Monday, November 30, 2009

Secutiry Implications of Cloud Computing




Narendran Calluru Rajasekar

November 30th, 2009


Supervised by

Dr Chris Imafidon

(formerly Queen Mary University of London)


UEL Logo

MSC Internet Systems Engineering

University of East London,




Oxford Univ Logo

Anne-Marie Imafidon

University of Oxford.


Table of Contents


1 Abstract

2 Cloud Computing

2.1 Definition

2.2 Understanding Cloud Computing

3 Security Implications

3.1 Security Components

3.1.1 Encryption

3.1.2 Intrusion Detection/Prevention Systems

3.1.3 Antivirus

3.1. 4Firewall

3.2 Security Threat

3.3 Authentication and Access

3.4 Data Security

3.5 Tempting Target for Cybercrime

3.6 Benefit to Risk Ratio

3.7 Legal Issues

4 Conclusion

5 Appendix - Glossary

6 References



1 Abstract

This paper is focussed on the security implications of cloud computing. Before analysing the security implications, the definition of cloud computing and brief discussion to under cloud computing is presented. The actual analysis of this paper focuses on the basic security components of cloud computing and security threats involved in various aspects of cloud computing.

There are many leading providers in the market like Google, Amazon, Microsoft, HP and IBM. They provide different services and call it with their own names. What exactly is cloud computing? It isn't new; it already exists in different forms such as Virtualisation, Software as a Service, Utility Computing etc. The major aspect in cloud computing is that it is exploited based on the pay per usage charging model.

Though cloud provides many benefits one of which is moving the capital expense to operational expense, the security and legal issues are very high and an organisation can decide to adopt cloud only on based on benefits to risk ratio.

The security implications in cloud computing is discussed in detail in this paper.


Keywords: Cloud Computing, Cloud Security, Cloud Legal Issues, Security Implications


^table of contents^


2 Cloud Computing

2.1 Definition

Cloud computing is an evolving technology and has no concrete definition for it yet. The cloud service providers provide different services based on different capabilities such as SaaS (Software as a Service), PaaS (Platform as a Service), IaaS (Infrastructure as a Service). After analysing definitions from 20 different authors, Vaquero, L., L. Rodero-Merino, et al. (2008) proposed the following definition for cloud computing.

"Clouds are a large pool of easily usable and accessible virtualized resources (such as hardware, development platforms and/or services). These resources can be dynamically reconfigured to adjust to a variable load (scale), allowing also for an optimum resource utilization. This pool of resources is typically exploited by a pay-per-use model in which guarantees are offered by the Infrastructure Provider by means of customized SLA"

- Vaquero, L., L. Rodero-Merino, et al. (2008)

2.2Understanding Cloud Computing

According to Dikaiakos, M., D. Katsaros, et al. (2009), vision of 21st century is accessing Internet services from light weight portable devices, instead of accessing it from a traditional Desktop PC. Cloud computing is a technology which will facilitate companies or organisation to host their services without worrying about IT infrastructure and other supporting services.

The cloud concept draws on the existing technologies which aren't new such as Centralised Computing, Distributed Computing, Utility Computing, SaaS. It is new in the way it integrates all the above and shifts them from a processing unit to a network (Weiss, A., 2007).

The cloud computing facilitates a starting company by moving Capital Expense to Operational Expense (Computing, D. and M. Creeger, 2009). Amazon (EC2, S3), Microsoft Azure, IBM Blue Cloud, HP Cloud Assure are some of the cloud computing services available in the market Kaufman, L. M. (2009).

Organisations can decide upon their operating model either by running their own private cloud or buy it from 3rd party service providers based on their requirements (Grossman, R., 2009). The private cloud is similar to public cloud but it has its own security and compliance needs hosted for and by their own (Rash, W., 2009).

Cloud computing provides extensive computing power for web services but is not mature enough to perform HPC (High Performance Computing). Napper, J. and P. Bientinesi (2009) experimentally shown that the execution speed per dollar spent decreased exponentially with increase computing cores and hence the cost of solving linear systems increased exponentially. Which means cloud computing is in its evolving stage.


^table of contents^


3 Security Implications

Sloan, K. (2009) has explored and demystified the technologies involved in cloud computing in which he discusses about the challenges posed in security of cloud computing. According to him, security components could be added to the security layer and be delivered as Security as a Service. Figure 1 shows the security architecture of cloud computing.

