
Secure Cloud Computing for Critical Infrastructure: A Survey

Younis A. Younis, Madjid Merabti and Kashif Kifayat

School of Computing and Mathematical Sciences, Liverpool John Moores University, Liverpool, L3 3AF, UK
Y.A.-Younis@2012.ljmu.ac.uk {m.merabti, k.kifayat}@ljmu.ac.uk

Abstract: Cloud computing has been considered one of the promising solutions to our increasing demand for accessing and using resources provisioned over the Internet. It offers powerful processing and storage resources as on-demand services with reduced cost and increased efficiency and performance. All of these features and more encourage enterprises, governments and even critical infrastructure providers to migrate to the cloud. Critical infrastructures, such as power plants and water, are considered the backbone of modern societies. However, with all of these promising facilities and benefits, there are still a number of technical barriers that hinder utilizing the cloud, such as security and quality of service. The target of this survey is to explore potential security issues related to securing cloud computing for critical infrastructure providers. It highlights security challenges in cloud computing and investigates the security requirements for various critical infrastructure providers.

Keywords: cloud computing; critical infrastructure; security; limitations

ISBN: 978-1-902560-27-4 2013 PGNet

I. INTRODUCTION

In the last few years, we have seen a dramatic growth in IT investments, and a new term has come to the surface: cloud computing. The National Institute of Standards and Technology defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" [1]. It has five essential characteristics: on-demand self-service, measured service, rapid elasticity, broad network access and resource pooling. It aims at giving the capability to use powerful computing systems while reducing cost and increasing efficiency and performance [1]. However, with all of these promising facilities and benefits, there are still a number of technical barriers that may prevent cloud computing from becoming a truly ubiquitous service, especially where the customer has strict or complex requirements over the security of an infrastructure [2]. The latest cyber-attacks on high-profile firms (Amazon, Google and Sony's PlayStation) and the predictions of more cyber-attacks on cloud infrastructure are threatening to slow the take-off of cloud computing. The number of cyber-attacks is now extremely large and their sophistication so great that many organizations are having trouble determining which new threats and vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt with first. These security concerns and attacks could slow the growth of the cloud computing market, which is expected to reach $3.2 billion by the end of 2012 in Asia alone from $1.87 billion last year, while the global market could reach $55 billion in 2014 [3].

Cloud computing gives new hope for meeting the various requirements of service providers and consumers alike when they look at what the cloud can offer them. A new report from The Economist Intelligence Unit and IBM finds that among 572 business leaders surveyed, almost three-fourths indicate their companies have piloted, adopted or substantially implemented cloud in their organizations, and 90% expect to have done so in three years. Moreover, the number of respondents whose companies have substantially implemented cloud is expected to grow from 13% today to 41% in three years [4]. The unique benefits of cloud computing have given many critical infrastructure providers a basis for migrating to the cloud computing paradigm. For example, IBM and Cable & Wireless (C&W) have announced plans to collaborate in the development of a cloud-based smart metering system [5]. This system aims at deploying about 50 million smart meters in the UK by 2020. BT has deployed a new cloud-based supply chain solution to increase operational efficiency, improve customer service and optimize reverse logistics [6]. In April 2013, the National Grid, the UK's gas and electricity network, announced that it would replace its own internal datacenters with a CSC-hosted cloud [7]. Critical infrastructure is an essential asset for the maintenance of vital societal functions, such as power distribution networks and financial systems [8].

In a cloud environment, critical infrastructure providers would require scalable platforms for their large amounts of data and computation, multi-tenant billing and virtualization with very strong isolation, Service Level Agreement (SLA) definitions and automatic enforcement mechanisms, and end-to-end performance and security mechanisms. However, these requirements might not be met by cloud computing service providers, as they suffer from a number of challenges and threats. Our objective is to look at the cloud computing security challenges that hinder migration to the cloud, and at the requirements of critical infrastructure providers for utilizing the cloud.

The rest of this paper is structured as follows. Section 2 explores the security challenges in cloud computing. Requirements for different critical infrastructure areas, such as the health sector, smart grids and the telecommunication field, are illustrated in section 3. The conclusion from this research and our future work are presented in section 4.

