Cloud computing security

1. ISSR
Cloud Computing Security
A project submitted in partial fulfillment of the
requirements for the degree of Pre-Master of
Information System
Project team:
Rania Ele Sawy Abd El Rahim
Mohamed Talaat Rashed Shalash
Maged Mohamed Farid Elwakil
Under supervision:
Dr. Ashraf Abd Elhady
Cairo 2012

2. Document Version History
Ver. No. Ver. Date Prepared By Reviewed By Description
1.0.0 12-4-2012
Mohamed Shalash
Rania Ele Sawy
Maged Elwakil
Initial Document
1.0.1 2-5-2012
Rania Ele Sawy
Mohamed Shalash
Maged Elwakil
Dr.Ashraf
AbdElhady
1.0.2
17-5-2012
Maged Elwakil Security models.
1.1.0 29-5-2012
Rania Ele Sawy
Mohamed Shalash
Maged Elwakil
Introduction,
Security models,
Cloud Security Definitions
Security Threats.
1.1.1 1-6-2012
Rania Ele Sawy
Mohamed Shalash
Security models
Security threats
1.1.2 4-6-2012
Rania Ele Sawy
Mohamed Shalash
Maged Elwakil
Ashraf Abd
Elhady
Page 2

3. Acknowledgement
On the behalf of the Institute of Statistical Studies and
Research, Cairo University, and on our own behalf, we would
like to express our profound thanks and great attitude to all
those respectable Professors in capacity of Dr. ASHRAF ABD
ELHADY who guided us through the preparation of this
research.
We would also appreciate the 2ND
Republic and its
spirit which inspired the Egyptians to move towards the
modernization, the establishment and the democracy of New
EGYPT.
Page 3

4. Abstract
Cloud computing has recently emerged as a new paradigm for
hosting and delivering services over the Internet. It is attractive to
business owners as it eliminates the requirement for users to plan
ahead for provisioning, and allows enterprises to start from the small
and increase resources only when there is a rise in service demand.
Cloud computing is becoming more and more popular today and is
ever increasing in popularity with large companies as they share
valuable resources in a cost effective way. Due to this increasing
demand for more clouds there is an ever growing threat of security
becoming a major issue. This research shall look at ways in which
security threats can be a danger to cloud computing and how they
can be avoided.
Page 4

5. Table of Contents
1.1 Introduction:.............................................................................................................8
1.2 History of Cloud Computing..................................................................................16
1.3 Glossary & Key terms............................................................................................18
1.4 Cloud Computing Goals and Objectives ...............................................................19
2.1 Background............................................................................................................21
2.2 Cloud Security Considerations...............................................................................21
Remote attestation: ...........................................................................................................21
2.3 Security Threats.....................................................................................................22
High risk in cloud security...................................................................................................22
2.4 Malware..................................................................................................................23
Viruses 23
Worms 24
Trojan horse 24
2.5 Web application and data security risk..................................................................24
Injection 24
Security misconfiguration...................................................................................................25
Insecure cryptographic storage..........................................................................................25
2.6 Threat mitigation....................................................................................................26
Symmetric cryptography.....................................................................................................26
Asymmetric Cryptography..................................................................................................26
Network intrusion detection system..................................................................................27
3.1 Governance............................................................................................................29
3.2 Compliance............................................................................................................30
3.3 Trust.......................................................................................................................31
3.4 Architecture............................................................................................................33
3.5 Identity and Access Management..........................................................................36
3.6 Software Isolation..................................................................................................37
Model 1:.......................................................................................................................46
Private Virtual Infrastructure model (PVI)..................................................................46
Model 2:.......................................................................................................................49
Cloud computing data security with the analysis of HDFS architecture.....................49
Model 3:.......................................................................................................................56
Towards Achieving Accountability, Auditability and Trust in Cloud Computing......56
Model 4:.......................................................................................................................63
Towards Trusted Cloud computing model...................................................................63
Trusted Cloud Computing platform (TCCP)...............................................................63
References....................................................................................................................68
Page 5

6. Chapter one
Page 6

7. Introduction
Page 7

8. 1.1 Introduction:
Companies in the past were required to invest heavily in
technology upfront, makes it difficult for small and new companies to
have the equipment needed to attain their business goals. Through
services like cloud computing, that upfront cost is largely offset, since
companies lease what they need from month to month. As the need
grows the amount leased grow. Therefore it is possible to customize
computing costs at all points in time. Trend is now more and more to
buy IT as a service instead of owning the devices and applications
and having dedicated support groups. The cloud computing are
collection of technologies and practices enabling computing to be
delivered across multiple computers and capacity is available as
needed and billed according to actual usage. It is so massive that it
affects not only business models, but also the underlying architecture
of how we develop, deploy, run, secure and deliver applications.
Cloud computing is a technology that uses the internet and
central remote servers to maintain data and applications. Cloud
computing allows consumers and businesses to use applications
without installation, access their personal files at any computer with
internet access.
The cloud computing security is one of the biggest issues in the
IT industry nowadays. Is the cloud provider has the ability to manage
potentially millions of customers? And this presents a massive
challenge in security issues. This depicts that many people are
worried about the cloud providers will not be able to cope with the
large scale and the infrastructure will not be able to scale properly
with large amounts of information and data security.
Privacy is important for organizations, especially when
individual’s personal information or sensitive information is being
stored but it is not yet completely understood whether the cloud
computing infrastructure will be able to support the storing of
sensitive information without making organizations liable from
breaking privacy regulations. Many believe that cloud authorization
systems are not robust enough with as little as a password and
username to gain access to the system, in many clouds, usernames
can be very similar, degrading the authorizations measures further.
If there is private or sensitive information being stored on a cloud
then there is a high chance that someone could tamper the
information. The customers will use the cloud computing and store
there information on it, if and only if the cloud providers are trusted.
Page 8

9. (Layered architecture of Cloud Computing)
Three well-known and frequently-used service models are the
following:
• Software-as-a-Service.
(SaaS) is a model of software deployment whereby one or more
applications and the computational resources to run them are
provided for use on demand as a turnkey service. Its main
purpose is to reduce the total cost of hardware and software
development, maintenance, and operations. Security provisions
are carried out mainly by the cloud provider. The cloud
subscriber does not manage or control the underlying cloud
infrastructure or individual applications, except for preference
selections and limited administrative application settings.
• Platform-as-a-Service.
(PaaS) is a model of software deployment whereby the
computing platform is provided as an on-demand service upon
which applications can be developed and deployed. Its main
purpose is to reduce the cost and complexity of buying,
housing, and managing the underlying hardware and software
components of the platform, including any needed program
and database development tools. The development
environment is typically special purpose, determined by the
cloud provider and tailored to the design and architecture of its
platform. The cloud subscriber has control over applications
and application environment settings of the platform. Security
provisions are split between the cloud provider and the cloud
subscriber.
• Infrastructure-as-a-Service.
(IaaS) is a model of software deployment whereby the basic
computing infrastructure of servers, software, and network
equipment is provided as an on-demand service upon which a
platform to develop and execute applications can be
established. Its main purpose is to avoid purchasing, housing,
and managing the basic hardware and software infrastructure
components, and instead obtains those resources as virtualized
objects controllable via a service interface. The cloud
subscriber generally has a broad freedom to choose the
operating system and development environment to be hosted.
Page 9

10. Security provisions beyond the basic infrastructure are carried
out mainly by the cloud subscriber.
Figure 1 Showing layers of the cloud delivery model
The PaaS provides Integrated Development Environment. (IDE)
includes data security, backup and recovery, application hosting, and
scalable architecture.
Figure 2 the Concept of Platform as a Service
Page 10

11. Cloud Models
There are three main types of cloud deployment models - public,
private and hybrid clouds.
Figure3 Public, Private, and Hybrid cloud deployment model
Public Clouds
Public clouds are the most common type of cloud. This is where
multiple customers can access web applications and services over the
internet. Each individual customer has their own resources which are
dynamically provisioned by a third party vendor. This third party
vendor hosts the cloud for multiple customers from multiple data
centers (see Figure 4.a), manages all the security and provides the
hardware and infrastructure for the cloud to operate. The customer
has no control or insight into how the cloud is managed or what
infrastructure is available.
Figure 4. a. Public cloud deployment model
Page 11

12. Private Clouds
Emulate the concept of cloud computing on a private network. They
allow users to have the benefits of cloud computing without some of
the pitfalls. Private clouds grant complete control over how data is
managed and what security measures are in place. This can lead to
users having more confidence and control. The major issue with this
deployment model is that the users have large expenditures as they
have to buy the infrastructure to run the cloud and also have to
manage the cloud themselves.
Hybrid Clouds
Incorporate both public and private clouds (see Figure 4.b) within
the same network. It allows the organizations to benefit from both
deployment models. For example, an organization could hold
sensitive information on their private cloud and use the public cloud
for handling large traffic and demanding situations.
Figure 4.b. Hybrid cloud deployment model
Comparing Cloud Deployment Models
Public cloud computing is one of several deployment models
that have been defined. A public cloud is one in which the
infrastructure and other computational resources that it comprises
are made available to the general public over the Internet. It is owned
by a cloud provider selling cloud services and, by definition, is
external to an organization. At the other end of the spectrum are
private clouds. A private cloud is one in which the computing
environment is operated exclusively for an organization. It may be
managed either by the organization or a third party, and may be
hosted within the organization’s data center or outside of it. A private
Page 12

