icrtitcs-2012 conference publication
DESCRIPTION
This presentation was delivered at the 2nd International Conference on Recent Trends in Information Technology and Computer Science in Mumbai. The paper deals with security issues in Cloud Computing, its mitigation and proposes a secure cloud mechanism with an implementation of the single-sign on mechanism on the Ubuntu Enterprise CloudTRANSCRIPT
ICRTITCS 2012 ICRTITCS 2012
17-18 Dec, 201217-18 Dec, 2012
Cloud Computing: Security Issues, Cloud Computing: Security Issues, Mitigation and a Secure Cloud Mitigation and a Secure Cloud
Architecture Architecture
Tejaswi Agarwal Tejaswi Agarwal School of Computing Science and School of Computing Science and
Engineering Engineering Vellore Institute of Technology-Vellore Institute of Technology-
Chennai Chennai
Amrit Sahoo Amrit Sahoo Department of Computer Science and Department of Computer Science and
Engineering Engineering National Institute of Technology-National Institute of Technology-
Trichy Trichy
ABSTRACT
Cloud computing, an emerging field in Information technology has changed the perception of infrastructure architectures, software delivery and deployment models.
In a nutshell, cloud computing could be classified as a term for delivering hosted services, dynamically scalable and shared resources on the internet.
Research in this technology has gained tremendous momentum in the past few years since its inception and one of the key research areas is considered to be the security aspects of cloud computing.
OBJECTIVE
This paper will classify the three models of cloud computing, some key differentiating
aspects between cloud, grid and distributed computing, a comprehensive study on the major
security concerns in cloud computing, its mitigation and describe a secure cloud
computing framework with an implementation of Single Sign on mechanism on Ubuntu
Enterprise Cloud
INTRODUCTIONThe most widely accepted definition of Cloud Computing given by National Institute of Science and Technology, USA is “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
Cloud computing involves getting services at a much lesser cost for the user, and the maintenance cost is zero as the service provider is responsible for availability.
• Backgroud: Backgroud: • SAAS: SAAS: Software as a service is software that is deployed as a Software as a service is software that is deployed as a
hosted service and accessed over the Internet to run behind a hosted service and accessed over the Internet to run behind a firewall in your local area network or personal computer. This is an firewall in your local area network or personal computer. This is an “on-demand” model deploying patches and upgrades to the “on-demand” model deploying patches and upgrades to the application transparently, and delivering access to end users over application transparently, and delivering access to end users over
the Internet through a browser or smart-client applicationthe Internet through a browser or smart-client application • PAAS: PAAS: PaaS can be defined as a computing platform that allows PaaS can be defined as a computing platform that allows
the creation of web applications quickly and easily and without the the creation of web applications quickly and easily and without the complexity of buying and maintaining the software and complexity of buying and maintaining the software and infrastructure underneath it . PaaS enables the end user to create infrastructure underneath it . PaaS enables the end user to create and maintain software using the libraries and tools of the service and maintain software using the libraries and tools of the service provider. provider.
• IAAS:IAAS: Infrastructure as a service refers to a facility availed by Infrastructure as a service refers to a facility availed by organisations that offers users the leverage of extra support organisations that offers users the leverage of extra support operations, including storage, hardware, servers and networking operations, including storage, hardware, servers and networking components. The resources are owned by the service provider and components. The resources are owned by the service provider and the client pays on per-use basis.the client pays on per-use basis.
CLOUD, GRID AND CLOUD, GRID AND
DISTRIBUTED DISTRIBUTED COMPUTING COMPUTING • Cloud computing is a model where an application Cloud computing is a model where an application
doesn't access resources it requires directly, rather it doesn't access resources it requires directly, rather it accesses them through a service. accesses them through a service.
• It has evolved out of the need for a more economic It has evolved out of the need for a more economic and scalable form of computing . and scalable form of computing .
• Distributed computing is the management of Distributed computing is the management of numerous computer systems which are limited in numerous computer systems which are limited in memory and processing power memory and processing power
• A Grid is a hardware and software infrastructure that A Grid is a hardware and software infrastructure that clusters and integrates high-end computers, clusters and integrates high-end computers, networks, databases, and scientific instruments from networks, databases, and scientific instruments from multiple sources to form a single virtual system. multiple sources to form a single virtual system.
Security Issues in Cloud Computing• A. Insider and Outsider Threats :• These trusted insiders are employees or contractors of the
organization and are given access to perform their daily duties and it is difficult to restrict their access.