II. SECURITY CHALLENGES IN CLOUD COMPUTING

In cloud computing, critical aspects of security can be gleaned from the reported experiences of early adopters and from researchers analyzing and experimenting with available service provider platforms and associated technologies. Security is the greatest inhibitor of adoption and the primary concern in cloud computing. As cloud computing is a modern way to access and use computing resources over the Internet, it inherits some security risks and vulnerabilities from the conventional Internet, such as those affecting data confidentiality, integrity and availability. Moreover, cloud computing has brought new concerns that have to be considered, such as data being moved and stored in the cloud with the possibility that it resides in another country, which has different regulations. This section highlights security-related issues that are believed to have long-term significance for cloud computing.

A. Data security and privacy

One of the critical aspects of cloud computing security is protecting data integrity, availability and confidentiality. Data will be stored and moved in a shared environment managed by various service providers, and it is likely to be located in a different country that has other regulations. It could face various kinds of regulations, which might reveal it partially or completely even when it stays within national borders. The data could be passed to a third party to be used for other purposes, for instance in advertisements, which could lead to significant security problems. The integrity of data that is stored in the cloud has to be ensured without downloading it, as downloading would be costly for customers, especially with huge amounts of data. Furthermore, data is always dynamic, whether in the cloud or anywhere else, so it could be updated, appended, deleted and so on [9].

As data is stored on different servers located in different places, data availability becomes a big concern due to factors such as bandwidth efficiency, one cloud being partly unavailable and so on. For example, Microsoft's Azure cloud service faced severe degradation for nearly 22 hours due to problems related to network upgrading [3]. A cloud service provider also has to ensure its computing resources are fully usable and available at all times. Computing resources could be inaccessible for many reasons, such as natural disaster or denial of service.

Protecting data privacy is another important aspect of cloud computing security. Cloud computing is a shared environment, which uses shared infrastructure, so data may face a risk of disclosure or unauthorized access. Sharing cloud computing resources while protecting customers' privacy is a big challenge. To deliver secure multi-tenancy in cloud computing, isolation is needed to ensure each customer's data is isolated from others' data. As the data may be transferred between countries, it could face different kinds of regulations and legal systems. Data anonymity might be utilized to ensure the privacy and security of customers' data. Data sanitization is about making sure any sensitive data has been deleted from storage devices, either when they are removed or when the data has to be cleared. Data provenance aims at supporting data forensics in the cloud, which means recording who has either accessed the data or modified it. So, secure provenance is needed to attest ownership and any access or modification [10].

B. Security attacks and threats

In cloud computing, a service provider has a big role in dealing with all kinds of threats and attacks that it or its customers could face. Most of the attacks that organizations have faced come as a result of vulnerabilities in their systems. In addition, cloud computing inherits a number of security attacks from conventional distributed systems that could have a huge impact on its services, such as malicious code (viruses, Trojan horses), back doors, man-in-the-middle attacks, replay attacks, spoofing, social engineering, TCP hijacking, password guessing and so on [11]. Cloud computing has also brought its own unique security threats and concerns.

Cloud malware injection attack - It is at the top of the list of attacks. It aims at injecting a malicious service, application or virtual machine into the cloud system [12].

Metadata spoofing attack - A web service's server provides the metadata documents, which store all the information about web service invocation, such as message format, security requirements and network location, to the service clients. This attack aims at reengineering a web service's metadata descriptions in order to modify the network endpoints and the references to security policies [13].

Account and service hijacking - This threat could happen when an attacker hacks into a web site that is hosted by a cloud service provider and then secretly installs their software and takes control of the cloud provider's infrastructure [14].

Unknown risk profile - It can come as a result of caring about which features and functionalities can be gained from adopting cloud services without considering how security procedures and technologies will be developed, who has access to the data and what happens when the data is disclosed for any reason [14].

Malicious insiders - It can be caused by a lack of transparency into the provider's processes and into how access to virtual assets is granted to employees. This threat can be more complicated due to the lack of visibility into how employees' roles and responsibilities are updated when their jobs or behavior change [14].

