V.Krishna Reddy et al. / International Journal of Engineering Science and Technology (IJEST)
Security Architecture of Cloud Computing
V.KRISHNA REDDY1, Dr. L.S.S.REDDY
Department of Computer Science and Engineering, Lakireddy Bali Reddy College of Engineering, Mylavaram. Krishna4474@gmail.com

Abstract

Cloud Computing offers services over the Internet with dynamically scalable resources. Cloud Computing services provide benefits to users in terms of cost and ease of use. Cloud Computing services need to address security during the transmission of sensitive data and critical applications to shared and public cloud environments. Cloud environments are scaling up for data processing and storage needs. The cloud computing environment has various advantages as well as disadvantages for the data security of service consumers. This paper aims to emphasize the main security issues existing in cloud computing environments. The security issues at various levels of the cloud computing environment are identified in this paper and categorized based on the cloud computing architecture. This paper focuses on the usage of Cloud services and the security issues in building these cross-domain Internet-connected collaborations.

Keywords: Infrastructure-as-a-Service (IaaS); Platform-as-a-Service (PaaS); Software-as-a-Service (SaaS); Virtual Machine (VM).

I. Introduction

Cloud Computing offers dynamically scalable resources provisioned as a service over the web, and so promises many economic advantages to be distributed among its adopters. Depending on the kind of resources provided by the Cloud, different layers can be defined (see Figure 1). The bottom-most layer provides basic infrastructure elements such as servers, CPUs, memory, and storage, and is henceforth typically denoted as Infrastructure-as-a-Service (IaaS). Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3) are prominent examples of an IaaS offering. The next layer, Platform-as-a-Service (PaaS), allows deploying and dynamically scaling Python and Java based web applications; Google App Engine is an example of a PaaS. Finally, the top-most layer provides its users with ready-to-use applications, also referred to as Software-as-a-Service (SaaS). SaaS has proven to be a universally accepted and trusted service for accessing application functionality through a browser without the requirement to possess or install expensive hardware or software. To access these Cloud services, two main technologies can currently be identified: web services are commonly used to provide access to IaaS services, and web browsers are used to access SaaS applications. In PaaS environments both approaches can be found.

In this paper, we offer a summary of the security problems of Cloud Computing. The paper is organized as follows. In Section 2, we outline the layered architecture of Cloud Computing and the mapping of the different security issues onto it. Then, in Section 3, we provide a set of user-layer security-related issues that apply to different Cloud Computing scenarios. Section 4 covers Service Provider Layer security-related issues, Section 5 Virtual Machine Layer security-related issues, and Section 6 Infrastructure security-related issues. Finally, Section 7 concludes this paper.

II. Overview of High-level Cloud Architecture

We provide an architectural view of the security issues to be addressed in the cloud computing environment for providing security for the customer. We have defined four layers based on the categorization of cloud computing services. Cloud computing is categorized by service as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). This section elaborates the four layers shown in Figure 1 and maps the different security issues to each layer. Some of the important components of the User Layer are Cloud Applications, Programming, Tools and Environments. Some of the popular examples of these applications are B2B, Facebook, MySpace, Enterprise, ISV, Scientific, CDNs, Web 2.0 Interfaces, Aneka, Mashups, MapReduce, Hadoop, Dryad, Workflows, Libraries, and Scripting. Some of the security issues related to the User Layer are Security as a Service, Browser Security, and Authentication, as elaborated in the next sections.
ISSN : 0975-5462 Vol. 3 No. 9 September 2011 7149
Some of the important components of the Service Provider Layer are the SLA Monitor, Scheduler & Dispatcher, Load Balancer, Advance Resource Reservation Monitor, Resource Provisioning, Metering, Accounting, and Policy Management. Some of the security issues related to the Service Provider Layer are Identity, Privacy, Audit and Compliance, Accounting, Cloud Legal and Regulatory Issues, Data Transmission, and Cloud Integrity and Binding Issues. The Virtual Machine Layer creates a number of virtual machines and operating systems and monitors them. Some of the security issues related to the Virtual Machine Layer are VM Sprawl, VM Escape, Infrastructure, and Separation between Customers. Some of the important components of the Data Center (Infrastructure) Layer are the Servers, CPUs, memory, and storage, and this layer is henceforth typically denoted as Infrastructure-as-a-Service (IaaS). Some of the security issues related to the Data Center Layer are securing data at rest, Physical Security: Network and Server, Identity and Access Management, People and Identity, and Infrastructure.

Figure 1: Security Architecture of Cloud Computing

3. End User Security Issues

End users need to access resources within the cloud and should be aware of access agreements such as acceptable use or conflict of interest. The client organization should have some mechanism to find vulnerable code or protocols at entry points such as servers, firewalls, or mobile devices, and apply patches on the local systems as soon as they are found. The cloud should be secured from any user with malicious intent who attempts to gain access to information or shut down a service.

4. Service Provider Layer Security Issues

4.1 Identity and Access Management

Cloud environments support a large enterprise and various communities of users; only authorized users across the enterprise get access to the data and tools that they require, when they require them, and all unauthorized users are blocked from access. With cloud computing, the organization’s trust boundary becomes dynamic, and the application, system, and network boundary of an organization extends into the service provider domain. Application security and user access controls compensate for the loss of network control and strengthen risk assurance. Because of the dynamic nature of the cloud, strong authorization, authentication, accurate attributes, identity federation, single sign-on (SSO), and auditing become more important in platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), and software-as-a-service (SaaS) environments, so these controls are more critical.

4.2 Privacy

Privacy is one of the security issues in cloud computing. For companies that handle private and confidential customer data, the consequences and potential costs of mistakes are rising fast. Personal information regulations vary across the world, and a number of countries place restrictions on whether data may be stored outside the country. Based on contractual commitments, data can be stored within specific countries to satisfy privacy regulations. Professionals develop the security services and the cloud service privacy practices, but this is difficult to verify. In the cloud environment most of the data is not encrypted at processing time, because to process data, any application needs that data to be unencrypted. A fully homomorphic encryption scheme, an advance in cryptography, would allow data to be processed without being decrypted.

4.3 Securing Data in Transmission

Encryption techniques are used for data in transmission. The confidentiality and integrity of data in transmission to and from the cloud provider are provided by using access controls such as authorization, authentication, and auditing of resource usage, and by ensuring the availability of the Internet-facing resources at the cloud provider. SSL/TLS protocols are used here. Authentication and integrity protection ensure that data only goes where the customer wants it to go and is not modified in transmission. A man-in-the-middle attack is a cryptographic attack carried out when an attacker can place themselves in the communication path between the users; in clouds, there is the possibility that they can intercept and change communications.

4.4 User Identity

In organizations, to allow users to easily and quickly leverage cloud services, a single sign-on capability is required to simplify user logons for both the cloud and internally hosted applications. Identity federation and rapid on-boarding capabilities coordinate authentication and authorization with the enterprise back-end or third-party systems, using authentication based on claims or roles from trusted sources, together with user activity monitoring. Clouds bring a new level of privileged users working for the cloud provider, the administrators, and an important requirement is privileged-user monitoring, including logging of activities. This monitoring should include background checking and physical monitoring.

4.5 Audit and Compliance

An organization implements audit and compliance for the internal and external processes that must follow the requirements it is bound by; the requirements are customer contracts, laws and regulations, and internal corporate policies, and the organization checks or monitors that all such policies, procedures, and processes are followed without fail. In traditional outsourcing relationships, audit and compliance plays an important role. Customers’ business and regulatory requirements are monitored, and audit and compliance are carried out in coordination with external auditing. An effective assessment strategy, driven by business objectives, must cover data protection, secure operations, privacy, compliance, identity management, regulatory compliance and internal policy compliance, and other related security and legal issues. Establishing and demonstrating a set of controls that gives a single acceptable level of service in every jurisdiction is a challenging task for Cloud service providers (CSPs).

4.6 Cloud Integrity and Binding Issues

In a Cloud Computing system, the major responsibility of a cloud service provider is coordinating and maintaining instances of virtual machines (IaaS) or explicit service execution modules (PaaS). For any user request, the Cloud system is responsible for determining a free-to-use instance of the implementation type for the requested service, and the address of that instance is communicated to the requesting user for access. The Cloud Malware Injection Attack is a basic attack on a Cloud system that aims at injecting a malicious service implementation or virtual machine. This attack requires the adversary to add to the Cloud system its own malicious service implementation module (PaaS or SaaS) or virtual machine instance (IaaS). It can be used for any purpose the adversary is interested in, from data modifications to full functionality changes or blockings.

4.7 Flooding Attacks

The Cloud system provider maintains all basic operational tasks in Cloud Computing; among these tasks, server hardware maintenance is the most important, instead of each client operating its own hardware. Cloud Computing enables companies (clients) to rent server hardware on demand (IaaS). This gives economic benefits when it comes to dynamics in server load: the Cloud Computing environment provides a dynamic adaptation of hardware requirements to the actual workload, without buying sufficient server hardware for the high-workload times. If a company’s demand for computational power rises, it is simply provided with more instances of virtual machines for its services. The same servers can serve different time zones with different data traffic.

In a flooding attack, the server’s hardware resources are completely exhausted by bogus requests. A Direct Denial of Service attack involves saturating the target with bogus requests to prevent it from responding to legitimate requests in a timely manner. An attacker typically uses multiple computers or a botnet to launch such an attack. The cloud's dynamic provisioning in some ways minimizes the attacker's ability to cause harm, but practically, although the resources of a cloud are significant, with enough attacking computers they can become saturated. So, in a cloud service the direct flooding attack has a side effect: other services provided by the same hardware may suffer from the workload caused by the flooding. In an Indirect Denial of Service, the computational power of the attacker is directed at one service, but the Denial of Service targets other service instances on the same server hardware: the flooded service instance and the other services share the same server, and the hardware machine becomes unable to perform the tasks intended for the other service instances. At the same time, the cloud may notice the lack of availability caused by the denial of service and switch to other service instances on other servers. This is an extra burden on all other servers, and it spreads over all the servers in the complete computing Cloud.

4.8 Accounting and Accountability

A main cost-effective driver behind operating a Cloud Computing service is charging the customers according to their actual usage. Another effect of a flooding attack on a Cloud service is therefore drastically increased bills for Cloud usage. Since there are no "upper limits" for computational power usage, the client running the flooded service most likely has to foot the bill for the workload caused by the attacker. The attack can capture a large number of resources, which are costly to protect against, and cause charges to rise.

5. Security Issues in Virtualization

A virtual machine (VM) is a software implementation of a machine that executes programs like a physical machine; in the Cloud computing environment, dynamic provisioning is achieved by using virtual machines. Some more risks in VMs come from the hypervisor, the part of a virtual machine system that enables VM/host isolation and resource sharing. It provides the necessary separation between the client domain and the host domain, and between administration and the host systems; how well it does so during a planned attack greatly determines whether the virtual machine can continue to exist. Rogue Hypervisors: the guest operating system is booted inside a virtual environment and works like a traditional OS, managing I/O to hardware and network traffic, even though it is controlled by the hypervisor; the hypervisor has full control over the system. Extending virtual machines to public clouds causes the enterprise network perimeter to evaporate, and therefore the lowest common denominator impacts the security of all. Increased Denial of Service Risk: the threat of denial-of-service (DoS) attacks against a virtualized system is as prevalent as it is against non-virtualized systems, but because the virtual machines share the host’s resources, such as memory, processor, disk, I/O devices, and so on, the risk of a denial-of-service attack against another VM, the host, or an external service is actually greatly increased.

5.1 VM Escape

Virtual machines (VMs) have some relation with host machines, and if a VM is improperly configured it could allow functionality to fully escape the virtual environment and gain full kernel or root access to the customer node, not only in the VM but also on the host machine. This results in the full failure of the security mechanisms of the system and is called VM escape.

5.2 VM Security Recommendations

Best practice security techniques:

Hardening the Host Operating System: vulnerabilities move to the virtual machine operating system from the operating system of the host computer.

Limiting Physical Access to the Host: protect the hardware of the virtual machine by using physical host security to prevent intruders from attacking the hardware.

Using Encrypted Communications: provide secure communications by using cryptographic techniques such as Transport Layer Security (TLS), Secure Shell (SSH), encrypted Virtual Private Networks (VPNs), and Secure HTTP (HTTPS).

Disabling Background Tasks: traditional server operating systems are scheduled to run a number of low-priority processes after important hours.

Updating and Patching: suitable patching and updating of systems following standards organizations. The creation of VMs burdens the patch control process. Rigorously managing virtual machine images is also vital, to avoid accidentally deploying images under development or containing vulnerabilities.

Securing VM Remote Access: most VM systems are located in a server farm physically distinct from the management location. Use encrypted communications only, such as SSH or VPNs. Strong authentication practices should be employed, with private/public PKI key pairs, strong passwords, one-time passwords, two-factor authentication, and MAC address or IP address filtering.

Implementing File Integrity Checks: a process that verifies that the files retain the correct consistency; the record that the files maintain serves as a check for tampering with the system.

5.3 Separation between Users

One of the most important cloud concerns is separation between a cloud provider’s users, to avoid intentional or inadvertent access to sensitive information. At the cloud provider, virtual machines (VMs) and a hypervisor are used to separate cloud customers. The VM and virtual network separation security improvements come from TCG technologies: VM integrity and hardware-based verification of the hypervisor are provided by the TPM, and strong network separation and security are provided by the TNC architecture and standards. In limiting access to data, Trusted Storage and TPM access techniques can play a key role. In public and financial services areas involving users and data with different risks, a cloud-wide data classification will govern how that data is encrypted, who has access, how it is archived, and how technologies are used to prevent data loss.

5.4 Cloud Legal Issues

A cloud provider should have practices and strong policies that address regulatory and legal issues. Each customer must have its own legal and regulatory experts to inspect cloud provider policies and practices and ensure their adequacy. The issues to be considered include auditing, compliance, data security and export, data retention and destruction, legal discovery and compliance, and notification requirements. In other words, data co-location has some significant restrictions.

6. Infrastructure Security Issues

Cloud providers provide security-related services to a wide variety of client types; the security provided to the most demanding clients is also made available to those with the least stringent requirements. Whereas infrastructure security solutions and products are often simply deployed, they need to be part of a complete and secure design to be effective.

6.1 Securing Data Storage

In the Cloud computing environment, data protection is the most important security issue. Its concerns include the way in which data is accessed and stored, audit requirements, notification requirements, and issues involving the cost of data breaches and damage to brand value. In the cloud storage infrastructure, regulated and sensitive data needs to be properly segregated. In a cloud environment, protecting data privacy and managing compliance are critical, by encrypting data in transfer to the cloud and managing the encryption keys. Encryption keys must be shared securely between the consumer and the cloud service provider, and encryption of mobile media is an important and often overlooked need. In the service provider’s data center, the best practice for securing data at rest is cryptographic encryption; hard drive manufacturers are shipping self-encrypting drives. Self-encrypting drives provide automated encryption with minimal performance or cost impact. Software encryption is less secure and slower, because the encryption key can be copied off the machine without detection. Data at rest is affected by the economics of cloud computing and the multitenancy architecture used in SaaS and PaaS based applications: for example, data, when stored for use by a cloud-based application or processed by a cloud-based application, is commingled with other users’ data.

6.2 Network and Server

Server-Side Protection: virtual servers and applications, very much like their non-virtual counterparts, need to be secured in IaaS clouds, both physically and logically. In cloud computing, virtual firewalls are often used to isolate groups of virtual machines from other hosted groups, such as production systems from development systems or development systems from other cloud-resident systems. Where image catalogs are provided by the cloud provider, many clients expect these images to be cryptographically certified and protected; clients want these images to be secure and properly protected against corruption and abuse. In a shared environment, clients want to make certain that all tenant domains are properly isolated and that no possibility exists for data or transactions to leak from one tenant domain into the next. Clients want the ability to configure trusted policy-based security zones or virtual domains, and they expect capabilities like intrusion detection and prevention systems to be designed into the environment. Moving data to external service providers raises additional problems regarding internal and Internet-based denial of service (DoS) or distributed denial of service (DDoS) attacks. As data moves beyond the client's control, the concern is not only intrusions into a client's trusted virtual domains, but also the potential for data leakages and for extrusions, the misuse of a client’s domain to mount attacks on third parties.

Hybrid clouds are a sort of composite cloud with similar protection problems. In a hybrid cloud the infrastructure consists of a private cloud composed with either a public cloud or another organization’s private cloud. The clouds themselves remain distinct entities, bound together by standardized or proprietary technology that permits unified service delivery but also creates interdependency. For example, identification and authentication can be performed through an organization’s private cloud infrastructure as a method for its users to gain access to services provisioned in a public cloud. Preventing holes or leaks between the composed infrastructures is a major concern with hybrid clouds, as a result of the increase in complexity and diffusion of responsibilities. The availability of the hybrid cloud, computed as the product of the availability levels of the component clouds, can also be a concern: if the percentage availability of any one part drops, the availability suffers proportionately.

Application or software security has to be a vital part of a security program. Most enterprises with data security programs have yet to institute an application security program to take care of this realm. Designing and implementing applications targeted for deployment on a cloud platform would require that existing application security programs re-evaluate current practices and standards. The challenge of cloud computing systems is assessing and managing risk. In the system lifecycle, risks that are identified should be rigorously balanced against the security and privacy controls available and the expected benefits from their utilization. Too many controls can be ineffective and inefficient, if the benefits outweigh the costs and associated risks. Federal agencies and organizations ought to work to ensure an acceptable balance between the number and strength of controls and the risks related to cloud computing solutions. For doing this, the organization takes the lead in terms of contract management for any risk assessments or controls deployment that it does not execute directly. In the cloud environment, all parties ought to agree on their responsibilities to review data and to perform these reviews on a regular basis.

7. Conclusion

In this paper, we explored the security issues at various levels of the cloud computing service architecture. We investigated ongoing security issues in Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). Security of customer information is a major requirement for any service offered by any cloud computing provider. Cloud computing security issues are to be addressed at all levels of the cloud environment with essential protocols, specifications, and tools.
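Section 4.3 states that SSL/TLS protects data in transmission but that a man-in-the-middle can place itself in the communication path. The following Python example is added here and is not code from the paper; it contrasts a client TLS context that accepts any certificate (encrypted, but trivially interceptable) with one that requires a CA-validated certificate, hostname verification and TLS 1.2 or later, and provides an `audit_context` check that flags the weak settings. The function names, the audit rules and the placeholder host are this example's own assumptions.

```python
import socket
import ssl

# Added example (not from the paper): contrast a client TLS configuration that
# accepts any certificate with one that actually defends against a man-in-the-middle.


def insecure_context() -> ssl.SSLContext:
    """The weak configuration: no CA validation, no hostname check, any TLS version.

    Traffic is still encrypted, but an attacker in the path can present their own
    certificate and the client accepts it, so confidentiality and integrity are lost.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected configuration: CA-validated certificate, hostname check, TLS >= 1.2."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of weaknesses found in a client context (empty means acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not validated against a CA")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS/SSL protocol versions are allowed")
    return findings


def fetch_peer_certificate(host: str, port: int = 443, ctx: ssl.SSLContext = None) -> dict:
    """Open a verified TLS connection and return the peer certificate as parsed by ssl.

    This is the only function that touches the network; host is a placeholder for
    whatever cloud endpoint the caller uses. With a hardened context a wrong hostname
    or an untrusted certificate raises ssl.SSLCertVerificationError instead of
    silently connecting.
    """
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "no findings")
```

The audit is deliberately applied to the context object rather than to a live connection, so it can run in a build pipeline or a code review without network access; the same three properties (CA validation, hostname check, minimum protocol version) are what a reviewer checks in any TLS client configuration, whichever library is used.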
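Sections 4.7 and 4.8 describe a flooding attack exhausting a service's resources and the customer being billed for the attacker's workload, because usage-based pricing has no upper limit. The Python example below is added here and is not the paper's code: it runs a per-source sliding-window rate check over a constructed request log, flags the source whose request rate exceeds a threshold, and attributes the CPU time (the billable usage) and the share of 5xx responses to show what the customer would otherwise pay for. The log format, thresholds, IP addresses and function names are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed request log for the example (not real traffic): fields are
# timestamp, source IP, method, path, HTTP status, CPU milliseconds consumed.
SAMPLE_LOG = """\
2011-09-09T10:00:00Z 198.51.100.10 GET /report 200 120
2011-09-09T10:00:01Z 203.0.113.7 GET /report 200 150
2011-09-09T10:00:01Z 203.0.113.7 GET /report 200 150
2011-09-09T10:00:02Z 203.0.113.7 GET /report 200 150
2011-09-09T10:00:02Z 203.0.113.7 GET /report 200 150
2011-09-09T10:00:03Z 203.0.113.7 GET /report 200 150
2011-09-09T10:00:03Z 203.0.113.7 GET /report 503 20
2011-09-09T10:00:04Z 198.51.100.10 GET /invoice 200 80
2011-09-09T10:00:04Z 203.0.113.7 GET /report 503 20
2011-09-09T10:00:05Z 203.0.113.7 GET /report 503 20
2011-09-09T10:00:30Z 198.51.100.10 GET /logout 200 10
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing the detector."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append({"ts": ts, "src": m.group(2), "path": m.group(4),
                        "status": int(m.group(5)), "cpu_ms": int(m.group(6))})
    return entries


def peak_rate_per_source(entries, window_s=10):
    """Highest number of requests each source made within any window_s-second span."""
    peaks = {}
    windows = defaultdict(deque)
    for e in sorted(entries, key=lambda e: e["ts"]):
        q = windows[e["src"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() >= window_s:
            q.popleft()                      # drop timestamps that fell out of the window
        peaks[e["src"]] = max(peaks.get(e["src"], 0), len(q))
    return peaks


def flagged_sources(entries, window_s=10, threshold=5):
    """Sources whose peak rate exceeds the threshold: candidates for rate limiting or blocking."""
    peaks = peak_rate_per_source(entries, window_s)
    return sorted(src for src, peak in peaks.items() if peak > threshold)


def billable_cpu_seconds(entries, sources):
    """CPU time the listed sources consumed: the usage the customer would otherwise be billed for."""
    return sum(e["cpu_ms"] for e in entries if e["src"] in sources) / 1000.0


def error_ratio(entries):
    """Share of 5xx responses, a symptom that the service is already saturated."""
    if not entries:
        return 0.0
    return sum(1 for e in entries if e["status"] >= 500) / len(entries)


if __name__ == "__main__":
    log = parse(SAMPLE_LOG)
    bad = flagged_sources(log)
    print("flooding sources:", bad)
    print("CPU seconds attributable to them:", billable_cpu_seconds(log, set(bad)))
    print("5xx ratio:", round(error_ratio(log), 2))
```

In a real deployment the threshold would be derived from the service's normal per-client rate, and the flagged sources would feed a rate limiter or a billing alert; the point of the CPU attribution is that the accounting data the provider already collects for billing is also the evidence needed to dispute an attack-inflated bill.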
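Section 5.2 lists "Implementing File Integrity Checks" among the VM security recommendations without showing how such a check works. The Python example below is added here and is not the paper's code: it records a baseline of SHA-256 digests for every file under a directory while the system is known-good, then rescans and reports modified, deleted and added files. The `demo` function builds a throwaway directory tree and tampers with it to show the three kinds of finding; the file names and contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not the paper's code): a minimal file integrity check in the spirit of
# Section 5.2. A baseline of SHA-256 digests is recorded while the system is known-good,
# and later scans are compared against it to surface modified, deleted and added files.


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root, baseline):
    """Rescan root and report what changed relative to the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario in a temporary directory: baseline a tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF placeholder binary")

        baseline = build_baseline(root)          # taken while the tree is known-good

        # Simulated tampering after the baseline was recorded.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "service").unlink()
        (root / "bin" / "unexpected").write_bytes(b"not in the baseline")

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The check is only as trustworthy as the baseline: it has to be stored where a compromised VM cannot rewrite it (off the host, or on read-only media), and the scan should run from a trusted context, otherwise an intruder with root access can simply regenerate it after making changes.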