Cloud Computing Security Architecture

Figure 1: Cloud Computing Security Architecture (Source: Sloan, K., 2009)

To ensure CIA (Confidentiality, Integrity and Availability) of the information, the service provider should offer tested encryption schema, stringent access controls and scheduled data backups (Kaufman, L. M., 2009).

There are many clouds available in the market and the enterprises will start using different clouds for different operations. Eventually there will be a situation where the cloud integration services would be required which again would require a different approach of security implications (Kim, W., 2009). Also there is no single regulatory organisation which regulates the standards for cloud security. Organisation needs to check where the assurance comes from? (Everett, C., 2009).

Although, the basic security components have been identified, the security requirement varies with respect to the domain and business needs. Cloud Security Alliance (2009, April) has identified 15 different domains in cloud computing as shown in the figure 2.

Different domains in cloud computing security

Figure 2: Different domains in cloud computing security Source: Cloud Security Alliance (2009, April)

Since the area is vast and there is no standards clearly defined, cloud security clearly lags and business needs to understand the dangers and weigh them against the benefits (Greene, T., 2009).

For instance, the database service provided by Amazon S3 doesn't support flexible authorisation and granular security (Brantner, M., D. Florescu, et al., 2008).

3.1 Security Components

3.1.1 Encryption

To guarantee the privacy of information hosted on servers in cloud, the information could be encrypted which can only be decrypted at the client level with a key. Again this is only reliable if the data can be quickly decrypted at the client level as it might need high processing power. The multi-core processors which are evolving will make this possible and provide greater integration of information (Hewitt, C., 2008).

A researcher at IBM has cracked a problem with "homomorphic encryption" which is believed boost cloud computing by enabling service providers to analyse the data without actually compromising them (Saran, C., 2009).

In reality, even the leading service providers don't deliver high level of security. For instance, Google services can be used using both http and https. Though by default the service runs using https which is SSL encrypted, it sometime drops back to http which in unencrypted. This will allow attackers to monitor the network traffic and capture the credentials of a specific user (news article: Computer Fraud & Security, 2009). Also when uploading email attachments, Google doesn't use https by default, although the settings could be change to use https always (Herrick, D., 2009).

3.1.2 Intrusion Detection/Prevention Systems

Providing security for cloud computing requires more than authentication using passwords and confidentiality in data transmission. Vieira, K., A. Schulter, et al. (2009) have proposed a solution for intrusion detection in cloud computing. The solution consists of two kinds of analysis behavioural analysis and knowledge analysis. In behavioural analysis, the data mining techniques were used to recognize expected behaviour or a sever deviation of behaviour and in knowledge analysis security policy violations and attack patterns were analysed to detect or prevent intrusion.

3.1.3 Antivirus

Antivirus scanning can be done on the cloud to reduce the risk of malicious activities. It is an expensive operation and doing it once ahead of time for benefit of many could be advantageous, and with the power of cloud more anti-virus engines can be employed to make more efficient. The challenge here is bridging the gap between the threat release and the virus signature release (Walsh, P. J., 2009). Although antivirus scanning is an expensive operation, it should be repeated with the release of new virus signatures.

3.1.4 Firewall

Firewalls could be implemented as a virtual machine image running in its own processing compartment or at the hardware level at each gateway in "out of band" firewall management channels (Sloan, K., 2009).

3.2 Security Threat

The communication between cloud services and consumers can be secured using SSL. Since the technology is too familiar, users usually ignore the warning which can be exploited by attackers. Google has demonstrated such type of exploitation in cloud based services. On the other hand, a flaw in indexing system design of Zoho has resulted in security vulnerability where one user can read others documents. Also there are other XSS and CSRF attacks which were successful on cloud which makes it vulnerable to attacks (Mansfield-Devine, S., 2008).

In SaaS model, the developer should always assume that intruders have full access to the client as anyone including intruders can buy the software. Though they are not supplied with source code, they still have access to binaries using which they can exploit the vulnerabilities. Hence there should always be a verification mechanism to verify client requests before execution (Viega, J., 2009).

3.3 Authentication and Access

There are different authentication mechanisms for different services. The most commonly used mechanisms are Open Id, Open Auth, and User Request Token. The Open Id and Open Auth mechanism is usually used in mobile devises where the authentication information cannot be stored, or have it firewalled as done in regular PC. Yahoo and Google use User Request Token mechanism for authentication where as Amazon AWS uses a custom mechanism which mirrors the Open Id and Open Auth mechanisms and in addition to it, the calling program signs the outbound header elements using HMAC-SHA1 algorithm (Christensen, J., 2009).

