Data Security Risks in Cloud Computing

International Conference on Advances in Computing and Management - 2012

P. Vidhyalakshmi

Computer Science Department, Ansal Institute of Technology, Sec-55, Gurgaon, India.

Abstract— Cloud computing is the buzzword in today’s business scenario. Significant innovations in virtualization and distributed computing, together with easy access to the Internet, have accelerated the interest in cloud. Cloud computing is an economical solution for those looking at business agility within limited resources. Gartner’s Strategic Planning Hypothesis predicts that, by 2012, about 80% of Fortune 1000 companies will use Cloud Computing Service in some fashion. It is mostly used for data storage and data processing needs. It is seen as an advancement of distributed processing. It has both positive and negative effects on data storage. On the positive side it reduces the cost and time for the user, and on the negative side it has security issues. Some of the data security risks and their solutions are discussed in this paper.

Keywords— Data Centre, cloud computing, IaaS, PaaS, SaaS, SLA, data encryption algorithms, digital signature.

I. INTRODUCTION

Information Technology (IT) is an important tool to run a business successfully. Organizations rely on the Information System (IS) built with the help of IT for running the business. When the system fails, most of the business operations come to a halt. Rendering reliable service is the main aim of an IS. Data centers are of great help for this. A data center consists of computer systems and associated components, such as telecommunications, security devices and storage systems. It also includes environmental controls like air conditioning and fire suppression. Redundancy of data storage and backup of power supply are the main features of data centers. Customers with considerable investments in their data centers may find themselves with capacity problems, or may want to explore minimizing future capital expenditures. An easy solution for this is Cloud Computing, which offers a Pay-Per-Use-On-Demand facility. [3] It is a development of parallel computing, distributed computing and grid computing. Hardware and software are no longer procured by the user, but are used as services. Cloud service providers enable users to access and use the necessary Internet and Communication Technologies (ICT) resources via the Internet. To provide these resources, providers often fall back upon other providers in the cloud, which, for example, make storage capacity available for customer data or computer capacity for data processing. Well-known examples of cloud computing services are Amazon Simple Storage Services, Amazon Web Services, Google App Engine, Microsoft Azure Services Platform or SalesForce.com. Numerous Internet service providers also use cloud computing as a basis for search engines, blogs and social networks, among others. [3]

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. ICACM 2012, January 06-08, 2012, Pune, Maharashtra, India. Copyright 2012, ISBN 978-81-921768-0-2

II. DATA CENTER

Information security is the main concern of data centers, and for this reason a data center has to offer a secure environment which minimizes the chances of a security breach. A data center must therefore keep high standards for assuring the integrity and functionality of its hosted computer environment. This is accomplished through redundancy of both fibre optic cables and power, which includes emergency backup power generation. [1] A data center is divided into four tiers. The first tier (Tier 1) is simple and inexpensive. It consists of a single path for power and cooling distribution and does not have a redundant component. It needs a security lock and can tolerate up to 28.8 hours of downtime. It is mostly used as an enterprise data center which serves within the organization. The second tier (Tier 2) is composed of a single path for power and cooling distribution, with redundant components. Permissible downtime is 22.0 hours per year. It is appropriate for Internet-based companies without financial penalty for quality of service commitments. The third tier (Tier 3) consists of multiple active power and cooling distribution paths, but with only one path active, and also has redundant components. The allowed downtime is 1.6 hours per year. It is suitable for organizations that depend totally on IT for business automation.
The last tier (Tier 4) is robust, fault tolerant and used for critical applications. It consists of multiple active power and cooling distribution paths and also has redundant components. The permissible downtime is 0.4 hours per year. This is used by companies which have extremely high-availability requirements for ongoing business such as E-commerce, market transactions, or financial settlement processes. [2] Dynamic technological changes, increased business complexity, information explosion, and user sophistication are the factors which compel organizations to find cost-effective solutions to operate their data centers. These redundant features aim at providing reliable data storage. Data centers work fine with these redundant features on a single server. If the data cannot be accommodated in a single server, then multiple servers have to be used. If the data is spanned across several servers, then the replication becomes a waste of resources. Using a data center with Cloud Computing provides a solution for this.

III. CLOUD COMPUTING

Cloud computing is a way of computing which uses the Internet to share all resources. This is accomplished with the help of remote access. [3] The term cloud computing is derived from the cloud symbol usually used in graphics to represent the Internet and the complex infrastructure behind it. Normally the software that is used by the employees has to be loaded on their systems. As the number of employees increases, the software loading overhead also increases. This was the scenario before cloud usage. Now the software is loaded in the cloud and, with the help of an application loaded on their machine, the user logs into a web-based service which hosts all the programs the employee needs. Remote machines owned by another company run everything from e-mail to word processing to complex data analysis programs. Users can save on fixed costs. Providers who make their resources available to as many users as possible can optimize utilization of their systems and thus reduce their costs. Cloud computing offers the additional advantage that the use of ICT resources can be easily adjusted to changes in requirements. In the current economic turmoil cloud computing is therefore an option that is being given serious consideration by many companies and organizations, especially medium-sized organizations. Workload and the hardware and software demands on the local machines decrease a lot. The network of computers that forms the cloud handles these.
The only thing that is required is the cloud computing interface software, mostly just a web browser. It is suitable for organizations of all sizes, but it does not suit the ones that have mission-critical or commercially sensitive data. This is obvious, as no business would like to lose control of critical data. [6] Cloud computing gives the user cost benefits and flexibility. It is broken into three segments: “Application”, “Platform” and “Infrastructure”. The services offered by the cloud are also divided on this basis as: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). Cloud computing architecture is given in Fig 1. IaaS is the base layer of the cloud layer stack. Amazon EC2 (Elastic Compute Cloud) and Simple Storage Service (S3) are the famous examples of IaaS. The IaaS provider supplies infrastructure needs like servers, routers, firewalls, storage, hardware-based load balancing and other network equipment based on the demand of the user. PaaS has the set of software and product development tools hosted on the cloud, which enables application development without the cost and complexity of buying and managing the underlying hardware and software. [7]

Fig. 1 Cloud Computing Architecture (figure labels: Client, User Interface, Machine Interface, Application, Components, Services, Platform, Computer, Network, Storage, Infrastructure, Servers)

It also provides the facilities required to support the complete lifecycle of building and delivering the applications. Some of the well-known examples are Google App Engine and Microsoft’s Azure Service Platform. SaaS facilitates replacing the software running on PCs. This helps to reduce the cost of software purchase. Instead of buying costly software, the pay-as-per-use pattern of the cloud can be used. This is not suitable for real-time and online applications because of the delay on the network.

A. Cloud vendors and Consumers

Cloud vendors are the companies that provide the required cloud computing enabling technologies to satisfy a particular cloud service offering like SaaS, PaaS or IaaS. The vendors can host infrastructure of their own or can hire other hosting providers. The consumers are the enterprises or the individuals who take the service provided by the vendors. For example, some companies can use the IaaS offered by Amazon to implement the applications and processes used by the enterprise. These enterprises will develop their applications on the infrastructure provided by Amazon. The vendor and the consumer will sign a Service Level Agreement (SLA), which serves as a foundation for the expected level of service between them. QoS (Quality of Service) is an important attribute of the SLA that deals with the throughput and response time of running the application. This attribute changes frequently based on current technical development and has to be closely monitored. [7]

IV. DATA SECURITY ISSUES

Cloud computing is globalised and has no borders. The storage of data and the computers used for processing could be anywhere across the globe, depending on where the resources are available. Cloud operators like Amazon offer an option to the customer to choose the zone for their storage from the available zones. A lot of issues arise regarding the security of data which is spanned across the globe.
For example, if a customer uses an e-mail service based on cloud, the customer’s data can be stored on any server. It is difficult to guess where it is stored, who is responsible for maintaining it, how it is being processed etc. To ensure data confidentiality, integrity and availability the service providers must follow data handling ethics.

Data encryption techniques should be used to ensure that the shared storage environment is protected. Providers should adopt stringent access controls to prevent unauthorized access to data. The data should not be shared with another organization without the consent of the data owner. Techniques should be adopted to ensure the data is transmitted to and from the consumer through secured cables. Providers have to ensure that their data transmission and their storage or processing systems are completely protected from hackers. If SaaS is used by the consumers, then the vendors have to provide virus-free and up-to-date versions of the software. There should be scheduled data backup and safe storage of the backup media. The SLA should have clauses regarding data security, transmission procedures, confidentiality, availability, etc. [4] Instead of relying on vendors for data security, the consumers can also adopt some data security methods. Different types of security measures have to be used in cloud computing because of the three service models (IaaS, PaaS, SaaS) and also because of the different deployment methods like private cloud, public cloud and community cloud.

The public cloud, also known as external cloud or multi-tenant cloud, is the cloud environment that is openly accessible. It provides an IT infrastructure in a third party’s physical data centers that can be utilized to deliver services without having to be concerned with the underlying technical complexity. The important characteristics are homogeneous infrastructure, common policies, shared resources, operational expenditure cost model and economy of scale. The private cloud, also known as internal cloud or on-premise cloud, is the one that is owned, utilized and maintained by the organization. Customer service is the main purpose of this cloud. This type of cloud is primarily used to maintain a consistent level of control over security, privacy and governance. The characteristics are heterogeneous infrastructure, customized policies, dedicated resources, in-house infrastructure, and end-to-end control. The community cloud is shared and managed by several organizations that have similar requirements. The cost of using the cloud is shared by only a few users when compared to the public cloud, but it offers a higher level of privacy and security. It can be managed by the company or a third party. [9]

Public and community cloud users have to be safeguarded from the data security risks. As discussed above, data encryption at the customer’s end could be a solution for these risks. Encryption is basically a set of mathematical calculations and algorithmic schemes which, using a key, transform the plain text into cyphertext (a form that is not readable to unauthorized users). The receiver of the encrypted message uses the key, with the help of which the algorithm decrypts the message, i.e. transforms the cyphertext to plain text. The encryption methods are classified as symmetric and asymmetric. In the symmetric method, both the sender and the receiver share the key. Refer Fig 2. Some of the symmetric encryption methods are AES (Advanced Encryption Standard), DES (Data Encryption Standard) and Blowfish. [8]

Fig. 2 Symmetric Encryption Technique (figure labels: Shared Key; Plain text; Encrypt process; Before sending data to cloud; Encrypted cipher text stored in cloud; Decrypt process; Plain text; After receiving data from cloud)

In the asymmetric method, a pair of keys called the private key and the public key is used. Both the sender and receiver know the public key and it is used to encrypt the data. Only the owner of the private key can decrypt the message. Refer Fig 3. Although the public and private keys are always in pairs, it is difficult to derive the private key from the public key which is shared. That is why this method is considered to be more secure than the symmetric method. Examples of this method are Diffie-Hellman and RSA (named after Ron Rivest, Adi Shamir and Len Adleman, who invented this algorithm in 1977).

Fig. 3 Asymmetric Encryption Technique (figure labels: Public Key; Before sending data to the cloud; Plain text; Encrypt process; Private Key; Encrypted cipher text stored in cloud; After receiving data from cloud; Decrypt process; Plain text)

This encryption process can be done either at the customer’s end or at the service provider’s or at the vendor’s end. Doing it at the vendor’s end may increase the computation time and usage, which in turn increases the cost. Moreover, there may be no guarantee of the proper implementation of the encryption process. For these reasons, it is suitable to do the encryption process at the customer’s end. In all the encryption methods the three major components that have to be used are: the data, the encryption engine and the key management. Virtual private storage architecture should be implemented: the data should be encrypted using the cloud backup service before it is loaded on to the cloud, and the same service should do the decryption after the data is downloaded from the cloud. The keys remain in the organization and the key management is solely done by them. The encrypted data and the key should not be in the same volume of storage. They have to be separated, which results in a three-tier architecture: a volume with encrypted data, an instance with the encryption engine, and the key management server that provides the encryption key on demand. The key management server will provide the key based on the manual check and integrity checks in the running encryption engine.
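The three-tier separation described above, sketched as an added example (not code from the paper). The class names, the volume id and the idea that the engine is identified by a SHA-256 hash of its build are assumptions; HMAC-SHA256 in counter mode with encrypt-then-MAC stands in for AES because Python's standard library has no block cipher.

```python
import hashlib
import hmac
import secrets

class KeyManagementServer:
    """Tier 3: stays inside the organization and holds one key per volume."""
    def __init__(self, approved_engine_hash):
        self._approved = approved_engine_hash
        self._keys = {}

    def create_key(self, volume_id):
        self._keys[volume_id] = secrets.token_bytes(32)

    def get_key(self, volume_id, engine_hash):
        # Integrity check: release the key only to the approved engine build.
        if not hmac.compare_digest(engine_hash, self._approved):
            raise PermissionError("encryption engine failed the integrity check")
        return self._keys[volume_id]

def _subkeys(key):
    """Derive independent encryption and MAC keys from the volume key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_keystream(key, nonce, data):
    """HMAC-SHA256 in counter mode; stand-in for AES (not in the stdlib)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

class EncryptionEngine:
    """Tier 2: fetches the key per operation and never writes it to storage."""
    def __init__(self, kms, engine_code):
        self._kms = kms
        # Assumption: a trusted launcher measures the engine; here we hash its bytes.
        self._hash = hashlib.sha256(engine_code).hexdigest()

    def seal(self, volume_id, plaintext):
        enc, mac = _subkeys(self._kms.get_key(volume_id, self._hash))
        nonce = secrets.token_bytes(16)
        body = _xor_keystream(enc, nonce, plaintext)
        return nonce + body + hmac.new(mac, nonce + body, hashlib.sha256).digest()

    def unseal(self, volume_id, blob):
        enc, mac = _subkeys(self._kms.get_key(volume_id, self._hash))
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext was modified in cloud storage")
        return _xor_keystream(enc, nonce, body)

def demo():
    engine_code = b"constructed engine build v1"           # constructed sample
    kms = KeyManagementServer(hashlib.sha256(engine_code).hexdigest())
    kms.create_key("vol-1")
    cloud_volume = {}                                       # Tier 1: ciphertext only
    record = b"customer_id=1001;balance=250.00"             # constructed sample
    cloud_volume["vol-1"] = EncryptionEngine(kms, engine_code).seal("vol-1", record)
    restored = EncryptionEngine(kms, engine_code).unseal("vol-1", cloud_volume["vol-1"])
    try:
        EncryptionEngine(kms, engine_code + b" patched").seal("vol-1", record)
        rogue_refused = False
    except PermissionError:
        rogue_refused = True
    return restored == record, record in cloud_volume["vol-1"], rogue_refused
```

`demo()` returns whether the record round-trips, whether the plaintext appears in the cloud volume, and whether a modified engine was refused the key.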

V. DIGITAL SIGNATURE WITH ENCRYPTION

Encryption is suitable for data like customer id, outstanding balance, password etc. If the company’s important confidential documents like tenders, price lists and capital investment details have to be stored in the cloud, then a digital signature along with data encryption has to be used. This is a mathematical method to authenticate the document. This gives the consumer a certificate, which guarantees that the document was not tampered with in storage or in transmission. [5]

Steps to be taken before sending the document to the cloud are as follows:
1. Use the hashing algorithm to reduce the document to a few lines called the “message digest”. Store the message digest in the local system.
2. Encrypt the message digest with the private key to produce the digital signature.
3. Append this signature to the document and send it to the cloud storage.

Steps to be taken after taking the data from the cloud to ensure authenticity of the document are:
1. Decrypt the signature with the private key and convert it to message digest.
2. If the message digest matches the one that is stored in the local system, then the authentication is successful.
3. Convert the message digest to the proper message.

Most cloud providers automatically encrypt the data in transit by acquiring an SSL connection on any web browser, but whether the data is stored in an encrypted container is another issue. The best way to utilize the cloud is to make the cloud-based resources sit behind the corporate firewall, so that they are protected and also give an illusion of being inside the organization’s data center. [9] Data encryption and decryption are collectively called cryptography. Things to remember while using cryptography in cloud implementation are:
· Algorithms should be specialized and suitable for the complex shared environment.
· The key management has to be done effectively.
· The encrypted data has to be transmitted over a secured connection.
· The encryption may increase processing time, so it has to be used mainly for the confidential data.
· New encryption methods have to be adopted, i.e. periodic change to the encryption method has to be done.
· A comprehensive layering approach has to be used which makes it difficult to penetrate the data in the cloud.
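The hash, sign, append and check sequence listed at the start of this section, as an added example (not code from the paper) using RSA with SHA-256 and PKCS#1 v1.5 padding. The function names and the sample document are assumptions, and the pure-Python key generation is teaching code. Verification here uses the public key, as RSA signature schemes do, and compares against a digest recomputed from the downloaded document.

```python
import hashlib
import secrets

# DER DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; n is odd and has several hundred bits."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits=2048, e=65537):
    """Return ((n, e), (n, d)): public key and private key. Teaching code only."""
    def prime():
        while True:
            # Top two bits set so that p * q has exactly `bits` bits; low bit set (odd).
            p = secrets.randbits(bits // 2) | (3 << (bits // 2 - 2)) | 1
            if p % e != 1 and _is_probable_prime(p):
                return p
    p, q = prime(), prime()
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _padded_digest(document, n):
    """Step 1: hash the document, then pad the digest to the modulus length."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(document).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_and_append(document, private):
    """Steps 2 and 3: transform the padded digest with the private key, append it."""
    n, d = private
    k = (n.bit_length() + 7) // 8
    return document + pow(_padded_digest(document, n), d, n).to_bytes(k, "big")

def verify_download(blob, public):
    """Split off the signature, undo it with the public key, compare digests."""
    n, e = public
    k = (n.bit_length() + 7) // 8
    document, sig = blob[:-k], int.from_bytes(blob[-k:], "big")
    ok = len(blob) >= k and sig < n and pow(sig, e, n) == _padded_digest(document, n)
    return document if ok else None

if __name__ == "__main__":
    public, private = generate_keypair()
    stored = sign_and_append(b"Tender 7: unit price 120", private)   # constructed sample
    print(verify_download(stored, public))                            # original document
    tampered = stored.replace(b"120", b"999")                         # changed in storage
    print(verify_download(tampered, public))                          # None
```

Because the verifier recomputes the digest from the downloaded bytes and needs only the public key, the private key never has to leave the signer.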

VI. CONCLUSIONS AND FUTURE SCOPE

Use of encryption is the key component of cloud data security, but the most robust encryption is pointless if the keys are exposed or if the encryption end points are insecure, so key management is very important. The issues discussed above are for data at rest, i.e. data in storage. There are several security problems for data in motion also, i.e. data in transmission. Cloud computing is expected to grow in size and is still vulnerable to attacks. Stringent data protection laws should be enforced with details about scope of processing, deletion of data, localization of data, restitution of data and audits. Proper implementation of data protection laws and quality SLAs could help to have better security of data in the cloud. The future scope of this paper is to identify the security and quality issues of all the three deployment methods and to provide solutions.

REFERENCES

[1] Data Center. http://en.wikipedia.org/wiki/data_center
[2] http://www.vi.net/vital-support/datacenter-tiers.php
[3] Cloud Computing. http://en.wikipedia.org/wiki/Cloud_computing
[4] Data security issues. www.whoswholegal.com/news/features/article/18246/cloudcomputing-data-protection
[5] Business benefits. www.techno-pulse.com/2011/03/businessbenefitscloudcomputingservices.html
[6] http://www.cloudcomputinglive.com/asia/platform-as-a-service.html
[7] http:www.eetimes.com/design/embedded-internet-design/data-securityin-cloud-computing—part-2-data-encryption-applications-and-limit.
[8] European Network and Information Security Agency (ENISA), Cloud Computing: Benefits, Risks and Recommendations for Information Security, Nov. 2009; www.enisa.europa.eu/act/rm/files/deleverables/cloud-computing-riskassessment/fullreport.
[9] http://bizcloudnetwork.com/defining-cloud-deployment-models.