Cloud Computing Challenges and Related Security Issues: Prof. Raj Jain
A Survey Paper
Abstract
The field of cloud computing is still in its infancy as far as implementation and usage are concerned, partly because it is heavily promoted by technology advancement and is so highly resource dependent that researchers in academic institutions have not had many opportunities to analyze and experiment with it. However, cloud computing arises from the IT technicians' desire to add another layer of separation in processing information. At the moment, a general understanding of cloud computing refers to the following concepts: grid computing, utility computing, software as a service, storage in the cloud and virtualization. These refer to a client using a provider's service remotely, also known as in the cloud. Even though there is an ongoing debate on whether those concepts should be separated and dealt with individually, the general consensus is that all those terms can be summarized under the cloud computing umbrella. Given its recent development and the scarcity of published academic work, many discussions on the topic of cloud security have surfaced from engineers in companies that provide the aforementioned services. Nevertheless, academia is developing a significant presence, being able to address numerous issues.
Table of Contents
1. Introduction
2. Current View
   2.1. Innovation
   2.2. Academia and Industry Partnership
   2.3. Cloud Computing Challenges
3. Security Challenges
   3.1 Data Security
   3.2 Cloud Computing Security Issues
   3.3 Security Benefits
4. Secure Architecture Models
   4.1 End Users
   4.2 System Architects
   4.3 Developers
   4.4 Third Party Auditors
   4.5 Overview
5. Conclusion
6. Acronyms
7. References
1. Introduction
http://www.cse.wustl.edu/~jain/cse571-09/ftp/cloud/index.html
5/14/2009 5:44 PM
Cloud computing is not an innovation per se, but a means of constructing IT services that use advanced computational power and improved storage capabilities. The main focus of cloud computing from the provider's view is extraneous hardware connected to support downtime on any device in the network, without a change in the users' perspective. Also, the users' software image should be easily transferable from one cloud to another. Balding proposes that a layering mechanism should occur between the front-end software, middleware networking and back-end servers and storage, so that each part can be designed, implemented, tested and run independently of subsequent layers. [Balding08]
This paper introduces the current state of cloud computing, with its development challenges and academia and industry research efforts. Further, it describes cloud computing security problems and benefits and showcases a model of secure architecture for cloud computing implementation.
2. Current View
Critics argue that cloud computing is not secure enough because data leaves companies' local area networks. It is up to the clients to decide the vendors, depending on how willing they are to implement secure policies and be subject to 3rd party verifications. Salesforce, Amazon and Google are currently providing such services, charging clients using an on-demand policy. [Mills09] references statistics that suggest one third of breaches are due to laptops falling into the wrong hands and about 16% are due to items stolen by employees. Storing the data in the cloud can prevent these issues altogether. Moreover, vendors can update application/OS/middleware security patches faster because of higher availability of staff and resources. According to cloud vendors, most thefts occur when users with authorized access do not handle data appropriately. Upon a logout from the cloud session, the browser may be configured to delete data automatically, and log files on the vendor side indicate which user accessed what data. This approach may be deemed safer than storing data on the client side.
There are some applications for which cloud computing is the best option. One example is the New York Times using Amazon's cloud service to generate PDF documents of several-decade-old articles. The estimated time for doing the task on the Times' servers was 14 years, whereas the cloud provided the answer in one day for a couple hundred dollars. [Weinberg08] However, the profile of the companies that currently use the cloud technology includes Web 2.0 start-ups that want to minimize material cost, application developers that want to enable their software as a service, or enterprises that are exploring the cloud with trivial applications.
The fact that cloud computing is not used to its full potential is due to a variety of concerns. The following surveys the market in terms of continuous innovation, academia and industry research efforts and cloud computing challenges.
2.1 Innovation
Nevertheless, there are numerous ways in which cloud computing can expand on the issue of security. For example, QualysGuard is a compilation of products that are used to discover network weaknesses. It is used by over 200 companies in the Forbes Global 2000, so it has acquired significant acceptance in the marketplace. QualysGuard's main idea is to place an appliance behind the firewall that would monitor various security issues. The box encrypts all its data and has no access to client stored data; however, it does contain a back porch by allowing a certain IP address and admin to modify scripts and credentials. In this fashion, it proposes a new type of security to the cloud, so that whenever an attack is made on a certain service, it may be monitored by a 3rd party and cut off before it disrupts proper access or attempts to falsely validate itself to the cloud.
new ways of improving computing and storage costs across various cloud platforms and integrate communication standards among different providers. This is a relatively new group formed in mid-2008, which confirms the novelty of the field. The OCC has undertaken the following goals:
- development of standards for cloud computing and frameworks for interoperating between clouds
- develop benchmarks for cloud computing
- support reference implementations for cloud computing, preferably open source reference implementations
- manage a test bed for cloud computing - the Open Cloud Testbed
- sponsor workshops and other events related to cloud computing
Figure 1. OCC Network Topology
The architecture in fig. 1 shows the OCC network and the connection among server racks at University of Illinois at Chicago, StarLight in Chicago, Calit2 in La Jolla and Johns Hopkins University in Baltimore to the switches, routers and wide area routers in between. Using the aforementioned architecture, the OCC has worked towards implementing high traffic flow design and protocols among several locations. [OCC08]
- Linearly scalable - cloud should handle an increase in data processing linearly; if "n" times more users need a resource, the time to complete the request with "n" more resources should be roughly the same.
- Data management - distribution, partitioning, security and synchronization of data.
3. Security Challenges
Start-up companies often lack the protection measures to weather an attack on their servers due to the scarcity of resources: poor programming that exposes software vulnerabilities (PHP, JavaScript, etc.), open ports in firewalls, or nonexistent load-balancing algorithms that leave them susceptible to denial of service attacks. For this reason, new companies are encouraged to pursue cloud computing as the alternative to supporting their own hardware backbone. However, cloud computing does not come without its pitfalls. For starters, a cloud is a single point of failure for multiple resources. Even though network carriers such as AT&T believe a distributed cloud structure is the right implementation, it faces major challenges in finding the optimal approach for low power transmission and high network availability [Croll08]; some people believe that major corporations will shy away from implementing cloud solutions in the near future due to ineffective security policies. One problem comes from the fact that different cloud providers have different ways to store data, so creating a distributed cloud implies more challenges to be solved between vendors.
[Gartner08] identified seven issues that need to be addressed before enterprises consider switching to the cloud computing model. They are as follows:
- privileged user access - information transmitted from the client through the Internet poses a certain degree of risk, because of issues of data ownership; enterprises should spend time getting to know their providers and their regulations as much as possible before assigning some trivial applications first to test the water
- regulatory compliance - clients are accountable for the security of their solution, as they can choose between providers that allow themselves to be audited by 3rd party organizations that check levels of security and providers that don't
- data location - depending on contracts, some clients might never know in what country or what jurisdiction their data is located
- data segregation - encrypted information from multiple companies may be stored on the same hard disk, so a mechanism to separate data should be deployed by the provider
- recovery - every provider should have a disaster recovery protocol to protect user data
- investigative support - if a client suspects faulty activity from the provider, it may not have many legal ways to pursue an investigation
- long-term viability - refers to the ability to retract a contract and all data if the current provider is bought out by another firm
Given that not all of the above need to be improved depending on the application at hand, it is still paramount that consensus is reached on the issues regarding standardization.
Improvement of Secure Software refers to several aspects in the development lifecycle of a product. Initially, a company that is thinking of placing its application in the cloud knows that the costs of running the application are directly proportional to the number of processing cycles, thus creating an incentive for an optimal implementation. Secondly, it becomes easier to monitor the effects of various security policies implemented in the software, without the overhead of traditionally switching environments from development to production or to testing. Creating a new environment simply means creating a clone of the extant one. Thirdly, software runs behind an architecture that is built for secure transactions at the physical, data link, network and transport layers, making it easier to design the application without the outspoken need of a security software engineer. Moreover, some cloud providers may use code scanning to detect vulnerabilities in the application code. [Balding08]
information or shut down a service. For this reason, the cloud should include denial of service (DOS) protection. One way of enforcing DOS protection is by improving the infrastructure with more bandwidth and better computational power, which the cloud has abundantly. However, in the more traditional sense, it involves filtering certain packets that have similar IP source addresses or server requests. The next issue concerning the cloud provider to end users is transmission integrity. One way of implementing integrity is by using secure socket layer (SSL) or transport layer security (TLS) to ensure that the sessions are not being altered by a man-in-the-middle attack. At a lower level, the network can be made secure by the use of secure internet protocol (IPsec). Lastly, the final middle point between end users and the cloud is transmission confidentiality, or the guarantee that no one is listening in on the conversation between authenticated users and the cloud. The same mechanisms mentioned above can also guarantee confidentiality.
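The source-address filtering described above can be sketched as a sliding-window limiter that buckets requests by network prefix, so that neighbouring addresses count against one shared budget. This is an added example, not code from the paper; the class name, the /24 and /64 bucket sizes, the limit and the sample traffic are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque


class PrefixRateFilter:
    """Sliding-window request limiter keyed by source network prefix."""

    def __init__(self, limit, window_s, v4_prefix=24, v6_prefix=64):
        self.limit = limit                    # accepted requests per window
        self.window_s = window_s              # window length in seconds
        self.prefix_len = {4: v4_prefix, 6: v6_prefix}  # assumed bucket sizes
        self.seen = defaultdict(deque)        # prefix -> accepted timestamps

    def prefix_of(self, src):
        """Collapse an address to its covering prefix so neighbours share a bucket."""
        ip = ipaddress.ip_address(src)
        plen = self.prefix_len[ip.version]
        return ipaddress.ip_network(f"{ip}/{plen}", strict=False)

    def allow(self, src, ts):
        """Return True if the request is accepted, False if it should be dropped."""
        bucket = self.seen[self.prefix_of(src)]
        while bucket and ts - bucket[0] >= self.window_s:
            bucket.popleft()                  # forget requests older than the window
        if len(bucket) >= self.limit:
            return False                      # prefix has used up its budget
        bucket.append(ts)
        return True


# Constructed sample traffic (documentation address ranges only):
# eight hosts in 198.51.100.0/24 send within one second, one ordinary
# client in 192.0.2.0/24 sends twice, and the busy prefix sends again
# after the window has expired.
SAMPLE_EVENTS = sorted(
    [(i / 10, f"198.51.100.{i + 1}") for i in range(8)]
    + [(0.25, "192.0.2.10"), (0.9, "192.0.2.10"), (12.0, "198.51.100.9")]
)


def run_sample(limit=5, window_s=10):
    """Replay SAMPLE_EVENTS; return (accepted count, drops per prefix)."""
    flt = PrefixRateFilter(limit, window_s)
    accepted, dropped = 0, defaultdict(int)
    for ts, src in SAMPLE_EVENTS:
        if flt.allow(src, ts):
            accepted += 1
        else:
            dropped[str(flt.prefix_of(src))] += 1
    return accepted, dict(dropped)


if __name__ == "__main__":
    print(run_sample())
```

Keying on the prefix rather than the single address is what catches a burst spread across many hosts in one network; the cost is that legitimate clients behind the same prefix share the budget.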
4.3 Developers
Developers building an application in the cloud need to access the infrastructure where the development environment is located. They also need to access some configuration server that allows them to test applications from various views. Cloud computing can improve software development by scaling the software environment through elasticity of resources. For example, one developer can get extra disk space as an on-demand resource, instead of placing a work order and waiting several days for the permission. Developers may desire extra virtual machines to either generate test data or to perform data analysis, processes which take significant time. Also, using more processing power from the cloud can help in catching up with the development schedule. The cloud also helps developers create multiple evaluation-version environments for their applications, bypassing the need to incorporate additional security within the application and placing the burden on the cloud provider. One significant drawback of cloud computing at the moment is its limitation to the Intel x86 processor architecture. Even if this may very well change in the future, it is another stumbling block that developers and cloud computing experts need to overcome. Software monitoring may be done by monitoring API calls for server requests. With an architectural model where data is centralized, all eyes are focused in one direction, which implies better monitoring, although ultimately the issue rests with the developers/clients on how much effort will be directed in this regard. As far as security patches for the software as a service approach are concerned, applying a patch is easier done in the cloud and shared with everyone seamlessly, rather than finding every machine that has the software installed locally.
4.5 Overview
The cloud is the resource that incorporates routers, firewalls, gateway, proxy and storage servers. The interaction among these entities needs to occur in a secure fashion. For this reason, the cloud, just like any data center, implements a boundary protection also known as the demilitarized zone (DMZ). The most sensitive information is stored behind the DMZ. Other policies that run in the cloud are resource priority and application partitioning. Resource priority allows processes or hardware requests in a higher priority queue to be serviced first. Application partitioning refers to the usage of one server or storage device for various clients that may have data encrypted differently. The cloud should have policies that divide the users' view of one application from the backend information storage. This may be solved by using virtualization, multiple processors or network adaptors. [OSA09]
5. Conclusion
Cloud computing is still struggling in its infancy, with positive and negative comments made on its possible implementation for a large-sized enterprise. IT technicians are spearheading the challenge, while academia is a bit slower to react. Several groups have recently been formed, such as the Cloud Security Alliance or the Open Cloud Consortium, with the goal of exploring the possibilities offered by cloud computing and establishing a common language among different providers. In this boiling pot, cloud computing is facing several issues in gaining recognition for its merits. Its security deficiencies and benefits need to be carefully weighed before making a decision to implement it. However, the future looks less cloudy as more people are attracted by the topic and pursue research to improve on its drawbacks.
6. Acronyms
OCC - Open Cloud Consortium
IP - Internet Protocol
SLA - Service Level Agreement(s)
PHP - PHP Hypertext Preprocessor
API - Application Programming Interface
DHCP - Dynamic Host Configuration Protocol
FTP - File Transfer Protocol
MAC - Media Access Control
OSA - Open Secure Architecture
DOS - Denial of Service
SSL - Secure Socket Layer
TLS - Transport Layer Security
LAN - Local Area Network
IPsec - Secure Internet Protocol
DMZ - Demilitarized Zone
7. References
[Balding08] Craig Balding, "ITG2008 World Cloud Computing Summit", 2008 http://cloudsecurity.org/
[Croll08] Alistair Croll, "Why Cloud Computing Needs Security", 2008 http://gigaom.com/2008/06/10/the-amazon-outage-fortresses-in-the-clouds/
[Erickson08] Jonathan Erickson, "Best Practices for Protecting Data in the Cloud", 2008 http://www.ddj.com/security/210602698
[Brodkin08] Jon Brodkin, "Seven Cloud-Computing Security Risks", 2008 http://www.networkworld.com/news/2008/070208-cloud.html
[Mills09] Elinor Mills, "Cloud Computing Security Forecast: Clear Skies", 2009 http://news.zdnet.com/2100-9595_22-264312.html
[Perry08] Geva Perry, "How Cloud & Utility Computing Are Different", 2008 http://gigaom.com/2008/02/28/how-cloud-utility-computing-are-different/
[Weinberg08] Neil Weinberg, "Cloudy picture for cloud computing", 2008 http://www.networkworld.com/news/2008/043008-interop-cloud-computing.html?ap1=rcb
[Schwartz08] Ephraim Schwartz, "Hybrid model brings security to the cloud", 2008 http://www.infoworld.com/d/cloud-computing/hybrid-model-brings-security-cloud-364
[OCC08] The Open Cloud Consortium, 2008 http://www.opencloudconsortium.org/index.html
[OSA09] Open Security Architecture, 2009 http://www.opensecurityarchitecture.org/cms/
[Jager08] Paul Jaeger, Jimmy Lin, Justin Grimes, "Cloud Computing and Information Policy", March 2008
[Rittinghouse09] John Rittinghouse, "Cloud Computing: Implementation, Management, and Security", 2009
[Armrust09] Michael Armbrust, Armando Fox, ... , "Above the Clouds: A Berkeley View of Cloud Computing", February 10, 2009
[Reese09] George Reese, "Cloud Application Architectures", April 2009, O'Reilly Media
[Miller08] Michael Miller, "Cloud Computing: Web-Based Applications That Change the Way You Work and Collaborate Online", August 2008
[Lamb09] John Lamb, "The Greening of IT: How Companies Can Make a Difference for the Environment", April 2009, IBM Press
[Gu08] Yunhong Gu, Robert L. Grossman, "Sector and Sphere: The Design and Implementation of a High Performance Data Cloud", UK, 2008.
Last Modified: April 30, 2009
This and other papers on latest advances in network security are available online at http://www.cse.wustl.edu/~jain/cse571-09/index.html