Shared technology's vulnerabilities - Cloud computing will use the same infrastructure used in the Internet, and it will be shared among the cloud consumers. So, all the current problems of that infrastructure will migrate to the cloud without it being ready to migrate, because most of its components were not designed for sharing resources in the cloud [14].

Abuse and nefarious use of cloud computing - According to the CSA, it is the top threat to cloud computing, as an attacker can use the available computing power of the cloud's infrastructure to attack any target by spreading malware and spam, such as botnets [14].

Insecure application programming interface - As cloud service providers depend upon APIs to deliver services to their customers, APIs must have secure authentication, encryption, activity monitoring mechanisms and access control [14].

C. Other security challenges

To depict the whole picture, we have to consider other challenges, each of which needs a survey of its own.

Access controls and Identity Management (IdM) - It is a big concern, which could cause serious security problems, lead to the disclosure of customers' data and give attackers the ability to infiltrate organizations' assets. Identity management (IdM) is another important aspect of cloud computing security that aims at performing authentication among heterogeneous clouds to establish a federation, but it suffers from problems related to interoperability between various security technologies [15].

Monitoring - In the cloud, there is a huge demand for monitoring activities, whether for insiders or outsiders [2].

Risk analysis and management - It is a very important aspect of cloud computing security. It is about reducing the load in cloud computing by checking for any risk in the data before delivering it to consumers [16].

Service Level Agreement - Relations between cloud service providers and consumers have to be described with a service level agreement, which is used to define services and the ways of delivering these services to consumers [17].

Accounting - It is one of the crucial aspects that should be considered in evolving and deploying services in the cloud, as it supports network management [18].

Heterogeneity - Cloud computing services are delivered by a large number of service providers using different types of technologies, which might cause heterogeneity problems. Heterogeneity can result from differences at various levels, either the software or the hardware level [19].

Virtualization - Virtualization is one of many ways used in cloud computing to meet consumers' needs, but it brings its own unique vulnerabilities.

Compliance - Cloud computing lacks proper mechanisms for compliance management. These mechanisms have to deal with concerns related to compliance and prevent any serious problems that could be caused to data security and privacy [20].

Trust Management - In the cloud computing environment, there is a huge demand for establishing a reasonable and practical model for managing trust relationships among cloud computing entities [2].

Cross-Organizational Security Management - Achieving and maintaining security requirements and compliance with SLAs are big challenges for service providers in cloud computing. Moreover, ensuring and maintaining security requirements needs the involvement of several organizations to achieve proper security settings that meet security needs in cloud computing environments, which is called organizational or cross-organizational security management [21].

Policies - In cloud computing, a well-written policy is needed to state the security guidelines and security procedures that are used to implement technical security solutions [2].

Security in the web browser - In the beginning, web browsers enabled a number of features, including cookies and encryption, which were accepted at that time. Later, these features were no longer enough to handle consumers' needs for sophisticated shopping and banking systems in shared open environments like the cloud [22].

Extensibility and Shared Responsibilities - Both end users and cloud computing service providers should care about securing cloud computing. Up to now, there has been no clear indication of how security duties should be assigned in cloud computing and who is responsible for what [23].

Fig 1. Security requirements in different types of CI services

III. SECURE CLOUD SERVICES FOR CRITICAL INFRASTRUCTURE PROVIDERS

As the benefits of cloud computing are hard to ignore, many critical infrastructure providers are aiming to utilize the unique benefits of cloud computing and migrate to the cloud computing paradigm. For example, the National Grid, the UK's gas and electricity network, has announced that it will replace its own internal datacenters with a CSC-hosted cloud [7]. However, moving to the cloud without addressing all of the previously mentioned cloud security challenges is not going to happen soon. In this section we investigate the security requirements of different critical infrastructure providers, such as smart grids, telecommunication, transportation and finance.

A. Requirement analysis

Critical infrastructure providers operate using various kinds of infrastructure and may have different security requirements in their unique environments. A successful migration of various critical infrastructure providers to the cloud would need to meet all of their requirements. We have investigated and analysed the security requirements of various critical infrastructure services (shown in Fig 1) to find the common security requirements, such as data security, compliance and audit, cryptography and access control. An access control system has been found to be one of the core requirements.

