Загрузил Олег

Статья про Облачную инфраструктуру

реклама
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/268445145
Cloud Computing Security & Privacy Challenges
Conference Paper · June 2014
DOI: 10.13140/2.1.1779.6809
CITATIONS
READS
9
6,622
3 authors:
Younis A Younis
Kashif Kifayat
University of Benghazi
Liverpool John Moores University
20 PUBLICATIONS 301 CITATIONS
71 PUBLICATIONS 787 CITATIONS
SEE PROFILE
Madjid Merabti
University of Sharjah
414 PUBLICATIONS 3,666 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
VIBRANT View project
Net Homura View project
All content following this page was uploaded by Younis A Younis on 18 November 2014.
The user has requested enhancement of the downloaded file.
SEE PROFILE
Cloud Computing Security & Privacy Challenges
Younis A.Younis, Kashif Kifayat and Madjid Merabti
School of Computing and Mathematical Sciences,
Liverpool John Moores University,
Liverpool, L3 3AF, UK
[email protected] {k.kifayat, m.merabti}@ljmu.ac.uk
Abstract— Cloud computing is considered one of the most
dominant paradigms in the Information Technology (IT)
industry nowadays. It offers powerful processing and storage
resources as on-demand services at reduced cost, and improved
efficiency. It enables sharing computing physical resources
among cloud computing tents and offers on-demand scaling with
cost efficiency. However, with all of these services promising
facilities and benefits, there are still a number of challenges
associated with utilising cloud computing such as data security,
abuse of cloud services, malicious insider and cyber-attacks. The
target of this paper is to explore potential security issues related
to securing cloud computing, highlight research directions and
investigates various security challenges to cloud consumer and
service providers. It divides cloud security and privacy threats
into three main categories: threats to cloud service provider,
attacks and threats to cloud physical infrastructure and threats
to cloud customers.
Keywords—cloud computing; security challanges; limitations;
attacks and threats.
I.
INTRODUCTION
Cloud computing is an open standard model, which is
Internet-centric and provides various services either software
or hardware. It needs minimal management effort from service
providers. A significant interest in both industry and academia
has been generated to explore and enhance cloud computing.
It has five essential characteristics: on-demand self-service,
measured service, rapid elasticity, broad network access and
resource pooling. It is aiming at giving capabilities to use
powerful computing systems with reducing the cost and
increasing the efficiency and performance.
Cloud computing gives a new hope for meeting various
requirements of service providers and consumers. A new
report published April 2014 by the Right Scale, finds that
among 1000 IT executives surveyed, almost 94% indicate
their companies are running Software as a Service (SaaS) or
experimenting infrastructure as a Service (IaaS). Furthermore,
87% of surveyed organizations are utilising public cloud
services [1]. In April 2013, the National Grid, the UK’s gas
and electricity network, has announced to replace its own
internal datacenters with a CSC-hosted cloud [2].
However, with all of these promising facilities and
benefits, there are still a number of technical barriers that may
prevent cloud computing from becoming a truly ubiquitous
service. Security is the greatest inhibitors for adoption and the
primary concern in cloud computing. It suffers from
ISBN: 978-1-902560-27-4 © 2014 PGNet
conventional distributed systems security attacks such as
malicious codes. Moreover, cloud computing has new
concerns such as moving resources and storing data in the
cloud with probability to reside in another country, which has
different regulations. A cloud service provider has to ensure
its computing resources are fully usable and available at all the
time [3]. Computing resources could be inaccessible due to
many reasons such as natural disaster or denial of service.
Protecting data privacy is another aspect in cloud computing
security. Cloud computing is a shared environment, which
uses sharing infrastructure. Hence, data may face a risk of
disclosure or unauthorized access.
Cloud computing services are delivered by a large number
of service providers. They use various types of technologies,
which cause heterogeneity issues. Extensibility and Shared
Responsibilities is another concern as up to now it is not clear,
how security duties should be assigned in cloud computing
[4]. Furthermore, virtualization is one of many ways used in
cloud computing to meet their consumer requirements, but it
brings its own threats such as data isolation problems and
communication between virtual machines. Cloud computing
makes cyber-attacks more likely; many of these attacks are
among the most potential and commonly encountered in the
wider Internet such as Distributed Denial-Of-Service (DDOS)
attack [5], insecure application programming interface, abuse
and nefarious use of cloud computing, malicious insiders[6],
etc.
