Cloud Computing: Security Issues and Challenges

Cloud Computing is a recently emerged paradigm, well out of its infancy but not yet mature, that aims at provisioning computing resources in the most efficient and economical way. Virtualization is the key technique behind Cloud Computing. The Cloud adopts a Service Oriented Architecture, which enables its clients to transform their requirements and problems into services and thus benefit from the solution provided by the Cloud. Besides provisioning computing and storage resources, it has expanded the traditional threat environment. The vulnerabilities and threats to the Cloud are the issues which, if successfully overcome, would make the Cloud a digital fort for its users. This paper surveys the weaknesses in Cloud architecture, Internet protocols, operating systems and application software, and cryptosystems. It also identifies the challenges related to Cloud security and the countermeasures to resolve those issues.

Keywords— Cloud Computing; Cloud Security; Cryptography; Virtualization.


I. INTRODUCTION
Cloud Computing (Cloud) provides ubiquitous network access to a pool of shared, configurable resources. It is based on shared services and the convergence of infrastructure. It emerged from the evolution and adoption of many prevalent technologies, and inherits many of its characteristics from the client-server model, grid computing, mainframe computing, utility computing, and peer-to-peer architecture. Virtualization is the key technique behind Cloud Computing. The Cloud adopts a Service Oriented Architecture (SOA), which enables its clients to transform their requirements and problems into services and thus benefit from the solution provided by the Cloud. Key advantages of the Cloud include agility, reduced costs, device independence, location independence, easy maintenance, high performance, extreme scalability and flexibility, increased productivity, privacy, and security.
What is security in the context of information and communication technologies (ICT)? NIST defines it as "the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability" [1].
The definition clearly identifies the goals of information security, the CIA triad (Confidentiality, Integrity, and Availability). Confidentiality means that unauthorized people cannot read information which is intended to be kept secret; Integrity means that unauthorized people cannot modify or destroy it; and Availability means that authorized people are not prevented from using it.
The attackers and attacks that constitute the threat environment are, in one way or another, intended to break down CIA. The threat environment is well explained in [2] [3].
Vulnerabilities are loopholes or weaknesses in a system or in its standard operating procedures which, when exploited by an evildoer, may result in compromise. Threats are possible attacks that can be executed by exploiting some vulnerability.
Cloud Computing is a recently emerged paradigm, well out of its infancy but not yet mature, that aims at provisioning computing resources in the most efficient and economical way. The vulnerabilities and threats to the Cloud are the issues which, if successfully overcome, would make the Cloud a digital fort for its users. This paper surveys the security issues that are, or may be, confronted by the Cloud. The paper is structured as follows: Section II briefly describes the architecture, service models and deployment models of the Cloud; Section III discusses the security issues; Section IV highlights the challenges being faced and the countermeasures; Section V concludes the discussion and gives directions for future work.

II. CLOUD COMPUTING
"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" [4].The key characteristics that Cloud must have, the services type it can provide and how it can be deployed are summarized in Table 1.Cloud services are provided on demand over the internet on pay-for-use basis [5].It delivers computing resources in the form of services ranging from application to the data centers III.SECURITY ISSUES To have a better look into security issues related to Cloud, can be partitioned into following four components ; 1) physical layer, 2) virtualization layer , 3) service provider layer, 4) user layer.Figure 2 captures security issues at each layer.Now with the perspective of these four components security issues are discussed below.

A. Vulnerabilities
Virtualization/multi-tenancy is the key component of the Cloud architecture. The Cloud comes with three levels of virtualization: first at the OS level, second at the application level, and third at the hypervisor level. With OS-level virtualization, multiple guest OSs run on the host OS. Since the host OS controls and has a view into each guest OS, if the host OS is compromised all of the guest OSs are compromised as well. Application-level virtualization is provided at the top layer of the host OS; a Virtual Machine (VM) running a guest OS and its applications then suffers from the same vulnerability as in the OS-level case. The VM Monitor (VMM), or Hypervisor, runs on the host OS, and all the VMs that run guest OSs are controlled by the Hypervisor. If the Hypervisor is compromised, all VMs and thus all guest OSs are compromised. A mere flaw in the Hypervisor's code can put the entire infrastructure at risk, and breaches in the Hypervisor can lead to cross-VM attacks. Examples of successful attacks at the virtualization layer include SubVirt [7] and DKSM [8].
Cloud services are accessed through the Internet, which serves as their backbone, using web browsers or APIs, so the use of the Internet Protocol (IP) is inherent. The Cloud is no exception to the attacks carried out by exploiting the weaknesses of IP. Since proof of origin is not required in ARP, a malicious VM can use ARP poisoning to redirect the inbound and outbound traffic of a co-located VM to another malicious VM.
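The ARP weakness just described can be detected passively from the host or the virtual switch, since every tenant's ARP replies pass through it. The following Python code is an added example written for this discussion, not code from the paper: it parses constructed ARP reply records (the one-line-per-reply log format is an assumption) and raises an alert when an IP address changes its MAC binding, or when one MAC starts answering for several addresses, as happens when a VM claims the gateway and its neighbours at once.

```python
"""Passive detection of ARP cache poisoning from ARP reply records.

Added example (not from the paper). ARP carries no proof of origin, so a
host can claim any IP-to-MAC binding. A passive monitor keeps its own
table of observed bindings and alerts when an IP suddenly maps to a
different MAC, or when one MAC claims more addresses than expected.
Log format (constructed, simplified): "<time> ARP-REPLY <ip> is-at <mac>".
"""
import re
from collections import defaultdict

# Constructed sample: 10.0.0.1 is the gateway, 10.0.0.77 a tenant VM.
# At t=5 the VM with MAC 02:00:00:00:00:77 starts answering for the gateway,
# then for 10.0.0.10 as well; at t=7 the real gateway answers again.
SAMPLE_ARP_LOG = """\
1 ARP-REPLY 10.0.0.1 is-at 02:00:00:00:00:01
2 ARP-REPLY 10.0.0.10 is-at 02:00:00:00:00:10
3 ARP-REPLY 10.0.0.77 is-at 02:00:00:00:00:77
5 ARP-REPLY 10.0.0.1 is-at 02:00:00:00:00:77
6 ARP-REPLY 10.0.0.10 is-at 02:00:00:00:00:77
7 ARP-REPLY 10.0.0.1 is-at 02:00:00:00:00:01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+ARP-REPLY\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.IGNORECASE)


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) tuples; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["ts"]), m["ip"], m["mac"].lower()


def detect_arp_poisoning(records, max_ips_per_mac=1):
    """Return a list of alert strings.

    Two heuristics:
      1. binding change: an IP previously seen with MAC A is now claimed by MAC B;
      2. many-to-one: one MAC claims more than `max_ips_per_mac` addresses.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in records:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"t={ts}: binding change {ip}: {previous} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append(f"t={ts}: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


def analyse(text=SAMPLE_ARP_LOG):
    """Run the detector over a log text and return its alerts."""
    return detect_arp_poisoning(parse_arp_log(text))


if __name__ == "__main__":
    for alert in analyse():
        print(alert)
```

On the sample log the detector produces five alerts: three binding changes (the gateway flipping to the rogue MAC, 10.0.0.10 flipping, and the gateway flipping back) and two many-to-one alerts for the rogue MAC. Hosts that legitimately own several addresses can be whitelisted by raising `max_ips_per_mac` for them.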
HTTP is stateless. The techniques used by web applications that require session state make them vulnerable and can be used for session hijacking. TCP/IP tacitly assumes that the routing tables of the routers along the path have not been modified for some evil purpose. These loopholes in TCP/IP equally cause vulnerabilities in Clouds, typically Public Clouds. Cloud services are accessed by their users through a management interface, and any unauthorized access to it can lead to critical risk for the whole infrastructure. A single organization acquiring Cloud services may have many users and administrators, which increases the probability of unauthorized access.
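The session-hijacking risk that follows from HTTP's statelessness is mitigated by the way the application issues and manages session identifiers. The following Python session store is an added example written for this discussion, not code from the paper or from any Cloud provider: identifiers come from a CSPRNG and are kept only as hashes, sessions expire when idle, the identifier is rotated at login, and the cookie carries the Secure, HttpOnly and SameSite attributes. The idle timeout value and the injectable clock are assumptions made so the example can be exercised without waiting.

```python
"""Server-side session handling that resists session hijacking and fixation.

Added example (not from the paper). HTTP is stateless, so web applications
attach state to a session identifier; this store applies the usual defences
for that identifier. `clock` is injectable (an assumption for testability).
"""
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; constructed policy value


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # sha256(session id) -> {"user": ..., "last_seen": ...}

    @staticmethod
    def _key(session_id):
        # Store only a hash so a leaked session table cannot be replayed directly.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, user=None):
        """Return a fresh, unguessable session identifier (256 bits from the CSPRNG)."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[self._key(session_id)] = {"user": user, "last_seen": self._clock()}
        return session_id

    def lookup(self, session_id):
        """Return the session record, or None if unknown or idle-expired."""
        record = self._sessions.get(self._key(session_id))
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > IDLE_TIMEOUT:
            self.destroy(session_id)  # stale ids are removed, not merely ignored
            return None
        record["last_seen"] = now
        return record

    def rotate_on_login(self, old_session_id, user):
        """Invalidate the pre-login id and issue a new one bound to `user`.

        Rotating at the privilege boundary defeats session fixation: an id
        planted before login is worthless afterwards.
        """
        self.destroy(old_session_id)
        return self.create(user=user)

    def destroy(self, session_id):
        self._sessions.pop(self._key(session_id), None)


def session_cookie_header(session_id, name="sid"):
    """Build a Set-Cookie header that keeps the id away from scripts and plain HTTP."""
    return (f"Set-Cookie: {name}={session_id}; Secure; HttpOnly; "
            f"SameSite=Strict; Path=/; Max-Age={IDLE_TIMEOUT}")


def demo():
    """Anonymous session -> rotation at login -> idle expiry; returns two booleans."""
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    anon = store.create()
    after_login = store.rotate_on_login(anon, user="alice")
    fixation_defeated = store.lookup(anon) is None      # old id no longer valid
    clock[0] += IDLE_TIMEOUT + 1
    expired = store.lookup(after_login) is None          # idle session gone
    return fixation_defeated, expired


if __name__ == "__main__":
    print(demo())
    print(session_cookie_header("example-id"))
```

The two defences that matter most against hijacking are visible in `demo()`: the pre-login identifier is useless after `rotate_on_login`, and an identifier that is stolen but not used within the idle window is useless as well. Binding the session to a client attribute such as the source address is deliberately not done here, because users behind NAT or on mobile networks change addresses legitimately.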

Table 1. Essential Characteristics, Service Models and Deployment Models of Cloud Computing

Essential characteristics

On-demand self-service
• Provisioning of computing capabilities to the customer.
• Automatic provisioning on demand.
• e.g. network storage, server time, etc.

Broad network access
• Capabilities are accessible through standard networks, primarily the Internet.
• Devices that can access these capabilities include mobile phones, workstations, laptops, etc.

Resource pooling
• Multi-tenancy: resources are shared by all customers.
• Resources are location independent.
• Resources may be physical or virtual.

Rapid elasticity
• Elastic provisioning/releasing of resources.
• Must be scalable and flexible enough to meet peak demands.

Measured service
• Measuring capabilities for the type of services provisioned.
• Automatic control and optimization of resource usage.
• Monitoring and controls.
• Reports and accounting of utilized services for both customer and service provider.

Service models

Software as a Service (SaaS)
• The customer can use only the provided application running on the underlying cloud infrastructure.
• Capabilities are accessible through the Internet or APIs.
• No control of the underlying infrastructure.

Platform as a Service (PaaS)
• The customer can deploy/configure its own or third-party applications; the only limitation is what the underlying infrastructure supports.
• No control of the underlying infrastructure such as operating systems, servers, storage, etc.

Infrastructure as a Service (IaaS)
• The customer is provisioned computing resources for processing, network and storage.
• The customer can run/deploy arbitrary software, including operating systems and applications.
• The customer controls only the components related to it.
• No control of the underlying infrastructure.

Deployment models

Private cloud
• The cloud infrastructure is exclusively provisioned to a single organization.
• Ownership, management and operation may be by the organization, a third party, or both.
• Commonly exists on the premises of the organization; may exist off premises.

Community cloud
• Cloud services are provided to a specific community.
• The community consists of organizations having shared concerns.
• Ownership, management and operation may be by multiple organizations, a third party, or both.
• May exist on or off premises.

Public cloud
• Services are provisioned to the general public.
• Ownership, management and operation may be by a business, government or academic organization, a third party, or both.
• Commonly exists on the premises of the cloud owner.

Hybrid cloud [6]
• A combination of two or more of the above infrastructure types.
• The infrastructures are bound together only by application portability and data.
• Their distinctness remains preserved.
Cryptography definitely serves to provide security here, but the other side that must be taken care of is that cryptanalysis has also advanced: with the processing power of today's machines, encryption techniques considered strong in the past are much weaker and easily breakable. Stronger cryptographic techniques should be used while accessing Cloud services for the protection of data and privacy [9] [10]. Defects in the design and architecture of applications pave the way for injection vulnerabilities.
Application components can be disclosed/discovered using Lightweight Directory Access Protocol (LDAP) injection, OS command injection and SQL injection flaws. The data acquired by exploiting these flaws may be the organization's own private data or some other organization's data hosted by the same Cloud [11].
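The cross-tenant disclosure described above follows directly from how the query is built. The following Python code is added here as an example and is not taken from the paper or from [11]: it shows a user lookup in a multi-tenant table in its vulnerable form (input spliced into the SQL text) beside its hardened form (bound parameters), plus the equivalent defence for LDAP search filters, escaping the metacharacters reserved by RFC 4515. The table, the tenants and the crafted input are constructed.

```python
"""SQL and LDAP injection: a vulnerable lookup beside its hardened form.

Added example (not from the paper). Two tenants share one table in an
in-memory SQLite database (constructed data). The vulnerable lookup lets a
crafted username turn the WHERE clause into one that is always true, so it
returns the other tenant's rows too; the hardened lookup compares the same
input only as a literal value.
"""
import sqlite3

# Constructed sample data: two tenants hosted in the same database.
ROWS = [
    ("tenant-a", "alice", "alice@a.example"),
    ("tenant-a", "bob", "bob@a.example"),
    ("tenant-b", "carol", "carol@b.example"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (tenant TEXT, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def find_user_vulnerable(conn, tenant, username):
    # Caller input is concatenated into the statement: the quoting can be broken out of.
    sql = (f"SELECT tenant, username, email FROM users "
           f"WHERE tenant = '{tenant}' AND username = '{username}'")
    return conn.execute(sql).fetchall()


def find_user_hardened(conn, tenant, username):
    # Bound parameters: the driver never interprets the values as SQL syntax.
    sql = "SELECT tenant, username, email FROM users WHERE tenant = ? AND username = ?"
    return conn.execute(sql, (tenant, username)).fetchall()


# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """Escape one assertion value so it cannot close or extend the filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter(username):
    """Build a (uid=...) search filter in which user input cannot add clauses."""
    return f"(uid={ldap_escape(username)})"


def demo():
    """Row counts returned for a crafted username by the vulnerable and hardened lookups."""
    conn = make_db()
    crafted = "x' OR '1'='1"          # constructed input that breaks out of the quotes
    return (len(find_user_vulnerable(conn, "tenant-a", crafted)),
            len(find_user_hardened(conn, "tenant-a", crafted)))


if __name__ == "__main__":
    print(demo())                      # vulnerable returns all 3 rows, hardened returns 0
    print(ldap_filter("*)(uid=*"))     # metacharacters neutralised
```

The vulnerable lookup returns all three rows, including tenant-b's, for a request that claimed to be tenant-a; the hardened one returns none, because no user is literally named `x' OR '1'='1`. The same principle applies to OS command injection: pass arguments as a list to the process API rather than building a shell string.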
Cloud services are accessed by users through the APIs published by Cloud providers, so these are of vital importance in orchestrating the provisioned services; the security of Cloud services is directly proportional to the security of these APIs. Browser-based vulnerabilities include SSL certificate spoofing, phishing and attacks on the browser cache [12]. Cloud APIs must support the key agreement methods specified in standards, since keys are used and stored in browsers.
In [13], the results of vulnerability tests of five platforms (Salesforce, Flickr, iCloud, Dropbox and CloudMe) are reported; the authors were able to identify cross-site scripting, carriage return line feed (CRLF) injection and SQL injection attacks.

B. Threats
According to the Cloud Security Alliance (CSA), the following threats are specifically relevant to the Cloud. An organization acquiring Cloud services must assess the risk involved in losing control over these services, because the computing infrastructure exists off premises.
There are issues of jurisdiction, as the data might traverse continents: the customer might be in a geography with different legal obligations than the Cloud service provider. So the business model is heavily dependent on reliable end-to-end encryption of data and on the trust management approaches adopted.
In the initial phase of acquiring Cloud services, organizations with insufficient knowledge of this paradigm can put the Cloud infrastructure at risk through inappropriate usage of processing and storage capabilities and the deployment of untrusted applications [15]. IaaS and PaaS are specifically vulnerable to such abusive usage of Cloud services. This scenario requires Cloud vendors to employ effective mechanisms for user registration, verification, validation and authentication. It also raises the need for monitoring network traffic and the behavior of new clients.
Custom interfaces built using APIs to interact with the Cloud add another layer on top of the APIs, increasing complexity and risk if used inappropriately. Here the mechanisms of authentication and authorization can be compromised, which ultimately leads to breaches of confidentiality and integrity. In the worst case the whole infrastructure, with all three service models, is endangered.
One of the most severe threats is a trusted insider with malicious intent who has knowledge of the whole or part of the system and thus knows how to bypass the security mechanisms in place. Such an insider may have privileges to bypass firewalls and intrusion prevention/detection systems.
Virtualization, multi-tenancy and the sharing of resources let an attacker exploit loopholes and jeopardize one or all three service models. Applications run in VMs, and many users might be using the same application; a vulnerability in any application may lead to an attack on the VM and thereby on the Hypervisor [18].
Weak encryption and a lack of control over audit, authorization and authentication result in loss of data integrity. Data theft and data loss may be other outcomes of these weaknesses.
Successful redirection of users to an illegitimate website, whether through phishing, fraud, software exploitation or reuse of credentials, may lead to service hijacking.
Cloud users are unaware of the underlying implementation infrastructure and security architecture. On one side this offers ease to the users; on the other it puts them at greater risk. If partial details of the architecture and the monitoring logs related to a user are shared with that user, along with some notification mechanism, the user will be able to build a profile of the risk involved.
Weak passwords, key loggers and other fraudulent mechanisms may cause a user to become a victim of identity theft. This could have serious consequences for the real user, who is held accountable for the compromise, and may jeopardize the whole Cloud service model.
With these vulnerabilities and threats to the Cloud system, an attacker can launch DoS attacks by flooding the victim with requests, injection attacks, attacks on virtualization using VM escape or Hypervisor rootkits, metadata spoofing, man-in-the-middle attacks, phishing and backdoor channel attacks.
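Request flooding is commonly throttled at the service entrance with a per-client token bucket, so that one abusive client exhausts only its own budget while other tenants are unaffected. The following Python limiter is an added example, not code from the paper: each client key (a tenant id, API key or source address; which one is used is an assumption) refills at a fixed rate up to a burst capacity, and a request is rejected when no token remains. The request trace it replays is constructed.

```python
"""Per-client token-bucket rate limiting as a first line of defence against floods.

Added example (not from the paper). Each client key gets its own bucket that
refills at `rate` tokens per second up to `burst`. A request is admitted only
if a whole token is available. `clock` is injectable (an assumption made so
the behaviour can be replayed from a trace without real waiting).
"""
import time


class TokenBucketLimiter:
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)      # tokens added per second
        self.burst = float(burst)    # bucket capacity (maximum burst size)
        self._clock = clock
        self._buckets = {}           # client -> [tokens, time of last refill]

    def allow(self, client):
        """True if the request is admitted; False if it should be rejected (e.g. HTTP 429)."""
        now = self._clock()
        tokens, last = self._buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # lazy refill
        if tokens >= 1.0:
            self._buckets[client] = [tokens - 1.0, now]
            return True
        self._buckets[client] = [tokens, now]
        return False


# Constructed trace of (time in seconds, client key): one client floods the
# service with 50 requests at t=0 and 50 more at t=1; another sends one
# request per second.
SAMPLE_REQUESTS = ([(0, "flooder")] * 50 + [(1, "flooder")] * 50
                   + [(0, "tenant-b"), (1, "tenant-b"), (2, "tenant-b"), (3, "tenant-b")])


def simulate_flood(requests=SAMPLE_REQUESTS, rate=5, burst=10):
    """Replay a request trace in time order; return {client: (admitted, rejected)}."""
    now = [0.0]
    limiter = TokenBucketLimiter(rate, burst, clock=lambda: now[0])
    stats = {}
    for t, client in sorted(requests, key=lambda r: r[0]):
        now[0] = float(t)
        admitted, rejected = stats.get(client, (0, 0))
        if limiter.allow(client):
            stats[client] = (admitted + 1, rejected)
        else:
            stats[client] = (admitted, rejected + 1)
    return stats


if __name__ == "__main__":
    print(simulate_flood())   # flooder: 15 admitted / 85 rejected; tenant-b: 4 / 0
```

With a burst of 10 and a refill rate of 5 per second, the flooding client gets 10 requests through at t=0 and 5 more at t=1, while the well-behaved tenant never sees a rejection. Rejected requests should be answered cheaply and logged, since a sustained stream of rejections from one key is itself a useful detection signal.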
Smartphones come with features that rely on Cloud services. Besides the management of mobility, they create another dimension of threats to the Cloud [17].

IV. CHALLENGES AND COUNTERMEASURES
The biggest challenge to the Cloud is guaranteeing CIA; this is not new, but in fact a traditional goal of information security.
Building users' trust in the Cloud and winning their satisfaction is another big task; to accomplish this, efforts are needed to enhance users' awareness of the Cloud [16].
From the perspective of the Cloud provider, processing efficiency and meeting the storage needs of huge amounts of data are the major concerns.
The countermeasures against the security issues highlighted in this paper are summarized as follows.
Security must be considered a shared responsibility of Cloud users and providers. The use of stronger encryption techniques and security frameworks should not be substituted. Compliance with industry-established security standards like PCI-DSS, IPSec and TLS, and with government regulations like FISMA, not only helps win users' trust and satisfaction but also provides a solid foundation. Users' strict adherence to procedures and controls at both ends of the Cloud will strengthen the security posture. Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS) and firewalls can definitely reduce the vulnerabilities to a comfortable level. Cloud providers must have a business continuity plan and a disaster recovery plan to respond to likely and unlikely incidents [19].

V. CONCLUSIONS AND FUTURE WORK
Finally, security has no upper limit; organizations strive to achieve a security posture that ensures a level of comfort corresponding to the importance of the data.
Internet protocols were envisioned to provide best-effort delivery, so they inherently have some vulnerabilities.
On one hand, virtualization of hardware and software resources is an essential characteristic of the Cloud for provisioning a service oriented architecture. On the other, it poses a serious threat, as a compromise or vulnerability in any module of a VM puts the whole infrastructure at risk. Increasing computing capabilities are also easing cryptanalysis, so key lengths must conform to the security standards and regulations promulgated by governments or industry.
Most importantly, security must be considered a shared responsibility between Cloud users and providers.
The challenges identified in the earlier sections will continue to evolve, both in the forms discussed in this paper and in new forms. The countermeasures against these challenges will have to keep the same pace. They will continue to invite the research community to come up with new ideas and excel in the field of information security.
Virtualization, being the most important feature of the Cloud, is also a vulnerability of the same scale. In the next step of this work, weaknesses of existing server operating systems (of major vendors) related to virtualization will be identified, and rectification of the identified vulnerabilities will be presented.

Figure 1. General Architecture of Cloud
Figure 1 depicts the general architecture of the Cloud.

Figure 2. Cloud Architecture Layers and Related Security Issues