COMPUTER CLOUD SECURITY SYSTEM
ABSTRACT
Cloud Computing is a
flexible, cost-effective, and proven delivery platform for providing
business or consumer IT services over the Internet. However, Cloud
Computing presents an added level of risk because essential services are
often outsourced to a third party, which makes it harder to maintain
data security and privacy, support data and service availability, and
demonstrate compliance. Cloud Computing leverages many technologies
(SOA, virtualization, Web 2.0); it also inherits their security issues,
which we discuss here, identifying the main vulnerabilities in these
kinds of systems and the most important threats found in the literature
related to Cloud Computing and its environment, and relating these
vulnerabilities and threats to possible solutions.
CHAPTER ONE
1.0 Introduction
The importance of Cloud Computing is
increasing, and it is receiving growing attention in the scientific and
industrial communities. A study by Gartner [2011] considered Cloud
Computing the first among the top 10 most important technologies, with
better prospects in successive years among companies and
organizations.
Cloud Computing enables ubiquitous,
convenient, on-demand network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage, applications, and
services) that can be rapidly provisioned and released with minimal
management effort or service provider interaction.
Cloud Computing appears as a
computational paradigm as well as a distribution architecture, and its
main objective is to provide secure, quick, convenient data storage and
net computing service, with all computing resources visualized as
services and delivered over the Internet [Zhao G, Liu J, Tang Y:2011,
Zhang S, Zhang S:2012:p342]. The cloud enhances collaboration, agility,
scalability, availability, and the ability to adapt to fluctuations in
demand; it accelerates development work and provides potential for cost
reduction through optimized and efficient computing [Marinos A, Briscoe
G:2011:p53].
Cloud Computing combines a number of
computing concepts and technologies such as Service Oriented
Architecture (SOA), Web 2.0, virtualization and other technologies with
reliance on the Internet, providing common business applications online
through web browsers to satisfy the computing needs of users, while
their software and data are stored on the servers [Marinos A, Briscoe
G:2009:p93]. In some respects, Cloud Computing represents the maturing
of these technologies and is a marketing term to represent that maturity
and the services they provide [Centre for the Protection of National
Infrastructure:2010].
Although there are many benefits to
adopting Cloud Computing, there are also some significant barriers to
adoption. One of the most significant barriers to adoption is security,
followed by issues regarding compliance, privacy and legal matters [8].
Because Cloud Computing represents a relatively new computing model,
there is a great deal of uncertainty about how security at all levels
(e.g., network, host, application, and data levels) can be achieved and
how application security is moved to Cloud Computing [Rosado DG, Gómez
R, Mellado D:2012:p12]. That uncertainty has consistently led
information executives to state that security is their number one
concern with Cloud Computing [Mather T, Kumaraswamy S:2009:p43].
Security concerns relate to risk areas
such as external data storage, dependency on the “public” internet, lack
of control, multi-tenancy and integration with internal security.
Compared to traditional technologies, the cloud has many specific
features, such as its large scale and the fact that resources belonging
to cloud providers are completely distributed, heterogeneous and totally
virtualized. Traditional security mechanisms such as identity,
authentication, and authorization are no longer enough for clouds in
their current form [Li W, Ping L:2009:p45]. Security controls in Cloud
Computing are, for the most part, no different than security controls in
any IT environment. However, because of the cloud service models
employed, the operational models, and the technologies used to enable
cloud services, Cloud Computing may present different risks to an
organization than traditional IT solutions. Unfortunately, integrating
security into these solutions is often perceived as making them more
rigid [Cloud Security Alliance:2012].
Moving critical applications and
sensitive data to public cloud environments is of great concern for
corporations that are moving beyond the data center network under
their control. To alleviate these concerns, a cloud solution
provider must ensure that customers will continue to have the same
security and privacy controls over their applications and services,
provide evidence to customers that their organization is secure and
that they can meet their service-level agreements, and show that they
can prove compliance to auditors [Rittinghouse JW:2009:p123].
We present here a categorization of
security issues for Cloud Computing focused on the so-called SPI model
(SaaS, PaaS and IaaS), identifying the main vulnerabilities in these
kinds of systems and the most important threats found in the literature
related to Cloud Computing and its environment. A threat is a potential
attack that may lead to a misuse of information or resources, and the
term vulnerability refers to the flaws in a system that allow an attack
to be successful. Some existing surveys focus on one
service model, or list cloud security issues in general
without distinguishing between vulnerabilities and threats. Here, we
present a list of vulnerabilities and threats, and we also indicate which
cloud service models can be affected by them. Furthermore, we describe
the relationship between these vulnerabilities and threats, explain how
these vulnerabilities can be exploited in order to perform an attack, and
present some countermeasures related to these threats which try to
solve or improve the identified problems.
The remainder of the paper is organized
as follows: Section 2 presents the results obtained from our systematic
review. Next, in Section 3 we define in depth the most important
security aspects for each layer of the Cloud model. Later, we will
analyze the security issues in Cloud Computing identifying the main
vulnerabilities for clouds, the most important threats in clouds, and
all available countermeasures for these threats and vulnerabilities.
Finally, we provide some conclusions.
1.1 Background of Study
Several trends are opening up the era of
Cloud Computing, which is an Internet-based development and use of
computer technology. The ever cheaper and more powerful processors,
together with the software as a service (SaaS) computing architecture,
are transforming data centers into pools of computing service on a huge
scale. Increasing network bandwidth and reliable yet flexible
network connections even make it possible for users to subscribe
to high-quality services from data and software that reside solely on
remote data centers.
Moving data into the cloud offers great
convenience to users since they don’t have to care about the
complexities of direct hardware management. Amazon Simple Storage
Service (S3) and Amazon Elastic Compute Cloud (EC2), from the pioneer
of Cloud Computing vendors, are both well-known examples. While these
Internet-based online services do provide huge amounts of storage space
and customizable computing resources, this computing platform shift
is at the same time eliminating the responsibility of local machines
for data maintenance. As a result, users are at the mercy of
their cloud service providers for the availability and integrity of
their data. Recent downtime of Amazon’s S3 is such an example. From the
perspective of data security, which has always been an important aspect
of quality of service, Cloud Computing inevitably poses new and
challenging security threats for a number of reasons. Firstly, traditional
cryptographic primitives for the purpose of data security protection
cannot be directly adopted due to the users’ loss of control over data
under Cloud Computing. Therefore, verification of correct data storage in
the cloud must be conducted without explicit knowledge of the whole data.
Considering the various kinds of data stored in the cloud for each user
and the demand for long-term continuous assurance of their data safety,
the problem of verifying correctness of data storage in the cloud becomes
even more challenging. Secondly, Cloud Computing is not just a
third-party data warehouse. The data stored in the cloud may be frequently
updated by the users, including insertion, deletion, modification,
appending, reordering, etc. Ensuring storage correctness under dynamic
data update is hence of paramount importance. However, this dynamic
feature also makes traditional integrity insurance techniques futile and
entails new solutions. Last but not least, the deployment of Cloud
Computing is powered by data centers running in a simultaneous,
cooperative and distributed manner. Each user’s data is redundantly
stored in multiple physical locations to further reduce the data
integrity threats. Therefore, distributed protocols for storage
correctness assurance will be of utmost importance in achieving a robust
and secure cloud data storage system in the real world. However, this
important area remains to be fully explored in the literature.
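Added example (not part of the original study): a simplified single-server spot-check audit in which the data owner verifies storage without keeping the file, and which also shows why a legitimate update invalidates precomputed checks. All function names, the block size and the sample file are hypothetical and constructed for illustration; this is not the distributed protocol the text calls for.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes per block; tiny so the constructed sample stays small

def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def proof(blocks, nonce, indices):
    """Provider side: MAC the challenged blocks under the one-time nonce."""
    mac = hmac.new(nonce, digestmod=hashlib.sha256)
    for i in indices:
        mac.update(i.to_bytes(4, "big") + blocks[i])
    return mac.digest()

def precompute_challenges(blocks, count, sample):
    """Owner side, before upload: keep (nonce, indices, expected), drop the data."""
    rng = secrets.SystemRandom()
    challenges = []
    for _ in range(count):
        nonce = secrets.token_bytes(16)  # kept secret until the audit
        indices = sorted(rng.sample(range(len(blocks)), sample))
        challenges.append((nonce, indices, proof(blocks, nonce, indices)))
    return challenges

def audit(challenge, provider_blocks):
    """Owner side: reveal nonce and indices, compare the provider's answer."""
    nonce, indices, expected = challenge
    answer = proof(provider_blocks, nonce, indices)  # computed by the provider
    return hmac.compare_digest(expected, answer)

def demo():
    blocks = split_blocks(bytes(range(256)) * 4)  # constructed 1 KiB file
    c_ok, c_bad, c_stale = precompute_challenges(blocks, count=3, sample=8)
    honest = audit(c_ok, list(blocks))
    # Silent corruption of a block that the second challenge happens to sample.
    damaged = list(blocks)
    damaged[c_bad[1][0]] = bytes(BLOCK)
    # Legitimate owner update: the provider stores it correctly, yet the
    # precomputed record is now stale. This is the dynamic-data problem.
    updated = list(blocks)
    updated[c_stale[1][0]] = b"new content here"
    return {"honest_passes": honest,
            "corruption_detected": not audit(c_bad, damaged),
            "stale_after_update": not audit(c_stale, updated)}

if __name__ == "__main__":
    print(demo())
```

A challenge that samples s of n blocks notices a single damaged block with probability s/n, so assurance comes from repeated audits; each record is single-use because its nonce is revealed when it is spent.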
1.2 Statement of Problem
Cloud computing has become a social
phenomenon used by most people every day. As with every important social
phenomenon there are issues that limit its widespread adoption.
Most issues start from the fact that the
user loses control of his or her data, because it is stored on a
computer belonging to someone else (the cloud provider). This happens
when the owner of the remote servers is a person or organization other
than the user, as their interests may point in different directions (for
example, the user may wish that his or her information is kept private,
but the owner of the remote servers may want to take advantage of it
for their own business).
1.3 Objective of the Study
Due to the issue of security and privacy in cloud computing, the researcher's objectives for this study are as follows.
- Design an encryption system, attached to the system, that will ensure
that any user's data is encrypted with a security key before it is sent to the cloud.
- Devise a means of sharing data in a more secure and reliable manner over the cloud system.
- Create awareness of the security threats in cloud computing among
the people, so as to alert them on how to secure their information.
1.4 Motivation/Research Thoughts
The focus of the research question was to identify the
most relevant issues in Cloud Computing that concern vulnerabilities,
threats, risks, requirements and solutions of security for Cloud
Computing. This question had to be related to the aim of this work,
that is, to identify and relate vulnerabilities and threats with possible
solutions. Therefore, the research question addressed by our research
was the following: What security vulnerabilities and threats are the
most important in Cloud Computing which have to be studied in depth with
the purpose of handling them? The keywords and related concepts that
make up this question and that were used during the review execution
are: secure Cloud systems, Cloud security, delivery models security, SPI
security, SaaS security, PaaS security, IaaS security, Cloud threats,
Cloud vulnerabilities, Cloud recommendations, best practices in Cloud.
This led the researcher into this research work.
1.5 Significance of the Study
Enlighten the people, the users of cloud
computing, on the security challenges and how to resolve these issues.
Enhance the use and the effectiveness of cloud computing among the
people. Remove the fear of using cloud computing from the people, since
the research will come up with a new design that will solve the issue of
privacy and third party
1.6 Abbreviation/Definition
OOPS Object Oriented Programming Concepts
TCP/IP Transmission Control Protocol/Internet Protocol
JDBC Java Database Connectivity
EIS Enterprise Information Systems
BIOS Basic Input/Output System
RMI Remote Method Invocation
JNDI Java Naming and Directory Interface
ORDBMS Object Relational Database Management System
CSP Cloud Service Provider
J2ME Java 2 Micro Edition