Cloud computing is shared open environment, which has
its own characteristics and features such as on-demand
services and mobility. Thus, cloud service providers need a
strengthened access control system for controlling access to
their resources with the ability to monitor who deal with them.
They should have the ability to deal with dynamic and random
behaviours of cloud consumers, and heterogeneity and
diversity of service.
This paper illustrates a list of the security issues faced to
adopt the cloud computing and highlights security challenges.
The cloud computing security challenges and threats are
presented in three different categories, attacks and threats and
other security challenges. The rest of this paper is structured as
follows. Potential attacks and threats on cloud computing are
illustrated in section 2. Section 3 presents other cloud
computing security challenges such as access control and
virtualization. The conclusion and our future work are
presented
in
section
4.
Figure 1: Cloud computing attacks and threats
II.
SECURITY ATTACKS AND THREATS IN CLOUD COMPUTING
In cloud computing, a service provider has a big role to
deal with all kinds of threats and attacks, which they or their
customers could face. Cloud computing inherits a number of
security attacks from conventional distributed systems such as
malicious code (viruses, Trojan horses), back door, man-in-the
middle attack and so on [7]. Moreover, cloud computing has
brought its unique security threats and concerns. This section
is divided into three main sections as shown in figure 1. The
first section covers security challenges and threats related to
cloud clients. The second section explores risks and attacks
regarding to cloud service provider. Third section covers the
most well-known threats and attack to the databases and
physical infrastructure.
1. Clouds’ customers risks, challenges and threats
Consumers are not adequately informed about what can be
gained by moving to cloud computing, and the risk associated
with that moving. Consumers should be engaged in the
moving process, and in any further action. Numbers of
security issues related to cloud computing consumers are
listed below.
A. Data security and privacy
Due to migration from a single-tenant environment to
multi-tenant one, consumers’ data face some threats related to
data confidentiality, integrity and availability as shown in
figure 2. The data security concerns and challenges were
explored and presented in another published paper [8].
B. Customers’ privileges and access control
Cloud service provider has the complete responsibility for
managing access control to the network service, and customers
have to maintain their credentials and sensitive data in a
proper way as well. The cloud service provider has to
determine how credentials will be managed, who will be in
command of keeping data safe and giving information about
people who manage customers’ data either people working in
the same organization or third parties.
C. Availability and recovery
In any agreement between customers and a cloud service
provider should be a part stated what will happen to
customers’ data and service when the cloud service provider
face outages problem caused by either natural disaster or
attack such as DOS attack. In some cases, a backup of
customers’ data will be kept in another place, so it should
receive the same attention of security.
D. Policies and Service of Level Agreement (SLA)
In cloud computing, service providers and customers
should have a well-written policy and SLA. A good cloud
computing security policy should state important areas related
to cloud computing security such as confidentiality and
integrity,
access
control,
communication
security,
identification and authentication, accountability and data
protection[7]. In most cases, policies should be read carefully
as it could be complicated, too long and full of jargons. So it
should be easy to be understood and explained very well with
using of diagrams when possible.
cloud service provider system even when it is difficult to
maintain [7].
D. Privilege escalation
Attacks could be happened by escalating privileges on a
system with using a lower level of access rights, then attack a
VM with a higher level of access rights through the hypervisor
[7].
There are other types of attacks should be mentioned such
as social engineering, TCP Hijacking, password guessing and
so on. Cloud computing has unique security and privacy
threats and concerns such as:
Figure 2: Data security challenges and threats in the cloud
E. Long-term viability
Cloud computing customers should be fully confident that
the cloud service provider will not be taken over by other
service providers, which could cause problems to customers’
data viability. Customers should ask in advance for this
situation and add it in any policy of SLA.
F. Investigation support
Cloud service providers should have the ability to trace
any illegal activity and giving investigation support to their
customers.