13. cloud gives the organization greater control over the infrastructure
and computational resources than does a public cloud.
Two other deployment models that fall between public and
private clouds are community clouds and hybrid clouds. A
community cloud is somewhat similar to a private cloud, but the
infrastructure and computational resources are shared by several
organizations that have common privacy, security, and regulatory
considerations, rather than for the exclusive use of a single
organization. A hybrid cloud is a composition of two or more clouds
(private, community, or public) that remain unique entities but are
bound together by standardized or proprietary technology that
enables interoperability. Just as the different deployment models
affect an organization’s scope and control over the computational
environment of a cloud, so too does the service model supported by
the cloud affect them.
Figure 5 illustrates the differences in scope and control
between the cloud subscriber and cloud provider, for each of the
service models discussed above. Five conceptual layers of a
generalized cloud environment are identified in the center diagram
and apply to public clouds, as well as each of the other deployment
models. The arrows at the left and right of the diagram denote the
approximate range of the cloud provider’s and user’s scope and
control over the cloud environment for each service model. In
general, the higher the level of support available from a cloud
provider, the more narrow the scope and control the cloud
subscriber has over the system.
The two lowest layers shown denote the physical elements of a
cloud environment, which are under the full control of the cloud
provider, regardless of the service model. Heating, ventilation, air
conditioning (HVAC), power, communications, and other aspects of
the physical plant comprise the lowest layer, the facility layer, while
computers, network and storage components, and other physical
computing infrastructure elements comprise the hardware layer.
The remaining layers denote the logical elements of a cloud
environment. The virtualized infrastructure layer entails software
elements, such as hypervisors, virtual machines, virtual data storage,
and supporting middleware components used to realize the
infrastructure upon which a computing platform can be established.
While virtual machine technology is commonly used at this layer,
other means of providing the necessary software abstractions are not
excluded.
Page 13

14. Similarly, the platform architecture layer entails compilers,
libraries, utilities, and other software tools and development
environments needed to implement applications. The application
layer represents deployed software applications targeted towards
end-user software clients or other programs, and made available via
the cloud.
Figure 5 Differences in scope and control between the cloud subscriber and cloud provider, for
each of the service models
Some have argued that the distinction between IaaS and PaaS is
fuzzy, and in many commercial offerings, the two are more alike than
different. Nevertheless, these terms do serve a purpose,
distinguishing between very basic support environments and
environments having greater levels of support, and accordingly
different allocations of control, security and responsibility between
the cloud subscriber and the cloud provider.
While cloud computing can be implemented exclusively for an
organization as a private internal cloud, its main thrust has been to
provide a vehicle for outsourcing parts of that environment to an
outside party as a public cloud. As with any outsourcing of
information technology services, concerns exist about the
implications for computer security and privacy. The main issue
centers on the risks associated with moving important applications
or data from within the boundaries of the organization’s computing
Page 14

15. center to that of another organization (i.e., a public cloud), which is
readily accessible by the general public.
Reducing cost and increasing efficiency are primary motivations for
moving towards a public cloud, but reducing responsibility for
security should not be. Ultimately, the organization is accountable for
the overall security of the outsourced service. Monitoring and
addressing security issues that arise remain in the purview of the
organization, as doe’s oversight over other important issues such as
performance and availability. Because cloud computing brings with it
new security challenges, it is essential for an organization to oversee
and manage how the cloud provider secures and maintains the
computing environment and ensures data is kept secure.
Cloud security requires total situational awareness of the
threats to the network, infrastructure and information. One of the
biggest advantages to the cloud’s utility is also its biggest security
weakness. Abstraction allows the cloud to be pervasive and removes
knowledge of the underlying fabric of processors, storage, and
networking; however, without knowledge of the underlying fabric,
information owners’ understanding how to secure their applications
and information becomes very complex. Many of the security
principles used today to secure datacenters and networks rely on the
information owners’ ability to manage the underlying fabric of
servers, routers, firewalls, and intrusion detection devices to
understand when attacks are occurring and to responds to the
threats by shutting down access to resources and isolating pieces of
the fabric that are being attacked.
In a cloud, traditional security methodologies do not work as
the service providers cannot allow information owners, or clients, to
manipulate the security settings of the fabric. If this were allowed, it
would be possible for one client to change security settings illicitly in
their favor, or change security settings of other clients maliciously.
This situation is unacceptable since the information owner cannot
manage the security posture of their computing environment.
Therefore, a security model is needed that allows for an information
owner to protect their data while not interfering with the privacy of
other information owners within the cloud.
The cloud requires a model for handling security, one that is
shared between operators and clients. Operators need to give clients
visibility into the security posture of the fabric while maintaining
control. The clients need to have assurance that they can control the
privacy and confidentiality of their information at all times and have
Page 15

16. assurances that if needed, they can remove, destroy, or lock down
their data at any time.
A method of combining the requirements of the user and
provider is to let the clients control the security posture of their
applications and virtual machines while letting the service provider
control the security of the fabric. This provides a symbiotic security
stance that can be very powerful provided both parties hold up their
end of the agreement
Cloud service providers believe encryption
Can the key help with a lot of the security issues?
1. But what come along with the benefits of encryption are the
pitfalls as encryption can be processor intensive.
2. Encrypting is not always full proof for protecting data, there
can be times when little glitches occur and the data cannot be
decrypted leaving the data corrupt and unusable for customers
and the cloud service provider.
3. The clouds resources can also be abused as cloud providers
reassign IP addresses when a customer no longer needs the IP
address. Once an IP address is no longer needed by one
customer after a period of time it then becomes available for
another customer to use.
4. Cloud providers save money and do not need as many IP
addresses by reusing them, so it is in the cloud provider’s
interest to reuse them. Too many of these used IP addresses
can leave the cloud provider open to abuse of its resources.
1.2 History of Cloud Computing
Cloud computing history can be tracked back to the early years of
computing. One of the first computer concepts was interconnection.
Naturally, if two computers are connected, the next step for them is
to share resources and form supercomputers. Furthermore, the idea
gradually evolved from grid computing and virtualization to today’s
highly complex cloud computing technology. After years of testing
and debugging, final versions of this technology reached production
environments and commercialization began.
Utility companies deliver water, gas, and electricity as commodity
services to every home and business that is connected to their
“public” infrastructure. These utility services are provided on-
demand and on a pay-as-you-use basis. Today, the same can be true
for processing power, bandwidth, data storage, and enterprise
software services.
Page 16

17. How can utility, and outsourcing supplying IT? The essential
motivation is to separate the services, this allows customers to use
variable amounts of different environments as modified by their
business needs without the need to make any capital investments.
The use of IT becomes an operating expense (“opex”) rather than a
capital expense (“capex”). That also frees the usage of systems from
being tied to the depreciation cycles.
A number of new paradigms (See table 1) and terms related to
distribute computing have been introduced, promising to deliver IT
as a service, cloud computing, edge computing, grid computing and
utility computing.
New Computing
Paradigms
New Services
New or enhanced
Features
1 Cloud
computing
Software as a Service
(SaaS)
- Ubiquitous access
2 Edge
computing
Infrastructure as a
Service (IaaS)
- Reliability
3 Grid
computing
Platform as a Service
(PaaS)
- Scalability
- Virtualization
4 Utility
computing
Service-Oriented
Architecture (SOA)
- Exchangeability /
Location
independence
- Cost-effectiveness
Table 1 Computing Paradigms
It is difficult to draw lines between these paradigms: Some
commentators say that grid, utility and cloud computing refer to the
same thing; others believe there are only subtle distinctions among
them, while others would claim they refer to completely different
phenomenon. There are no clear or standard definitions, and it is
likely that vendor A describes the feature set of its cloud solution
differently than vendor B.
Page 17

18. 1.3 Glossary & Key terms
Item Description
opex operating expense
capex capital expense
SaaS Software as a Service
PaaS Platform as a Service
IaaS Infrastructure as a Service
SOA Service Oriented Architecture
NIST National Institute of Standards and Technology
TPM Trusted Platform Module
SSL secure sockets layer
UDDI Universal Description Discovery and Integrity
DDOS The distributed denial of service attacks
SOAP Simple Object Access Protocol
WSDP Web Service Description Language
CP Cloud Provider
LSASS Local Security Authority Subsystem Service
DES Data Encryption Standard
AES Advanced Encryption Standard
RSA Rivest-Shamir-Adleman
DSA Diffie-Hellmann and Digital Signature Algorithm
SAML Security Assertion Markup Language
PVI Private Virtual Infrastructure
TVD Trusted Virtual Datacenter
VTPM Virtual Trusted Platform Model
LoBot Locator Bot
HDFS Hadoop Distributed File System
GFS Google File System
IE Internet Explorer
CALC Cloud Accountability Life Cycle
TCCP Trusted Cloud Computing platform
TPM Trusted Platform Model
TCG Trusted Computing Group
TC Trusted coordinator
Hadoop Open source software that enables distributed parallel processing of
huge amounts of data across inexpensive, commodity servers.
HBase Is the Hadoop database. HBase is an open-source, distributed,
versioned, column-oriented store modeled. Real-time read/write
access to your Big Data, hosting of very large tables.
POSIX Portable Operating System Interface for uni-X. POSIX is a set of
standards codified by the IEEE. Establishing a set of guidelines for
operating system vendors to follow.
Page 18