In cloud computing, information comes from multiple sources, which need to be secured and controlled accurately. Data should be available only to authorized users, secured against attempts to alter it and on hand whenever it is accessed. The privacy of consumers should be ensured at every stage, whether data is being collected and processed or being transferred. So, assurance of 100% availability, integrity and confidentiality is crucial for clouds [24]. Furthermore, the situation in cloud computing might be different from other IT fields, as data can be revealed for reasons such as court orders. So, cloud service providers have to state that in their terms and policies. Privacy issues have to be considered here as well, as data may face different kinds of regulations, and any security or privacy policy should illustrate that. Moreover, aggregating data from multiple sources could unintentionally reveal sensitive information about consumers, and moving the aggregated data from one place to another can lead to violations of data privacy [25].

Cloud consumers have to know in advance where their data will reside and how it will be segregated in order to avoid data leakage problems. In addition, the lack of visibility into the way data is stored and secured leads to a number of concerns that have to be considered when moving to the cloud. Data centres have to deal with a huge amount of data collected from everywhere in the cloud. Data centres do not stand alone; they have to be connected to other data centres. So, security and latency should be managed properly [24].

Moving any organization to the cloud needs critical thinking about using multiple sources of identity with different attributes and about the ability to identify all the entities involved in a transaction [24]. Access control mechanisms have to be sufficient and may allow consumers to define access policies for their data and utilities. Furthermore, consumers should be allowed to specify and update access policies on data they own. It should be known in advance where user credentials are stored, whether on the organization's servers or in the cloud, in order to avoid disclosure problems. Last but not least, strong mutual identification and authentication between users and the network is still an open research area, both for cloud computing and for any system that is to migrate to the cloud [26].

Moreover, there is a huge demand for proper policies that can organize the relations between consumers, utilities and third parties, but using security and privacy policies should not introduce unacceptable latencies. Compliance, security-breach audit and forensics are used to ensure no one violates or attacks the security within the system [24]. In addition, cloud computing service providers have to apply the right operating models and services to meet compliance and security regulations. Virtualization is a key element in cloud computing that brings well-known benefits to the cloud, yet it has a number of security concerns, such as hypervisor security and performance concerns [26].

Supporting scalable multi-tenant billing and very robust isolation are major requirements of anyone attempting to deploy a system in the cloud. However, in cloud computing there might be multiple networks running on the same infrastructure. So, strong isolation is another requirement to guarantee there is no security or performance interference between cloud tenants. Metering and charging for virtual resource consumption are needed in cloud computing [27].

There are a number of issues that should be considered, such as customisation of applications and services, dealing with latency, eliminating any technical barriers and sorting out the complexity of integrating cloud services with existing legacy environments. Highly configurable, secure virtual machines that provide granular control and allow easy customization are required as well [26]. Moreover, as cloud computing is an environment that has shared platforms, shared storage and a shared network, it has to ensure its components work together to achieve the intended mission regardless of providers, storage, OS, etc. [24]. Web applications used on the Internet have their own vulnerabilities that have not been solved yet, and these applications are being used again in the cloud to deliver services without a clear indication of how their weaknesses will be sorted out or of their impact on cloud users. Additionally, other challenges might be obstacles to moving quickly to the cloud, such as meeting the security requirements of enterprises, performance, scaling operations, cost-effectiveness, the dynamic nature and size of the communication environment, the increased size and complexity of operations, changing technology, and the complexity of services and heterogeneity [27].