2. Risks and attacks to cloud service providers
Cloud service provider has to cope with two kinds of
threats either inside threats or outside threats and attacks. In
both kinds of threats, there are different kinds of security
concerns must be considered. Most of the attacks which
organizations have faced are come as a result of vulnerability
that organizations have in their systems. Numbers of these
threats are listed below:
A. Weak access controls
It is a big concern which it could cause serious security
problems as having a poor access control system can lead to
reveal customers’ data and give the attackers ability to
infiltrate organizations and their assets. So, the service
provider should design a strengthen access control system
with the ability to monitor who deal with it.
B. Complexity of configuration
Due to cloud computing designing system necessities,
number of layers has been added due to utilizing virtual
machines. These layers have increased the level of
complexity, which might cause improper configuration and
unseen vulnerabilities.
C. Segregation of duties
In cloud computing, a large number of components might
be used together to build a cloud service provider services.
Therefore, segregation of duties should be involved in the
A. Data Breaches and loss
They are on the top list of cloud computing threats [9].
Utilizing cloud computing bring significant new avenues of
attack such as data loss and leakage, which are both serious
threats to cloud computing. A flaw in one client’s application
hosted in a multi-tenant cloud service database that is not
properly designed could allow an attacker access not only to
that client’s data, but every other client’s data as well.
B. Shared Technology Vulnerabilities
Cloud computing will use the same infrastructure used in
the Internet, and it will be shared amongst clouds' consumers.
Furthermore, in order to meet clouds’ consumers’ necessities,
cloud service providers have used a virtualization hypervisor
to mediate access between guest operating systems and the
physical compute resources. However, using hypervisors have
a countable number of flaws, which might give the guest
operating system ability to influence on the underlying
platform or gain inappropriate level of access controls. So,
strong compartmentalization is required to ensure proper
isolation between consumers in the cloud, and the individual
customer do not impact operations of other tents running on
the same cloud providers [6].
C. Account and Service Hijacking
This threat could happen when an attacker hacks into a
web site that is hosted in a cloud service provider and then
secretly installing its software and control the cloud provider
infrastructure. However, moving the data to the cloud might
make the situation more complicated as an attacker can steal
credentials that will be used to gain access to cloud computing
services. According to Cloud Security Alliance (CSA), a
number of remedies can be used to mitigate this threat such as
understanding SLAs and cloud service providers security
policies’, and prohibit the sharing of account credentials
between users and services[9].
D. Cloud Malware Injection Attack
It aims at Injecting a malwares service, application or
virtual machine into a cloud service provider’s system. It
could be used for serving any particular purpose the attacker is
interesting in starting from full functionality changes or
blocking to eavesdropping and data modification. To cope
with this threat, there is a promising countermeasure approach
which is performing a service instance integrity check for
incoming requests. For instance, strong a hash value on the
original service instance’s image file and comparing the hash
value with hash values of all new service instance images.
E. Metadata Spoofing Attack
A web service server provides the metadata documents,
which store all information about the web service invocation
such as message format, security requirements, network
location, etc. to the service clients. Thus, this attack aims at
reengineering a web service’s metadata descriptions in order
modify the network endpoints and the references to security
policies. For dealing with this attack, all metadata documents
have to be carefully examined for authenticity, for example, a
hash based integrity verification of the metadata description
files prior to usage can be used. However, mechanisms for
security metadata documents are not standardized[10].
F. Insecure Application Programming Interface
In order to give cloud computing customers’ ability to
manage and interact with cloud computing services and
deliver resources or data, cloud service providers use software
interfaces or APIs. As a result of creating and using APIs
every day, security has been poorly implemented or left out in
many applications. Organizations try offering value-added
services, which add more complexity to the design of APIs. A
proper analyzes to security models of cloud service providers
interfaces’ are required with strong authentication and access
control [9].
A. Unknown Risk Profile
It can come as a result of caring about what features and
functionalities can be gained from adopting cloud services
without considering how security producers and technologies
will be developed, who has access to the data and what happen
when the data disclose for any reason. A number of concerns
should be considered such as storing data in removable
memory sticks and accessing it using smart phones. That can
lead to serious problems as these handy devices might be lost
with gigabytes of sensitive information. The CSA has
suggested a number of remedies, for instance, monitoring and
alerting on necessary information [6].