• On the application level the cloud faces threats in the form of Denial of service (DoS) attacks, Distributed Denial of service attacks (DDoS), backdoors, cookie poisoning and also CAPTCHA breaking
• B. Loss of data : • Data loss can occur in many forms such as downtimes, network or
system failures. If a vendor closes down due to legal issues, this might also pose a problem of data loss for the user. Since the amount of data in the cloud is increasing at an exponential rate in the cloud, handling data loss is a major challenge.
• C. Service Disruption and Account C. Service Disruption and Account hijacking hijacking
• Amazons EC2 and RDS services suffered a major outage for Amazons EC2 and RDS services suffered a major outage for four days in 2011 when their data centre in Northern four days in 2011 when their data centre in Northern Virginia was affected. This service disruption affected Virginia was affected. This service disruption affected millions of cloud computing customers millions of cloud computing customers
• D. Abuse and unethical use of D. Abuse and unethical use of cloud computing cloud computing
• Providers with weak registration process give anonymity and Providers with weak registration process give anonymity and are potential targets of abuse. Cloud services are often taken are potential targets of abuse. Cloud services are often taken advantage of to create botnet commands and control and advantage of to create botnet commands and control and host malicious data. host malicious data.
• E. Confidentiality and Privacy E. Confidentiality and Privacy • Privacy concerns exist wherever personal information is Privacy concerns exist wherever personal information is
collected and stored digitally and improper disclosure control collected and stored digitally and improper disclosure control leads to privacy issues. leads to privacy issues.
MITIGATION CONCEPTS MITIGATION CONCEPTS
• A. Insider and Outsider Threats: A. Insider and Outsider Threats: The first step The first step would be to identify any abnormal behaviour that may indicate would be to identify any abnormal behaviour that may indicate malicious attacks and automatically block them. All sensitive data malicious attacks and automatically block them. All sensitive data usage must be monitored and access to private data must be audited. usage must be monitored and access to private data must be audited.
• A careful monitoring of the network can help identify threats like DoS A careful monitoring of the network can help identify threats like DoS or DDoS attack whose symptoms include slowing down of network and or DDoS attack whose symptoms include slowing down of network and request from large number of users.request from large number of users.
• B. Loss of data: B. Loss of data: The key to data loss prevention is a The key to data loss prevention is a content and context aware Data Loss Prevention (DLP) system. A DLP content and context aware Data Loss Prevention (DLP) system. A DLP works by first identifying sensitive information that needs to be works by first identifying sensitive information that needs to be protected and indexes it. It must provide agents to scan for sensitive protected and indexes it. It must provide agents to scan for sensitive data and threats. A DLP must be provided at various levels such as the data and threats. A DLP must be provided at various levels such as the Network layer; storage layer, endpoint DLP and file-level DLPNetwork layer; storage layer, endpoint DLP and file-level DLP
• `̀
• C. Service disruptions and C. Service disruptions and account hijackingaccount hijacking
• Increase in capacity of servers handling requests as Increase in capacity of servers handling requests as majorly service disruptions are caused when an majorly service disruptions are caused when an unexpected amount of request gets targeted at a particular unexpected amount of request gets targeted at a particular
clustercluster. . • D. Abuse and nefarious use: D. Abuse and nefarious use: Stricter Stricter
registration process to check on multiple account creation registration process to check on multiple account creation by single user. Use of CAPTCHAs to make it difficult for by single user. Use of CAPTCHAs to make it difficult for automated account creation automated account creation
• E. Confidentiality and Privacy : E. Confidentiality and Privacy : Maintaining flexibility of identity management and offering Maintaining flexibility of identity management and offering users maximum choice and privacy protection. users maximum choice and privacy protection.