Risk analysis and management consists of business risk analysis, technical risk analysis and infrastructure risk analysis [28]. It is used to deal with the dynamic and random behavior of consumers and to mitigate the risks involved when consumers utilize the cloud. Security incidents are one of the major questions for any organization that wants to move to the cloud: what has to be done if the cloud faces a security incident, and which steps are to be followed to mitigate that incident. Security incident management has to be stated in any agreement between consumers and the cloud [29]. Security and privacy issues, latency, audit and monitoring, reliability, network connectivity and third parties have to be negotiated and addressed in the SLA. Cloud computing consumers require SLA definitions and automatic enforcement mechanisms that guarantee sustained and verifiable end-to-end performance.
The SLA must also state how isolation, bandwidth on demand and quality of service will be ensured [30]. Encryption is often used to secure data in untrusted storage environments such as cloud computing. However, it can consume time and cost if it is not handled properly, and it could cause additional storage and bandwidth usage. Key management is another complicated problem, which needs more attention [24]. Consumers are not adequately informed about what can be gained by moving to cloud computing and about the risks associated with that move. Consumers should be engaged in the migration process and in any further action, as they have always been considered the weakest link [24].

IV. CONCLUSION AND FUTURE WORK

Cloud computing has attracted significant interest in both academia and industry, as it is considered a backbone of future modern societies. It will reduce costs and increase economic efficiency. Critical infrastructure providers, like others, are looking to make use of and enjoy cloud computing features. However, without appropriate solutions for a considerable number of security and privacy challenges, cloud computing adoption will not happen soon. In this survey, we have reviewed significant problems in cloud computing security and analysed the security requirements of various critical infrastructure providers. A reliable access control system is a crucial requirement for securing clouds from unauthorised access. Access control systems in cloud computing can be more complex and sophisticated due to dynamic resources, heterogeneity and diversity of services. Our future work will focus on developing a novel access control model for cloud computing to meet the security requirements of critical infrastructure providers. It will look at proposing and implementing a security policy to meet the requirements of critical infrastructure providers and at proposing an efficient enforcement method to enforce the security policy in the proper layer.