G. Malicious Insiders
There is no a clear definition what the insider term means
in the borderless Internet. In the cloud, insider should not just
describe employees and stuff, yet it should consider third
parties, consultants and anyone who take a part of delivering
services in the cloud. In addition, lack of transparency into
providers’ processes and how the access to virtual assets will
be granted to employees make the matters more complicated.
Furthermore, there is a huge demand of understanding what
the normal behaviors are and how to detect abnormal
behaviors of an employee who accesses the organizations’
resources[9].
H. Abuse and Nefarious use of Cloud Computing
Cloud computing can provide an attacker with huge
computing power of cloud infrastructure to attack any target
by spreading malware and spam such as botnet. In the cloud,
anyone with a valid credit card can register even stolen credit
cards can be accepted and used by attackers. For coping with
these concerns, an enhanced credit card fraud monitoring,
stricter initial registration and validation process should be
deployed in the cloud [9].
3. Threats and attack to databases and physical
infrastructures
In this subsection, we are going to cover the most wellknown threats and attack to the databases and physical
infrastructures.
B. Databases threats
Cloud service providers should prevent any access or
modify to databases by unauthorized users and maintain
appropriate privileges for authorized users in order to prevent
any illegitimate modification of information by them.
C. Physical infrastructure threats
There are a number of threats to the Cloud computing
infrastructure. They are theft, eavesdropping, Distributed
Denial-of-Service (DDoS), fraud, network intrusion,
fragmentation attacks and session hijacking attacks [7].
Figure 3: Other cloud computing security challenges
III.
OTHER SECURITY CHALLANGES
In order to depict the whole pictures, we have to consider
other challenges, which each one of them needs another
survey as illustrated in figure 3.
1. Access controls and Identity Management (IdM)
An access control system is a collection of components
and methods that determine the correct admission to activities
by legitimate users based upon preconfigured access
permissions and privileges outlined in the access security
policy [11]. Identity management (IdM) aims at performing
the authentication among heterogeneous clouds to establish a
federation, but it suffers from some problems related to
interoperability between various security technologies [4].
Moreover, moving any organization to the cloud needs
thinking critically about using multiple sources of identity
with different attributes and ability to identify all the entities
involved in a transaction [12].
Information in cloud
computing is likely to be shared among different entities,
which could have various degrees of sensitivity. Therefore, it
would require robust isolation and controlling access
mechanisms. In order to draw the whole picture, we have
done an in-depth investigation on cloud security and identified
different security requirements for different cloud users (e.g.
critical infrastructure service providers and small businesses).
We have found access control is one of the common and
fundamental requirements for all types of cloud users.
However, conventional access control models cannot be
applied in the cloud environment due to the following reasons:
A. Entities which are cloud based are likely to reside in
varied trusted domains and may be located in different
countries that have various regulations. Thus, they may
not trust each other [13].
B. Cloud computing can be very complex and
sophisticated due to the dynamic nature of the cloud’s
resources [14].
C. Conventional access control models in cloud
computing would suffer from the lack of flexibility in
attribute management and scalability.
D. Heterogeneity and variety of services [15].
E. Diversity of access control policies and various access
control interfaces can cause improper interoperability
[16].
F. Dealing with a large number of users, different
classification, high dynamic performance, mobility
features and changes in high frequency [17].
G. Different access permissions to a same cloud user, and
giving him/her ability to use multiple services with
regard to authentication and login time [17] [18].
H. Sharing of resources among potential untrusted tenants,
multi-tenancy and virtualization, mechanisms to
support transfer customers’ credentials across layers to
access services and resources are crucial aspects in any
access control model going to be deployed in cloud
computing [18].
There may be possibilities to extend existing access
control models and use them in the cloud environment.
However, this could be a potential risk and may not solve the
problem as conventional access models may focus on a
specific problem in a specific platform or environment and
miss the remaining interconnected issues. This could happen
due to inexistence of a complete list of access control
requirements for cloud computing. In other words, the success
on any access control solution for cloud computing will
depend on analysing and accurately identifying a complete list
of requirements.
