Table of Contents
- Cloud Computing: A Brief Description
- Need for Privacy and Security in Cloud Computing
- The Privacy and Security Issues in Cloud Computing
- Case study 1: Account Hacking
- Case Study 2: Malware Injection
- Cloud Service Offering Types and Security Concerns
- Application Security Concerns
- Multi-Tenancy Security Concerns
- Data Security Concerns
- Accessibility Security Concerns
- Third-Party Relationships Security Concerns
- Virtualization Security Concerns
- Confidentiality Security Concerns
- Lack of Standardization Security Concerns
- Proposed Solutions
Cloud computing has been in the spotlight for the last five years or so because of its potential to transform the computing industry. The development has attracted numerous companies with the benefits it offers. It has changed the way information technology (IT) is managed and consumed by promising accelerated innovation, cost efficiencies, the ability to scale software applications on demand, and faster time-to-market. According to Georgescu and Suicimezov (2013), there is clear evidence of a paradigm shift towards cloud computing, and its benefits are substantial.
However, as cloud computing continues to develop rapidly both in practice and conceptually, economic, legal/contractual, interoperability, and service quality issues, as well as privacy and security issues, continue to pose significant challenges. In this study, safety and privacy concerns brought about by cloud computing are analyzed. The paper also offers some solutions that can be used to mitigate these problems. It is argued that cloud computing security issues include data and privacy concerns, as well as infected applications.
The study also claims that information leakage, denial of service, customer data manipulation, account hijacking, data scavenging, insecure VM migration, malicious VM creation, and VM escape are the major threats that cause security concerns for cloud computing. Some of the offered solutions include data encryption, fragmentation-redundancy-scattering, progressive credentials, digital signatures, and HyperSafe.
Cloud Computing: A Brief Description
According to Kamal and Kaur (2011), cloud computing refers to a model that enables convenient, on-demand network access to a shared pool of configurable computing resources. Computing resources include servers, storage, applications, services, and networks; they can be rapidly provisioned or released with minimal management effort or service provider interaction. Cloud computing involves applications distributed as a service over the Internet, as well as the software and hardware systems in the data centers that provide those services.
The technology has four major cloud delivery models: private cloud, public cloud, community cloud, and hybrid cloud. Private cloud involves cloud computing delivery when the cloud services are provided solely by an organization of the cloud service providers. Public cloud stands for cloud services available to the public but owned by an organization that sells the services. An example is the Amazon cloud service. Community cloud refers to cloud services under the ownership of several organizations that are launched with the aim of supporting a particular community of mutual concern.
Examples of such mutual concerns include mission, policy, security requirements, and compliance considerations. The services may be managed by a third party and may also exist off-site. The G-cloud, or government cloud, is another example of a community cloud (Munir, Al-Mutairi, & Mohammed, 2015). In the case of the G-cloud, the cloud services may be provided by one or more government agencies. Hybrid cloud involves a composition of several cloud computing infrastructures, such as public and private cloud.
There are five major characteristics of cloud computing that differentiate it from traditional computing services. These characteristics are resource democratization, abstraction of infrastructure, elasticity/dynamism, a utility model of allocation and consumption, and service-oriented architecture.
Need for Privacy and Security in Cloud Computing
The cloud environment brings more complexity than the traditional data center, as it involves a merger of a variety of technologies, such as distributed and grid computing, that use the Internet as a service delivery network. Under the cloud computing paradigm, organizations surrender direct control over security. Cloud service providers handle most of the security issues for organizations that use cloud computing. The use of virtual environments is a common practice in the technology.
Virtual machines have vulnerabilities that pose direct threats to the security and privacy of cloud services. The real-time migration of data over the Internet is one of the factors that cripple the use of cloud services. Trusting cloud service providers with data privacy and security is also an obstacle. Other factors include vulnerabilities in the network and in the APIs exposed to users, as well as regulations on the export of encryption.
The Privacy and Security Issues in Cloud Computing
There are numerous privacy and security issues in cloud computing because it encompasses several technologies such as networks, operating systems, resource scheduling, databases, virtualization, load balancing, transaction management, memory management, and concurrency control. Therefore, security issues that involve the administration of the elements mentioned above are also applicable in cloud computing.
For example, Modi, Patel, Borisaniya, Patel, and Rajarajan (2013) suggest that the virtualization paradigm has caused several security issues in cloud computing. The data security involves the encryption of data and appropriate policies used in data sharing. The use of data mining approaches is helpful in detecting malware in cloud computing. Data mining has been used intensively in the intrusion detection systems.
Case study 1: Account Hacking
In July 2012, UGNazi, a hacker group, used AT&T's voicemail system and a major flaw in Google's password recovery process to access the personal Gmail account of Cloudflare's CEO. The hacker group made AT&T's system redirect the CEO's emails to a fraudulent voicemail box. The hacking group then initiated the account recovery feature for his personal email address. The group then recorded a voicemail message on the CEO's compromised voicemail such that it sounded as if someone was answering a call (Barron, Yu, & Zhan, 2013).
When Google made a call to the CEO, the latter did not recognize the number and left it to go to voicemail. In addition, the hackers hacked the CEO's Gmail and added his account to the account recovery control. When the victim received an email that his password was changed, he immediately reset the password. However, the reset notified the hacker of the change, and he immediately reset his account. In the end, the hackers prevented the CEO from accessing his Gmail account at all. A team from Cloudflare was notified to come and investigate the hacking issue.
Case Study 2: Malware Injection
In May 2009, the U.S. Treasury Department, after discovering that malicious code had been added to its parent website, moved four of the agency's public websites offline. The third-party cloud service provider was a victim of an intrusion attack that affected numerous websites. Roger Thompson, Anti-Virus Guard Technologies CEO, found that the affected pages had malicious code injected. The code was very tiny and undetectable, and it redirected visitors to a Ukrainian website. The HTML element used was the inline frame (iframe).
Cloud Service Offering Types and Security Concerns
There are three basic cloud service offering types: software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). SaaS offers the option of renting software as a service rather than installing or running it on the user's computer. The major security issue with SaaS is the fact that different devices can access software applications through the client-server interface, for example, the Internet web browser. The burden of the computing security lies mostly with the cloud service provider.
The main reason for it is that there is a high degree of abstraction. Munir, Al-Mutairi, and Mohammed (2015) demonstrate that the SaaS model is based on a high level of the integrated functionality where the customers have minimal control or extensibility; thus, it is a great source of the security concern. The following sub-sections highlight the security issues with the SaaS layer of cloud computing.
Application Security Concerns
Cloud applications are delivered typically through the Internet via web browsers. However, faults in the web applications may lead to vulnerabilities for SaaS applications. Modi et al. (2013) assert that attackers have always been using the web with the aim to compromise computers of users and thereby perform malicious activities, including stealing of sensitive data. Although security challenges affecting SaaS may be similar to the ones associated with traditional web applications, the traditional solutions to security problems cannot be used to protect cloud computing from attacks effectively. Therefore, new approaches should be developed and implemented.
Multi-Tenancy Security Concerns
The SaaS models can be divided into maturity models characterized by scalability, multi-tenancy, and configurability. Scalability enables each user of cloud computing services to have their customized software application. Configurability allows vendors to provide each customer with different instances of software application services using the same software application code. Under this model, clients can change some configuration options so that they can adequately satisfy their demands. In a multi-tenancy model, a single instance is used to serve different customers. Although this method allows for the more efficient use of resources, it limits the capabilities of scalability.
Multi-tenancy refers to sharing resources in cloud computing. Applications, memory, data, and networks possess a significant amount of security information. The business basis of cloud computing is that multiple users can share resources and use the same resource at the network, application, and host levels. Even in situations when users are virtually isolated, the hardware elements they share are not. A multi-tenant architecture allows the software to split the data and configurations virtually so that each client can work with a customized software and hardware application.
Multi-tenancy, therefore, exposes cloud computing to a set of confidentiality threats. There is a correlation between data confidentiality and the authentication of users. Therefore, there should be policies to ensure that the data of each customer is kept separate from the data of other clients.
Data Security Concerns
Data is a primary concern for any form of technology, but the concern becomes more pronounced with the use of SaaS. Cloud computing allows organizational data to be processed in plain text and stored in the cloud. The provider of SaaS is the only one responsible for the security of data while they are being processed. Data backup should provide reliability in the case of a data disaster.
However, the data backup may also cause security concerns (Samani, Reavis, & Honan, 2014). Cloud service providers usually rely on outsourced subcontractors, but this behavior again can raise some security issues. Here, the major threats to the data security include the data scavenging and data leakage.
Accessibility Security Concerns
Applications are readily available through cloud computing via Internet devices, mobile devices, and public computers. However, such increased accessibility exposes both the data and cloud computing services to common risks (Modi et al., 2013). The major security concern with accessibility is denial of service. It happens when malicious users occupy all the possible resources, and the system cannot satisfy requests from its legitimate users.
PaaS provides a platform upon which applications and services can be designed and executed. Unlike SaaS, PaaS provides more customer extensibility, as well as better client control, due to the relatively lower degree of abstraction. PaaS application security consists of two major software layers: the security of the client applications and the security of the PaaS platform itself (Hashizume, Rosado, Fernandez-Medina, & Fernandez, 2013). Providers of PaaS are responsible for ensuring that the platform software is secured. The following subsections present the primary security concerns with PaaS.
Third-Party Relationships Security Concerns
PaaS provides both traditional programming languages and third-party web services such as mashups. According to Sen (2014), mashups have several source elements integrated into a single unit. Therefore, the PaaS model inherits security issues related to mashup web services, for example, network and data security. Also, the users of PaaS must depend on the security of the web tools, as well as third-party services, which causes some privacy issues. Data scavenging is the most common security concern associated with third-party relationships.
Virtualization Security Concerns
Virtualization enables users of the cloud service to create, copy, migrate, share, and roll back a virtual machine that allows them to run different applications. However, the technology brings an additional layer that, in turn, may provide opportunities for hackers to attack the system. Therefore, the extra layer must possess sufficient protection. According to Modi et al. (2013), virtualized environments are vulnerable to attacks of different types, including data scavenging and service hijacking.
Virtualization provides additional entry points to cloud computing, and it increases the complexity of ensuring the safety of data. Also, customer data manipulation may take place in virtual environments.
IaaS allows vendors to offer storage space and computing power on demand. Unlike both PaaS and SaaS, IaaS provides greater customer control and extensibility. In the traditional computing scenario, data security is entirely the burden of the firm owning the data (Samani, Reavis, & Honan, 2014). In the cloud computing scenario, the data security responsibility is divided between the two main parties: the client and the cloud service provider.
Confidentiality Security Concerns
Confidentiality means that only authorized systems or parties have access privileges to protected data. Keeping data and information confidential and secure is one of the biggest problems affecting cloud computing. Particular problems may arise regarding who is allowed to create the data, where they can be stored, who can get access to them, what steps should be taken if they are deleted, how they should be backed up, and how the data transfer should occur. The more components, equipment, and applications involved in cloud computing, the more points of access there are and the more security threats arise.
According to Hashizume et al. (2013), a significant number of cloud computing attacks occur because of the existence of multiple locations from which the protected data can be accessed. Clients find it harder to check how service providers handle the cloud service and to determine whether the handling is safe or not. Hashizume et al. (2013) suggest that, in order to mitigate these problems, such strategies as data encryption, data dispersion, public key infrastructures, and standardization of APIs should be implemented. Moreover, data leakage is associated with decreased confidentiality.
Lack of Standardization Security Concerns
Cloud computing is an immature technology, which makes it difficult to develop a comprehensive and acceptable set of standards. Most compliance policies and standards in cloud computing do not envision compliance with policies and regulations. In terms of SaaS, Samani, Reavis, and Honan (2014) suggest that compliance is a complex issue because data is located in the databases of providers. Such storage may cause compliance matters, for example, data segregation, privacy, and security that must all be enforced by the providers. It is for this reason, therefore, that organizations have been established to research and design specifications for cloud computing.
For example, such organizations as the European Network and Information Security Agency, Cloud Security Alliance, and Cloud Standards Customer Council were established to develop the best regulations and practices. However, cloud computing has been so exciting that it has drawn a series of standards that, in turn, have caused confusion in the industry. For this reason, individual working groups in cloud computing have been pushing for the coordination and collaboration regarding the information and resources sharing between clients and cloud service providers.
Proposed Solutions
There are six areas in the cloud computing environment in which the software and the equipment require attention. They are data at rest, data in transit, authentication of processes/users/applications, separation of data belonging to different clients, cloud regulatory and legal issues, and incident response.
For the data at rest, Munir, Al-Mutairi, and Mohammed (2015) suggest that cryptographic encryption appliances are the best option. However, the software encryption may make the processes less secure and slower because an adversary may steal the encryption key from the encrypted machines without being noticed.
Encryption can still be used to provide security for data in transit. Integrity and authentication protection mechanisms ensure that data in transit can only go to the destinations where customers want them to be and that the data cannot be modified in transit. For any cloud deployment, strong authentication is an essential requirement.
According to Hashizume et al. (2013), the authentication of users forms the basis for controlling the access to data. The cloud environment requires the use of authentication more than ever because the cloud environment is accessible to everyone who is using the Internet.
Some organizations have gone ahead to allow real-time communication between providers of cloud services and legitimate customers, as well as other security systems. Whenever the customer's identity and access privileges are revoked, the identity management system of the client notifies cloud providers so that the access privileges of the user are modified within a short time.
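The revocation notification described above only helps if the provider can trust the message, which ties it to the integrity and authentication protection for data in transit discussed earlier. The following is an added example, not part of the original paper: it assumes the customer's identity system and the provider share an HMAC key, and the class name, event fields, and key are constructed for illustration.

```python
import hashlib
import hmac
import json

MAX_SKEW = 300  # seconds an event may be old before it is rejected (assumed policy)

def sign_event(key, event):
    """Customer side: serialize a revocation event and sign it with HMAC-SHA256."""
    body = json.dumps(event, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

class CloudProviderSessions:
    """Provider side: tracks sessions and applies authenticated revocations."""

    def __init__(self, idp_key):
        self._key = idp_key
        self._sessions = {}    # session id -> user id
        self._revoked = set()  # users whose access has been revoked
        self._seen = set()     # event ids already applied (replay guard)

    def open_session(self, sid, user):
        if user in self._revoked:
            return False
        self._sessions[sid] = user
        return True

    def is_active(self, sid):
        return sid in self._sessions

    def handle_revocation(self, body, signature, now):
        # Verify integrity and origin before parsing anything in the body.
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return "rejected: bad signature"
        event = json.loads(body)
        if abs(now - event["issued_at"]) > MAX_SKEW:
            return "rejected: stale"
        if event["event_id"] in self._seen:
            return "rejected: replay"
        self._seen.add(event["event_id"])
        user = event["user"]
        self._revoked.add(user)
        dropped = [s for s, u in self._sessions.items() if u == user]
        for s in dropped:
            del self._sessions[s]
        return f"revoked: {len(dropped)} session(s)"

def demo():
    key = b"constructed-demo-key"  # constructed value, not a real secret
    provider = CloudProviderSessions(key)
    for sid, user in (("s1", "alice"), ("s2", "alice"), ("s3", "bob")):
        provider.open_session(sid, user)
    body, sig = sign_event(key, {"event_id": "e-1", "user": "alice", "issued_at": 1000})
    tampered = body.replace(b"alice", b"bob")  # modified in transit
    return [
        provider.handle_revocation(tampered, sig, now=1010),
        provider.handle_revocation(body, sig, now=1010),
        provider.handle_revocation(body, sig, now=1020),
        provider.is_active("s3"),
        provider.open_session("s4", "alice"),
    ]

if __name__ == "__main__":
    print(demo())
```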
Cloud computing is a new concept that offers a broad range of benefits for individuals who use it. However, it has also raised several security issues that may limit its use. Cloud computing leverages several IT technologies and, in the process, inherits their security problems.
Different cloud models such as SaaS, PaaS, and IaaS have inherent security issues. SaaS presents security issues such as multi-tenancy, application security, data security, and accessibility issues. IaaS contains security problems such as virtualization and third-party concerns.
All these matters are mainly affected by security threats such as account hijacking, data scavenging, denial of service, data leakage, customer data manipulation, insecure VM migration, and VM hopping. Organizations should implement encryption strategies, HyperSafe technologies, progressive credentials, and relevant policies in order to prevent security problems.