Secure Cloud Architecture
Secure Cloud Architecture
net/publication/276196135
CITATIONS READS
12 563
2 authors, including:
Kashif Munir
University of Hafr Al Batin
22 PUBLICATIONS 29 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
Call for Chapters : Cloud Computing Technologies for Green Enterprises, http://www.igi-global.com/publish/call-for-papers/call-details/2324 View project
Call for Chapters: Advancing Consumer-Centric Fog Computing Architectures View project
All content following this page was uploaded by Kashif Munir on 02 August 2016.
ABSTRACT
Cloud computing is set of resources and services offered through the Internet. Cloud
services are delivered from data centers located throughout the world. Cloud computing
facilitates its consumers by providing virtual resources via internet. The biggest challenge in
cloud computing is the security and privacy problems caused by its multi-tenancy nature and the
outsourcing of infrastructure, sensitive data and critical applications. Enterprises are rapidly adopting
cloud services for their businesses, measures need to be developed so that organizations can be assured
of security in their businesses and can choose a suitable vendor for their computing needs. Cloud
computing depends on the internet as a medium for users to access the required services at any time on
pay-per-use pattern. However this technology is still in its initial stages of development, as it suffers
from threats and vulnerabilities that prevent the users from trusting it. Various malicious activities
from illegal users have threatened this technology such as data misuse, inflexible access control and
limited monitoring. The occurrence of these threats may result into damaging or illegal access of
critical and confidential data of users. In this paper we identify the most vulnerable security
threats/attacks in cloud computing, which will enable both end users and vendors t o k n o w a b o u t
the k e y se c ur it y threats associated with cloud computing and propose relevant solution directives to
strengthen security in the Cloud environment. We also propose secure cloud architecture for
organizations to strengthen the security.
KEYWORDS
Cloud Computing; Security and Privacy; Threats, Vulnerabilities, Secure Cloud Architecture.
1. INTRODUCTION
With Cloud Computing becoming a popular term on the Information Technology (IT) market,
security and accountability has become important issues to highlight. There are a number of
security issues/concerns associated with cloud computing but these issues fall into two broad
categories: Security issues faced by cloud providers (organizations providing Software-,
Platform-, or Infrastructure-as-a-Service via the cloud) and security issues faced by their
customers.[1] In most cases, the provider must ensure that their infrastructure is secure and that
their clients’ data and applications are protected while the customer must ensure that the
provider has taken the proper security measures to protect their information.[2]
Cloud computing has emerged as a way for IT businesses to increase capabilities on the fly
without investing much in new infrastructure, training of personals or licensing new software
[3].
DOI : 10.5121/acij.2013.4102 9
Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
NIST defines Cloud computing as a “model for enabling ubiquitous, convenient, on demand
network access to a shared pool of configurable computing resources that can be rapidly
provisioned and delivered with minimal managerial effort or service provider interaction” [4]. It
follows a simple “pay as you go” model, which allows an organization to pay for only the
service they use. It eliminates the need to maintain an in-house data center by migrating
enterprise data to a remote location at the Cloud provider’s site. Minimal investment, cost
reduction, and rapid deployment are the main factors that drive industries to utilize Cloud
services and allow them to focus on core business concerns and priorities rather than dealing
with technical issues. According to [5], 91 % of the organizations in US and Europe agreed that
reduction in cost is a major reason for them to migrate to Cloud environment.
As shown in Figure. 1, Cloud services are offered in terms of Infrastructure-as-a- service (IaaS),
Platform-as-a-service (PaaS), and Software-as-a-service (SaaS). It follows a bottom-up
approach wherein at the infrastructure level; machine power is de- livered in terms of CPU
consumption to memory allocation. On top of it, lies the layer that delivers an environment in
terms of framework for application development, termed as PaaS. At the top level resides the
application layer, delivering software outsourced through the Internet, eliminating the need for
in-house maintenance of sophisticated software [6]. At the application layer, the end users can
utilize software running at a remote site by Application Service Providers (ASPs). Here,
customers need not buy and install costly software. They can pay for the usage and their
concerns for maintenance are removed.
2. RELATED WORK
In [7] the authors discussed the security issues in a cloud computing environment. They
focused on technical security issues arising from the usage of cloud services. They discussed
security threats presented in the cloud such as VM-Level attacks, isolation failure,
management interface compromise and compliance risks and their mitigation. They also
presented cloud security architecture, using which; organizations can protect themselves
against threats and attacks. According to the authors the key points for this architecture are:
single-sign on, increased availability, defense in depth approach, single management console
and Virtual Machine (VM) protection.