2. Monitoring
In the cloud, there is a huge demand of using monitoring
activities either for insiders or outsiders.
3. Risk analysis and management
It is about reducing the load in cloud computing by
checking any risk in the data before delivering it consumers.
Risk analysis and management consist of: business risk
analysis, technical risk analysis and infrastructure risk analysis
[19]. It is used to deal with dynamic and random behaviors of
consumers and mitigate risks involved when consumers
utilizing cloud. Security’s incidents management has to be
stated in any agreement between consumers and the cloud.
4. Service Level Agreement(SLA)
Cloud computing consumers require SLA definitions and
automatic enforcement mechanisms that guarantee their data
security and privacy with sustained and verifiable end-to-end
performance. The SLA must state how isolation, bandwidth
on-demand and quality of service will be insured as well.
5. Heterogeneity
Cloud computing services are delivered by a big number of
service providers and using different types of technologies,
which might cause heterogeneous problems. Heterogeneity
can come as a result from differences at various levels either
software or hardware level.
6. Virtualization
Virtualization is a key element in cloud computing, which
brings well known benefits to the cloud, yet it has a number of
security concerns such as Hypervisor security and
performance concerns [20]. Supporting scalable multi-tenant
billing and very robust isolation are major requirements of any
tempted to deploy a system in the cloud.
7. Compliance
Cloud computing has a lack of proper mechanisms for the
compliance management. These mechanisms have to deal with
concerns related to compliance and prevent any serious
problem can be caused to data security and privacy. In
addition, security-breach audit and forensics are used to insure
no one violates or attacks the security within the system [12].
8. Trust Management
In cloud computing environment, establishing a reasonable
and practical model for managing a trust relationship among
cloud computing entities is hugely needed [21].
9. Cross-Organizational Security Management
Achieving and maintaining security requirements and
compliance with SLAs are big challenges to service providers
in cloud computing. Moreover, ensuring and maintaining
security requirements need the involvement of several
organizations to achieve proper security settings that meet
security necessities in cloud computing environments.
10. Policies
In cloud computing, a well-written policy is needed to
state security guidelines and security procedures, which are
used to implement technical security solutions [21].
11. Security in the web browser
Web applications which used in the Internet have their
own vulnerabilities that have not been solved yet, and these
applications are being used again in the cloud to deliver
services without a clear clue how their weakness will be sorted
out and their impact on cloud computing users[22].
12. Extensibility and Shared Responsibilities
Either end users or cloud computing service providers
should care about securing cloud computing. Up to now, there
is no a clear clue about how security duties should be assigned
in cloud computing and who is responsible for what [23].
[14]
IV. CONCLUSION AND FUTURE WORK
Cloud computing is considered one of the most dominant
paradigms in the Information Technology (IT) industry these
days. It offers new cost effective services on-demand. It
supports multi-tenancy to fulfil future IT increasing demands
for accessing and using resources provisioned over the
Internet. However, without appropriate solutions for security
and privacy challenges, the cloud computing adoption will not
happen soon. In this paper, we have covered the essential
concepts and reviewed significant challenges to cloud
computing security. It is also analysed cloud computing
security challenges and various cloud consumers’ concerns,
which might prevent utilizing the cloud.
Our future work will be focusing on proposing and
implementing a cloud based access control model, which can
secure access to cloud computing and fulfil various security
requirements for different consumers.
REFERENCES
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
K. Weins, “2014 State of the Cloud Survey,” 2014. [Online].
Available:
http://www.rightscale.com/blog/cloud-industryinsights/cloud-computing-trends-2014-state-cloud-survey.
P. Danny, “Green light for National Grid’s cloud move,”
Computing.Co.UK,
2013.
[Online].
Available:
http://www.computing.co.uk/ctg/analysis/2257295/green-light-fornational-grid-s-cloud-move. [Accessed: 22-Apr-2013].
C. Wang, Q. Wang, K. Ren, and W. Lou, “Ensuring data storage
security in Cloud Computing,” in 2009 17th International Workshop
on Quality of Service, 2009, pp. 1–9.
S. Lar, X. Liao, and S. Abbas, “Cloud computing privacy & security
global issues, challenges, & mechanisms,” in Communications and
Networking in …, 2011, pp. 1240–1245.