2FA (Two Factor Authentication) is one other authentication mechanism which requires two identities or proof which user knows (PIN or Password) / has (Hardware Token, Mobile Phone, Smartcard). Though this mechanism is more secure than the other type of authentication, handling tokens or smartcards could be a burden to users. In this scenario, mobile phones or smart phones can act as a proof if software which generates tokens similar to hardware tokens is installed on it (Abraham, D., 2009).

3.4 Data Security

The organisations using cloud computing should maintain their own data backups even if the providers backs up data for the organisation. This will help continuous access to their data even at the extreme situations such as data providers going bankruptcy or disaster at data center etc (Viega, J., 2009).

Mowbray, M. and S. Pearson (2009) has proposed a client based privacy manager to eliminate the fear of data leakage and loss of privacy in cloud computing. In the paper, they have presented a scenario of which can undergo a security threat; theft of sales data and various ways that an intruder can gain knowledge based on the un-encrypted data. The threats include the collection of personal information and getting inappropriate access to the information. Based on this scenario a set of requirements was derived which include the minimization of personal and sensitive data used in cloud and maximising security protection of data. Finally the overall architecture for client-based privacy data manager has been depicted.

On the other hand, Wang, C., Q. Wang, et al. (2009) says that the model in which public verifiability is enforced can be used where the third party auditor audits the data without intervening with user's time to ensure the data security.

3.5 Tempting Target for Cybercrime

Internet is always a ground of attack for malicious activities. The cloud computing offers a tempting target for cybercrime for various reasons. To maintain data integrity, many providers require 100% of customer's data to be placed in cloud which means that if compromised 100% of data is available to attackers. Leading providers such as Google and Amazon have existing infrastructure to deflect cyber attacks, but this might not be the case with all providers. The cloud architecture is such that it has interlinks with multiple entities and compromise with any one of the weakest links would compromise all the linked entities (Kaufman, L. M., 2009).

The cloud community watching services analyses the cloud activities constantly to detect and prevent newly injected viruses and malicious activities. Active participation of many organisations in this community will help them to curb the malicious activities more effectively (Hawthorn, N., 2009).

3.6 Benefit to Risk Ratio

Viega, J. (2009) presents a scenario of software industry where developers would not have much control over IT Infrastructure. In this scenario, IaaS would be beneficial where the communication between the cloud and local machine is encrypted so that man in middle cannot intercept the traffic. This would be a huge cost saving for the company.

As discussed in section 3.2, in SaaS model the attackers have very less information i.e., the binaries of the software which is quite justifiable to have modest application security program. The cost-effective reality for many organisations is to hire someone to do cheap security testing and skip the cost of training developers on security best practices and review their work (Viega, J., 2009).

3.7 Legal Issues

IT industry's recent focus is on cloud computing due to the 'credit crunch' and a global recession. The key legal issues in cloud with respect to sourcing arrangements are DPA (Data Protection Act 1998), duties of confidentiality and database right. For instance, in the method of storing large volume of data in cloud, the servers could spread across the world. It is debatable whether the informed consent can actually be given in this vague situation. Similarly there are intricacies over confidentiality and database rights as well (Joint, A., E. Baker, et al., 2009).

It is perfectly possible to use cloud-computing in UK in a legal compliant and low risk manner. This would require alteration in operating model which could erode the benefits of cloud computing if not considered in early stages and if contractual or operational management is not properly adopted, there could be significant increase of operational risk (Joint, A., E. Baker, et al., 2009).

A news article published by Computer Fraud & Security (August, 2009) indicates that the data might be subject to search and seizure by government agencies if not specific contracts are made between the service providers. When Google was asked how this situation would be handled, they said that their customers would be notified about any legal order it receives. Hence it is up to the customers to get specific agreements from the service providers.


^table of contents^


4 Conclusion

The definition of cloud computing is emerging as the various organisations that are developing cloud services are evolving. It is evident that the cloud computing by itself is in evolving stage and hence the security implications in it aren't complete. Even the leading cloud computing providers such as Amazon, Google etc are facing many security issues and are yet to stabilise. Achieving complete solution for legal issues is still a question. With this level of issues in cloud computing, decision to adopt cloud computing in an organisation could be made only based on the benefits to risk ratio.

There is a general assumption at the basic level of all security mechanisms that brute force attack would take considerable time to break it. Considering the power of cloud computing with distributed technology can bring to the computing power, breaking the keys used currently is not far from now! This is a flaw in the low level assumption which could collapse entire security of cloud.