In [8] the authors analyzed vulnerabilities and security risks specific to cloud computing
systems. They defined four indicators for cloud-specific vulnerability including: 1) it is
10
Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
intrinsic to or prevalent in core technology of cloud computing, 2) it has its root in one of
NIST’s essential cloud characteristics, 3) it is caused by cloud innovations making security
controls hard to implement, 4) it is prevalent in established state-of-the- art cloud offerings. The
authors were certain that additional cloud-specific vulnerabilities will be identified; others will
become less of an issue as the field of cloud computing matures. However, they believe
that using a precise definition of what constitutes vulnerability and the four indicators
they identified will provide a level of precision and clarity that the current discourse about
cloud computing security often lacks.
In [9] the author discussed some vital issues to ensure a secure cloud environment. This
included a basic view of security policies (e.g., inside threats, access control and system
portability), software security (e.g., virtualization technology, host operating system, guest
operating system and data encryption) and hardware security (e.g., backup, server location
and firewall). The author concluded that an important issue for the future of cloud security is
the use of open standards to avoid problems such as vendor lock-in and incompatibility.
Furthermore, the author believes that although there are no security standards specific to cloud
computing, conventional security concepts can be usefully applied.
La‘Quata Sumter et al. [10] sa ys: The rise in the scope of cloud computing has brought
fear about the Internet security and the threat of security in cloud computing is continuously
increasing. Consumers of the cloud computing services have serious concerns about the
availability of their data when required. Users have server concern about the security and
access mechanism i n c l o u d computing environment. To assure users that there information is
secure, safe not accessible to unauthorized people, they have proposed the design of a system
that will capture the movement and processing of the information kept on the cloud. They have
identified there is need of security capture device on the cloud, which will definitely ensure
users that their information is secure and safe from security threats and attacks. The
proposed implementation is based on a case study and is implemented in a small cloud
computing environment. They have claimed that there proposed security model for cloud
computing is a practical model cloud computing.
The advantage of their work is assurance of security to the end users of cloud. The limitation of
this study is there proposed framework is not feasible for large scale cloud computing
environments.
Meiko Jensen et al. [11] have shown that to improve cloud computing security, the security
capabilities of both web browsers and web service frameworks, should be strengthened. This
can best be done by integrating the latter into the former.
M. Jensen et al. [12] focus on special type of Denial of Service attacks on network based service
that relies on message flooding techniques, overloading the victims with invalid requests. They
describe some well known and some rather new attacks and discuss commonalities and
approaches for countermeasures.
Armbust M Fox et al. [13] discuss that resources should be virtualized to hide the
implementation of how they are multiplexed and shared.
Wayne [14]: In this paper benefits of cloud computing are highlighted along with the basic
security issues that are still associated with cloud services. Shaping the security of critical
systems is very important. Addressing the security issues faced by end users is extremely
mandatory, Researchers and professionals must work on the security issues associated with
cloud computing. Strong security policies must be designed to ensure data is safe and
prevented from unauthorized access, in both corporate data centers and in the cloud
11
Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
servers. This research brings primary problems in terms of cloud security, which are alleged to
cloud computing security and privacy issues. Further the study gazes primary security and
privacy Problems. It mainly focuses public clouds that needs significant consideration and
presents required facts and figures to make organizations data security decisions. Key
security issues identified and addressed in this paper are end user trust, Insider Access,
Visibility, Risk Management, Client-Side Protection, Server-Side Protection, Access Control
and Identity management.
The strengths of their work is identification and discussion on cloud computing security
issues which educates end users about security and private risks associated with cloud
services. The weakness is that they haven‘t proposed any tool or framework to address
identifies issues.
Rituik Dubey et al. [15] define different attacks scenarios and propose counter schemes for each.
M. Okuhara et al. [16] explain how customers, despite their deep-seated concerns and
uneasiness about cloud computing, can enjoy the benefits of the cloud without worry if cloud
services providers use appropriate architectures for implementing security measures. They
also describe the security problems that surround cloud computing and outline Fujitsu’s
security architecture for solving them.