19. 1.4 Cloud Computing Goals and Objectives
Cloud computing has been defined by NIST as a model for
enabling convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and
released with minimal management effort or cloud provider
interaction. Cloud computing can be considered a new computing
paradigm insofar as it allows the utilization of a computing
infrastructure at one or more levels of abstraction, as an on-demand
service made available over the Internet or other computer network.
Because of the implications for greater flexibility and availability at
lower cost, cloud computing is a subject that has been receiving a
good deal of attention lately.
Cloud computing services benefit from economies of scale
achieved through versatile use of resources, specialization, and other
practicable efficiencies. However, cloud computing is an emerging
form of distributed computing that is still in its infancy. The term
itself is often used today with a range of meanings and
interpretations. Much of what has been written about cloud
computing is definitional, aimed at identifying important paradigms
of use and providing a general taxonomy for conceptualizing
important facets of service.
Page 19

20. Chapter two
Cloud computing and
Cloud Security
Definitions,
Security Threats or
attacks
Page 20

21. 2.1 Background
The virtual servers are created instantaneously in the cloud
and used at the same time.
In a public cloud the data of the customers are kept in the provider
premises. The question of privacy is a real concern because there is
no guarantee that illegitimated eyes could not have access to that
sensitive information. Furthermore, because many services are
deployed through the Internet via the virtual servers using software
as a service (SaaS) there is a risk of malware infection and hacker
penetration. In fact, a web server can be compromised and served to
spread a bad URL (uniform resource locator) link and to redirect the
requests to a fake page where the malicious code will be downloaded
in order to infect and take control of the machines.
2.2 Cloud Security Considerations
• The infrastructure provider achieves full data security.
• Service providers typically do not have access to the physical
security system of data centers.
• Even for a virtual private cloud, the service provider can only
specify the security setting remotely, without knowing whether
it is fully implemented.
The infrastructure provider must achieve the following objectives:
1. Confidentiality, for secure data access and transfer.
2. Auditability, for attesting whether security setting of
applications has been tampered or not.
Confidentiality is usually achieved using cryptographic protocols
while auditability can be achieved using remote attestation
techniques.
Remote attestation:
Typically requires a trusted platform module (TPM) to generate non-
forgeable. System summary (i.e. system state encrypted using TPM’s
private key) as the proof of system security.
- It is critical to build trust mechanisms at every architectural layer
of the cloud.
Page 21

22. 2.3 Security Threats
Cloud computing and web services run on a network structure so
they are open to network type attacks:
1. The distributed denial of service attacks (DDOS)
If a user could hijack a server then the hacker could stop the
web services from functioning and demand a ransom to put the
services back online. To stop these attacks the use of syn
cookies and limiting users connected to a server all help stop a
DDOS attack.
2. The man in the middle attack.
If the secure sockets layer (SSL) is incorrectly configured then
client and server authentication may not behave as expected
therefore leading to man in the middle attacks.
3. Network sniffing.
With a packet sniffer an attacker can capture sensitive data if
unencrypted such as passwords and other web service related
security Configuration such as the UDDI (Universal Description
Discovery and Integrity), SOAP (Simple Object Access Protocol)
and WSDL (Web Service Description Language) files.
4. Port scanning
Port 80 is always open due to being the port that the web Server
sits on. However this can easily be encrypted and as long as the
server software is configured correctly then there should be no
intrusion.
High risk in cloud security
5. loss of governance
In using cloud infrastructures, the client necessarily cedes
control to the Cloud Provider (CP) on a number of issues which
may affect security.
6. LOCK-IN
There is currently little on offer in the way of tools, procedures
or Standard data formats or services interfaces that could
guarantee data, Application and service portability. This can
make it difficult for the customer to migrate from one provider
to another or migrates data and services back to an in-house IT
environment. This introduces a dependency on a particular CP
for service provision, especially if data portability, as the most
fundamental aspect, is not enabled.
Page 22

23. 7. Insecure or incomplete data deletion
When a request to delete a cloud resource is made, as with most
operating systems, this may not result in true wiping of the
data. Adequate or timely data deletion may also be impossible
(or undesirable from a customer perspective), either because
extra copies of data are stored but are not available, or because
the disk to be destroyed also stores data from other clients. In
the case of multiple tenancies and the reuse of hardware
resources, this represents a higher risk to the customer than
with dedicated hardware
2.4 Malware
Viruses
A virus is a malicious code, which makes copies of itself and
distribute those copies to other files and programs. It needs the user
interaction to propagate. When viruses infect a program, they
propagate to infect other programs on the system and other systems
that use a common infected program. Viruses can also infect the MBR
(master boot record) of the hard drive or a removable media.
The master boot record (MBR) of a hard drive is the unique location
on the disk where a computer basic’s input and output system can
locate and load the boot program. If there is an infected disk in the
drive when the computer boots, the virus can be loaded into the
memory. Viruses exploit the vulnerabilities related to some
applications document like word processing file and spreadsheet.
Most of those software are writing using macro programming
languages and the bad guys are taking advantage of those
capabilities.
Macros viruses spread from application that uses macros such as
Microsoft Office documents.
Email viruses travel as an attachment to email messages. They
replicate by automatically mailing themselves to people in the
victim’s email book.
Most viruses are pretty harmless and sometimes the user might not
notice them for years. The first virus which was able to hide without
being discovered was called Brain.
The Brain stealth virus hides itself in the memory by simulating all
the DOS system call that normally detects viruses, causing them to
return the information that the virus is absent.
Page 23

24. Worms
A computer worm is a program that executes, reproduces
independently and travels across network connection. It takes
advantage of known vulnerabilities to spread.
They are two types of worms: Network Service Worm and Mass
Mailing Worms.
Network Services Worms exploits the common vulnerability found in
network service associated with an operating system or an
application. Once they have exploited the targeted protocol in the
system they look for other possible systems over the same network
by performing scanning. An example of such a worm is Sasser, which
uses Server Message Block (SMB) and Local Security Authority
Subsystem Service (LSASS) in Windows to spread.
Mass Mailing Worms infect system by searching for email addresses
and sending a copy of itself to those addressees. Usually they use the
system email client. Embedded in most network software, computer
worms penetrate firewalls and other computer security measure.
Trojan horse
Trojan horse is an application which appears to be useful,
downloaded from the Internet and in fact is malware. They do not
spread and are separated into two parts: the server and the
controlled computer. When the malicious program is loaded in the
memory of the host, the attacker can take control of the computer by
sending command.
The client disguises itself and can spread via chat software such as
Skype, yahoo messenger and file sharing website.
2.5 Web application and data security risk
Injection
Injection flaws allow an intruder to forward malicious code
through the web application inside the system. Scripts written in
Python, Perl or any other programming language can be injected and
executed into the unsecure application. When the web application
handles HTTP (hypertext transfer protocol) request through as part
of an external request, it must be carefully examine otherwise a bad
guy can inject special characters or malicious commands in the
information which will certainly transfer these to the external system
for execution. SQL injection is a widespread form of injection. In this
type of attack, when the parameter that the application sends to the
Page 24

25. database is revealed, the attacker can append malicious SQL
command into the content of that parameter and trick the web
application to forward fake queries to the databases. A successful
SQL injection can lead to an authentication bypass allowing an
unauthorized user to login to the application without supplying a
valid username and password, information disclosure and remote
command execution.
Security misconfiguration
The web server and application server are the backbone of a
web application. They provide a number of services that the web
application uses including directory service, data storage and mail.
Failure to properly manage the configuration of these servers can
lead to a wide variety of security breaches. Security misconfiguration
can happen at the application stack, the framework, the web server,
the custom code and the platform.
External intruders and users with their own accounts can attempt to
compromise the system. Attackers use the unpatched flaws,
unprotected files and directories to have illegal access or knowledge
of the system.
The defaults account must always be changed because the attacker
can discover the standard admin page and log in with those defaults
passwords.
The server can also generate an error message that displays
information concerning its environment, users and associated data.
The information may be useful for launching a deadly attack. If one
attack fails, the attacker can still use the error information provided
to launch a more focused attack.
Insecure cryptographic storage
In the cloud, the need to store sensitive information by the web
application in the database or in the file system is important. The
information can be a credit card number, social security number,
account record and passwords. Therefore, the use of encryption is
relevant. By simply not encrypting the data which deserves the
encryption, there will be a flaw.
Developers usually make a mistake when using encryption and
the main areas where mistake are usually made are: failure to
encrypt critical data, insecure storage of keys, certificates and
passwords, improper storage of secrets in memory, poor choice of
algorithm. Almost every application is connected to a database; the
credentials used to make these connections should be encrypted to
Page 25