• 2. Ensuring system integrity that indicates whether a 2. Ensuring system integrity that indicates whether a system has a trustworthy executing environment system has a trustworthy executing environment
SECURE CLOUD SECURE CLOUD ARCHITECTURE ARCHITECTURE
• A. Single sign-on and Authentication: A. Single sign-on and Authentication: Single-sign on for all cloud users to Single-sign on for all cloud users to enable users to access multiple enable users to access multiple application and services thus enabling a application and services thus enabling a strong authentication at user level strong authentication at user level
• B. Secure, consistent backups and B. Secure, consistent backups and restoration of cloud-based resources restoration of cloud-based resources
• C. Encryption of critical data C. Encryption of critical data • D. Increased availability: D. Increased availability:
IMPLEMENTATIONIMPLEMENTATION
• The architecture of Eucalyptus [13], which is The architecture of Eucalyptus [13], which is the main component of Ubuntu Enterprise the main component of Ubuntu Enterprise Cloud, has been designed as modular set of Cloud, has been designed as modular set of five simple elements that can be easily five simple elements that can be easily scaled: scaled:
• 1. Cloud Controller (CLC) 1. Cloud Controller (CLC) • 2. Walrus Storage Controller (WS3) 2. Walrus Storage Controller (WS3) • 3. Elastic Block Storage Controller (EBS) 3. Elastic Block Storage Controller (EBS) • 4. Cluster Controller (CC) 4. Cluster Controller (CC)
• 5. Node Controller (NC5. Node Controller (NC) )
IMPLEMENTATIONIMPLEMENTATION
Single Sign OnSingle Sign On• Single sign on was implemented by using a Single sign on was implemented by using a
central authentication server with the central authentication server with the authentication server supplying user authentication server supplying user credentials to the appropriate server, whenever credentials to the appropriate server, whenever a client requests to use an application on a client requests to use an application on another server. This was developed using PHP another server. This was developed using PHP and Javascript [14] which enables a client to and Javascript [14] which enables a client to register on a centralised server and store their register on a centralised server and store their credentials. This authentication proxy server credentials. This authentication proxy server uses an LDAP database to maintain client uses an LDAP database to maintain client credentials of registered users. credentials of registered users.
CONCLUSION/FUTURE SCOPE• The new era of “cloud computing” offers many benefits,
includ-ing lower IT costs and greater flexibility for businesses as well as new and easier ways for individuals to connect, share common interests, and access information.
• This paper presented a complete structure of cloud computing, major security risks and their mitigation and implementation of a secure cloud architecture using which ser-vice provides could offer extensive services to customers with complete security. Single sign-on greatly enhances the usability of the Cloud environment by allowing users to authenticate once to access applications on multiple machines.
• It is essential to know the fact that a single measure cannot completely resolve the security issue, however, with a correct security strategy, multiple layers of security control it is possible to reduce the threat and make the cloud computing era a successful revolution
REFERENCES[1] Farhan Bashir, Shaikh, “Security threats in Cloud Computing” 6th International conference on Internet Technology and Secure Transactions, IEEE 2011 [2] Jianfeng Yang, Zhibin Chen, “Cloud Computing Security issues” 978-1-4244-5392-4/10 2010 IEEE [3] Ian Foster, Yong Zhao, Ioan Raicu, Shiyong Lu. "Cloud Computing and Grid Computing 360-Degree Compared", IEEE Grid Computing Environments (GCE08) 2008, co-located with IEEE/ACM Supercomputing 2008. [4] Alok Tripathy, Abhinav Mishra “Cloud computing security considerations” IEEE, 2011 [5] Rohit Bhadauria, Rituparna Chaki, Nabendu Chaki, Sugata Sanyal: A Survey on Security Issues in Cloud Computing CoRR abs/1109.5388: (2011) [6]Amazon Web services: Official Amazon report: http://aws.amazon.com [7] Rocha F. “The Final Frontier: Confidentiality and Privacy in the Cloud” IEEE Volume:44 Issue:9 Sept. 2011 [8] Sara Qaisar ,Kausar Fiaz Khawaja “Cloud Computing: Network/Security Threats and Countermeasures” Interdisciplinary Journal of Contempory research in business January 2012 Vol.3, No. 9 [9] T. Takebayashi et al.: Data Loss Prevention Technologies FUJITSU Sci. Tech. J., Vol. 46, No. 1 (January 2010) [10] David Q. Liu Shilpashree Srinivasamurthy “Survey on Cloud Computing Security” IEEE-2011 [11] Jeff Naruchitparames and Mehmet Hadi Gunes, “Enhancing Data Privacy and Integrity in the Cloud”. [12] W. Mao, F. Yan, and C. Chen, “Daonity: grid security with behaviour conformity from trusted computing,” in 1st ACM workshop on Scalable trusted computing. ACM, 2006, pp. 43–46. [13] Johnson D, Kiran Murari, Murthy Raju, Suseendran RB, Yogesh Girikumar, ”Eucalyptus Beginner‟s Guide - UEC Edi-tion”, v1.0, 25 May 2010, CSS Corp. Pvt. Ltd. [14] http://techportal.ibuildings.com/2009/03/31/php-and-the-cloud/ [15] Andrew Sudbury, Director, Security Metrics Design & Best Practices, ”Highlights of a Security Scorecard Project”, ClearPoint Metrics.
Thank Thank you!you!