REFERENCES

[1] P. Mell and T. Grance, "The NIST definition of cloud computing," NIST special publication, 2011. [Online]. Available: http://csrc.nist.gov/publications/nistpubs/800145/SP800-145.pdf. [Accessed: 15-Oct-2012].
[2] Q. Zhang, L. Cheng, and R. Boutaba, "Cloud computing: state-of-the-art and research challenges," Journal of Internet Services and Applications, vol. 1, no. 1, pp. 7-18, Apr. 2010.
[3] W. A. Jansen, "Cloud Hooks: Security and Privacy Issues in Cloud Computing," in 2011 44th Hawaii International Conference on System Sciences, 2011, pp. 1-10.
[4] S. Berman and L. Kesterson-Townes, "The power of cloud. Driving business model innovation," 2012.
[5] D. du Preez, "IBM and Cable & Wireless to gather smart meter data in the cloud," Computing.Co.UK, 2011. [Online]. Available: http://www.computing.co.uk/ctg/news/2035755/ibmcable-wireless-gather-smart-meter-cloud. [Accessed: 20-Sep-2012].
[6] CBR Staff Writer, "BT adds new cloud-based solution to supply chain solution portfolio," Cloud Platform, 2012. [Online]. Available: http://cloudplatforms.cbronline.com/news/bt-addsnew-cloud-based-solution-to-supply-chain-solutionportfolio-241012. [Accessed: 26-Oct-2012].
[7] P. Danny, "Green light for National Grid's cloud move," Computing.Co.UK, 2013. [Online]. Available: http://www.computing.co.uk/ctg/analysis/2257295/green-light-for-national-grid-s-cloud-move. [Accessed: 22-Apr-2013].
[8] M. Merabti, M. Kennedy, and W. Hurst, "Critical infrastructure protection: A 21st century challenge," in International Conference on Communications and Information Technology (ICCIT), 2011, 2011, pp. 1-6.
[9] C. Wang, Q. Wang, K. Ren, and W. Lou, "Ensuring data storage security in Cloud Computing," in 2009 17th International Workshop on Quality of Service, 2009, pp. 1-9.
[10] R. Lu, X. Lin, X. Liang, and X. Shen, "Secure provenance: the essential of bread and butter of data forensics in cloud computing," in ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, 2010, pp. 282-292.
[11] R. Krutz and R. Vines, Cloud security: A comprehensive guide to secure cloud computing. John Wiley & Sons, 2010, p. 384.
[12] M. Jensen, J. Schwenk, N. Gruschka, and L. Lo Iacono, "On Technical Security Issues in Cloud Computing," in 2009 IEEE International Conference on Cloud Computing, 2009, pp. 109-116.
[13] M. Jensen, N. Gruschka, and R. Herkenhöner, "A survey of attacks on web services," Computer Science - Research, vol. 24, no. 4, 2009.
[14] D. Hubbard and M. Sutton, "Top Threats to Cloud Computing V1.0," Cloud Security Alliance, 2010. [Online]. Available: https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf. [Accessed: 12-Apr-2013].
[15] S. Lar, X. Liao, and S. Abbas, "Cloud computing privacy & security global issues, challenges, & mechanisms," in Communications and Networking in , 2011, pp. 1240-1245.
[16] M. R. Aswin and M. Kavitha, "Cloud intelligent track - Risk analysis and privacy data management in the cloud computing," in 2012 International Conference on Recent Trends in Information Technology, 2012, pp. 222-227.
[17] T. Chauhan, S. Chaudhary, V. Kumar, and M. Bhise, "Service level agreement parameter matching in cloud computing," in 2011 World Congress on Information and Communication Technologies, 2011, pp. 564-570.
[18] I. Ruiz-Agundez, Y. K. Penya, and P. G. Bringas, "A Flexible Accounting Model for Cloud Computing," in 2011 Annual SRII Global Conference, 2011, pp. 277-284.
[19] S. Crago, K. Dunn, P. Eads, L. Hochstein, D.-I. Kang, M. Kang, D. Modium, K. Singh, J. Suh, and J. P. Walters, "Heterogeneous Cloud Computing," in 2011 IEEE International Conference on Cluster Computing, 2011, pp. 378-385.
[20] D. Schleicher, C. Fehling, S. Grohe, F. Leymann, A. Nowak, P. Schneider, and D. Schumm, "Compliance Domains: A Means to Model Data-Restrictions in Cloud Environments," in 2011 IEEE 15th International Enterprise Distributed Object Computing Conference, 2011, pp. 257-266.
[21] S. Thalmann, D. Bachlechner, L. Demetz, and R. Maier, "Challenges in Cross-Organizational Security Management," in 2012 45th Hawaii International Conference on System Sciences, 2012, pp. 5480-5489.
[22] T. Wadlow and V. Gorelik, "Security in the Browser," Communications of the ACM, vol. 7, no. 2, p. 40, Feb. 2009.
[23] C. Aete, "7 areas of shared responsibility for public cloud security," hp Cloud Source Blog, 2012. [Online]. Available: http://h30507.www3.hp.com/t5/Cloud-Source-Blog/7areas-of-shared-responsibility-for-public-cloudsecurity/ba-p/117425. [Accessed: 12-Aug-2012].
[24] W. Group, "Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements," National Institute of Standards and Technology, 2010. [Online]. Available: http://csrc.nist.gov/publications/nistir/ir7628/nistir7628_vol1.pdf.
[25] S. Rani and A. Gangal, "Security Issues of Banking Adopting the Application of Cloud Computing," International Journal of Information Technology, vol. 5, no. 2, pp. 243-246, 2012.
[26] S. Subashini and V. Kavitha, "A survey on security issues in service delivery models of cloud computing," Journal of Network and Computer Applications, vol. 34, no. 1, pp. 1-11, Jan. 2011.
[27] M. Mujinga and B. Chipangura, "Cloud computing concerns in developing economies," in Australian Information Security Management Conference, 2011. the 9th Australian Information Security Management Conference, 2011.
[28] E. Bezerra, "Critical telecommunications infrastructure protection in Brazil," in Critical Infrastructure Protection, First IEEE International Workshop on, 2005.
[29] A. Sharma, "Data Management and Deployment of Cloud Applications in Financial Institutions and its Adoption Challenges," International Journal of Scientific & Technology Research, vol. 1, no. 1, pp. 1-7, 2012.
[30] Andras Vajda, Stephan Baucke, "Cloud Computing and Telecommunications: Business Opportunities, Technologies and Experimental Setup," in World Telecommunications Congress (WTC), 2012, 2012, vol. 0091, no. C, pp. 1-6.