26. prevent easy access to these data storage systems. The web
application must have cryptographic support. In the case of the credit
card number storage, a merchant should respect the compliance. The
compliance is a set of regulations applied and enforced with the
means of fines. Following the PCI DSS (payment card industry data
security standard) compliance requirement three; cardholder data
must be protected. The personal account number, the cardholder’s
name and the expiration date should be encrypted when transmitting
across different network.
2.6 Threat mitigation
Symmetric cryptography
Cryptography is a method of storing and transmitting data in a
form that only the recipient can read and process.
The mechanism that makes it up is to hide information from
unauthorized individuals. It is an effective way to keep sensitive
information, as it is stored on media.
Encryption is a method to convert readable data called plaintext into
an unreadable format called cipher text. Once it is transformed into
cipher text neither a human nor a machine can process it until it is
decrypted.
In symmetric cryptography, the sender and the receiver use the same
key for encryption and decryption. Symmetric keys are also called
secret keys because this type of encryption requires each user to
keep the key a secret and protected. The security of the symmetric
encryption is completely dependent on how well users protect the
key.
If a key is compromised, all messages encrypted with that key can be
decrypted and read by an attacker.
The following are examples of symmetric cryptography: Data
Encryption Standard (DES), Advanced Encryption Standard (AES)
and Blowfish.
Asymmetric Cryptography
Asymmetric cryptography utilizes the combination of two
different keys, one public key and one private key. Everyone can
know the public key but the private key is known and used only by
the owner. The two keys are mathematically related. If someone gets
the public key of another person, he or she could not be able to figure
out the corresponding private key. When Bob encrypts data with his
Page 26

27. private key, the receiver Alice must have a copy of Bob’s public key to
decrypt it.
The receiver can reply also in an encrypted form. In that case, Alice
encrypts the message using Bob’s public key and the message will be
decrypted at the other end using Bob’s private key because he is the
only person to have the private key. The both keys, public and private
can be used to encrypt and decrypt a message
The following are examples of asymmetric key algorithms: Rivest-
Shamir-Adleman (RSA), Diffie-Hellmann and Digital Signature
Algorithm (DSA).
Network intrusion detection system
An intrusion detection system aims to detect a security breach.
Intrusion detection can be defined as a method to detect
unauthorized use or attack to a computer, network or
telecommunication system. The basic idea behind the intrusion
detection system is to spot something suspicious happening on the
network and sound an alarm. In a typical intrusion detection system
product, the sensors collect traffic and user activity data and send
them to an analyzer that looks for abnormal activities.
When the analyzer detects an activity, it sends an alert to the
administrator interface. The network intrusion detection system uses
sensors with a network interface card in a promiscuous mode. When
a network interface card is in a promiscuous mode, it collects all
traffic, makes a copy of all packets, and then passes one copy to the
TCP stack and one copy to the analyzer to look for specific types of
patterns of known threats.
Page 27

28. Chapter three
The Key Security and
Privacy Issues
Page 28

29. Although the emergence of cloud computing is a recent development,
insights into critical aspects of security can be gleaned from reported
experiences of early adopters and also from researchers analyzing and
experimenting with available cloud provider platforms and associated
technologies. The sections below highlight privacy and security-related
issues that are believed to have long-term significance for cloud computing.
Where possible, to illustrate an issue, examples are given of problems
previously exhibited or demonstrated. Note that security and privacy
considerations that stem from information technology outsourcing.
Cloud computing has grown out of an amalgamation of technologies,
including service oriented architecture, virtualization, Web 2.0, and utility
computing, therefore many of the privacy and security issues involved can
be viewed as known problems cast in a new setting. The importance of
their combined effect, however, should not be discounted. Cloud computing
does represent a thought-provoking paradigm shift that goes beyond
conventional norms to de-parameterize the organizational infrastructure,
at the extreme, displacing applications from one organization’s
infrastructure to the infrastructure of another organization, where the
applications of potential adversaries may also operate.
3.1 Governance
Governance implies control and oversight over policies, procedures,
and standards for application development, as well as the design,
implementation, testing, and monitoring of deployed services.
With the wide availability of cloud computing services, lack of
organizational controls over employees engaging such services arbitrarily
can be a source of problems. While cloud computing simplifies platform
acquisition, it doesn't alleviate the need for governance; instead, it has the
opposite effect, amplifying that need.
The ability to reduce capital investment and transform it into operational
expenses is an advantage of cloud computing. Cloud computing can lower
the initial cost of deploying new services and thus align expense with actual
use. However, the normal processes and procedures set in place by an
organization for acquiring computational resources as capital expenditures
may be easily bypassed by a department or an individual and the action
obscured as operational expenses. If such actions are not governed by an
organization, its policies and procedures for privacy, security, and
oversight could be overlooked and the organization put at risk. For
example, vulnerable systems could be deployed, legal regulations could be
ignored, charges could amass quickly to unacceptable levels, and resources
could be used for unsanctioned purposes, or other untoward effects could
occur.
Page 29

30. Many businesses also prefer operational expenses over capital
expenditures, because of tax considerations (e.g., the ability to manage the
cost of capital better and deduct operational expenses in the accounting
period in which they are incurred versus depreciating the capital
expenditure over time).
3.2 Compliance
Compliance involves conformance with an established specification,
standard, regulation, or law.
Various types of security and privacy laws and regulations exist within
different countries at the national, state, and local levels, making
compliance a potentially complicated issue for cloud computing.
Data Location, One of the most common compliance issues facing an
organization is data location. Use of an in-house computing center allows
an organization to structure its computing environment and to know in
detail where data is stored and what safeguards are used to protect the
data. In contrast, a characteristic of many cloud computing services is that
detailed information about the location of an organization’s data is
unavailable or not disclosed to the service subscriber. This situation makes
it difficult to ascertain whether sufficient safeguards are in place and
whether legal and regulatory compliance requirements are being met.
External audits and security certifications can to some extent alleviate this
issue, but they are not a panacea.
When information crosses borders, the governing legal, privacy, and
regulatory regimes can be ambiguous and raise a variety of concerns.
Consequently, constraints on the trans-border flow of sensitive data, as
well as the requirements on the protection afforded the data, have become
the subject of national and regional privacy and security laws and
regulations. Among the concerns to be addressed is whether the laws in the
jurisdiction where the data was collected permit the flow, whether those
laws continue to apply to the data post transfer, and whether the laws at
the destination present additional risks or benefits Technical, physical and
administrative safeguards, such as access controls, often apply.
Law and Regulations, The Privacy Act likewise governs the collection,
maintenance, use, and dissemination of personally identifiable information
about individuals that is maintained in systems of records by federal
agencies.
In many countries throughout the world huge lows and regulations require
public and private organizations to protect the privacy of personal data and
the security of information and computer systems.
Electronic Discovery, Electronic discovery involves the identification,
collection, processing, analysis, and production of electronic documents in
Page 30

31. the discovery phase of litigation. Organizations also have other incentives
and obligations to preserve and produce electronic documents, such as
complying with audit and regulatory information requests, and for
government organizations, with Freedom of Information Act (FOIA)
requests. Documents not only include electronic mail, attachments, and
other data objects stored on a computer system or storage media, but also
any associated metadata, such as dates of object creation or modification,
and non-rendered file content (i.e., data that is not explicitly displayed for
users).
The capabilities and process of a cloud provider, such as the form in which
data is maintained and the electronic discovery-related tools available,
affect the ability of the organization to meet its obligations in a cost
effective, timely, and compliant manner. For example, a cloud provider’s
archival capabilities may not preserve the original metadata as expected,
causing spoliation (i.e., the intentional, reckless, or negligent destruction,
loss, material alteration, or obstruction of evidence that is relevant to
litigation), which could negatively impact litigation.
3.3 Trust
Under the cloud computing paradigm, an organization relinquishes
direct control over many aspects of security and, in doing so, confers an
unprecedented level of trust onto the cloud provider.
Insider Access, Data processed or stored outside the confines of an
organization, its firewall, and other security controls bring with it an
inherent level of risk. The insider security threat is a well-known issue for
most organizations and, despite the name, applies as well to outsourced
cloud services. Insider threats go beyond those posed by current or former
employees to include contractors, organizational affiliates, and other
parties that have received access to an organization’s networks, systems,
and data to carry out or facilitate operations. Incidents may involve various
types of fraud, sabotage of information resources, and theft of confidential
information.
Incidents may also be caused unintentionally, for instance, a bank
employee sending out sensitive customer information to the wrong Google
mail account.
Moving data and applications to a cloud computing environment operated
by a cloud provider expands the insider security risk not only to the cloud
provider’s staff, but also potentially among other customers using the
service.
Data Ownership, The organization’s ownership rights over the data must
be firmly established in the service contract to enable a basis for trust. The
continuing controversy over privacy and data ownership rights for social
Page 31

32. networking users illustrates the impact that ambiguous terms can have on
the parties involved. Ideally, the contract should state clearly that the
organization retains ownership over all its data; that the cloud provider
acquires no rights or licenses through the agreement to use the data for its
own purposes, including intellectual property rights or licenses; and that
the cloud provider does not acquire and may not claim any security
interest in the data. For these provisions to work as intended, the terms of
data ownership must not be subject to unilateral amendment by the cloud
provider.
Composite Service, Cloud services themselves can be composed through
nesting and layering with other cloud services. For example, a SaaS
provider could build its services upon the services of a PaaS or IaaS cloud.
The level of availability of the SaaS cloud would then depend on the
availability of those services. Cloud services that use third-party cloud
providers to outsource or subcontract some of their services should raise
concerns, including the scope of control over the third-party, the
responsibilities involved, and the remedies and recourse available should
problems occur. Trust is often not transitive, requiring that third-party
arrangements be disclosed in advance of reaching an agreement with the
cloud provider, and that the terms of these arrangements are maintained
throughout the agreement or until sufficient notification can be given of
any anticipated changes.
Visibility, Migration to public cloud services relinquishes control to the
cloud provider for securing the systems on which the organization’s data
and applications operate.
Management, procedural, and technical controls used in the cloud must be
commensurate with those used for internal organizational systems or
surpass them, to avoid creating gaps in security. Since metrics for
comparing two computer systems are an ongoing area of research, making
such comparisons can be a formidable task. Cloud providers are typically
reluctant to provide details of their security and privacy, since such
information might be used to devise an avenue of attack. Moreover,
detailed network and system level monitoring by a cloud subscriber is
generally not part of most service arrangements, limiting visibility and the
means to audit operations directly.
Transparency in the way the cloud provider operates is a vital ingredient
for effective oversight over system security and privacy by an organization.
To ensure that policy and procedures are being enforced throughout the
system lifecycle, service arrangements should include some means for
gaining visibility into the security controls and processes employed by the
cloud provider and their performance over time. Ideally, the organization
would have control over aspects of the means of visibility, such as the
Page 32

