ACCESSING SECURED DATA IN CLOUD COMPUTING ENVIRONMENT
Cloud computing security
2. Cloud computing
“Cloud computing is a model for enabling convenient,
on-demand network access to a shared pool of
configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be
rapidly provisioned and released with minimal
management effort or service provider interaction. This
cloud model promotes availability and is composed of
five essential characteristics, three service models, and
four deployment models.”
3. The cloud computing model NIST defined has three
service models and four deployment models. The three
service models, also called SPI model, are: Cloud
Software as a Service (SaaS), Cloud Platform as a
Service (PaaS) and Cloud Infrastructure as a Service
(IaaS). The four deployment models are:
Private cloud,
Community cloud,
Public cloud and Hybrid cloud.
4. Cloud computing security concerns remain a major
barrier to the adoption of cloud computing.
According to a survey from IDCI in 2009, 74% of IT
managers and CIOs believed that the primary
challenge that hinders them from using cloud
computing services is cloud computing security issues.
In another survey, carried out by Gartner in 2009, more
than 70% of CTOs believed that the primary reason not
to use cloud computing services is that there are
data security and privacy concerns.
5. ADVANCED ISSUES IN CLOUD COMPUTING
SECURITY
1) Abstraction:
The cloud provides an abstract set of service end-points.
For a user, it is impossible to pin-point which
physical machine, storage partition (LUN), network
port MAC address, switches etc. are actually involved.
Thus, in the event of a security breach, it becomes difficult
for a user to isolate a particular physical resource that
is under threat or has been compromised.
6. 2) Lack of execution controls: The external cloud user
does not have fine-grained control over the remote
execution environment. Hence critical issues like
memory management, I/O calls, and access to external
shared utilities and data are outside the purview of the
user.
The client would want to inspect the execution traces
to ensure that illegal operations are not performed.
7. 3) Third-party control of data: In the cloud, the storage
infrastructure, and therefore possession of the data, is
with the provider. So even if the cloud provider
vouches for data integrity and confidentiality, the
client may require verifiable proofs of the same.
8. 4) Multi-party processing: In a multi-cloud scenario,
one party may use part of the data which another party
provides. In the absence of strong encryption (as data is
being processed), it becomes necessary for
participating cloud computing parties to preserve
the privacy of their respective data.
9. Three specific areas of security research
Trusted computing
Information centric security (ICS)
Privacy preserving models
10. Trusted computing
It is a set of technologies being developed and promoted by
the Trusted Computing Group (TCG).
To tackle the concern of an un-trusted execution
environment, trusted platform modules provide a strong
endorsement key to attest users to a host and the host to users.
All subsequent execution on an attested host-user pair can
then be validated through a trusted path mechanism.
New techniques such as Provable Data Possession (PDP)
in an untrusted cloud may be a more efficient mechanism, as PDP
generates a probabilistic proof of data integrity based on
only a small portion of the file.
11. Similarly, there is research work on Proof of
Retrievability (PoR) to give the customer some
semblance of assurance that once data is stored in a
public cloud, it will eventually be retrievable.
Proof-carrying code is another mechanism, through
which the cloud provider's host can verify user
applications through formal proofs.
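The probabilistic, small-sample integrity check that the PDP item above describes can be sketched as follows. This is an added example, not part of the original slides, and it is a simplified per-block HMAC spot check rather than the PDP scheme itself: published PDP constructions use homomorphic tags so the server returns a compact proof instead of the blocks. All function names and the block size are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 4096  # block size in bytes (assumed for this example)

def tag(key, index, block):
    # Bind the tag to the block position so an intact block j
    # cannot be replayed as the answer for a damaged block i.
    msg = index.to_bytes(8, "big") + block
    return hmac.new(key, msg, hashlib.sha256).digest()

def outsource(key, data, size=BLOCK):
    """Client: split the file and tag each block; blocks and tags go to the cloud."""
    blocks = [data[i:i + size] for i in range(0, len(data), size)]
    return blocks, [tag(key, i, b) for i, b in enumerate(blocks)]

def challenge(n_blocks, c):
    """Client: choose c distinct random block indices for one audit."""
    return secrets.SystemRandom().sample(range(n_blocks), min(c, n_blocks))

def prove(stored_blocks, stored_tags, indices):
    """Server: answer with the challenged blocks and their stored tags."""
    return [(i, stored_blocks[i], stored_tags[i]) for i in indices]

def verify(key, indices, proof):
    """Client: every challenged index must come back with a valid tag."""
    if [i for i, _, _ in proof] != list(indices):
        return False
    return all(hmac.compare_digest(tag(key, i, b), t) for i, b, t in proof)

def detection_probability(n, t, c):
    """Chance that c sampled blocks include at least one of t damaged blocks out of n."""
    miss = 1.0
    for k in range(min(c, n)):
        miss *= max(n - t - k, 0) / (n - k)
    return 1.0 - miss
```

With 10,000 blocks of which 1% are damaged, `detection_probability(10000, 100, 460)` exceeds 0.99, which is why auditing a small portion of the file is enough for a strong probabilistic guarantee.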
12. Information centric security (ICS)
Strong encryption of the entire data set may not be useful,
as the data is often processed in the cloud in un-encrypted
form, which makes it vulnerable.
One way of achieving ICS would be to use policy-based
or role-based access controls, which can be defined in a
language like Extensible Access Control Markup
Language (XACML) that governs context-based
access rules at the policy enforcement point of the data.
Any access request to the data can then be verified
through an assertion or by checking with a central
server.
13. Another way could be to add access control metadata
in the form of Cryptographic Message Syntax (CMS). It
is more compact than XML, and is flexible enough to
freely add users to the ‘read’ list as long as each user
possesses a cryptographic key pair.