Z. Wang, “Security and Privacy Issues within the Cloud
Computing,” in 2011 International Conference on Computational
and Information Sciences, 2011, pp. 175–178.
W. Dan Hubbard and Z. Michael Sutton, “Top Threats to Cloud
Computing V1.0,” Cloud Security Alliance, 2010. [Online].
Available:
https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf.
[Accessed: 20-Jun-2012].
R. Krutz and R. Vines, Cloud security: A comprehensive guide to
secure cloud computing. John Wiley & Sons, 2010, p. 384.
Y. A. Younis, M. Merabti, and K. Kifayat, “Secure Cloud
Computing for Critical Infrastructure: A Survey,” in The 14th
annual post graduate symposium on the convergence of
telecommunications, networking and broadcasting, 2013, p. 6.
Top Threats Working Group, “The Notorious Nine: Cloud
Computing Top Threats in 2013,” 2013.
M. Jensen, N. Gruschka, and R. Herkenhöner, “A survey of attacks
on web services,” Comput. Sci. …, vol. 24, no. 4, 2009.
R. Anderson, Security Engineering: A guide to building dependable
distributed systems. John Wiley & Sons, 2010, p. 640.
W. Group, “Guidelines for Smart Grid Cyber Security: Vol. 1,
Smart Grid Cyber Security Strategy, Architecture, and High-Level
Requirements,” National Institute of Standards and Technology,
2010.
[Online].
Available:
http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf.
Z. Wan, J. Liu, and R. Deng, “HASBE: A Hierarchical AttributeBased Solution for Flexible and Scalable Access Control in Cloud
View publication stats
[15]
[16]
[17]
[18]
[19]
[20]
[21]
[22]
[23]
Computing,” IEEE Trans. Inf. Forensics Secur., vol. 7, no. 2, pp.
743–754, 2012.
R. Masood and M. A. Shibli, “Comparative Analysis of Access
Control Systems on Cloud,” in 2012 13th ACIS International
Conference on Software Engineering, Artificial Intelligence,
Networking and Parallel/Distributed Computing, 2012, pp. 41–46.
H. Takabi, J. Joshi, and G. Ahn, “Security and privacy challenges in
cloud computing environments,” Secur. Privacy, IEEE, vol. 8, no. 6,
pp. 24–31, 2010.
Z. Tianyi, L. Weidong, and S. Jiaxing, “An Efficient Role Based
Access Control System for Cloud Computing,” in 2011 IEEE 11th
International Conference on Computer and Information
Technology, 2011, pp. 97–102.
W. Wang, J. Han, M. Song, and X. Wang, “The design of a trust and
role based access control model in cloud computing,” in 2011 6th
International Conference on Pervasive Computing and
Applications, 2011, pp. 330–334.
A. Almutairi, M. Sarfraz, and S. Basalamah, “A Distributed Access
Control Architecture for Cloud Computing,” Software, IEEE, vol.
29, no. 2, pp. 36–44, 2012.
E. Bezerra, “Critical telecommunications infrastructure protection in
Brazil,” in Critical Infrastructure Protection, First IEEE
International Workshop on, 2005.
S. Subashini and V. Kavitha, “A survey on security issues in service
delivery models of cloud computing,” J. Netw. Comput. Appl., vol.
34, no. 1, pp. 1–11, Jan. 2011.
Q. Zhang, L. Cheng, and R. Boutaba, “Cloud computing: state-ofthe-art and research challenges,” J. Internet Serv. Appl., vol. 1, no.
1, pp. 7–18, Apr. 2010.
M. Mujinga and B. Chipangura, “Cloud computing concerns in
developing economies,” in Australian Information Security
Management Conference, 2011. the 9th Australian Information
Security Management Conference, 2011.
C. Aete, “7 areas of shared responsibility for public cloud security,”
hp Cloud Source
Blog, 2012. [Online].
Available:
http://h30507.www3.hp.com/t5/Cloud-Source-Blog/7-areas-ofshared-responsibility-for-public-cloud-security/ba-p/117425.
[Accessed: 12-Aug-2012].
Скачать