33. threshold for alerts and notifications or the level of detail and schedule for
reports, to accommodate its needs.
Risk Management, With cloud-based services, some subsystems or
subsystem components are outside of the direct control of a subscribing
organization. Many people feel more comfortable with risk when they have
more control over the processes and equipment involved. At a minimum, a
high degree of control provides the option to weigh alternatives, set
priorities, and act decisively in the best interest of the organization when
faced with an incident. Risk management is the process of identifying and
assessing risk, and taking the necessary steps to reduce it to an acceptable
level.
Public cloud-based systems, as with traditional information systems,
require that risks are managed throughout the system lifecycle.
Assessing and managing risk in systems that use cloud services can be a
challenge. To the extent practical, the organization should ensure that
security controls are implemented correctly, operate as intended, and meet
its security requirements. Establishing a level of trust about a cloud service
is dependent on the degree of control an organization is able to exert on the
provider to provision the security controls necessary to protect the
organization’s data and applications, and also the evidence provided about
the effectiveness of those controls. However, verifying the correct
functioning of a subsystem and the effectiveness of security controls as
extensively as with an organizational system may not be feasible in some
cases, and other means (e.g., third-party audits) may be used to establish a
level of trust. Ultimately, if the level of trust in the service falls below
expectations and the organization is unable to employ compensating
controls, it must either reject the service or accept a greater degree of risk.
3.4 Architecture
The architecture of the software systems used to deliver cloud
services comprises hardware and software residing in the cloud. The
physical location of the infrastructure is determined by the cloud provider
as is the implementation of the reliability and scalability logic of the
underlying support framework. Virtual machines often serve as the
abstract unit of deployment and are loosely coupled with the cloud storage
architecture. Applications are built on the programming interfaces of
Internet-accessible services, which typically involve multiple cloud
components communicating with each other over application
programming interfaces. Many of the simplified interfaces and service
abstractions belie the inherent complexity that affects security.
Attack Surface, The hypervisor or virtual machine monitor is an
additional layer of software between an operating system and hardware
Page 33

34. platform that is used to operate multi-tenant virtual machines. Besides
virtualized resources, the hypervisor normally supports other application
programming interfaces to conduct administrative operations, such as
launching migrating, and terminating virtual machine instances. Compared
with a traditional non-virtualized implementation, the addition of a
hypervisor causes an increase in the attack surface.
The complexity in virtual machine environments can also be more
challenging than their traditional counterparts, giving rise to conditions
that undermine security.
Virtual Network Protection, Most virtualization platforms have the ability
to create software-based switches and network configurations as part of
the virtual environment to allow virtual machines on the same host to
communicate more directly and efficiently.
For example, for virtual machines requiring no external network access, the
virtual networking architectures of most virtualization software products
support same-host networking, in which a private subnet is created for
intra-host communications. Traffic over virtual networks may not be
visible to security protection devices on the physical network, such as
network-based intrusion detection and prevention systems. To avoid a loss
of visibility and protection against intra-host attacks, duplication of the
physical network protection capabilities may be required on the virtual
network.
Ancillary Data, While the focus of protection is placed mainly on the
application data, as guardians of the realm, cloud providers hold significant
details about the service users’ accounts that could be compromised and
used in subsequent attacks. Payment information is one example; other,
more subtle types of information, can also be involved. For example, a
database of contact information stolen from a SaaS cloud 20 provider, via a
targeted phishing attack against one of its employees, was used in turn to
launch successful targeted electronic mail attacks against subscribers of the
cloud service. The incident illustrates the need for cloud providers to
promptly report security breaches occurring not only in the data the cloud
provider holds for its subscribers, but also the data it holds about its
subscribers.
Another type of ancillary data held by IaaS cloud providers is virtual
machine images. A virtual machine image entails the software stack,
including installed and configured applications, used to boot the virtual
machine into an initial state or the state of some previous checkpoint.
Sharing virtual machine images is a common practice in some cloud
computing environments. Image repositories must be carefully managed
and controlled to avoid problems.
Page 34

35. The provider of an image faces risks, since an image can contain
proprietary code and data and embody vulnerabilities. An attacker may
attempt to examine images to determine whether they leak information or
provide an avenue for attack. This is especially true of development images
that are accidentally released. The reverse may also occur—an attacker
may attempt to supply a virtual machine image containing malware to
users of a cloud computing system. For example, researchers demonstrated
that by manipulating the registration process to gain a first-page listing,
they could readily entice cloud users to run virtual machine images they
contributed to the image repository of a popular cloud provider. The risks
for users running tainted images include theft and corruption of data.
Client-Side Protection, A successful defense against attacks requires
securing both the client and server side of cloud computing. With emphasis
typically placed on the latter, the former can be easily overlooked. Web
browsers, a key element for many cloud computing services, and the
various available plug-ins and extensions for them are notorious for their
security problems. Moreover, many browser add-ons do not provide
automatic updates, increasing the persistence of any existing
vulnerabilities.
Maintaining physical and logical security over clients can be troublesome,
especially with embedded mobile devices such as smart phones. Their size
and portability can result in the loss of physical control. Built-in security
mechanisms often go unused or can be overcome or circumvented without
difficulty by a knowledgeable party to gain control over the device. Smart
phones are also treated more as fixed appliances with a limited set of
functions, than as general-purpose systems. No single operating system
dominates and security patches and updates for system components and
add-ons are not as frequent as for desktop clients, making vulnerabilities
more persistent with a larger window of opportunity for exploitation.
The increased availability and use of social media, personal Webmail, and
other publicly available sites also have associated risks that are a concern,
since they can negatively impact the security of the browser, its underlying
platform, and cloud services accessed, through social engineering attacks.
For example, spyware was reportedly installed in a hospital system via an
employee’s personal Webmail account and sent the attacker more than
1,000 screen captures, containing financial and other confidential
information, before being discovered. Having a backdoor Trojan, keystroke
logger, or other type of malware running on a client does not bode well for
the security of cloud or other Web-based services it accesses. As part of the
overall security architecture for cloud computing, organizations need to
review existing measures and employ additional ones, if necessary, to
Page 35

36. secure the client side. Banks are beginning to take the lead in deploying
hardened browser environments that encrypt network exchanges and
protect against keystroke logging.
Server-Side Protection, Virtual servers and applications, much like their
non-virtual counterparts, need to be secured in IaaS clouds, both physically
and logically. Following organizational policies and procedures, hardening
of the operating system and applications should occur to produce virtual
machine images for deployment. Care must also be taken to provision
security for the virtualized environments in which the images run. For
example, virtual firewalls can be used to isolate groups of virtual machines
from other hosted groups, such as production systems from development
systems or development systems from other cloud-resident systems.
Carefully managing virtual machine images is also important to avoid
accidentally deploying images under development or containing
vulnerabilities.
Hybrid clouds are a type of composite cloud with similar protection issues.
In a hybrid cloud the infrastructure consists of a private cloud composed
with either a public cloud or another organization’s private cloud. The
clouds themselves remain unique entities, bound together by standardized
or proprietary technology that enables unified service delivery, but also
creates interdependency. For example, identification and authentication
might be performed through an organization’s private cloud infrastructure,
as a means for its users to gain access to services provisioned in a public
cloud.
Preventing holes or leaks between the composed infrastructures is a major
concern with hybrid clouds, because of increases in complexity and
diffusion of responsibilities. The availability of the hybrid cloud, computed
as the product of the availability levels for the component clouds, can also
be a concern; if the percent availability of any one component drops, the
overall availability suffers proportionately.
3.5 Identity and Access Management
Data sensitivity and privacy of information have become increasingly an
area of concern for organizations and unauthorized access to information
resources in the cloud is a major concern.
One recurring issue is that the organizational identification and
authentication framework may not naturally extend into the cloud and
extending or changing the existing framework to support cloud services
may be difficult. The alternative of employing two different authentication
systems, one for the internal organizational systems and another for
external cloud-based systems, is a complication that can become
unworkable over time. Identity federation, popularized with the
Page 36