[17] takes a detailed look at cloud computing security risks and conclude that, as computing
takes a step forward to cloud computing, security should not move backward. Users should
not accept moving backward in terms of security, and computing technology and security both,
must advance together.
[18] shows that some of the cutting edge technologies for cloud security are: self-protecting
data, trusted monitors, and searchable encryption. With the integration of these technologies
into their solutions, customers will have even more trust in their cloud provider.
[19] discusses the fundamental trusted computing technologies on which latest approaches to
cloud security are based.
[20] argues that, with continued research advances in trusted computing and computation-
supporting encryption, life in the cloud can be advantageous from a business-intelligence stand
point, over the isolated alternative that is more common now a days.
[21] describes Amazon Web Services’ (AWS) physical and operational security processes for
network and infrastructure under Amazon Web Services (AWS) management. It also gives
service specific security implementations for Amazon Web Services (AWS).
12
Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
External network attacks in the cloud are increasing at a notable rate. Malicious user outside the
Cloud often performs DoS or DDoS attacks to affect the availability of Cloud services and
resources. Port scanning, IP spoofing, DNS poisoning, phishing are also executed to gain access
of Cloud resources. A malicious user can capture and analyze the data in the packets sent over
this network by packet sniffing. IP spoofing occurs when a malicious user impersonates a
legitimate users IP address where they could access information that they would not have
been able to access otherwise. Availability is very important. Not having access to services
when needed can be a disaster for anyone especially in the case of being denied service. This
can occur when exhaustion of the host servers causes requests from legitimate consumers to be
denied. This can cost a company large amounts of money and time if the services they depend
on to operate are not available.
Internal attacker (authorized user) can easily get access to other user’s resources without being
detected. An insider has higher privileges and knowledge (related to network, security
mechanism and resources to attack) than the external attacker. Therefore, it is easy for an insider
to penetrate an attack than external attackers.
implementations, which can twist strong encryption into weak encryption or sometimes no
encryption at all. For example in cloud virtualization providers uses virtualization software to
partition servers into images that are provided to the users as on-demand services [24].
Although utilization of those VMs into cloud providers' data centres provides more flexible and
efficient setup than traditional servers but they don't have enough access to generate random
numbers needed to properly encrypt data. This is one of the fundamental problems of
cryptography. How do computers produce truly random numbers that can't be guessed or
replicated? In PCs, OS typically monitors users' mouse movements and key strokes to gather
random bits of data that are collected in a so-called Entropy Pool (a set of unpredictable
numbers that encryption software automatically pulls to generate random encryption
passkeys). In servers, one that don't have access to a keyboard or mouse, random numbers are
also pulled from the unpredictable movements of the computer's hard drive. VMs that act as
physical machines but are simulated with software have fewer sources of entropy. For
example Linux-based VMs, gather random numbers only from the exact millisecond time on
their internal clocks and that is not enough to generate strong keys for encryption [25].
14
Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
Mitigation: This can be avoided by using a proper security model for Cloud provider’s interface
and ensuring strong authentication and access control mechanism with encrypted transmission.
Mitigation: To avoid this risk, more transparency is required in security and management
process including compliance reporting and breach notification.
Mitigation: Implementation of SLA for patching, strong authentication, and access control to
administrative tasks are some of the solutions to address this issue.
Mitigation: Some of the mitigation strategies to address this threat include security policies,
strong authentication, and activity monitoring.
Mitigation: To avoid this Cloud provider should disclose partial infrastructure details, logs, and
data. In addition to this, there should also be a monitoring and alerting system.
Mitigation: However, better authentication and authorization and IDS/IPS can provide
protection against such an attack.
16
Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
6.3.1 VM Escape
In this type of attack, an attacker’s program running in a VM breaks the isolation layer in order
to run with the hypervisor’s root privileges instead with the VM privileges. This allows an
attacker to interact directly with the hypervisor. Therefore, VM Escape from the isolation is
provided by the virtual layer. By VM Escape, an attacker gets access to the host OS and the
other VMs running on the physical machine.
Mitigation: To overcome such an attack, information about services and applications should be
kept in encrypted form. Strong authentication (and authorization) should be enforced for
accessing such critical in- formation.
Mitigation: Better authentication and isolation between VMs can provide protection against
such attacks.
