Article details

Title: Considerations on Cloud Computing Security
Author(s): Mihai Togan

Abstract: Major progress in network technologies, together with the growing need for computing resources, is leading more and more organizations to outsource their storage and data processing needs. This new economic and computing model is commonly referred to as cloud computing. The security issues raised by the use of cloud systems are still, in the opinion of many experts, the main barrier to the widespread adoption of the services these infrastructures provide. This paper discusses a number of issues and considerations regarding the security of cloud environments. The first part presents security issues raised by the peculiarities and the architecture of cloud infrastructures. The security issues of cloud services can be viewed from multiple directions; one of them is the cloud model used. The paper discusses particular aspects of each of the recognized cloud models (IaaS, PaaS and SaaS), as well as aspects of the process of outsourcing data to the cloud. The second part of the paper presents a series of security solutions. The security techniques discussed are mapped to security requirements characteristic of cloud environments, both in terms of services and of client applications.

Keywords: cloud, security issues, virtualization, data, services, security techniques.