37. introduction of service oriented architectures, is one solution that can be
accomplished in a number of ways, such as with the Security Assertion
Markup Language (SAML) standard or the OpenID standard.
Authentication, A growing number of cloud providers support the SAML
standard and use it to administer users and authenticate them before
providing access to applications and data. SAML provides a means to
exchange information, such as assertions related to a subject or
authentication information, between cooperating domains. SAML request
and response messages are typically mapped over the Simple Object Access
Protocol (SOAP), which relies on the eXtensible Markup Language (XML)
for its format. SOAP messages are digitally signed. For example, once a user
has established a public key certificate for a public cloud, the private key
can be used to sign SOAP requests.
SOAP message security validation is complicated and must be carried out
carefully to prevent attacks. For example, XML wrapping attacks have been
successfully demonstrated against a public IaaS cloud. XML wrapping
involves manipulation of SOAP messages. A new element (i.e., the wrapper)
is introduced into the SOAP Security header; the original message body is
then moved under the wrapper and replaced by a bogus body containing an
operation defined by the attacker. The original body can still be referenced
and its signature verified, but the operation in the replacement body is
executed instead.
Access Control, SAML alone is not sufficient to provide cloud-based
identity and access management services. The capability to adapt cloud
subscriber privileges and maintain control over access to resources is also
needed. As part of identity management, standards like the eXtensible
Access Control Markup Language (XACML) can be used by a cloud provider
to control access to cloud resources, instead of using a proprietary
interface. XACML focuses on the mechanism for arriving at authorization
decisions, which complements SAML’s focus on the means for transferring
authentication and authorization decisions between cooperating entities.
XACML is capable of controlling the proprietary service interfaces of most
providers, and some cloud providers already have it in place. Messages
transmitted between XACML entities are susceptible to attack by malicious
third parties, making it important to have safeguards in place to protect
decision requests and authorization decisions from possible attacks,
including unauthorized disclosure, replay, deletion and modification.
3.6 Software Isolation
High degrees of multi-tenancy over large numbers of platforms are needed
for cloud computing to achieve the envisioned flexibility of on-demand
provisioning of reliable services and the cost benefits and efficiencies due
Page 37

38. to economies of scale. To reach the high scales of consumption desired,
cloud providers have to ensure dynamic flexible delivery of service and
isolation of subscriber resources. Multi-tenancy in cloud computing is
typically done by multiplexing the execution of virtual machines from
potentially different users on the same physical server. It is important to
note that applications deployed on guest virtual machines remain
susceptible to attack and compromise, much the same as their non-
virtualized counterparts. This was dramatically exemplified by a bot net
found operating out of an IaaS cloud computing environment.
Hypervisor Complexity, The security of a computer system depends on the
quality of the underlying software kernel that controls the confinement and
execution of processes.
A virtual machine monitor or hypervisor is designed to run multiple virtual
machines, each hosting an operating system and applications, concurrently
on a single host computer, and to provide isolation between the different
guest virtual machines.
A virtual machine monitor can, in theory, be smaller and less complex than
an operating system. These characteristics generally make it easier to
analyze and improve the quality of security, giving a virtual machine
monitor the potential to be better suited for maintaining strong isolation
between guest virtual machines than an operating system is for isolating
processes. In practice, however, modern hypervisors can be large and
complex, comparable to an operating system, which negates this advantage.
For example, Xen, an open source x86 virtual machine monitor,
incorporates a modified Linux kernel to implement a privileged partition
for input/output operations, and KVM, another open source effort,
transforms a Linux kernel into a virtual machine monitor. Understanding
the use of virtualization by a cloud provider is a prerequisite to
understanding the security risk involved.
Attack Vectors, Multi-tenancy in virtual machine-based cloud
infrastructures, together with the subtleties in the way physical resources
are shared between guest virtual machines, can give rise to new sources of
threat. The most serious threat is that malicious code can escape the
confines of its virtual machine and interfere with the hypervisor or other
guest virtual machines. Live migration, the ability to transition a virtual
machine between hypervisors on different host computers without halting
the guest operating system, and other features provided by virtual machine
monitor environments to facilitate systems management, also increase
software size and complexity and potentially add other areas to target in an
attack.
Several examples illustrate the types of attack vectors possible. The first is
mapping the cloud infrastructure. While seemingly a daunting task to
Page 38

39. perform, researchers have demonstrated an approach with a popular IaaS
cloud. By launching multiple virtual machine instances from multiple cloud
subscriber accounts and using network probes, assigned IP addresses and
domain names were analyzed to identify service location patterns. Building
on that information and general technique, the plausible location of a
specific target virtual machine could be identified and new virtual
machines instantiated to be eventually co-resident with the target.
Once a suitable target location is found, the next step for the guest virtual
machine is to bypass or overcome containment by the hypervisor or to
takedown the hypervisor and system entirely. Weaknesses in the provided
programming interfaces and the processing of instructions are common
targets for uncovering vulnerabilities to exploit. For example, a serious flaw
that allowed an attacker to write to an arbitrary out-of-bounds memory
location was discovered in the power management code of a hypervisor by
fuzz emulated I/O ports. A denial of service vulnerability, which could
allow a guest virtual machine to crash the host computer along with the
other virtual machines being hosted, was also uncovered in a virtual device
driver of a popular virtualization software product.
More indirect attack avenues may also be possible. For example,
researchers developed a way for an attacker to gain administrative control
of guest virtual machines during a live migration, employing a man-in-the-
middle attack to modify the code used for authentication. Memory
modification during migration presents other possibilities, such as the
potential to insert a virtual machine-based rootkit layer below the
operating system. A zero-day exploit in HyperVM, an open source
application for managing virtual private servers, purportedly led to the
destruction of approximately 100,000 virtual server-based Websites
hosted by a service provider. Another example of an indirect attack
involves monitoring resource utilization on a shared server to gain
information and perhaps perform a side-channel attack, similar to attacks
used in other computing environments. For example, an attacker could
determine periods of high activity, estimate high-traffic rates, and possibly
launch keystroke timing attacks to gather passwords and other data from a
target server.
3.7 Data Protection
Data stored in the cloud typically resides in a shared environment
collocated with data from other customers. Organizations moving sensitive
and regulated data into the cloud, therefore, must account for the means by
which access to the data is controlled and the data is kept secure.
Data Isolation, Data can take many forms. For example, for cloud-based
application development, it includes the application programs, scripts, and
Page 39

40. configuration settings, along with the development tools. For deployed
applications, it includes records and other content created or used by the
applications, as well as account information about the users of the
applications. Access controls are one means to keep data away from
unauthorized users; encryption is another. Access controls are typically
identity-based, which makes authentication of the user’s identity an
important issue in cloud computing.
Database environments used in cloud computing can vary significantly. For
example, some environments support a multi-instance model, while others
support a multi-tenant model. The former provide a unique database
management system running on a virtual machine instance for each cloud
subscriber, giving the subscriber complete control over role definition, user
authorization, and other administrative tasks related to security. The latter
provide a predefined environment for the cloud subscriber that is shared
with other tenants, typically through tagging data with a subscriber
identifier. Tagging gives the appearance of exclusive use of the instance, but
relies on the cloud provider to establish and maintain a sound secure
database environment.
Various types of multi-tenant arrangements exist for databases. Each
arrangement pools resources differently, offering different degrees of
isolation and resource efficiency. Other considerations also apply. For
example, certain features like data encryption are only viable with
arrangements that use separate rather than shared databases. These sorts
of tradeoffs require careful evaluation of the suitability of the data
management solution for the data involved. Requirements in certain fields,
such as healthcare, would likely influence the choice of database and data
organization used in an application. Privacy sensitive information, in
general, is a serious concern.
Data must be secured while at rest, in transit, and in use, and access to the
data must be controlled. Standards for communications protocols and
public key certificates allow data transfers to be protected using
cryptography. Procedures for protecting data at rest are not as well
standardized, however, making interoperability an issue due to the
predominance of proprietary systems. The lack of interoperability affects
the availability of data and complicates the portability of applications and
data between cloud providers.
Currently, the responsibility for cryptographic key management falls
mainly on the cloud service subscriber. Key generation and storage is
usually performed outside the cloud using hardware security modules,
which do not scale well to the cloud paradigm. NIST’s Cryptographic Key
Management Project is identifying scalable and usable cryptographic key
Page 40

41. management and exchange strategies for use by government, which could
help to alleviate the problem eventually.
Protecting data in use is an emerging area of cryptography with little
practical results to offer, leaving trust mechanisms as the main safeguard.
Data Sanitization, The data sanitization practices that a cloud provider
implements have obvious implications for security. Sanitization is the
removal of sensitive data from a storage device in various situations, such
as when a storage device is removed from service or moved elsewhere to
be stored. Data sanitization also applies to backup copies made for
recovery and restoration of service, and also residual data remaining upon
termination of service. In a cloud computing environment, data from one
subscriber is physically commingled with the data of other subscribers,
which can complicate matters.
For instance, many examples exist of researchers obtaining used drives
from online auctions and other sources and recovering large amounts of
sensitive information from them. With the proper skills and equipment, it is
also possible to recover data from failed drives that are not disposed of
properly by cloud providers.
3.8 Availability
In simple terms, availability is the extent to which an organization’s
full set of computational resources is accessible and usable. Availability can
be affected temporarily or permanently, and a loss can be partial or
complete. Denial of service attacks, equipment outages, and natural
disasters are all threats to availability. The concern is that most downtime
is unplanned and can impact the mission of the organization.
3.9 Temporary Outages
Despite employing architectures designed for high service reliability
and availability, cloud computing services can and do experience outages
and performance slowdowns. A number of examples illustrate this point. In
February 2008, a popular storage cloud service suffered a three-hour
outage that affected its subscribers, including Twitter and other startup
companies. In June 2009, a lightning storm caused a partial outage of an
IaaS cloud that affected some users for four hours. Similarly, in February
2008, a database cluster failure at a SaaS cloud caused an outage for several
hours, and in January 2009, another brief outage occurred due to a network
device failure. In March 2009, a PaaS cloud experienced severe degradation
for about 22 hours due to networking issues related to an upgrade.
At a level of 99.95% reliability, 4.38 hours of downtime are to be expected
in a year.
Page 41

