization solutions and focus on consolidating distributed IT services, often within data centers belonging to the company.

C. Community Cloud

In a community cloud, organizations with similar requirements share a cloud infrastructure. It may be understood as a generalization of a private cloud, a private cloud being an infrastructure which is only accessible by one certain organization.

D. Hybrid Cloud

A hybrid cloud service deployment model implements the required processes by combining the cloud services of different cloud computing systems, e.g. private and public cloud services. The hybrid model is also suitable for enterprises in which the transition to full outsourcing has already been completed, for instance, to combine community cloud services with public cloud services.

III. TOP SECURITY RISKS

The top security threats and vulnerabilities suggested by security experts are [4]:

Loss of Governance: In using cloud infrastructures, the client necessarily cedes control to the Cloud Provider (CP) on a number of issues which may affect security. At the same time, SLAs may not offer a commitment to provide such services on the part of the cloud provider, thus leaving a gap in security defenses.

Lock-In: There is currently little on offer in the way of tools, procedures, standard data formats or service interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another, or to migrate data and services back to an in-house IT environment. This introduces a dependency on a particular CP for service provision, especially if data portability, as the most fundamental aspect, is not enabled.

Isolation Failure: Multi-tenancy and shared resources are defining characteristics of cloud computing. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks). However, it should be considered that attacks on resource isolation mechanisms (e.g., against hypervisors) are still less numerous and much more difficult for an attacker to put into practice compared to attacks on traditional OSs.

Compliance Risks: Investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud if the CP cannot provide evidence of their own compliance with the relevant requirements, or if the CP does not permit audit by the cloud customer. In certain cases, it also means that using a public cloud infrastructure implies that certain kinds of compliance cannot be achieved.

are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.

Data Protection: Cloud computing poses several data protection risks for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, between federated clouds. On the other hand, some cloud providers do provide information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the data controls they have in place, e.g., SAS70 certification.

Insecure or Incomplete Data Deletion: When a request to delete a cloud resource is made, as with most operating systems, this may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a customer perspective), either because extra copies of data are stored but are not available, or because the disk to be destroyed also stores data from other clients. In the case of multiple tenancies and the reuse of hardware resources, this represents a higher risk to the customer than with dedicated hardware.

Malicious Insider: While usually less likely, the damage which may be caused by malicious insiders is often far greater. Cloud architectures necessitate certain roles which are extremely high-risk. Examples include CP system administrators and managed security service providers.

NB: the risks listed above do not follow a specific order of criticality; they are just ten of the most important cloud computing specific risks identified during the assessment. The risks of using cloud computing should be compared to the risks of staying with traditional solutions, such as desktop-based models. To facilitate this, in the main document we have included estimates of relative risks as compared with a typical traditional environment. Please note that it is often possible, and in some cases advisable, for the cloud customer to transfer risk to the cloud provider; however, not all risks can be transferred: if a risk leads to the failure of a business, serious damage to reputation or legal implications, it is hard or impossible for any other party to compensate for this damage. Ultimately, you can outsource responsibility but you can't outsource accountability.

IV. PROPOSED LAYERED ARCHITECTURE OF CLOUD COMPUTING

The layered architectural view addresses the security issues in the cloud computing environment in order to provide security for the customer. The proposed architecture is divided into seven layers based on the categorization of cloud computing services as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), etc. Some of the important layers of IaaS are the network layer, storage layer, server layer, hypervisor layer and virtualization. It is the responsibility of the CSP to secure all the layers in IaaS, as shown in the framework below. Application integrity and the runtime environment are taken care of by the PaaS layer, and finally browser security, data transmission security and session security are taken care of at the user layer.

Ensuring Security Against The Various Types Of Threats At Different Layers

Layer 1: Physical Platform

In this layer, security issues can be handled by the cloud service provider. The major security threats and solutions are as follows.

A) Network Security

This layer covers the logical security of routers, switches, other devices and the locations where data or virtual images are stored in the data centre, achieved by configuring them effectively.

Fig. 1. A Layered Architecture of Cloud Computing

To achieve this security, different controls, e.g. firewalls, IDS/IPS, patching and backups, can be put in place to manage the security of the network by denying unauthorized access. We can deploy AAA (Authentication, Authorization and Accountability) servers for strong authentication. Other network security threats are:

• DNS Attack: A Domain Name Server (DNS) performs the translation of a domain name to an IP address, since domain names are much easier to remember. Hence DNS servers are needed. Domain Name System Security Extensions (DNSSEC) reduce the effects of DNS attacks [5].

• Sniffer Attacks: These types of attacks are launched by applications which can capture packets flowing in a network, and the transmitted data can be read if it is not encrypted. There is a chance that vital information flowing across the network can be traced or captured. A sniffer program can record data/traffic linked to other systems on the network through the NIC (Network Interface Card). A malicious sniffing detection platform based on ARP (Address Resolution Protocol) and RTT (round trip time) can be used to detect a sniffing system running on a network [6].

• Issue of Reused IP Addresses: Each node of a network is provided with an IP address, and the number of IP addresses that can be assigned is limited. A large number of cases related to the reused IP address issue have been observed lately. When a particular user moves out of a network, the IP address previously associated with that user is assigned to a new user. This sometimes risks the security of the new user, as there is a certain time lag between the change of an IP address in DNS and the clearing of that address in DNS caches [7].

B) Server Security

This layer covers the security of cloud servers and gives some guidelines for the safe usage of a cloud server [8]. Stop your server instances when not in use. You should stop your cloud server instances while you are not using them. A good workflow while using cloud computer instances is to start them when you want to begin a work session, and then stop them when you are done. Understand the basics of public-key cryptography, and keep your key pair file in a safe place where you can find it and where it is not exposed through any web-facing folder. Don't surf the internet from your servers. Please do not use the browsers installed on your cloud computing instances to go to any website that you do not need to access to complete your work. There are a lot of security vulnerabilities in JavaScript, Flash, and other technologies that make internet use entertaining and productive. Only visit those websites which you trust.

• Server Security in Production: A production server is one that is serving your business content live to end users in a highly available and highly secure manner. Here are some general principles that you should know [8]. Turn off the operating system components and services you are not using: if a computer is being used as a machine to launch web servers and databases, but is not running a web server or a database itself, then disable the web server and database software on that computer. Limit account access. Use an administrative account only for administrative tasks. Normal usage should use an account with more restricted rights. Limit port access. Use firewalls to restrict port availability, and be cautious when opening ports. If you are using Web services, use Security Groups as well as a firewall on your operating system for defense in depth. Keep your operating system and server software patched and up to date.

Layer 2: Cloud Virtualisation Layer

Virtual Machines Security: Vendors need to treat each virtual machine as if it were a separate physical server when it comes to security. Virtual machines share the same security vulnerabilities as physical machines and should be protected from the same problems: hardware failures, viruses, hacking and data corruption. Best practices for virtual server security, as identified by the Center for Internet Security, include [9]:

• The firewalling of virtual machine layer service ports.
• The use of encryption for communication.
• Utilization of a hardened operating system for the VM.
• The disconnection of unused devices.
• The checking of file integrity.
• The use of strong passwords.
• The use of data encryption techniques (File/DB).
• The use of host-based intrusion detection/prevention (IDS/IPS).

Layer 3: Cloud Virtual Resources Composition

Hypervisor Security: In most cases control of individual virtual machines is the responsibility of the cloud users; vendors need to ensure robust security of the hypervisor itself, the tool which keeps the individual virtual machines separate. The service provider should pay particular attention to the hypervisor, as security breaches at this level can have major cascading effects. Particular attention should be paid to ensuring that vendors are using the latest production or stable version of their particular hypervisor and that security patches are applied quickly to maintain the integrity of the hypervisor layer [9].

Layer 4: Infrastructure-as-a-Service (IaaS)

A) Data Security or Storage Security

If you are concerned about storing sensitive and confidential data in the cloud, you should encrypt the data (individual files) before uploading it to the cloud. For example, encrypt the data using any open-source or commercial PGP-based tool before storing it on the cloud server, and decrypt it after download. File encryption depends on the operating system. For example, Amazon EC2 instances running Windows can use the built-in Windows Encrypting File System (EFS) feature. This feature handles the encryption and decryption of files and folders automatically and makes the process transparent to users. However, despite its name, EFS doesn't encrypt the entire file system; instead, it encrypts individual files. If you need a fully encrypted volume, consider using the open-source TrueCrypt product; this integrates very well with NTFS-formatted EBS volumes, so that only the users and processes on the server can see the data in clear text, while anything or anyone outside the server sees only encrypted data. When the client's objective is met or the client wants to discontinue the service, the client's data should be removed from the server. There should be a proper disposal mechanism for the data, because that data may contain critical information and may cause risk if it reaches the wrong person. Special attention must be paid to garbage disposal from the virtual image location. Data Coloring and Software Watermarking are also used to secure the data from data leakage [10].

B) Identity and Access Management (IAM)

Identity and Access Management (IAM) [11] makes it possible to create multiple Users and manage the permissions for each of these Users within the Admin Account. A User has an identity with unique security credentials that can be used to access role-based Services. IAM eliminates the need to share passwords or access keys, and makes it easy to enable or disable a User's access as appropriate. IAM enables you to implement security best practices, such as least privilege, by granting unique credentials to every User within the admin account and only granting permission to access the role-based Services and resources required for the Users to perform their job. IAM is secure by default; new Users have no access to Services until permissions are explicitly granted by the admin. There should be automatic identity provisioning at the time when a new user is going to use the services. Automated provisioning, authentication and authorization are the major concerns for security. We can solve this problem by using various solutions such as single sign-on, federated identity, access control lists, directory-based services, attribute-based access and role-based services.

Layer 5: Platform-as-a-Service (PaaS)

A) Operating System Security

This aspect of security assumes an understanding of the difference between physical machines and virtual machines. Virtualization is the division of a single physical server into multiple virtual servers containing multiple sets of segregated data. The operating system which hosts virtual machines requires extra security, as it is the manager for the guest virtual machines. Any vulnerability within the base OS can have an impact on individual virtual machines. If a vulnerability is within a particular virtual machine, it will affect only that machine, whereas vulnerabilities in the host OS could give hackers access to all virtual machines on the same piece of hardware. Host machines should have extra protection, including an intrusion detection system, the minimum number of user accounts possible, controls to limit administrator access to named accounts, strong/complex access passwords, no publicly accessible network services, and hardened systems running only the necessary programs, services and drivers.

B) Cloud Application Integrity Security

In a cloud computing system, the major responsibility is integrating and maintaining instances of virtual machines (IaaS) or explicit service execution modules (PaaS). For any user request, the cloud system is responsible for determining a free-to-use instance of the implementation type for the requested service, and the address for accessing that new instance is communicated to the requesting user. The cloud malware injection attack is a basic attack on a cloud system. This type of attack aims at injecting a service implementation or virtual machine into the cloud system. Such cloud malware could serve any particular purpose for the attacker, who can modify the data, affect the functionality or completely block the system. Such attacks can be prevented with the help of the following guidelines. The File Allocation Table (FAT) system architecture is supported by virtually all existing operating systems. Information about the instances that have already been executed from the customer's machine is stored in the FAT table. This information can be used for a cross-check when the user is going to run the code or application again. This requires a hypervisor to be deployed at the provider's end. This hypervisor will be considered the most secured and sophisticated part of the cloud system, whose security cannot be breached by any means. The hypervisor is responsible for scheduling all the instances, but before scheduling it will check the integrity of the instance from the FAT table of the customer's VM. Another approach is to store the OS type of the customer in the first phase, when a customer opens an account. As the cloud is totally OS platform independent, before launching an instance in the cloud, the OS type from which the instance was requested can be cross-checked against the account holder's OS type.
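
The two pre-scheduling checks described above, sketched as an added example (not code from the paper). It swaps the FAT-table record for a SHA-256 digest registry kept at the provider's end; the class and method names and the sample images are assumptions.

```python
import hashlib
import hmac


class InstanceRegistry:
    """Provider-side record consulted before an instance is scheduled."""

    def __init__(self):
        self._account_os = {}   # account -> OS type recorded when the account was opened
        self._digests = {}      # (account, instance name) -> SHA-256 hex digest

    def open_account(self, account, os_type):
        self._account_os[account] = os_type

    def register(self, account, name, image):
        """Record the digest of an image the customer has legitimately deployed."""
        if account not in self._account_os:
            raise KeyError(f"unknown account: {account}")
        self._digests[(account, name)] = hashlib.sha256(image).hexdigest()

    def admit(self, account, name, image, requested_from_os):
        """Return (allowed, reason); the scheduler runs the instance only if allowed."""
        expected = self._digests.get((account, name))
        if expected is None:
            # An implementation nobody registered is treated as injected.
            return False, "instance was never registered for this account"
        actual = hashlib.sha256(image).hexdigest()
        if not hmac.compare_digest(expected, actual):
            return False, "image does not match the registered digest"
        if self._account_os.get(account) != requested_from_os:
            return False, "request OS type differs from the account's OS type"
        return True, "ok"


def demo():
    """Run the checks over constructed sample images (not real VM images)."""
    reg = InstanceRegistry()
    reg.open_account("acct-1", "linux")
    original = b"constructed sample service image v1"
    reg.register("acct-1", "billing-service", original)
    return [
        reg.admit("acct-1", "billing-service", original, "linux"),
        reg.admit("acct-1", "billing-service", original + b" + extra module", "linux"),
        reg.admit("acct-1", "report-service", b"never registered", "linux"),
        reg.admit("acct-1", "billing-service", original, "windows"),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```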

C) Side Channel Attacks Security

An attacker could attempt to compromise the cloud by placing a malicious virtual machine in close proximity to a target cloud server and then launching a side-channel attack. Side-channel attacks have emerged as an effective kind of security threat targeting the system implementation of cryptographic algorithms. Evaluating a cryptographic system's resilience to side-channel attacks is therefore important for secure system design. Security can be provided using a combination of a virtual firewall appliance and random encryption and decryption (using the concept of confusion and diffusion), because it provides security for both the front end and the back end of the cloud computing architecture and also provides RAS (Reliability, Availability, and Security) [12].

Layer 6: Software-as-a-Service (SaaS)

A) Wrapping Attack Security

For a wrapping attack, the attacker performs the deception during the translation of the SOAP message in the TLS (Transport Layer Service) layer. The body of the message is duplicated and sent to the server as if from a legitimate user. The server checks the authentication by the Signature Value (which is also duplicated), and integrity checking for the message is done. As a result, the attacker is able to intrude into the cloud and can run malicious code to interrupt the usual functioning of the cloud servers. This could be prevented by increasing security during the message passing from the web server to a web browser using the SOAP message. Specifically, as the signature value is appended, a redundant bit (STAMP bit) is added to the SOAP header. This bit is toggled when the message is interfered with by a third party during the transfer. When the message is received at the destination, the STAMP bit is checked first; if it is found toggled, a new signature value is generated at the browser end and the new value is sent back to the server and recorded, to modify the authenticity checking. The attacker can no longer interrupt the customer request with a duplication of the SOAP body, because the previous signature value has already been altered. For this purpose, only a random signature value generator is needed at the browser end, and only the extra message overhead of one bit is required for an authenticity check.
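
A structural check that a receiving service can run alongside normal signature verification to catch the duplicated-body message described above. This is an added example, not code from the paper, and it is a different control from the STAMP bit proposal; the simplified message layout (ds:Signature placed directly in the SOAP header), the sample messages and the function name are assumptions.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
BODY = f"{{{SOAP}}}Body"
ID_ATTR = f"{{{WSU}}}Id"


def check_signed_body(xml_text):
    """Return a list of structural findings. An empty list means the element the
    signature refers to is the same Body the application will process.
    This does not verify the signature value itself."""
    # ElementTree keeps the example in the standard library; untrusted XML
    # should go through a hardened parser in production.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP}}}Envelope":
        return ["root element is not a SOAP Envelope"]
    findings = []

    # 1. Exactly one Body, and only as a direct child of the Envelope.
    top_bodies = root.findall(BODY)
    all_bodies = list(root.iter(BODY))
    if len(top_bodies) != 1:
        findings.append(f"expected 1 Body under Envelope, found {len(top_bodies)}")
    if len(all_bodies) != len(top_bodies):
        findings.append("Body element found outside its normal position")

    # 2. Every wsu:Id must be unique, or "#id" can resolve to two elements.
    seen = {}
    for element in root.iter():
        ident = element.get(ID_ATTR)
        if ident is not None:
            seen[ident] = seen.get(ident, 0) + 1
    for ident, count in seen.items():
        if count > 1:
            findings.append(f"wsu:Id '{ident}' is used {count} times")

    # 3. The signature must reference the Body that will actually be processed.
    refs = [ref.get("URI", "") for ref in root.iter(f"{{{DS}}}Reference")]
    body_id = top_bodies[0].get(ID_ATTR) if len(top_bodies) == 1 else None
    if not refs:
        findings.append("no ds:Reference found; the Body is not signed")
    elif body_id is None or f"#{body_id}" not in refs:
        findings.append("signature does not reference the Body that will be processed")
    return findings


def _sample(body_xml, header_extra=""):
    """Constructed sample message (not captured traffic); the signature is a placeholder."""
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:ds="{DS}" xmlns:wsu="{WSU}">
  <soap:Header>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    {header_extra}
  </soap:Header>
  {body_xml}
</soap:Envelope>"""


SIGNED_BODY = '<soap:Body wsu:Id="body-1"><getStatus/></soap:Body>'
GOOD = _sample(SIGNED_BODY)
# The signed Body has been copied into the header; a different Body takes its place.
WRAPPED = _sample('<soap:Body wsu:Id="body-2"><otherRequest/></soap:Body>',
                  header_extra=f"<Wrapper>{SIGNED_BODY}</Wrapper>")
# The Body appears twice with the same identifier.
DUPLICATE = _sample(SIGNED_BODY + SIGNED_BODY)

if __name__ == "__main__":
    for name, message in (("good", GOOD), ("wrapped", WRAPPED), ("duplicate", DUPLICATE)):
        print(name, check_signed_body(message))
```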

B) Data Transmission Security

Data may be secured on servers and at the client side and yet be leaked or tampered with in between, before delivery at either side; this is the concern of data security during transmission. In recent days we can find a lot of incidents in which data is breached in transit by a man-in-the-middle (MITM) attack or other similar attacks. We can deploy any of the preventive techniques available to ensure the security of data during transmission. We can choose one or a combination of many techniques, as per need and feasibility, from VPN, SSL/TLS, IPsec, etc.

Layer 7: User Client Or Application

A) Browser Security

Browsers are the entry point for accessing cloud services, so the browser is one of the most insecure parts of cloud computing. Usually hackers try to hack through the browser. Although browsers encrypt their communications with cloud providers, subtle disclosures of information are still possible. For example, the very presence or absence of message traffic, the sizes of messages sent, or the originating locations may leak information that is indirect but still of importance to some subscribers. Additionally, even strong cryptography can be weakened by implementation mistakes; a common mistake is to generate keys or passwords in a manner that reduces their strength, thus making the cryptography vulnerable to brute-force guessing attacks. Furthermore, man-in-the-middle attacks on the cryptographic protocols used by browsers can allow an attacker to hijack a subscriber's cloud resources. The browser itself may also get contaminated if the user visits malicious websites, and web browsers are often vulnerable to malicious websites. One work-around to this issue is for subscribers to use multiple browsers, to dedicate specific browsers to important SaaS applications, and not to use those browsers for general-purpose Web surfing that may expose them to attack.

B) Session Security

After logging in, a user establishes a session with the platform. Use session security to limit exposure to your network when a user leaves their computer unattended while still logged on. It also limits the risk of internal attacks, such as when one employee tries to use another employee's session. You can control the session expiration time window for user logins. Session expiration allows you to select a timeout for user sessions. The default session timeout is two hours of inactivity. When the session timeout is reached, users are prompted with a dialog that allows them to log out or continue working. If they do not respond to this prompt, they are automatically logged out.
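
The timeout behaviour described above, enforced on the server side, as an added example (not code from the paper or from any particular platform). The class, its method names and the 60-second length of the dialog's grace period are assumptions; the two-hour default is the one stated in the text.

```python
import secrets
import time

IDLE_TIMEOUT = 2 * 60 * 60  # two hours of inactivity, the default stated above
PROMPT_GRACE = 60           # assumed: seconds the log-out/continue dialog stays open


class SessionStore:
    """Server-side session table; the timeout is enforced here, not in the browser."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, grace=PROMPT_GRACE,
                 clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.grace = grace
        self._clock = clock
        self._sessions = {}  # session id -> {"user": ..., "last_seen": ...}

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def state(self, sid):
        """Return 'active', 'prompt' (the dialog should be shown) or 'expired'."""
        session = self._sessions.get(sid)
        if session is None:
            return "expired"
        idle = self._clock() - session["last_seen"]
        if idle < self.idle_timeout:
            return "active"
        if idle < self.idle_timeout + self.grace:
            return "prompt"
        del self._sessions[sid]  # no answer to the dialog: log out automatically
        return "expired"

    def request(self, sid):
        """Handle a normal request; return the user, or None if it must be refused."""
        if self.state(sid) != "active":
            # While the dialog is pending, requests do not extend the session.
            return None
        session = self._sessions[sid]
        session["last_seen"] = self._clock()
        return session["user"]

    def continue_session(self, sid):
        """The user chose to continue working in the dialog."""
        if self.state(sid) == "expired":
            return False
        self._sessions[sid]["last_seen"] = self._clock()
        return True

    def logout(self, sid):
        self._sessions.pop(sid, None)
```

Passing a custom clock, as the constructor allows, lets the timeout logic be exercised without waiting two hours.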

V. BEYOND THE ARCHITECTURE: AREAS OF CRITICAL FOCUS

A. Service Level Agreement

Service-level agreements (SLAs) are offered by service providers to express their commitment to the delivery of a certain QoS. To customers, an SLA serves as a warranty. An SLA usually includes availability and performance guarantees. Additionally, metrics must be agreed upon by all parties, as well as penalties for violating these expectations. Most service providers focus their SLA terms on availability guarantees, specifying the minimum percentage of time the system will be available during a certain period. Although cloud consumers do not have control over the underlying computing resources, they do need to ensure the reliability and performance of resources when they have migrated their core business functions onto their entrusted cloud. In other words, it is vital for consumers to obtain guarantees from providers on service delivery. Typically, these are provided through Service Level Agreements (SLAs) negotiated between the providers and consumers.

B. Disaster Recovery and Business Continuity

To minimize service interruption due to hardware failure, natural disaster, or other catastrophes, the service provider should implement a disaster recovery program at all of its data centers. This program includes multiple components to minimize the risk of any single point of failure, including the following. Data replication and backup: To help ensure availability in the event of a disaster, service user data is replicated to multiple systems within a data center, and also replicated to a secondary data center. The service provider operates a geographically distributed set of data centers that is designed to maintain service continuity in the event of a disaster or other incident in a single region. High-speed connections between the data centers help ensure swift failover. Management of the data centers is also distributed to provide location-independent, around-the-clock coverage and system administration. In addition to the redundancy of data and regionally disparate data centers, the service provider should also have a business continuity plan for user data. This plan accounts for major disasters, such as a seismic event or a public health crisis, and it assumes people and services may be unavailable for up to 30 days. This plan is designed to enable continued operation of the provider's services for its customers.

C. Physical Security

The cloud service provider (CSP) should have experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the service platform and infrastructure. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. The CSP only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of the CSP. All physical access to datacenters by employees is logged and audited routinely.

VI. CONCLUSION AND FUTURE SCOPE

The elastic nature of the cloud makes it suitable for almost any type of organization, but security is a major concern in cloud adoption. It is very difficult to manage the confidentiality, integrity and availability of data in the cloud. Different CSPs are trying their best, but each has its own security policies. These differing policies overwhelm clients, since they all follow different sets of standards and the client is not aware of what security the CSPs provide or how they provide it. A systematic and standard approach is therefore needed. This paper proposes a layered framework for cloud security that can be used as a standard. We tried to cover every layer of security, i.e., Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS). Inclusion of this kind of standard for cloud security in SLAs will definitely be beneficial in terms of building trust and maintaining privacy, by giving a wide range of security solutions and transparency in service policies. The current work is at a very early stage, and in future it can be expanded into a complete cloud security framework by any standardizing organization. The framework should be developed by experts with the involvement of CSPs and clients at every stage. Many other domains may emerge, such as Host Operating System level security. A guideline for securing the cloud against various threats and vulnerabilities may also be included. Finally, we can say cloud security has not yet reached maturity, and this initiative will definitely act as a ray of hope.



