Abstract
Cloud computing may be defined as the management and provision of resources, software, applications and information as services over the cloud (internet) on demand. Cloud computing comes into focus only when you think about what IT always needs: a way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software. "Cloud computing continues to gain acceptance as a critical way to deliver on-demand information and resources to customers." The cloud architecture is implemented in such a way that it provides the flexibility to share applications as well as other network resources (hardware etc.) [1]. This leads to a need-based, flexible architecture in which resources expand or contract with only minor configuration changes. Cloud computing is often provided "as a service" over the Internet, typically in the form of infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS). From an end user's perspective, you don't need to care about the OS, the plug-ins, web security or the software platform [2]. Everything should be in place without any worry. This paper focuses on technical security issues in cloud computing. Cloud computing has various benefits in an enterprise, but the major concern is how security is implemented in cloud computing.
Keywords
Cloud computing, Security issues, Cloud computing security, Public cloud, Private cloud, Hybrid cloud, Cloud computing attacks.
1. Introduction
Cloud computing is a technology that uses the internet and central remote servers to maintain data and applications. Cloud computing allows consumers and businesses to use applications without installation and access their personal files at any computer with internet access. This technology allows for much more inefficient computing by centralizing storage, memory, processing and bandwidth. A simple example of cloud computing is Yahoo email, Gmail, or Hotmail etc. [3]. You don't need software or a server to use them. All a consumer needs is an internet connection to start sending emails. The server and email management software are all on the cloud (internet) and are totally managed by the cloud service provider: Yahoo, Google etc. The consumer gets to use the software alone and enjoy the benefits. The analogy is, 'If you need milk, would you buy a cow?' All the users or consumers need is to get the benefits of using the software or hardware of the computer, like sending emails etc. Just to get this benefit (milk), why should a consumer buy a (cow) software/hardware? Cloud computing, not to be confused with grid computing, utility computing, or autonomic computing, involves the interaction of several virtualized resources. Cloud servers connect and share information based on the level of website traffic across the entire network. The services of cloud computing are shown in Fig. (1).
Cloud computing is broken down into three segments: "application", "storage" and "connectivity." Each segment serves a different purpose and offers different products for businesses and individuals around the world. In June 2011, a study conducted by Version One found that 91% of senior IT professionals actually don't know what cloud computing is and two-thirds of senior finance professionals are clear on the concept, highlighting the young nature of the technology. In Sept 2011, an Aberdeen Group study found that disciplined companies achieved on average a 68% increase in their IT expense because of cloud computing and only a 10% reduction in data center power costs. Cloud computing overlaps some of the concepts of distributed, grid and utility computing; however, it does have its own meaning if contextually used correctly. The conceptual overlap is partly due to technology changes, usages and implementations over the years. Cloud computing really is accessing resources and services needed to perform functions with dynamically changing needs. An application or service developer requests access from the cloud rather than a specific endpoint or named resource. What goes on in the cloud manages multiple infrastructures across multiple organizations and consists of one or more frameworks overlaid on top of the infrastructures, tying them together. Frameworks provide mechanisms for self-healing, self-monitoring, resource registration and discovery, service level agreement definitions, and automatic reconfiguration.
2. Types of Cloud
In providing a secure Cloud computing solution, a major decision is the type of cloud to be implemented. Currently there are three types of cloud deployment models offered, namely, a public, private and hybrid cloud. These, together with their security implications, will be discussed below. Within this paper vendors are referred to as cloud providers, or companies specializing in providing a tailor-made cloud solution. These entities have established cloud infrastructure including virtual servers for storage matching required processing power. Organizations are entities, including business managers, executives and end-users, entering into an agreement with cloud vendors to utilize their cloud capabilities for personal and/or private use.
A. Public Cloud
A public cloud is one based on the standard cloud computing model, in which a service provider makes resources, such as applications and storage, available to the general public over the Internet. A public cloud is a model which allows users access to the cloud via interfaces using mainstream web browsers. It's typically based on a pay-per-use model, similar to a prepaid electricity metering system, which is flexible enough to cater for spikes in demand for cloud optimization. This helps cloud clients to better match their IT expenditure at an operational level by decreasing their capital expenditure on IT infrastructure [4]. Public clouds are less secure than the other cloud models because they place an additional burden of ensuring all applications and data accessed on the public cloud are not subjected to malicious attacks.
B. Private Cloud
Private cloud is infrastructure operated solely for a single organization, whether managed internally or by a third party and hosted internally or externally. They have attracted criticism because users "still have to buy, build, and manage them" and thus do not benefit from less hands-on management, essentially "[lacking] the economic model that makes cloud computing such an intriguing concept".
A private cloud is set up within an organization's internal enterprise datacenter. It is easier to align with security, compliance, and regulatory requirements, and provides more enterprise control over deployment and use. In the private cloud, scalable resources and virtual applications provided by the cloud vendor are pooled together and available for cloud users to share and use. It differs from the public cloud in that all the cloud resources and applications are managed by the organization itself, similar to Intranet functionality.
C. Hybrid Cloud
Hybrid cloud is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models. It can also be defined as multiple cloud systems that are connected in a way that allows programs and data to be moved easily from one deployment system to another.
A hybrid cloud is a private cloud linked to one or more external cloud services, centrally managed, provisioned as a single unit, and circumscribed by a secure network. It provides virtual IT solutions through a mix of both public and private clouds. Hybrid clouds provide more secure control of the data and applications and allow various parties to access information over the Internet. A hybrid cloud also has an open architecture that allows interfaces with other management systems.
D. Community cloud
Several organizations jointly construct and share the same cloud infrastructure as well as policies, requirements, values, and concerns. The cloud community forms into a degree of economic scalability and democratic equilibrium. The cloud infrastructure could be hosted by a third-party vendor or within one of the organizations in the community.
3. Structure of Cloud computing
Structure is committed to highlighting the most significant ideas, opportunities and technologies that power the rise of cloud computing. Fig. (2) shows the structure of cloud computing.
A. Infrastructure-as-a-Service
This is much like running a virtual server on your own equipment, except you are now running a virtual server on a virtual disk. This model is similar to a utility company model, as you pay for what you use. An example is Amazon Web Services at http://aws.amazon.com/. IaaS delivers the computer infrastructure, typically a virtualized computer, as a service. The end user has full control over the virtualized computer instance and can customize the instance accordingly. The virtualization technology is used to provide multi-tenancy and isolation to the users, as different virtual instances may be allocated to a single physical machine. Unlike purchasing the physical servers, IaaS is charged on a utility basis depending on the consumption of the resources. IaaS delivers computer infrastructure, typically a platform virtualization environment, as a service. This includes servers, software, data-center space and network equipment, available in a single bundle and billed as per usage in a utility computing model. IaaS is generally used by organizations that have the in-house expertise to manage their IT requirements but don't have the infrastructure. They then hire the required infrastructure from IaaS providers and load up their libraries, applications, and data, after which they configure them themselves. A popular use of IaaS is in hosting websites, where the in-house infrastructure is not burdened with this task but left free to manage the business.
B. Platform as a Service
Platform as a Service is a combination of a development platform and a solution stack, delivered as a service on demand. It provides infrastructure on which software developers can build new applications or extend existing ones without the cost and complexity of buying and managing the underlying hardware and software and provisioning hosting capabilities. In other words, it provides the supporting infrastructure to enable the end user to develop his own solutions. In addition to firms' IT departments who use PaaS to customize their own solutions, its users include independent software vendors (ISVs) as well, those who develop specialized applications for specific purposes. While earlier application development required hardware, an operating system, a database, middleware, Web servers, and other software, with the PaaS model only the knowledge to integrate them is required. The rest is taken care of by the PaaS provider. Sometimes, PaaS is used to extend the capabilities of applications developed as SaaS. Examples of PaaS include Salesforce.com's Force.com, Google's App Engine, and Microsoft's Azure.
C. Software as a Service
Software as a Service is a model of software deployment wherein a provider delivers its software as a service to be used by customers on demand. Almost half of the projected $42 billion opportunity is in software applications. Most CIOs enter Cloud Computing through Software as a Service projects, because of the scalability, flexibility and cost savings involved. Whether it is finding the new gold nugget of information with data mining, analytics with databases, saving time on rendering large design or image files, or more complex financial analysis and life science applications, the opportunity to build and accelerate your applications based on on-demand resources has never been greater. Other applications include CRM, ERP, accounting, scheduling, automated billing, content management, HR management and so on. IT organizations are often seen as implementing critical areas of business strategy, critical in wringing out more profitability or creating a competitive advantage with solutions mirroring business needs.
4. Security Concerns of Cloud Computing
The major security challenge with clouds is that the owner of the data may not have control of where the data is placed. We are conducting research on secure cloud computing. Due to the extensive complexity of the cloud, we contend that it will be difficult to provide a holistic solution to securing the cloud at present. A cloud system will: (i) support efficient storage of encrypted sensitive data, (ii) store, manage and query massive amounts of data, (iii) support fine-grained access control, and (iv) support strong authentication. Security issues for many of these systems and technologies are applicable to cloud computing. For example, the network that interconnects the systems in a cloud has to be secure. Finally, data mining techniques may be applicable to malware detection in clouds.
5. Cloud Computing Attacks
As more companies move to cloud computing, look for hackers to follow [4]. Some of the potential attack vectors criminals may attempt include:
A. Denial of Service (DoS) attacks
Some security professionals have argued that the cloud is more vulnerable to DoS attacks, because it is shared by many users, which makes DoS attacks much more damaging. Twitter suffered a devastating DoS attack during 2009.
Direct Denial of Service. When the Cloud Computing operating system notices the high workload on the flooded service, it will start to provide more computational power (more virtual machines, more service instances) to cope with the additional workload. Thus, the server hardware boundaries for the maximum workload to process no longer hold. In that sense, the Cloud system is trying to work against the attacker (by providing more computational power), but actually to some extent even supports the attacker by enabling him to do the most possible damage to a service's availability, starting from a single flooding attack entry point. Thus, the attacker does not have to flood all n servers that provide a certain targeted service, but can merely flood a single, Cloud-based address in order to cause a full loss of availability of the intended service.
B. Cloud Malware Injection Attack
A first considerable attack attempt aims at injecting a malicious service implementation or virtual machine into the Cloud system [5]. This kind of Cloud malware could serve any particular purpose the adversary is interested in, ranging from eavesdropping via subtle data modifications to full functionality changes or blockings. This attack requires the adversary to create its own malicious service implementation module (SaaS or PaaS) or virtual machine instance (IaaS), and add it to the Cloud system. Then, the adversary has to trick the Cloud system so that it treats the new service implementation instance as one of the valid instances for the particular service attacked by the adversary [4]. If this succeeds, the Cloud system automatically redirects valid user requests to the malicious service implementation, and the adversary's code is executed. A promising countermeasure to this threat consists of the Cloud system performing a service instance integrity check prior to using a service instance for incoming requests. This can, for example, be done by storing a hash value of the original service instance's image file and comparing this value with the hash values of all new service instance images. Thus, an attacker would be required to trick that hash value comparison in order to inject his malicious instances into the Cloud system.
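The service instance integrity check described above, as an added example that is not part of the original paper. The `InstanceRegistry` class, the service names and the image files are hypothetical and constructed for illustration, and SHA-256 is an assumption since the paper does not name a hash function; the example also goes one step beyond the text by re-hashing instances after admission.

```python
import hashlib
import hmac
import os
import tempfile


def image_digest(path, chunk_size=1 << 20):
    """SHA-256 of an image file, read in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class InstanceRegistry:
    """Hypothetical admission gate: an instance becomes routable only if its
    image hashes to the reference stored for the service's original image."""

    def __init__(self):
        self._reference = {}  # service -> digest of the original image
        self._routable = {}   # service -> admitted image paths

    def register_service(self, service, original_image):
        self._reference[service] = image_digest(original_image)
        self._routable[service] = []

    def admit(self, service, candidate_image):
        ref = self._reference.get(service)
        if ref is None:
            return False  # fail closed: no reference, no routing
        ok = hmac.compare_digest(ref, image_digest(candidate_image))
        if ok:
            self._routable[service].append(candidate_image)
        return ok

    def audit(self, service):
        """Re-hash admitted images; evict any that changed after admission."""
        ref = self._reference[service]
        evicted = [p for p in self._routable[service]
                   if not hmac.compare_digest(ref, image_digest(p))]
        self._routable[service] = [p for p in self._routable[service]
                                   if p not in evicted]
        return evicted

    def routable(self, service):
        return list(self._routable.get(service, []))


def run_demo():
    """Constructed sample images: an original, an identical clone, a modified copy."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            return path

        base = b"constructed-image-bytes" * 1000
        original = write("svc-original.img", base)
        clone = write("svc-clone.img", base)
        modified = write("svc-modified.img", base + b"X")

        reg = InstanceRegistry()
        reg.register_service("billing", original)
        results = {
            "clone": reg.admit("billing", clone),
            "modified": reg.admit("billing", modified),
            "unknown_service": reg.admit("reports", clone),
        }
        with open(clone, "ab") as f:  # image altered after it was admitted
            f.write(b"late change")
        results["evicted"] = [os.path.basename(p) for p in reg.audit("billing")]
        results["routable_after_audit"] = reg.routable("billing")
        return results


if __name__ == "__main__":
    print(run_demo())
```

The check is only as trustworthy as the stored reference digests, so in a real deployment they would be kept (or signed) outside the plane that tenants and service instances can write to.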
C. Side Channel Attacks
An attacker could attempt to compromise the cloud by placing a malicious virtual machine in close proximity to a target cloud server and then launching a side channel attack.
D. Authentication attacks
Authentication is a weak point in hosted and virtual services and is frequently targeted. There are many different ways to authenticate users; for example, based on what a person knows, has, or is. The mechanisms used to secure the authentication process and the methods used are a frequent target of attackers. Currently, regarding the architecture of SaaS, IaaS, and PaaS, there is only IaaS offering this kind of information protection and data encryption. If the transmitted data is categorized as highly confidential for any enterprise, the cloud computing service based on IaaS architecture will be the most suitable solution for secure data communication. In addition, the processing or management of data that belongs to the enterprises but is stored on the service provider's side must be authorized by the user side (the enterprises) instead of the service providers. Most user-facing services today still use simple username and password type of knowledge-based authentication, with the exception of some financial institutions which have deployed various forms of secondary authentication (such as site keys, virtual keyboards, shared secret questions, etc.) to make popular phishing attacks a bit more difficult.
E. Man-in-the-middle cryptographic attacks
This attack is carried out when an attacker places himself between two users. Anytime attackers can place themselves in the communication's path, there is the possibility that they can intercept and modify communications.
6. Cloud computing security steps
The security steps are given below:
(i) Understand the cloud by realizing how the cloud's uniquely loose structure affects the security of data sent into it. This can be done by having an in-depth understanding of how cloud computing transmits and handles data.
(ii) Demand transparency by making sure that the cloud provider can supply detailed information on its security architecture and is willing to accept regular security audits. The regular security audits should be from an independent body or federal agency.
(iii) Consider the Legal Implications by knowing how the laws and regulations will affect what you send into the cloud.
(iv) Pay attention by constantly monitoring any development or changes in the cloud technologies and practices that may impact your data's security.
7. Strong User Authentication
Thus the most effective way to ensure users are adequately authenticated when using browsers to access services in the cloud is to facilitate an additional authentication factor outside of the browser (in addition to username/password). This is essentially multi-factor authentication, but the options available today are rather limited when considering requirements of scalability and usability.
A. Preparing the network for a Cloud computing implementation
Cloud computing represents a huge change in the way a business functions, and that's especially true for an organization's IT infrastructure [6]. Nobody is affected more by this transition than the network administrators tasked with keeping an organization's data and network users safe.
Sharing data, applications and IT infrastructures can present significant cost and productivity benefits, but it all takes place outside of the comfort zone of the corporate firewall and physical environment. As a network administrator, your task during a cloud computing implementation is to ensure users and data remain secure after transitioning data, applications, an infrastructure, or all of the above to the cloud. Although there is a shared responsibility with the cloud provider for the security of enterprise data, ultimately enterprise security pros are responsible. In this tip, we'll discuss how to prepare an enterprise network for the security aspects that come with extending network infrastructure into the cloud.
B. Keep a forensics and Web log
Providers need to know where their customer's data is at all times, Krause says. "There's got to be a way to follow the audit trail, where the data was at any point in time," he says. A forensics and Web log accomplishes this, he says. "Enable logging so you get visibility on how people are using your services you put in the cloud," Balding suggests. "You might detect some attacks that way. If you don't turn on the logging, you're not seeing any of the bad stuff or hacker potential," Balding says. Also check with IT to see if other divisions of the company have already signed up for the cloud service, because if they have, a security breach can occur. Balding says to confer with the finance department to see if anyone else in the company has spent money on that service. It's a company hazard if the same information is in the cloud twice, he says.
7. Conclusion
Cloud computing has the potential for cost savings to enterprises, but the security risks are also enormous. Enterprises looking into cloud computing technology as a way to cut down on cost and increase profitability should seriously analyze the security risks of cloud computing. In this paper, key security considerations and challenges currently faced in the Cloud computing industry are highlighted. While current offerings explore trial-and-error control methods, a great deal of investment must be made in managing security around this evolving technology. Enterprises should verify and understand cloud security, carefully analyze the security issues involved and plan for ways to resolve them before implementing the technology. Pilot projects should be set up and good governance should be put in place to effectively deal with security issues and concerns. Authentication and authorization are done to ensure data security in cloud computing. Its security deficiencies and benefits need to be carefully weighed before making a decision to implement it. However, the future looks less cloudy as more people are attracted by the topic and pursue research to improve on its drawbacks.
References
[1] Farah Sabahi "Cloud Computing Security Threats and Responses", IEEE, Vol-2, 2011.
[2] Ziyuan Wang "Security and privacy issues within the Cloud Computing", IEEE, Vol-1, 2011.
[3] Xiang Tan, Bo Ai "The Issues of Cloud Computing Security in High-Speed Railway", International Conference on Electronic & Mechanical Engineering and Information Technology, 2011.
[4] Farhan Bashir Shaikh and Sajjad Haider "Security Threats in Cloud Computing", 6th International Conference on Internet Technology and Security Transaction, 2011 IEEE.
[5] Meiko Jonsen, Jorg Schwenk, "On Technical Security issues in cloud computing", 4th International Conference on Cloud Computing, 2011.
[6] Xue Jing, Zhang Jian-jun, "A Brief Survey on the Security Model of Cloud Computing", International Symposium on Distributed Computing and Applications to Business, Engineering and Science, 2010.
Mr. Ajey Singh1 and Dr. Maneesh Shrivastava2
Department of Information Technology, LNCT- Bhopal- India
Copyright International Journal of Advanced Computer Research Mar 2012