42. Periods of scheduled maintenance are also usually excluded as a source of
downtime in SLAs and able to be scheduled by the cloud provider with
short notice. The level of reliability of a cloud service and its capabilities for
backup and recovery need to be addressed in the organization’s
contingency planning to ensure the recovery and restoration of disrupted
cloud services and operations, using alternate services, equipment, and
locations, if required. Cloud storage services may represent a single point
of failure for the applications hosted there. In such situations, the services
of a second cloud provider could be used to back up data processed by the
primary provider to ensure that during a prolonged disruption or serious
disaster at the primary, the data remains available for immediate
resumption of critical operations.
3.10 Prolonged and Permanent Outages
The possibility exists for a cloud provider to experience serious
problems, like bankruptcy or facility loss, which affect service for extended
periods or cause a complete shutdown. For example, in April 2009, the
Federal Bureau of Investigation raided computing centers in Texas and
seized hundreds of servers, when investigating fraud allegations against a
handful of companies that operated out of the centers. The seizure
disrupted service to hundreds of other businesses unrelated to the
investigation, but who had the misfortune of having their computer
operations collocated at the targeted centers.
Other examples of outages are the major data loss experienced in
2009 by a bookmark repository service, and the abrupt failure of an on-line
storage-as-a-service provider, who closed without warning to its users in
2008. Changing business conditions may also cause a cloud provider to
disband its services, as occurred recently with an online cloud storage
service. The organization’s contingency plan should address prolonged and
permanent system disruptions through support for continuity of
operations that affect the restoration of essential functions elsewhere.
Denial of Service, A denial of service attack involves saturating the target
with bogus requests to prevent it from responding to legitimate requests in
a timely manner. An attacker typically uses multiple computers or a botnet
to launch an assault. Even an unsuccessful distributed denial of service
attack can quickly consume large amounts of resources to defend against
and cause charges to soar. The dynamic provisioning of a cloud in some
ways simplifies the work of an attacker to cause harm. While the resources
of a cloud are significant, with enough attacking computers they can
become saturated. For example, a denial of service attack against a code
hosting site operating over an IaaS cloud resulted in more than 19 hours of
downtime.
Page 42

43. Besides attacks against publicly accessible services, denial of service
attacks can occur against internally accessible services, such as those used
in cloud management.
Internally assigned non-routable addresses, used to manage resources
within a cloud provider’s network, may also be used as an attack vector. A
worst-case possibility that exists is for elements of one cloud to attack
those of another or to attack some of its own elements.
Value Concentration, A response to the question “Why do you do rob
banks?” is often attributed to Willie Hutton, a historic and prolific bank
robber his answer: “because that is where the money is.” In many ways,
data records are the currency of the 21st century and cloud-based data
stores are the bank vault, making them an increasingly preferred target due
to the collective value concentrated there. Just as economies of scale exist
in robbing banks instead of individuals, a high payoff ratio also exists for
successfully compromising a cloud.
As opposed to a direct approach, finesse and circumvention was Willie’s
trademark.
That style works as well in the digital world of cloud computing. For
instance, a recent exploit involved targeting an electronic mail account of a
social networking service administrator, reportedly by answering a set of
security questions to gain access to the account, and using the information
found there to gain access to company files stored in a PaaS cloud. Similar
weaknesses have been identified in public clouds. A registered electronic
mail address and valid password for an account are all that are required to
download authentication credentials from a cloud provider’s management
dashboard, which in turn grant access to all of the account’s resources.
Since lost passwords can be reset by electronic mail, an attacker controlling
the mail system of an account, or passively eavesdropping on the network
through which electronic mail containing a password reset would pass,
could effectively take control of the account.
Having data collocated with that of an organization with a high threat
profile could also lead to a denial of service, as an unintended casualty from
an attack targeted against that organization. Similarly, side effects from a
physical attack against a high profile organization’s cloud-based resources
are also a possibility. For example, over the years, facilities of the Internal
Revenue Service have attracted their share of attention from would-be
attackers.
3.11 Incident Response
As the name implies, incident response involves an organized
method for dealing with the consequences of an attack against the security
of a computer system. The cloud provider’s role is vital in performing
Page 43

44. incident response activities, including incident verification, attack analysis,
containment, data collection and preservation, problem remediation, and
service restoration.
Revising an organization’s incident response plan to address differences
between the organizational computing environment and a cloud computing
environment is an important, but easy-to-overlook prerequisite to
transitioning applications and data.
Collaboration between the service subscriber and provider in recognizing
and responding to an incident is essential to security and privacy in cloud
computing. The complexity of the service can obscure recognition and
analysis of incidents. For example, it reportedly took one IaaS provider
approximately eight hours to recognize and begin taking action on an
apparent denial of service attack against its cloud infrastructure, after the
issue was reported by a subscriber of the service. Understanding and
negotiating the provisions and procedures for incident response should be
done before entering a service contract, rather than as an afterthought. The
geographic location of data is a related issue that can impede an
investigation, and is a relevant subject for contract discussions.
Response to an incident should be handled in a way that limits damage and
reduces recovery time and costs. Being able to convene a mixed team of
representatives from the cloud provider and service subscriber quickly is
an important facet to meeting this goal. Remedies may involve only a single
party or require the participation of both parties. Resolution of a problem
may also affect other subscribers of the cloud service. It is important that
cloud providers have a transparent response process and mechanisms to
share information with their subscribers during and after the incident.
Page 44

45. Chapter Four
Deployment Models of
Cloud Security
Page 45

46. Model 1:
Private Virtual Infrastructure model (PVI)
Private Virtual Infrastructure allows organizations to utilize
cloud resources with the level of assurance that is required to meet
their confidentiality concerns. PVI provide security architecture for
cloud computing which uses a new trust model to share the
responsibility of security in cloud computing between the Service
provider and client, decreasing the risk exposure to both.
The PVI cloud security model is a virtual datacenter over the existing
cloud infrastructure.
- The PVI datacenter is under control of the information owner.
- The cloud fabric is under control of the service provider.
PVI Cloud Security Architecture
The Private Virtual Infrastructure architecture has two layers.
The IaaS fabric layer provides computation resources managed by
the service provider, while the PVI layer provides a virtual datacenter
managed by the client. The service provider assumes responsibility
for providing the physical security and the logical security of the
service platform required for the PVI layer. Each client is responsible
for securely provisioning their virtual infrastructure with
appropriate firewalls, intrusion detection systems, monitoring and
logging to ensure that data is kept confidential. PVI enables the client
to build a virtual infrastructure that meets these requirements.
PVI is based on five tenets proposed as a basis for cloud security.
1. Trusted Cloud Platform
It provide the ability to verify security settings of the
underlying fabric, security services which protect and monitor
the fabric and identity certificate presented to the virtual
environment that attests these services by using Trusted
Virtual Datacenter (TVDc) builds upon Trusted Virtual
Domains, which provides strong isolation and integrity
guarantees that significantly enhance the security and
management capabilities in virtualized environments.
2. PVI Factory
- The most sensitive component of PVI.
- It is the root authority for: (Provisioning – VTPM key
generation - Certificate generation & management).
Virtual Trusted Platform Model (VTPM)
Page 46

47. It is a cryptographic component that stores cryptographic keys.
- Should be under full control of the information owner.
- It serves as the controller and policy decision point for
the PVI.
- It is responsible for ensuring the integrity of the PVI and
handling incidents in the event of a security breach.
3. Measurement and Secure Provisioning
- Providers must allow clients transparent insight into
their infrastructures.
- LoBot can perform the fabric pre-measurement which
allows PVI to share the responsibility of security
management. Locator Bot (LoBot) is a VM architecture
and secure transfer protocol based on VTPM.
- After LoBots probe target platforms for security
properties they can securely provision VMs on those
platforms.
4. Secure Shutdown and Data Destruction
- This process is required to ensure all sensitive data is
removed before new processes are allowed to run on it.
- The VM do not provide that, so there is a
recommendation to enclose that on future VM monitors
or through LoBot.
5. Monitoring and Auditing
- LoBot provide continuous monitoring of the cloud
environment.
- Locator Bot (LoBot) is the architecture and protocol for
secure provisioning and secure migration of virtual
machines within an IaaS cloud. LoBot provides many
other security features for PVI such as environmental
monitoring, tamper detection and secure shutdown
How PVI work? …We must know
- A LoBot is a self-contained virtual machine with a VTPM
- Probe application that is provisioned on a target machine.
1. Upon startup, the VTPM binds itself to the target’s TPM, and
then the Probe application reads the platform configuration
from the target TPM’s and obtains identifying information
about the platform. This information is then combined with the
Page 47