17
Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
Virtual firewall appliances should be deployed instead of first-generation firewalls. This allows
network administrators to inspect all levels of traffic, which includes basic web browser traffic,
to peer-to-peer applications traffic and encrypted web traffic in the SSL tunnel .Intrusion
Prevention Systems (IPS) should be installed to protect networks from internal threats from
insiders.
end users do not send sensitive or critical information outside of the corporate network. DLP
help a network administrator control what data end users can transfer.
hypervisor to hypervisor at the click of a button, whatever protection you've chosen has to
handle these activities with ease. Plus, as the number of VMs increases in the data center, it
becomes harder to account for, manage and protect them. And if unauthorized people gain
access to the hypervisor, they can take advantage of the lack of controls and modify all the VMs
housed there.
These virtual machines are vulnerable like their physical counterparts. Hence, to adequately
protect virtual machines, t h e y should he isolated from o t h e r network segments and
deep inspection at the network level should be implemented to prevent them both from
internal and external threats. Illegal internal access should be restricted by implementing
intrusion prevention systems and unauthorized external access should be protected by using
secure remote access technologies like IPSec or SSL VPN.
8. CONCLUSION
In this research paper we have discussed the characteristics of a cloud security that contains
threats/attacks and vulnerabilities. Organizations that are implementing cloud computing by
expanding their on-premise infrastructure, should be aware of the security challenges faced by
cloud computing. To protect against the compromise of the compliance integrity and security
of their applications and data, defense in depth approach must be applied. This line of defense
includes firewall, Intrusion detection and prevention, integrity monitoring, log inspection, and
malware protection. Proactive organizations and service providers should apply this protection
on their cloud infrastructure, to achieve security so that they could take advantage of cloud
computing ahead of their competitors. In this paper, a physical cloud computing security
architecture has been presented. In future, the proposed architecture may be modified with
the advancement of security technologies used for implementing this physical cloud
security architecture. By considering the contributions from several IT industries worldwide,
it’s obvious that cloud computing will be one of the leading strategic and innovative
technologies in the near future.
REFERENCES
[1] "Swamp Computing" a.k.a. Cloud Computing". Web Security Journal. 2009-12-28. Retrieved 2010-
01-25.
[2] "Thunderclouds: Managing SOA-Cloud Risk", Philip Wik". Service Technology Magazine. 2011-10.
Retrieved 2011-21-21.
[3] What cloud computing really means. InfoWorld. http://www.infoworld.com/d/cloud-
computing/what-cloud-computing-really-means-031?page=0,0
[4] Mell P, Grance T (2011) The nist definition of cloud computing (draft).
http://csrc.nist.gov/publications/drafts/800–145/Draft-SP-800-145_cloud-definition.pdf
[5] Ponemon (2011) Security of cloud computing providers study. http://www.ca.com/~/media/Files/
IndustryResearch/security-of-cloud-computing-providers-final-april-2011.pdf
[6] Software as a service-Wikipedia. Wikipedia. http://en.wikipedia.org/wiki/Software_as_a_service
[7] A. Tripathi and A. Mishra, “Cloud computing security considerations” IEEE Int. conference on
signalprocessing, communication and computing (ICSPCC), 14-16 Sept., Xi'an, Shaanxi, China,
2011
[8] Vadym Mukhin, Artem Volokyta, “Security Risk Analysis for Cloud Computing Systems”
The 6th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing
Systems: Technology and Applications, Prague, Czech Republic, 15-17 September 2011
[9] Mathisen, “Security Challenges and Solutions in Cloud Computing” 5th IEEE International
Conference on Digital Ecosystems and Technologies (IEEE DEST2011) , Daejeon, Korea, 31
May -3 June 2011
[10] R. La‘Quata Sumter, ―Cloud Computing: Security Risk Classificationǁ, ACMSE 2010, Oxford, USA
20
Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
[11] Meiko Jensen ,Jorg Sehwenk et al., “On Technical Security,Issues icloud Computing ”IEEE
International conference on cloud Computing, 2009.
[12] M.Jensen ,N.Gruschka et al., “The impact of flooding Attacks on network based
services”Proceedings of the IEEE International conference on Availiabilty,Reliability and
Security (ARES) 2008.
[13] Armbrust ,M. ,Fox, A., Griffth, R., et al “Above the clouds: A Berkeley View of Cloud Computing” ,
UCB/EECS-2009-28,EECS Department University of California Berkeley, 2009
http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf
[14] Wayne A. Jansen, ―Cloud Hooks: Security and Privacy Issues in Cloud Computingǁ, 44th Hawaii
International Conference on System Sciesnces 2011.
