Cloud Security Challenges

Conference Paper · October 2012


DOI: 10.1109/TSSA.2012.6366028


All content following this page was uploaded by Gurudatt Anil Kulkarni on 20 May 2014.



2012 7th International Conference on Telecommunication Systems, Services, and Applications (TSSA)

Cloud Security Challenges


Gurudatt Kulkarni1, Nikita Chavan2, Ruchira Chandorkar3, Rajnikant Palwe5, Rani Waghmare4

1, 2 Electronics & Telecommunication Dept., Marathwada Mitra Mandal’s Polytechnic, Pune, India, gurudatt.kulkarni@gmail.com
3, 4 Electronics & Telecommunication Dept, Marathwada Mitra Mandal’s Polytechnic, Pune, India
5 Department of Computer Engineering, Marathwada Mitra Mandal’s Polytechnic, Pune, India

Abstract—Deploying cloud computing in an enterprise infrastructure brings significant security concerns. Successful implementation of cloud computing in an enterprise requires proper planning and understanding of emerging risks, threats, vulnerabilities, and possible countermeasures. We believe an enterprise should analyze the company/organization security risks, threats, and available countermeasures before adopting this technology. In a cloud computing environment, all the data reside over a set of networked resources, enabling the data to be accessed through virtual machines. Since these data centers may lie in any corner of the world beyond the reach and control of users, there are multifarious security and privacy challenges that need to be understood and taken care of. Also, one can never deny the possibility of a server breakdown, which has been witnessed rather often in recent times. There are various issues that need to be dealt with in respect of security and privacy in a cloud computing scenario. This extensive survey paper aims to elaborate and analyze the numerous unresolved issues threatening cloud computing adoption and diffusion, affecting the various stakeholders linked to it.

Keywords - DoS attack, flooding attack, cloud, PaaS

Introduction [1,2]

Cloud computing provides different services rather than a unit of product. These services are put forward as three models: software as a service (SAAS), platform as a service (PAAS), and infrastructure as a service (IAAS) (Iyer and Henderson, 2010; Han, 2010; Mell and Grance, 2010).

Figure 1. Cloud Computing Service Models

1. SAAS: It is run by the cloud service provider and mostly used by organizations. It is available to users through the internet.
2. PAAS: It is a tool (Windows, LINUX) used by developers for developing websites without installing any software on the system, and it can be executed without any administrative expertise.
3. IAAS: It is operated, maintained and controlled by cloud service providers that support various operations like storage, hardware, servers and networking.

There are four types of cloud computing models listed by NIST (2009): private cloud, public cloud, hybrid cloud and community cloud.

A. Public Cloud: It is for the general public, where resources, web applications and web services are provided over the internet and any user can get the services from the cloud. Public organizations help in providing the infrastructure to execute the public cloud.

B. Private Cloud: It is used by organizations internally and is for a single organization. Anyone within the organization can access the data, services and web applications, but users outside the organization cannot access the cloud. The infrastructure of a private cloud is completely managed, and corporate data are fully maintained, by the organization itself.

C. Hybrid Cloud: The cloud is a combination of two or more clouds (public, private and community). Basically it is an environment in which multiple internal or external suppliers of cloud services are used. It is being used by most organizations (IBM and Junipers Network, 2009).

Figure 2. Cloud Computing Type

D. Community Cloud: The cloud is basically the mixture of one or more public, private or hybrid clouds, which is shared by many organizations for a single cause (mostly security). Infrastructure is to be shared

978-1-4673-4550-7/12/$31.00 ©2012 IEEE 88



by several organizations within a specific community with common security and compliance objectives. It is managed by a third party or managed internally. Its cost is less than a public cloud but more than a private cloud.

I. CLOUD SECURITY [3, 4]

Security is one of the concerns about cloud computing that is delaying its adoption, as only 5% turn over to cloud computing. One of the biggest security concerns is that when you move your information over the cloud you will lose control of it. The cloud gives you access to data, but you have no way of ensuring no one else has access to the data. In a cloud-based software environment, physical security is stronger because the loss of a client system doesn’t compromise data or software. Cloud computing seems to offer some incredible benefits for communication: the availability of an incredible array of software applications, access to lightning-quick processing power, unlimited storage, and the ability to easily. Cloud computing takes hold as 69% of all internet users have either stored data online or used a web-based software application. "Washington, DC – Some 69% of online Americans use webmail services, store data online, or use software programs such as word processing applications whose functionality is located on the web. In doing so, these users are making use of “cloud computing,” an emerging architecture by which data and applications reside in cyberspace, allowing users to access them through any web-connected device." There are numerous security issues for cloud computing as it encompasses many technologies including networks, databases, operating systems, virtualization, resource scheduling, transaction management, load balancing, concurrency control and memory management.

Figure 3. Cloud Security View

Therefore, security issues for many of these systems and technologies are applicable to cloud computing. For example, the network that interconnects the systems in a cloud has to be secure. Furthermore, the virtualization paradigm in cloud computing results in several security concerns. For example, mapping the virtual machines to the physical machines has to be carried out securely. Data security involves encrypting the data as well as ensuring that appropriate policies are enforced for data sharing. In addition, resource allocation and memory management algorithms have to be secure. Finally, data mining techniques may be applicable to malware detection in clouds.

It is clear that the security issue has played the most important role in hindering cloud computing acceptance. Without doubt, putting your data and running your software on someone else's hard disk using someone else's CPU appears daunting to many. Well-known security issues such as data loss, phishing, and botnets (running remotely on a collection of machines) pose serious threats to an organization's data and software. Moreover, the multi-tenancy model and the pooled computing resources in cloud computing have introduced new security challenges that require novel techniques to tackle. For example, hackers can use the cloud to organize a botnet, as the cloud often provides more reliable infrastructure services at a relatively cheaper price for them to start an attack.

A. Malware-injection attack problem

In the cloud system, as the client’s request is executed based on authentication and authorization, there is a huge possibility of metadata exchange between the web server and web browser. An attacker can take advantage during this exchange of metadata. Either the adversary makes his own instance or the adversary may try to intrude with malicious code. In this case, either the injected malicious service or code appears as one of the valid instance services running in the cloud. If the attacker is successful, then the cloud service will suffer from eavesdropping and deadlocks, which forces a legitimate user to wait until the completion of a job which was not generated by the user. This type of attack is also known as a meta-data spoofing attack.

Figure 4. Malware Protection

B. Flooding attack problem

In a cloud system, all the computational servers work in a service-specific manner, with internal communication between them. Whenever a server is overloaded or has reached the threshold limit, it transfers some of its jobs to a nearest and similar service-specific server to offload itself. This sharing approach makes the cloud more efficient and faster at executing requests. When an adversary has achieved the authorization to make a request to the cloud, then he/she can easily create bogus data and pose these requests to the cloud server. When processing these


requests, the server first checks the authenticity of the requested jobs. Non-legitimate requests must be checked to determine their authenticity, but checking consumes CPU and memory and engages the IaaS to a great extent, and as a result the server will offload its services to another server. Again, the same thing will occur, and the adversary is successful in engaging the whole cloud system just by interrupting the usual processing of one server, in essence flooding the system.

C. Accountability check problem

The payment method in a cloud system is “No use No bill”. When a customer launches an instance, the duration of the instance, the amount of data transfer in the network and the number of CPU cycles per user are all recorded. Based on this recorded information, the customer is charged. So, when an attacker has engaged the cloud with a malicious service or runs malicious code, which consumes a lot of computational power and storage from the cloud server, then the legitimate account holder is charged for this kind of computation. As a result, a dispute arises and the provider’s business reputation is hampered.

Figure 5. An example for attribute-based encryption

D. Browser Security

In a cloud computing system, the computational processes are completed in the cloud server, whereas the client side just sends a request and waits for the result. The web browser is a common method to connect to cloud systems. Before a client can request services on the cloud system, the client is required to authenticate himself, whether he has the authority to use the cloud system or not. From the security point of view, these days web browsers rely heavily upon the SSL/TLS process. They are not able to apply the WS-Security concept (XML Signature and XML Encryption) to the authentication process. As a consequence, when a web browser requests a service from the web service in a cloud system, it cannot use XML Signature to sign the client’s credentials (e.g. username and password) in order to authenticate the user, or XML Encryption to encrypt the SOAP message in order to protect data from unauthorized parties. The web browser has to use SSL/TLS to encrypt the credential and use the SSL/TLS 4-way handshake process in order to authenticate the client. Nevertheless, SSL/TLS only supports point-to-point communications, meaning that if there is a middle tier between the client and the cloud server, such as a proxy server or firewall, the data has to be decrypted on the intermediary host.

E. Service Provider Security Issues

The public cloud computing surroundings offered by the cloud supplier and make sure that a cloud computing resolution satisfies organizational security and privacy needs. The cloud supplier to provision the safety controls necessary to safeguard the organization’s information and applications, and additionally the proof provided regarding the effectiveness of these controls migrating organizational information and functions into the cloud.

F. Identity and access management [3, 5, 6]

Identity and Access Management (IAM) features are Authorization, Authentication, and Auditing (AAA) of users accessing cloud services. In any organization, the “trust boundary” is mostly static and is monitored and controlled for applications which are deployed within the organization’s perimeter. In a private data center, the managed trust boundary encompasses the network, systems, and applications, and it is secured via network security controls including intrusion prevention systems (IPSs), intrusion detection systems (IDSs), virtual private networks (VPNs), and multifactor authentication. With cloud computing, the organization’s trust boundary will become dynamic, and the application, system, and network boundary of an organization will extend into the service provider domain. Application security and user access controls will compensate for the loss of network control and strengthen risk assurance. These include strong authorization, authentication based on claims or role, trusted sources with user activity monitoring, identity federation, accurate attributes, single sign-on (SSO), and auditing.

G. Privacy

Privacy is one of the security issues in cloud computing. Personal information regulations vary across the world, and a number of restrictions are placed by a number of countries on whether it is stored outside of the country. For a cloud service provider, in every jurisdiction a single level of service that is acceptable. Based on contractual commitments, data can be stored within specific countries for privacy regulations, but this is difficult to verify. In Private and confidential customer data fast rising for the consequences and potential costs of mistakes for companies that handle. But professionals develop the security services and the cloud service privacy practices. An effective assessment strategy must cover data protection, compliance, privacy, identity


management, secure operations, and other related security and legal issues.

H. Securing Data in Transmission [6, 7]

Encryption techniques are used for data in transmission. To provide the protection for data only goes where the customer wants it to go by using authentication and integrity and is not modified in transmission. SSL/TLS protocols are used here. In a cloud environment, most of the data is not encrypted during processing time, because to process data, for any application, that data must be unencrypted. A fully homomorphic encryption scheme is an advance in cryptography which allows data to be processed without being decrypted.

Figure 6. Encryption Technique

To provide the confidentiality and integrity of data-in-transmission to and from cloud provider by using access controls like authorization, authentication, auditing for using resources, and ensure the availability of the Internet-facing resources at cloud provider. A man-in-the-middle attack is a cryptographic attack carried out when an attacker can place themselves in the communication’s path between the users. Here, there is the possibility that they can interrupt and change communications.

CONCLUSION

Although cloud computing can be seen as a new phenomenon which is set to revolutionise the way we use the Internet, there is much to be cautious about. There are many new technologies emerging at a rapid rate, each with technological advancements and with the potential of making humans’ lives easier. There are several other security challenges, including security aspects of virtualization. We believe that due to the complexity of the cloud, it will be difficult to achieve end-to-end security. However, the challenge we have is to ensure more secure operations even if some parts of the cloud fail. For many applications, we not only need information assurance but also mission assurance. Therefore, even if an adversary has entered the system, the objective is to thwart the adversary so that the enterprise has time to carry out the mission. As such, building trusted applications from untrusted components will be a major aspect with respect to cloud security.

ACKNOWLEDGMENT

Mr. Gurudatt Kulkarni, one of the authors, is indebted to Principal Prof. Mrs. Rujuta Desai for giving permission for sending the paper to the conference. Mrs. Rani Waghmare is also thankful to the Vice President Mr. S.D. Ganage & Secretary Mr. B.G. Jadhav, Marathwada Mitra Mandal, for giving permission to send the paper for publication. We would also like to thank our colleagues such as Lecturer Mrs. Geeta Joshi and Jayant Gambhir for supporting us.

REFERENCES

[1] Dikaiakos et al., “Cloud Computing: Distributed Internet Computing for IT and Scientific Research”, IEEE, Volume 13, Issue 5, Sept.-Oct. 2009, Page: 10 - 13.
[2] Liang-Jie Zhang et al., “CCOA: Cloud Computing Open Architecture”, IEEE, 6-10 July 2009, Page(s): 607 – 616.
[3] Tripathi, A.; Mishra, A.; IT Div., Gorakhpur Centre, Gorakhpur, India, “Cloud Computing Security Considerations”, Signal Processing, Communications and Computing (ICSPCC), 2011 IEEE International Conference.
[4] M. A. Rahaman, A. Schaad, and M. Rits. Towards secure SOAP message exchange in a SOA. In SWS ’06: Proceedings of the 3rd ACM workshop on Secure Web Services, pages 77–84, New York, NY, USA, 2006. ACM Press.
[5] Meiko Jenson, Jorg Schwenk, Nils Gruschka, Luigi Lo Iacono. On Technical Security Issues in Cloud Computing. IEEE International Conference on Cloud Computing 2009.
[6] D. Kormann and A. Rubin, “Risks of the passport single sign on protocol,” no. 1–6, pp. 51–58, 2000.
[7] http://www.sys-con.com/node/1203943
[8] Handbook on securing cyber-physical Critical infrastructure, 2012, Pages 389-410, Shucheng Yu, Wenjing Lou, Kui Ren.
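
The offload cascade described in section B (Flooding attack problem), as an added example that is not part of the original paper: a one-tick simulation in which a server at capacity passes its overflow to the next server, run with and without a per-principal quota enforced before the authenticity check. `CAPACITY`, the quota value, the tenant names and the sample request list are assumptions constructed for illustration.

```python
from collections import Counter

CAPACITY = 10  # authenticity checks one server can perform per tick (assumed value)

def run_tick(requests, n_servers=4, quota=None):
    """Simulate one scheduling tick.

    requests: list of (principal, is_authentic) in arrival order.
    quota:    max requests per principal per tick, enforced with a cheap
              counter before any authenticity check; None disables it.
    A server that reaches CAPACITY offloads the remaining queue to the next
    server, which is the behaviour section B describes.
    """
    throttled = 0
    if quota is not None:
        seen, admitted = Counter(), []
        for principal, authentic in requests:
            seen[principal] += 1
            if seen[principal] <= quota:
                admitted.append((principal, authentic))
            else:
                throttled += 1  # rejected without spending a check
        requests = admitted

    queue, loads, served = list(requests), [], 0
    for _ in range(n_servers):
        batch, queue = queue[:CAPACITY], queue[CAPACITY:]
        loads.append(len(batch))
        served += sum(1 for _, authentic in batch if authentic)
        if not queue:
            break  # nothing left to offload
    return {
        "saturated_servers": sum(1 for n in loads if n >= CAPACITY),
        "authentic_served": served,
        "dropped": len(queue),
        "throttled": throttled,
    }

# Constructed sample: one authorized tenant submits 40 bogus jobs ahead of
# five genuine requests from other tenants.
SAMPLE = [("tenant-x", False)] * 40 + [(f"tenant-{i}", True) for i in range(5)]

if __name__ == "__main__":
    print("no quota:", run_tick(SAMPLE))
    print("quota=3 :", run_tick(SAMPLE, quota=3))
```

Without the quota every server spends its whole budget checking bogus jobs and the genuine requests are dropped; with it, the overflow never leaves the first server.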

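
Section D (Browser Security) notes that SSL/TLS protects only each hop, so a proxy or firewall in the middle tier handles the decrypted message. The added example below, which is not code from the paper, attaches a message-level authentication tag that the final receiver checks regardless of how many TLS hops were terminated on the way. HMAC-SHA256 with a shared key stands in for XML Signature, and the key, field names and sample message are constructed.

```python
import hashlib
import hmac
import json

def _canonical(fields):
    # Stable serialization so signer and verifier hash identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign_message(key, body, nonce, issued_at):
    """Sender side: bind body, nonce and timestamp under one tag."""
    fields = {"body": body, "nonce": nonce, "issued_at": issued_at}
    sig = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "sig": sig}

def verify_message(key, msg, seen_nonces, now, max_age=300):
    """Receiver side: returns 'ok' or the reason for rejection."""
    try:
        fields = {k: msg[k] for k in ("body", "nonce", "issued_at")}
        sig = str(msg["sig"])
    except KeyError:
        return "malformed"
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "bad-signature"   # altered anywhere between sender and receiver
    if abs(now - fields["issued_at"]) > max_age:
        return "stale"
    if fields["nonce"] in seen_nonces:
        return "replay"          # a captured message delivered a second time
    seen_nonces.add(fields["nonce"])
    return "ok"

def relay(msg, alter_body=False):
    """Middle tier that terminates TLS and therefore handles plaintext."""
    copy = json.loads(json.dumps(msg))  # deep copy of the decrypted message
    if alter_body:
        copy["body"]["amount"] = 9999
    return copy

# Constructed sample key and message (timestamps are plain integers here).
KEY = b"constructed-demo-key-not-a-secret"
MSG = sign_message(KEY, {"op": "transfer", "amount": 10}, "n-001", 1000)

if __name__ == "__main__":
    seen = set()
    print(verify_message(KEY, relay(MSG), seen, 1010))
    print(verify_message(KEY, relay(MSG, True), seen, 1010))
    print(verify_message(KEY, relay(MSG), seen, 1020))
```

The tag gives integrity and origin authentication only; the intermediary can still read the body, which is the gap XML Encryption addresses in WS-Security.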