48. VTPM’s which is cryptographically sealed in a blob that is
transferred to the PVI factory.
2. The PVI factory decrypts the blob and examines the
information received to determine whether the environment is
safe. Once the target environment is determined to be safe, the
PVI factory configures the VM and securely transfers it to the
target environment, via the LoBot protocol, in a blob encrypted
such that only the target platform may execute source
environment.
3. At the target environment, the LoBot probe application
receives and unseals the source environment. If the source
environment was tampered with during transfer, it will be
detected during the decryption phase.
PVI Strengths
1. New paradigm for securing and managing cloud computing
services based on a synergistic relationship between the
vendor and customer of cloud services
2. Provides information owners the flexibility to manage their
own data
3. This model takes into account all key security.
PVI Weaknesses
1. This model just dealing with infrastructure layer and plat form
layer Ignoring application layer in cloud computing.
2. Introduces Secure Shutdown and Data Destruction and
monitoring and auditing tenets in the PVI model without any
methods to obtain them.
3. Introduces PVI factory and Locater Bot Protocol
Page 48

49. Model 2:
Cloud computing data security with the analysis of HDFS
architecture.
This Model analyses the basic problem of cloud computing data
security. With the analysis of HDFS architecture, we get the data
security requirement of cloud computing and set up a mathematical
data model for cloud computing. Finally we build a data security
model for cloud computing.
Introduction
The emergence of the Cloud system has simplified the
deployment of large-scale distributed systems for software vendors.
The Cloud system provides a simple and unified interface between
vendor and user, allowing vendors to focus more on the software
itself rather than the underlying framework. Applications on the
Cloud include Software as a Service system and Multi-tenant
databases. The Cloud system dynamically allocates computational
resources in response to customers’ resource reservation requests
and in accordance with customers’ predesigned quality of service.
Risk coming with opportunity, the problem of data security in cloud
computing become bottleneck of cloud computing.
Data Security Problem of Cloud Computing
A. Security Problem Drive from VM
The virtual machine technology is considered as a cloud
computing platform of the fundamental component. Virtual Machine
technology bring obvious advantages, it allows the operation of the
server which is no longer dependent on the physical device, but on
the virtual servers. In virtual machine, a physical change or migration
does not affect the services provided by the service provider. If user
needs more services, the provider can meet user’s needs without
having to concern the physical hardware.
However, the virtual server from the logical server group
brings a lot of security problems. The traditional data center security
measures on the edge of the hardware platform, while cloud
computing may be a server in a number of virtual servers, the virtual
server may belong to different logical server group, therefore there is
the possibility of attacking each other ,which brings virtual servers a
lot of security threats. Virtual machine extending the edge of clouds
makes the disappearance of the network boundary, thereby affecting
Page 49

50. almost all aspects of security, the traditional physical isolation and
hardware-based security infrastructure cannot stop the clouds
computer environment of mutual attacks between the virtual
machine.
B. The Existence of Super-user
Cloud provider carries out the management and maintenance
of data, the existence of super-users to greatly simplify the data
management function, but it is a serious threat to user privacy.
Super-powers is a double edged sword, it brings convenience to
users and at the same time poses a threat to users. In an era of
personal privacy, personal data should be really protected, and the
fact that cloud computing platform to provide personal services in
the confidentiality of personal privacy on the existence of defects. Not
only individual users but also the organizations have similar
potential threats, e.g. corporate users and trade secrets stored in the
cloud computing platform may be stolen. Therefore the use of super
user rights must be controlled in the cloud.
C. Consistency of Data
Cloud environment is a dynamic environment, where the user's
data transmits from the data center to the user's client. For the
system, the user's data is changing all the time. Read and write data
relating to the identity of the user authentication and permission
issues. In a virtual machine, there may be different users’ data which
must be strict managed. The traditional model of access control is
built in the edge of computers, so it is weak to control reading and
writing among distributed computers. It is clear that traditional
access control is obviously not suitable for cloud computing
environments. The traditional access control mechanism has serious
shortcomings.
D. New Technology
The concept of cloud computing is built on new architecture.
The new architecture comprised of a variety of new technologies,
such as Hadoop, Hbase, which enhances the performance of cloud
systems but brings in risks at the same time. In the cloud
environment, users create many dynamic virtual organizations, first
set up in co-operation usually occurs in a relationship of trust
between organizations rather than individual level. So those users
based on the expression of restrictions on the basis of proof strategy
is often difficult to follow; which frequently occurs in many of the
Page 50

51. interactive nodes between the virtual machine, and is dynamic,
unpredictable. Cloud computing environment provides a user the full
access to resources which has also increased security risks.
Requirement of Security
HDFS (Hadoop Distributed File System) is used in large-scale
cloud computing in typical distributed file system architecture, its
design goal is to run on commercial hardware, due to the support of
Google, and the advantages of open source, it has been applied in the
basis of cloud facilities. HDFS is very similar to the existing
distributed file system, such as GFS (Google File System); they have
the same objectives, performance, availability and stability. HDFS
initially used in the Apache Nutch web search engine and become the
core of Apache Hadoop project.
HDFS used the master/slave backup mode. As shown in
Figure6. The master is called Namenode, which manages the file
system name space and controls access to the client. Other slave
nodes is called Datanode, Datanode controls access to his client. In
this storage system, a file is cut into small pieces of paper. Namenode
maps the file blocks to Datanodes above. While HDFS does not have
the POSIX compatibility, the file system still support the creation,
delete, open, close, read, write and other operations on files.
Figure 6. HDFS Architecture
By analyzing of HDFS, data security needs of cloud computing can be
divided into the following points:
Page 51

52. 1. The client authentication requirements in login: The vast
majority of cloud computing through a browser client, such as
IE, and the user’s identity as a cloud computing applications
demand for the primary needs.
2. The existence of a single point of failure in Namenode: if
namenode is attacked or failure, there will be disastrous
consequences on the system. So the effectiveness of Namenode
in cloud computing and its efficiency is key to the success of
data protection, so to enhance Namenode’s security is very
important.
3. The rapid recovery of data blocks and r/w rights control:
Datanode is a data storage node, there is the possibility of
failure and cannot guarantee the availability of data. Currently
each data storage block in HDFS has at least 3 replicas, which is
HDFS’s backup strategy. When comes to how to ensure the
safety of reading and writing data, HDFS has not made any
detailed explanation, so the needs to ensure rapid recovery and
to make reading and writing data operation fully controllable
cannot be ignored.
4. In addition to the above three requirements, the other, such as
access control, file encryption, such as demand for cloud
computing model for data security issues must be taken into
account.
DATA SECURITYMODEL
A. Principle of Data Security
All the data security techniques are built on confidentiality,
integrity and availability of these three basic principles.
Confidentiality refers to the so-called hidden the actual data or
information, especially in the military and other sensitive areas, the
confidentiality of data on the more strict requirements. For cloud
computing, the data are stored in "data center", the security and
confidentiality of user data is even more important. The so-called
integrity of data in any state is not subject to the need to guarantee
unauthorized deletion, modification or damage. The availability of
data means that users can have the expectations of the use of data by
the use of capacity.
Page 52

53. B. Data Security Model
Data model of cloud computing can be described in math as follows:
Df = C(NameNode) ; (1)
Kf= f * Df ; (2)
C(.) : the visit of nodes;
Df: the distributed matrix of the file f ;
Kf: the state of data distribution in Datanodes;
f: file, file f can be described as:
f = {F(1),F(2),…….F(n)}, means f is a set of n file
blocks F(i) F(j) = , i ; I,j ;
Df is a Zero-One matrix, it is L*L, L is the number of Datanode.
To enhance the data security of cloud computing, we provide a cloud
computing data security model called C2DSM. It can be described as
follows:
D’f = CA (namenode) (3)
Df = M. D’f (4)
Kf = E(f) Df (5)
CA (.): authentic visit to namenode;
Df : private protect model of file distributed matrix;
M: resolve private matrix;
E(f) : encrypted file f block by clock, get the encrypted file vector;
This model can be shown by figure 7
Page 53

54. Figure 7. Cloud computing Data Security 1
The model used three-level defense system structure, in which
each floor performs its own duty to ensure that the data security of
cloud layers.
• The first layer: responsible for user authentication, the user of
digital certificates issued by the appropriate, manage user
permissions.
• The second layer: responsible for user's data encryption, and
protect the privacy of users through a certain way.
• The third layer: The user data for fast recovery, system
protection is the last layer of user data.
With three-level structure, user authentication is used to
ensure that data is not tampered. The user authenticated can manage
the data by operations: Add, modify, delete and so on. If the user
authentication system is deceived by illegal means, and malign user
enters the system, file encryption and privacy protection can provide
this level of defense. In this layer user data is encrypted, even if the
key was the illegally accessed, through privacy protection, malign
user will still be not unable to obtain effective access to information,
which is very important to protect business users’ trade secrets in
cloud computing environment. Finally, the rapid restoration of files
layer, through fast recovery algorithm, makes user data be able to get
the maximum recovery even in case of damage.
From the model there will be follow theorems:
- Theory one: If is not a full order, then the user lost his data.
Verify:
Page 54

55. if the file distribution matrix, so with the formula (5) , is
the L length vector.
If is not full order, can be convert to , is
(L-i) * (L-i) matrix, i 1;
become L-I length vector, that make confliction to the
definition of the model.
- Theory two: if , then the data of the user is
damaged. means the value of position i of file vector .
Verify:
means the number of store data in datanode, with
definition f={F(1),F(2),….F(n)}, if F(i) not existence, i=1 , 2….n,
then the file store failure if , then there will be
i=1,2….n, let not existence if f, the file
damaged.
- Theory three if there existed matrix J, J M, but = J.
, the private of user leak.
Verify:
M is the user’s private matrix. With the matrix M
we can get . if J existed then illegal user may get
by J . There is existence of private leakence.
Page 55