^table of contents^


5 Appendix - Glossary

Term Definition
2FA Two Factor Authentication
CIA Confidentiality, Integrity and Availability
CRSF Cross Site Request Forgery
DPA Data Protection Act 1998
HMAC Hash based Message Authentication Code
HPC High Performance Computing
HTTP Hyper Text Transfer Protocol
HTTPS Secure Hyper Text Transfer Protocol
IaaS Infrastructure as a Service
PaaS Platform as a Service
SaaS Software as a Service
SHA1 Secure Hash Algorithm
SSL Secure Socket Layer
XSS Cross Site Scripting


^table of contents^


6 References

[1] Kaufman, L. M. (2009)."Data Security in the World of Cloud Computing." IEEE Security andPrivacy 7(4): 61-64.

[2] Kim, W. (2009). "Cloud Computing: Today and Tomorrow."Journal of object technology 8(1): 65-72.

[3] Grossman, R. (2009). "The Case for Cloud Computing." ITPROFESSIONAL 11(2): 23-27.

[4] Rash, W. (2009). Is cloud computing secure? Prove it. tech in-depth,eWeek. 2009: 8-10.

[5] Computing, D. and M. Creeger (2009). "Cloud Computing: AnOverview." Distributed Computing 7(5).

[6] Weiss, A. (2007). "Computing in the clouds." COMPUTING 16.

[7] Saran, C. (2009). Cryptography breakthrough could secure cloudservices. Computer Weekly. 2009: 20.

[8] Hawthorn, N. (2009). "Finding security in the cloud."Computer Fraud & Security 2009(10): 19-20.

[9] Everett, C. (2009). "Cloud computing - A question oftrust." Computer Fraud & Security 2009(6): 5-7.

[10] (2009). "Data in the cloud might be seized by governmentagencies without you knowing." Computer Fraud & Security 2009(8): 1.

[11] (2009). "Industry to Google: encrypt your cloud." ComputerFraud & Security 2009(6): 3-20.

[12] Hewitt, C. (2008). "ORGsfor scalable, robust, privacy-friendly client cloud computing." IEEEInternet Computing 12(5): 96-99.

[13] Viega, J. (2009). "Cloud Computing and the Common Man."Computer 42(8): 106-108.

[14] Vaquero, L., L. Rodero-Merino, et al. (2008). "A break in theclouds: towards a cloud definition." ACM SIGCOMM Computer CommunicationReview 39(1): 50-55.

[15] Wang, C., Q. Wang, et al. (2009). Ensuring data storage security incloud computing.

[16] Vieira, K., A. Schulter, et al. (2009). "Intrusion DetectionTechniques in Grid and Cloud Computing Environment."

[17] Napper, J. and P. Bientinesi (2009). Can cloud computing reach thetop500?, ACM New York, NY, USA.

[18] Mowbray, M. and S. Pearson (2009). A client-based privacy managerfor cloud computing, ACM.

[19] Herrick, D. (2009). Google this!: using Google apps forcollaboration and productivity, ACM.

[20] de Assunao, M., A. di Costanzo, et al. (2009). Evaluating thecost-benefit of using cloud computing to extend the capacity of clusters, ACMNew York, NY, USA.

[21] Cloud_Security_Alliance (2009, April). "Security Guidance forCritical Areas of Focus in Cloud Computing." Retrieved Nov 25, 2009, from

[22] Christensen, J. (2009). Using RESTful web-services and cloud computingto create next generation mobile applications, ACM.

[23] Dikaiakos, M., D. Katsaros, etal. (2009). "Cloud Computing: Distributed Internet Computing for IT andScientific Research." IEEE Internet Computing 13(5): 10-13.

[24] Brantner, M., D. Florescu, et al. (2008). Building a database on S3,ACM.

[25] Greene, T. (2009). "Cloudsecurity fears cast shadow at RSA." Network World 26(16).

[26] Joint, A., E. Baker, et al.(2009). "Hey, you, get off of that cloud?" Computer Law and SecurityReview: The International Journal of Technology and Practice 25(3): 270-274.

[27] Walsh, P. J. (2009). "Thebrightening future of cloud security." Network Security 2009(10): 7-10.

[28] Sloan, K. (2009)."Security in a virtualised world." Network Security 2009(8): 15-18.

[29] Mansfield-Devine, S. (2008)."Danger in the clouds." Network Security 2008(12): 9-11.

[30] Abraham, D. (2009). "Why2FA in the cloud?" Network Security 2009(9): 4-5.


^table of contents^


No comments:

Post a Comment