[15] Rituik Dubey et al., “Addressing Security issues in Cloud
Computing”http://www.contrib.andrew.cmu.edu/~rdubey/index_files/cloud%20com puting.pdf
[16] M. Okuhara et al., “Security Architecture for Cloud Computing”,
www.fujitsu.com/downloads/MAG/vol46-4/paper09.pdf
[17] “A Security Analysis of Cloud Computing” http://cloudcomputing.sys- con.com/node/1203943
[18] “Cloud Security Questions? Here are some answers”http://cloudcomputing.sys-
con.com/node/1330353
[19] Cloud Computing and Security –A Natural Match, Trusted Computing Group(TCG)
http://www.trustedcomputinggroup.org
[20] “Controlling Data in the Cloud:Outsourcing Computation without outsourcing Control
http://www.parc.com/content/attachments/ControllingDataInTheCloud- CCSW-09.pdf
[21] “Amazon Web services: Overview of Security processes “ September 2008 http://aws.amazon.com
[22] T. Schreiber, “Session Riding a Widespread Vulnerability in Today'sWeb Applications” [Online],
Available: http://www.securenet.de/papers/Session_Riding.pdf, white paper, 2004. [Accessed:
20-Jul-2011].
[23] J., Grimes, P., Jaeger, J., Lin, “Weathering the Storm: The Policy Implications of Cloud
Computing” [Online], Availablehttp://ischools.org/images/iConferences/CloudAbstract13109F
INAL.pdf , [Accessed: 19-Jul-2011].
[24] B. Grobauer, T. Walloschek, and E. Stocker, “Understanding Cloud Computing
Vulnerabilities,” Security & Privacy, IEEE, vol. 9, no. 2, pp.50-57, 2011.
[25] A., Greenberg, “Why Cloud Computing Needs More Chaos”
[Online],Available:http://www.forbes.com/2009/07/30/cloud-computing- security-technology-cio-
network-cloud-computing.html, 2009, [Accessed: 20-Jul-2011].
[26] Top 7 threats to cloud computing. HELP NET SECURITY. http://www.net-
security.org/secworld.php?id=8943
[27] Rion Dutta, ”Planning for Single SignOn”, White Paper, MIEL e- Security Pvt
[28] M. Armbrust, et al., A view of cloud computing. Commun. ACM. vol. 53 (2010), pp. 50-58
[29] Miranda Mowbray and Siani Pearson, A client-based privacy manager for cloud computing. In Proc.
Fourth International Conference on Communication System Software and Middleware (ComsWare),
Dublin, Ireland, 16-19 June 2009.
Authors
Kashif Munir receives his BSc degree in Mathematics and Physics from Islamia
University Bahawalpur in 1999. He received his MSc degree in Information
Technology from University Sains Malaysia in 2001. He also obtained another MS
degree in Software Engineering from University of Malaya, Malaysia in 2005. His
research area was in the field secure network for mobile devices, Cloud and pervasive
computing.
Mr. Kashif was the lecturer at Stamford College, Malaysia. Currently, he is Lecturer
in the Computer Science & Engineering Unit at Hafr Al-Batin Community College\KFUPM, Saudi
Arabia. He is doing his PhD at Malaysian University of Science and Technology, Malaysia.
21
Advanced Computing: An International Journal ( ACIJ ), Vol.4, No.1, January 2013
Prof. Dr. Sellappan Palaniappan is currently the Acting Provost and the Dean of
School of Science and Engineering at Malaysia University of Science and
Technology (MUST). Prior to joining MUST, he was an Associate Professor at the
Faculty of Computer Science and Information Technology, University of Malaya.
He holds a PhD in Interdisciplinary Information Science from the University of
Pittsburgh and a Master in Computer Science from the University of London.
Dr. Sellappan is a recipient of several Government research grants and has published numerous journals,
conference papers and IT books. He has served as an IT Consultant for several local and international
agencies such as the Asian Development Bank, the United Nations Development Programme, the World
Bank and the Government of Malaysia. He has conducted workshops for companies. He is also an
external examiner/assessor for several public and private universities. He was a member of IEEE (USA),
Chartered Engineering Council (UK) and British Computer Society (UK), and is currently a member of
the Malaysian National Computer Confederation (MNCC).
22